Table of Contents

1 WLAN Service Configuration
  WLAN Service Overview
    Terminology
    Wireless Client Access
  802.11 Overview
  WLAN Topologies
    Single BSS
    Multi-ESS
    Single ESS Multiple BSS (The multiple radio case)
  Protocols and Standards
  Configuring WLAN Service
    Configuring Global WLAN Parameters
    Specifying the Country Code
    Configuring a Service Template
    Configuring the Radio of an AP
    Configuring a Radio Interface
    Configuring 802.11n
  Configuring Uplink Detection
  Displaying and Maintaining WLAN Service
  Configuring WLAN Client Isolation
    Introduction
    Enabling WLAN Client Isolation
  WLAN Service Configuration Examples
    WLAN Service Configuration Example
    802.11n Configuration Example
- The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
- Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix.
- The interface types and the number of interfaces vary by AP model.
- The term AP in this document refers to common APs, wireless bridges, or mesh APs.

1 WLAN Service Configuration

This chapter includes these sections:

- WLAN Service Overview
- 802.11 Overview
- WLAN Topologies
- Protocols and Standards
- Configuring WLAN Service
- Configuring Uplink Detection
- Displaying and Maintaining WLAN Service
- Configuring WLAN Client Isolation
- WLAN Service Configuration Examples

WLAN Service Overview

Wireless Local Area Networks (WLANs) have become very popular because they are easy to set up and use, and have low maintenance cost. Generally, one or more access points (APs) can cover a building or an area. A WLAN is not completely wireless because the servers in the backbone are fixed.

The WLAN solution allows you to provide the following wireless LAN services to your customers:

- WLAN client connectivity to conventional 802.3 LANs
- Secured WLAN access with different authentication and encryption methods
- Seamless roaming of WLAN clients in the mobility domain

Terminology

Client
A handheld computer, a laptop with a wireless Network Interface Card (NIC), or a terminal supporting WiFi can be a WLAN client.

Access point (AP)
An AP bridges frames between wireless and wired networks.
Fat AP
A fat AP controls and manages all associated wireless stations and bridges frames between wired and wireless networks.

SSID
The service set identifier. A client first scans all networks, and then selects a specific SSID to connect to a specific wireless network.

Wireless medium
A medium that is used for transmitting frames between wireless clients. Radio frequency is used as the wireless medium in the WLAN system.

Wireless Client Access

A wireless client access process involves three steps: active/passive scanning of surrounding wireless services, authentication, and association, as shown in Figure 1-1.

Figure 1-1 Establish a client access

Scanning

A wireless client can get information about surrounding wireless networks in two ways: passive scanning or active scanning. With passive scanning, a wireless client gets wireless network information by listening to the Beacon frames sent by surrounding APs. With active scanning, a wireless client actively sends a probe request frame during scanning, and gets network information from the probe response frames it receives.

In practice, an operating wireless client usually uses both passive scanning and active scanning to get information about surrounding wireless networks.

1) Active scanning

When a wireless client operates, it periodically searches for (that is, scans) surrounding wireless networks. Active scanning falls into two modes according to whether a specified SSID is carried in a probe request.

- A client sends a probe request with no SSID (that is, the length of the SSID is 0): The client broadcasts a probe request frame on each of the supported channels to scan wireless networks. APs that receive the probe request frame send a probe response frame. The client associates with the AP with the strongest signal. This active scanning mode enables a client to know the available wireless services and then access the target wireless network.
Figure 1-2 Active scanning (the SSID of the probe request is null, that is, no SSID information is carried)

- When the wireless client is configured to access a specific wireless network or has already been connected to a wireless network, the client periodically unicasts a probe request carrying the specified SSID of the configured or connected wireless network. When an AP that can provide the wireless service with the specified SSID receives the probe request, it sends a probe response. This active scanning mode enables a client to access a specified wireless network. The active scanning process is shown in Figure 1-3.

Figure 1-3 Active scanning (the probe request carries the specified SSID AP 1)

2) Passive scanning

Passive scanning is used by clients to discover surrounding wireless networks by listening to the beacon frames periodically sent by an AP. All APs providing wireless services periodically send beacon frames, so wireless clients can periodically listen to beacon frames on the supported channels to get information about surrounding wireless networks. A client uses passive scanning when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode. The passive scanning process is shown in Figure 1-4.

Figure 1-4 Passive scanning
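The frames in the scanning process above can be told apart from their raw bytes. The following Python parser is an added example, not part of the H3C guide: it reads an 802.11 management frame (given without radiotap header or FCS), reports its subtype, and classifies a probe request as the zero-length-SSID (wildcard) or specified-SSID (directed) mode. The function names, MAC addresses and sample frames are constructed for the illustration.

```python
import struct

# Management-frame subtypes (frame type 0) for the frames named in this chapter.
SUBTYPES = {0: "association request", 1: "association response", 4: "probe request",
            5: "probe response", 8: "beacon", 10: "disassociation",
            11: "authentication", 12: "deauthentication"}
HDR_LEN = 24      # frame control, duration, three addresses, sequence control
FIXED_LEN = 12    # beacon/probe response: timestamp(8), beacon interval(2), capability(2)


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def find_ssid(elements):
    """Walk the tagged elements and return the SSID (element ID 0), or None."""
    pos = 0
    while pos + 2 <= len(elements):
        eid, elen = elements[pos], elements[pos + 1]
        value = elements[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            raise ValueError("truncated information element")
        if eid == 0:
            return value.decode("utf-8", "replace")
        pos += 2 + elen
    return None


def parse_mgmt(frame):
    """Parse one management frame given without radiotap header or FCS."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0:
        raise ValueError("not a management frame")
    info = {"subtype": SUBTYPES.get(subtype, f"subtype {subtype}"),
            "dst": mac(frame[4:10]), "src": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if subtype in (5, 8):            # AP-originated: fixed fields precede the elements
        if len(frame) < HDR_LEN + FIXED_LEN:
            raise ValueError("truncated fixed fields")
        info["beacon_interval_tu"] = struct.unpack_from("<H", frame, HDR_LEN + 8)[0]
        info["ssid"] = find_ssid(frame[HDR_LEN + FIXED_LEN:])
    elif subtype == 4:               # client-originated probe request
        info["ssid"] = find_ssid(frame[HDR_LEN:])
        # A zero-length SSID element is the "no SSID" probe described above.
        info["scan"] = "directed" if info["ssid"] else "wildcard"
    return info


def build(subtype, dst, src, bssid, body):
    """Assemble a constructed sample frame (duration and sequence control zeroed)."""
    return bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


# Constructed sample data: locally administered MAC addresses, SSID "service".
BCAST, CLIENT, AP = b"\xff" * 6, bytes.fromhex("020000000001"), bytes.fromhex("020000000a01")
RATES = b"\x01\x04\x02\x04\x0b\x16"
WILDCARD_PROBE = build(4, BCAST, CLIENT, BCAST, b"\x00\x00" + RATES)
DIRECTED_PROBE = build(4, AP, CLIENT, AP, b"\x00\x07service" + RATES)
BEACON = build(8, BCAST, AP, AP, bytes(8) + struct.pack("<HH", 100, 0x0001) + b"\x00\x07service")

if __name__ == "__main__":
    for sample in (WILDCARD_PROBE, DIRECTED_PROBE, BEACON):
        print(parse_mgmt(sample))
```

Because probe requests and beacons are sent before authentication, a monitoring sensor can apply the same parsing to see which SSIDs clients are asking for and which APs advertise them.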
Authentication

To secure wireless links, a wireless client must be authenticated before accessing an AP, and only wireless clients passing the authentication can be associated with the AP. 802.11 links define two authentication mechanisms: open system authentication and shared key authentication.

- Open system authentication
- Shared key authentication

For more information about the two types of authentication, see WLAN Security in the WLAN Configuration Guide.

Association

A client that wants to access a wireless network via an AP must be associated with that AP. Once the client chooses a compatible network with a specified SSID and passes the link authentication to an AP, it sends an association request frame to the AP. The AP examines the capability information carried in the association request frame, determines the capabilities supported by the wireless client, and sends an association response to notify the client of the association result. Usually, a client can associate with only one AP at a time, and an association process is always initiated by the client.

Other related frames

1) De-authentication

A de-authentication frame can be sent by either an AP or a wireless client to break an existing link. In a wireless system, de-authentication can occur for many reasons, such as:

- Receiving an association/disassociation frame from a client which is unauthenticated.
- Receiving a data frame from a client which is unauthenticated.
- Receiving a PS-poll frame from a client which is unauthenticated.
- The validity timer for a client expires and the port is not secured.

2) Dissociation

A dissociation frame can be sent by an AP or a wireless client to break the current wireless link. In the wireless system, dissociation can occur for many reasons, such as:

- Receiving a data frame from a client which is authenticated and unassociated.
- Receiving a PS-Poll frame from a client which is authenticated and unassociated.

A dissociation frame is either unicast or broadcast.
802.11 Overview

The following functions are provided by Fat-AP WMAC:

- Beacon generation
- Handling Probe Request
- Handling Open System Authentication
- Handling (Re) Association
- Handling De-authentication
- Handling Disassociation
- Power Management
- Fragmentation and Defragmentation
- Dot11 to Ethernet Frame Conversion
- Ethernet to Dot11 Frame Conversion
- Keep Alive Mechanism
- Idle Timeout Mechanism
- Clear Channel Search

WLAN Topologies

WLAN has the following topologies:

- Single BSS
- Multiple ESS
- Single ESS Multiple BSS

Single BSS

The coverage of an access point is called a Basic Service Set (BSS). Each BSS is identified by the BSSID. The most basic WLAN network can be established with only one BSS. All wireless clients associate with the same BSS. If those clients have the same authorization, they can communicate with each other. Figure 1-5 shows the single BSS network.

Figure 1-5 Single BSS network

The clients are able to communicate with each other and are also able to reach a host in the Internet. Communication between clients within the same BSS is carried out by the fat AP.

Multi-ESS

All the clients under the same logical administration form an extended service set (ESS). The multi-ESS topology describes a scenario where more than one ESS exists. When a mobile client joins the AP, it can join one of the available ESSs. Figure 1-6 shows the multiple ESS network.
Figure 1-6 Multiple ESS network

Generally, a fat AP can provide more than one logical ESS at the same time. The fat AP broadcasts the current information of each configured ESS in Beacon or Probe response frames, and a client can select the ESS it wants to join.

Different ESS domains can be configured on the fat AP. The fat AP can be configured to advertise these ESS domains and to accept clients in them once their credentials are accepted.

Single ESS Multiple BSS (The multiple radio case)

This topology describes a usage where a fat AP has more than one radio under a single logical administration. Both radios support the same service set in the same ESS, but since the coverage areas are logically different, they belong to different BSSs.

Figure 1-7 Single ESS Multiple BSS network

This can be used in scenarios where 802.11a and 802.11b/g need to be supported together. Figure 1-7 shows two clients connected to different radios but belonging to the same ESS and different BSSs.
Protocols and Standards

For more information on protocols and standards, see:

- ANSI/IEEE Std 802.11, 1999 Edition
- IEEE Std 802.11a
- IEEE Std 802.11b
- IEEE Std 802.11g
- IEEE Std 802.11i
- IEEE Std 802.11-2004

Configuring WLAN Service

WLAN service configuration includes WLAN global configuration, country code, service template and radio configuration.

Task:

- Configuring Global WLAN Parameters
- Specifying the Country Code
- Configuring a Service Template
- Configuring the Radio of an AP
- Configuring a Radio Interface

Configuring Global WLAN Parameters

Follow these steps to configure global WLAN parameters:

To do: Enter system view
Use the command: system-view

To do: Configure the idle timeout interval
Use the command: wlan client idle-timeout interval
Remarks: By default, the idle timeout interval is 3600 seconds.

To do: Configure the keep alive timeout interval for the client
Use the command: wlan client keep-alive interval
Remarks: By default, keep alive function is disabled.

To do: Enable the fat AP to respond to the probe requests with the SSID null sent by the client
Use the command: wlan broadcast-probe reply
Remarks: Enabled by default.

Specifying the Country Code

A country code identifies the country in which you want to operate the radio. It determines characteristics such as operating power level and total number of channels available for the transmission of frames. You need to configure the valid country code before configuring the fat AP.

Follow these steps to configure the country code:
To do: Enter system view
Use the command: system-view

To do: Specify the country code
Use the command: wlan country-code code
Remarks: By default, the country code is CN.

For relations between country codes and countries, see WLAN Command Reference.

Configuring a Service Template

A WLAN service template includes attributes such as the SSID and the authentication algorithm (open-system or shared key). A service template can be of the clear or crypto type. An existing clear-type service template cannot be changed to crypto. To change a service template from clear to crypto, you must delete the existing service template and configure a new service template of the crypto type.

Follow these steps to configure a WLAN service template:

To do: Enter system view
Use the command: system-view

To do: Create a WLAN service template
Use the command: wlan service-template service-template-number { clear | crypto }
Remarks: By default, a clear type service template exists.

To do: Specify the service set identifier
Use the command: ssid ssid-name

To do: Disable the advertising of SSID in beacon frames
Use the command: beacon ssid-hide
Remarks: By default, the SSID is advertised in the beacon frames.

To do: Specify the maximum number of clients allowed to associate with the same radio
Use the command: client max-count max-number
Remarks: 64 by default.

To do: Enable the authentication method
Use the command: authentication-method { open-system | shared-key }
Remarks: For more information about shared key authentication, see WLAN Security in the WLAN Configuration Guide.

To do: Enable the service template
Use the command: service-template enable
Remarks: By default, the service template is disabled.
Configuring the Radio of an AP

Follow these steps to configure the radio of an AP:

To do: Enter system view
Use the command: system-view

To do: Enter radio interface view
Use the command: interface wlan-radio interface-number

To do: Specify a radio type for the radio
Use the command: radio-type { dot11b | dot11g | dot11a }

To do: Map a service template to the current radio
Use the command: service-template service-template-number interface wlan-bss interface-number

To do: Specify a channel number for the radio
Use the command: channel { channel-number | auto }
Remarks: By default, auto mode is enabled. The working channel of a radio varies with country codes and radio types. The channel list depends on your device model.

To do: Specify the maximum radio power
Use the command: max-power max-power
Remarks: By default, the maximum radio power varies with country codes, channels, AP models, radio types and antenna types. If 802.11n is adopted, the maximum radio power also depends on the bandwidth mode.

To do: Specify the type of preamble
Use the command: preamble { long | short }
Remarks: By default, the short preamble is supported.

Configuring a Radio Interface

A set of radio parameters can be configured for a radio interface. If a radio interface is mapped to a radio (for example, 802.11b/g or 802.11a), all parameters configured for the radio interface apply to the radio.

Follow these steps to configure a radio interface:

To do: Enter system view
Use the command: system-view

To do: Enter radio interface view
Use the command: interface wlan-radio interface-number

To do: Set the interval for sending beacon frames
Use the command: beacon-interval interval
Remarks: 100 time units (TUs) by default.

To do: Set the number of beacon intervals between DTIM frames
Use the command: dtim counter
Remarks: The default is 1.

To do: Specify the fragmentation threshold
Use the command: fragment-threshold size
Remarks: By default, the fragmentation threshold is 2346 bytes.

To do: Specify the Request to Send (RTS) threshold
Use the command: rts-threshold size
Remarks: By default, the RTS threshold is 2346 bytes.
To do: Set the maximum number of attempts for transmitting a frame larger than the RTS threshold
Use the command: long-retry threshold count
Remarks: The default count is 4.

To do: Specify the maximum number of attempts to transmit a frame shorter than the RTS threshold
Use the command: short-retry threshold count
Remarks: The default count is 7.

To do: Specify the duration for the AP to hold received packets
Use the command: max-rx-duration duration
Remarks: By default, the duration is 2000 milliseconds.

Configuring 802.11n

As the next generation wireless LAN technology, 802.11n supports both 2.4 GHz and 5 GHz bands. It provides higher-speed services to customers by using the following two methods:

1) Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other acting as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.

2) Improving channel utilization through the following ways:

- A-MPDU frame: By aggregating multiple message protocol data units (MPDUs) and using only one PHY header for the aggregate MPDUs (A-MPDU), the overhead in transmission and the number of ACK frames to be used are reduced, which improves channel utilization.
- A-MSDU: Multiple MAC service data units (MSDU) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency and channel utilization.
- Short GI function at the physical layer: This feature shortens the guard interval (GI) of 800 us in 802.11a/g to 400 us. This feature effectively reduces the channel idle time, and improves channel utilization. The short GI feature can increase the performance by about 10 percent.
Follow these steps to configure 802.11n:

To do: Enter system view
Use the command: system-view

To do: Enter radio interface view
Use the command: interface wlan-radio interface-number

To do: Enter radio view
Use the command: radio-type { dot11an | dot11gn }

To do: Specify the bandwidth mode for the radio
Use the command: channel band-width { 20 | 40 }
Remarks: By default, the 802.11an radio operates in 40 MHz mode; the 802.11gn radio operates in 20 MHz mode.

To do: Enable access permission for 802.11n clients only
Use the command: client dot11n-only
Remarks: By default, an 802.11a/n radio permits both 802.11a and 802.11n clients to access, and an 802.11g/n radio permits both 802.11g and 802.11n clients to access.
To do: Enable the short GI function
Use the command: short-gi enable
Remarks: Enabled by default.

To do: Enable the A-MSDU function
Use the command: a-msdu enable
Remarks: Enabled by default.

To do: Enable the A-MPDU function
Use the command: a-mpdu enable
Remarks: Enabled by default.

- Support for the configuration of 802.11n rates depends on the device model.
- For information about Modulation and Coding Scheme (MCS) index and mandatory and supported 802.11n rates, see WLAN RRM in the WLAN Configuration Guide.

Configuring Uplink Detection

A fat AP connects to a wired network through an uplink Ethernet interface or a radio interface in bridge mode, as shown in Figure 1-8 and Figure 1-9. If the uplink Ethernet interface or radio interface fails, the fat AP and associated clients cannot access the wired network. With uplink detection enabled, when the uplink interface fails, the AP stops providing WLAN services and its SSID is not available for clients to access the WLAN until the uplink recovers. In this way, WLAN clients will select other APs (if any) to access the network.

Figure 1-8 Uplink detection network diagram (an Ethernet interface used as the uplink interface)

Figure 1-9 Uplink detection network diagram (a radio interface used as the uplink interface)

Follow these steps to specify the uplink interface of the fat AP:
To do: Enter system view
Use the command: system-view

To do: Specify the uplink interface (Ethernet interface)
Use the command: wlan uplink-interface interface-type interface-number
Remarks: By default, no interface is configured as an uplink interface.

To do: Specify the uplink interface (radio interface)
Use the command: wlan uplink-interface mesh-link interface-type interface-number
Remarks: By default, no interface is configured as an uplink interface.

For more information about the wlan uplink-interface mesh-link command, see WDS in the WLAN Command Reference.

Displaying and Maintaining WLAN Service

To do: Display WLAN client information
Use the command: display wlan client { interface wlan-radio [ radio-number ] | mac-address mac-address | service-template service-template-number } [ verbose ]
Remarks: Available in any view

To do: Display WLAN service template information
Use the command: display wlan service-template [ service-template-number ]
Remarks: Available in any view

To do: Display WLAN client statistics
Use the command: display wlan statistics client { all | mac-address mac-address }
Remarks: Available in any view

To do: Cut off client(s)
Use the command: reset wlan client { all | mac-address mac-address }
Remarks: Available in user view

To do: Clear WLAN client statistics
Use the command: reset wlan statistics client { all | mac-address mac-address }
Remarks: Available in user view

Configuring WLAN Client Isolation

Introduction

In hot spots such as airports and coffee shops, some users need to access the Internet through WLAN. In this case, if user authentication cannot be performed, unauthorized users are able to use network resources, which may occupy wireless channels, increase bandwidth cost, decrease the service quality for authorized users, and bring losses to wireless service providers. Used together with IEEE 802.11i, RADIUS authentication and accounting, wireless user isolation can provide security protection for users.

User isolation enables a fat AP to isolate Layer-2 packets (unicast/broadcast) exchanged between wireless clients associated with it, thus preventing them from communicating directly.
Figure 1-10 User isolation network diagram

As shown in Figure 1-10, after the fat AP is enabled with user isolation, clients 1 through 4 cannot access each other directly, or learn one another's MAC and IP addresses.

Enabling WLAN Client Isolation

Follow these steps to enable WLAN client isolation:

To do: Enter system view
Use the command: system-view

To do: Enable WLAN client isolation
Use the command: wlan-client-isolation enable
Remarks: Enabled by default.

WLAN Service Configuration Examples

WLAN Service Configuration Example

Network requirements

As shown in Figure 1-11, it is required to enable the client to access the internal network resources at any time. More specifically:

- The AP provides plain-text wireless access service with SSID service.
- The AP adopts 802.11g.

Figure 1-11 Network diagram for WLAN service configuration
Configuration procedure

1) Configuration on the fat AP

# Create a WLAN BSS interface.
<AP> system-view
[AP] interface WLAN-BSS 1
[AP-WLAN-BSS1] quit

# Configure a clear-type service template, configure its SSID as service, specify the open-system authentication mode, and enable the WLAN service template.
[AP] wlan service-template 1 clear
[AP-wlan-st-1] ssid service
[AP-wlan-st-1] authentication-method open-system
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit

# Bind WLAN-Radio 1/0/1 to service template 1 and WLAN-BSS 1.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] radio-type dot11ag
[AP-WLAN-Radio1/0/1] channel 149
[AP-WLAN-Radio1/0/1] service-template 1 interface WLAN-BSS 1

2) Configuration verification

The clients can associate with the AP and access the WLAN. You can use the display wlan client and display connection commands to view the online clients.

802.11n Configuration Example

Support for 802.11n depends on your device model.

Network requirements

As shown in Figure 1-12, it is required to deploy an 802.11n network to provide high-bandwidth access for multi-media applications. More specifically:

- The AP provides a plain-text wireless service with SSID service.
- 802.11gn is adopted to inter-work with the existing 802.11g network.

Figure 1-12 802.11n configuration
Configuration procedure

1) Configuration on the fat AP

# Create a WLAN BSS interface.
<AP> system-view
[AP] interface WLAN-BSS 1
[AP-WLAN-BSS1] quit

# Configure a clear-type service template, configure its SSID as service, specify the open-system authentication mode, and enable the WLAN service template.
[AP] wlan service-template 1 clear
[AP-wlan-st-1] ssid service
[AP-wlan-st-1] authentication-method open-system
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit

# Configure the bandwidth as 40 MHz, and bind WLAN-Radio 1/0/1 to service template 1 and WLAN-BSS 1.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] radio-type dot11gn
[AP-WLAN-Radio1/0/1] channel 6
[AP-WLAN-Radio1/0/1] channel band-width 40
[AP-WLAN-Radio1/0/1] service-template 1 interface WLAN-BSS 1

2) Configuration verification

The clients can associate with the APs and access the WLAN. You can use the display wlan client and display connection commands to view the online clients. The 802.11n client information is displayed in the output information of the display wlan client command.
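Both configuration examples above publish a clear-type (plain-text) service template with open-system authentication. The following Python check is an added example, not part of the H3C guide: it reads a fat-AP CLI session in the format used above and lists every radio bound to an enabled clear-type template, using only commands that appear in this chapter. The function names and the crypto-type variant are constructed for the illustration.

```python
import re

# Fat-AP session copied from the first configuration example in this chapter.
PAGE_EXAMPLE = """\
<AP> system-view
[AP] interface WLAN-BSS 1
[AP-WLAN-BSS1] quit
[AP] wlan service-template 1 clear
[AP-wlan-st-1] ssid service
[AP-wlan-st-1] authentication-method open-system
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] radio-type dot11ag
[AP-WLAN-Radio1/0/1] channel 149
[AP-WLAN-Radio1/0/1] service-template 1 interface WLAN-BSS 1
"""
# Constructed variant (not from the guide): the same session with a crypto-type template.
CRYPTO_VARIANT = PAGE_EXAMPLE.replace("service-template 1 clear", "service-template 1 crypto")

PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")   # "<AP>" or "[AP-...]" prompt


def parse_session(text):
    """Return ({template number: settings}, {radio interface: bound template})."""
    templates, bindings, view = {}, {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower().split()
        if low[:2] == ["wlan", "service-template"] and len(low) >= 3:
            view = ("template", low[2])
            entry = templates.setdefault(
                low[2], {"type": "unknown", "ssid": None, "auth": None, "enabled": False})
            if len(low) > 3:
                entry["type"] = low[3]
        elif low[0] == "interface":
            is_radio = len(low) == 3 and low[1] == "wlan-radio"
            view = ("radio", low[2]) if is_radio else None
        elif low[0] == "quit":
            view = None
        elif view and view[0] == "template" and len(low) > 1:
            entry = templates[view[1]]
            if low[0] == "ssid":
                entry["ssid"] = line.split(None, 1)[1]
            elif low[0] == "authentication-method":
                entry["auth"] = low[1]
            elif low == ["service-template", "enable"]:
                entry["enabled"] = True
        elif view and view[0] == "radio" and low[0] == "service-template" and len(low) > 1:
            bindings[view[1]] = low[1]
    return templates, bindings


def audit(text):
    """List (radio, ssid, issue) for radios serving an enabled clear-type template."""
    templates, bindings = parse_session(text)
    findings = []
    for radio, number in sorted(bindings.items()):
        entry = templates.get(number)
        if not entry or not entry["enabled"] or entry["type"] != "clear":
            continue
        open_auth = entry["auth"] == "open-system"
        issue = "plain-text service" + (", open-system authentication" if open_auth else "")
        findings.append((radio, entry["ssid"], issue))
    return findings
```

Calling audit(PAGE_EXAMPLE) reports radio 1/0/1 with SSID service, while the crypto-type variant produces no finding.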