H3C WX Series Access Controllers. WLAN Configuration Guide. Hangzhou H3C Technologies Co., Ltd. Document Version: 6W


Copyright Hangzhou H3C Technologies Co., Ltd. and its licensors. All Rights Reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

The H3C WX series documentation set describes the software features for the H3C WX series Access Controllers and guides you through the software configuration procedures. The configuration guides also provide configuration examples to help you apply the software features to different network scenarios.

The WLAN Configuration Guide describes WLAN interface, WLAN service, WLAN security, WLAN roaming, WLAN RRM, WLAN IDS, WLAN QoS, and WLAN mesh link configurations.

This preface includes:
- Audience
- Conventions
- About the H3C WX Series Documentation Set
- Obtaining Documentation
- Technical Support
- Documentation Feedback

Audience

This documentation is intended for:
- Network planners
- Field technical support and servicing engineers
- Network administrators working with the WX series

Conventions

This section describes the conventions used in this documentation set.

Command conventions (convention: description)
- Boldface: Bold text represents commands and keywords that you enter literally as shown.
- italic: Italic text represents arguments that you replace with actual values.
- [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
- { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
- [ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
- { x | y | ... } *: Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
- [ x | y | ... ] *: Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
- &<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
- #: A line that starts with a pound (#) sign is a comment.

GUI conventions (convention: description)
- Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
- >: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols (description of each symbol)
- Means reader be extremely careful. Improper operation may cause bodily injury.
- Means reader be careful. Improper operation may cause data loss or damage to equipment.
- Means an action or information that needs special attention to ensure successful configuration or good performance.
- Means a complementary description.
- Means techniques helpful for you to make configuration with ease.

Network topology icons (description of each icon)
- Represents a generic network device, such as a router, switch, or firewall.
- Represents a routing-capable device, such as a router or Layer 3 switch.
- Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
- Represents an access controller, an access controller module, or a switching engine on a unified switch.
- Represents an access point.
- Represents a mesh access point.
- Represents omnidirectional signals.

- Represents directional signals.

About the H3C WX Series Documentation Set

The H3C WX series documentation set includes:

Categories: Product description and specifications; Hardware specifications and installation; Software configuration; Operations and maintenance.

Documents and purposes:
- WX3000 Series Unified Wired and Wireless Switches Brochure, WX5000 Series Access Controllers Brochure, WX6000 Series Access Controllers Brochure: Describe product specifications and benefits.
- LSWM1WCM10 Access Controller Module Card Manual, LSWM1WCM20 Access Controller Module Card Manual, LSRM1WCM2A1 Access Controller Module Card Manual: Provide the hardware specifications of the cards, and describe how to install and remove the cards.
- LSQM1WCMB0 Access Controller Module Installation Manual, LSBM1WCM2A0 Access Controller Module Installation Manual: Guide you through hardware specifications and installation methods to help you install your AC.
- WX Series Access Controllers Getting Started Guides: Guide you through the main functions of your AC, and describes how to install and log in to your AC, perform basic configurations, maintain software, and troubleshoot your AC.
- WX Series Access Controllers Configuration Guides: Describe software features and configuration procedures.
- WX Series Access Controllers Command References: Provide a quick reference to all available commands.
- WX Series Access Controllers Web-based Configuration Guides: Describes configuration procedures through the web interface.
- WX3000 Series Unified Switches Release Notes, WX5002 Series Access Controllers Release Notes, WX5004 Series Access Controllers Release Notes, WX6103 Series Access Controllers Release Notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.

Obtaining Documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at

Click the links on the top navigation bar to obtain different categories of product documentation:
- [Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, getting started, and software feature configuration and maintenance documentation.
- [Products & Solutions]: Provides information about products and technologies, as well as solutions.
- [Technical Support & Documents > Software Download]: Provides the documentation released with the software version.

Technical Support

Documentation Feedback

You can your comments about product documentation to

We appreciate your comments.

- Read Compatibility Matrixes before using an H3C WX series access controller.
- Support of the H3C WX series access controllers for features and commands may vary by AC model. For more information, see Feature Matrixes and Command Matrixes in Compatibility Matrixes.
- The term AC in this document refers to H3C access controllers, access controller modules, and H3C WX series unified switches' access controller engines.
- The models listed in this manual are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

Table of Contents

1 Applicable Models and Software Versions

2 Typical Network Scenarios
  AC Networking
  Access Controller Module Networking
  Unified Switch Networking

3 Feature Matrixes
  Feature Matrix for the WX5000 Series
  Feature Matrix for the WX6000 Series
  Feature Matrix for the WX3000 Series

4 Command Matrixes
  Command Matrix for the WX5000 Series
  Command Matrix for the WX6000 Series
  Command Matrix for the WX3000 Series

5 WLAN Interface Configuration
  WLAN-ESS Interface
  Introduction
  Entering WLAN-ESS Interface View
  Configuring a WLAN-ESS Interface
  WLAN-DBSS Interface
  Introduction
  WLAN Mesh Interface
  Introduction
  Entering WLAN Mesh Interface View
  Configuring a WLAN Mesh Interface
  Displaying and Maintaining a WLAN Interface

6 WLAN Service Configuration
  WLAN Service Overview
  Terminology
  Wireless Client Access Overview
  CAPWAP Overview
  Introduction to CAPWAP
  CAPWAP Link Backup
  WLAN Topologies
  WLAN Topologies for ACs
  Protocols and Standards
  Configuring WLAN Service
  Configuration Task List
  Enabling WLAN Service
  Specifying a Country Code
  Configuring Software Version Automatic Update
  Configuring a WLAN Service Template
  Configuring an AP
  Configuring Auto AP
  Configuring CAPWAP Dual-Link
  Configuring Radio Parameters
  Configuring a Radio Policy on an AC
  Configuring 802.11n
  Displaying and Maintaining WLAN Service
  Configuring User Isolation
  Introduction to VLAN-Based User Isolation
  Configuring VLAN-Based User Isolation
  Introduction to SSID-Based User Isolation
  Configuring SSID-Based User Isolation
  Displaying and Maintaining User Isolation
  Configuring AP Group
  Configuring an AP Group
  Applying the AP Group in a User Profile
  Displaying and Maintaining AP Group
  Configuring SSID-Based Access Control
  Specifying a Permitted SSID in a User Profile
  Configuring Uplink Detection
  Configuring AC Hot Backup
  Enabling AC Hot Backup
  Configuring the VLAN ID of the Port Connected to Another AC
  Configuring the Interval for Sending Heartbeat Messages
  Displaying the AC Connection State
  AP Registration Configuration Examples
  Configuration Example for AP Registration Through DHCP Option
  Configuration Example for AP Registration Through DNS
  WLAN Service Configuration Examples
  WLAN Service Configuration Example
  WLAN Auto-AP Configuration Example
  CAPWAP Dual-Link Configuration Example
  802.11n Configuration Example
  User Isolation Configuration Example
  Uplink Detection Configuration Example
  AP Group Configuration Examples
  AP Group Configuration without Roaming
  AP Group Configuration for Inter-AC Roaming

7 WLAN Security Configuration
  Overview
  Authentication Modes
  WLAN Data Security
  Client Access Authentication
  Protocols and Standards
  Configuring WLAN Security
  Configuration Task List
  Enabling an Authentication Method
  Configuring the PTK Lifetime
  Configuring the GTK Rekey Method
  Configuring Security IE
  Configuring Cipher Suite
  Configuring Port Security
  Displaying and Maintaining WLAN Security
  WLAN Security Configuration Examples
  PSK Authentication Configuration Example
  MAC and PSK Authentication Configuration Example
  802.1X Authentication Configuration Example
  Dynamic WEP Encryption-802.1X Authentication Configuration Example
  Supported Combinations for Ciphers

8 WLAN Roaming Configuration
  WLAN Roaming Overview
  Terminology
  WLAN Roaming Topologies
  Configuring an IACTP Mobility Group
  Displaying and Maintaining WLAN Roaming
  WLAN Roaming Configuration Examples
  Intra-AC Roaming Configuration Example
  Inter-AC Roaming Configuration Example

9 WLAN RRM Configuration
  Overview
  Channel Adjustment
  Power Adjustment
  Configuration Task list
  Configuring Data Transmit Rates
  Configuring 802.11a/802.11b/802.11g Rates
  Configuring 802.11n Rates
  Configuring Dynamic Frequency Selection
  Configuring Auto-DFS
  Configuring One-Time DFS
  Configuring DFS Triggers
  Configuring Transmit Power Control
  Configuring Auto-TPC
  Configuring One-Time TPC
  Specifying the Adjacency Factor
  Configuring a Radio Group
  Configuring Scan Parameters
  Configuring Power Constraint
  Displaying and Maintaining WLAN RRM
  WLAN Load Balancing
  Load Balancing Configuration Task List
  Configuring a Load Balancing Mode
  Configuring Group-Based Load Balancing
  Displaying and Maintaining Load Balancing
  Enabling 802.11g Protection
  WLAN RRM Configuration Examples
  Configuring Auto DFS
  Configuring Auto TPC
  Configuring a Radio Group
  WLAN Load Balancing Configuration Examples
  Configuring Session-Mode AP Load Balancing
  Configuring Traffic-Mode AP Load Balancing
  Configuring Group-Based Session-Mode Load Balancing
  Configuring Group-Based Traffic-Mode Load Balancing

10 WLAN IDS Configuration
  Overview
  Terminology
  Rogue Detection
  IDS Attack Detection
  WLAN IDS Configuration Task List
  Configuring AP Operating Mode
  Configuring Detection of Rogue Devices
  Configuring Detection of Rogue Devices
  Taking Countermeasures Against Attacks from Detected Rogue Devices
  Displaying and Maintaining Rogue Detection
  Configuring IDS Attack Detection
  Configuring IDS Attack Detection
  Displaying and Maintaining IDS Attack Detection
  WLAN IDS Configuration Example

11 WLAN IDS Frame Filtering Configuration
  Overview
  Introduction to Frame Filtering
  Configuring WLAN IDS Frame Filtering
  Displaying and Maintaining WLAN IDS Frame Filtering
  WLAN IDS Frame Filtering Configuration Example

12 WLAN QoS Configuration
  Overview
  Terminology
  WMM Protocol Overview
  Protocols and Standards
  WMM Configuration
  Configuration Prerequisites
  Configuring WMM
  Displaying and Maintaining WMM
  WMM Configuration Examples
  WMM Basic Configuration Example
  CAC Service Configuration Example
  SVP Service Configuration Example
  Traffic Differentiation Test Configuration Example
  Troubleshooting
  EDCA Parameter Configuration Failure
  SVP or CAC Configuration Failure

13 WLAN Mesh Link Configuration
  Introduction to WLAN Mesh
  Basic Concepts in WLAN Mesh
  Advantages of WLAN Mesh
  Deployment Scenarios
  WLAN Mesh Security
  Mesh Link Metric
  Mobile Link Switch Protocol
  Protocols and Standards
  Introduction to WDS
  Basic Concepts in WDS
  Advantages of WDS
  Deployment Scenarios
  WLAN Mesh Configuration Task List
  Configuring an MKD ID
  Configuring Mesh Port Security
  Configuring a Mesh Profile
  Configuring Mesh Portal Service
  Configuring an MP Policy
  Mapping a Mesh Profile to the Radio of an MP
  Mapping an MP Policy to the Radio of an MP
  Specifying a Peer MAC Address on the Radio
  Displaying and Maintaining WLAN Mesh Link
  WLAN Mesh Configuration Examples
  Normal WLAN Mesh Configuration Example
  Subway WLAN Mesh Configuration Example
  Troubleshooting WLAN Mesh Link
  Authentication process not started
  Failed to Ping through MAP
  Configuration download failed for zeroconfig device
  Configuration download failed for MP
  Debug error: Neither local nor remote is connected to MKD
  PMKMA delete is received by MPP for MP

14 Index

1 Applicable Models and Software Versions

H3C WX series access controllers include the WX3000 series unified switches, and WX5000 and WX6000 series access controllers. Table 1-1 shows the applicable models and software versions.

Table 1-1 Applicable models and software versions (columns: Model, Software version)

WX3024 unified switches WX3010 unified switches WX3008 unified switches WX3000-CMW520-R3111P03 LSWM1WCM20 access controller module WX5002 access controller LS8M1WCMA0 access controller module WX5002-CMW520-R1112 WX5002V2 access controller WX5004 access controller WX5004-CMW520-R2107P04 LSWM1WCM10 access controller module WX6103 access controller LSQM1WCMB0 access controller module LSBM1WCM2A0 access controller module WX6103-CMW520-R2115P08 LSRM1WCM2A1 access controller module

2 Typical Network Scenarios

AC Networking

As shown in the following figure, the AC is connected through GE1/0/1 to a switch (Layer 2 or Layer 3), which can be connected to APs directly or over an IP network. Clients connect to the network through the APs to implement WLAN user access.

[Figure 2-1 AC networking. Labels: Scheme 1, AC, GE 1/0/1, Server, IP network, AP 1, AP 2, Client A, Client B]

Access Controller Module Networking

As shown in the following figure, a switch (Layer 2 or Layer 3) with an access controller module installed can be connected to APs directly or over an IP network. Clients connect to the network through the APs to implement WLAN user access.

[Figure 2-2 Access controller module networking]

Unified Switch Networking

As shown in Figure 2-3, a unified switch (which functions as both an AC and a Layer 2 switch) can be connected to APs directly or over an IP network. Clients connect to the network through the APs to implement WLAN user access.

[Figure 2-3 Unified switch networking diagram]

3 Feature Matrixes

In this document, Yes means a feature or command is supported, and No means not supported.

Feature Matrix for the WX5000 Series

The LS8M1WCMA0, LSWM1WCM10, and LSWM1WCM20 on the WX5000 series adopt the OAP architecture. Installed on the expansion slots of switches, they work as OAP cards to exchange data and status and control information with the switches through their internal service interfaces.

Do not configure services such as QoS rate limiting and 802.1X authentication on GE interfaces on the LS8M1WCMA0, XGE 1/0/1 on the LSWM1WCM10, and the logical interface BAGG1 aggregated by GE 1/0/1 and GE 1/0/2 on the LSWM1WCM20.

Table 3-1 Feature matrix for the WX5000 series

Document Module Feature WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 Fundamentals Configuration Guide Login configuration AUX user interface Yes No Yes No Yes Yes Console user interface No Yes No Yes No No Telnet Yes Yes Yes Yes Yes Yes User interface configuration User interface type Console user interface not AUX user interface not Yes AUX user interface not Console user interface not Console user interface not

18 Document Module Feature WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 File system management configuration Configuration file encryption Storage media No No No No No Yes Flash CF Flash CF CF Flash Device management configuration License Supports 32 concurrent APs by default, and can be extended to support 64. No on the WX Supports 32 concurrent APs by default, and can be extended to support 64. No Supports 64 concurren t APs by default, and can be extended to support 256. Supports 64 concurrent APs by default, and can be extended to support 256. Supports 32 concurrent APs by default, and can be extended to support 128. WLAN Configuration Guide WLAN services configuration Hot AC backup No Yes No Yes Yes No Maximum number of SSIDs Layer 2 LAN Switching Configuration Guide Ethernet interface configuration Combo port configuration Shutting down an Ethernet interface Yes Yes No Yes No No Yes Yes Yes Yes Yes. Do not use the shutdown command on internal interfaces; otherwise, the normal operation of the device will be affected. Yes. Do not use the shutdown command on internal interfaces; otherwise, the normal operation of the device will be affected. Configuring flow control on an Ethernet interface Yes Yes Yes Yes No No 3-2

19 Document Module Feature WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 Configuring loopback detection on an Ethernet interface Yes on GE interfaces only Yes on GE interfaces only Internal loopback testing on GE interfaces only Yes on GE interfaces only Internal loopback testing on XGE interfaces only Internal loopback testing on GE interfaces only Link aggregation configuration Link aggregation Yes Yes No Yes No Yes MSTP Configuration STP No Yes No Yes No No Layer 2 forwarding configuration Layer 2 forwarding Yes No Yes No No No Port mirroring configuration Port mirroring Remote port mirroring and cross-board mirroring not Remote port mirroring and cross-board mirroring not No Remote port mirroring and cross-boa rd mirroring not No No DNS configuration IPv6 DNS configuration Yes Yes Yes Yes Yes Yes Layer 3 IP Services Configuration Guide IP performance optimization configuration Adjacency table configuration Configuring ICMP to send error packets Displaying and maintaining adjacency table Yes No No No No No No Yes No Yes Yes Yes IPv6 basics configuration IPv6 basics configuration Yes Yes Yes Yes Yes Yes IPv6 application configuration IPv6 application configuration Yes Yes Yes Yes Yes Yes 3-3

20 Document Module Feature WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 Layer 3 IP Routing Configuration Guide IP Multicast Configuration Guide IP routing basics configuration IPv6 static routing configuration MLD snooping configuration IPv6 multicast VLAN configuration IPv6 features Yes Yes Yes Yes Yes Yes IPv6 static routing configuration Yes Yes Yes Yes Yes Yes MLD snooping Yes Yes Yes Yes Yes Yes IPv6 multicast VLAN Yes Yes Yes Yes Yes Yes ACL configuration IPv6 ACL Yes Yes Yes Yes Yes Yes ACL and QoS Configuration Configuring line rate Yes Yes Yes Yes Yes Yes Guide QoS Configuring CAR applicable to all traffic of online users No Yes No Yes Yes Yes Security Configuration Guide AAA Specifying the device ID to be used in stateful failover mode No Yes No Yes Yes No Configuring Layer 3 portal authentication No Yes No Yes Yes Yes Specifying the portal group to which the portal service backup interface belongs No Yes No Yes Yes No Portal configuration Specifying the device ID to be used in stateful failover mode No Yes No Yes Yes No Specifying the backup source IP address for RADIUS packets to be sent No Yes No Yes Yes No SSH2.0 configuration Specifying a source IPv6 address or interface for an SSH client Yes Yes Yes Yes Yes Yes 3-4

21 Document Module Feature WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 Establishing a connection between an SSH client and an IPv6 SSH server Specifying a source IPv6 address or interface for an SFTP client Establishing a connection between an SFTP client and an IPv6 SFTP server Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes IPv6 SFTP client Yes Yes Yes Yes Yes Yes Security protection configuration Management protocol packets Telnet, SNMP, and web managemen t packets whose destination IP address is the local host ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host Telnet, SNMP, and web management packets whose destination IP address is the local host ICMP, IEC, Telnet, and SNMP packets whose destinatio n IP address is the local host ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host 3-5

22 Document Module Feature WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 Other protocol packets 11MAC/802. 1X/ARP/DH CP/HWTAC AS/ICMP/IG MP/MLD/L WAPP/ND/ NTP/PIM/R ADIUS Data packets: all packets except the above packets. UDP/TCP/8 02.1X/DHC P/IGMP/NT P/ARP/LWA PP/LooPbac k/pppoe/ia CTP/ACSEI/ STP/LWAP P_DATA/De fault 11MAC/802.1X/ ARP/DHCP/HW TACAS/ICMP/IG MP/MLD/LWAP P/ND/NTP/PIM /RADIUS Data packets: all packets except the above packets. UDP/TCP/ 802.1X/D HCP/IGM P/NTP/AR P/LWAPP /LooPbac k/pppoe/i ACTP/AC SEI/ STP/LWA PP_DATA /Default UDP/TCP/802.1 X/DHCP/IGMP/ NTP/ARP/LWA PP/LooPback/P PPoE/IACTP/A CSEI/ STP/LWAPP_D ATA/Default UDP/TCP/802.1 X/DHCP/IGMP/ NTP/ARP/LWA PP/LooPback/P PPoE/IACTP/A CSEI/ STP/LWAPP_D ATA/Default Enabling attack prevention for protocols Configuring rate limits for a protocol No Yes No Yes Yes Yes No Yes No Yes Yes Yes Network Management and Monitoring Configuration Guide Information center configuration Logfile No Yes No Yes Yes No OAA Configuration Guide OAA configuration OAP module configuration ACSEI server configuration ACSEI client configuration No Yes No Yes No No No Yes No Yes No No No Yes Yes Yes Yes Yes Access Controller Module Basic Configuration Guide Access Controller Module Basic Configuration Access Controller Module Basic Configuration No No Yes No Yes Yes 3-6

Feature Matrix for the WX6000 Series

The switch interface module on the WX6103, and the LSQM1WCMB0, LSBM1WCM2A0, and LSRM1WCM2A1 access controller modules on the WX6000 series adopt the OAP architecture. Installed on the expansion slots of switches, they work as OAP cards to exchange data and status and control information with the switches through their internal service interfaces.

The XGE interfaces on the switch interface module on the WX6103, and the LSQM1WCMB0, LSBM1WCM2A0, and LSWM1WCM10 access controller modules are internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on them.

Table 3-2 Feature matrix for the WX6000 series

Volume Module Feature WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 AUX user interface No No No Yes Login configuration Console user interface Yes Yes Yes Yes Telnet Yes Yes Yes (IPv6 telnet not ) Yes Fundamentals Configuration Guide User interface configuration File management configuration User interface type Configuration file encryption AUX user interface not AUX user interface not AUX user interface not No No No No AUX user interface not Storage media CF and USB CF and USB CF and USB CF and USB Device management configuration License 128 APs at most by default, and can be extended to 640 APs. 128 APs at most by default, and can be extended to 640 APs. 128 APs at most by default, and can be extended to 640 APs. 128 APs at most by default, and can be extended to 640 APs. WLAN Configuration WLAN services Hot AC backup Yes Yes Yes Yes

24 Guide Volume Module Feature WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 configuration Maximum number of SSIDs Combo port configuration The MPU does not support the Combo port. No No No Layer 2 LAN Switching Configuration Guide Ethernet interface configuration Shutting down an Ethernet interface Configuring flow control on an Ethernet interface Loopback detection on an Ethernet interface Yes Yes Yes Yes Internal loopback testing on XGE interfaces only Internal loopback testing on XGE interfaces only Internal loopback testing on XGE interfaces only No No No No Internal loopback testing on XGE interfaces only Link aggregation configuration Link aggregation No No No No MSTP Configuration STP No No No No Layer 2 forwarding configuration Port mirroring configuration Layer 2 forwarding No No No No Port mirroring No No No No DNS configuration IPv6 DNS configuration Yes Yes No Yes IP performance optimization configuration Configuring ICMP to send error packets No No No No Layer 3 IP Services Configuration Guide Adjacency table configuration Displaying and maintaining adjacency table Yes Yes Yes Yes IPv6 basics configuration IPv6 basics configuration Yes Yes No Yes IPv6 application configuration IPv6 application configuration Yes Yes No Yes 3-8

25 Volume Module Feature WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 Layer 3 IP Routing Configuration Guide IP routing basics configuration IPv6 static routing configuration IPv6-related displaying and maintaining commands IPv6 static routing configuration Yes Yes No Yes Yes Yes No Yes IP Multicast Configuration Guide MLD snooping configuration IPv6 multicast VLAN configuration MLD snooping Yes Yes No No IPv6 multicast VLAN Yes Yes No No ACL configuration IPv6 ACL Yes Yes No Yes ACL and QoS Configuration Guide QoS Configuring line rate No No No No Configuring CAR applicable to all traffic of online users Yes Yes Yes Yes Security Configuration Guide AAA configuration Specifying the device ID to be used in stateful failover mode Yes Yes Yes Yes Configuring Layer 3 portal authentication Yes Yes Yes Yes Specifying the portal group to which the portal service backup interface belongs Yes Yes Yes Yes Portal configuration Specifying the device ID to be used in stateful failover mode Yes Yes Yes Yes Specifying the backup source IP address for RADIUS packets to be sent Yes Yes Yes Yes SSH2.0 configuration Specifying a source IPv6 address or interface for an SSH client Yes Yes No Yes 3-9

26 Volume Module Feature WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 Establishing a connection between an SSH client and an IPv6 SSH server Specifying a source IPv6 address or interface for an SFTP client Establishing a connection between an SFTP client and an IPv6 SFTP server Yes Yes No Yes Yes Yes No Yes Yes Yes No Yes IPv6 SFTP client Yes Yes No Yes Management protocol packets ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host Security protection configuration Other protocol packets UDP/TCP/802.1X/ DHCP/IGMP/NTP/ ARP/LWAPP/LooP back/pppoe/iact P/ACSEI/ STP/LWAPP_DAT A/Default UDP/TCP/802.1X/ DHCP/IGMP/NTP/ ARP/LWAPP/LooP back/pppoe/iact P/ACSEI/ STP/LWAPP_DAT A/Default UDP/TCP/802.1X/ DHCP/IGMP/NTP/ ARP/LWAPP/LooP back/pppoe/iact P/ACSEI/ STP/LWAPP_DAT A/Default UDP/TCP/802.1X/ DHCP/IGMP/NTP/ ARP/LWAPP/LooP back/pppoe/iact P/ACSEI/ STP/LWAPP_DAT A/Default Enabling attack prevention for protocols Configuring rate limits for a protocol Yes Yes Yes Yes Yes Yes Yes Yes Network Management and Monitoring Configuration Guide Information center configuration Logfile Yes No No No OAA Configuration Guide OAA configuration OAP module configuration Yes No No No ACSEI server configuration Yes No No No 3-10

Volume Module Feature WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 ACSEI client configuration Yes Yes Yes Yes Access Controller Module Basic Configuration Guide Access Controller Module Basic Configuration Access Controller Module Basic Configuration No Yes Yes Yes

Feature Matrix for the WX3000 Series

The access controller engine and switching engine on the WX3000 series adopt the OAP architecture. The switching engine is integrated on the access controller engine as an OAP card. You actually log in to the access controller engine when you log in to the device by default.

GE 1/0/1 interfaces on the WX3024, WX3010 and WX3008 are used to exchange data, status and control information with GE1/0/29 (WX3024), GE1/0/11 (WX3010) or GE1/0/9 (WX3008) on the switching engine. Do not configure services such as QoS rate limiting and 802.1X authentication on these interfaces.

Table 3-3 Feature matrix for the WX3000 series

Volume Module Feature WX3024 WX3010 WX3008 Fundamentals Configuration Guide Login configuration AUX user interface Yes Yes Yes Console user interface No No No Telnet Yes (IPv6 telnet not ) Yes (IPv6 telnet not ) Yes (IPv6 telnet not ) User interface configuration User interface type Console user interface not Console user interface not Console user interface not File management configuration Configuration file encryption Yes Yes Yes

28 Volume Module Feature WX3024 WX3010 WX3008 WLAN Configuration Guide Device management configuration WLAN services configuration Storage media Flash Flash Flash License 24 APs at most by default, and can be extended to 48 APs. 12 APs at most by default, and can be extended to 24 APs. Hot AC backup No No No Maximum number of SSIDs Combo port configuration No No No No Ethernet interface configuration Shutting down an Ethernet interface Configuring flow control on an Ethernet interface No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine No No No No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine Layer 2 LAN Switching Configuration Guide Loopback detection on an Ethernet interface Internal loopback testing on GE interfaces only Internal loopback testing on GE interfaces only Internal loopback testing on GE interfaces only Link aggregation configuration Link aggregation configuration No No No MSTP Configuration STP No No No Layer 2 forwarding configuration Layer 2 forwarding No No No Port mirroring configuration Port mirroring configuration No No No Layer 3 IP Services Configuration Guide DNS configuration IPv6 DNS configuration No No No IP performance optimization configuration Configuring ICMP to send error packets No No No Adjacency table configuration Displaying and maintaining an adjacency table Yes Yes Yes IPv6 basics configuration IPv6 basics configuration No No No 3-12

| Volume | Module | Feature | WX3024 | WX3010 | WX3008 |
|---|---|---|---|---|---|
| | IPv6 application configuration | IPv6 application configuration | No | No | No |
| Layer 3 IP Routing Configuration Guide | IP routing basics configuration | IPv6-related displaying and maintaining commands | No | No | No |
| | IPv6 static routing configuration | IPv6 static routing configuration | No | No | No |
| IP Multicast Configuration Guide | MLD snooping configuration | MLD snooping | No | No | No |
| | IPv6 multicast VLAN configuration | IPv6 multicast VLAN | No | No | No |
| ACL and QoS Configuration Guide | ACL configuration | IPv6 ACL | No | No | No |
| | QoS | Configuring line rate | No | No | No |
| | | Configuring CAR applicable to all traffic of online users | Yes | Yes | Yes |
| Security Configuration Guide | AAA configuration | Specifying the device ID to be used in stateful failover mode | No | No | No |
| | Portal configuration | Configuring Layer 3 portal authentication | Yes | Yes | Yes |
| | | Specifying the portal group to which the portal service backup interface belongs | No | No | No |
| | | Specifying the device ID to be used in stateful failover mode | No | No | No |
| | | Specifying the backup source IP address for RADIUS packets to be sent | No | No | No |
| | SSH2.0 configuration | Specifying a source IPv6 address or interface for an SSH client | No | No | No |
| | | Establishing a connection between an SSH client and an IPv6 SSH server | No | No | No |

| Volume | Module | Feature | WX3024 | WX3010 | WX3008 |
|---|---|---|---|---|---|
| | | Specifying a source IPv6 address or interface for an SFTP client | No | No | No |
| | | Establishing a connection between an SFTP client and an IPv6 SFTP server | No | No | No |
| | | IPv6 SFTP client | No | No | No |
| | Security protection configuration | Management protocol packets | ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host | ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host | ICMP, IEC, Telnet, and SNMP packets whose destination IP address is the local host |
| | | Other protocol packets | UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default | UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default | UDP/TCP/802.1X/DHCP/IGMP/NTP/ARP/LWAPP/LooPback/PPPoE/IACTP/ACSEI/STP/LWAPP_DATA/Default |
| | | Enabling attack prevention for protocols | Yes | Yes | Yes |
| | | Configuring rate limits for a protocol | Yes | Yes | Yes |
| Network Management and Monitoring Configuration Guide | Information center configuration | Logfile | No | No | No |
| OAA Configuration Guide | OAA configuration | OAP module configuration | Yes | Yes | Yes |
| | | ACSEI server configuration | No | No | No |
| | | ACSEI client configuration | No | No | No |
| Access Controller Module Basic Configuration Guide | Access Controller Module Basic Configuration | Access Controller Module Basic Configuration | No | No | No |

4 Command Matrixes

In this document, Yes means a feature or command is, and No means not.

Command Matrix for the WX5000 Series

Table 4-1 Command matrix for the WX5000 series

| Volume | Module | Command | WX5002 | WX5002V2 | LS8M1WCMA0 | WX5004 | LSWM1WCM10 | LSWM1WCM20 |
|---|---|---|---|---|---|---|---|---|
| Fundamentals Command Reference | Login commands | telnet ipv6 | Yes | Yes | Yes | Yes | Yes | Yes |
| | User Interface Commands | display user-interface | AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 5. | Console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. | AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 5. | Console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. | AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. | AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to |

32 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 free user-interface AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 5. Console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 5. Console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. send AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 5. Console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 5. Console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to

33 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 user-interface AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 5. Console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 5. Console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. configuration encrypt No No No No No Yes ftp ipv6 Yes Yes Yes Yes Yes Yes File management commands mount No No No Yes No No open ipv6 No No No Yes No No tftp ipv6 Yes Yes Yes Yes Yes Yes umount No No No Yes No No Device management commands display device cf-card, usb, subslot subslot-number not usb not cf-card, usb, subslot subslot-number not usb not usb and subslot subslot-number not cf-card, usb, subslot subslot-number not display fan fan-id takes the value of 1 or 2. fan-id ranges from 1 to 5. fan-id takes the value of 1 or 2. fan-id ranges from 1 to 5. No No display power power-id takes the value of 1 or 2. power-id takes the value of 1 or 2. power-id takes the value of 1 or 2. power-id takes the value of 1 or 2. No No display rps No No No No No No 4-3

34 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 license append No on the WX Yes Yes Yes Yes Yes temperature-limit By default, lower-value is 5, and upper-value is 60 By default, lower-value is 0, and upper-value is 90 By default, lower-value is 5, and upper-value is 60 By default, lower-valu e is 0, and upper-valu e is 90 No By default, lower-value is 0, and upper-value is 60 Basic system configuration commands configure-user count number ranges from 1 to 6. number ranges from 1 to 7. number ranges from 1 to 6. number ranges from 1 to 7. number ranges from 1 to 7. number ranges from 1 to 7. WLAN Command Reference WLAN interface commands display interface wlan-ess interface wlan-ess interface-numbe r ranges from 0 to 127. interface-numbe r ranges from 0 to 127. interface-numb er ranges from 0 to interface-numb er ranges from 0 to interface-numbe r ranges from 0 to 127. interface-numbe r ranges from 0 to 127. interface-n umber ranges from 0 to interface-n umber ranges from 0 to interface-numbe r ranges from 0 to interface-numbe r ranges from 0 to interface-number ranges from 0 to 127. interface-number ranges from 0 to 127. WLAN services commands All commands for hot AC backup No Yes No Yes No Yes bind wlan-ess interface-index ranges from 0 to 127. interface-index ranges from 0 to interface-index ranges from 0 to 127. interface-in dex ranges from 0 to interface-index ranges from 0 to 127. interface-index ranges from 0 to display wlan ap-group group-id ranges from 1 to 128. group-id ranges from 1 to 32. group-id ranges from 1 to 128. group-id ranges from 1 to 64. group-id ranges from 1 to 32. group-id ranges from 1 to

35 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 hot-backup hellointerval No hellointerval ranges from 100 to 2000 milliseconds, and defaults to 2000 milliseconds. No hellointerv al ranges from 100 to 2000 millisecond s, and defaults to 2000 millisecond s. No hellointerval ranges from 100 to 2000 milliseconds, and defaults to 2000 milliseconds. wlan ap-group group-id ranges from 1 to 128. group-id ranges from 1 to 32. group-id ranges from 1 to 128. group-id ranges from 1 to 64. group-id ranges from 1 to 32. group-id ranges from 1 to 64. wlan permit-ap-group group-id ranges from 1 to 128. group-id ranges from 1 to 32. group-id ranges from 1 to 128. group-id ranges from 1 to 64. group-id ranges from 1 to 32. group-id ranges from 1 to 64. display wlan client Yes Yes Yes Yes Yes Yes WLAN roaming commands display wlan mobility-group Yes Yes Yes Yes Yes Yes member Yes Yes Yes Yes Yes Yes mobility-tunnel Yes Yes Yes Yes Yes Yes Layer 2 LAN Switching Command Reference Ethernet interface commands undo member Yes Yes Yes Yes Yes Yes source Yes Yes Yes Yes Yes Yes duplex Yes Yes Yes Yes No No display loopback-detecti on Yes Yes Yes Yes Yes No flow-control Yes Yes Yes Yes No No 4-5

36 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 jumboframe enable value ranges from 1600 to 9216 bytes and defaults to 1600 bytes. value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. loopback Yes Yes Yes Yes Only internal is. Only internal is. loopback-detecti on control enable loopback-detecti on enable loopback-detecti on interval-time Yes Yes Yes Yes No No Yes Yes Yes Yes No No Yes Yes Yes Yes No No shutdown Yes Yes Yes Yes No No speed Yes Yes No Yes No No VLAN commands interface vlan-interface The maximum value is 64. The maximum value is 64. The maximum value is 64. The maximum value is 512. The maximum value is 512. The maximum value is 64. MAC Address Table Commands mac-address max-mac-count count ranges from 0 to count ranges from 0 to count ranges from 0 to count ranges from 0 to count ranges from 0 to count ranges from 0 to Link aggregation commands MSTP commands All commands in the link aggregation commands manual All commands in the MSTP commands manual Yes Yes No No No No No Yes No Yes No No 4-6

37 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 Layer 2 forwarding commands Port mirroring commands All commands in the Layer 2 commands manual All commands in the port mirroring commands manual Yes No Yes Yes No No Yes Yes No Yes No No Layer 2 WAN Command Reference PPP commands pppoe-server max-sessions local-mac pppoe-server max-sessions total number ranges from 1 to number ranges from 1 to 2048 and defaults to number ranges from 1 to number ranges from 1 to 4096 and defaults to number ranges from 1 to number ranges from 1 to 2048 and defaults to number ranges from 1 to number ranges from 1 to and defaults to number ranges from 1 to number ranges from 1 to 4096 and defaults to number ranges from 1 to number ranges from 1 to 2048 and defaults to Layer 3 IP Services Command Reference ARP commands arp max-learning-nu m number ranges from 0 to number ranges from 0 to number ranges from 0 to number ranges from 0 to number ranges from 0 to number ranges from 0 to DNS commands IP performance optimization commands Adjacency table commands All commands in IPv6 DNS configuration commands ip redirects enable ip ttl-expires enable ip unreachables enable display adjacent-table Yes Yes Yes Yes Yes Yes Yes No No No No No Yes No No No No No Yes No No No No No No Yes No Yes Yes Yes 4-7

38 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 IPv6 basics commands IPv6 application commands All commands in IPv6 basics commands manual ipv6 neighbors max-learning-nu m All commands in IPv6 application commands manual Yes Yes Yes Yes Yes Yes number ranges from 1 to 256 and defaults to 256. number ranges from 1 to 1024 and defaults to number ranges from 1 to 256 and defaults to 256. number ranges from 1 to 1024 and defaults to number ranges from 1 to 1024 and defaults to Yes Yes Yes Yes Yes Yes number ranges from 1 to 1024 and defaults to Layer 3 IP Routing Command Reference display ipv6 routing-table display ipv6 routing-table ipv6-address display ipv6 routing-table ipv6-address1 ipv6-address2 Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes IP routing basics commands display ipv6 routing-table protocol display ipv6 routing-table statistics display ipv6 routing-table verbose reset ipv6 routing-table statistics Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes 4-8

39 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 IPv6 static routing commands All commands in IPv6 static routing commands manual Yes Yes Yes Yes Yes Yes IP Multicast Command Reference igmp-snooping fast-leave Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view IGMP snooping commands igmp-snooping group-limit igmp-snooping static-group Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view Layer 2 aggregate interface view igmp-snooping static-router-port vlan Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view Multicast VLAN commands port multicast-vlan Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view MLD snooping commands IPv6 multicast VLAN commands MLD snooping commands IPv6 multicast VLAN commands Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes 4-9

40 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 port multicast-vlan ipv6 Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view ACL and QoS Command Reference ACL Commands IPv6 ACL Configuration Commands Yes Yes Yes Yes Yes Yes QoS Commands car pir peak-informatio n-rate not green action not remark-lp-pas s new-local-prec edence not pir peak-informatio n-rate not green action not remark-lppass new-localprecedenc e not green action not remark-lp-pass new-local-prece dence not green action not remark-lp-pass new-local-prece dence not display qos lr interface Yes Yes Yes Yes Yes Yes display qos map-table dscp-lp not Yes dscp-lp not Yes Yes Yes 4-10

41 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 if-match Yes classifier tcl-name not inbound-interf ace interface-type interface-numb er not local-precede nce local-preceden ce-list not rtp start-port start-port-numb er end-port end-port-numb er not Yes classifier tcl-name not inbound-i nterface interface-ty pe interface-n umber not local-prec edence local-prece dence-list not rtp start-port start-port-n umber end-port end-port-n umber not classifier tcl-name not inbound-interfa ce interface-type interface-numbe r not local-preceden ce local-precedenc e-list not rtp start-port start-port-numbe r end-port end-port-numbe r not classifier tcl-name not inbound-interfa ce interface-type interface-number not local-preceden ce local-precedenc e-list not rtp start-port start-port-numbe r end-port end-port-number not qos pql inbound-interfac e Yes No Yes No No No qos pql protocol Yes No Yes No No No qos cql inbound-interfac e Yes No Yes No No No qos cql protocol Yes No Yes No No No qos car No Yes No Yes Yes Yes qos map-table dscp-lp not Yes dscp-lp not Yes Yes Yes 4-11

42 Volume Module Command WX5002 WX5002V2 LS8M1WCMA0 WX5004 LSWM1WCM10 LSWM1WCM20 qos lr Yes [ ebs excess-burst-si ze ] not Yes No [ ebs excess-burst-siz e ] not [ ebs excess-burst-siz e ] not redirect No Yes No Yes Yes Yes Security Command Reference AAA commands nas device-id device-id 802.1X commands dot1x max-user No Yes No Yes Yes No user-number ranges from 1 to user-number ranges from 1 to user-number ranges from 1 to user-numb er ranges from 1 to user-number ranges from 1 to user-number ranges from 1 to MAC authentication commands mac-authenticati on max-user user-number user-number ranges from 1 to 1024 and defaults to user-number ranges from 1 to 4096 and defaults to user-number ranges from 1 to 1024 and defaults to user-numb er ranges from 1 to 4096 and defaults to user-number ranges from 1 to 4096 and defaults to user-number ranges from 1 to 2048 and defaults to Portal commands portal server server-name method { direct layer3 redhcp } layer3 not layer3 layer3 not layer3 layer3 layer3 portal backup-group group-id nas device-id device-id radius nas-backup-ip ip-address radius scheme radius-scheme-na me nas-backup-ip ip-address No Yes No Yes Yes No No Yes No Yes Yes No No Yes No Yes Yes No No Yes No Yes Yes No 4-12

| Volume | Module | Command | WX5002 | WX5002V2 | LS8M1WCMA0 | WX5004 | LSWM1WCM10 | LSWM1WCM20 |
|---|---|---|---|---|---|---|---|---|
| | | portal max-user max-number | max-number ranges from 1 to | max-number ranges from 1 to | max-number ranges from 1 to | max-number ranges from 1 to | max-number ranges from 1 to | max-number ranges from 1 to |
| | SSH2.0 commands | ssh client ipv6 source | Yes | Yes | Yes | Yes | Yes | Yes |
| | | ssh2 ipv6 | Yes | Yes | Yes | Yes | Yes | Yes |
| | | sftp client ipv6 source | Yes | Yes | Yes | Yes | Yes | Yes |
| | | sftp ipv6 | Yes | Yes | Yes | Yes | Yes | Yes |
| | Security protection commands | anti-attack protocol enable | No | Yes | No | Yes | Yes | Yes |
| | | anti-attack protocol threshold | No | Yes | No | Yes | Yes | Yes |
| | | display anti-attack { 11mac admin all arp data dhcp dot1x hwtacas icmp igmp lwapp nd ntp pim radius } | Yes | No | Yes | No | No | No |
| | | display anti-attack { protocol protocol all } | No | Yes | No | Yes | Yes | Yes |
| Network Management and Monitoring Command Reference | System maintenance and debugging commands | ping ipv6 | Yes | Yes | Yes | Yes | Yes | Yes |
| | | tracert ipv6 | Yes | Yes | Yes | Yes | Yes | Yes |
| | Information center commands | display logfile buffer | No | Yes | No | Yes | Yes | No |

| Volume | Module | Command | WX5002 | WX5002V2 | LS8M1WCMA0 | WX5004 | LSWM1WCM10 | LSWM1WCM20 |
|---|---|---|---|---|---|---|---|---|
| | | display logfile summary | No | Yes | No | Yes | Yes | No |
| | | info-center logfile enable | No | Yes | No | Yes | Yes | No |
| | | info-center logfile frequency | No | Yes | No | Yes | Yes | No |
| | | info-center logfile size-quota | No | Yes | No | Yes | Yes | No |
| | | info-center logfile switch-directory | No | Yes | No | Yes | Yes | No |
| | | logfile save | No | Yes | No | Yes | Yes | No |
| OAA | OAA commands | mcms connect | No | No | No | No | Yes on the device side of the access controller module | Yes on the device side of the access controller module |
| | | mcms reboot | No | No | No | No | Yes | Yes |
| | | oap connect slot | No | Yes | No | Yes | No | No |
| | | oap management-ip | No | Yes | No | Yes | No | No |
| | | oap reboot slot | No | Yes | No | Yes | No | No |
| | | ACSEI server configuration commands | No | Yes | No | Yes | No | No |
| | | ACSEI client configuration commands | No | Yes | Yes | Yes | Yes | Yes |

45 Command Matrix for the WX6000 Series Table 4-2 Command matrix for the WX6000 series Volume Module Command WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 Fundamentals Command Reference Login commands telnet ipv6 Yes Yes No Yes display user-interface AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. User Interface Commands free user-interface send AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. user-interface AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 6. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. AUX, console and VTY user interfaces are. When number is an absolute index, the value ranges from 0 to 12. AUX, console and VTY user interfaces are. 
When number is an absolute index, the value ranges from 0 to 12. File management configuration commands configuration encrypt No No No No ftp ipv6 Yes Yes No Yes 4-15

46 Volume Module Command WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 mount Yes Yes Yes Yes open ipv6 Yes Yes Yes Yes tftp ipv6 Yes Yes No Yes umount Yes Yes Yes Yes display device Yes Yes Yes Yes display fan fan-id can only be 1. fan-id can only be 1. fan-id can only be 1. fan-id can only be 1. Device management commands display power power-id takes the value of 1 or 2. power-id takes the value of 1 or 2. power-id takes the value of 1 or 2. display rps No No No No power-id takes the value of 1 or 2. license append Yes Yes Yes Yes temperature-limit By default, lower-value is 0, and upper-value is 86 By default, lower-value is 0, and upper-value is 86 By default, lower-value is 0, and upper-value is 86 By default, lower-value is 0, and upper-value is 86 Basic system configuration commands configure-user count number ranges from 1 to 13. number ranges from 1 to 13. number ranges from 1 to 13. number ranges from 1 to 13. WLAN Command Reference WLAN interface commands display interface wlan-ess interface wlan-ess interface-number ranges from 0 to interface-number ranges from 0 to interface-number ranges from 0 to interface-number ranges from 0 to interface-number ranges from 0 to interface-number ranges from 0 to interface-number ranges from 0 to interface-number ranges from 0 to WLAN service commands All commands for hot AC backup Yes Yes Yes Yes bind wlan-ess interface-index ranges from 0 to interface-index ranges from 0 to interface-index ranges from 0 to interface-index ranges from 0 to display wlan ap-group group-id ranges from 1 to 640. group-id ranges from 1 to 640. group-id ranges from 1 to 640. group-id ranges from 1 to

47 Volume Module Command WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 hot-backup hellointerval hellointerval ranges from 30 to 2000 milliseconds, and defaults to 2000 milliseconds. hellointerval ranges from 30 to 2000 milliseconds, and defaults to 2000 milliseconds. hellointerval ranges from 30 to 2000 milliseconds, and defaults to 2000 milliseconds. hellointerval ranges from 30 to 2000 milliseconds, and defaults to 2000 milliseconds. wlan ap-group group-id ranges from 1 to 640. group-id ranges from 1 to 640. group-id ranges from 1 to 640. group-id ranges from 1 to 640. wlan permit-ap-group group-id ranges from 1 to 640. group-id ranges from 1 to 640. group-id ranges from 1 to 640. group-id ranges from 1 to 640. display wlan client Yes Yes member ipv6 ipv6-address not Yes display wlan mobility-group Yes Yes member ipv6 ipv6-address not Yes WLAN roaming commands member Yes Yes member ipv6 ipv6-address not Yes mobility-tunnel Yes Yes iactp6 not Yes undo member Yes Yes source Yes Yes undo member ipv6 ipv6-address not ipv6 ipv6-address not Yes Yes Layer 2 LAN Switching Command Reference Ethernet interface commands duplex Yes Yes Yes Yes display loopback-detection Yes Yes Yes Yes flow-control Yes Yes Yes Yes jumboframe enable value ranges from 1600 to 9216 bytes and defaults to 1600 bytes. value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. value ranges from 1600 to 4096 bytes and defaults to 1600 bytes. 4-17

48 Volume Module Command WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 loopback Yes Yes Yes Yes loopback-detection control enable loopback-detection enable loopback-detection interval-time Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes shutdown Yes Yes Yes Yes speed Yes No Yes No VLAN commands interface vlan-interface The maximum value is The maximum value is The maximum value is The maximum value is MAC address table management commands mac-address max-mac-count count ranges from 0 to count ranges from 0 to count ranges from 0 to count ranges from 0 to Link aggregation commands All commands No No No No MSTP commands All commands No No No No Layer 2 forwarding commands Port mirroring commands All commands No No No No All commands No No No No Layer 2 WAN Command Reference PPP commands pppoe-server max-sessions local-mac pppoe-server max-sessions total number ranges from 1 to number ranges from 1 to and defaults to number ranges from 1 to number ranges from 1 to and defaults to number ranges from 1 to number ranges from 1 to and defaults to number ranges from 1 to number ranges from 1 to and defaults to Layer 3 IP Services Command Reference ARP commands arp max-learning-num number ranges from 0 to number ranges from 0 to number ranges from 0 to number ranges from 0 to DNS commands All commands for IPv6 DNS configuration Yes Yes No Yes 4-18

| Volume | Module | Command | WX6103 | LSQM1WCMB0 | LSBM1WCM2A0 | LSRM1WCM2A1 |
|---|---|---|---|---|---|---|
| | IP performance optimization commands | ip redirects enable | No | No | No | No |
| | | ip ttl-expires enable | No | No | No | No |
| | | ip unreachables enable | No | No | No | No |
| | Adjacency table commands | display adjacent-table | Yes | Yes | Yes | Yes |
| | IPv6 basics commands | All commands | Yes | Yes | No | Yes |
| | | ipv6 neighbors max-learning-num | number ranges from 1 to 1024 and defaults to | number ranges from 1 to 1024 and defaults to | number ranges from 1 to 1024 and defaults to | number ranges from 1 to 1024 and defaults to |
| | IPv6 application commands | All commands | Yes | Yes | No | Yes |
| IP Routing Command Reference | IP routing basics commands | display ipv6 routing-table | Yes | Yes | No | Yes |
| | | display ipv6 routing-table ipv6-address | Yes | Yes | No | Yes |
| | | display ipv6 routing-table ipv6-address1 ipv6-address2 | Yes | Yes | No | Yes |
| | | display ipv6 routing-table protocol | Yes | Yes | No | Yes |
| | | display ipv6 routing-table statistics | Yes | Yes | No | Yes |
| | | display ipv6 routing-table verbose | Yes | Yes | No | Yes |

50 Volume Module Command WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 reset ipv6 routing-table statistics Yes Yes No Yes IPv6 static routing commands All commands Yes Yes No Yes igmp-snooping fast-leave Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not IGMP snooping commands igmp-snooping group-limit igmp-snooping static-group Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not IP Multicast Command Reference igmp-snooping static-router-port vlan Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Multicast VLAN commands port multicast-vlan Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not MLD snooping commands MLD snooping commands Yes Yes No No IPv6 multicast VLAN commands IPv6 multicast VLAN commands port multicast-vlan ipv6 Yes Yes No No Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not Layer 2 aggregate interface view not ACL and QoS Command Reference ACL Commands IPv6 ACL Configuration Commands Yes Yes Yes Yes 4-20

51 Volume Module Command WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 car green action not remark-lp-pass new-local-precedenc e not green action not remark-lp-pass new-local-precedenc e not green action not remark-lp-pass new-local-precedenc e not green action not remark-lp-pass new-local-precedenc e not display qos lr interface display qos map-table No No No No Yes Yes Yes Yes QoS commands if-match classifier tcl-name not inbound-interface interface-type interface-number not rtp start-port start-port-number end-port end-port-number not classifier tcl-name not inbound-interface interface-type interface-number not rtp start-port start-port-number end-port end-port-number not classifier tcl-name not inbound-interface interface-type interface-number not rtp start-port start-port-number end-port end-port-number not classifier tcl-name not inbound-interface interface-type interface-number not rtp start-port start-port-number end-port end-port-number not qos pql inbound-interface No No No No qos pql protocol No No No No qos cql inbound-interface No No No No qos cql protocol No No No No qos car Yes Yes Yes Yes qos lr No No No No qos map-table Yes Yes Yes Yes redirect Yes Yes Yes Yes Security Command Reference AAA commands nas device-id device-id Yes Yes Yes Yes 4-21

52 Volume Module Command WX6103 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A X commands dot1x max-user user-number ranges from 1 to user-number ranges from 1 to user-number ranges from 1 to user-number ranges from 1 to MAC authentication commands mac-authentication max-user user-number user-number ranges from 1 to 4096 and defaults to user-number ranges from 1 to 4096 and defaults to user-number ranges from 1 to 4096 and defaults to user-number ranges from 1 to 4096 and defaults to Portal commands portal server server-name method { direct layer3 redhcp } portal backup-group group-id nas device-id device-id radius nas-backup-ip ip-address radius scheme radius-scheme-name nas-backup-ip ip-address layer3 layer3 layer3 layer3 Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes portal max-user max-number max-number ranges from 1 to max-number ranges from 1 to max-number ranges from 1 to max-number ranges from 1 to ssh client ipv6 source Yes Yes No Yes SSH2.0 commands ssh2 ipv6 Yes Yes No Yes sftp client ipv6 source Yes Yes No Yes sftp ipv6 Yes Yes No Yes Security protection commands anti-attack protocol enable anti-attack protocol threshold Yes Yes Yes Yes Yes Yes Yes Yes 4-22

| Volume | Module | Command | WX6103 | LSQM1WCMB0 | LSBM1WCM2A0 | LSRM1WCM2A1 |
|---|---|---|---|---|---|---|
| | | display anti-attack { 11mac admin all arp data dhcp dot1x hwtacas icmp igmp lwapp nd ntp pim radius } | No | No | No | No |
| | | display anti-attack { protocol protocol all } | Yes | Yes | Yes | Yes |
| Network Management and Monitoring Command Reference | System maintenance and debugging commands | ping ipv6 | Yes | Yes | No | Yes |
| | | tracert ipv6 | Yes | Yes | No | Yes |
| | Information center commands | display logfile buffer | Yes | No | No | No |
| | | display logfile summary | Yes | No | No | No |
| | | info-center logfile enable | Yes | No | No | No |
| | | info-center logfile frequency | Yes | No | No | No |
| | | info-center logfile size-quota | Yes | No | No | No |
| | | info-center logfile switch-directory | Yes | No | No | No |
| | | logfile save | Yes | No | No | No |
| OAA | OAA commands | mcms connect | No | No | No | No |
| | | mcms reboot | No | No | No | No |
| | | oap connect slot | Yes | No | No | No |
| | | oap management-ip | Yes | No | No | No |
| | | oap reboot slot | Yes | No | No | No |

| Volume | Module | Command | WX6103 | LSQM1WCMB0 | LSBM1WCM2A0 | LSRM1WCM2A1 |
| --- | --- | --- | --- | --- | --- | --- |
| | | ACSEI server configuration commands | Yes | No | No | No |
| | | ACSEI client configuration commands | Yes | Yes | Yes | Yes |

Command Matrix for the WX3000 Series

Table 4-3 Command matrix for the WX3000 series

| Volume | Module | Command | WX3024 | WX3010 | WX3008 |
| --- | --- | --- | --- | --- | --- |
| Fundamentals Command Reference | Login commands | telnet ipv6 | No | No | No |
| | User Interface Commands | display user-interface | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. |
| | | free user-interface | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. |
| | | send | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. |
| | | user-interface | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to 5. | AUX and VTY user interfaces are supported. When number is an absolute index, the value ranges from 0 to |

| Volume | Module | Command | WX3024 | WX3010 | WX3008 |
| --- | --- | --- | --- | --- | --- |
| | File management configuration commands | configuration encrypt | Yes | Yes | Yes |
| | | ftp ipv6 | No | No | No |
| | | mount | No | No | No |
| | | open ipv6 | No | No | No |
| | | tftp ipv6 | No | No | No |
| | | umount | No | No | No |
| | Device management commands | display device | cf-card and usb not supported | cf-card and usb not supported | cf-card and usb not supported |
| | | display fan | fan-id takes the value of 1 or 2. | fan-id ranges from 1 to 3. | fan-id ranges from 1 to 3. |
| | | display power | power-id can only be 1. | power-id can only be 1. | power-id can only be 1. |
| | | display rps | Yes | No | No |
| | | license append | Yes | Yes | Yes |
| | | temperature-limit | By default, lower-value is 4, and upper-value is 79. | By default, lower-value is 0, and upper-value is 63. | By default, lower-value is 0, and upper-value is 63. |
| | Basic system configuration commands | configure-user count | number ranges from 1 to 6. | number ranges from 1 to 6. | number ranges from 1 to 6. |
| WLAN Command Reference | WLAN interface commands | display interface wlan-ess | interface-number ranges from 0 to 63. | interface-number ranges from 0 to 63. | interface-number ranges from 0 to 63. |
| | | interface wlan-ess | interface-number ranges from 0 to 63. | interface-number ranges from 0 to 63. | interface-number ranges from 0 to 63. |
| | WLAN services commands | All commands for hot AC backup | No | No | No |
| | | bind wlan-ess | interface-index ranges from 0 to 63. | interface-index ranges from 0 to 63. | interface-index ranges from 0 to 63. |
| | | display wlan ap-group | group-id ranges from 1 to 64. | group-id ranges from 1 to 12. | group-id ranges from 1 to |

| Volume | Module | Command | WX3024 | WX3010 | WX3008 |
| --- | --- | --- | --- | --- | --- |
| | | hot-backup hellointerval | No | No | No |
| | | wlan ap-group | group-id ranges from 1 to 64. | group-id ranges from 1 to 12. | group-id ranges from 1 to 12. |
| | | wlan permit-ap-group | group-id ranges from 1 to 64. | group-id ranges from 1 to 12. | group-id ranges from 1 to 12. |
| | WLAN roaming commands | display wlan client | member ipv6 ipv6-address not supported | member ipv6 ipv6-address not supported | member ipv6 ipv6-address not supported |
| | | display wlan mobility-group | member ipv6 ipv6-address not supported | member ipv6 ipv6-address not supported | member ipv6 ipv6-address not supported |
| | | member | member ipv6 ipv6-address not supported | member ipv6 ipv6-address not supported | member ipv6 ipv6-address not supported |
| | | mobility-tunnel | iactp6 not supported | iactp6 not supported | iactp6 not supported |
| | | undo member | undo member ipv6 ipv6-address not supported | undo member ipv6 ipv6-address not supported | undo member ipv6 ipv6-address not supported |
| | | source | ipv6 ipv6-address not supported | ipv6 ipv6-address not supported | ipv6 ipv6-address not supported |
| Layer 2 LAN Switching Command Reference | Ethernet interface commands | duplex | No | No | No |
| | | display loopback-detection | No | No | No |
| | | flow-control | No | No | No |
| | | jumboframe enable | value ranges from 1600 to 4086 bytes and defaults to 1600 bytes. | value ranges from 1600 to 9216 bytes and defaults to 1600 bytes. | value ranges from 1600 to 9216 bytes and defaults to 1600 bytes. |
| | | loopback | Only internal is supported | Only internal is supported | Only internal is supported |
| | | loopback-detection control enable | No | No | No |
| | | loopback-detection enable | No | No | No |

| Volume | Module | Command | WX3024 | WX3010 | WX3008 |
| --- | --- | --- | --- | --- | --- |
| | | loopback-detection interval-time | No | No | No |
| | | shutdown | No on GE1/0/1 of the access controller engine and GE1/0/29 on the switching engine | No on GE1/0/1 of the access controller engine and GE1/0/11 on the switching engine | No on GE1/0/1 of the access controller engine and GE1/0/9 on the switching engine |
| | | speed | No | No | No |
| | VLAN commands | interface vlan-interface | The maximum value is 32. | The maximum value is 32. | The maximum value is 32. |
| | MAC address table management commands | mac-address max-mac-count | count ranges from 0 to | count ranges from 0 to | count ranges from 0 to |
| | Link aggregation commands | All commands | No | No | No |
| | MSTP commands | All commands | No | No | No |
| | Layer 2 forwarding commands | All commands | No | No | No |
| | Port mirroring commands | All commands | No | No | No |
| Layer 2 WAN Command Reference | PPP commands | pppoe-server max-sessions local-mac | number ranges from 1 to | number ranges from 1 to | number ranges from 1 to |
| | | pppoe-server max-sessions total | number ranges from 1 to 1024 and defaults to | number ranges from 1 to 1024 and defaults to | number ranges from 1 to 1024 and defaults to |
| Layer 3 IP Services Command Reference | ARP commands | arp max-learning-num | number ranges from 0 to | number ranges from 0 to | number ranges from 0 to |

| Volume | Module | Command | WX3024 | WX3010 | WX3008 |
| --- | --- | --- | --- | --- | --- |
| | DNS commands | All commands for IPv6 DNS configuration | No | No | No |
| | IP performance optimization commands | ip redirects enable | No | No | No |
| | | ip ttl-expires enable | No | No | No |
| | | ip unreachables enable | No | No | No |
| | Adjacency table commands | display adjacent-table | Yes | Yes | Yes |
| | IPv6 basics commands | All commands | No | No | No |
| | | ipv6 neighbors max-learning-num | No | No | No |
| | IPv6 application commands | All commands | No | No | No |
| Layer 3 IP Routing Command Reference | IP routing basics commands | display ipv6 routing-table | No | No | No |
| | | display ipv6 routing-table ipv6-address | No | No | No |
| | | display ipv6 routing-table ipv6-address1 ipv6-address2 | No | No | No |
| | | display ipv6 routing-table protocol | No | No | No |
| | | display ipv6 routing-table statistics | No | No | No |
| | | display ipv6 routing-table verbose | No | No | No |
| | | reset ipv6 routing-table statistics | No | No | No |
| | IPv6 static routing commands | All commands | No | No | No |
| IP Multicast Command Reference | IGMP snooping commands | igmp-snooping fast-leave | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported |

| Volume | Module | Command | WX3024 | WX3010 | WX3008 |
| --- | --- | --- | --- | --- | --- |
| | | igmp-snooping group-limit | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported |
| | | igmp-snooping static-group | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported |
| | | igmp-snooping static-router-port vlan | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported |
| | Multicast VLAN commands | port multicast-vlan | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported |
| | MLD snooping commands | MLD snooping commands | No | No | No |
| | IPv6 multicast VLAN commands | IPv6 multicast VLAN commands | No | No | No |
| | | port multicast-vlan ipv6 | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported | Layer 2 aggregate interface view not supported |
| ACL and QoS Command Reference | ACL Commands | IPv6 ACL Configuration Commands | No | No | No |
| | QoS commands | car | green action not supported; remark-lp-pass new-local-precedence not supported | green action not supported; remark-lp-pass new-local-precedence not supported | green action not supported; remark-lp-pass new-local-precedence not supported |

| Volume | Module | Command | WX3024 | WX3010 | WX3008 |
| --- | --- | --- | --- | --- | --- |
| | | display qos map-table | Yes | Yes | Yes |
| | | display qos lr interface | No | No | No |
| | | if-match | classifier tcl-name not supported; inbound-interface interface-type interface-number not supported; IPv6 ACL not supported; rtp start-port start-port-number end-port end-port-number not supported | classifier tcl-name not supported; inbound-interface interface-type interface-number not supported; local-precedence local-precedence-list not supported; IPv6 ACL not supported; rtp start-port start-port-number end-port end-port-number not supported | classifier tcl-name not supported; inbound-interface interface-type interface-number not supported; local-precedence local-precedence-list not supported; IPv6 ACL not supported; rtp start-port start-port-number end-port end-port-number not supported |
| | | qos pql inbound-interface | No | No | No |
| | | qos pql protocol | No | No | No |
| | | qos cql inbound-interface | No | No | No |
| | | qos cql protocol | No | No | No |
| | | qos car | Yes | Yes | Yes |
| | | qos lr | No | No | No |
| | | qos map-table | Yes | Yes | Yes |
| | | redirect | Yes | Yes | Yes |
| | | Congestion management configuration commands | No | No | No |
| Security Command Reference | AAA commands | nas device-id device-id | No | No | No |
| | 802.1X commands | dot1x max-user | user-number ranges from 1 to | user-number ranges from 1 to | user-number ranges from 1 to |

| Volume | Module | Command | WX3024 | WX3010 | WX3008 |
| --- | --- | --- | --- | --- | --- |
| | MAC authentication commands | mac-authentication max-user user-number | user-number ranges from 1 to 1024 and defaults to | user-number ranges from 1 to 1024 and defaults to | user-number ranges from 1 to 1024 and defaults to |
| | Portal commands | portal server server-name method { direct layer3 redhcp } | layer3 | layer3 | layer3 |
| | | portal backup-group group-id | No | No | No |
| | | nas device-id device-id | No | No | No |
| | | radius nas-backup-ip ip-address | No | No | No |
| | | radius scheme radius-scheme-name nas-backup-ip ip-address | No | No | No |
| | | portal max-user max-number | max-number ranges from 1 to | max-number ranges from 1 to | max-number ranges from 1 to |
| | SSH2.0 commands | ssh client ipv6 source | No | No | No |
| | | ssh2 ipv6 | No | No | No |
| | | sftp client ipv6 source | No | No | No |
| | | sftp ipv6 | No | No | No |
| | Security protection commands | anti-attack protocol enable | Yes | Yes | Yes |
| | | anti-attack protocol threshold | Yes | Yes | Yes |
| | | display anti-attack { 11mac admin all arp data dhcp dot1x hwtacas icmp igmp lwapp nd ntp pim radius } | No | No | No |
| | | display anti-attack { protocol protocol all } | Yes | Yes | Yes |

| Volume | Module | Command | WX3024 | WX3010 | WX3008 |
| --- | --- | --- | --- | --- | --- |
| Network Management and Monitoring Command Reference | System maintenance and debugging commands | ping ipv6 | No | No | No |
| | | tracert ipv6 | No | No | No |
| | Information center commands | display logfile buffer | No | No | No |
| | | display logfile summary | No | No | No |
| | | info-center logfile enable | No | No | No |
| | | info-center logfile frequency | No | No | No |
| | | info-center logfile size-quota | No | No | No |
| | | info-center logfile switch-directory | No | No | No |
| | | logfile save | No | No | No |
| OAA | OAA commands | mcms connect | No | No | No |
| | | mcms reboot | No | No | No |
| | | oap connect slot | Yes | Yes | Yes |
| | | oap management-ip | Yes | Yes | Yes |
| | | oap reboot slot | Yes | Yes | Yes |
| | | ACSEI server configuration commands | No | No | No |
| | | ACSEI client configuration commands | No | No | No |

5 WLAN Interface Configuration

This chapter includes these sections:
WLAN-ESS Interface
WLAN-DBSS Interface
WLAN Mesh Interface
Displaying and Maintaining a WLAN Interface

WLAN-ESS Interface

Introduction

WLAN-ESS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 access Ethernet ports and have Layer 2 attributes. They also support multiple Layer 2 protocols. A WLAN-ESS interface can also be used as a template for configuring WLAN-DBSS interfaces. WLAN-DBSS interfaces created on a WLAN-ESS interface adopt the configuration of the WLAN-ESS interface.

Entering WLAN-ESS Interface View

Follow these steps to enter WLAN-ESS interface view:

| To do | Use the command | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enter WLAN-ESS interface view | interface wlan-ess interface-number | Required. If the WLAN-ESS interface does not exist, this command creates the WLAN-ESS interface first. |

Configuring a WLAN-ESS Interface

You can configure the description of a WLAN-ESS interface and assign the interface to a common VLAN or multicast VLAN. This section only lists the features available on WLAN-ESS interfaces. For detailed information about these features and commands, refer to the corresponding sections in the product manual.

Follow these steps to configure a WLAN-ESS interface:

| To do | Use the command |
| --- | --- |
| Configure the description of the interface | description |
| Configure the VLAN | port access vlan; port hybrid vlan; port link-type |
| Configure multicast: configure multicast VLAN | port multicast-vlan |
| Configure multicast: configure IPv6 multicast VLAN | port multicast-vlan ipv6 |

| To do | Use the command |
| --- | --- |
| Configure a MAC authentication guest VLAN | mac-authentication guest-vlan |

Before executing the port access vlan command, make sure that the VLAN identified by the vlanid argument already exists. You can use the vlan command to create a VLAN. For more information about the port access vlan command, see VLAN in the Layer 2 LAN Switching Command Reference.

Some configurations of a WLAN-ESS interface (including those related to 802.1X authentication, MAC authentication, MAC VLAN, port attributes, port security, and QoS) cannot be modified while WLAN-DBSS interfaces created on it exist, and the WLAN-ESS interface cannot be removed either.

WLAN-DBSS Interface

Introduction

WLAN-DBSS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 Ethernet ports of the access type and have Layer 2 attributes. They also support multiple Layer 2 protocols and 802.1X. A WLAN-DBSS interface created on a WLAN-ESS interface adopts the configuration of the WLAN-ESS interface.

On a wireless switch, the WLAN module dynamically creates a WLAN-DBSS interface for each wireless access service and removes the interface after the service expires.

WLAN Mesh Interface

Introduction

WLAN mesh interfaces are Layer 2 virtual interfaces. You can use them as configuration templates to make and save settings for WLAN mesh link interfaces. Once a WLAN mesh link interface is created, you will not be allowed to change the settings on its associated WLAN mesh interface.

Entering WLAN Mesh Interface View

Follow these steps to enter WLAN mesh interface view:

| To do | Use the command | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enter WLAN mesh interface view | interface wlan-mesh interface-number | Required. If the specified WLAN mesh interface does not exist, this command creates the WLAN mesh interface first. |

Configuring a WLAN Mesh Interface

The following table lists the commands used for configuring a WLAN mesh interface.

| To do | Use the command | Remarks |
| --- | --- | --- |
| Configure the description of the WLAN mesh interface | description | |
| Configure VLAN settings | port link-type; port access; port trunk; port hybrid; port multicast-vlan | |

Displaying and Maintaining a WLAN Interface

| To do | Use the command | Remarks |
| --- | --- | --- |
| Display information about WLAN-ESS interfaces | display interface wlan-ess [ interface-number ] | Available in any view |
| Display information about WLAN-DBSS interfaces | display interface wlan-dbss [ interface-number ] | Available in any view |
| Display information about WLAN-Mesh interfaces | display interface wlan-mesh [ interface-number ] | Available in any view |

6 WLAN Service Configuration

This chapter includes these sections:
WLAN Service Overview
802.11 Overview
CAPWAP Overview
WLAN Topologies
Protocols and Standards
Configuring WLAN Service
Configuring AP Group
Configuring SSID-Based Access Control
Configuring Uplink Detection
Configuring AC Hot Backup
AP Registration Configuration Examples
WLAN Service Configuration Examples
AP Group Configuration Examples

WLAN Service Overview

Wireless Local Area Networks (WLANs) have become very popular because they are easy to set up and use, and have a low maintenance cost. Generally, one or more access points (APs) can cover a building or an area. A WLAN is not completely wireless because the servers in the backbone are fixed.

The WLAN solution allows you to provide the following wireless LAN services to your customers:
WLAN client connectivity to conventional LANs
Secured WLAN access with different authentication and encryption methods
Seamless roaming of WLAN clients in the mobility domain

Terminology

Client: A handheld computer or laptop with a wireless Network Interface Card (NIC) can be a WLAN client.
Access point (AP): An AP bridges frames between wireless and wired networks.
Access controller (AC): An AC can control and manage all APs in a WLAN. The AC communicates with an authentication server for WLAN client authentication.
SSID: Service set identifier. A client first scans all networks, and then selects a specific SSID to connect to a specific wireless network.

Wireless Client Access

A wireless client access process involves three steps: active/passive scanning of surrounding wireless services, authentication, and association, as shown in Figure 6-1.

Figure 6-1 Establish a client access

Scanning

A wireless client can get the surrounding wireless network information in two ways: passive scanning or active scanning. With passive scanning, a wireless client gets wireless network information by listening to Beacon frames sent by surrounding APs; with active scanning, a wireless client actively sends a probe request frame during scanning, and gets network signals through the received probe response frames.

In practice, a wireless client usually uses both passive scanning and active scanning to get information about surrounding wireless networks.

1) Active scanning

When a wireless client operates, it periodically searches for (that is, scans) surrounding wireless networks. Active scanning falls into two modes according to whether a specified SSID is carried in a probe request.

A client sends a probe request (with the SSID null, that is, the SSID IE length is 0): The client periodically sends a probe request frame on each of its channels to scan wireless networks. APs that receive the probe request send a probe response, which carries the available wireless network information. The client associates with the AP with the strongest signal. This active scanning mode enables a client to actively learn about the available wireless services and access the proper wireless network as needed. The active scanning process of a wireless client is shown in Figure 6-2.

Figure 6-2 Active scanning (the SSID of the probe request is null, that is, no SSID information is carried)

A client sends a probe request (with a specified SSID): When the wireless client is configured to access a specific wireless network or has already successfully accessed a wireless network, the client periodically sends a probe request carrying the specified SSID of the configured or connected wireless network. When an AP that can provide the wireless service with the specified SSID receives the probe request, it sends a probe response. This active scanning mode enables a client to access a specified wireless network. The active scanning process is shown in Figure 6-3.

Figure 6-3 Active scanning (the probe request carries the specified SSID AP 1)

2) Passive scanning

Passive scanning is used by clients to discover surrounding wireless networks by listening to the beacon frames periodically sent by an AP. All APs providing wireless services periodically send beacon frames, so that wireless clients can periodically listen to beacon frames on the channels to get information about surrounding wireless networks. Passive scanning is used by a client when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode. The passive scanning process is shown in Figure 6-4.
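The two active scanning modes described above differ only in the length of the SSID information element carried in the probe request. The following Python sketch is an added example, not part of the H3C guide: it classifies probe requests as wildcard (SSID IE length 0) or directed. It assumes each frame starts at the 802.11 MAC header with no capture header or FCS, and the sample frames and MAC address are constructed.

```python
"""Classify 802.11 probe requests as wildcard (null SSID) or directed."""

MGMT_HEADER_LEN = 24        # frame control, duration, addr1-3, sequence control
TYPE_MANAGEMENT = 0
SUBTYPE_PROBE_REQUEST = 4
IE_SSID = 0
MAX_SSID_LEN = 32


def iter_information_elements(body):
    """Yield (element_id, value) pairs; raise ValueError on a truncated element."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated information element header")
        element_id, length = body[pos], body[pos + 1]
        end = pos + 2 + length
        if end > len(body):
            raise ValueError("information element overruns the frame body")
        yield element_id, body[pos + 2:end]
        pos = end


def classify_probe_request(frame):
    """Return ("wildcard", None) or ("directed", ssid) for a probe request."""
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("frame shorter than an 802.11 management header")
    frame_control = frame[0]
    frame_type = (frame_control >> 2) & 0x3
    subtype = (frame_control >> 4) & 0xF
    if frame_type != TYPE_MANAGEMENT or subtype != SUBTYPE_PROBE_REQUEST:
        raise ValueError("not a probe request")
    for element_id, value in iter_information_elements(frame[MGMT_HEADER_LEN:]):
        if element_id != IE_SSID:
            continue
        if len(value) > MAX_SSID_LEN:
            raise ValueError("SSID longer than 32 octets")
        if not value:                       # SSID IE length 0: null SSID
            return ("wildcard", None)
        return ("directed", value.decode("utf-8", errors="replace"))
    raise ValueError("probe request carries no SSID element")


def tally(frames):
    """Count wildcard probes, directed probes per SSID, and malformed frames."""
    result = {"wildcard": 0, "directed": {}, "malformed": 0}
    for frame in frames:
        try:
            kind, ssid = classify_probe_request(frame)
        except ValueError:
            result["malformed"] += 1
            continue
        if kind == "wildcard":
            result["wildcard"] += 1
        else:
            result["directed"][ssid] = result["directed"].get(ssid, 0) + 1
    return result


def build_probe_request(client_mac, ssid):
    """Build a constructed sample probe request (no FCS) for the demo below."""
    broadcast = b"\xff" * 6
    header = (bytes([SUBTYPE_PROBE_REQUEST << 4, 0x00])   # frame control
              + b"\x00\x00"                                # duration
              + broadcast + client_mac + broadcast         # addr1, addr2, addr3
              + b"\x00\x00")                               # sequence control
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid
    rates_ie = bytes([1, 4]) + b"\x82\x84\x8b\x96"         # supported rates
    return header + ssid_ie + rates_ie


# Constructed sample data: one wildcard probe, two directed probes, one cut short.
SAMPLE_MAC = b"\x02\x00\x00\x00\x00\x01"
SAMPLE_FRAMES = [
    build_probe_request(SAMPLE_MAC, b""),
    build_probe_request(SAMPLE_MAC, b"corp-wlan"),
    build_probe_request(SAMPLE_MAC, b"corp-wlan"),
    build_probe_request(SAMPLE_MAC, b"corp-wlan")[:MGMT_HEADER_LEN + 3],
]

if __name__ == "__main__":
    print(tally(SAMPLE_FRAMES))
```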

Figure 6-4 Passive scanning

Authentication

To secure wireless links, wireless clients must be authenticated before accessing the AP, and only wireless clients passing the authentication can be associated with the AP. 802.11 links define two authentication mechanisms: open system authentication and shared key authentication.
Open system authentication
Shared key authentication

For more information about the two authentication mechanisms, see WLAN Security in the WLAN Configuration Guide.

Association

A client that wants to access a wireless network via an AP must be associated with that AP. Once the client chooses a compatible network with a specified SSID and passes the link authentication to an AP, it sends an association request frame to the AP. The AP examines the capability information carried in the association request frame, determines the capability supported by the wireless client, and sends an association response to the client to notify the client of the association result. Usually, a client can associate with only one AP at a time, and an association process is always initiated by the client.

Other related procedures

1) De-authentication

A de-authentication frame can be sent by either an AP or a wireless client to break an existing link. In a wireless system, de-authentication can occur for many reasons, such as:
Receiving an association/disassociation frame from a client which is unauthenticated.
Receiving a data frame from a client which is unauthenticated.
Receiving a PS-Poll frame from a client which is unauthenticated.

2) Dissociation

A dissociation frame can be sent by an AP or a wireless client to break the current wireless link. In the wireless system, dissociation can occur for many reasons, such as:
Receiving a data frame from a client which is authenticated and unassociated.
Receiving a PS-Poll frame from a client which is authenticated and unassociated.

802.11 Overview

The WLAN-MAC primarily includes the implementation of IEEE 802.11 MAC layer functionality.

Various modes of MAC are:
Local-MAC Architecture
Split-MAC Architecture

In local-MAC architecture, most WLAN services are provided by the AP only. Currently, local-MAC architecture is not supported.

In split-MAC architecture, the AP and the AC manage different services.

CAPWAP Overview

Introduction to CAPWAP

Control And Provisioning of Wireless Access Points (CAPWAP) defines how an AP communicates with an AC. It provides a generic encapsulation and transport mechanism between AP and AC, as shown in Figure 6-5.

Figure 6-5 CAPWAP

CAPWAP runs on an AP and an AC to provide a secured connection between them. It is built on a standard client/server model and employs UDP.

On an AP, CAPWAP provides a data tunnel to encapsulate data packets to be sent to the AC. These packets can be raw 802.11 packets or 802.11 to 802.3 translated packets. On an AC, CAPWAP provides a control tunnel to support remote AP configuration and management, and WLAN and mobile management. With CAPWAP, the AC can dynamically configure an AP based on the information provided by the administrator.

CAPWAP supports both IPv4 and IPv6.

CAPWAP Link Backup

Dual link establishment

To achieve AC backup, an AP can establish two tunnel links with two different ACs, and the configuration of the AP on the two ACs must be the same. Only the AC that works in master mode provides services to all the APs in the network; the slave AC acts as the backup AC. If the master AC fails, APs should quickly use the services provided by the slave AC. A heartbeat mechanism is used between the two ACs, which ensures that failure of the master is detected quickly by the backup AC.
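The requirement above that an AP's configuration be the same on both ACs can be checked offline before a switchover is ever needed. The following Python sketch is an added example, not H3C tooling: it compares the `wlan ap` template sections of two saved configurations. It assumes the usual layout of `#`-separated sections with space-indented sub-commands, and treats `backup-ac` and `priority level` as per-AC settings that are expected to differ; the sample configurations, model name and serial IDs are constructed.

```python
"""Compare AP templates in two AC configurations used for CAPWAP dual-link."""

# Assumption: these AP-template commands are set per AC and may legitimately differ.
PER_AC_PREFIXES = ("backup-ac ", "priority level ")


def parse_ap_templates(config_text):
    """Return {ap_name: {"model": str, "lines": set of command paths}}."""
    templates = {}
    current = None
    stack = []                          # (indent, command) of enclosing sub-views
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text == "#":     # section separator ends the template
            current = None
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            tokens = text.split()
            current = None
            if tokens[:2] == ["wlan", "ap"] and len(tokens) >= 5 and tokens[3] == "model":
                current = {"model": tokens[4], "lines": set()}
                templates[tokens[2]] = current
                stack = []
            continue
        if current is None:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        # Keep the enclosing sub-view so "radio 1 > channel 6" differs from radio 2.
        path = " > ".join([cmd for _, cmd in stack] + [text])
        stack.append((indent, text))
        if not text.startswith(PER_AC_PREFIXES):
            current["lines"].add(path)
    return templates


def compare_acs(first_config, second_config):
    """Report AP templates that are missing or differ between the two ACs."""
    first = parse_ap_templates(first_config)
    second = parse_ap_templates(second_config)
    report = {
        "only_on_first": sorted(set(first) - set(second)),
        "only_on_second": sorted(set(second) - set(first)),
        "mismatched": {},
    }
    for name in sorted(set(first) & set(second)):
        diff = {}
        if first[name]["model"] != second[name]["model"]:
            diff["model"] = (first[name]["model"], second[name]["model"])
        only_first = sorted(first[name]["lines"] - second[name]["lines"])
        only_second = sorted(second[name]["lines"] - first[name]["lines"])
        if only_first or only_second:
            diff["only_on_first"] = only_first
            diff["only_on_second"] = only_second
        if diff:
            report["mismatched"][name] = diff
    return report


# Constructed sample configurations (model, serial IDs and radio lines are illustrative).
AC1_CONFIG = """#
wlan ap ap1 model EXAMPLE-MODEL id 1
 serial-id EXAMPLESERIAL0001
 echo-interval 10
 client idle-timeout 3600
 backup-ac ip 192.0.2.2
 priority level 7
 radio 1
  channel 6
#
wlan ap ap2 model EXAMPLE-MODEL id 2
 serial-id EXAMPLESERIAL0002
 backup-ac ip 192.0.2.2
 priority level 7
#
"""

AC2_CONFIG = """#
wlan ap ap1 model EXAMPLE-MODEL id 1
 serial-id EXAMPLESERIAL0001
 echo-interval 10
 client idle-timeout 600
 backup-ac ip 192.0.2.1
 radio 1
  channel 11
#
"""

if __name__ == "__main__":
    import json
    print(json.dumps(compare_acs(AC1_CONFIG, AC2_CONFIG), indent=2))
```

In the sample, ap2 exists only on the first AC and ap1 differs in its idle timeout and radio channel, which are the kinds of mismatch that would surface only after a switchover.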

Figure 6-6 LWAPP dual link topology

In the above figure, AC 1 is working in master mode and providing services to AP 1, AP 2, AP 3 and AP 4. AC 2 is working in slave mode. APs are connected to AC 2 through LWAPP slave tunnels. AC 1 and AC 2 can be configured as backup for each other and should start master/slave detection. When AC 2 detects that AC 1 is down, AC 2 will convert its work mode from slave to master. All APs which are connected to AC 2 through slave tunnels will transform the tunnels to master tunnels and use AC 2 as the master AC. Once AC 1 is reachable again, it will remain the backup.

Primary AC recovery

Figure 6-7 Primary AC recovery

In the above figure, AC 1 acting as the primary AC is the master (which has the connection priority of 7), and it establishes a CAPWAP connection with the AP; AC 2 acts as the slave AC. If AC 1 goes down, AC 2 will act as the master until recovery of AC 1. This means once AC 1 is reachable again, the AP will establish a connection with AC 1 and disconnect from AC 2.

Dual work mode

Figure 6-8 Dual work mode

Dual work mode indicates that an AC can provide both master and slave connections. An AC will act as the master for some APs and act as the slave for some other APs. In the above scenario, AC 1 acts as the master for AP 1 and slave for AP 2. Similarly, AC 2 acts as the master for AP 2 and slave for AP 1.

WLAN Topologies

WLAN Topologies for ACs

WLAN topologies for ACs consist of:
Single BSS
Multi-ESS
VLAN-based WLAN
Centralized WLAN

Single BSS

The coverage of an AP is called a basic service set (BSS). Each BSS is identified by a BSSID. The most basic WLAN network can be established with only one BSS. All wireless clients associate with the same BSS. If these clients have the same authorization, they can communicate with each other. Figure 6-9 shows a single-BSS WLAN.

Figure 6-9 Single BSS network

The clients can communicate with each other and reach a host in the Internet. Communications between clients within the same BSS are carried out through the AP and the AC.

Multi-ESS

All the clients under the same logical administration form an extended service set (ESS). This multi-ESS topology describes a scenario where more than one ESS exists. When a mobile client joins the AP, it can join one of the available ESSs. Figure 6-10 shows a multi-ESS network.

Figure 6-10 Multi-ESS network

Generally, an AP can provide more than one ESS at the same time. The configuration of ESS is distributed mainly from AC to AP, and the AP can broadcast the current information of ESS by beacon or probe response frames. A client can select the ESS it wants to join.

Different ESS domains can be configured on the AC. The AC can be configured to allow associated APs to accept clients in these ESS domains once their credentials are accepted.

Centralized WLAN

Centralized WLAN is a unified solution for wireless local area networks. Figure 6-11 shows a centralized WLAN network.

Figure 6-11 Centralized WLAN network

In this network, there are two ACs and three APs. An AP can connect with an AC directly, or over a Layer 2 or Layer 3 network. The other AC serves as the backup.

During initialization, an AP obtains its basic network configuration parameters, such as its own IP address, gateway address, domain name and DNS server address from a DHCP server.

An AP uses a discovery mechanism to locate the AC. For example, using the unicast discovery mechanism, the AP can request the DNS server to provide the IP address of the AC.

The following describes a basic communication process in the centralized WLAN network.
1) A client gets associated with an AP in the network.
2) The AP communicates with the AC for authenticating the client's credential.
3) The AC contacts the authentication server to authenticate the client.
4) Once the wireless client passes authentication, it can access authorized WLAN services and communicate with other wireless clients or wired devices.

Protocols and Standards

ANSI/IEEE Std 802.11, 1999 Edition
IEEE Std 802.11a
IEEE Std 802.11b
IEEE Std 802.11g
IEEE Std 802.11i
IEEE Std

Configuring WLAN Service

Configuration Task List

Task Description
Enabling WLAN Service
Specifying a Country Code
Configuring Software Version Automatic Update
Configuring a WLAN Service Template
Configuring an AP
Configuring Auto AP
Configuring CAPWAP Dual-Link
Configuring Radio Parameters
Configuring a Radio Policy on an AC
Configuring 802.11n
Required Required Required Required Required Required

Enabling WLAN Service

WLAN service is a component of the Comware platform, and can be enabled or disabled at runtime.

Follow these steps to enable WLAN service:

| To do | Use the command | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enable WLAN service | wlan enable | By default, WLAN service is enabled and WLAN service enabled is displayed. |

Specifying a Country Code

A country code identifies the country in which you want to operate radios. It determines characteristics such as operating power level and total number of channels available for the transmission of frames. You must set the valid country code or area code before configuring an AP.

Follow these steps to specify the country code:

| To do | Use the command | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Specify the country code | wlan country-code code | By default, the country code is CN. |

For more information about country codes, see WLAN Services in the WLAN Command Reference.

Configuring Software Version Automatic Update

A fit AP is a zero-configuration device. It can automatically discover an AC after power-on. To ensure that a fit AP can associate with an AC, their software versions must be consistent by default, which complicates maintenance. This task allows you to designate the software version of an AP on the AC, so that they can associate with each other even if their software versions are inconsistent.

Follow these steps to configure software version automatic update:

| To do | Use the command | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Configure software version automatic update | wlan apdb model-name hardware-version software-version | By default, the software version will be the value initialized by the driver, namely, the software versions of the fit AP and the AC should be consistent. |

Configuring a WLAN Service Template

A WLAN service template includes attributes such as SSID, WLAN-ESS interface binding, and authentication method (open-system or shared key) information. A service template can be of clear or crypto type.

Follow these steps to configure a service template:

| To do | Use the command | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Create a WLAN-ESS interface | interface wlan-ess interface-index | |
| Exit interface view | quit | |
| Create a WLAN service template and enter WLAN service template view | wlan service-template service-template-number { clear crypto } | Required. No WLAN service template is created by default. |
| Specify the service set identifier | ssid ssid-name | Required. By default, no SSID is set. |

| To do | Use the command | Remarks |
| --- | --- | --- |
| Disable the advertising of SSID in beacon frames | beacon ssid-hide | By default the SSID is advertised in beacon frames. Note that hiding the SSID does very little to increase security. |
| Bind the WLAN-ESS interface to the service template | bind wlan-ess interface-index | Required |
| Enable local forwarding | client forwarding-mode local [ vlan vlan-id-list ] | |
| Specify an authentication method | authentication-method { open system shared key } | Required. For related configuration about the shared key, see WLAN Security in the WLAN Configuration Guide. |
| Specify the maximum number of clients allowed to associate with the same radio | client max-count max-number | 64 by default. |
| Enable the service template | service-template enable | Required. Disabled by default. |

If a clear type service template exists, you cannot change it to crypto. To do so, you must delete the clear type service template, and configure a new service template with type as crypto.

Configuring an AP

Access Points are used to set up connections between the AC and stations. An AP uses radio signals to communicate with wireless clients and uses an uplink interface to connect to the wired network.

Follow these steps to configure an AP on the AC:

| To do | Use the command | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Specify the AP name and its model number and enter AP template view | wlan ap ap-name model model-name [ id ap-id ] | The model number needs to be specified only during new AP template creation. |
| Configure a description for the AP | description text | |
| Configure the echo interval for the AP | echo-interval interval | By default, the echo interval is 10 seconds. |
| Set the CIR for packets sent from AC to AP | cir committed-information-rate [ cbs committed-burst-size ] | By default, no CIR is set for an AP. |
| Configure the AP name | ap-name name | By default, no AP name is configured. |
| Configure the jumbo frame threshold | jumboframe enable value | By default, the jumbo frame functionality is disabled. |

To do | Use the command | Remarks
Enable the AP to respond to broadcast probe requests that have no SSID | broadcast-probe reply | Enabled by default.
Specify the client idle timeout interval | client idle-timeout interval | By default, the client idle timeout is 3600 seconds. If no data is received from an associated client within the interval, the AP will remove it from the network.
Specify the client keep alive interval | client keep-alive interval | By default, the client keep-alive function is disabled.
Configure the priority for the AP to connect to the AC | priority level priority | The default is
Configure the CPU usage threshold of the AP | cpu-usage threshold integer | by default.
Configure the memory usage threshold of the AP | memory-usage threshold integer | 90 by default.
Exit AP template view | quit | -
Configure the discovery policy type as unicast | wlan lwapp discovery-policy unicast | By default, the AC receives broadcast discovery messages.
Enable/disable WLAN radios | wlan radio { disable enable } { radio-policy radio-policy-name all dot11a dot11an dot11b dot11g dot11gn } | Required. By default, no WLAN radio is enabled.

Configuring Auto AP

The auto AP feature allows an AP to automatically connect to an AC. When you deploy a wireless network with many APs, the auto AP function avoids configuration of many AP serial IDs, thus simplifying configuration.

Follow these steps to configure auto AP:

To do | Use the command | Remarks
Enter system view | system-view | -
Enable the auto-ap function | wlan auto-ap enable | Enabled by default.
Enter AP template view | wlan ap ap-name model model-name | The model number of the AP is specified only if an AP template is created.
Set auto-ap serial ID | serial-id auto | Required.
Exit AP template view | quit | -

To do | Use the command | Remarks
Convert auto AP into configured AP | wlan auto-ap persistent { all name auto-ap-name [ new-ap-name ] } | -

Configuring CAPWAP Dual-Link

Follow these steps to configure CAPWAP dual-link:

To do | Use the command | Remarks
Enter system view | system-view | -
Specify the address of the global backup AC | wlan backup-ac { ip ipv4-address ipv6 ipv6-address } | By default, no backup AC address exists. The backup AC configured in AP template view takes precedence over that configured in system view.
Enter AP template view | wlan ap ap-name model model-name | The model number needs to be specified only during new AP template creation.
Specify an IPv4/IPv6 backup AC | backup-ac { ip ipv4-address ipv6 ipv6-address } | By default, the global backup AC, if specified, is used by the AP. The backup AC configured in AP template view takes precedence over that configured in system view.
Specify the AP connection priority for the AC | priority level priority | By default, the AP connection priority of the AC is 4. If an AC has an AP connection priority of 7, the AC becomes the primary AC. When the primary AC fails and then recovers, it will re-establish connections with APs and become the master AC.

When configuring CAPWAP dual-link, ensure that the configurations of APs made on the two ACs are identical; otherwise, when a switchover occurs between the two ACs, the associated APs cannot work normally.

Configuring Radio Parameters

Radio parameters include radio type, channel, and the maximum power. If a radio has a policy mapped, all the parameters in the policy apply to the radio.

Follow these steps to configure the radio of an AP:

To do | Use the command | Remarks
Enter system view | system-view | -

To do | Use the command | Remarks
Enter AP template view | wlan ap ap-name model model-number | -
Specify a radio type for the radio and enter radio view | radio radio-number [ type { dot11a dot11an dot11b dot11g dot11gn } ] | Required. The default varies by device. WLAN supports customizing the default radio type for AP models.
Map a service template to the current radio | service-template service-template-number [ vlan vlan-id ] | Required.
Configure a channel: specify a channel number for the radio; set the channel mode to auto (in this mode, you can lock the current channel) | channel channel-number; channel auto; channel lock | By default: auto mode is enabled. No channel is locked. For more information about the commands, see WLAN Service in the WLAN Command Reference.
Configure the radio power: specify the maximum radio power; lock the current power | max-power radio-power; power lock | By default: The maximum radio power varies with country codes, channels, AP models, radio types and antenna types. If 802.11n is adopted, the maximum radio power also depends on the bandwidth mode. The current power is not locked. For more information about the commands, see WLAN Service in the WLAN Command Reference.
Specify the preamble type | preamble { long short } | By default, the short preamble is. This command does not apply to 802.11a radios.
Enable Adaptive Noise Immunity (ANI) function | ani enable | By default, ANI is enabled.
Bind a radio policy to the current radio | radio-policy radio-policy-name | By default, the default_rp radio policy is bound to a radio. The radio policy must have been configured with the wlan radio-policy command.
Enable the radio | radio enable | Required.

Configuring a Radio Policy on an AC

Follow these steps to configure a radio policy on an AC:

To do | Use the command | Remarks
Enter system view | system-view | -
Create a radio policy and enter radio policy view | wlan radio-policy radio-policy-name | -
Set the interval for sending beacon frames | beacon-interval interval | By default, the beacon interval is 100 time units (TUs).
Set the number of beacon intervals between DTIM frames | dtim counter | By default, the DTIM counter is 1.
Specify the maximum length of packets that can be transmitted without fragmentation | fragment-threshold size | By default, the fragment threshold is 2346 bytes.
Specify the request to send (RTS) threshold length | rts-threshold size | By default, the RTS threshold is 2346 bytes.
Set the maximum number of retransmission attempts for frames larger than the RTS threshold | long-retry threshold count | By default, the long retry threshold is 4.
Specify the maximum number of attempts to transmit a frame shorter than the RTS threshold | short-retry threshold count | By default, the short retry threshold is 7.
Specify the interval for the AP to hold received packets | max-rx-duration interval | By default, the interval is 2000 milliseconds.
Specify the maximum number of clients | client max-count max-number | 64 by default.

Configuring 802.11n

As the next generation wireless LAN technology, 802.11n supports both 2.4GHz and 5GHz bands. It provides higher-speed services to customers by using the following methods:

1) Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other acting as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.
2) Improving channel utilization through the following ways:
802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple Message Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and thus improves network throughput.
Similar to MPDU aggregation, multiple MAC Service Data Units (MSDU) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.

To improve physical layer performance, 802.11n introduces the short GI function, which shortens the GI interval of 800 us in 802.11a/g to 400 us. This can increase the data rate by 10 percent.

Follow these steps to configure 802.11n:

To do | Use the command | Remarks
Enter system view | system-view | -
Enter AP template view | wlan ap ap-name model model-name | -
Enter radio view | radio radio-number type { dot11an dot11gn } | -
Specify the bandwidth mode for the radio | channel band-width { } | By default, an 802.11a/n radio operates in 40 MHz mode, and an 802.11g/n radio operates in 20 MHz mode.
Enable access permission for 802.11n clients only | client dot11n-only | By default, an 802.11a/n radio permits both 802.11a and 802.11n clients to access, and an 802.11g/n radio permits both 802.11g and 802.11n clients to access.
Enable the short GI function | short-gi enable | Enabled by default.
Enable the A-MSDU function | a-msdu enable | Enabled by default.
Enable the A-MPDU function | a-mpdu enable | Enabled by default.
Enable the radio | radio enable | Required. Disabled by default. Before enabling the radio, you must configure the Modulation and Coding Scheme (MCS). For mandatory and 802.11n rates, see WLAN RRM in the WLAN Configuration Guide.

For more information about Modulation and Coding Scheme (MCS) index and mandatory and 802.11n rates, see WLAN RRM in the WLAN Configuration Guide.

Displaying and Maintaining WLAN Service

To do | Use the command | Remarks
Display AP information | display wlan ap { all name ap-name } [ verbose address radio ] | Available in any view

To do | Use the command | Remarks
Display the model information of a specified AP or all APs on the AC | display wlan ap-model { all name ap-name } | Available in any view
Display the reboot log information of an AP | display wlan ap reboot-log name ap-name | Available in any view
Display WLAN radio policy information | display wlan radio-policy [ radio-policy-name ] | Available in any view
Display WLAN service template information | display wlan service-template [ service-template-number ] | Available in any view
Display WLAN statistics | display wlan statistics { client [ all mac-address mac-address ] radio [ ap-name ] } | Available in any view
Display WLAN client information | display wlan client { ap ap-name [ radio radio-number ] mac-address mac-address service-template service-template-number } [ verbose ] | Available in any view
Reset AP connection(s) | reset wlan ap { all name ap-name } | Available in user view
Clear WLAN AP reboot logs | reset wlan ap reboot-log { all name ap-name } | Available in user view
Clear WLAN statistics | reset wlan statistics { radio [ ap-name ] client [ all mac-address ] } | Available in user view
Cut off WLAN client(s) | reset wlan client { all mac-address mac-address } | Available in user view

Configuring User Isolation

Introduction to VLAN-Based User Isolation

Without VLAN-based user isolation, devices in the same VLAN can access each other at Layer-2, which brings forth security problems. VLAN-based user isolation is designed to solve this problem. When an AC configured with user isolation receives unicast packets (broadcast packets and multicast packets in a VLAN are not isolated) from a wireless client to another wireless client or wired PC in the same VLAN, or from a wired PC to a wireless client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.

To avoid user isolation from affecting communications between users and the gateway, you can add the MAC address of the gateway to the list of permitted MAC addresses. User isolation both provides network services for users and isolates users, disabling them from communication at Layer-2 and thus ensuring service security.

Without VLAN-based user isolation

As shown in Figure 6-12, when VLAN-based user isolation is disabled on the AC, wireless clients A and B, and wired PC Host A in VLAN 2 can access each other directly, and can also access the Internet.

Figure 6-12 VLAN-based user isolation network diagram (Internet, gateway, AC, AP, Host A, Client A and Client B in VLAN 2)

With VLAN-based user isolation

When VLAN-based user isolation is enabled on the AC, Client A, Client B, and Host A in VLAN 2 access the Internet through the gateway.
If you add the MAC address of the gateway to the permitted MAC address list, Client A, Client B, and Host A in the same VLAN are isolated at Layer-2.
If you add the MAC address of a client (Client A, for example) to the permitted MAC address list, Client A and Client B can access each other directly, but Client B and Host A cannot.
To enable all the clients in the VLAN to access one another at Layer-2, you must add the MAC address of the gateway and the MAC addresses of the clients to the permitted MAC address list.

Configuring VLAN-Based User Isolation

Follow these steps to configure VLAN-based user isolation:

To do | Use the command | Remarks
Enter system view | system-view | -
Enable user isolation for the specified VLAN(s) | user-isolation vlan vlan-list enable | Required. By default, user isolation is disabled.
Specify permitted MAC addresses for the specified VLAN(s) | user-isolation vlan vlan-list permit-mac mac-list | Up to 16 permitted MAC addresses can be configured for a VLAN.
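The forwarding decision described above can be modelled to check a planned permit list before isolation is enabled. This is an added example, not H3C code: the rule that a unicast frame passes when either endpoint is on the permitted list is inferred from the Client A scenario above, and all MAC addresses are constructed.

```python
import re

MAX_PERMIT_MACS = 16  # from the page: up to 16 permitted MACs per VLAN


def norm_mac(mac):
    """Normalise xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx MACs to 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return bool(int(norm_mac(mac)[:2], 16) & 0x01)


class UserIsolation:
    """Per-VLAN state as set with 'user-isolation vlan ... enable / permit-mac'."""

    def __init__(self):
        self.enabled_vlans = set()
        self.permit = {}  # vlan -> set of normalised MACs

    def permit_mac(self, vlan, mac):
        macs = self.permit.setdefault(vlan, set())
        mac = norm_mac(mac)
        if mac not in macs and len(macs) >= MAX_PERMIT_MACS:
            raise ValueError(f"VLAN {vlan} already has {MAX_PERMIT_MACS} permitted MACs")
        macs.add(mac)

    def enable(self, vlan):
        self.enabled_vlans.add(vlan)

    def forwards(self, vlan, src, dst):
        """True if a frame from src to dst inside vlan is not isolated."""
        if vlan not in self.enabled_vlans:
            return True
        if is_group_address(dst):
            return True  # page: broadcast and multicast packets are not isolated
        permitted = self.permit.get(vlan, set())
        # Assumption inferred from the page's scenarios: one permitted endpoint is enough.
        return norm_mac(src) in permitted or norm_mac(dst) in permitted


def audit(policy, vlan, gateway_mac, hosts):
    """Return (findings, open_pairs) for hosts given as {name: mac}."""
    findings = []
    permitted = policy.permit.get(vlan, set())
    gateway = norm_mac(gateway_mac)
    if vlan in policy.enabled_vlans and gateway not in permitted:
        findings.append("gateway MAC is not permitted: hosts lose their path out of the VLAN")
    names_by_mac = {norm_mac(mac): name for name, mac in hosts.items()}
    for mac in sorted(permitted - {gateway}):
        findings.append(f"{names_by_mac.get(mac, mac)} is permitted: "
                        "every host in the VLAN can reach it at Layer 2")
    names = sorted(hosts)
    open_pairs = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                  if policy.forwards(vlan, hosts[a], hosts[b])]
    return findings, open_pairs


# Constructed sample data (locally administered unicast MACs).
GATEWAY = "0200-0000-00fe"
HOSTS = {"Client A": "0200-0000-000a",
         "Client B": "0200-0000-000b",
         "Host A": "0200-0000-0001"}


def demo():
    """Gateway-only permit list on VLAN 2: no findings, no open host pairs."""
    policy = UserIsolation()
    policy.permit_mac(2, GATEWAY)  # permit the gateway first, then enable
    policy.enable(2)
    return audit(policy, 2, GATEWAY, HOSTS)


if __name__ == "__main__":
    print(demo())
```

Every non-gateway entry reported by audit() is a host that the whole VLAN can reach directly again, so a permit list that is meant to isolate users should contain the gateway only.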

To avoid network disruption caused by user isolation, you are recommended to add the MAC address of the gateway to the permitted MAC address list and then enable user isolation.

Introduction to SSID-Based User Isolation

SSID-based user isolation disables wireless users that use the same SSID from accessing each other at Layer-2 to ensure the security of services and accounting accuracy.

Without SSID-based user isolation

As shown in Figure 6-13, when SSID-based user isolation is disabled for SSID office on the AC, wireless clients A and B using SSID office can access each other at Layer-2, and can also access the Internet.

Figure 6-13 SSID-based user isolation network diagram

With SSID-based user isolation

When SSID-based user isolation is enabled for SSID office on the AC, Client A and Client B using the same SSID can access the Internet through the gateway, but cannot access each other at Layer-2.

Configuring SSID-Based User Isolation

Follow these steps to configure SSID-based user isolation:

To do | Use the command | Remarks
Enter system view | system-view | -

To do | Use the command | Remarks
Configure a service template | wlan service-template service-template-number { clear crypto } | -
Enable SSID-based user isolation | user-isolation enable | Disabled by default.

Displaying and Maintaining User Isolation

To do | Use the command | Remarks
Display user isolation statistics | display user-isolation statistics [ vlan vlan-id ] | Available in any view
Clear user isolation statistics | reset user-isolation statistics [ vlan vlan-id ] | Available in user view

Configuring AP Group

Some wireless service providers need to control the access positions of clients. For example, as shown in the figure below, to meet security or billing needs, it is required to connect wireless clients 1, 2 and 3 to the wired network through APs 1, 2 and 3 respectively. To achieve this, you can configure an AP group and then apply the AP group in a user profile.

Figure 6-14 Client access control

Configuring an AP Group

Follow these steps to configure an AP group:

To do | Use the command | Remarks
Enter system view | system-view | -
Create an AP group and enter AP group view | wlan ap-group value | -

To do | Use the command | Remarks
Add specified APs into the AP group | ap template-name-list | Required. No AP is added by default. You can use this command repeatedly to add multiple APs, or add up to 10 APs in one command line. A nonexistent AP can be added.
Configure a description for the AP group | description text | Not configured by default.

Applying the AP Group in a User Profile

Follow these steps to apply the AP group in a user profile:

To do | Use the command | Remarks
Enter system view | system-view | -
Enter user profile view | user-profile profile-name | Required. If the user profile does not exist, you need to create it first.
Apply the AP group in the user profile | wlan permit-ap-group value | Required. No AP group is applied in the user profile by default.
Return to system view | quit | -
Enable the user profile | user-profile profile-name enable | Required. Not enabled by default.

Note that:
The name of the user profile must be identical to that of the external group on the RADIUS server.
To support roaming, all ACs in a mobility group must have the same profile name configured.

For more information about user profiles, see User Profile in the Security Configuration Guide.

Displaying and Maintaining AP Group

To do | Use the command | Remarks
Display AP group information | display wlan ap-group [ value ] | Available in any view

Configuring SSID-Based Access Control

When a user wants to access a WLAN temporarily, the administrator can specify a permitted SSID in the corresponding user profile so that the user can access the WLAN only through the SSID.

Specifying a Permitted SSID in a User Profile

After completing the configuration, the user profile needs to be enabled to take effect.

Follow these steps to specify a permitted SSID:

To do | Use the command | Remarks
Enter system view | system-view | -
Enter user profile view | user-profile profile-name | Required. If the specified user profile does not exist, this command will create it and enter its view.
Specify a permitted SSID | wlan permit-ssid ssid-name | Required. No permitted SSID is specified by default, that is, users can access the WLAN without SSID limitation.
Return to system view | quit | -
Enable the user profile | user-profile profile-name enable | Required. Not enabled by default.

For more information about user access control, see AAA in the Security Configuration Guide.
For more information about user profiles, see User Profile in the Security Configuration Guide.

Configuring Uplink Detection

When the uplink of an AC fails, clients cannot access external networks if they are associated with the AP connected to the AC. With the uplink detection function enabled, the AC detects the reachability to the uplink device through ICMP echo NQA test. When the uplink of the AC fails, it disables the clients from associating with the AP connected to it. Uplink detection ensures that when the uplink of an AC fails, clients can access external networks through APs connected to an AC whose uplink operates normally.

Figure 6-15 Uplink detection network diagram

Follow these steps to configure uplink detection:

To do | Use the command | Remarks
Enter system view | system-view | -
Specify a track entry to detect whether the uplink is reachable | wlan uplink track track-entry-number | By default, no track entry is specified.

For more information about track, see Track in the High Availability Configuration Guide.
For more information about NQA, see NQA in the Network Management and Monitoring Configuration Guide.

Configuring AC Hot Backup

Support for this feature depends on your device model.

As shown in the following figure, two ACs in a Layer 2 network are connected to each other through a service port to provide redundancy for the APs. An AP needs to establish two tunnel links with two ACs. The AC working in master mode provides services to all the APs in the network and the slave AC acts as the backup AC. A heartbeat mechanism is used between these two ACs, which ensures that failure of the master will be detected quickly by the backup AC. If the master AC fails, APs will quickly use the services provided by the slave AC.

Figure 6-16 LWAPP dual link connections

In the above figure, AC 1 is working in master mode and providing services to AP 1, AP 2, AP 3 and AP 4. AC 2 is working in slave mode. APs are connected to AC 2 through LWAPP slave tunnels. AC 1 and AC 2 are configured as backup for each other and start master/slave detection. When AC 2 detects AC 1 is down, AC 2 will convert the work mode from slave to master. All APs which are connected to AC 2 through slave tunnels will transform the tunnels to master tunnels and use AC 2 as the master AC.

Note that ACs in a roaming group cannot be set to work in AC hot backup mode.

Enabling AC Hot Backup

You can set the domain to which an AC belongs (a domain is a group of ACs that back up each other).

Follow these steps to enable AC hot backup:

To do | Use the command | Remarks
Enter system view | system-view | -
Enable AC hot backup | hot-backup enable [ domain domain-id ] * | Required. Disabled by default.

Configuring the VLAN ID of the Port Connected to Another AC

You can set the ID of the VLAN to which the port connected to another AC belongs.

Follow these steps to configure the VLAN ID of the port connected to another AC:

To do | Use the command | Remarks
Enter system view | system-view | -
Configure the VLAN ID of the port connected to another AC | hot-backup vlan vlan-id | By default, the port connected to another AC belongs to VLAN

Configuring the Interval for Sending Heartbeat Messages

If the master AC or backup AC does not receive any heartbeat packets from the peer within three heartbeat intervals, it considers the peer device disconnected.

Follow these steps to configure the interval for sending heartbeat messages:

To do | Use the command | Remarks
Enter system view | system-view | -
Configure the interval for sending heartbeat messages | hot-backup hellointerval hellointerval | 2000 milliseconds by default.

Displaying the AC Connection State

To do | Use the command | Remarks
Display the AC connection state | display hot-backup state | Available in any view

AP Registration Configuration Examples

Configuration Example for AP Registration Through DHCP Option 43

Network requirements

As shown in Figure 6-17, the AP and ACs reside on different subnets. The AP acts as a DHCP client to obtain its IP address and AC addresses from the DHCP server on the Layer 3 switch. The DHCP server uses Option 43 to assign AC addresses.

In this example, Option 43 is configured as 80 0B A A , in which, 80 identifies the sub-option type; 0B identifies the sub-option length; identifies the PXE server type (For more information about the PXE server type, see DHCP Configuration in the Layer 3 IP Services Configuration Guide.); 02 indicates the number of ACs; 0A indicates the IP address of AC 1; 0A indicates the IP address of AC 2.

Figure 6-17 Network diagram for AP registration through DHCP Option 43 (AC 1, AC 2, DHCP server on the L3 switch, AP as DHCP client, client)

Configuration procedures

1) Specify an IP address for each interface (omitted)
2) Configure a route to subnet on AC 1 and AC 2 respectively (omitted).
3) Configure the DHCP server.
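The Option 43 layout described in the network requirements can be built and checked in code, so that the hex string entered on the DHCP server lists only the intended ACs. This is an added example, not H3C code: the two-byte width of the PXE server type field is inferred from the 0B length with two ACs, and its 0000 value and the 192.0.2.x addresses are assumptions.

```python
import ipaddress

SUBOPT_TYPE = 0x80   # page: "80 identifies the sub-option type"
PXE_TYPE_LEN = 2     # inferred: 0x0B = 2 (PXE type) + 1 (AC count) + 2 * 4 (addresses)


class Option43Error(ValueError):
    """Raised when a payload does not match the layout described on the page."""


def build_option43(ac_addresses, pxe_type=0x0000):
    """Return the hex string for 'option 43 hex ...'; pxe_type value is an assumption."""
    addrs = [ipaddress.IPv4Address(a) for a in ac_addresses]
    if not addrs:
        raise Option43Error("at least one AC address is required")
    body = pxe_type.to_bytes(PXE_TYPE_LEN, "big") + bytes([len(addrs)])
    body += b"".join(a.packed for a in addrs)
    if len(body) > 255:
        raise Option43Error("too many AC addresses for a one-byte length field")
    raw = bytes([SUBOPT_TYPE, len(body)]) + body
    return " ".join(f"{b:02X}" for b in raw)


def parse_option43(hex_string):
    """Decode a payload and verify type, length and AC count against each other."""
    try:
        raw = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise Option43Error(f"not valid hex: {exc}") from None
    if len(raw) < 2 + PXE_TYPE_LEN + 1:
        raise Option43Error("payload too short for type, length, PXE type and count")
    if raw[0] != SUBOPT_TYPE:
        raise Option43Error(f"sub-option type is {raw[0]:#04x}, expected 0x80")
    declared, body = raw[1], raw[2:]
    if declared != len(body):
        raise Option43Error(f"length byte says {declared}, payload carries {len(body)}")
    pxe_type = int.from_bytes(body[:PXE_TYPE_LEN], "big")
    count = body[PXE_TYPE_LEN]
    addr_bytes = body[PXE_TYPE_LEN + 1:]
    if len(addr_bytes) != 4 * count:
        raise Option43Error(f"AC count is {count}, but {len(addr_bytes)} address bytes follow")
    acs = [str(ipaddress.IPv4Address(addr_bytes[i:i + 4]))
           for i in range(0, len(addr_bytes), 4)]
    return {"pxe_type": pxe_type, "acs": acs}


def unapproved_acs(hex_string, approved):
    """List AC addresses in the payload that are not on the approved list."""
    approved_set = {str(ipaddress.IPv4Address(a)) for a in approved}
    return [ac for ac in parse_option43(hex_string)["acs"] if ac not in approved_set]


# Constructed sample: two ACs on documentation addresses.
SAMPLE_ACS = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    payload = build_option43(SAMPLE_ACS)
    print(payload)
    print(parse_option43(payload))
    print(unapproved_acs(payload, ["192.0.2.10"]))
```

Running parse_option43() over the value taken from the DHCP server's saved configuration catches a length or count byte that was not updated when an AC address was added or removed.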

# Enable DHCP.
<DHCP server> system-view
[DHCP server] dhcp enable
# Create DHCP address pool 0.
[DHCP server] dhcp server ip-pool 0
# Specify the IP address range for dynamic allocation in DHCP address pool 0.
[DHCP server-dhcp-pool-0] network mask
# Specify the gateway address for the client in DHCP address pool 0.
[DHCP server-dhcp-pool-0] gateway-list
# Configure Option 43.
[DHCP server-dhcp-pool-0] option 43 hex 80 0B A A

Configuration verification

Verify that the AP can obtain an IP address from the DHCP server and register with the ACs. You can use the display dhcp server ip-in-use command to view the IP address assigned to the AP.

After the AP is automatically registered, complete WLAN service configuration. For more information about WLAN service configuration, see WLAN Service Configuration Examples.

Configuration Example for AP Registration Through DNS

Network requirements

As shown in Figure 6-18, the AP and the ACs reside on different subnets. The AP automatically obtains its IP address, the ACs' domain name, and the DNS server address from the DHCP server on the Layer 3 switch. Then the DHCP client uses the ACs' domain name to get their IP addresses from the DNS server. The name format is H3C.XXXX.XXX, where XXXX.XXX is the ACs' domain name suffix.

In this example, the IP address of AC 1 is /24; the IP address of AC 2 is /24; and the ACs' domain name suffix is host.com; the gateway address is /24; the DNS server address is /24.

Figure 6-18 Network diagram for AP registration through DNS

Configuration procedures

1) Specify an IP address for each interface (omitted)
2) Configure a route to subnet on AC 1 and AC 2 respectively (omitted).
3) Configuring the DHCP server

# Enable DHCP.
<DHCP server> system-view
[DHCP server] dhcp enable
# Create DHCP address pool 0.
[DHCP server] dhcp server ip-pool 0
# Specify the IP address range for dynamic allocation in DHCP address pool 0.
[DHCP server-dhcp-pool-0] network mask
# Specify the gateway address in DHCP address pool 0.
[DHCP server-dhcp-pool-0] gateway-list
# Specify the DNS server address in DHCP address pool 0.
[DHCP server-dhcp-pool-0] dns-list
# Specify the ACs' domain name suffix host.com in DHCP address pool 0.
[DHCP server-dhcp-pool-0] domain-name host.com

Configuration verification

On the DNS server, create a domain named host.com, configure two hosts with name h3c, and configure the IP addresses of the two hosts as /24 and /24. Then the AP can automatically obtain the IP address from the DHCP server and obtain the IP addresses of the ACs from the DNS server.

After the AP is automatically registered, complete WLAN service configuration. For more information about WLAN service configuration, see WLAN Service Configuration Examples.

WLAN Service Configuration Examples

WLAN Service Configuration Example

Network requirements

As shown in Figure 6-19, it is required to enable the client to access the internal network resources at any time. More specifically:
The AP is connected to the AC through a Layer 2 switch.
The manually input serial ID of the AP is A29G007C
The AP provides plain-text wireless access service with SSID service.
The AP adopts 802.11g.

Figure 6-19 WLAN service configuration

Configuration procedure

1) Configuration on the AC
# Enable WLAN service, which is enabled by default.
<AC> system-view
[AC] wlan enable
# Create the WLAN ESS interface.
<AC> system-view

[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Define a clear type WLAN service template, configure the SSID as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure a radio policy (the default radio policy default_rp will be used if you don't want to configure a new radio policy for customizing related parameters).
[AC] wlan radio-policy radpolicy1
[AC-wlan-rp-radpolicy1] beacon-interval 200
[AC-wlan-rp-radpolicy1] dtim 4
[AC-wlan-rp-radpolicy1] rts-threshold 2300
[AC-wlan-rp-radpolicy1] fragment-threshold 2200
[AC-wlan-rp-radpolicy1] short-retry threshold 6
[AC-wlan-rp-radpolicy1] long-retry threshold 5
[AC-wlan-rp-radpolicy1] max-rx-duration 500
[AC-wlan-rp-radpolicy1] quit
# Create an AP template named ap1, and specify its model as WA2100, and serial ID as A045B05B
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A045B05B
[AC-wlan-ap-ap1] description L3Office
# Specify the radio type as 802.11g, and channel as 11.
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio-1] channel 11
# Bind radio policy radpolicy1 to radio 1, and bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] radio-policy radpolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1] quit

2) Configuration verification
The clients can associate with the APs. You can use the display wlan client and display connection commands to view the online clients.

WLAN Auto-AP Configuration Example

Network requirements

As shown in the following figure, an AC is connected to a Layer 2 switch. AP 1 and AP 2 are connected to the AC through the L2 switch. AP 1, AP 2 and the AC are in the same network. AP 1 and AP 2 get their IP address from the DHCP server. It is required to enable the auto-ap function to enable APs to automatically connect to the AC.

Figure 6-20 WLAN service configuration

Configuration procedure

1) Configuration on the AC
# Create a WLAN ESS interface.
<AC> system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Define a WLAN service template of clear type, configure its SSID as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure a radio policy (the default radio policy default_rp will be used if you don't want to configure a new radio policy for customizing related parameters).
[AC] wlan radio-policy radpolicy1
[AC-wlan-rp-radpolicy1] beacon-interval 200
[AC-wlan-rp-radpolicy1] dtim 4
[AC-wlan-rp-radpolicy1] rts-threshold 2300
[AC-wlan-rp-radpolicy1] fragment-threshold 2200
[AC-wlan-rp-radpolicy1] short-retry threshold 6
[AC-wlan-rp-radpolicy1] long-retry threshold 5
[AC-wlan-rp-radpolicy1] max-rx-duration 500
[AC-wlan-rp-radpolicy1] quit
# Configure the AP auto configuration feature.
[AC] wlan auto-ap enable
# Configure a common AP for model WA2100 (For each AP model, one common auto AP configuration is required).
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id auto
# Configure the radio of the common AP, and set the maximum power to 10. Automatic channel is adopted by default.
[AC-wlan-ap-ap1] radio 1 type dot11a
[AC-wlan-ap-ap1-radio-1] max-power 10
# Bind radio policy radpolicy1 to radio 1, and bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] radio-policy radpolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2) Configuration verification
You can use the display wlan ap command to view the two APs, and use the wlan auto-ap persistent command to convert the two auto APs to configured APs.
The clients can associate with the APs and access the WLAN.

CAPWAP Dual-Link Configuration Example

Network requirements

As shown in the following figure, AC 1 and AC 2 are connected to a L2 switch. An AP is connected to AC 1 and AC 2 through the L2 switch. AC 1, AC 2 and the AP are in the same network. The AP gets its IP address from the DHCP server. The IP address of AC 1 is and the IP address of AC 2 is AC 1 is working in master mode while AC 2 is working in slave mode. When AC 2 detects AC 1 is down, AC 2 will convert its work mode from slave to master. The AP which is connected to AC 2 through a slave tunnel will transform the tunnel mode to master and use AC 2 as the master AC.

Figure 6-21 CAPWAP dual link configuration (DHCP server, AC 1, AC 2, L2 switch, AP, client)

Configuration procedure

1) Configuration on AC 1.
# Create a WLAN ESS interface.
<AC1> system-view
[AC1] interface WLAN-ESS 1
[AC1-WLAN-ESS1] quit
# Define a WLAN service template of clear type, configure the SSID of the service template as service, and bind the WLAN-ESS interface to this service template.
[AC1] wlan service-template 1 clear
[AC1-wlan-st-1] ssid service
[AC1-wlan-st-1] bind WLAN-ESS

[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Specify the backup AC address.
[AC1] wlan backup-ac ip
# Configure the AP on AC1.
[AC1] wlan ap ap1 model WA2100
[AC1-wlan-ap-ap1] serial-id A045B05B
[AC1-wlan-ap-ap1] radio 1 type dot11g
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable

2) Configuration on AC2.
# Create a WLAN ESS interface.
<AC2> system-view
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] quit
# Define a WLAN service template of clear type, configure the SSID of AP 2 as service because the SSIDs of the master AC and slave AC must be the same, and bind the WLAN-ESS interface to this service template.
[AC2] wlan service-template 1 clear
[AC2-wlan-st-1] ssid service
[AC2-wlan-st-1] bind WLAN-ESS 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
# Specify the backup AC address.
[AC2] wlan backup-ac ip
# Configure the AP on AC2.
[AC2] wlan ap ap1 model WA2100
[AC2-wlan-ap-ap1] serial-id A045B05B
[AC2-wlan-ap-ap1] radio 1 type dot11g
[AC2-wlan-ap-ap1-radio-1] service-template 1
[AC2-wlan-ap-ap1-radio-1] radio enable

3) Configuration verification
When AC 1 fails, AC 2 becomes the master AC immediately. You can use the display wlan ap command on the AC to view the status of the APs.

802.11n Configuration Example

Network requirements

As shown in Figure 6-22, it is required to deploy an 802.11n network to provide high-bandwidth access for multi-media applications. More specifically:
The AP provides a plain-text wireless service with SSID 11nservice.
802.11gn is adopted to inter-work with existing 802.11g networks.

Figure 6-22 802.11n configuration

Configuration procedure
1) Configuration on the AC
# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Configure a service template of clear type, configure the SSID of the service template as 11nservice, and bind the WLAN-ESS interface with the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid 11nservice
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure the AP on the AC, and the AP must support 802.11n.
[AC] wlan ap ap1 model WA2610E-AGN
[AC-wlan-ap-ap1] serial-id A045B05B
# Configure the radio of the AP to operate in 802.11g/n mode.
[AC-wlan-ap-ap1] radio 1 type dot11gn
# Configure the working bandwidth of the radio as 40 MHz, and bind the service template to radio 1.
[AC-wlan-ap-ap1-radio-1] channel band-width 40
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
2) Configuration verification
The clients can associate with the APs and access the WLAN. You can use the display wlan client and display connection commands to view the online clients. The output of the display wlan client command shows information about 802.11n clients.

User Isolation Configuration Example

Network requirements
As shown in Figure 6-23, the MAC address of the gateway is 000f-e It is required to configure user isolation on the AC so that Client A, Client B, and Host A in VLAN 2 can access the Internet but cannot access one another directly.

Figure 6-23 User isolation network diagram

Configuration procedure
1) Configuration on the AC.
# Configure the AP so that a CAPWAP connection can be established between the AC and AP. For how to establish a CAPWAP connection, see WLAN Service Configuration Example. The detailed configuration steps are omitted.
# Enable user isolation for VLAN 2 so that users in VLAN 2 cannot access each other directly.
<AC> system-view
[AC] user-isolation vlan 2 enable
# Add the MAC address of the gateway to the permitted MAC address list of VLAN 2 so that Client A, Client B and Host A in VLAN 2 can access the Internet.
[AC] user-isolation vlan 2 permit-mac 000f-e
2) Configuration verification
Client A, Client B and Host A in VLAN 2 can access the Internet, but they cannot access one another.

Uplink Detection Configuration Example

Network requirements
As shown below, when the uplink of the AC fails, clients cannot access external networks if they are associated with the AP connected to the AC. It is required to enable the uplink detection function so that when the uplink of the AC fails, clients are disabled from associating with the AP connected to the AC.

Figure 6-24 Uplink detection network diagram

Configuration procedure
# Create an NQA test group with test type ICMP echo, and configure related test parameters.
<AC> system-view
[AC] nqa entry admin test
[AC-nqa-admin-test] type icmp-echo
[AC-nqa-admin-test-icmp-echo] destination ip
# Configure the frequency for sending ICMP echo messages.
[AC-nqa-admin-test-icmp-echo] frequency 1000
# Configure reaction entry 1, specifying that five consecutive probe failures trigger the collaboration between the reaction entry and NQA.
[AC-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
[AC-nqa-admin-test-icmp-echo] quit
# Start the tests for the test group with the administrator name admin and operation tag test. The tests start now and will be performed forever.
[AC] nqa schedule admin test start-time now lifetime forever
# Configure track entry 1, and associate it with reaction entry 1 of the NQA test group.
[AC] track 1 nqa entry admin test reaction 1
# Specify track entry 1 for uplink detection.
[AC] wlan uplink track 1

AP Group Configuration Examples

AP Group Configuration without Roaming

Network requirements
As shown in the figure below, configure an AP group and apply it in a user profile on the AC, so that a client can only access the WLAN through AP

Figure 6-25 Client access control configuration diagram

Configuration procedure
1) Configuration on the AC
# Enable port security.
<AC> system-view
[AC] port-security enable
# Enable EAP authentication mode.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme.
[AC] radius scheme wlan-user-policy
# Specify the RADIUS server and keys for authentication and accounting.
[AC-radius-wlan-user-policy] server-type extended
[AC-radius-wlan-user-policy] primary authentication
[AC-radius-wlan-user-policy] primary accounting
[AC-radius-wlan-user-policy] key authentication wlan
[AC-radius-wlan-user-policy] key accounting wlan
# Specify the IP address of the AC.
[AC-radius-wlan-user-policy] nas-ip
[AC-radius-wlan-user-policy] quit
# Configure an ISP domain named universal by referencing the configured RADIUS scheme.
[AC] domain universal
[AC-isp-universal] authentication default radius-scheme wlan-user-policy
[AC-isp-universal] authorization default radius-scheme wlan-user-policy
[AC-isp-universal] accounting default radius-scheme wlan-user-policy
[AC-isp-universal] quit
# Configure domain universal as the default domain.
[AC] domain default enable universal
# Configure port security on interface WLAN-ESS 1.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext

[AC-WLAN-ESS1] port-security tx-key-type 11key
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Configure a service template.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid test
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure AP 1.
[AC] wlan ap ap1 model wa2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio1] service-template 1
[AC-wlan-ap-ap1-radio1] radio enable
[AC-wlan-ap-ap1-radio1] return
# Add AP 1 to AP group 11, apply the AP group to user profile management and enable the user profile.
<AC> system-view
[AC] wlan ap-group 11
[AC-ap-group11] ap ap1
[AC-ap-group11] quit
[AC] user-profile management
[AC-user-profile-management] wlan permit-ap-group 11
[AC-user-profile-management] quit
[AC] user-profile management enable
2) Configuration on the RADIUS server
# Specify the name of the user profile in the external group checkbox on the RADIUS server.
Log in to the CAMS management platform. On the left navigation tree, select Service Management > Service Config. Then click Add on the page to enter the following configuration page. Select the Access Control checkbox and add name management. If no user profile name is specified, all APs are permitted.
Figure 6-26 Specify a user profile name
3) Verify the configuration

The AP group applied in the user profile contains only AP 1, and thus a client can only access the WLAN through AP 1.

AP Group Configuration for Inter-AC Roaming

Network requirements
As shown in the figure below, AC 1 and AC 2 belong to the same mobility group. Configure an AP group on the ACs so that a client can still access the WLAN when it moves between APs.
Figure 6-27 AP group configuration for inter-AC roaming

Configuration procedure
Configuration on the RADIUS server is similar to that in AP Group Configuration without Roaming and thus is omitted.
1) Configuration on AC 1
# Configure AP 1.
<AC1> system-view
[AC1] port-security enable
[AC1] dot1x authentication-method eap
[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key
[AC1-WLAN-ESS1] undo dot1x multicast-trigger

[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid abc
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
[AC1] wlan ap ap1 model WA2100
[AC1-wlan-ap-ap1] serial-id A045B05B
[AC1-wlan-ap-ap1] radio 1 type dot11g
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
# Configure mobility group abc and enable the mobility group.
[AC1] wlan mobility-group abc
[AC1-wlan-mg-abc] source ip
[AC1-wlan-mg-abc] member ip
[AC1-wlan-mg-abc] mobility-group enable
[AC1-wlan-mg-abc] return
# Configure AP group 1, add AP 1 and AP 2 in it, apply it in user profile management, and enable the user profile.
<AC1> system-view
[AC1] wlan ap-group 1
[AC1-ap-group1] ap ap1 ap2
[AC1-ap-group1] quit
[AC1] user-profile management
[AC1-user-profile-management] wlan permit-ap-group 1
[AC1-user-profile-management] quit
[AC1] user-profile management enable
2) Configuration on AC 2
# Configure AP 2.
<AC2> system-view
[AC2] port-security enable
[AC2] dot1x authentication-method eap
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC2-WLAN-ESS1] port-security tx-key-type 11key
[AC2-WLAN-ESS1] undo dot1x multicast-trigger
[AC2-WLAN-ESS1] undo dot1x handshake
[AC2-WLAN-ESS1] quit
[AC2] wlan service-template 1 crypto
[AC2-wlan-st-1] ssid abc
[AC2-wlan-st-1] bind wlan-ess 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] cipher-suite ccmp
[AC2-wlan-st-1] security-ie rsn

[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
[AC2] wlan ap ap2 model WA2100
[AC2-wlan-ap-ap2] serial-id A22W
[AC2-wlan-ap-ap2] radio 1 type dot11g
[AC2-wlan-ap-ap2-radio-1] service-template 1
[AC2-wlan-ap-ap2-radio-1] radio enable
[AC2-wlan-ap-ap2-radio-1] quit
[AC2-wlan-ap-ap2] quit
# Configure mobility group abc and enable the mobility group.
[AC2] wlan mobility-group abc
[AC2-wlan-mg-abc] source ip
[AC2-wlan-mg-abc] member ip
[AC2-wlan-mg-abc] mobility-group enable
[AC2-wlan-mg-abc] quit
# Configure AP group 1, add AP 1 and AP 2 in it, apply it in user profile management, and enable the user profile.
[AC2] wlan ap-group 1
[AC2-ap-group1] ap ap1 ap2
[AC2-ap-group1] quit
[AC2] user-profile management
[AC2-user-profile-management] wlan permit-ap-group 1
[AC2-user-profile-management] quit
[AC2] user-profile management enable
3) Verify the configuration
AP 1 and AP 2 are permitted in the AP group, so a client can roam between them.

7 WLAN Security Configuration

This chapter includes these sections:
Overview
Configuring WLAN Security
WLAN Security Configuration Examples
Supported Combinations for Ciphers

Overview
The wireless security capabilities incorporated in 802.11 are inadequate for protecting networks containing sensitive information. They do a fairly good job of defending against the general public, but there are some good hackers lurking out there who can crack into wireless networks. As a result, there is a need to implement advanced security mechanisms beyond the capabilities of 802.11 if we want to protect against unauthorized access to resources on our network.

Authentication Modes
To secure wireless links, the wireless clients must be authenticated before accessing the AP, and only wireless clients passing the authentication can be associated with the AP. 802.11 links define two authentication mechanisms: open system authentication and shared key authentication.

Open system authentication
Open system authentication is the default authentication algorithm. This is the simplest of the available authentication algorithms. Essentially it is a null authentication algorithm. Any client that requests authentication with this algorithm can become authenticated. Open system authentication is not required to be successful as an AP may decline to authenticate the client.
Open system authentication involves a two-step authentication process. In the first step, the wireless client sends a request for authentication. In the second step, the AP determines that the wireless client passes the authentication and returns the result that the authentication is successful to the client.
The first step is to request authentication.
The second step is to return the authentication result. If the result is successful, the client and AP are mutually authenticated.
Figure 7-1 Open system authentication process

Shared key authentication
The following figure shows a shared key authentication process. The two parties have the same shared key configured.
1) The client sends an authentication request to the AP.
2) The AP randomly generates a challenge and sends it to the client.
3) The client uses the shared key to encrypt the challenge and sends it to the AP.
4) The AP uses the shared key to encrypt the challenge and compares the result with that received from the client. If they are identical, the client passes the authentication. If not, the authentication fails.
Figure 7-2 Shared key authentication process

WLAN Data Security
Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN devices share the same medium and thus every device can receive data from any other sending device. If no security service is provided, plain-text data is transmitted over the WLAN.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices without the right key cannot read encrypted data.

1) WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption for confidentiality. WEP encryption falls into static and dynamic encryption according to how a WEP key is generated.

Static WEP encryption
With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers will get all encrypted data. In addition, periodic manual key updates create a heavy management workload.

Dynamic WEP encryption
Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.
Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.

2) TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP, and provides more secure protection for WLAN as follows:
First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48 bits.
Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.
Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system may be under attack. If two packets fail the MIC in a certain period, the AP automatically takes countermeasures. It will not provide services in a certain period to prevent attacks.

3) CCMP encryption
CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different PN, thus improving the security to a certain extent.

Client Access Authentication
1) PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.
2) 802.1x authentication
As a port-based access control protocol, 802.1x authenticates and controls accessing devices at the port level. A device connected to an 802.1x-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.
3) MAC authentication
MAC authentication does not require any client software. Once the authenticator detects the MAC address of a client, it performs MAC authentication on the client.

Protocols and Standards
IEEE Standard for Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements
WI-FI Protected Access Enhanced Security Implementation Based On IEEE P802.11i Standard-Aug 2004
Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements

IEEE Standard for Local and metropolitan area networks Port-Based Network Access Control 802.1X
802.11i IEEE Standard for Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements

Configuring WLAN Security

Configuration Task List
To configure WLAN security in a service template, map the service template to a radio policy, and add radios to the radio policy. The SSID name, advertisement setting (beaconing), and encryption settings are configured in the service template. You can configure an SSID to support any combination of WPA, RSN, and Pre-RSN clients.
Complete these tasks to configure WLAN security:
Task:
Enabling an Authentication Method
Configuring the PTK Lifetime
Configuring the GTK Rekey Method
Configuring Security IE
Configuring Cipher Suite
Configuring Port Security
Remarks: Required, Required, Required

Enabling an Authentication Method
You can enable open system or shared key authentication or both.
Follow these steps to enable an authentication method:
To do: Use the command
Enter system view: system-view
Enter WLAN service template view: wlan service-template service-template-number crypto
Enable the authentication method: authentication-method { open-system | shared-key }
Remarks: Required. Open system authentication is used by default.
Shared key authentication is usable only when WEP encryption is adopted. In this case, you must configure the authentication-method shared-key command.
For RSN and WPA, shared key authentication is not required and only open system authentication is required.
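The constraints in the note above (shared key authentication only with WEP, open system authentication for WPA and RSN) can be checked mechanically. The following Python script is an added example, not H3C code: it parses service-template commands in the CLI syntax this guide uses and reports templates that are clear-text, use WEP or TKIP, or break those constraints. The sample configuration is constructed, and the severity labels are this example's own.

```python
import re

# Strips the "[AC-wlan-st-1]" or "<AC>" prompt that prefixes commands in the guide.
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")
TEMPLATE = re.compile(r"wlan service-template (\d+) (clear|crypto)$")

# Constructed sample configuration in the guide's CLI style.
SAMPLE = """\
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] quit
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid legacy
[AC-wlan-st-2] authentication-method shared-key
[AC-wlan-st-2] cipher-suite tkip
[AC-wlan-st-2] security-ie wpa
[AC-wlan-st-2] quit
[AC] wlan service-template 3 crypto
[AC-wlan-st-3] ssid wepnet
[AC-wlan-st-3] authentication-method shared-key
[AC-wlan-st-3] cipher-suite wep104
[AC-wlan-st-3] quit
[AC] wlan service-template 10 crypto
[AC-wlan-st-10] ssid psktest
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite ccmp
[AC-wlan-st-10] authentication-method open-system
[AC-wlan-st-10] service-template enable
[AC-wlan-st-10] quit
"""


def parse_templates(text):
    """Collect type, authentication methods, cipher suites and security IEs per template."""
    templates, cur = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip().lower()
        if not line or line.startswith("#"):
            continue
        m = TEMPLATE.match(line)
        if m:
            cur = templates.setdefault(
                int(m.group(1)),
                {"type": m.group(2), "auth": set(), "ciphers": set(), "ie": set()},
            )
        elif line in ("quit", "return") or line.startswith(("wlan ", "interface ")):
            cur = None  # left the service template view
        elif cur is not None:
            words = line.split()
            if len(words) == 2 and words[0] == "authentication-method":
                cur["auth"].add(words[1])
            elif len(words) == 2 and words[0] == "cipher-suite":
                cur["ciphers"].add(words[1])
            elif len(words) == 2 and words[0] == "security-ie":
                cur["ie"].add(words[1])
    return templates


def audit(templates):
    """Return (template number, severity, message) findings, ordered by template."""
    findings = []
    for num, t in sorted(templates.items()):
        # Assumption: with no authentication-method line, the default (open system) applies.
        auth = t["auth"] or {"open-system"}
        wep = sorted(c for c in t["ciphers"] if c.startswith("wep"))
        if t["type"] == "clear":
            findings.append((num, "high", "clear template: data is transmitted in plain text"))
            continue
        if "shared-key" in auth and not wep:
            findings.append((num, "error", "shared-key authentication is usable only with WEP"))
        if t["ie"] and "open-system" not in auth:
            findings.append((num, "error", "WPA/RSN require open-system authentication"))
        if wep:
            findings.append((num, "high", "WEP cipher (%s): RC4 with static-key weaknesses" % ", ".join(wep)))
        if "tkip" in t["ciphers"]:
            findings.append((num, "medium", "TKIP still relies on RC4; CCMP (AES) is the stronger suite"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_templates(SAMPLE)):
        print("template %d [%s] %s" % finding)
```
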

Configuring the PTK Lifetime
A pairwise transient key (PTK) is generated through a four-way handshake, during which the pairwise master key (PMK), an AP random value (ANonce), a site random value (SNonce), the AP's MAC address and the client's MAC address are used.
Follow these steps to configure the PTK lifetime:
To do: Use the command
Enter system view: system-view
Enter WLAN service template view: wlan service-template service-template-number crypto
Configure the PTK lifetime: ptk-lifetime time
Remarks: By default, the PTK lifetime is seconds.

Configuring the GTK Rekey Method
An AC generates a group transient key (GTK) and sends the GTK to a client during the authentication process between an AP and the client through group key handshake or the 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets. RSN negotiates the GTK through the 4-way handshake or group key handshake, while WPA negotiates the GTK only through group key handshake.
Two GTK rekey methods can be configured:
Time-based GTK rekey: After the specified interval elapses, GTK rekey occurs.
Packet-based GTK rekey: After the specified number of packets is sent, GTK rekey occurs.
You can also configure the device to start GTK rekey when a client goes offline, provided that GTK rekey has been enabled with the gtk-rekey enable command.

Configuring GTK rekey based on time
Follow these steps to configure GTK rekey based on time:
To do: Use the command
Enter system view: system-view
Enter WLAN service template view: wlan service-template service-template-number crypto
Enable GTK rekey: gtk-rekey enable
Configure the GTK rekey interval: gtk-rekey method time-based [ time ]
Configure the device to start GTK rekey when a client goes offline: gtk-rekey client-offline enable
Remarks:
Required By default, GTK rekey is enabled.
Required By default, the interval is seconds.
Not configured by default.
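How the four-way handshake inputs named under Configuring the PTK Lifetime combine into a PTK, as an added example (not H3C code): the IEEE 802.11i pseudo-random function applied to the PMK, both MAC addresses and both nonces. The PMK, MAC addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"
# PTK length in bits: KCK (128) + KEK (128) + temporal key (128 for CCMP, 256 for TKIP).
PTK_BITS = {"ccmp": 384, "tkip": 512}

# Constructed sample inputs; real nonces are random values chosen by each side.
PMK = hashlib.sha256(b"constructed PMK").digest()
AP_MAC = "0200-0000-0001"
CLIENT_MAC = "0200-0000-0002"
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
REKEY_SNONCE = hashlib.sha256(b"constructed SNonce after rekey").digest()


def mac_bytes(mac):
    """Convert a MAC in xxxx-xxxx-xxxx (or colon-separated) notation to 6 bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % mac)
    return raw


def prf(key, label, data, bits):
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[: bits // 8]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce, cipher="ccmp"):
    """Derive the PTK and split it into KCK, KEK and temporal key (TK)."""
    if len(pmk) != 32 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("PMK, ANonce and SNonce are 32 bytes each")
    aa, spa = mac_bytes(ap_mac), mac_bytes(client_mac)
    # Sorting the inputs lets the AP and the client compute the same value
    # without agreeing on who goes first.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, LABEL, data, PTK_BITS[cipher])
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


if __name__ == "__main__":
    first = derive_ptk(PMK, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    # A rekey repeats the handshake with fresh nonces: same PMK, new PTK.
    second = derive_ptk(PMK, AP_MAC, CLIENT_MAC, ANONCE, REKEY_SNONCE)
    print("TK before rekey:", first["tk"].hex())
    print("TK after rekey: ", second["tk"].hex())
```
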
Configuring GTK rekey based on packet
Follow these steps to configure GTK rekey based on packet:
To do: Use the command
Enter system view: system-view
Enter WLAN service template view: wlan service-template service-template-number crypto
Enable GTK rekey: gtk-rekey enable
Configure GTK rekey based on packet: gtk-rekey method packet-based [ packet ]
Configure the device to start GTK rekey when a client goes offline: gtk-rekey client-offline enable
Remarks:
Required By default, GTK rekey is enabled.
Required The default packet number is
Not configured by default.

By default, time-based GTK rekey is adopted, and the rekey interval is seconds.
Configuring a new GTK rekey method overwrites the previous one. For example, if time-based GTK rekey is configured after packet-based GTK rekey is configured, time-based GTK rekey takes effect.

Configuring Security IE
The security Information Element (IE) configuration includes WPA and RSN configuration. For WPA and RSN configuration, open system authentication is required.
Wi-Fi Protected Access (WPA) ensures greater protection than WEP. WPA operates in either WPA-PSK (or called Personal) mode or WPA-802.1x (or called Enterprise) mode. In Personal mode, a pre-shared key or pass-phrase is used for authentication. In Enterprise mode, 802.1x and RADIUS servers and the Extensible Authentication Protocol (EAP) are used for authentication.

Configuring WPA security IE
Follow these steps to configure the WPA security IE:
To do: Use the command
Enter system view: system-view
Enter WLAN service template view: wlan service-template service-template-number crypto
Enable the WPA security IE: security-ie wpa
Remarks: Required

Configuring RSN security IE
An RSN is a security network that allows only the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of beacon frames. It provides greater protection than WEP and WPA.
To do: Use the command
Enter system view: system-view

To do: Use the command
Enter WLAN service template view: wlan service-template service-template-number crypto
Enable the RSN security IE: security-ie rsn
Remarks: Required

Configuring Cipher Suite
A cipher suite is used for data encapsulation and decapsulation. It uses the following encryption methods:
WEP40/WEP104/WEP128
TKIP
CCMP
You must specify the crypto type for the service template to configure the WEP, TKIP, or CCMP cipher suite.

Configuring WEP cipher suite
1) Configure static WEP encryption
The WEP encryption mechanism requires that the authenticator and clients on a WLAN have the same key configured. WEP adopts the RC4 algorithm (a stream encryption algorithm), supporting WEP-40, WEP-104, WEP-128 keys.
WEP can be used with either open system authentication mode or shared key authentication mode:
In open system authentication mode, a WEP key is used for encryption only. A client can go online without having the same key as the authenticator. But, if the receiver has a different key from the sender, it will discard the packets received from the sender.
In shared key authentication mode, the WEP key is used for both encryption and authentication. If the key of a client is different from that of the authenticator, the client cannot go online.
Follow these steps to configure static WEP encryption:
To do: Use the command
Enter system view: system-view
Enter WLAN service template view: wlan service-template service-template-number crypto
Enable the WEP cipher suite: cipher-suite { wep40 | wep104 | wep128 }
Configure the WEP default key: wep default-key { } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } key
Remarks:
Required
Required No WEP default key is configured by default.
Specify a key index number: wep key-id { }
Remarks: By default, the key index number is 1.

2) Configure dynamic WEP encryption
Follow these steps to configure dynamic WEP encryption:
To do: Use the command
Enter system view: system-view

To do: Use the command
Enter WLAN service template view: wlan service-template service-template-number crypto
Enable dynamic WEP encryption: wep mode dynamic
Enable the WEP cipher suite: cipher-suite { wep40 | wep104 | wep128 }
Configure the WEP default key: wep default-key { } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
Remarks:
Required By default, static WEP encryption is adopted. Dynamic WEP encryption must be used together with 802.1X authentication.
With dynamic WEP encryption configured, the device automatically uses the WEP 104 cipher suite. To change the encryption method, use the cipher-suite command.
No WEP default key is configured by default. If the WEP default key is configured, the WEP default key is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.
Specify a key index number: wep key-id { }
Remarks: By default, the key index number is 1. For dynamic WEP encryption, the WEP key ID cannot be configured as 4.

Configuring TKIP cipher suite
Follow these steps to configure the TKIP cipher suite:
To do: Use the command
Enter system view: system-view
Enter WLAN service template view: wlan service-template service-template-number crypto
Enable the TKIP cipher suite: cipher-suite tkip
Remarks: Required
Configure the TKIP countermeasure interval: tkip-cm-time time
Remarks: The default countermeasure interval is 0 seconds.

Message integrity check (MIC) is used to prevent attackers from modifying data. It ensures data security by using the Michael algorithm. When a MIC failure occurs, the device considers that the data has been modified and the system is being attacked. Upon detecting the attack, TKIP suspends for the countermeasure interval, that is, no TKIP associations can be established within the interval.

Configuring CCMP cipher suite
CCMP adopts the AES encryption algorithm.
Follow these steps to configure the CCMP cipher suite:
To do: Use the command
Enter system view: system-view
Enter WLAN service template view: wlan service-template service-template-number crypto
Enable the CCMP cipher suite: cipher-suite ccmp
Remarks: Required

Configuring Port Security
Port security configuration includes authentication type configuration and AAA server configuration.
The authentication type configuration includes the following options:
PSK
802.1x
MAC
PSK and MAC
Before configuring port security, you must:
1) Create the wireless port.
2) Enable port security globally.

Configuring PSK authentication
Follow these steps to configure PSK authentication:
To do: Use the command
Enter system view: system-view
Enter WLAN-ESS interface view: interface wlan-ess interface-number
Enable key negotiation: port-security tx-key-type 11key
Configure the key: port-security preshared-key { pass-phrase | raw-key } key
Enable the PSK port security mode: port-security port-mode psk
Remarks:
Required Not enabled by default.
Required Not configured by default.
Required

Configuring 802.1X authentication
Follow these steps to configure 802.1X authentication:
To do: Use the command
Enter system view: system-view
Enter WLAN-ESS interface view: interface wlan-ess interface-number
Enable key negotiation: port-security tx-key-type 11key
Remarks: Required Not enabled by default.

To do: Use the command
Enable the 802.1X port security mode: port-security port-mode userlogin-secure-ext
Remarks: Required

Configuring MAC authentication
Follow these steps to configure MAC authentication:
To do: Use the command
Enter system view: system-view
Enter WLAN-ESS interface view: interface wlan-ess interface-number
Enable MAC port security mode: port-security port-mode mac-authentication
Remarks: Required
802.11i does not support MAC authentication.

Configuring PSK and MAC authentication
Follow these steps to configure PSK and MAC authentication:
To do: Use the command
Enter system view: system-view
Enter WLAN-ESS interface view: interface wlan-ess interface-number
Enable key negotiation: port-security tx-key-type 11key
Enable the PSK and MAC port security mode: port-security port-mode mac-and-psk
Configure the pre-shared key: port-security preshared-key { pass-phrase | raw-key } key
Remarks:
Required Not enabled by default.
Required
Required The key is a string of 8 to 63 characters, or a 64-digit hex number.

For more information about port security configuration commands, see Port Security in the Security Command Reference.
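An added example, not H3C code: it checks a preshared-key command against the length rule above (8 to 63 characters, or 64 hexadecimal digits) and derives the 256-bit PMK using the IEEE 802.11i pass-phrase mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations). The sample pass-phrase and SSID are constructed; they are the published IEEE 802.11i test pair, not values from this guide.

```python
import hashlib
import re

# Matches the command with or without a leading "[AC-WLAN-ESS10]" prompt.
PSK_LINE = re.compile(r"port-security\s+preshared-key\s+(pass-phrase|raw-key)\s+(.+?)\s*$")

# Constructed sample: pass-phrase "password" on SSID "IEEE".
SAMPLE_LINE = "[AC-WLAN-ESS10] port-security preshared-key pass-phrase password"
SAMPLE_SSID = "IEEE"


def parse_preshared_key(line):
    """Return (key type, key) from a port-security preshared-key command."""
    m = PSK_LINE.search(line)
    if not m:
        raise ValueError("not a preshared-key command: %r" % line)
    return m.group(1), m.group(2)


def pmk_from_key(kind, key, ssid):
    """Validate the key format and return the 32-byte PMK it yields for this SSID."""
    if kind == "pass-phrase":
        if not 8 <= len(key) <= 63:
            raise ValueError("pass-phrase must be 8 to 63 characters")
        if any(not 32 <= ord(ch) <= 126 for ch in key):
            raise ValueError("pass-phrase must be printable ASCII")
        # The SSID is the salt, so the same pass-phrase gives a different PMK per SSID.
        return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
    if kind == "raw-key":
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", key):
            raise ValueError("raw-key must be 64 hexadecimal digits")
        # A raw key is used as the PMK directly and does not depend on the SSID.
        return bytes.fromhex(key)
    raise ValueError("unknown key type: %r" % kind)


def pmk_for_line(line, ssid):
    """Parse a command line and return the PMK as a hex string."""
    kind, key = parse_preshared_key(line)
    return pmk_from_key(kind, key, ssid).hex()


if __name__ == "__main__":
    print(pmk_for_line(SAMPLE_LINE, SAMPLE_SSID))
```

Every client that knows the pass-phrase derives the same PMK for a given SSID, which is why a PSK network has one shared secret rather than per-user keys.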

Displaying and Maintaining WLAN Security
To do: Use the command
Display WLAN service template information: display wlan service-template [ service-template-number ]
Display MAC authentication information: display mac-authentication [ interface interface-list ]
Display the MAC address information of port security: display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
Display the PSK user information of port security: display port-security preshared-key user [ interface interface-type interface-number ]
Display the configuration information, running state and statistics of port security: display port-security [ interface interface-list ]
Display 802.1x session information or statistics: display dot1x [ sessions | statistics ] [ interface interface-list ]
Remarks: Available in any view (each command)

For more information about related display commands, see Port Security, 802.1x, and MAC Authentication in the Security Command Reference.

WLAN Security Configuration Examples

PSK Authentication Configuration Example

Network requirements
As shown in Figure 7-3, an AC is connected to an AP through a Layer 2 switch, and they are in the same network. It is required to perform PSK authentication with key on the client.
Figure 7-3 PSK configuration

Configuration procedure
1) Configure the AC
# Enable port security.
<AC> system-view
[AC] port-security enable

# Configure WLAN port security, configure the authentication mode as PSK, and the pre-shared key as
[AC] interface wlan-ess 10
[AC-WLAN-ESS10] port-security port-mode psk
[AC-WLAN-ESS10] port-security preshared-key pass-phrase
[AC-WLAN-ESS10] port-security tx-key-type 11key
[AC-WLAN-ESS10] quit
# Create service template 10 of crypto type, configure its SSID as psktest, and bind WLAN-ESS10 to service template 10.
[AC] wlan service-template 10 crypto
[AC-wlan-st-10] ssid psktest
[AC-wlan-st-10] bind WLAN-ESS 10
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite ccmp
[AC-wlan-st-10] authentication-method open-system
[AC-wlan-st-10] service-template enable
[AC-wlan-st-10] quit
# Create an AP template named ap1, and specify its model as WA2100, and serial ID as A29G007C
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 10 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 10
[AC-wlan-ap-ap1-radio-1] radio enable
2) Verify the configuration
After passing the authentication, the client can associate with the AP and access the WLAN. You can use the display wlan client and display port-security preshared-key user commands to view the online clients.

MAC and PSK Authentication Configuration Example

Network requirements
As shown in Figure 7-4, an AC with IP address , an AP, and a RADIUS server with IP address are connected through a Layer 2 switch. It is required to perform MAC and PSK authentication on the client.

Figure 7-4 MAC and PSK authentication

Configuration procedure

1) Configure the AC.

# Enable port security.
<AC> system-view
[AC] port-security enable

# Configure WLAN port security, using MAC and PSK authentication.
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] port-security port-mode mac-and-psk
[AC-WLAN-ESS2] port-security tx-key-type 11key
[AC-WLAN-ESS2] port-security preshared-key pass-phrase
[AC-WLAN-ESS2] quit

# Create service template 2 of crypto type, configure its SSID as mactest, and bind WLAN-ESS2 to service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid mactest
[AC-wlan-st-2] bind wlan-ess 2
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite tkip
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit

# Create an AP template named ap1, and specify its model as WA2100, and serial ID as A29G007C
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g

# Bind service template 2 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 2
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit

# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended

# Configure the IP addresses of the primary authentication server and accounting server as

[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting

# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format with-domain
[AC-radius-rad] quit

# Configure AAA domain cams by referencing RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit

# Configure the MAC authentication domain by referencing AAA domain cams.
[AC] mac-authentication domain cams

# Configure MAC authentication user name format, using MAC addresses without hyphen as username and password (consistent with the format on the server).
[AC] mac-authentication user-name-format mac-address without-hyphen

2) Configure the RADIUS server (CAMS)

# Add access device.
Log into the CAMS management platform. On the left navigation tree, click System Management > System Configuration to enter the System Configuration page. Click Modify on the page to enter the Access Device Configuration page. Click Add on the page to enter the following configuration page:
- Add the AC's IP address for Start IP and End IP.
- Add for Shared Key.
- Select LAN Access Service for Service Type.
- Add ports 1812, and 1813 for Port List.
- Select Extensible Protocol for Protocol Type.
- Select Standard for RADIUS Packet Type.

Figure 7-5 Add access device

# Add service.
On the left navigation tree, select Service Management > Service Config. Then click Add on the page to enter the following configuration page. Add a service name and select a configured accounting policy (the procedure for configuring an accounting policy is omitted). In this example, accounting is not performed.

Figure 7-6 Add service

# Add account.
On the left navigation tree, select User Management > Account User. Then, click Add on the Account Management page to enter the following page. Enter a name and password, and select the service you configured.

Figure 7-7 Add account

3) Configure the RADIUS server (imc)

The following takes the imc (the versions of the imc components are imc PLAT 3.20-R2602 and imc UAM 3.60-E6102) as an example to illustrate the basic configurations of the RADIUS server.

# Add access device.
Log in to the imc management platform. Select the Service tab, and then select Access Service > Access Device from the navigation tree to enter the access device configuration page. Click Add on the page to enter the configuration page shown in Figure 7-8:
- Add for Shared Key.
- Add ports 1812, and 1813 for Authentication Port and Accounting Port respectively.
- Select LAN Access Service for Service Type.
- Select H3C for Access Device Type.
- Select or manually add an access device with the IP address

Figure 7-8 Add access device

# Add service.
Select the Service tab, and then select Access Service > Access Device from the navigation tree to enter the add service page. Then click Add on the page to enter the following configuration page. Set the service name to mac, and the others use the default values.

Figure 7-9 Add service

# Add account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user page. Then, click Add on the page to enter the page shown in Figure
- Enter a username.
- Enter an account name and password.
- Select the service mac.

Figure 7-10 Add account

4) Verify the configuration

After the client passes the authentication, the client can associate with the AP and access the WLAN. You can use the display wlan client command, display connection command and display mac-authentication command to view the online clients.

802.1x Authentication Configuration Example

Network requirements

As shown in Figure 7-11, an AC with IP address , an AP and a RADIUS server with IP address are connected through a Layer 2 switch. It is required to perform 802.1x authentication on the client.

Figure 7-11 802.1X configuration

Configuration procedure

1) Configure the AC

# Enable port security.
<AC> system-view
[AC] port-security enable

# Configure the 802.1X authentication mode as EAP.
[AC] dot1x authentication-method eap

# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended

# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting

# Configure the shared key for RADIUS authentication/accounting as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit

# Configure AAA domain cams by referencing RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit

# Configure cams as the default domain.
[AC] domain default enable cams

# Configure WLAN port security, using 802.1X authentication.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key

# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit

# Create service template 1 of crypto type, configure its SSID as dot1x, and configure the tkip and ccmp cipher suite.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite tkip
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit

# Create an AP template named ap1, and specify its model as WA2100, and serial ID as A29G007C
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g

# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2) Configure the RADIUS server (CAMS)

# Add access device.
Log into the CAMS management platform. On the left navigation tree, click System Management > System Configuration to enter the System Configuration page. Click Modify on the page to enter the Access Device Configuration page. Click Add on the page to enter the following configuration page:
- Add the AC's IP address for Start IP and End IP.
- Add for Shared Key.
- Select LAN Access Service for Service Type.
- Add ports 1812, and 1813 for Port List.
- Select Extensible Protocol for Protocol Type.
- Select Standard for RADIUS Packet Type.

Figure 7-12 Add access device

# Add service.
On the left navigation tree, select Service Management > Service Config. Then click Add on the page to enter the following configuration page. Add a service name and select a configured accounting policy. In this example, accounting is not performed. Select EAP-PEAP authentication and MS-CHAPV

Figure 7-13 Add service

# Add account.
On the left navigation tree, select User Management > Account User. Then, click Add on the Account Management page to enter the following page. Enter a name and password, and select the service you configured.

Figure 7-14 Add account

3) Configure the RADIUS server (imc)

The following takes the imc (the versions of the imc components are imc PLAT 3.20-R2602 and imc UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.

# Add access device.
Log in to the imc management platform. Select the Service tab, and then select Access Service > Access Device from the navigation tree to enter the access device configuration page. Click Add on the page to enter the configuration page shown in Figure 7-15:
- Add for Shared Key.
- Add ports 1812, and 1813 for Authentication Port and Accounting Port respectively.
- Select LAN Access Service for Service Type.
- Select H3C for Access Device Type.
- Select or manually add an access device with the IP address

Figure 7-15 Add access device

# Add service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to enter the add service page. Then click Add on the page to enter the configuration page shown in Figure
- Set the service name to dot1x.
- Select EAP-PEAP AuthN from the Certificate Type drop-down list, and MS-CHAPV2 AuthN from the Certificate Sub-Type drop-down list.

Figure 7-16 Add service

# Add account.
Select the User tab, and then select Users > All Access Users from the navigation tree to enter the user page. Then, click Add on the page to enter the page shown in Figure
- Enter a username.
- Add an account user and password dot1x.
- Select the previously configured service dot1x.

Figure 7-17 Add account

4) Configure the wireless NIC

Double click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears. Click the Properties button in the General tab. The Wireless Network Connection Properties window appears. In the Wireless Networks tab, select wireless network with the SSID dot1x, and click Properties. The dot1x Properties window appears. Then, in the Authentication tab, select Protected EAP (PEAP) from the EAP type drop-down list, and click Properties. In the popup window, clear Validate server certificate, and click Configure. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any). The configuration procedure is as shown in Figure 7-18 through Figure

Figure 7-18 Configure the wireless card (I)

Figure 7-19 Configure the wireless card (II)

Figure 7-20 Configure the wireless card (III)

5) Verify the configuration

The client can pass 802.1x authentication and associate with the AP. You can use the display wlan client command, display connection command and display dot1x command to view the online clients.

Dynamic WEP Encryption-802.1X Authentication Configuration Example

Network requirements

As shown in Figure 7-21, an AC with IP address , an AP, and a RADIUS server with IP address are connected through a Layer 2 switch. It is required to perform dynamic WEP encryption.

Figure 7-21 Network diagram for dynamic WEP encryption-802.1x authentication

Configuration procedure

1) Configure the AC

# Enable port security.
<AC> system-view
[AC] port-security enable

# Configure the 802.1X authentication mode as EAP.
[AC] dot1x authentication-method eap

# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended

# Configure the IP addresses of the primary authentication and accounting servers as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting

# Configure the shared key for RADIUS authentication/accounting as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit

# Configure AAA domain bbb by referencing RADIUS scheme rad.
[AC] domain bbb
[AC-isp-bbb] authentication lan-access radius-scheme rad
[AC-isp-bbb] authorization lan-access radius-scheme rad
[AC-isp-bbb] accounting lan-access radius-scheme rad
[AC-isp-bbb] quit

# Configure bbb as the default domain.
[AC] domain default enable bbb

# Configure WLAN port security to use 802.1X authentication.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext

# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit

# Create service template 1 of crypto type, configure its SSID as dot1x, and configure dynamic WEP encryption.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] wep mode dynamic
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit

# Create an AP template named ap1, and specify its model as WA2100, and serial ID as A29G007C
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g

# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2) Configure the RADIUS server (CAMS)

See Configure the RADIUS server (CAMS).

3) Configure the RADIUS server (imc)

See Configure the RADIUS server (imc).

4) Configure the wireless card

Double click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears. Click the Properties button in the General tab. The Wireless Network Connection Properties window appears. In the Wireless Networks tab, select wireless network with the SSID dot1x, and click Properties. The dot1x Properties window appears. Then, in the Authentication tab, select Protected EAP (PEAP) from the EAP type drop-down list, and click Properties. In the popup window, clear Validate server certificate, and click Configure. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any). The configuration procedure is as shown in Figure 7-22 through Figure

Figure 7-22 Configure the wireless card (I)

Figure 7-23 Configure the wireless card (II)

Figure 7-24 Configure the wireless card (III)

Configuration verification

After inputting username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN. You can use the display wlan client command, display connection command, and display dot1x command to view online client information.

Supported Combinations for Ciphers

This section introduces the combinations that can be used during the cipher suite configuration.

RSN

For RSN, the WLAN-WSEC module supports only CCMP and TKIP ciphers as the pairwise ciphers, and WEP cipher suites will only be used as group cipher suites. Below are the cipher suite combinations that WLAN-WSEC supports for RSN (WEP40, WEP104 and WEP128 are mutually exclusive).

Unicast cipher  Broadcast cipher  Authentication method  Security Type
CCMP            WEP40             PSK                    RSN
CCMP            WEP104            PSK                    RSN
CCMP            WEP128            PSK                    RSN
CCMP            TKIP              PSK                    RSN
CCMP            CCMP              PSK                    RSN
TKIP            WEP40             PSK                    RSN
TKIP            WEP104            PSK                    RSN
TKIP            WEP128            PSK                    RSN
TKIP            TKIP              PSK                    RSN
CCMP            WEP               802.1x                 RSN
CCMP            WEP               802.1x                 RSN
CCMP            WEP               802.1x                 RSN
CCMP            TKIP              802.1x                 RSN
CCMP            CCMP              802.1x                 RSN
TKIP            WEP               802.1x                 RSN
TKIP            WEP               802.1x                 RSN
TKIP            WEP               802.1x                 RSN
TKIP            TKIP              802.1x                 RSN

WPA

For WPA, the WLAN-WSEC module supports only the TKIP ciphers as the pairwise ciphers, and WEP cipher suites will only be used as group cipher suites. Below are the cipher suite combinations that WLAN-WSEC supports for WPA (WEP40, WEP104 and WEP128 are mutually exclusive).

Unicast cipher  Broadcast cipher  Authentication method  Security Type
CCMP            CCMP              PSK                    WPA
TKIP            WEP40             PSK                    WPA
TKIP            WEP104            PSK                    WPA
TKIP            WEP128            PSK                    WPA
TKIP            TKIP              PSK                    WPA
TKIP            WEP40             PSK                    WPA
TKIP            WEP104            PSK                    WPA
TKIP            WEP128            PSK                    WPA
TKIP            TKIP              PSK                    WPA
CCMP            WEP               802.1x                 WPA
CCMP            WEP               802.1x                 WPA
CCMP            WEP               802.1x                 WPA
CCMP            TKIP              802.1x                 WPA
CCMP            CCMP              802.1x                 WPA
TKIP            WEP               802.1x                 WPA
TKIP            WEP               802.1x                 WPA
TKIP            WEP               802.1x                 WPA
TKIP            TKIP              802.1x                 WPA

Pre-RSN

For Pre-RSN stations, the WLAN-WSEC module supports only WEP cipher suites (WEP40, WEP104 and WEP128 are mutually exclusive).

Unicast cipher  Broadcast cipher  Authentication method  Security Type
WEP40           WEP40             Open system            no Sec Type
WEP104          WEP104            Open system            no Sec Type
WEP128          WEP128            Open system            no Sec Type
WEP40           WEP40             Shared key             no Sec Type
WEP104          WEP104            Shared key             no Sec Type
WEP104          WEP128            Shared key             no Sec Type
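The service templates in this chapter's examples differ mainly in port mode and cipher suite, so a saved CLI transcript can be reviewed mechanically. The Python script below is an added example, not part of the H3C guide or of Comware: it parses a transcript in the prompt-and-command form used above, resolves each template's bound WLAN-ESS interface to its port mode, and flags templates that enable TKIP or dynamic WEP, both of which IEEE 802.11 deprecates. The function names and finding codes are this example's own, and the sample transcript is constructed from the guide's commands, with the dynamic WEP template renumbered to 3 and given the hypothetical SSID dot1x-wep so that the templates do not collide.

```python
import re

# A Comware prompt: "[AC-wlan-st-10] command" (a view) or "<AC> command" (user view).
PROMPT = re.compile(r"^\s*(?:\[(?P<view>[^\]]+)\]|<[^>]+>)\s*(?P<cmd>\S.*)$")
# port-security port-mode values used in the guide, mapped to the auth method.
AUTH = {"psk": "PSK", "mac-and-psk": "MAC+PSK", "userlogin-secure-ext": "802.1X"}
MESSAGES = {
    "dynamic-wep": "frames are protected with WEP, which IEEE 802.11 deprecates",
    "tkip-only": "TKIP is the only pairwise cipher; IEEE 802.11 deprecates it",
    "tkip-mixed": "TKIP stays negotiable alongside CCMP",
    "wpa-only": "only the WPA information element is advertised, not RSN",
}


def parse_transcript(text):
    """Return (templates, port_modes), both keyed by number, from a CLI transcript."""
    templates, port_modes = {}, {}
    for line in text.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue  # "# ..." description lines and blank lines carry no settings
        view = (m.group("view") or "").lower()
        words = m.group("cmd").split()
        kw = [w.lower() for w in words]
        st = re.search(r"-wlan-st-(\d+)$", view)
        ess = re.search(r"-wlan-ess(\d+)$", view)
        if st and len(kw) > 1:
            t = templates.setdefault(int(st.group(1)), {"ssid": None, "ess": None,
                "ciphers": set(), "security_ie": set(), "dynamic_wep": False})
            if kw[0] == "ssid":
                t["ssid"] = words[1]
            elif kw[:2] == ["bind", "wlan-ess"] and kw[2:3] and kw[2].isdigit():
                t["ess"] = int(kw[2])
            elif kw[0] == "cipher-suite":
                t["ciphers"].add(kw[1])
            elif kw[0] == "security-ie":
                t["security_ie"].add(kw[1])
            elif kw[:3] == ["wep", "mode", "dynamic"]:
                t["dynamic_wep"] = True
        elif ess and kw[:2] == ["port-security", "port-mode"] and len(kw) > 2:
            port_modes[int(ess.group(1))] = kw[2]
    return templates, port_modes


def audit(text):
    """Return {template number: {"ssid", "auth", "findings"}} for a transcript."""
    templates, port_modes = parse_transcript(text)
    report = {}
    for num, t in sorted(templates.items()):
        findings = ["dynamic-wep"] if t["dynamic_wep"] else []
        if "tkip" in t["ciphers"]:
            findings.append("tkip-mixed" if "ccmp" in t["ciphers"] else "tkip-only")
        if t["security_ie"] == {"wpa"}:
            findings.append("wpa-only")
        auth = AUTH.get(port_modes.get(t["ess"]), "unknown")
        report[num] = {"ssid": t["ssid"], "auth": auth, "findings": findings}
    return report


# Constructed sample: command forms from the guide, template 3 is hypothetical.
SAMPLE = """\
[AC] interface wlan-ess 10
[AC-WLAN-ESS10] port-security port-mode psk
[AC] wlan service-template 10 crypto
[AC-wlan-st-10] ssid psktest
[AC-wlan-st-10] bind WLAN-ESS 10
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite ccmp
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] port-security port-mode mac-and-psk
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid mactest
[AC-wlan-st-2] bind wlan-ess 2
[AC-wlan-st-2] cipher-suite tkip
[AC-wlan-st-2] security-ie rsn
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] cipher-suite tkip
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC] interface WLAN-ESS 3
[AC-WLAN-ESS3] port-security port-mode userlogin-secure-ext
[AC] wlan service-template 3 crypto
[AC-wlan-st-3] ssid dot1x-wep
[AC-wlan-st-3] wep mode dynamic
[AC-wlan-st-3] bind WLAN-ESS 3
"""


if __name__ == "__main__":
    for num, r in audit(SAMPLE).items():
        notes = [f"{c}: {MESSAGES[c]}" for c in r["findings"]] or ["ok"]
        print(f"service-template {num} ({r['ssid']}, {r['auth']}):", "; ".join(notes))
```

Only the commands listed in parse_transcript are interpreted; a template whose bound interface has no port-mode line in the transcript is reported with auth "unknown".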

8 WLAN Roaming Configuration

This chapter includes these sections:
- WLAN Roaming Overview
- Configuring an IACTP Mobility Group
- Displaying and Maintaining WLAN Roaming
- WLAN Roaming Configuration Examples

WLAN Roaming Overview

The Inter AC Tunneling Protocol (IACTP) is a proprietary protocol of H3C which defines how access controllers (ACs) communicate with each other. IACTP provides a generic encapsulation and transport mechanism between ACs to provide secure AC-AC communications based on the standard TCP client/server model.

A mobility group is a group of ACs which communicate with each other using the IACTP protocol. A maximum of 8 ACs can be present in a mobility group in the current version. Formation and maintenance of a mobility group is done using IACTP.

IACTP provides a control tunnel for applications such as roaming to share/exchange messages. It also provides a data tunnel to encapsulate data packets to be transported between ACs. It can be used either with IPv4 or with IPv6.

Whenever a station associates to any of the ACs in a mobility group (which would be its Home-AC (HA)) for the first time, it will go through 802.1X authentication followed by 11 Key exchange. The station information will be synchronized across the ACs in the mobility group prior to the roaming of the station within an AC/across ACs. When this station roams to another AC in the mobility group (which would be its Foreign-AC (FA)), the station information is used to fast authenticate the station by skipping 802.1X authentication, and performing only key exchange to facilitate seamless roaming within the mobility group.

Terminology

HA: The AC to which a wireless station is connected by associating with an AP for the first time is the HA of the station.
FA: An AC that is other than the HA and to which a station is currently connected is an FA of the station.
Fast-roam capable station: A wireless station which directly associates to an AC in the mobility-group and supports fast-roam service (RSN+Dot1x).
Roam-out station: A wireless station which has associated with an AC other than the HA in the mobility-group is referred to as a roam-out station at its HA.
Roam-in station: A wireless station which has associated with an AC other than the HA in the mobility-group is referred to as a roam-in station at the FA.

Intra-AC roaming: A procedure where a wireless station roams from one AP to another AP, which are connected to the same AC.
Inter-AC roaming: A procedure where a wireless station roams from one AP to another AP, which are connected to different ACs.
Inter-AC fast roaming capability: If a station uses 802.1x (RSN) authentication through negotiation and supports Key Caching, this station has inter-AC fast roaming capability.

WLAN Roaming Topologies

WLAN Roaming topologies consist of:
- Intra-AC roaming topology
- Inter-AC roaming topology
- Intra-FA roaming topology
- Inter-FA roaming topology
- Roam-back topology

Intra-AC roaming

Figure 8-1 Intra-AC roaming

1) A station is associated with AP 1, which is connected to an AC.
2) The station disassociates with AP 1 and roams to AP 2 connected to the same AC.
3) The station is associated with AP 2 through intra-AC roam association.

Inter-AC roaming

Figure 8-2 Inter-AC roaming

1) A station is associated with AP 1, which is connected to AC 1.
2) The station disassociates with AP 1 and roams to AP 2 connected to AC 2.
3) The station is associated with AP 2 through inter-AC roam association. Prior to inter-AC roaming, AC 1 should synchronize the station information with AC 2 through an IACTP tunnel.

Intra-FA roaming

Figure 8-3 Intra-FA roaming

1) A station is associated with AP 1, which is connected to AC 1.
2) The station disassociates with AP 1 and roams to AP 2 connected to AC 2. Now AC 2 is the FA for the station.

3) The station is associated with AP 2 through inter-AC roam association. Prior to inter-AC roaming, AC 1 should synchronize the station information with AC 2 through an IACTP tunnel.
4) The station then disassociates with AP 2 and roams to AP 3 which is also connected to AC 2. The station is associated with AP 3 through intra-FA roam association.

Inter-FA roaming

Figure 8-4 Inter-FA roaming

1) A station is associated with AP 1, which is connected to AC 1.
2) The station disassociates with AP 1 and roams to AP 2 connected to AC 2. Now AC 2 is the FA for the station.
3) The station is associated with AP 2 through inter-AC roam association.
4) The station then disassociates with AP 2 and roams to AP 3 which is connected to AC 3, which now is its FA. Prior to inter-AC roaming, AC 1 should synchronize the station information with AC 2 and AC 3 through IACTP tunnels.

Roam-back

Figure 8-5 Roam-back

1) A station is associated with AP 1, which is connected to AC 1.
2) The station disassociates with AP 1 and roams to AP 3 connected to AC 2. Now AC 2 is the FA for the station.
3) The station is associated with AP 3 through inter-AC roam association. Prior to inter-AC roaming, AC 1 should synchronize the station information with AC 2 through an IACTP tunnel.
4) The station then disassociates with AP 3 and roams back to AP 2 connected to AC 1, which is its HA.

Configuring an IACTP Mobility Group

The IACTP service is part of the WLAN system, and can be enabled only after a mobility group and the tunnel source IP address are configured. An IACTP mobility group includes attributes such as the mobility tunnel protocol type, source IP address, authentication mode, and member IP addresses.

Follow these steps to configure a mobility group and enable IACTP service for it:

To do: Enter system view
Use the command: system-view

To do: Create a mobility group with the specified name
Use the command: wlan mobility-group name
Remarks: Required. ACs in the same mobility group should have the same mobility group name.

To do: Specify the mobility tunnel protocol type
Use the command: mobility-tunnel { iactp | iactp6 }
Remarks: By default, the mobility tunnel protocol type is IPv4.

To do: Specify the tunnel source IP address
Use the command: source { ip IPv4-address | ipv6 IPv6-address }
Remarks: Required

To do: Specify a member IP address
Use the command: member { ip IPv4-address | ipv6 IPv6-address }
Remarks: Required. Members can be added dynamically irrespective of whether IACTP service is enabled or not.

To do: Specify the authentication mode
Use the command: authentication-mode authentication-method authentication-key
Remarks: By default, no authentication method is used.

To do: Enable the IACTP service for the group
Use the command: mobility-group enable
Remarks: Required. By default, IACTP service is disabled.

- Do not configure ACs in a roaming group to back up each other.
- The configurations of user profile on ACs in a roaming group must be the same.

Displaying and Maintaining WLAN Roaming

To do: Display mobility group information
Use the command: display wlan mobility-group [ member { ip IPv4-address | ipv6 IPv6-address } ]
Remarks: Available in any view

To do: Display the roam-track information of a client on the HA
Use the command: display wlan client roam-track mac-address mac-address
Remarks: Available in any view

To do: Display the WLAN client roaming information
Use the command: display wlan client { roam-in | roam-out } [ member { ip IPv4-address | ipv6 IPv6-address } ] [ verbose ]
Remarks: Available in any view

WLAN Roaming Configuration Examples

Intra-AC Roaming Configuration Example

Network requirements

As shown in the figure below, an AC has two APs associated and all of them are in VLAN 1. A client is associated with AP1. It is required to configure intra-AC roaming so that the client can associate with AP2 when roaming to AP2.

Figure 8-6 Intra-AC roaming

Configuration procedure

1) Configuration on the AC

# Configure WLAN port security, using 802.1X authentication.
<AC> system-view

# On WLAN-ESS1, configure the port security mode as userlogin-secure-ext, and enable key negotiation.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key

# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit

# Create service template 1 of crypto type, configure its SSID as intra-roam, and bind WLAN-ESS1 to intra-roam.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid intra-roam
[AC-wlan-st-1] bind wlan-ess 1

# Configure the authentication method as open system authentication, and enable the CCMP cipher suite in the encryption of frames.
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn

# Enable service template 1.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit

# Enable port security.
[AC] port-security enable

# Configure the 802.1X authentication method as EAP.

[AC] dot1x authentication-method eap

# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended

# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting

# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting

# Configure the source IP address of RADIUS packets sent by the AC as
[AC-radius-rad] nas-ip
[AC-radius-rad] quit

# Create ISP domain cams and configure the ISP domain cams to use RADIUS scheme rad to implement authentication, authorization, and accounting for all types of users.
[AC] domain cams
[AC-isp-cams] authentication default radius-scheme rad
[AC-isp-cams] authorization default radius-scheme rad
[AC-isp-cams] accounting default radius-scheme rad
[AC-isp-cams] quit

# Configure cams as the default ISP domain.
[AC] domain default enable cams

# Configure AP 1: Create an AP template named ap1 and specify the AP model as WA2100. Configure the serial ID of AP 1 as A045B05B
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A045B05B
[AC-wlan-ap-ap1] radio 1 type dot11g

# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit

# Configure AP 2: Create an AP template named ap2 and specify the AP model as WA2100. Configure the serial ID of AP 2 as A22W
[AC] wlan ap ap2 model WA2100
[AC-wlan-ap-ap2] serial-id A22W
[AC-wlan-ap-ap2] radio 1 type dot11g

# Bind service template 1 to radio 1 of AP 2 (intra-AC roaming requires SSIDs of different APs to be consistent. Therefore, radio 1 of AP 2 should be bound to service template 1).
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] quit
[AC-wlan-ap-ap2] quit

2) Verify the configuration

After the client roams to AP2, use the display wlan client verbose command to display detailed client information. You should find that the AP name and BSSID fields have been changed to those of AP2. You can also use the display wlan client roam-track mac-address command to view client roaming track information.

Inter-AC Roaming Configuration Example

Network requirements

As shown in the figure below, two ACs that each are connected to an AP are connected through a Layer 2 switch. Both ACs are in the same network. The IP address of AC 1 is and that of AC 2 is . A client associates with AP 1. It is required to configure inter-AC roaming so that the client can associate with AP2 when roaming to it.

Figure 8-7 Inter-AC roaming

- For wireless service configuration, see WLAN Service in the WLAN Configuration Guide.
- A client has inter-AC fast roaming capability only if it uses 802.1x (RSN) authentication through negotiation.
- If you select an authentication mode involving remote authentication, you need to configure the corresponding RADIUS server. For more information, see WLAN Security in the WLAN Configuration Guide.

Configuration procedure

1) Configuration on AC 1

# Configure WLAN port security, using 802.1X authentication.
<AC1> system-view

# Enter view of port WLAN-ESS1, configure the port security mode as userlogin-secure-ext, and enable key negotiation on the port.

[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key

# Disable the multicast trigger function and the online user handshake function.
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit

# Create service template 1 (crypto type service template), configure the SSID of the current service template as inter-roam, and bind WLAN-ESS1 to inter-roam.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid inter-roam
[AC1-wlan-st-1] bind wlan-ess 1

# Configure the authentication method as open system authentication, and enable CCMP cipher suite for the encryption of frames.
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn

# Enable service template 1.
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit

# Enable port security.
[AC1] port-security enable

# Configure the 802.1X authentication method as EAP.
[AC1] dot1x authentication-method eap

# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC1] radius scheme rad
[AC1-radius-rad] server-type extended

# Configure the IP addresses of the primary authentication server and accounting server as
[AC1-radius-rad] primary authentication
[AC1-radius-rad] primary accounting

# Configure the shared key for RADIUS authentication/accounting packets as
[AC1-radius-rad] key authentication
[AC1-radius-rad] key accounting

# Configure the source IP address of RADIUS packets sent by the AC as
[AC1-radius-rad] nas-ip
[AC1-radius-rad] quit

# Configure ISP domain cams to use RADIUS scheme rad to implement authentication, authorization, and accounting for all types of users.
[AC1] domain cams
[AC1-isp-cams] authentication default radius-scheme rad
[AC1-isp-cams] authorization default radius-scheme rad
[AC1-isp-cams] accounting default radius-scheme rad
[AC1-isp-cams] quit

# Configure cams as the default ISP domain.
[AC1] domain default enable cams

# Configure AP 1. Create an AP template named ap1 and specify the AP model as WA2100. Configure the serial ID of AP 1 as A045B05B

149 [AC1] wlan ap ap1 model WA2100 [AC1-wlan-ap-ap1] serial-id A045B05B [AC1-wlan-ap-ap1] radio 1 type dot11g # Bind service template inter-roam to radio 1. [AC1-wlan-ap-ap1-radio-1] service-template 1 [AC1-wlan-ap-ap1-radio-1] radio enable [AC1-wlan-ap-ap1-radio-1] quit [AC1-wlan-ap-ap1] quit # Configure roaming group Roaming1 on AC 1. [AC1] wlan mobility-group Roaming1 # Configure the source IP address (IP address of AC 1) of the roaming group as , the IP address of the roaming group member (IP address of AC 2) as [AC1-wlan-mg-roaming1] source ip [AC1-wlan-mg-roaming1] member ip # Enable roaming group Roaming1. [AC1-wlan-mg-roaming1] mobility-group enable 2) Configuration on AC 2 # Configure WLAN port security, using 802.1X authentication. <AC2> system-view # Enter view of port WLAN-ESS1, configure the port security mode as userlogin-secure-ext, and enable key negotiation of the port. [AC2] interface wlan-ess 1 [AC2-WLAN-ESS1] port-security port-mode userlogin-secure-ext [AC2-WLAN-ESS1] port-security tx-key-type 11key # Disable the multicast trigger function and the online user handshake function. [AC2-WLAN-ESS1] undo dot1x multicast-trigger [AC2-WLAN-ESS1] undo dot1x handshake [AC2-WLAN-ESS1] quit # Create service template 1 (crypto type service template), configure the SSID of the current service template as inter-roam, and bind WLAN-ESS1 to inter-roam. [AC2] wlan service-template 1 crypto [AC2-wlan-st-1] ssid inter-roam [AC2-wlan-st-1] bind wlan-ess 1 # Configure the authentication method as open system authentication, enable CCMP cipher suite for the encryption of frames, and enables the RSN information element in the beacon and probe response frames sent by the AP. [AC2-wlan-st-1] authentication-method open-system [AC2-wlan-st-1] cipher-suite ccmp [AC2-wlan-st-1] security-ie rsn # Enable service template 1. [AC2-wlan-st-1] service-template enable [AC2-wlan-st-1] quit # Enable port security. 
[AC2] port-security enable # Configure the 802.1X authentication method as EAP. [AC2] dot1x authentication-method eap # Configure AP 2. Create an AP template named ap2 and specify the AP model as WA2100. Configure 8-11

150 the serial ID of AP 2 as A22W [AC2] wlan ap ap2 model WA2100 [AC2-wlan-ap-ap2] serial-id A22W [AC2-wlan-ap-ap2] radio 1 type dot11g # Bind service template inter-roam to radio 1 of AP 2 (Inter-AC roaming requires SSIDs of APs to be consistent. Therefore, radio 1 of AP 2 should be bound to service template inter-roam.). [AC2-wlan-ap-ap2-radio-1] service-template 1 # Enable radio 1 on AP 2. [AC2-wlan-ap-ap2-radio-1] radio enable [AC2-wlan-ap-ap2-radio-1] quit [AC2-wlan-ap-ap2] quit # Create roaming group Roaming1 on AC 2. [AC2] wlan mobility-group Roaming1 # Configure the source IP address (IP address of AC 1) of the roaming group as , the IP address of the roaming group member (IP address of AC 2) as [AC2-wlan-mg-roaming1] source ip [AC2-wlan-mg-roaming1] member ip # Enable roaming group Roaming1. [AC2-wlan-mg-roaming1] mobility-group enable 3) Verify the configuration. You can use the display wlan client roam-out command on AC 1 to display roamed out client information, and use the display wlan client roam-in command on AC 2 to display roamed in client information. You can also use the display wlan client roam-track mac-address command to view client roaming track information on AC
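Because inter-AC roaming requires the SSIDs (and, in this example, the same security settings) on both ACs to be consistent, the following added example, which is not part of the H3C guide, parses two CLI sessions in the format used above and reports where they disagree. The 192.0.2.x addresses are constructed placeholders, and the rule that each AC's source ip must appear as a member ip on its peer is an assumption of this example.

```python
import re

# Values this section's example configures on both ACs (taken from the page).
BASELINE = {
    "port_mode": "userlogin-secure-ext",
    "tx_key_type": "11key",
    "auth_method": "open-system",
    "cipher_suite": "ccmp",
    "security_ie": "rsn",
    "dot1x_method": "eap",
}
# Commands that carry a value, mapped to the key used in the parsed result.
VALUED = {
    "port-security port-mode": "port_mode",
    "port-security tx-key-type": "tx_key_type",
    "ssid": "ssid",
    "authentication-method": "auth_method",
    "cipher-suite": "cipher_suite",
    "security-ie": "security_ie",
    "dot1x authentication-method": "dot1x_method",
    "wlan mobility-group": "group",
    "source ip": "source_ip",
}
# Commands that only switch a feature on.
SWITCHES = ("service-template enable", "port-security enable", "mobility-group enable")
PROMPT = re.compile(r"^[\[<][^\]>]+[\]>]\s*(.*)$")

def parse_session(text):
    """Turn a CLI session ("[AC1-view] command" lines) into a settings dict."""
    cfg = {"members": set(), "enabled": set()}
    for raw in text.splitlines():
        match = PROMPT.match(raw.strip())
        if not match:  # blank lines and "# ..." step descriptions
            continue
        cmd = " ".join(match.group(1).split())
        if cmd in SWITCHES:
            cfg["enabled"].add(cmd)
        elif cmd.startswith("member ip "):
            cfg["members"].add(cmd[len("member ip "):])
        else:
            for prefix, key in VALUED.items():
                if cmd.startswith(prefix + " "):
                    cfg[key] = cmd[len(prefix) + 1:]
    return cfg

def audit_ac(name, cfg):
    """Report where one AC deviates from the baseline above."""
    findings = []
    for key, want in BASELINE.items():
        got = cfg.get(key)
        if got != want:
            findings.append(f"{name}: {key} is {got!r}, example uses {want!r}")
    for switch in SWITCHES:
        if switch not in cfg["enabled"]:
            findings.append(f"{name}: '{switch}' is missing")
    return findings

def audit_pair(cfg1, cfg2, names=("AC1", "AC2")):
    """Check both ACs individually, then the settings that must agree."""
    findings = audit_ac(names[0], cfg1) + audit_ac(names[1], cfg2)
    for key in ("ssid", "group"):
        if cfg1.get(key) is None or cfg1.get(key) != cfg2.get(key):
            findings.append(f"{key} differs: {cfg1.get(key)!r} vs {cfg2.get(key)!r}")
    # Assumption: each AC's source ip must be listed as a member ip on its peer.
    pairs = ((names[0], cfg1, names[1], cfg2), (names[1], cfg2, names[0], cfg1))
    for own, own_cfg, peer, peer_cfg in pairs:
        src = own_cfg.get("source_ip")
        if src is None or src not in peer_cfg["members"]:
            findings.append(f"{peer}: no 'member ip' for {own} source {src!r}")
    return findings

def sample_session(ac, source, member, ssid="inter-roam", cipher="ccmp"):
    """Constructed session text in the page's format (placeholder addresses)."""
    return f"""
# Constructed sample, not device output.
[{ac}-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[{ac}-WLAN-ESS1] port-security tx-key-type 11key
[{ac}-wlan-st-1] ssid {ssid}
[{ac}-wlan-st-1] authentication-method open-system
[{ac}-wlan-st-1] cipher-suite {cipher}
[{ac}-wlan-st-1] security-ie rsn
[{ac}-wlan-st-1] service-template enable
[{ac}] port-security enable
[{ac}] dot1x authentication-method eap
[{ac}] wlan mobility-group Roaming1
[{ac}-wlan-mg-roaming1] source ip {source}
[{ac}-wlan-mg-roaming1] member ip {member}
[{ac}-wlan-mg-roaming1] mobility-group enable
"""

if __name__ == "__main__":
    ac1 = parse_session(sample_session("AC1", "192.0.2.1", "192.0.2.2"))
    ac2 = parse_session(sample_session("AC2", "192.0.2.2", "192.0.2.1", ssid="guest"))
    print("\n".join(audit_pair(ac1, ac2)))
```
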

9 WLAN RRM Configuration

This chapter includes these sections:
Overview
Configuration Task list
Configuring Data Transmit Rates
Configuring Dynamic Frequency Selection
Configuring Transmit Power Control
Configuring a Radio Group
Configuring Scan Parameters
Configuring Power Constraint
Displaying and Maintaining WLAN RRM
WLAN Load Balancing
Enabling g Protection
WLAN RRM Configuration Examples
WLAN Load Balancing Configuration Examples

Overview

Radio signals are susceptible to surrounding interference, and the causes of radio signal attenuation in different directions are very complex. Therefore, a WLAN network must be planned carefully before it is deployed. After deployment, the running parameters still need to be adjusted, because the radio environment keeps changing due to interference from mobile obstacles, microwave ovens, and so on. To adapt to these changes, radio resources such as working channels and transmit power should be adjusted dynamically. Such adjustments are complex and require experienced personnel to carry them out regularly, which brings high maintenance costs.

WLAN radio resource management (RRM) is a scalable radio resource management solution. It works in four stages: information collection (APs collect radio environment information in real time), information analysis (the AC analyzes the collected information), decision-making (the AC makes radio resource adjustment configuration according to the analysis results), and implementation (APs implement the configuration made by the AC for radio resource optimization). In this way, WLAN RRM delivers a real-time, intelligent, integrated radio resource management solution, which enables a WLAN network to adapt quickly to radio environment changes and stay in a healthy state.

Channel Adjustment

Few working channels are available in WLANs. For example, there are only three working channels in a 2.4G WLAN network. As a result, channel overlapping occurs very easily. In addition, other radio sources, such as radar and microwave ovens, may exist in a WLAN and interfere with the operation of APs. All these problems can be resolved through dynamic channel adjustment.

With dynamic channel adjustment, each AP can be assigned the best channel in real time to avoid co-channel interference and interference from other radio sources, so that communication stays continuous and data transmission is highly reliable.

Figure 9-1 Dynamic channel adjustment

Power Adjustment

Traditionally, an AP has its transmit power set to the maximum to cover an area as large as possible, which, however, affects the operation of surrounding wireless devices. Therefore, both coverage and capacity need to be considered. Power adjustment is responsible for real-time radio environment monitoring and dynamic power assignment.

When an AP starts for the first time, it uses the maximum transmission power. Then, it collects reports from detected neighbors (which are managed by the same AC) to make a power adjustment decision. When a new neighbor joins, each AP reduces its transmission power. As shown in Figure 9-2, APs 1, 2 and 3 cover an area. When AP 4 joins, the default maximum number of allowed neighbors (adjacency factor, which is configurable) is reached. Then, the APs perform power adjustment. The figure shows that they all reduce their transmission power.

Figure 9-2 Power reduction

As shown in Figure 9-3, when AP 3 fails, the other APs increase their transmission power to cover the whole area.

Figure 9-3 Power increasing

Configuration Task list

Complete the following tasks to configure WLAN RRM:
Configuring Data Transmit Rates
Configuring Dynamic Frequency Selection
Configuring Transmit Power Control
Configuring a Radio Group
Configuring Scan Parameters
Configuring Power Constraint


More information

H3C S5500-HI Switch Series

H3C S5500-HI Switch Series H3C S5500-HI Switch Series ACL and QoS Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 5501 Document version: 6W100-20140103 Copyright 2014, Hangzhou

More information

H3C S5130-HI Switch Series

H3C S5130-HI Switch Series H3C S5130-HI Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1111 Document version: 6W100-20150615 Copyright 2015, Hangzhou

More information

H3C MSR Series Routers

H3C MSR Series Routers H3C MSR Series Routers Probe Command Reference(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0007 Document version: 6W100-20140320 Copyright 2014, Hangzhou H3C

More information

H3C S6520XE-HI Switch Series

H3C S6520XE-HI Switch Series H3C S6520XE-HI Switch Series Layer 3 IP Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 1108 Document version: 6W100-20171228 Copyright 2017,

More information

H3C S5130-EI Switch Series

H3C S5130-EI Switch Series H3C S5130-EI Switch Series OpenFlow Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 311x Document version: 6W102-20180323 Copyright 2016-2018, New H3C Technologies

More information

H3C S5820X&S5800 Series Ethernet Switches

H3C S5820X&S5800 Series Ethernet Switches H3C S5820X&S5800 Series Ethernet Switches Layer 3 - IP Routing Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W103-20100716 Product Version: Release 1110

More information

H3C S6300 Switch Series

H3C S6300 Switch Series H3C S6300 Switch Series OpenFlow Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2416 Document version: 6W100-20150126 Copyright 2015, Hangzhou H3C

More information

H3C S3100V2-52TP Switch

H3C S3100V2-52TP Switch H3C S3100V2-52TP Switch Layer 3 IP Services Command Reference New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2111P02, Release 2112 Document version: 6W101-20180228 Copyright

More information

H3C S5500-HI Switch Series

H3C S5500-HI Switch Series H3C S5500-HI Switch Series Layer 3 - IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 52xx Document version: 6W102-20131220 Copyright 2013,

More information

H3C S12500-X Switch Series

H3C S12500-X Switch Series H3C S12500-X Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: R1003 and later Document version: 6W101-20150515 Copyright 2014-2015,

More information

H3C S5820X&S5800 Series Ethernet Switches

H3C S5820X&S5800 Series Ethernet Switches H3C S5820X&S5800 Series Ethernet Switches High Availability Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W103-20100716 Product Version: Release 1110 Copyright

More information

H3C Intelligent Management Center

H3C Intelligent Management Center H3C Intelligent Management Center TACACS+ Authentication Manager Administrator Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: IMC TAM 7.3 (E0501) Document version: 5PW105-20170515

More information

H3C MSR Series Routers

H3C MSR Series Routers H3C MSR Series Routers ACL and QoS Configuration Guide(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0007 Document version: 6W100-20140320 Copyright 2014, Hangzhou

More information

H3C S10500 Switch Series

H3C S10500 Switch Series H3C S10500 Switch Series Layer 2 - LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S10500-CMW710-R7178 Document version: 6W100-20160118 Copyright

More information

H3C S5130-HI Switch Series

H3C S5130-HI Switch Series H3C S5130-HI Switch Series Layer 3 - IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1111 Document version: 6W100-20150615 Copyright 2015,

More information

H3C S9500E Series Routing Switches

H3C S9500E Series Routing Switches H3C S9500E Series Routing Switches IP Multicast Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S9500E-CMW520-R1828P04 Document version: 6W182-20140823 Copyright

More information