Page 1: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

H3C WX Series Access Controllers Web-Based Configuration Guide

Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com

Software version:
WX3000-CMW520-R3308 (WX3024E)
WX5004-CMW520-R2308 (WX5000 series)
WX6103-CMW520-R2308 (WX6000 series)

Document version: 6W106-20120824

Copyright © 2008-2012, Hangzhou H3C Technologies Co., Ltd. and its licensors

All rights reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Preface

The H3C WX Series Access Controllers Web-Based Configuration Guide describes the web functions of the WX series, such as quick start, web overview, wireless service configuration, security and authentication related configurations, QoS configuration, and advanced settings.

NOTE:

• Support of the H3C WX series access controllers for features may vary by device model. For the feature matrixes, see the chapter "Feature Matrixes".

• The interface types and output information may vary by device model.

• The grayed-out functions and parameters on the web interface are unavailable or not configurable.

This preface includes:

• Audience

• Conventions

• About the H3C WX Series documentation set

• Obtaining documentation

• Technical support

• Documentation feedback

Audience

This documentation is intended for:

• Network planners

• Field technical support and servicing engineers

• Network administrators working with the WX series

Conventions

This section describes the conventions used in this documentation set.

GUI conventions

Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.

>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.

CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: An alert that calls attention to essential information.

NOTE: An alert that contains additional or supplementary information.

TIP: An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

Represents an access controller, an access controller module, or a switching engine on a unified switch.

Represents an access point.

Represents a mesh access point.

Represents omnidirectional signals.

Represents directional signals.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C WX Series documentation set

The H3C WX series documentation set includes:

Product description and specifications
  Marketing brochures: Describe product specifications and benefits.
  Technology white papers: Provide an in-depth description of software features and technologies.

Hardware specifications and installation
  Card manuals: Provide the hardware specifications of cards and describe how to install and remove the cards.
  Installation guide: Provides a complete guide to hardware installation and hardware specifications.

Software configuration
  Getting started guide: Guides you through the main functions of your device, and describes how to install and log in to your device, perform basic configurations, maintain software, and troubleshoot your device.
  Configuration guides: Describe software features and configuration procedures.
  Command references: Provide a quick reference to all available commands.
  Web-based configuration guide: Describes configuration procedures through the web interface.

Operations and maintenance
  Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com.

Click the links on the top navigation bar to obtain different categories of product documentation:

[Technical Support & Documents > Technical Documents] – Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.

[Products & Solutions] – Provides information about products and technologies, as well as solutions.

[Technical Support & Documents > Software Download] – Provides the documentation released with the software version.

Technical support

[email protected]

http://www.h3c.com

Documentation feedback

You can e-mail your comments about product documentation to [email protected].

We appreciate your comments.


Contents

Models of WX series access controllers ····················································································································· 1 

Typical network scenarios ··········································································································································· 2 Access controller network scenario ································································································································· 2 Access controller module network scenario ··················································································································· 2 Wireless switch network scenario ··································································································································· 3 

Feature matrixes ··························································································································································· 4 Feature matrix for the WX5000 series ··························································································································· 4 Feature matrix for the WX6000 series ··························································································································· 5 Feature matrix for the WX3024E ···································································································································· 8 

Quick Start ···································································································································································· 9 Quick start wizard home page ········································································································································ 9 Basic configuration ··························································································································································· 9 Admin configuration ······················································································································································ 10 IP configuration ······························································································································································ 11 Wireless configuration ··················································································································································· 12 RADIUS configuration ···················································································································································· 13 Portal configuration ························································································································································ 15 Encryption configuration ··············································································································································· 16 AP configuration ····························································································································································· 17 Configuration summary ················································································································································· 19 

Web overview ···························································································································································· 20 Logging in to the Web interface··································································································································· 20 Logging out of the Web interface ································································································································ 21 Introduction to the Web interface ································································································································· 21 Web user level ······························································································································································· 22 Introduction to the Web-based NM functions ············································································································· 23 Common Web interface elements ································································································································ 35 Configuration guidelines ··············································································································································· 39 Troubleshooting Web browser ····································································································································· 40 

Failure to access the device through the Web interface ··················································································· 40 

Summary ····································································································································································· 43 Device information ························································································································································· 43 

Device info ····························································································································································· 44 System resource state ············································································································································ 44 Device interface information ································································································································ 44 Recent system logs ················································································································································· 45 

Displaying WLAN service ············································································································································· 45 Displaying detailed information of WLAN service ···························································································· 45 Displaying statistics of WLAN service ················································································································· 48 Displaying connection history information of WLAN service ··········································································· 48 

Displaying AP ································································································································································· 49 Displaying WLAN service information of an AP ······························································································· 49 Displaying AP connection history information···································································································· 49 Displaying AP radio information ························································································································· 50 Displaying AP detailed information ····················································································································· 52 

Displaying clients ··························································································································································· 57 

Page 7: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

ii

Displaying client detailed information ················································································································ 57 Displaying client statistics ····································································································································· 60 Displaying client roaming information ················································································································ 61 Displaying RF ping information ··························································································································· 62 

License management ·················································································································································· 64 Configuring licenses ······················································································································································ 64 Adding a license ···························································································································································· 64 

Displaying license information ····························································································································· 65 Configuring enhanced licenses ···································································································································· 65 

Registering an enhanced license ························································································································· 65 Displaying registered enhanced licenses ············································································································ 66 

Device basic information configuration ···················································································································· 67 Configuring system name ·············································································································································· 67 Configuring Web idle timeout period ························································································································· 67 

Device maintenance ··················································································································································· 69 Software upgrade ·························································································································································· 69 Rebooting the device ····················································································································································· 70 Generating the diagnostic information file ·················································································································· 71 

System time ································································································································································· 73 Displaying the system time ············································································································································ 73 

Configuring the system time ································································································································· 73 Configuring the network time ······························································································································· 74 

System time configuration example ····························································································································· 76 Configuration guidelines ··············································································································································· 77 

Log management ························································································································································ 78 Displaying syslog ··························································································································································· 78 Setting the log host························································································································································· 79 Setting buffer capacity and refresh interval ················································································································ 80 

Configuration management ······································································································································· 82 Backing up the configuration ········································································································································ 82 Restoring the configuration ··········································································································································· 82 Saving the configuration ··············································································································································· 83 Initializing the configuration ········································································································································· 84 

File management ························································································································································ 85 Displaying file list ··························································································································································· 85 Downloading a file ························································································································································ 86 Uploading a file ····························································································································································· 86 Removing a file ······························································································································································· 86 Specifying the main boot file ········································································································································ 86 

Interface management ··············································································································································· 87 Interface management overview ·································································································································· 87 Displaying interface information and statistics ··········································································································· 87 Creating an interface ····················································································································································· 89 Modifying a Layer 2 interface ······································································································································ 92 Modifying a Layer 3 interface ······································································································································ 95 Interface management configuration example ··········································································································· 97 

Port mirroring ······························································································································································ 99 Introduction to port mirroring ········································································································································ 99 Port mirroring configuration task list ·························································································································· 100 

Page 8: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

iii

Adding a mirroring group ·································································································································· 100 Configuring ports for a mirroring group ··········································································································· 101 

Configuration examples ·············································································································································· 102 Configuration guidelines ············································································································································· 104 

User management ··················································································································································· 105 Creating a user ····························································································································································· 105 Setting the super password ········································································································································· 106 Switching the user access level to the management level ······················································································· 107 

SNMP configuration ··············································································································································· 108 SNMP overview···························································································································································· 108 SNMP configuration task list ······································································································································· 108 

Enabling SNMP ··················································································································································· 109 Configuring an SNMP view ········································································································································ 111 

Creating an SNMP view····································································································································· 111 Adding rules to an SNMP view ························································································································· 112 Configuring an SNMP community ····················································································································· 113 Configuring an SNMP group ····························································································································· 114 Configuring an SNMP user ································································································································ 116 Configuring SNMP trap function ······················································································································· 118 

Displaying SNMP packet statistics ····························································································································· 119 SNMP configuration example ···································································································································· 120 

Loopback ································································································································································· 126 Loopback operation ····················································································································································· 126 Configuration guidelines ············································································································································· 127 

MAC address configuration ··································································································································· 128 Overview ······································································································································································· 128 Configuring a MAC address entry ····························································································································· 129 

Setting the aging time of MAC address entries ······························································································· 130 MAC address configuration example ························································································································ 131 

VLAN configuration ················································································································································ 133 Overview ······································································································································································· 133 Recommended configuration procedure···················································································································· 133 Creating a VLAN·························································································································································· 133 Modifying a VLAN ······················································································································································· 134 Modifying a port ·························································································································································· 135 VLAN configuration examples ···································································································································· 137 Configuration guidelines ············································································································································· 140 

ARP configuration ··················································································································································· 141 Overview ······································································································································································· 141 

Introduction to ARP ·············································································································································· 141 Introduction to gratuitous ARP ···························································································································· 141 

Displaying ARP entries ················································································································································· 141 Creating a static ARP entry ········································································································································· 142 Removing ARP entries ·················································································································································· 143 Configuring gratuitous ARP ········································································································································· 143 Static ARP configuration example ······························································································································ 144 

ARP attack protection configuration ······················································································································ 148 ARP detection ······················································································································································· 148 Source MAC address based ARP attack detection ·························································································· 148 ARP active acknowledgement ···························································································································· 148 

Page 9: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

iv

ARP packet source MAC address consistency check ······················································································ 149 Configuring ARP detection ·········································································································································· 149 Configuring other ARP attack protection functions ··································································································· 150 

IGMP snooping configuration ································································································································ 152 Overview ······································································································································································· 152 Recommended configuration procedure···················································································································· 153 Enabling IGMP snooping globally ····························································································································· 153 Configuring IGMP snooping on a VLAN ··················································································································· 154 Configuring IGMP snooping on a port ······················································································································ 155 Displaying IGMP snooping multicast entry information ··························································································· 157 IGMP snooping configuration examples ··················································································································· 158 

IPv4 and IPv6 routing configuration ······ 163
    Overview ······ 163
    Displaying the IPv4 active route table ······ 163
    Creating an IPv4 static route ······ 164
    Displaying the IPv6 active route table ······ 165
    Creating an IPv6 static route ······ 166
    IPv4 static route configuration example ······ 167
    IPv6 static route configuration example ······ 168
    Configuration guidelines ······ 170

DHCP overview ······ 172
        Introduction to DHCP snooping ······ 172

    Recommended configuration procedure (for DHCP server) ······ 173
    Enabling DHCP ······ 174
    Creating a static address pool for the DHCP server ······ 175
    Creating a dynamic address pool for the DHCP server ······ 176
    Enabling the DHCP server on an interface ······ 178
    Displaying information about assigned IP addresses ······ 178
    Recommended configuration procedure (for DHCP relay agent) ······ 179
    Enabling DHCP and configuring advanced parameters for the DHCP relay agent ······ 180
    Creating a DHCP server group ······ 182
    Enabling the DHCP relay agent on an interface ······ 183
    Configuring and displaying clients' IP-to-MAC bindings ······ 184
    Recommended configuration procedure (for DHCP snooping) ······ 185
    Enabling DHCP snooping ······ 185
    Configuring DHCP snooping functions on an interface ······ 186
    Displaying clients' IP-to-MAC bindings ······ 187
    DHCP server configuration example ······ 188
    DHCP relay agent configuration example ······ 190
    DHCP snooping configuration example ······ 192

DNS configuration ······ 195
    Overview ······ 195

        Static domain name resolution ······ 195
        Dynamic domain name resolution ······ 195
        DNS proxy ······ 195

    Recommended configuration procedure ······ 195
        Configuring static name resolution table ······ 195
        Configuring dynamic domain name resolution ······ 196
        Configuring DNS proxy ······ 196

    Configuring static name resolution table ······ 196
    Configuring dynamic domain name resolution ······ 197
    Configuring DNS proxy ······ 198


    Adding a DNS server address ······ 198
    Adding a domain name suffix ······ 199
    Clearing dynamic DNS cache ······ 199
    DNS configuration example ······ 199

Service management ······ 204
    Overview ······ 204
    Configuring service management ······ 205

Diagnostic tools ······ 207
    Ping ······ 207
    Trace route ······ 207

    Ping operation ······ 208
        IPv4 ping operation ······ 208
        IPv6 ping operation ······ 209

    Trace route operation ······ 211

AP configuration ······ 213
    AC-AP connection ······ 213
    Auto AP ······ 213
    AP group ······ 213
    Configuring an AP ······ 214

        Creating an AP ······ 214
        Configuring an AP ······ 214
        Configuring advanced settings ······ 216

    Configuring auto AP ······ 218
        Enabling auto AP ······ 218
        Renaming an AP ······ 219
        Batch switch ······ 219

    Configuring an AP group ······ 220
        Creating an AP group ······ 220
        Configuring an AP group ······ 220
        Applying the AP group ······ 221

    AP connection priority configuration example ······ 221

Configuring access services ······ 223
    Access service overview ······ 223

        Terminology ······ 223
        Client access ······ 223
        WLAN data security ······ 226
        Client access authentication ······ 227
        802.11n ······ 229

    Configuring access service ······ 230
        Recommended configuration procedure ······ 230
        Creating a WLAN service ······ 230
        Configuring clear type wireless service ······ 231
        Configuring crypto type wireless service ······ 240
        Security parameter dependencies ······ 247
        Enabling a wireless service ······ 247
        Binding an AP radio to a wireless service ······ 248
        Enabling a radio ······ 249
        Displaying the detailed information of a wireless service ······ 250

    Wireless service configuration example ······ 253
    Auto AP configuration example ······ 256
    802.11n configuration example ······ 261
    WPA-PSK authentication configuration example ······ 263


    Local MAC authentication configuration example ······ 268
    Remote MAC authentication configuration example ······ 273
    Remote 802.1X authentication configuration example ······ 284
    Dynamic WEP encryption-802.1X authentication configuration example ······ 297

Configuring mesh services ······ 304
    Mesh overview ······ 304

        Basic concepts in WLAN mesh ······ 304
        Advantages of WLAN mesh ······ 305
        Deployment scenarios ······ 305
        WLAN mesh security ······ 308
        Mobile link switch protocol ······ 308
        Mesh network topologies ······ 310

    Configuring mesh service ······ 311
        Configuring mesh service ······ 311
        Configuring a mesh policy ······ 316
        Mesh global setup ······ 320
        Configuring a working channel ······ 321
        Enabling radio ······ 322
        Configuring a peer MAC address ······ 322
        Mesh DFS ······ 323
        Displaying the mesh link status ······ 325

    Normal WLAN mesh configuration example ······ 326
    Subway WLAN mesh configuration example ······ 330
    Mesh point-to-multipoint configuration example ······ 331
    Tri-radio mesh configuration example ······ 332
    Mesh DFS configuration example ······ 333

WLAN roaming configuration ······ 336
    Configuring WLAN roaming ······ 336

        Configuring a roaming group ······ 336
        Adding a group member ······ 337
        Displaying client information ······ 338

    WLAN roaming configuration examples ······ 338
    Intra-AC roaming configuration example ······ 338
    Inter-AC roaming configuration example ······ 342

Radio configuration ······ 347
    Radio overview ······ 347
    WLAN RRM overview ······ 347

        Dynamic frequency selection ······ 347
        Transmit power control ······ 348

    Radio setup ······ 350
        Configuring radio parameters ······ 350
        Enabling a radio ······ 354
        Locking the channel ······ 355
        Locking the power ······ 356

    Configuring data transmit rates ······ 356
        Configuring 802.11a/802.11b/802.11g rates ······ 356
        Configuring 802.11n MCS ······ 358

    Configuring channel scanning ······ 360
    Configuring calibration ······ 361

        Parameter setting ······ 361
        Configuring a radio group ······ 365
        Calibration operations ······ 367

    Antenna ······ 369


    Manual channel adjustment configuration example ······ 370
    Automatic power adjustment configuration example ······ 372
    Radio group configuration example ······ 373

Configuring 802.1X ······ 377
    802.1X architecture ······ 377
    Access control methods ······ 377
    Configuring 802.1X ······ 378

        Configuration prerequisites ······ 378
        Recommended configuration procedure ······ 378
        Configuring 802.1X globally ······ 378
        Configuring 802.1X on a port ······ 381

Configuring portal authentication ······ 385
    Introduction to portal authentication ······ 385
    Configuring portal authentication ······ 386

        Configuration prerequisites ······ 386
        Recommended configuration procedure ······ 386
        Configuring the portal service ······ 387
        Configuring advanced parameters for portal authentication ······ 391
        Configuring a portal-free rule ······ 392
        Customizing authentication pages ······ 394

    Portal authentication configuration example ······ 397

Configuring AAA ······ 406
    AAA overview ······ 406
    Configuring AAA ······ 406

        Configuration prerequisites ······ 406
        Recommended configuration procedure ······ 407
        Configuring an ISP domain ······ 407
        Configuring authentication methods for the ISP domain ······ 408
        Configuring authorization methods for the ISP domain ······ 410
        Configuring accounting methods for the ISP domain ······ 412

    AAA configuration example ······ 414
        Network requirements ······ 414
        Configuration procedure ······ 415

Configuring RADIUS ······ 419
    RADIUS overview ······ 419
    Configuring a RADIUS scheme ······ 419
    RADIUS configuration example ······ 425

        Network requirements ······ 425
        Configuration procedure ······ 425
        Verifying the configuration ······ 430

    Configuration guidelines ······ 430

Configuring the local EAP service ······ 432
    Configuration procedure ······ 432
    Local EAP service configuration example ······ 433

        Network requirements ······ 433
        Configuration procedure ······ 434
        Verifying the configuration ······ 439

Configuring users ······ 440
    Overview ······ 440
    Configuring a local user ······ 441
    Configuring a user group ······ 443


    Configuring a guest ····· 444
    Configuring a user profile ····· 447

Managing certificates ····· 450
    PKI overview ····· 450
    Configuring PKI ····· 450
        Recommended configuration procedure for manual request ····· 451
        Recommended configuration procedure for automatic request ····· 452
        Creating a PKI entity ····· 453
        Creating a PKI domain ····· 454
        Generating an RSA key pair ····· 457
        Destroying the RSA key pair ····· 458
        Retrieving and displaying a certificate ····· 458
        Requesting a local certificate ····· 459
        Retrieving and displaying a CRL ····· 460
    Certificate management configuration example ····· 461
    Configuration guidelines ····· 466

WLAN security configuration ····· 467
    WLAN security overview ····· 467
        Terminology ····· 467
        WIDS attack detection ····· 469
        Blacklist and white list ····· 470
    Configuring rogue device detection ····· 471
        Recommended configuration procedure ····· 471
        Configuring AP operating mode ····· 471
        Configuring detection rules ····· 472
        Configuring detection rule lists ····· 475
        Enabling countermeasures and configuring aging time for detected rogue devices ····· 476
        Displaying monitor record ····· 477
        Displaying history record ····· 478
    Configuring WIDS ····· 479
        Configuring WIDS ····· 479
        Displaying history record ····· 479
        Displaying statistics information ····· 480
    Configuring the blacklist and white list functions ····· 480
        Configuring dynamic blacklist ····· 481
        Configuring static blacklist ····· 481
        Configuring white list ····· 483
    Rogue detection configuration example ····· 484

User isolation ····· 487
    User isolation overview ····· 487
        Before user isolation is enabled ····· 487
        After user isolation is enabled ····· 488
    Configuring user isolation ····· 488
        Configuring user isolation ····· 488
        Displaying user isolation information ····· 489
    User isolation configuration example ····· 489

Authorized IP ····· 491
    Overview ····· 491
    Configuring authorized IP ····· 491

Configuring ACL and QoS ····· 493
    ACL overview ····· 493
    QoS overview ····· 493


    Configuring an ACL ····· 494
        Recommended configuration procedures ····· 494
        Adding a time range ····· 495
        Adding an IPv4 ACL ····· 496
        Configuring a rule for a basic IPv4 ACL ····· 497
        Configuring a rule for an advanced IPv4 ACL ····· 498
        Configuring a rule for an Ethernet frame header ACL ····· 501
        Adding an IPv6 ACL ····· 503
        Configuring a rule for a basic IPv6 ACL ····· 504
        Configuring a rule for an advanced IPv6 ACL ····· 506
    Configuring line rate ····· 508
    Configuring the priority trust mode of a port ····· 509
        Priority mapping overview ····· 509
        Configuring priority mapping ····· 509
    Configuring a QoS policy ····· 512
        Recommended QoS policy configuration procedure ····· 512
        Adding a class ····· 513
        Configuring classification rules ····· 514
        Adding a traffic behavior ····· 517
        Configuring actions for a traffic behavior ····· 518
        Adding a policy ····· 521
        Configuring classifier-behavior associations for the policy ····· 521
        Applying a policy to a port ····· 522
        Applying a QoS policy to a WLAN service ····· 523
    ACL and QoS configuration example ····· 525
        Network requirements ····· 525
        Configuration procedure ····· 525
        Verifying the configuration ····· 534
    Configuration guidelines ····· 534

Configuring wireless QoS ····· 536
    Overview ····· 536
        Terminology ····· 536
        WMM protocol overview ····· 536
    Enabling wireless QoS ····· 538
    Setting the SVP service ····· 539
    Setting CAC admission policy ····· 540
    Setting radio EDCA parameters for APs ····· 540
    Setting client EDCA parameters for wireless clients ····· 542
    Displaying the radio statistics ····· 543
    Displaying the client statistics ····· 544
    Setting rate limiting ····· 546
        Setting wireless service-based client rate limiting ····· 546
        Setting radio-based client rate limiting ····· 547
    Configuring the bandwidth guarantee function ····· 548
        Setting the reference radio bandwidth ····· 548
        Setting guaranteed bandwidth percents ····· 549
        Enabling bandwidth guaranteeing ····· 550
        Displaying guaranteed bandwidth settings ····· 551
    CAC service configuration example ····· 551
        Network requirements ····· 551
        Configuring the wireless service ····· 551
        Configuring wireless QoS ····· 551
        Verifying the configuration ····· 553
    Wireless service-based static rate limiting configuration example ····· 553


        Network requirements ····· 553
        Configuring the wireless service ····· 553
        Configuring static rate limiting ····· 553
        Verifying the configuration ····· 554
    Wireless service-based dynamic rate limiting configuration example ····· 554
        Network requirements ····· 554
        Configuring the wireless service ····· 555
        Configuring dynamic rate limiting ····· 555
        Verifying the configuration ····· 555
    Bandwidth guarantee configuration example ····· 555
        Network requirements ····· 555
        Configuring the wireless services ····· 556
        Configuring bandwidth guaranteeing ····· 556
        Verifying the configuration ····· 559

Advanced settings ····· 560
    Advanced settings overview ····· 560
        Country/Region code ····· 560
        1+1 AC backup ····· 560
        1+N AC backup ····· 561
        Continuous transmitting mode ····· 562
        Channel busy test ····· 562
        WLAN load balancing ····· 562
        AP version setting ····· 564
        Switching to fat AP ····· 564
        Wireless location ····· 564
        Wireless sniffer ····· 566
        Band navigation ····· 566
    Configuring WLAN advanced settings ····· 567
        Setting a country/region code ····· 567
        Configuring 1+1 AC backup ····· 568
        Configuring 1+N AC backup ····· 571
        Configuring continuous transmitting mode ····· 573
        Configuring a channel busy test ····· 574
        Configuring load balancing ····· 576
        Configuring AP ····· 579
        Configuring wireless location ····· 580
        Configuring wireless sniffer ····· 582
        Configuring band navigation ····· 583
    Advanced settings configuration examples ····· 585
        1+1 fast backup configuration example ····· 585
        1+N backup configuration example ····· 590
        AP-based session-mode load balancing configuration example ····· 593
        AP-based traffic-mode load balancing configuration example ····· 595
        Group-based session-mode load balancing configuration example ····· 596
        Group-based traffic-mode load balancing configuration example ····· 598
        Wireless location configuration example ····· 601
        Wireless sniffer configuration example ····· 603
        Band navigation configuration example ····· 606

Configuring stateful failover ····· 609
    Overview ····· 609
        Introduction to stateful failover ····· 609
        Introduction to stateful failover states ····· 610
    Configuring stateful failover ····· 610


    Stateful failover configuration example ····· 611
    Configuration guidelines ····· 619

Index ····· 621


Models of WX series access controllers

H3C WX series access controllers include the WX3000E series wireless switches, and the WX5000 and WX6000 series access controllers. Table 1 shows the models of the WX series.

Table 1 Models of WX series access controllers

Product / Model

WX3000E series wireless switches:
• WX3024E wireless switch

WX5000 series access controllers:
• WX5002V2 access controller
• WX5004 access controller
• LSWM1WCM10 access controller module
• LSWM1WCM20 access controller module

WX6000 series access controllers:
• WX6103 access controller
• LSQM1WCMB0 access controller module
• LSQM1WCMD0 access controller module
• LSBM1WCM2A0 access controller module
• LSRM1WCM2A1 access controller module
• LSRM1WCM3A1 access controller module

NOTE:

The WX6103 access controller supports EWPX1WCMB0 and EWPX1WCMD0 main control boards.


Typical network scenarios

Access controller network scenario

As shown in Figure 1, the AC connects to a Layer 2 or Layer 3 switch through GE1/0/1, the switch is connected to APs directly or over an IP network, and clients access the network through the APs.

Figure 1 AC networking

Access controller module network scenario

As shown in Figure 2, the AC is installed on a Layer 2 or Layer 3 switch, the switch is connected to APs directly or over an IP network, and clients access the network through the APs.


Figure 2 Access controller module networking

Wireless switch network scenario

As shown in Figure 3, the wireless switch that has both AC and switch functions is connected to APs directly or over an IP network, and clients access the network through the APs.

Figure 3 Unified switch networking diagram

(Figure labels: Scheme 2 shows an access controller module installed in a switch, with a server, an IP network, AP 1, AP 2, Client A and Client B; Scheme 3 shows a wireless switch with a server, an IP network, AP 1, AP 2, Client A and Client B.)


Feature matrixes

In this document, Yes means a feature is supported, and No means not supported.

Feature matrix for the WX5000 series

NOTE:

The LSWM1WCM10 and LSWM1WCM20 access controller modules of the WX5000 series adopt the OAP architecture. They work as OAP cards and exchange data, status information, and control information with the switch through their internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on XGE 1/0/1 of the LSWM1WCM10, or on the logical aggregate interface BAGG1 formed by GE 1/0/1 and GE 1/0/2 of the LSWM1WCM20.

Table 2 Feature matrix for the WX5000 series

Columns: WX5002V2, WX5004, LSWM1WCM10, LSWM1WCM20

Device: License management
• WX5002V2: Supports 32 concurrent APs by default, and can be extended to support 64 concurrent APs.
• WX5004: Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs.
• LSWM1WCM10: Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs.
• LSWM1WCM20: Supports 32 concurrent APs by default, and can be extended to support 128 concurrent APs.

Device: File management
• WX5002V2: CF, Yes
• WX5004: CF, Yes
• LSWM1WCM10: CF, Yes
• LSWM1WCM20: Flash, Yes

Device: Port mirroring
• WX5002V2: Yes; WX5004: Yes; LSWM1WCM10: No; LSWM1WCM20: No

Device: Loopback test
• WX5002V2: Yes, on GE interfaces
• WX5004: Yes, on GE interfaces
• LSWM1WCM10: Internal loopback testing, Yes on XGE interfaces only
• LSWM1WCM20: Internal loopback testing, Yes on GE interfaces only

Network: IGMP snooping
• WX5002V2, WX5004, LSWM1WCM10, LSWM1WCM20: The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.

AP: AP group (Licenses must be fully configured to reach the maximum number of group IDs)
• WX5002V2: The number of group IDs ranges from 1 to 64.
• WX5004: The number of group IDs ranges from 1 to 256.
• LSWM1WCM10: The number of group IDs ranges from 1 to 256.
• LSWM1WCM20: The number of group IDs ranges from 1 to 128.

Wireless service: Access service
• WX5002V2, WX5004, LSWM1WCM10, LSWM1WCM20: The maximum number of associated users per SSID is 124 and defaults to 64.

Advanced settings: AC hot backup
• WX5002V2: Yes; WX5004: Yes; LSWM1WCM10: Yes; LSWM1WCM20: No

Advanced settings: Fast backup (Hello interval)
• WX5002V2: Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.)
• WX5004: Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.)
• LSWM1WCM10: Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.)
• LSWM1WCM20: No

Advanced settings: 1+1 AC backup
• WX5002V2: Yes; WX5004: Yes; LSWM1WCM10: Yes; LSWM1WCM20: No

Advanced settings: 1+1 fast backup
• WX5002V2: Yes; WX5004: Yes; LSWM1WCM10: Yes; LSWM1WCM20: No

High availability: Stateful failover
• WX5002V2: Yes; WX5004: Yes; LSWM1WCM10: Yes; LSWM1WCM20: No

Feature matrix for the WX6000 series

NOTE:

• The switch interface board of the WX6103 adopts the OAP architecture and is installed in the slot whose sides are painted purple. The WX6103 supports EWPX1WCMB0 and EWPX1WCMD0 main control boards. The switch interface board exchanges data, state information, and control information with the main control board through internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on the internal interfaces.

• For configuration information about the switch interface board of the WX6103, see the H3C WX6103 Access Controller Switch Interface Board Configuration Guide and H3C WX6103 Access Controller Switch Interface Board Command Reference.

• The LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, and LSRM1WCM3A1 of the WX6000 series are OAP cards. Each OAP card is installed in an expansion slot of the switch and exchanges data, status, and control information with the switch through internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on the internal interfaces.


Table 3 Feature matrix for the WX6000 series

Module Feature WX6103 LSQM1WCMB0 LSQM1WCMD0 LSBM1WCM2A0

LSRM1WCM2A1

LSRM1WCM3A1

Device

License management

EWPX1WCMB0 supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs. EWPX1WCMD0 supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.

Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.

Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.

Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.

Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.

Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.

File management CF and USB supported

CF and USB supported

CF and USB supported

CF and USB supported

CF and USB supported

CF and USB supported

Port mirroring No No No No No No

Loopback test

Internal loopback testing supported on XGE interfaces only

Internal loopback testing supported on XGE interfaces only

Internal loopback testing supported on XGE interfaces only

Internal loopback testing supported on XGE interfaces only

Internal loopback testing supported on XGE interfaces only

Internal loopback testing supported on XGE interfaces only

Network IGMP Snooping

The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.

The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.

The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.

The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.

The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.

The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.


AP

AP group (Licenses must be fully configured to reach the maximum number of group IDs)

On EWPX1WCMB0, the number of group IDs ranges from 1 to 640. On EWPX1WCMD0, the number of group IDs ranges from 1 to 1024.

The number of group IDs ranges from 1 to 640.

The number of group IDs ranges from 1 to 1024.

The number of group IDs ranges from 1 to 640.

The number of group IDs ranges from 1 to 640.

The number of group IDs ranges from 1 to 1024.

Wireless Service Access service

The maximum number of associated users per SSID is 124 and defaults to 64.

The maximum number of associated users per SSID is 124 and defaults to 64.

The maximum number of associated users per SSID is 124 and defaults to 64.

The maximum number of associated users per SSID is 124 and defaults to 64.

The maximum number of associated users per SSID is 124 and defaults to 64.

The maximum number of associated users per SSID is 124 and defaults to 64.

Advanced settings

AC backup Yes Yes Yes Yes Yes Yes

Fast backup (Hello interval)

Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.)

Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.)

Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.)

Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.)

Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.)

Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.)

1+1 AC backup Yes Yes Yes Yes Yes Yes

High availability Stateful failover Yes Yes Yes Yes Yes Yes


Feature matrix for the WX3024E

NOTE:

• The access controller engine and the switching engine of the WX3024E adopt the OAP architecture, with the switching engine integrated on the access controller engine. By default, when you log in to the switch you actually log in to the access controller engine. The GE 1/0/1 and GE 1/0/2 interfaces of the access controller engine form a logical interface BAGG1, and the GE 1/0/29 and GE 1/0/30 interfaces of the switching engine form another logical interface BAGG1. The two BAGG1 interfaces exchange data, status, and control information. Do not configure services such as QoS rate limiting and 802.1X authentication on these internal interfaces.

• For configuration information about the switching engine of the WX3024E, see the H3C WX3024E Wireless Switch Switching Engine Configuration Guide and H3C WX3024E Wireless Switch Switching Engine Command Reference.

Table 4 Feature matrix for the WX3024E

Module Feature WX3024E

Device

License management Supports 24 concurrent APs by default, and can be extended to support 60 concurrent APs.

File management Flash supported

Port mirroring No

Loopback test Internal loopback testing supported on GE interfaces only

Network IGMP Snooping The maximum number of multicast groups ranges from 1 to 64 and defaults to 64.

AP AP group (Licenses must be fully configured to reach the maximum number of group IDs) The number of group IDs ranges from 1 to 60.

Wireless Service Access service The maximum number of associated users per SSID is 124, and defaults to 64.

Advanced settings

AC backup No

Fast backup (Hello interval) No

1+1 AC backup No

High availability Stateful failover No


Quick Start

Quick start wizard home page

From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard, as shown in Figure 4.

Figure 4 Home page of the quick start wizard

Basic configuration

On the home page of the Quick Start wizard, click start to enter the basic configuration page, as shown in Figure 5.


Figure 5 Basic configuration page

Table 5 Configuration items

Item Description

System Name Specify the name of the current device.

By default, the system name of the device is H3C.

Country/Region Code

Select the code of the country where you are. This field defines the radio frequency characteristics such as the power and the total number of channels for frame transmission. Before configuring the device, you need to configure the country code correctly. If the Country Code field is grayed out, it cannot be modified.

Time Zone Select a time zone for the system.

Time Specify the current time and date.

Admin configuration

On the basic configuration page, click Next to enter the admin configuration page, as shown in Figure 6.


Figure 6 Admin configuration page

Table 6 Configuration items

Item Description

Password Specify the password, stored in cipher text, that user Admin uses to log in to the device.

Confirm Password Enter the password again to confirm the password.

IP configuration

On the Admin Configuration page, click Next to enter the IP configuration page, as shown in Figure 7.


Figure 7 IP configuration page

Table 7 Configuration items

Item Description

IP Address Specify the IP address of VLAN-interface 1. This IP address is used for logging into the device.

The default is 192.168.0.100.

Mask Specify the IP address mask of VLAN-interface 1.

By default, the mask is 24-bit long.

Default Gateway Specify the IP address of the default gateway that connects the device to the network.

By default, the IP address of the default gateway is not specified.

Wireless configuration

On the IP configuration page, click Next to enter the wireless configuration page, as shown in Figure 8.


Figure 8 Wireless configuration page

Table 8 Configuration items

Item Description

Primary Service Authentication type

Select the authentication type for the wireless service, which can be:

• None: Performs no authentication.

• User authentication (802.1X): Performs 802.1X authentication.

• Portal: Performs Portal authentication.

Wireless Service Specify the Service Set Identifier (SSID).

Encrypt Select this box to go to the 7/13: Encryption Configuration step.

By default, no encryption is performed. If this option is not selected, the 7/13: Encryption Configuration step is skipped.

RADIUS configuration

On the wireless configuration page, select User authentication (802.1X) or Portal for the Primary Service Authentication Type field, and then click Next to enter the RADIUS configuration page, as shown in Figure 9.


Figure 9 RADIUS configuration page

Table 9 Configuration items

Item Description

Service Type

Select the type of the RADIUS server.

Two types are available, standard and extended:

• extended—Specifies an extended RADIUS server, which is usually an IMC server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of a private RADIUS protocol.

• standard—Specifies a standard RADIUS server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of the standard RADIUS protocols (RFC 2138, RFC 2139, and their updates).

Authentication IP Enter the IP address of the RADIUS authentication server.

Authentication UDP Port Enter the port number of the RADIUS authentication server.

Authentication Key Enter the shared key of the RADIUS authentication server.

Accounting IP Enter the IP address of the RADIUS accounting server.

Accounting UDP Port Enter the port number of the RADIUS accounting server.

Accounting Key Enter the shared key of the RADIUS accounting server.


Portal configuration

On the wireless configuration page, select Portal for the Primary Service Authentication Type field, and then click Next to enter the RADIUS configuration page. After you complete RADIUS configuration, click Next to enter the portal configuration page, as shown in Figure 10.

Figure 10 Portal configuration page

Table 10 Configuration items

Item Description

Server-name Specify the system name of the portal server.

Server-IP Enter the IP address of the portal server.

Port Enter the port number of the portal server.

Redirect-URL Enter the URL of the portal authentication server.


Method

Specify the portal authentication method to be used, which can be:

• Direct—Before authentication, a user manually configures an IP address or directly obtains a public IP address through DHCP, and can access only the portal server and predefined free websites. After passing authentication, the user can access the network resources. The direct authentication process is simpler than that of re-DHCP authentication.

• Layer3—Layer 3 authentication is similar to direct authentication but allows Layer 3 forwarding devices to be present between the authentication client and the access device.

• Redhcp—Before authentication, a user gets a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resources.

Encryption configuration

On the wireless configuration page, select User authentication (802.1X) for Primary Service Authentication Type and click Next to enter the encryption configuration page, as shown in Figure 11.

Figure 11 Encryption configuration page


Table 11 Configuration items

Item Description

Provide Key Automatically

Specify whether to use WEP keys provided automatically or static WEP keys:

• Enable: Use WEP keys provided automatically.

• Disable: Use static WEP keys.

By default, static WEP keys are used.

After you select Enable, WEP104 is displayed for WEP.

IMPORTANT:

Automatically provided WEP keys must be used together with 802.1X authentication. Therefore, this option is available only after you select User authentication (802.1X) for Primary Service Authentication type on the wireless configuration page.

WEP Select the key type of the WEP encryption mechanism, which can be WEP40, WEP104, or WEP128.

Key ID

Select the WEP key index, which can be 1, 2, 3, or 4. Each number represents one of the four static keys of WEP. The selected key index will be used for frame encryption and decryption.

IMPORTANT:

If you select to enable Provide Key Automatically, only 1, 2, and 3 are available for the Key ID option.

Key Length

Select the key length.

• When the key type is WEP40, the key is five alphanumeric characters or ten hexadecimal characters long.

• When the key type is WEP104, the key is 13 alphanumeric characters or 26 hexadecimal characters long.

• When the key type is WEP128, the key is 16 alphanumeric characters or 32 hexadecimal characters long.

WEP Key Enter the WEP key.

AP configuration

On the guest service configuration page, click Next to enter the AP configuration page, as shown in Figure 12. You can configure an AP and click Add. You can configure multiple APs on the page. The section at the bottom of the page displays all existing APs.


Figure 12 AP configuration page

Table 12 Configuration items

Item Description

AP Name Enter the name of the AP.

Model Select the model of the AP.

Serial ID

Specify the serial ID of the AP.

• If the Auto box is not selected, you need to manually enter a serial ID.

• If the Auto box is selected, the AC automatically searches for the serial ID of the AP.

This option works together with the auto AP function to implement automatic AP discovery, so that the AP can connect to the AC automatically. When there are a large number of APs, automatic AP discovery avoids repeated configuration of AP serial numbers. For how to configure auto AP, see "AP configuration."

Country/Region Code

Select a country/region code for the AP.

By default, no country/region code is configured for the AP and the AP uses the global country/region code (which is configured on the AC). If the country/region code is specified on this page, the AP uses this configuration. For information about the country/region code configured on the AC, see "Advanced settings."

Radio Radio unit of the AP.

Mode Select the radio mode. The radio mode depends on the AP model.


Channel

Select the working channel.

The channel list for the radio depends on the country/region code and radio mode, and varies with device models.

Auto: Specifies the automatic channel mode. With Auto specified, the AC evaluates the quality of channels in the wireless network, and selects the best channel as the working channel.

After the channel is changed, the power list is refreshed.

Power

Select the transmission power.

The maximum power of the radio depends on the country/region code, working channel, AP model, radio mode, and antenna type. If 802.11n is specified as the radio mode, the maximum power of the radio also depends on the bandwidth mode.

Configuration summary

On the AP configuration page, click Next to enter the configuration summary page, as shown in Figure 13. The configuration summary page displays all configurations you have made. Click finish to save your configurations.

Figure 13 Configuration summary page


Web overview

The device provides Web-based configuration interfaces for visual device management and maintenance.

Figure 14 Web-based network management operating environment

Logging in to the Web interface

You can use the following default settings to log in to the Web interface through HTTP:

• Username—admin

• Password—admin

• IP address of VLAN-interface 1 of the device—192.168.0.100.

To log in to the Web interface of the device from a PC:

1. Connect the Ethernet port of the device to the PC by using a crossover Ethernet cable.

By default, all ports belong to VLAN 1.

2. Configure an IP address for the PC and make sure that the PC and the device can reach each other.

For example, assign the PC an IP address (for example, 192.168.0.2) within the network segment 192.168.0.0/24 (except for 192.168.0.100).

3. Open the browser and input the login information:

a. Type http://192.168.0.100 in the address bar and press Enter.

The login page of the Web interface (see Figure 15) appears.

b. Enter the username admin, the password admin, and the verification code, select the language (English and Chinese are supported at present), and click Login.

Figure 15 Login page of the Web interface


c. After you click Login, you will enter the following page. Select a country/region code from the Country/Region list, and click Apply.

Figure 16 Selecting a country/region code

The PC where you configure the device is not necessarily the Web-based network management terminal. A Web-based network management terminal is a PC (or another terminal) used to log in to the Web interface, and it must be able to reach the device.

After logging in to the Web interface, you can create a new user and configure the IP address of the interface connecting the user and the device.

If you click the verification code displayed on the Web login page, you can get a new verification code.

Up to 24 users can concurrently log in to the device through the Web interface.

Logging out of the Web interface

As shown in Figure 17, click Logout in the upper-right corner of the Web interface to quit Web-based network management.

The system does not save the current configuration before you log out of the Web interface. H3C recommends that you save the current configuration before logging out.

CAUTION:

Closing the browser does not automatically log a logged-in user out of the Web interface.

Introduction to the Web interface

The Web interface comprises three parts: navigation tree, title area, and body area.


Figure 17 Web-based configuration interface

(1) Navigation area (2) Body area (3) Title area

• Navigation area—Organizes the Web-based NM function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area. The Web network management functions not supported by the device are not displayed in the navigation area.

• Body area—The area where you can configure and display a function.

• Title area—On the left, displays the path of the current configuration interface in the navigation area; on the right, provides the Save button to quickly save the current configuration, the Help button to display the Web related help information, and the Logout button to log out of the Web interface.

Web user level

Web user levels, ranging from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a user with a lower level.

• Visitor—Users of this level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.

• Monitor—Users of this level can only access the device data but cannot configure the device.

• Configure—Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.

• Management—Users of this level can perform any operations for the device.
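The level ordering above, combined with the minimum level that Table 13 lists for each function menu, can be modelled as a small least-privilege check. The following Python is an added example, not part of this guide or of H3C software; the function rows are a handful of entries copied from Table 13, and the "Menu > Item" path strings are labels chosen for the example.

```python
"""Model of the Web user level hierarchy (added example, not H3C code)."""
from __future__ import annotations

# Levels as the guide lists them, from lowest to highest rights.
LEVELS = ("visitor", "monitor", "configure", "management")
RANK = {name: index for index, name in enumerate(LEVELS)}

# Minimum user level per function menu. A few rows taken from Table 13;
# the "Menu > Item" path strings are labels chosen for this example.
REQUIRED_LEVEL = {
    "Quick Start": "configure",
    "Summary > Device Info": "monitor",
    "Diagnostic Tools > IPv4 Ping": "visitor",
    "Device Maintenance > Software Upgrade": "management",
    "Device Maintenance > Reboot": "management",
    "Configuration > Save": "configure",
    "Users > Create": "management",
    "Syslog > Loghost": "configure",
}


def can_perform(user_level: str, function: str) -> bool:
    """Return True when a user of user_level may use the given function.

    A higher level inherits every right of the levels below it, so the
    check is a rank comparison, not an exact match.
    """
    if user_level not in RANK:
        raise ValueError(f"unknown user level: {user_level!r}")
    if function not in REQUIRED_LEVEL:
        raise ValueError(f"unknown function menu: {function!r}")
    return RANK[user_level] >= RANK[REQUIRED_LEVEL[function]]


def allowed_functions(user_level: str) -> list[str]:
    """Every function menu a user of user_level may use, sorted."""
    return sorted(f for f in REQUIRED_LEVEL if can_perform(user_level, f))


def least_privilege_level(functions: list[str]) -> str:
    """Lowest level that can perform all of the given functions.

    Useful when creating a Web user: grant the lowest level that covers the
    operator's tasks instead of defaulting to management.
    """
    for f in functions:
        if f not in REQUIRED_LEVEL:
            raise ValueError(f"unknown function menu: {f!r}")
    if not functions:
        return LEVELS[0]
    return LEVELS[max(RANK[REQUIRED_LEVEL[f]] for f in functions)]


if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level:11s} -> {allowed_functions(level)}")
    print(least_privilege_level(["Summary > Device Info", "Configuration > Save"]))
```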


Introduction to the Web-based NM functions

NOTE:

• Support for the configuration items depends on the device model. For more information, see "Feature matrixes."

• A user level in Table 13 indicates that users of this level or users of a higher level can perform the corresponding operations.

Table 13 Description for Web-based NM functions

Function menu Description User level

Quick Start Perform quick configuration of the device. Configure

Summary

Device Info

Display and refresh system resource state, device information, device interface information, and recent system operation logs.

Monitor

Wireless Service

Display the information of the queried WLAN service, including the detailed information, statistics, and connection history.

Monitor

AP

Display the information of the queried AP, including wireless service, connection history, radio, and detailed information.

Monitor

Reboot an AP. Configure

Client

Display the detailed information, statistics, and roaming information of the client.

Monitor

Clear statistics of the client, disconnect the connection, and add the client into the blacklist.

Configure

Device

License

License Display license information. Monitor

Add licenses. Configure

Enhanced License Display enhanced license information. Monitor

Register enhanced licenses. Configure

Basic

System Name Display and configure the system name.

Configure

Web Idle Timeout Display and configure the idle timeout period for a logged-in user.

Configure

Device Maintenance

Software Upgrade Upload the file to be upgraded from the local host to upgrade the system software.

Management

Reboot Reboot the device. Management


Diagnostic Information

Generate a diagnostic information file, view the file, or save the file to the local host.

Management

System Time

System Time Display the system date and time. Monitor

Manually set the system time. Configure

Net Time

Set local and external clock sources and system time zone. Monitor

Set the network time. Configure

Syslog

Loglist Display and refresh system logs. Monitor

Clear system logs. Configure

Loghost Display and configure the loghost. Configure

Log Setup Display and configure the buffer capacity, and refresh interval for displaying system logs.

Configure

Configuration

Backup Back up the configuration file for the next startup to the host of the current user.

Management

Restore Upload the configuration file from the host of the current user to the device and use it for the next startup.

Management

Save Save the current configuration to the configuration file for the next startup. Configure

Initialize Restore the system to factory defaults. Configure

File management

Manage files on the device, including displaying file list, downloading a file, uploading a file, removing a file, and setting the main boot file.

Management

Interface

Display interface information and statistics. Monitor

Create, modify, and delete an interface, and clear interface statistics. Configure

Port Mirroring

Summary Display the configuration information of a port mirroring group. Monitor

Add Create a port mirroring group. Configure

Remove Remove a port mirroring group. Configure

Modify Port Configure ports for a mirroring group. Configure

Users

Summary Display brief information of FTP and Telnet users. Monitor

Super Password

Configure the password for a lower-level user to switch from the current access level to the management level.

Management

Create Create an FTP or Telnet user. Management


Modify Modify FTP or Telnet user information. Management

Remove Remove an FTP or a Telnet user. Management

Switch To Management

Switch the current user level to the management level.

Monitor

SNMP

Setup

Display and refresh SNMP configuration and statistics information.

Monitor

Configure SNMP. Configure

Community

Display SNMP community information. Monitor

Create, modify, and delete an SNMP community. Configure

Group

Display SNMP group information. Monitor

Create, modify, and delete an SNMP group.

Configure

User

Display SNMP user information. Monitor

Create, modify, and delete an SNMP user. Configure

Trap

Display the status of the SNMP trap function and information about target hosts.

Monitor

Enable or disable the SNMP trap function, or create, modify, and delete a target host.

Configure

View

Display SNMP view information. Monitor

Create, modify, and delete an SNMP view.

Configure

Loopback Perform the loopback test on Ethernet interfaces. Configure

Network

MAC

MAC Display MAC address information. Monitor

Create or remove MAC addresses. Configure

Setup Display and configure MAC address aging time.

Configure

VLAN

VLAN

Display all VLANs on the device and information about their member ports.

Monitor

Create, modify, and delete VLANs. Configure

Port

Display VLANs to which a port on the device belongs. Monitor

Modify the VLANs to which a port belongs. Configure

ARP Management ARP Table

Display ARP table information. Monitor

Add, modify, or delete an ARP entry. Configure


Gratuitous ARP

Display configuration information of gratuitous ARP. Monitor

Configure gratuitous ARP. Configure

ARP Anti-Attack

ARP Detection

Display the configuration information of ARP detection. Monitor

Configure ARP detection. Configure

Advanced Configuration

Display the configuration information of source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check.

Monitor

Configure source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check.

Configure

IGMP Snooping

Basic

Display global IGMP Snooping configuration information and the IGMP Snooping configuration information in a VLAN, and view the IGMP Snooping multicast entry information.

Monitor

Configure IGMP Snooping globally and in a VLAN. Configure

Advance

Display the IGMP Snooping configuration information on a port. Monitor

Configure IGMP Snooping on a port. Configure

IPv4 Routing

Summary Display the IPv4 active route table. Monitor

Create Create an IPv4 static route. Configure

Remove Delete the selected IPv4 static routes. Configure

IPv6 Routing

Summary Display the IPv6 active route table. Monitor

Create Create an IPv6 static route. Configure

Remove Delete the selected IPv6 static routes. Configure

DHCP DHCP Server

Display the DHCP service status, the DHCP address pool information, the DHCP server status on an interface, and addresses in use.

Monitor

Set the DHCP service status, add, modify, or delete a DHCP address pool, and modify the DHCP server status on an interface.

Configure


DHCP Relay

Display the status of a DHCP service and advanced configuration information of DHCP relay, display information of a DHCP group, and status of the DHCP relay agent on an interface, and view the DHCP relay user information.

Monitor

Configure the status of a DHCP service and advanced configuration information of DHCP relay, add or delete a DHCP group, and modify the status of the DHCP relay agent on an interface.

Configure

DHCP Snooping

Display the status of the DHCP Snooping function, and the trusted and untrusted attributes of a port, and view the DHCP Snooping user information.

Monitor

Configure the status of the DHCP Snooping function, and modify the trusted and untrusted attributes of a port.

Configure

DNS

Static Display, create, modify, or delete a static host name-to-IP address mapping.

Configure

Dynamic

Display and configure related parameters for dynamic domain name resolution. Display, create, or delete an IP address and the domain name suffix.

Configure

Service

Display the states of the services: enabled or disabled. Configure

Specify whether to enable various services, and set related parameters. Management

Diagnostic Tools

IPv4 Ping Ping an IPv4 address or host and display the result. Visitor

IPv6 Ping Ping an IPv6 address or host and display the result. Visitor

Trace Route Perform trace route operations and display the result. Visitor

AP

AP Setup

Display AP-related information, including AP name, AP IP address, serial ID, model and status.

Monitor

Add an AP and modify the AP configuration. Configure

Auto AP

Display auto AP information after auto AP is enabled, including AP name, model, serial ID and IP address.

Monitor

Enable auto AP. Configure


AP Group Display AP group information. Monitor

Create and configure an AP group. Configure

WLAN Service

Access Service

Display an access service, including security type, detailed information, service status and binding status.

Monitor

Create and configure an access service, map an access service to an AP radio, and add a MAC authentication list.

Configure

Mesh Service

Mesh Service

Display a mesh service, including its detailed information, status, and binding information.

Monitor

Create and configure a mesh service, including security settings.

Configure

Mesh Policy Display mesh policies. Monitor

Create and configure a mesh policy. Configure

Global Setup

Display mesh global setting, including basic setting, mesh DFS, and mesh portal service.

Monitor

Configure mesh global setting, including basic setting, mesh DFS, and mesh portal service.

Configure

Mesh Channel Optimize

Display radio information and channel switch information in a mesh network. Monitor

Configure mesh channel optimization. Configure

Mesh Link Info

Display mesh link status information. Monitor

Monitor mesh link status and refresh mesh link status information. Configure

Mesh Link Test

Display mesh link test results. Monitor

Test mesh links and refresh mesh link test results. Configure

Roam

Roam Group

Display a roaming group and its members. Monitor

Configure a roaming group and add a group member. Configure

Roam Client Display client information, including MAC address, BSSID, VLAN ID, home AC and roaming direction.

Monitor

Radio Radio

Display radio status, including radio mode and radio status. Monitor

Configure radio parameters, including 802.11n settings. Configure

Rate Display rate settings. Monitor


Configure 802.11n rates, including MCS index. Configure

Channel Scan

Display channel scanning, including scanning mode, scanning type and scanning interval.

Monitor

Configure channel scanning, including scanning mode and scanning type.

Configure

Calibration

Operation

Display or refresh AP status, including channel status, neighbor information, and history information.

Monitor

Manual calibration Configure

Parameters

Display basic setup, channel setup and power setup. Monitor

Configure channel calibration parameters. Configure

Radio Group Display radio group configuration. Monitor

Configure a radio group. Configure

Antenna Switch Configure the antenna of an AP. Configure

Authentication

802.1X

Display the global 802.1X information and 802.1X information of a port. Monitor

Display the global 802.1X features and 802.1x features of a port.

Configure

Portal

Portal Server

Display configuration information about the portal server and advanced parameters for portal authentication.

Monitor

Add and delete a portal server, and modify advanced parameters for portal authentication.

Configure

Free Rule

Display the portal-free rule configuration information. Monitor

Add and delete a portal-free rule. Configure

AAA

Domain Setup

Display ISP domain configuration information. Monitor

Add and remove ISP domains. Management

Authentication

Display the authentication method configuration information of an ISP domain.

Monitor

Specify authentication methods for an ISP domain. Management

Authorization Display the authorization method configuration information of an ISP domain.

Monitor

Page 46: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

30

Function menu Description User level

Specify authorization methods for an ISP domain. Management

Accounting

Display the accounting method configuration information of an ISP domain.

Monitor

Specify accounting methods for an ISP domain.

Management

RADIUS Display and add, modify, and delete a RADIUS scheme. Management

Local EAP Server

Display the configuration information of the local EAP service. Monitor

Configure the local EAP service. Configure

Users

Local User

Display local users' configuration information. Monitor

Add, modify, and remove local users. Management

User Group

Display user groups' configuration information. Monitor

Add, modify, and remove user groups. Management

Guest

Display guest users' configuration information.

Monitor

Add, modify, and remove guest users. Management

User Profile

Display user profile configuration information. Monitor

Add, modify, remove, enable, and disable user profiles. Configure

Certificate Management

Entity Display information about PKI entities. Monitor

Add, modify, and delete a PKI entity. Configure

Domain

Display information about PKI domains.

Monitor

Add, modify, and delete a PKI domain. Configure

Certificate

Display the certificate information of PKI domains and view the contents of a certificate.

Monitor

Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate.

Configure

CRL Display the contents of the CRL. Monitor

Receive the CRL of a domain. Configure

Page 47: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

31

Function menu Description User level

Security

Rogue detection

AP Monitor Display AP operating mode. Monitor

Configure AP operating mode. Configure

Rule List

Display list types for the rogue device detection and the detection rules.

Monitor

Configure list types for rogue device detection and the rules.

Configure

Monitor Record

Display monitor record of rogue device detection.

Monitor

Clear monitor record of rogue device detection, and add rogue devices to blacklist.

Configure

History Record

Display rogue device detection history. Monitor

Clear history of rogue device detection and add rogue devices to blacklist. Configure

WIDS

WIDS Setup

Display IDS configuration. Monitor

Configure IDS detection, including flood attack detection, spoofing attack detection, and weak IV detection.

Configure

History Record

Display IDS attack detection history. Monitor

Clear history record of IDS attack detection and add the detected devices that initiate attacks to blacklist.

Configure

Statistics

Display statistics of IDS attack detection. Monitor

Clear the statistics. Configure

Filter

Blacklist

Display dynamic and static blacklists. Monitor

Clear dynamic blacklist and static blacklist; enable dynamic blacklist; add entries to the static blacklist.

Configure

White List

Display white list. Monitor

Clear white list and add entries to the white list. Configure

Authorized IP Summary

Display the configurations of the authorized IP, the associated IPv4 ACL rule list, and the associated IPv6 ACL rule list.

Management

Setup Configure the authorized IP. Configure

User Isolation Display, add, modify, and remove user isolation configuration.

Management

Page 48: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

32

Function menu Description User level

QoS

Time Range

Summary Display time range configuration information. Monitor

Add Create a time range. Configure

Remove Delete a time range. Configure

ACL IPv4

Summary Display IPv4 ACL configuration information.

Monitor

Add Create an IPv4 ACL. Configure

Basic Setup Configure a rule for a basic IPv4 ACL. Configure

Advanced Setup Configure a rule for an advanced IPv4 ACL. Configure

Link Setup Create a rule for an Ethernet frame header ACL.

Configure

Remove Delete an IPv4 ACL or its rules. Configure

ACL IPv6

Summary Display IPv6 ACL configuration information. Monitor

Add Create an IPv6 ACL. Configure

Basic Setup Configure a rule for a basic IPv6 ACL. Configure

Advanced Setup Configure a rule for an advanced IPv6 ACL.

Configure

Remove Delete an IPv6 ACL or its rules. Configure

Wireless QoS

Wireless QoS

Display wireless QoS, including SVP mapping, CAC admission policy, radio EDCA and client EDCA.

Monitor

Configure wireless QoS, including SVP mapping, CAC admission policy, radio EDCA and client EDCA.

Configure

Radio Statistics

Display radio statistics, including WMM status and detailed radio information.

Monitor

Display radio statistics, including WMM status and detailed radio information, and clear the radio statistics.

Configure

Client Statistics

Display client statistics, including WMM status and detailed client information.

Monitor

Display client statistics, including WMM status and detailed client information, and clear the client statistics.

Configure

Client Rate Limit Display the configured client rate limit information.

Monitor

Page 49: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

33

Function menu Description User level

Configure and modify client rate limiting mode, direction and rate. Configure

Bandwidth Guarantee

Display bandwidth settings for different radio types. Monitor

Configure bandwidth guarantee settings. Configure

Line Rate Summary

Display line rate configuration information. Monitor

Setup Configure the line rate. Configure

Port Priority

Display the priority and trust mode of a port.

Monitor

Modify the priority and trust mode of a port.

Configure

Trust Mode

Display priority trust mode configuration information.

Management

Configure the priority trust mode. Management

Classifier

Summary Display classifier configuration information. Monitor

Add Create a class. Configure

Setup Configure the classification rules for a class. Configure

Remove Delete a class or its classification rules. Configure

Behavior

Summary Display traffic behavior configuration information.

Monitor

Add Create a traffic behavior. Configure

Setup Configure actions for a traffic behavior. Configure

Remove Delete a traffic behavior. Configure

QoS Policy

Summary Display QoS policy configuration information.

Monitor

Add Create a QoS policy. Configure

Setup Configure the classifier-behavior associations for a QoS policy. Configure

Remove Delete a QoS policy or its classifier-behavior associations. Configure

Port Policy

Summary Display the QoS policy applied to a port. Monitor

Setup Apply a QoS policy to a port. Configure

Remove Remove the QoS policy from the port. Configure

Service Policy Display the QoS policy applied to a WLAN-ESS port.

Monitor

Page 50: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

34

Function menu Description User level

Configure the QoS policy applied to a WLAN-ESS port. Configure

Advanced

Country/Region Code Display the country/region code. Monitor

Modify the country/region code. Configure

AC Backup

Setup

Display the address of the backup AC. Monitor

Configure the address of the backup AC. Configure

Status Display the status of the AC. Monitor

Continuous Transmit

Display the continuous transmitting mode of an AP.

Monitor

Switch the continuous transmitting mode of an AP. Configure

Channel Busy Test

Display channel busy rate test results. Monitor

Test busy rate of channels, and output test results.

Configure

Load Balancing

Load Balance

Display the load balancing mode and the current connection status.

Monitor

Configure the load balancing mode and refresh the current connection status.

Configure

Load Balance Group

Display load balancing group configuration.

Monitor

Configure a load balancing group. Configure

AP

AP Module

Display the AP version, including the AP model and software version. Monitor

Upgrade the software. Configure

Switch to fat AP

Display the model and IP address of the AP. Monitor

Switch to fat AP. Configure

Wireless Location

Display wireless location settings. Monitor

Configure, enable, and disable wireless location. Configure

Wireless Sniffer

Display wireless sniffer configuration. Monitor

Configure, enable, and disable wireless sniffer parameters. Configure

Page 51: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

35

Function menu Description User level

High Reliability

Stateful Failover Display stateful failover information. Monitor

Modify stateful failover configuration. Configure

Common Web interface elements

Common buttons and icons

Table 14 Common buttons and icons

Button and icon Description

Bring the configuration on the current page into effect.

Cancel the configuration on the current page, and go to the corresponding display page or device information page.

Refresh the information on the current page.

Clear all statistics or items in a list.

Enter the page for adding an entry.

Delete entries on a list.

Select all the entries on a list or all ports on a device panel.

Clear all the entries on a list or all ports on a device panel.

Restore the values of all the entries on the current page to the default.

Typically located on a configuration procedure page of the configuration wizard, it allows you to save the configuration of the current configuration procedure (without bringing it into effect) and go to the page of the next configuration procedure.

Typically located on a configuration procedure page of the configuration wizard, it allows you to save the configuration of the current configuration procedure (without bringing it into effect) and return to the page of the previous configuration procedure.

Typically located on a configuration procedure page of the configuration wizard, it allows you to bring all configurations into effect.

Typically located in the Operation column of a display page, it allows you to enter the modify page of the corresponding entry to display or modify the configuration of the entry.

Typically located in the Operation column of a display page, it allows you to remove an entry.

Content display by pages

The Web interface can display contents by pages, as shown in Figure 18. You can set the number of entries displayed per page, and view the contents on the first, previous, next, and last pages, or go to any page that you want to check.

Figure 18 Content display by pages

Searching function

The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria.

• Basic search—As shown in Figure 18, input the keyword in the text box above the list, select a search item from the list and click Search to display the entries that match the criteria. Figure 19 shows an example of searching for entries with 00e0 included in the MAC address.

Figure 19 Basic search function example


• Advanced search—As shown in Figure 18, click the Advanced Search link to open the advanced search page, as shown in Figure 20. Specify the search criteria, and click Apply to display the entries that match the criteria.

Figure 20 Advanced search

Take the ARP table shown in Figure 18 as an example. If you want to search for the ARP entries whose MAC address begins with 000f and whose IP address is in the range 192.168.1.50 to 192.168.1.59, follow these steps:

1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 21, and click Apply. The ARP entries with 000f at the beginning of the MAC address are displayed.

Figure 21 Advanced search function example (I)

2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 22, and click Apply. The ARP entries with 000f at the beginning of the MAC address and IP address range 192.168.1.50 to 192.168.1.59 are displayed as shown in Figure 23.


Figure 22 Advanced search function example (II)

Figure 23 Advanced search function example (III)

Sorting function

The Web interface provides you with the basic functions to display entries in certain orders.

On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected. After you click, the heading item is displayed with an arrow beside it, as shown in Figure 24. The upward arrow indicates ascending order, and the downward arrow indicates descending order.


Figure 24 Basic sorting function example (based on IP address in the descending order)

Configuration guidelines

• The Web-based configuration interface supports the operating systems of Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Vista, Linux, and Mac OS.

• The Web-based configuration interface supports the browsers of Microsoft Internet Explorer 6.0 SP2 and higher, Mozilla Firefox 3.0 and higher, Google Chrome 2.0.174.0 and higher.

• The Web-based configuration interface does not support the Back, Next, and Refresh buttons. Using these buttons may result in abnormal display of Web pages.

• The Windows firewall limits the number of TCP connections, so when you use IE to log in to the Web interface, sometimes you may be unable to open the Web interface. To avoid this problem, turn off the Windows firewall before login.

• If the software version of the device changes, clear the cache data on the browser before logging in to the device through the Web interface; otherwise, the Web page content may not be displayed correctly.

• You can display at most 20,000 entries that support content display by pages.


Troubleshooting Web browser

Failure to access the device through the Web interface

Symptom

You can ping the device successfully, and log in to the device through telnet. HTTP is enabled and the operating system and browser version meet the Web interface requirements. However, you cannot access the Web interface of the device.

Analysis

• If you use Microsoft Internet Explorer, you can access the Web interface only when these functions are enabled: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.

• If you use Mozilla Firefox, you can access the Web interface only when JavaScript is enabled.

Configuring the Internet Explorer settings

1. Open the Internet Explorer, and then select Tools > Internet Options.

2. Click the Security tab, and then select a Web content zone to specify its security settings.

Figure 25 Internet Explorer setting (I)

3. Click Custom Level, and a dialog box Security Settings appears.


4. As shown in Figure 26, enable these functions: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.

Figure 26 Internet Explorer setting (II)

5. Click OK in the Security Settings dialog box.

Configuring Firefox Web browser settings

1. Open the Firefox Web browser, and then select Tools > Options.

2. Click the Content tab, select Enable JavaScript, and click OK.


Figure 27 Firefox Web browser setting


Summary

Device information

You can view the following information on the Device Info menu:

• Device information

• System resource state

• Device interface information

• Recent system logs (at most five)

After logging in to the Web interface, you enter the Summary > Device Info page.

Figure 28 Device info page

Select the refresh mode from the Refresh Period list.

• If you select a specific refresh period (for example, 1 minute), the system periodically refreshes the Device Info page according to the selected refresh period.

• If you select Manual, you need to click Refresh to refresh the page.


Device info

Table 15 Field description

Field Description

Device Name Display the device model.

Product Information Display the product information.

Device Location Display the location of the device.

To configure the device location information, select Device > SNMP > Setup; for more information, see "SNMP configuration."

Contact Information Display the contact information for device maintenance.

To configure the contact information, select Device > SNMP > Setup; for more information, see "SNMP configuration."

SerialNum Display the serial number of the device.

Software Version Display the software version of the device.

Hardware Version Display the hardware version of the device.

Bootrom Version Display the Boot ROM version of the device.

Running Time Display the running time after the latest boot of the device.

System resource state

Table 16 Field description

Field Description

CPU Usage Display the real-time CPU usage.

Memory Usage Display the real-time memory usage and the total memory size.

Temperature Display the temperature of the device.

Device interface information

Table 17 Field description

Field Description

Interface Display interface name and interface number.

IP Address/Mask Display the IP address and mask of an interface.

Status Display the interface status icon:
• The interface is up and is connected.
• The interface is up, but not connected.
• The interface is down.


NOTE:

For more information about device interfaces, click the More hyperlink under the Device Interface Information area to enter the Device > Interface page to view and operate the interfaces. For more information, see "Interface management."

Recent system logs

Table 18 Field description

Field Description

Time Display the time when the system logs are generated.

Level Display the level of the system logs.

Description Display the contents of the system logs.

NOTE:

For more information about system logs, click the More hyperlink under the Recent System Operation Logs area to enter the Device > Syslog > Loglist page to view the logs. For more information, see "Log management."

Displaying WLAN service

1. Select Summary > Wireless Service from the navigation tree.

2. Click the specified WLAN service to view the detailed information, statistics, or connection history.

Displaying detailed information of WLAN service

The detailed information of a WLAN service (clear type) is shown in Figure 29. For the description of the fields, see Table 19.


Figure 29 Display detailed information of WLAN service (clear type)

Table 19 Field description

Field Description

Service Template Number Service template number.

SSID Service set identifier (SSID) for the ESS.

Binding Interface Name of the interface bound with the service template.

Service Template Type Service template type.

Authentication Method Type of authentication used.

WLAN service of the clear type only uses open system authentication.

SSID-hide
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.

Bridge Mode Forwarding mode:
• Local forwarding—Uses local forwarding in the service template.
• Remote forwarding—Uses AC remote forwarding in the service template.

Service Template Status Status of the service template:
• Enable—Enables WLAN service.
• Disable—Disables WLAN service.

Maximum clients per BSS Maximum number of associated clients per BSS.

The detailed information of WLAN service (crypto type) is as shown in Figure 30. For the description of the fields in the detailed information, see Table 20.


Figure 30 Display detailed information of WLAN service (crypto type)

Table 20 Field description

Field Description

Service Template Number Service template number.

SSID SSID for the ESS.

Binding Interface Name of the interface bound with the service template.

Service Template Type Service template type.

Security IE Security IE: WPA or WPA2 (RSN)

Authentication Method Authentication method: open system or shared key.

SSID-hide
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.

Cipher Suite Cipher suite: AES-CCMP, TKIP, WEP40, WEP104, or WEP128.

TKIP Countermeasure Time(s) TKIP countermeasure time in seconds.

PTK Life Time(s) PTK lifetime in seconds.

GTK Rekey GTK rekey configured.

GTK Rekey Method GTK rekey method configured: packet based or time based.

GTK Rekey Time(s) Time for GTK rekey in seconds.
• If Time is selected, the GTK will be refreshed after a specified period of time.
• If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.

Bridge Mode Forwarding mode:
• Local forwarding—Uses local forwarding in the service template.
• Remote forwarding—Uses AC remote forwarding in the service template.


Service Template Status Status of the service template:
• Enable—Enables WLAN service.
• Disable—Disables WLAN service.

Maximum clients per BSS Maximum number of associated clients per BSS.

Displaying statistics of WLAN service

The statistics of a WLAN service are shown in Figure 31.

Figure 31 Displaying WLAN service statistics

Displaying connection history information of WLAN service

The connection history information of a WLAN service is shown in Figure 32.


Figure 32 Displaying the connection history information of WLAN service

Displaying AP

Select Summary > AP from the navigation tree to enter the AP page, as shown in Figure 33. You can display the WLAN service information, connection history, radio information, and detailed information of an AP by clicking the tabs on the page.

Displaying WLAN service information of an AP

The WLAN service information of an AP is shown in Figure 33.

Figure 33 Displaying WLAN service information

Displaying AP connection history information

The connection history information of an AP is shown in Figure 34.


Figure 34 Displaying AP connection history information

Displaying AP radio information

Select Summary > AP from the navigation tree to enter the AP page, click the Radio tab on the page, and click the name of the specified AP to view the radio statistics of that AP.

The radio statistics of an AP are as shown in Figure 35. For the description of the fields in the AP radio statistics, see Table 21.


Figure 35 Displaying AP radio information

NOTE:

• The Noise Floor item in the table indicates the random electromagnetic waves present during wireless communication. In an environment with a high noise floor, you can improve the signal-to-noise ratio (SNR) by increasing the transmit power or reducing the noise floor.

• The Service Type item in the table has two options: Access and Mesh.

• Res Using Ratio represents the resource utilization of a radio within a certain period. For example, in a period of 10 seconds, if a radio has occupied the channel for five seconds, the resource utilization of the radio is 5 seconds divided by 10 seconds: 50%.

Table 21 Field description

Field Description

AP name Access point name.

Radio Id Radio ID.

Transmitted Frames Statistics Statistics of transmitted frames.

Total Frames

Total number of frames (probe response frames and beacon frames) transmitted.

Total Frames = Unicast Frames + Broadcast/Multicast Frames + Others.

Unicast Frames Number of unicast frames (excluding probe response frames) transmitted.


Broadcast/Multicast Frames Number of broadcast or multicast frames (excluding beacon frames) transmitted.

Others Total number of other types of frames transmitted.

Discard Frames Number of frames discarded.

Retry Count Number of transmission retries.

Multiple Retry Count Number of frames that have been retransmitted.

Authentication Frames Number of authentication responses transmitted.

Failed RTS Number of RTS frames that failed during transmission.

Successful RTS Number of RTS transmitted successfully.

Failed ACK Number of transmitted frames for which no acknowledgement is received.

Association Frames Number of association responses transmitted.

Received Frames Statistics Statistics of received frames.

Total Frames Number of frames received.

Unicast Frames Number of unicast frames received.

Broadcast/Multicast Frames Number of broadcast or multicast frames received.

Fragmented Frames Number of fragmented frames received.

FCS Failures Number of frames dropped due to FCS failure.

Authentication Frames Number of authentication requests received.

Duplicate Frames Number of duplicate frames received.

Decryption Errors Number of frames dropped due to decryption error.

Association Frames Number of association requests received.
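As an added example (not code from the H3C guide or the WX controller), the Python below turns the Table 21 counters into per-radio health indicators a monitoring job can trend: it checks the Total Frames identity, derives retry, RTS, FCS, duplicate and decryption error rates, and computes the Res Using Ratio from the note above. The dataclass field names, the sample counters and the alert thresholds are constructed assumptions.

```python
"""Health indicators derived from the AP radio statistics fields of Table 21.

Added example, not code from the H3C guide. Field names mirror Table 21; the
sample counters and alert thresholds are constructed assumptions, not values
captured from a device.
"""
from dataclasses import dataclass


@dataclass
class TxStats:
    """Transmitted Frames Statistics (Table 21)."""
    total: int
    unicast: int
    bcast_mcast: int
    others: int
    retry: int
    failed_rts: int
    successful_rts: int
    failed_ack: int


@dataclass
class RxStats:
    """Received Frames Statistics (Table 21)."""
    total: int
    fcs_failures: int
    duplicate: int
    decryption_errors: int


def ratio(numerator: float, denominator: float) -> float:
    """Fraction in 0.0..1.0; a zero denominator (idle radio) yields 0.0."""
    return 0.0 if denominator == 0 else numerator / denominator


def tx_total_consistent(tx: TxStats) -> bool:
    """Check the identity stated in Table 21:
    Total Frames = Unicast Frames + Broadcast/Multicast Frames + Others."""
    return tx.total == tx.unicast + tx.bcast_mcast + tx.others


def resource_using_ratio(busy_seconds: float, period_seconds: float) -> float:
    """Res Using Ratio from the note: channel-busy time over the period
    (5 s busy in a 10 s period gives 0.5, i.e. 50%)."""
    return ratio(busy_seconds, period_seconds)


def radio_indicators(tx: TxStats, rx: RxStats) -> dict:
    """Per-radio rates worth trending; all are fractions of the frame counts."""
    return {
        "retry_rate": ratio(tx.retry, tx.total),
        "failed_ack_rate": ratio(tx.failed_ack, tx.total),
        "rts_failure_rate": ratio(tx.failed_rts, tx.failed_rts + tx.successful_rts),
        "fcs_failure_rate": ratio(rx.fcs_failures, rx.total),
        "duplicate_rate": ratio(rx.duplicate, rx.total),
        "decryption_error_rate": ratio(rx.decryption_errors, rx.total),
    }


# Assumed thresholds (fractions), to be tuned per site. Rising decryption
# errors usually point at a key or cipher-suite mismatch; FCS failures and
# retries at interference or a weak link.
THRESHOLDS = {
    "retry_rate": 0.20,
    "failed_ack_rate": 0.10,
    "rts_failure_rate": 0.20,
    "fcs_failure_rate": 0.05,
    "duplicate_rate": 0.05,
    "decryption_error_rate": 0.01,
}


def findings(tx: TxStats, rx: RxStats) -> list:
    """Names of the indicators above threshold, plus a counter-consistency flag."""
    notes = []
    if not tx_total_consistent(tx):
        notes.append("tx_total_mismatch")
    for name, value in radio_indicators(tx, rx).items():
        if value > THRESHOLDS[name]:
            notes.append(name)
    return notes


# Constructed sample counters for one radio (not captured from a device).
SAMPLE_TX = TxStats(total=1000, unicast=700, bcast_mcast=250, others=50,
                    retry=120, failed_rts=5, successful_rts=95, failed_ack=30)
SAMPLE_RX = RxStats(total=2000, fcs_failures=40, duplicate=20, decryption_errors=30)

if __name__ == "__main__":
    print(findings(SAMPLE_TX, SAMPLE_RX))  # ['decryption_error_rate']
```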

Displaying AP detailed information

Select Summary > AP from the navigation tree to enter the AP page, click the Detail tab on the page, and click the name of the specified AP to view the detailed information of that AP.

The detailed information of an AP is as shown in Figure 36. For the description of the fields in the AP detailed information, see Table 22.


Figure 36 Displaying AP detailed information

Table 22 Field description

Field Description

APID Access point identifier.

AP System Name Access point name.

Map Configuration Configuration file mapped to the AP.

State Current state of the AP:
• ImageDownload—The AP is downloading the version. If the ImageDownload state persists, check the following: 1) The version of the fit AP saved on the AC matches the version that the AC requires; 2) The flash space is sufficient.
• Idle—The AP is idle. If the Idle state persists, check the following: 1) If the Latest IP Address and Tunnel Down Reason fields are displayed as -NA-, the AP has never connected to the AC successfully. Check the network cable, the power supply of the fit AP, and the AP serial number if the serial number was manually input. 2) If the Latest IP Address and Tunnel Down Reason fields show other contents, the AP has connected to the AC successfully. See the Tunnel Down Reason field for the detailed reason.
• Run—The AP is operating, which indicates that the AP has connected to the AC successfully.
• Config—The AC is delivering the configuration file to the fit AP, and the fit AP is collecting radio information through the radio interface and reporting it to the AC. This state is instantaneous.

Up Time(hh:mm:ss) Time duration for which the AP has been connected to the AC. NA indicates AP is not connected to the AC.

Model AP model name.


Serial-ID Serial ID of the AP.

IP Address IP address of the AP.

H/W Version Hardware version of the AP.

S/W Version Software version of the AP.

Boot-Rom version Boot ROM version of the AP.

Description Description of the AP.

Connection Type AP connection type: "Master" or "Backup"

Peer AC MAC Address Peer AC MAC address in case of AC backup.

Priority Level AP connection priority.

Echo Interval(s) Interval for sending echo requests, in seconds.

Statistics report Interval(s) Interval for sending statistics information messages, in seconds.

Cir (Kbps) Committed information rate in kbps.

Cbs (Bytes) Committed burst size in bytes.

Jumboframe Threshold Threshold value of jumbo frames.

Transmitted control packets Number of transmitted control packets.

Received control packets Number of received control packets.

Transmitted data packets Number of transmitted data packets.

Received data packets Number of received data packets.

Configuration Failure Count Count of configuration request message failures.

Last Failure Reason Last configuration request failure reason.

Last Reboot Reason Last reboot reason of the AP:
• Normal—The AP was powered off.
• Crash—The AP crashed, and the information is needed for analysis.
• Tunnel Initiated—The reset wlan ap command was executed on the AC (in this case, the Tunnel Down Reason is displayed as Reset AP).
• Tunnel Link Failure—The fit AP rebooted abnormally because an error occurred when the AP was establishing a connection with the AC.

Latest IP Address Latest IP address of the AP.

Tunnel Down Reason The tunnel between the AC and the AP is down when one of the following occurs:
• Neighbor Dead Timer Expire—The AC does not receive an Echo request from the AP within three times the handshake interval.
• Response Timer Expire—The AC sends a control packet to the AP but does not receive any response within the specified waiting time.
• Reset AP—The AP is rebooted by the execution of a command on the AC.
• AP Config Change—The corresponding configurations are modified on the AC.
• No Reason—Other reasons.


Connection Count Connection count between the AP and AC. This field is reset in one of the following situations:
• AC is rebooted.
• You re-configure an AP template after deleting the old one.

If you click Reboot on this page to reboot the AP, the connection count will not be reset.

AP Mode Mode supported by the AP. Currently only the split MAC mode is supported.

AP operation mode Operation mode of the AP. Currently Normal and Monitor modes are supported.

Portal Service Whether the portal service is enabled or not.

Device Detection Whether device detection is enabled or not.

Maximum Number of Radios Maximum number of radios supported by the AP.

Current Number of Radios Number of radios in use on the AP.

Client Keep-alive Interval Interval to detect clients segregated from the system due to various reasons such as power failure or crash, and disconnect them from the AP.

Client Idle Interval(s) If the client is idle for more than the specified interval, that is, if the AP does not receive any data from the client within the specified interval, the client will be removed from the network.

Broadcast-probe Reply Status Whether the AP is enabled to respond to broadcast probe requests or not.

Basic BSSID MAC address of the AP.

Current BSS Count Number of BSSs connected with the AP.

Running Clients Count Number of clients currently running.

Wireless Mode Wireless mode: 802.11a, 802.11b, or 802.11g.

Client Dot11n-only
• Enabled—Only 802.11n clients can be associated with the AP.
• Disabled—802.11a/b/g/n clients can be associated with the AP.

Channel Band-width Channel bandwidth, 20 MHz or 40 MHz.

Secondary channel offset Secondary channel information for 802.11n radio mode:
• SCA (Second Channel Above)—The AP operates in 40 MHz bandwidth mode, and the secondary channel is above the primary channel.
• SCB (Second Channel Below)—The AP operates in 40 MHz bandwidth mode, and the secondary channel is below the primary channel.
• SCN—The AP operates in 20 MHz bandwidth mode.


HT protection mode 802.11n protection modes:
• No protection mode(0)—The clients associated with the AP, and the wireless devices within the coverage of the AP, operate in 802.11n mode, and all the clients associated with the AP operate in either 40 MHz or 20 MHz mode.
• Non-member mode(1)—The clients associated with the AP operate in 802.11n mode, but non-802.11n wireless devices exist within the coverage of the AP.
• 20 MHz mode(2)—The radio mode of the AP is 40 MHz. The clients associated with the AP and the wireless devices within the coverage of the AP operate in 802.11n mode, and at least one 802.11n client operating in 20 MHz mode is associated with the radio of the AP.
• Non-HT mix mode(3)—All situations except the above three.

Short GI for 20MHz Whether the AP supports short GI when it operates in 20 MHz mode.

Short GI for 40MHz Whether the AP supports short GI when it operates in 40 MHz mode.

Mandatory MCS Set Mandatory MCS for the AP.

Supported MCS Set Supported MCS for the AP.

A-MSDU Status of the A-MSDU function: enable or disable.

A-MPDU Status of the A-MPDU function: enable or disable.

Configured Channel Operating channel:
• If the channel is manually configured, the configured channel number is displayed.
• If the channel is automatically selected, auto(channel) is displayed, where channel is the optimal channel automatically selected by the AC.

If the AP operates in 802.11n radio mode and 40 MHz bandwidth mode, this field displays the primary channel.

Configured Power(dBm) Transmission power on the radio.
• If one-time TPC (transmit power control) is adopted, the configured transmit power is displayed.
• If auto TPC is adopted, two values are displayed, with the first being the maximum power, and the second auto (number), where number in the brackets represents the actual power.

Interference (%) Interference observed on the operating channel, in percentage.

Channel Load (%) Load observed on the operating channel, in percentage.

Utilization (%) Utilization rate of the operating channel, in percentage.

Co-channel Neighbor Count Number of neighbors found on the operating channel.

Channel Health Status of the channel.

Preamble Type Type of preamble that the AP can support: short or long.

Radio Policy Radio policy used.

Service Template Service template number.

SSID SSID for the ESS.

Port WLAN-DBSS interface associated with the service template.

Mesh Policy Mesh policy adopted.


ANI Support ANI (Adaptive Noise Immunity) status: enabled or disabled.

11g Protection 11g protection status: enable or disable.

Admin State Administrative state of the radio.

Physical State Physical state of the radio.

Operational Rates (Mbps) Operational rates in Mbps.

Radar detected Channels Channels on which radar signals are detected.

Displaying clients

Select Summary > Client from the navigation tree to enter the page as shown in Figure 37. For the description of the fields in the client information, see Table 23.

Figure 37 Displaying clients

Table 23 Field description

Field Description

Refresh Refresh the current page.

Add to Blacklist Add the selected client to the static blacklist, which you can display by selecting Security > Filter from the navigation tree.

Reset Statistic Clear statistics of the specified client.

Disconnect Log off the selected client.

Displaying client detailed information

Select Summary > Client from the navigation tree to enter the Client page, click the Detail Information tab on the page, and click the name of the specified client to view the detailed information of the client.

The detailed information of a client is as shown in Figure 38. For the description of the fields in the client detailed information, see Table 24.


Figure 38 Displaying client detailed information

Table 24 Field description

Field Description

MAC address MAC address of the client.

AID Association ID of the client.

User Name Username of the client.
• The field is displayed as –NA– if the client adopts plain-text authentication or an authentication method that does not require a username.
• The field is irrelevant to the portal authentication method. If the client uses the portal authentication method, the field does not display the portal username of the client.

AP Name Name of the AP.

Radio Id Radio ID of the client.

SSID SSID of the AP.

BSSID BSSID of the AP.

Port WLAN-DBSS interface associated with the client.

VLAN VLAN to which the client belongs.

State State of the client.

Backup indicates a backup client.

Power Save Mode Client's power save mode: active or sleep.

Wireless Mode Wireless mode such as 802.11a, 802.11b, 802.11g, 802.11an, or 802.11gn.


Channel Band-width Channel bandwidth, 20 MHz or 40 MHz.

SM Power Save Enable SM Power Save enables a client to have one antenna in active state, and others in sleep state to save power.
• Enabled: SM Power Save is supported.
• Disabled: SM Power Save is not supported.

Short GI for 20MHz Whether the client supports short GI when its channel bandwidth is 20 MHz: Not Supported or Supported.

Short GI for 40MHz Whether the client supports short GI when its channel bandwidth is 40 MHz: Not Supported or Supported.

Support MCS Set MCS supported by the client.

BLOCK ACK-TID 0 BLOCK ACK is negotiated based on QoS priority ID 0:
• OUT—Outbound direction.
• IN—Inbound direction.
• BOTH—Both directions.

BLOCK ACK-TID 1 BLOCK ACK is negotiated based on QoS priority ID 1:
• OUT—Outbound direction.
• IN—Inbound direction.
• BOTH—Both directions.

BLOCK ACK-TID 2 BLOCK ACK is negotiated based on QoS priority ID 2:
• OUT—Outbound direction.
• IN—Inbound direction.
• BOTH—Both directions.

BLOCK ACK-TID 3 BLOCK ACK is negotiated based on QoS priority ID 3:
• OUT—Outbound direction.
• IN—Inbound direction.
• BOTH—Both directions.

QoS Mode Whether the AP supports the WMM function.

Listen Interval (Beacon Interval) Specifies how often the client wakes up to receive frames saved in the AP and is expressed in units of beacon interval.

RSSI Received signal strength indication. This value indicates the client signal strength detected by the AP.

Rx/Tx Rate

Represents the frame reception/transmission rate of the client, including data, management, and control frames. For the AC + fit AP mode, there is delay because Rx Rate is transmitted from AP to AC periodically depending on the statistics interval.

Client Type Client type such as RSN, WPA, or Pre-RSN.

Authentication Method Authentication method such as open system or shared key.

AKM Method AKM suite used, such as Dot1X or PSK.


4-Way Handshake State Displays one of the 4-way handshake states:
• IDLE—Displayed in initial state.
• PTKSTART—Displayed when the 4-way handshake is initialized.
• PTKNEGOTIATING—Displayed after valid message 3 was sent.
• PTKINITDONE—Displayed when the 4-way handshake is successful.

Group Key State Displays the group key state:
• IDLE—Displayed in initial state.
• REKEYNEGOTIATE—Displayed after the AC sends the initial message to the client.
• REKEYESTABLISHED—Displayed when re-keying is successful.

Encryption Cipher Encryption cipher status: clear or crypto.

Roam Status Displays the roaming status: Normal or Fast Roaming.

Roam Count Roaming count of the client, including intra-AC roaming and inter-AC roaming.
• For intra-AC roaming, this field is reset after the client is de-associated with the AP connected to the AC.
• For inter-AC roaming, this field is reset after the client leaves the mobility group to which the AC belongs.

Up Time Time for which the client has been associated with the AP.

Displaying client statistics

Select Summary > Client from the navigation tree to enter the Client page, click the Statistic Information tab on the page, and click the name of the specified client to view the statistics of the client.

The statistics of a client are as shown in Figure 39. For the description of the fields in the client statistic information, see Table 25.

Figure 39 Displaying client statistics


Table 25 Field description

Field Description

AP Name Name of the associated access point.

Radio Id Radio ID.

SSID SSID of the AP.

BSSID BSSID of the AP.

MAC Address MAC Address of the client.

RSSI Received signal strength indication. This value indicates the client signal strength detected by the AP.

Transmitted Frames Number of transmitted frames.

Back Ground(Frames/Bytes) Statistics of background traffic, in frames or in bytes.

Best Effort(Frames/Bytes) Statistics of best effort traffic, in frames or in bytes.

Video(Frames/Bytes) Statistics of video traffic, in frames or in bytes.

Voice(Frames/Bytes) Statistics of voice traffic, in frames or in bytes.

Received Frames Number of received frames.

Discarded Frames Number of discarded frames.

NOTE:

You can collect statistics of priority queues such as Back Ground, Best Effort, Video and Voice on a QoS client only. Traffic including SVP packets sent and received on a client where QoS is not enabled falls into the Best Effort priority queue. Therefore, the queues collected may be different from the queues actually sent. You can collect statistics of priority queues carried in Dot11E or WMM packets; otherwise, statistics collection of priority queues on the receive end may fail.

Displaying client roaming information

Select Summary > Client from the navigation tree to enter the Client page, click the Roam Information tab on the page, and click the name of the specified client to view the roaming information of the client.

Client roaming information is as shown in Figure 40. For the detailed description of the fields in the client roaming information, see Table 26.


Figure 40 Displaying client roaming information

Table 26 Field description

Field Description

BSSID BSSID of the AP associated with the client.

Online-time Online time of the client.

AC-IP-address The IP address of the AC connected with the client. When the configured roaming channel type is IPv6, the IPv6 address of the AC is displayed.

Displaying RF ping information

Radio Frequency Ping (RF Ping) is a ping function performed on wireless links. This function enables you to get the connection information between the AP and its associated clients, such as signal strength, packet re-transmission attempts, and round trip time (RTT).

Select Summary > Client from the navigation tree to enter the Client page, click the Link Test Information tab on the page, and click the name of the specified client to view the link test information of the client, as shown in Figure 41. For the description of the fields in the client link test information, see Table 27.


Figure 41 View link test information

Table 27 Field description

Field Description

No./MCS
• Rate number for a non-802.11n client.
• MCS value for an 802.11n client.

Rate(Mbps) Rate at which the radio interface sends wireless ping frames.

TxCnt Number of wireless ping frames that the radio interface sent.

RxCnt Number of wireless ping frames that the radio interface received from the client.

RSSI Received signal strength indication. This value indicates the client signal strength detected by the AP.

Retries Total number of retransmitted ping frames.

RTT(ms) Round trip time.


License management

Configuring licenses

A license controls the maximum number of online APs. You can add a license on a device to increase the maximum number of online APs that the device supports. However, the upper limit of online APs that a device supports is restricted by its specification and varies by device model. For more information, see "Feature matrixes."

Adding a license

CAUTION:

• After adding a license, you must reboot the device to validate the license.

• You can also increase the maximum number of online APs by adding an enhanced license. For more information about enhanced license, see "Enhanced license management."

1. Select Device > License from the navigation tree.

The License page appears.

Figure 42 License

2. In the Add License area, configure the license information as described in Table 28.

3. Click Add.

Table 28 Configuration items

Item Description

License Key Enter the license key.

Activation Key Enter the activation key for the license.


Displaying license information

1. Select Device > License from the navigation tree.

The page in Figure 42 appears.

2. View the license information in the License area.

Table 29 Field description

Field Description

default AP number Maximum number of APs that the device supports by default.

max AP number Upper limit of APs that the device supports.

current AP number Maximum number of APs that the device currently supports.

License Key License key of the license.

Activation Key Activation key of the license.

AP Number Number of APs that the license supports.

Configuring enhanced licenses

Some features of the device can be used only after you register them by using an enhanced license. The enhanced license required for registration can be a beta version or an official version. A beta version has a lifetime, and the features registered by using the version cannot be used any more after the version expires. An official version, obtained by purchasing the features, provides the serial number for registering the features and presents a description of the features.

Registering an enhanced license

CAUTION:

After registering an enhanced license, you must reboot the device to validate the newly added features.

You can also increase the number of allowed APs by adding a license. For more information about license, see "License management."

1. Select Device > License from the navigation tree.

2. Click the Enhanced License tab.

The Enhanced License tab page appears.


Figure 43 Enhanced license

3. Configure enhanced license information as described in Table 30.

4. Click Add.

Table 30 Configuration items

Item Description

Feature Name Select the name of the feature to be registered.

For example, AP allows you to increase the number of APs.

Serial Number Type the serial number of the license.

Displaying registered enhanced licenses

1. Select Device > License from the navigation tree.

2. Click the Enhanced License tab.

The page in Figure 43 appears.

3. View the registered enhanced licenses at the lower part of the page.

Table 31 Field description

Field Description

Feature Name Name of the feature registered.

Serial Number Serial number of the license.

Available Time Left Time left on the license. After the time elapses, the license expires.

The value Forever means that the license is an official version.

AP Number Number of APs that the license supports.


Device basic information configuration

The device basic information feature provides you the following functions:

• Set the system name of the device. The configured system name will be displayed on the top of the navigation bar.

• Set the idle timeout period for a logged-in user. That is, the system logs an idle user off the Web for security purpose after the configured period.

Configuring system name

1. Select Device > Basic from the navigation tree.

The page for configuring the system name appears.

Figure 44 System name

2. Set the system name for the device.

3. Click Apply.

Configuring Web idle timeout period

1. Select Device > Basic from the navigation tree.

2. Click the Web Idle Timeout tab.

The page for configuring Web idle timeout period appears.

Figure 45 Configuring Web idle timeout period


3. Set the Web idle timeout period for a logged-in user.

4. Click Apply.


Device maintenance

Software upgrade

A boot file, also known as the system software or device software, is an application file used to boot the device. Software upgrade allows you to obtain a target application file from the local host and set the file as the boot file to be used at the next reboot. In addition, you can select whether to reboot the device to bring the upgraded software into effect.

CAUTION:

• A software upgrade takes some time. Avoid performing any operation on the Web interface during the upgrading procedure. Otherwise, the upgrade operation may be interrupted.

• You can keep the original file name or change it to another one (extension name not changed) after you get the target application file from the local host.

1. Select Device > Device Maintenance from the navigation tree.

The software upgrade configuration page appears.

Figure 46 Software upgrade configuration page

2. Configure the software upgrade parameters as described in Table 32.

3. Click Apply.

Table 32 Configuration items

Item Description

File Specify the path of the local application file, which must be with an extension .app or .bin.


File Type Specify the type of the boot file for the next boot:
• Main—Boots the device.
• Backup—Boots the device when the main boot file is unavailable.

If a file with the same name already exists, overwrite it without any prompt

Specify whether to overwrite the file with the same name.

If you do not select the option, when a file with the same name exists, the system prompts "The file has existed.", and you cannot upgrade the software.

Reboot after the upgrade is finished. Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.

Rebooting the device

CAUTION:

• Before rebooting the device, save the configuration. Otherwise, all unsaved configurations are lost after device reboot.

• Re-log in to the Web interface after the device reboots.

1. Select Device > Device Maintenance from the navigation tree.

2. Click the Reboot tab.

The reboot tab page appears.

Figure 47 Device reboot page

3. Clear the box before "Check whether the current configuration is saved in the next startup configuration file" or keep it selected.

4. Click Apply.

A confirmation dialog box appears.

5. Click OK.

If you select the box before "Check whether the current configuration is saved in the next startup configuration file", the system checks the configuration before rebooting the device. If the check succeeds, the system reboots the device; if the check fails, the system displays a dialog box to inform you that the current configuration and the saved configuration are inconsistent, and does not reboot the device. In this case, you must save the current configuration manually before you can reboot the device.

If you do not select the box, the system reboots the device directly.

Generating the diagnostic information file Each functional module has its own running information, and generally, you need to view the output information for each module one by one. To receive as much information as possible in one operation during daily maintenance or when system failure occurs, the device supports generating diagnostic information. When you perform the diagnostic information generation operation, the system saves the running statistics of multiple functional modules to a file named default.diag, and then you can locate problems faster by checking this file.

To generate the diagnostic information file:

1. Select Device > Device Maintenance from the navigation tree.

2. Click the Diagnostic Information tab.

The diagnostic information tab page appears.

Figure 48 Diagnostic information

3. Click Create Diagnostic Information File.

The system begins to generate diagnostic information file, and after the file is generated, the page in Figure 49 appears.

Figure 49 The diagnostic information file is created

4. Click Click to Download.

The File Download dialog box appears. You can select to open this file or save this file to the local host.


NOTE:

• The generation of the diagnostic file will take a period of time. During this process, do not perform any operation on the Web page.

• To view this file after the diagnostic file is generated successfully, select Device > File Management, or download this file to the local host. For more information, see "File management configuration."


System time

You need to configure a correct system time so that the device can work with other devices properly. System time allows you to display and set the device system time on the Web interface.

The device supports setting system time through manual configuration and automatic synchronization of NTP server time.

An administrator cannot keep time synchronized among all the devices within a network by changing the system clock on each device, because this is a time-consuming task and cannot guarantee clock precision.

Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed time servers and clients.

NTP can keep consistent timekeeping among all clock-dependent devices within the network and ensure a high clock precision so that the devices can provide diverse applications based on consistent time.

Displaying the system time

1. Select Device > System Time from the navigation tree.

The page for configuring system time appears.

Figure 50 System time page

2. View the current system time on the top of the page.

Configuring the system time

1. Select Device > System Time from the navigation tree.

The page in Figure 50 appears.

2. Click the System Time Configuration field.

The calendar page appears.


Figure 51 Calendar page

3. Modify the system time either in the System Time Configuration field, or through the calendar page.

You can perform the following operations on the calendar page:

a. Click Today to set the current date on the calendar to the current system date of the local host, and the time keeps unchanged.

b. Set the year, month, date and time, and then click OK.

4. Click Apply in the system time configuration page to save your configuration.

Configuring the network time

1. Select Device > System Time from the navigation tree.

2. Click Net Time.

The network time page appears.


Figure 52 Network time

3. Configure system time parameters as described in Table 33.

4. Click Apply.

Table 33 Configuration items

Item Description

Clock status Display the synchronization status of the system clock.

Local Reference Source Set the IP address of the local clock source to 127.127.1.u, where u ranges from 0 to 3, representing the NTP process ID.
• If the IP address of the local clock source is specified, the local clock is used as the reference clock, and thus can provide time for other devices.
• If the IP address of the local clock source is not specified, the local clock is not used as the reference clock.

Stratum

Set the stratum level of the local clock.

The stratum level of the local clock decides the precision of the local clock. A higher value indicates a lower precision. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.

Source Interface

Set the source interface for an NTP message.

If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, you can specify the source interface for NTP messages, so that the source IP address in the NTP messages is the primary IP address of this interface. If the specified source interface is down, the source IP address of the NTP messages sent is the primary IP address of the outbound interface.


Key 1 / Key 2

Set the NTP authentication keys.

The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand. This feature enhances network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication.

You can set two authentication keys, each of which is composed of a key ID and a key string:
• ID is the ID of the key.
• Key string is a character string used as the MD5 authentication key.

External Reference Source

NTP Server 1/Reference Key ID, NTP Server 2/Reference Key ID

Specify the IP address of an NTP server, and configure the authentication key ID used for the association with the NTP server. The device synchronizes its time to the NTP server only if the key provided by the server is the same as the specified key.

You can configure two NTP servers. The clients will choose the optimal reference source.

IMPORTANT:

The IP address of an NTP server is a unicast address, and cannot be a broadcast or a multicast address, or the IP address of the local clock source.

TimeZone Set the time zone for the system.

System time configuration example

Network requirements

• As shown in Figure 53, the local clock of Switch is set as the reference clock.

• AC operates in client mode, and uses Switch as the NTP server.

• NTP authentication is configured on both AC and Switch.

Figure 53 Network diagram

Configuring the switch

Configure the local clock as the reference clock, with the stratum of 2, configure authentication, with the key ID of 24, and trusted key as aNiceKey. (Details not shown.)

Configuring the AC

To configure Switch as the NTP server of AC:

1. Select Device > System Time from the navigation tree.

2. Click the Net Time tab.

The Net Time tab page appears.


Figure 54 Configuring Switch as the NTP server of AC

3. Enter 24 for the ID of key 1, and aNiceKey for the key string. Enter 1.0.1.12 in the NTP Server 1 box and 24 in the Reference Key ID box.

4. Click Apply.

Verifying the configuration

After the above configuration, the current system time displayed on the System Time page is the same for AC and Switch.

Configuration guidelines

• A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's clock, the client will not synchronize its clock to the server's.

• The synchronization process takes a period of time. The clock status may be displayed as unsynchronized after your configuration. In this case, you can refresh the page to view the clock status later on.

• If the system time of the NTP server is ahead of the system time of the device, and the difference between them exceeds the Web idle time specified on the device, all online Web users are logged out because of timeout.
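The NTP rules stated in Table 33 and the configuration guidelines above (MD5 key authentication with a key ID and key string, a unicast server address that is not the local clock source 127.127.1.u, and the stratum comparison) as an added Python example; this is not code from the H3C guide. It uses the configuration example's values (key ID 24, key string aNiceKey, Switch at 1.0.1.12 with stratum 2) as constructed inputs and assumes the standard NTP MD5 authenticator layout (32-bit key ID followed by MD5 over the key string prepended to the 48-byte header), which the page itself does not spell out.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed to match the page's configuration example: key ID 24 with key
# string aNiceKey, and the Switch at 1.0.1.12 acting as a stratum 2 reference.
TRUSTED_KEYS = {24: b"aNiceKey"}
NTP_SERVER = "1.0.1.12"
SERVER_STRATUM = 2
UNSYNCHRONIZED = 16  # stratum 16: not synchronized, never usable as a reference clock
# Local clock source addresses 127.127.1.u with u in 0..3 (Table 33).
LOCAL_CLOCK_NET = ipaddress.ip_network("127.127.1.0/30")
HEADER_LEN, MAC_LEN = 48, 4 + 16  # 48-byte header, then key ID + MD5 digest


def build_ntp_header(stratum: int, mode: int = 4, version: int = 3) -> bytes:
    """Minimal 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, then zeros.
    Mode 4 is a server reply; the timestamps are left zero because only the
    stratum and the authenticator matter for the checks below."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + b"\x00" * 44


def append_md5_authenticator(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the NTP MAC: 32-bit key ID plus MD5(key || header). This is the
    assumed layout of the MD5 authentication that the key ID / key string rows
    of Table 33 refer to."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_md5_authenticator(packet: bytes, keys: dict) -> tuple:
    """Return (ok, reason). A reply without a MAC, with a key ID the device does
    not hold, or with a digest built from a different key string fails."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "missing or malformed authenticator"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key ID {key_id}"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, packet[HEADER_LEN + 4:]):
        return False, "digest mismatch (different key string or altered packet)"
    return True, f"authenticated with key ID {key_id}"


def check_server_address(addr: str) -> tuple:
    """Table 33: the server address must be unicast, not broadcast or multicast,
    and not the local clock source address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return False, "multicast address"
    if ip == ipaddress.ip_address("255.255.255.255"):
        return False, "broadcast address"
    if ip in LOCAL_CLOCK_NET:
        return False, "local clock source address 127.127.1.u"
    return True, "unicast address"


def should_synchronize(packet: bytes, server_addr: str, client_stratum: int,
                       keys: dict = TRUSTED_KEYS) -> tuple:
    """Apply the page's rules in order: server address, authentication, then the
    stratum comparison from the configuration guidelines."""
    ok, reason = check_server_address(server_addr)
    if not ok:
        return False, reason
    ok, reason = verify_md5_authenticator(packet, keys)
    if not ok:
        return False, reason
    server_stratum = packet[1]  # second header byte is the stratum
    if server_stratum == 0 or server_stratum >= UNSYNCHRONIZED:
        return False, f"server stratum {server_stratum}: clock not synchronized"
    if server_stratum >= client_stratum:
        return False, (f"server stratum {server_stratum} is not lower than "
                       f"client stratum {client_stratum}")
    return True, f"synchronize to stratum {server_stratum} server {server_addr}"


if __name__ == "__main__":
    reply = append_md5_authenticator(build_ntp_header(SERVER_STRATUM), 24, TRUSTED_KEYS[24])
    # An unsynchronized AC (stratum 16) accepts the authenticated stratum 2 Switch.
    print(should_synchronize(reply, NTP_SERVER, UNSYNCHRONIZED))
    # A reply signed with a key string other than aNiceKey is rejected.
    forged = append_md5_authenticator(build_ntp_header(SERVER_STRATUM), 24, b"wrongKey")
    print(should_synchronize(forged, NTP_SERVER, UNSYNCHRONIZED))
```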


Log management

System logs contain a large amount of network and device information, including running status and configuration changes. System logs are an important way for administrators to know network and device status. With system logs, administrators can take corresponding actions against network problems and security problems.

The system sends system logs to the following destinations:

• Console

• Monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY user interface.

• Log buffer

• Loghost

• Web interface

Displaying syslog

The Web interface provides abundant search and sorting functions. You can view syslogs through the Web interface conveniently.

To display syslog:

1. Select Device > Syslog from the navigation tree.

The page for displaying syslog appears.

Figure 55 Displaying syslog


TIP:

• You can click Reset to clear all system logs saved in the log buffer on the Web interface.

• You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup page to enable the system to automatically refresh the page periodically. For more information, see "Setting buffer capacity and refresh interval."

2. View system logs.

Table 34 Field description

Field Description

Time/Date Display the time/date when system logs are generated.

Source Display the module that generates system logs.

Level

Display the system information levels. The information is classified into eight levels by severity:

• Emergency—The system is unusable.

• Alert—Action must be taken immediately.

• Critical—Critical conditions.

• Error—Error conditions.

• Warning—Warning conditions.

• Notification—Normal but significant condition.

• Informational—Informational messages.

• Debug—Debug-level messages.

Digest Display the brief description of system logs.

Description Display the contents of system logs.

Setting the log host

You can set the loghost on the Web interface to enable the system to output syslogs to the log host. You can specify at most four different log hosts.

To set the log host:

1. Select Device > Syslog from the navigation tree.

2. Click the Loghost tab.

The loghost configuration page appears.


Figure 56 Setting loghost

3. Configure the log host as described in Table 35.

4. Click Apply.

Table 35 Configuration items

Item Description

IPv4/Domain, IPv6, Loghost IP/Domain

Set the IPv4 address, domain, or IPv6 address of the loghost.
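As an added example (not the guide's or H3C's code) of what a log host receiving the syslogs described above can do with the eight severity levels listed in Table 34: the parser below assumes a standard RFC 3164-style <PRI> prefix (PRI = facility*8 + severity), which the guide does not specify, and filters constructed sample lines down to those at or above a chosen level.

```python
"""Severity-aware parser for syslog lines arriving at a log host.

Added example, not H3C's code. It assumes the device sends lines with a
standard RFC 3164-style <PRI> prefix (PRI = facility*8 + severity); the
guide itself does not state the wire format. The level names are the
eight listed in the guide's Level field.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Eight severity levels as named in the guide; list index = numeric severity.
LEVELS = ["Emergency", "Alert", "Critical", "Error",
          "Warning", "Notification", "Informational", "Debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


@dataclass
class LogEntry:
    facility: int
    severity: int      # 0 (Emergency) .. 7 (Debug)
    body: str          # everything after the <PRI> prefix

    @property
    def level(self) -> str:
        return LEVELS[self.severity]


def parse_line(line: str) -> LogEntry:
    """Split a received line into facility, severity and body.

    Raises ValueError for lines without a valid <PRI> prefix so that
    malformed input is rejected rather than silently misclassified.
    """
    m = _PRI_RE.match(line.strip())
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23, severity 0..7 -> max 23*8+7
        raise ValueError(f"PRI out of range: {pri}")
    return LogEntry(facility=pri // 8, severity=pri % 8, body=m.group(2))


def at_or_above(lines: Iterable[str], threshold: str = "Warning") -> List[LogEntry]:
    """Keep entries whose severity is at least `threshold`.

    A lower numeric severity is MORE severe, so "at or above Warning"
    means severity <= 4. Malformed lines are skipped, not raised.
    """
    limit = LEVELS.index(threshold)
    kept: List[LogEntry] = []
    for line in lines:
        try:
            entry = parse_line(line)
        except ValueError:
            continue
        if entry.severity <= limit:
            kept.append(entry)
    return kept


# Constructed sample lines (not real device output); facility 16 = local0.
SAMPLE_LINES = [
    "<134>Jan  1 00:00:01 AC constructed informational message",
    "<132>Jan  1 00:00:02 AC constructed warning message",
    "<129>Jan  1 00:00:03 AC constructed alert message",
    "garbage without a PRI prefix",
]

if __name__ == "__main__":
    for e in at_or_above(SAMPLE_LINES, "Warning"):
        print(f"{e.level:<13} facility={e.facility} {e.body}")
```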

Setting buffer capacity and refresh interval

1. Select Device > Syslog from the navigation tree.

2. Click the Log Setup tab.

The syslog configuration page appears.


Figure 57 Syslog configuration page

3. Configure buffer capacity and refresh interval as described in Table 36.

4. Click Apply.

Table 36 Configuration items

Item Description

Buffer Capacity Set the number of logs that can be stored in the log buffer of the Web interface.

Refresh Interval

Set the refresh period for the log information displayed on the Web interface.

You can select manual refresh or automatic refresh:

• Manual—Click Refresh to refresh the Web interface when displaying log information.

• Automatic—You can select to refresh the Web interface every 1 minute, 5 minutes, or 10 minutes.


Configuration management

NOTE:

When backing up a configuration file, back up the configuration file with the extension .xml. Otherwise, some configuration information may not be restored in some cases (for example, when the configuration is removed).

Backing up the configuration

Configuration backup provides the following functions:

• Open and view the configuration file (.cfg file or .xml file) for the next startup

• Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user

To back up the configuration:

1. Select Device > Configuration from the navigation tree.

The page for backing up configuration appears.

Figure 58 Backup configuration page

2. Click the upper Backup button.

A file download dialog box appears. You can select to view the .cfg file or to save the file locally.

3. Click the lower Backup button.

A file download dialog box appears. You can select to view the .xml file or to save the file locally.

Restoring the configuration

CAUTION:

The restored configuration file takes effect at the next device reboot.

Configuration restore provides the following functions:

• Upload the .cfg file on the host of the current user to the device for the next startup

• Upload the .xml file on the host of the current user to the device for the next startup, and delete the previous .xml configuration file that was used for the next startup

To restore the configuration:


1. Select Device > Configuration from the navigation tree.

2. Click the Restore tab.

The page for restoring configuration appears.

Figure 59 Configuration restore page

3. Click the upper Browse button.

The file upload dialog box appears. You can select the .cfg file to be uploaded.

4. Click the lower Browse button.

The file upload dialog box appears. You can select the .xml file to be uploaded.

5. Click Apply.

Saving the configuration

CAUTION:

• Saving the configuration takes some time.

• The system does not support two or more users saving the configuration at the same time. If this occurs, the system prompts the later users to try again later.

The save configuration module provides the function to save the current configuration to the configuration file (.cfg file or .xml file) to be used at the next startup. You can save the configuration in one of the following ways:

Fast

Click the Save button at the upper right of the auxiliary area, and you can save the configuration to the configuration file.


Figure 60 Saving configuration confirmation

Common

1. Select Device > Configuration from the navigation tree.

2. Click the Save tab.

The page in Figure 60 appears.

3. Click Save Current Settings to save the current configuration to the configuration file.

Initializing the configuration

This operation restores the system to factory defaults, deletes the current configuration file, and reboots the device.

To initialize the configuration:

1. Select Device > Configuration from the navigation tree.

2. Click the Initialize tab.

The initialize confirmation page appears.

Figure 61 Initializing the configuration

3. Click Restore Factory-Default Settings to restore the system to factory defaults.


File management

NOTE:

There are many types of storage media such as flash, compact flash (CF), and so on. Different devices support different types of storage device. For more information, see "Feature matrixes."

The device saves useful files (such as host software, configuration file) into the storage device, and the system provides the file management function for the users to manage those files conveniently and effectively.

Displaying file list

1. Select Device > File Management from the navigation tree.

The file management page appears.

Figure 62 File management

2. Select a disk from the Please select disk list on the top of the page.

3. View the used space, free space and capacity of the disk at the right of the list.

4. View all files saved in this disk (in the format of path + filename), file sizes, and the boot file types (Main or Backup is displayed if the file is an application file, that is, with the extension of .bin or .app).


Downloading a file

1. Select Device > File Management from the navigation tree.

The page in Figure 62 appears.

2. Select a file from the list.

You can select one file at a time.

3. Click Download File.

The File Download dialog box appears. You can select to open the file or to save the file to a specified path.

Uploading a file

NOTE:

Uploading a file takes some time. H3C recommends that you not perform any operation on the Web interface while the upload is in progress.

1. Select Device > File Management from the navigation tree.

The page in Figure 62 appears.

2. Select the disk to save the file in the Upload File box.

3. Click Browse to set the path and name of the file.

4. Click Apply.

Removing a file

1. Select Device > File Management from the navigation tree.

The page in Figure 62 appears.

2. Select one or multiple files from the file list.

3. Click Remove File.

NOTE:

You can also remove a file by clicking the icon.

Specifying the main boot file

1. Select Device > File Management from the navigation tree.

The page in Figure 62 appears.

2. Select the box to the left of an application file (with the extension of .bin or .app).

You can set one file at a time.

3. Click Set as Main Boot File to set the main boot file to be used at the next startup.


Interface management

Interface management overview

An interface is the point of interaction or communication used for exchanging data between entities. There are two types of interfaces: physical and logical. A physical interface is an interface that physically exists as a hardware component; Ethernet interfaces are an example. A logical interface is an interface that can implement data switching but does not exist physically. A logical interface must be created manually; VLAN interfaces are an example.

You can use the interface management feature on the Web-based configuration interface to manage the following types of interfaces.

• Layer 2 Ethernet interface—Physical interface operating on the data link layer for forwarding Layer 2 protocol packets.

• Management Ethernet interface—Physical interface operating on the network layer. You can configure IP addresses for a management Ethernet interface. You can log in to the device through a management Ethernet interface to manage the device.

• Loopback interface—A loopback interface is a software-only virtual interface. The physical layer state and link layer protocols of a loopback interface are always up unless the loopback interface is manually shut down. You can enable routing protocols on a loopback interface, and a loopback interface can send and receive routing protocol packets. When you assign an IPv4 address whose mask is not 32-bit, the system automatically changes the mask into a 32-bit mask.

• Null interface—A null interface is a completely software-based logical interface, and is always up. However, you cannot use it to forward data packets or configure an IP address or link layer protocol on it. With a null interface specified as the next hop of a static route to a specific network segment, any packets routed to the network segment are dropped. The null interface provides a simpler way to filter packets than ACL. You can filter uninteresting traffic by transmitting it to a null interface instead of applying an ACL.

• VLAN interface—Virtual Layer 3 interface used for Layer 3 communications between VLANs. A VLAN interface corresponds to a VLAN. You can assign an IP address to a VLAN interface and specify it as the gateway of the corresponding VLAN to forward traffic destined for an IP network segment different from that of the VLAN.

• Virtual template (VT) interface—Template used for configuring virtual access (VA) interfaces.

• Bridge-Aggregation interface (BAGG)—Multiple Layer 2 Ethernet interfaces can be combined to form a Layer 2 aggregation group. The logical interface created for the group is called an aggregate interface.

With the interface management feature, you can view interface information, create/remove logical interfaces, change interface status, and reset interface parameters.

Displaying interface information and statistics

1. Select Device > Interface from the navigation tree.

The interface management page appears. The page displays the interfaces' names, IP addresses, masks, and status.


Figure 63 Interface management page

2. Click an interface name in the Name column to display the statistics of that interface.

The page for displaying interface statistics appears.


Figure 64 Statistics on an interface

Creating an interface

1. Select Device > Interface from the navigation tree.

The page in Figure 63 appears.

2. Click Add.

The page for creating an interface appears.


Figure 65 Creating an interface

3. Configure the interface as described in Table 37.

4. Click Apply.

Table 37 Configuration items

Item Description

Interface Name Set the type and number of a logical interface.

VID

If you are creating a Layer 3 Ethernet subinterface, set the VLANs associated with the subinterface.

This parameter is available only for Layer 3 Ethernet subinterfaces.

IMPORTANT:

Currently, this configuration item is not configurable because the device does not support Layer 3 Ethernet subinterfaces.

MTU

Set the maximum transmit unit (MTU) of the interface.

The MTU value affects fragmentation and reassembly of IP packets.

IMPORTANT:

Support for this configuration item depends on the interface type. All Layer 3 interfaces support MTU.


TCP MSS

Set the maximum segment size (MSS) for IP packets on the interface.

The TCP MSS value affects fragmentation and reassembly of IP packets.

IMPORTANT:

Support for this configuration item depends on the interface type. All Layer 3 interfaces support MTU.

IP Config

Set the way for the interface to obtain an IP address. Options include:

• None—Select this option if you do not want to assign an IP address to the interface.

• Static Address—Select this option to manually assign an IP address and mask to the interface. If this option is selected, you must set the IP Address and Mask fields.

• DHCP—Select this option for the interface to obtain an IP address through DHCP automatically.

• BOOTP—Select this option for the interface to obtain an IP address through BOOTP automatically.

• PPP Negotiate—Select this option for the interface to obtain an IP address through PPP negotiation.

• Unnumbered—Select this option to borrow the IP address of another interface on the same device for the interface. If this option is selected, you must select the interface whose IP address you want to borrow in the Unnumbered Interfaces list.

IMPORTANT:

Support for the way of obtaining an IP address depends on the interface type.

IP Address/Mask, Secondary IP Address/Mask

After selecting the Static Address option for the IP Config configuration item, you need to set the primary IP address and mask, and secondary IP addresses and masks for the interface.

IMPORTANT:

• The primary and secondary IP addresses cannot be 0.0.0.0.

• For a loopback interface, the mask is fixed to 32 bits and is not configurable.

• The number of secondary IP addresses supported by the device depends on the device model.

Unnumbered Interface If the Unnumbered option is selected as the way for the interface to obtain an IP address, you must set the interface whose IP address is to be borrowed.

IPv6 Config

Set the way for the interface to obtain an IPv6 link-local address. Options include:

• None—Select this option if you do not want to assign an IPv6 link-local address to the interface.

• Auto—Select this option for the system to automatically assign an IPv6 link-local address to the interface.

• Manual—Select this option to manually assign an IPv6 link-local address to the interface. If this option is selected, you must set the IPv6 Link Local Address field.

IPv6 Link Local Address If the Manual option is selected as the way for the interface to obtain an IPv6 link-local address, you must set an IPv6 link-local address for the interface.


Modifying a Layer 2 interface

1. Select Device > Interface from the navigation tree.

The page in Figure 63 appears.

2. Click the icon corresponding to a Layer 2 interface.

The page for modifying a Layer 2 interface appears.

Figure 66 Modifying a Layer 2 physical interface

3. Modify the information about the Layer 2 physical interface as described in Table 38.

4. Click Apply.

Table 38 Configuration items

Item Description

Port State

Enable or disable the interface.

In some cases, modification to the interface parameters does not take effect immediately. You need to shut down and then bring up the interface to make the modification work.


Speed

Set the transmission rate of the interface.

Available options include:

• 10—10 Mbps.

• 100—100 Mbps.

• 1000—1000 Mbps.

• Auto—Auto-negotiation.

• Auto 10—The auto-negotiation rate of the interface is 10 Mbps.

• Auto 100—The auto-negotiation rate of the interface is 100 Mbps.

• Auto 1000—The auto-negotiation rate of the interface is 1000 Mbps.

• Auto 10 100—The auto-negotiation rate of the interface is 10 Mbps or 100 Mbps.

• Auto 10 1000—The auto-negotiation rate of the interface is 10 Mbps or 1000 Mbps.

• Auto 100 1000—The auto-negotiation rate of the interface is 100 Mbps or 1000 Mbps.

• Auto 10 100 1000—The auto-negotiation rate of the interface is 10 Mbps, 100 Mbps or 1000 Mbps.

Duplex

Set the duplex mode of the interface.

• Auto—Auto-negotiation.

• Full—Full duplex.

• Half—Half duplex.

Link Type

Set the link type of the current interface, which can be access, hybrid, or trunk. For more information, see Table 39.

IMPORTANT:

To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to access.

PVID

Set the default VLAN ID of the hybrid or trunk port.

IMPORTANT:

The trunk ports at the two ends of a link must have the same PVID.


MDI

Set the Medium Dependent Interface (MDI) mode for the interface.

Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet interface on the device can operate in one of the following three MDI modes:

• Across mode.

• Normal mode.

• Auto mode.

An Ethernet interface is composed of eight pins. By default, each pin has its particular role. For example, pin 1 and pin 2 are used for transmitting signals; pin 3 and pin 6 are used for receiving signals. You can change the pin roles by setting the MDI mode.

• In across mode, the default pin roles are kept, that is, pin 1 and pin 2 for transmitting signals, and pin 3 and pin 6 for receiving signals.

• In auto mode, the pin roles are determined through auto negotiation.

• In normal mode, pin 1 and pin 2 are used for receiving signals while pin 3 and pin 6 are used for transmitting signals.

To enable normal communication, you should connect the local transmit pins to the remote receive pins. Therefore, you should configure the MDI mode depending on the cable types.

• Generally, the auto mode is recommended. The other two modes are useful only when the device cannot determine the cable types.

• When straight-through cables are used, the local MDI mode must be different from the remote MDI mode.

• When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto.

Flow Control

Enable or disable flow control on the interface.

After flow control is enabled on both ends, when the local end experiences traffic congestion, it sends information to notify the peer end to stop sending packets temporarily; upon receiving the information, the peer end stops sending packets, and vice versa. This is used to avoid packet loss.

IMPORTANT:

Flow control can be realized only when it is enabled on both ends.

Jumbo Frame Enable or disable the forwarding of jumbo frames.

Max MAC Count

Set the maximum number of MAC addresses the interface can learn. Available options include:

• User Defined—Select this option to set the limit manually.

• No Limited—Select this option to set no limit.

Broadcast Suppression

Set broadcast suppression. You can suppress broadcast traffic by percentage or by PPS as follows:

• ratio—Sets the maximum percentage of broadcast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.

• pps—Sets the maximum number of broadcast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.


Multicast Suppression

Set multicast suppression. You can suppress multicast traffic by percentage or by PPS as follows:

• ratio—Sets the maximum percentage of multicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.

• pps—Sets the maximum number of multicast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.

Unicast Suppression

Set unicast suppression. You can suppress unicast traffic by percentage or by PPS as follows:

• ratio—Sets the maximum percentage of unicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.

• pps—Sets the maximum number of unicast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.

Table 39 Link type description

Link type Description

Access An access port can belong to only one VLAN and is usually used to connect a user device.

Hybrid A hybrid port can be assigned to multiple VLANs to receive and send packets for them and allows packets of multiple VLANs to pass through untagged.

Hybrid ports can be used to connect network devices, as well as user devices.

Trunk A trunk port can be assigned to multiple VLANs to receive and send packets for them but allows only packets of the default VLAN to pass through untagged.

Trunk ports are usually used to connect network devices.

Modifying a Layer 3 interface

1. Select Device > Interface from the navigation tree.

The page in Figure 63 appears.

2. Click the icon corresponding to a Layer 3 interface.

The page for modifying a Layer 3 interface appears.


Figure 67 Modifying a Layer 3 physical interface

3. Modify the information about the Layer 3 interface.

The configuration items for modifying a Layer 3 interface are similar to those for creating an interface. Table 40 describes the configuration items specific to modifying a Layer 3 interface.

4. Click Apply.

Table 40 Configuration items

Item Description

Interface Type Set the interface type, which can be Electrical port, Optical port, or None.

Interface Status

Display and set the interface status.

• The display of Connected indicates that the current status of the interface is up and connected. You can click Disable to shut down the interface.

• The display of Not connected indicates that the current status of the interface is up but not connected. You can click Disable to shut down the interface.

• The display of Administratively Down indicates that the interface is shut down by the administrator. You can click Enable to bring up the interface.

After you click Enable or Disable, the page displaying interface information appears.

IMPORTANT:

For an interface whose status cannot be changed, the Enable or Disable button is not available.

Working Mode Set the interface to work in bridge mode or router mode.


Interface management configuration example

Network requirements

Create VLAN-interface 100 and specify its IP address as 10.1.1.2.

Configuration procedure

1. Create VLAN 100:

a. Select Network > VLAN from the navigation tree.

The VLAN tab page appears.

b. Click Add.

The page for creating VLANs appears.

Figure 68 Creating VLAN 100

c. Enter VLAN ID 100.

d. Click Apply.

2. Create VLAN-interface 100 and assign an IP address for it:

a. Select Device > Interface from the navigation tree.

b. Click Add.

The page for creating an interface appears.


Figure 69 Creating VLAN-interface 100

c. Select Vlan-interface from the Interface Name list, enter the interface ID 100, select the Static Address option in the IP Config area, enter the IP address 10.1.1.2, and select 24 (255.255.255.0) from the Mask list.

d. Click Apply.


Port mirroring

NOTE:

• There are two kinds of port mirroring: local port mirroring and remote port mirroring. Unless otherwise specified, port mirroring described in this chapter refers to local port mirroring.

• Support for the port mirroring feature depends on the device model. For more information, see "Feature matrixes."

Introduction to port mirroring

Port mirroring copies the packets passing through one or multiple ports (called mirroring ports) to a port (called the monitor port) on the local device. The monitor port is connected to a monitoring device. By analyzing the packets mirrored to the monitor port on the monitoring device, you can monitor the network and troubleshoot possible network problems.

Figure 70 A port mirroring implementation

Port mirroring is implemented through mirroring groups. The mirroring ports and the monitor port are in the same mirroring group. With port mirroring enabled, the device copies packets passing through the mirroring ports to the monitor port.


Port mirroring configuration task list

Table 41 Port mirroring configuration task list

Task Remarks

Add a mirroring group

Required.

For more information, see "Adding a mirroring group."

You need to select the mirroring group type local in the Type list.

Configure the mirroring ports

Required.

For more information, see "Configuring ports for a mirroring group."

During configuration, you need to select the port type Mirror Port.

Configure the monitor port

Required.

For more information, see "Configuring ports for a mirroring group."

During configuration, you need to select the port type Monitor Port.

Adding a mirroring group

1. Select Device > Port Mirroring from the navigation tree.

2. Click the Add tab.

The page for adding a mirroring group appears.

Figure 71 The page for adding a mirroring group

3. Configure the mirroring group as described in Table 42.

4. Click Apply.


Table 42 Configuration items

Item Description

Mirroring Group ID ID of the mirroring group to be added.

Type Specify the type of the mirroring group to be added:

Local: Adds a local mirroring group.

Configuring ports for a mirroring group

1. Select Device > Port Mirroring from the navigation tree.

2. Click the Modify Port tab.

The page for configuring ports for a mirroring group appears.

Figure 72 The page for configuring ports for a mirroring group

3. Configure the port information for the mirroring group as described in Table 43.

4. Click Apply.

The progress bar appears.

5. Click Close after the progress bar prompts that the configuration is complete.

Table 43 Configuration items

Item Description

Mirroring Group ID ID of the mirroring group to be configured.

Port Type

Set the types of the ports to be configured:

• Monitor Port—Configures the monitor port for the mirroring group.

• Mirror Port—Configures mirroring ports for the mirroring group.


Stream Orientation

Set the direction of the traffic monitored by the monitor port of the mirroring group.

This configuration item is available when Mirror Port is selected in the Port Type list.

• both—Mirrors both received and sent packets on the mirroring ports.

• inbound—Mirrors only packets received by the mirroring ports.

• outbound—Mirrors only packets sent by the mirroring ports.

interface name Select the ports to be configured from the interface name list.

Configuration examples

Network requirements

As shown in Figure 73, the customer network is as described below:

• Packets from AP access AC through GigabitEthernet 1/0/1.

• Server is connected to GigabitEthernet 1/0/2 of AC.

Configure port mirroring to monitor the bidirectional traffic on GigabitEthernet 1/0/1 of AC on the server.

To satisfy the above requirement through port mirroring, perform the following configuration on AC:

• Configure GigabitEthernet 1/0/1 of AC as a mirroring port.

• Configure GigabitEthernet 1/0/2 of AC as the monitor port.

Figure 73 Network diagram

Adding a mirroring group

1. Select Device > Port Mirroring from the navigation tree.

2. Click Add.

The page for adding a mirroring group appears.


Figure 74 Adding a mirroring group

3. Enter 1 for Mirroring Group ID and select Local in the Type list.

4. Click Apply.

Configuring the mirroring ports

1. Click Modify Port.

The page for configuring a mirroring port appears.

Figure 75 Configuring a mirroring port

2. Select 1 – Local for Mirroring Group ID, select Mirror Port for Port Type, select both for Stream Orientation, and select GigabitEthernet 1/0/1 from the interface name list.

3. Click Apply.

The progress bar appears.

4. Click Close after the progress bar prompts that the configuration is complete.


Configuring the monitor port

1. Click the Modify Port tab.

The page for configuring ports for a mirroring group appears.

Figure 76 Configuring the monitor port

2. Select 1 – Local for Mirroring Group ID, select Monitor Port for Port Type, and select GigabitEthernet 1/0/2 from the interface name list.

3. Click Apply.

A progress bar appears.

4. Click Close after the progress bar prompts that the configuration is complete.

Configuration guidelines

When you configure port mirroring, follow these guidelines:

• Depending on the device model, you can assign these types of ports to a mirroring group as mirroring ports: Layer 2 Ethernet, Layer 3 Ethernet, POS, CPOS, serial, and MP-group.

• Depending on the device model, you can configure these types of ports as the monitor port: Layer 2 Ethernet, Layer 3 Ethernet, and tunnel.

• To ensure normal operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.

• On some types of devices, you can configure a member port in link aggregation as the monitor port.

• Other restrictions on the monitor port depend on your device model.

• You can configure multiple mirroring ports but only one monitor port for a mirroring group.

• A port can be assigned to only one mirroring group.


User management

In the user management part, you can perform the following configuration:

• Create a local user, and set the password, access level, and service type for the user.

• Set the super password for switching the current Web user level to the management level.

• Switch the current Web user access level to the management level.

Creating a user

1. Select Device > Users from the navigation tree.

2. Click the Create tab.

The page for creating local users appears.

Figure 77 Creating a user

3. Configure the user information as described in Table 44.

4. Click Apply.

Table 44 Configuration items

Item Description

Username Set the username for a user.


Access Level

Set the access level for a user. Users of different levels can perform different operations.

Web user levels, from low to high, are visitor, monitor, configure, and management.

• Visitor—Users of this level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.

• Monitor—Users of this level can only access the device data but cannot configure the device.

• Configure—Users of this level can access data on the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.

• Management—Users of this level can perform any operations on the device.

Password Set the password for a user.

Confirm Password Enter the same password again. Otherwise, when you apply the configuration, the system prompts that the two passwords entered are not consistent.

Service Type Set the service type, including Web, FTP, and Telnet services. You must select one of them.

Setting the super password

A user of the management level can set the password that a lower-level user must enter to switch from the current access level to the management level. If no such password is configured, the switchover fails.

To set the super password:

1. Select Device > Users from the navigation tree.

2. Click the Super Password tab.

The super password configuration page appears.

Figure 78 Super password

3. Set the super password as described in Table 45.

4. Click Apply.


Table 45 Configuration items

Item Description

Create/Remove Set the operation type:

• Create—Configure or modify the super password.

• Remove—Remove the current super password.

Password Set the password for a user to switch to the management level.

Confirm Password Enter the same password again. Otherwise, when you apply the configuration, the system prompts that the two passwords entered are not consistent.

Switching the user access level to the management level

This function is provided for a user to switch the current user level to the management level. Note the following:

• Before switching, make sure that the super password is already configured. A user cannot switch to the management level without a super password.

• The access level switchover of a user is valid for the current login only. The access level configured for the user is not changed. When the user logs in to the Web interface again, the access level of the user is still the original level.

To switch the user access level to the management level:

1. Select Device > Users from the navigation tree.

2. Click the Switch To Management tab.

The access level switching page appears.

Figure 79 Switching to the management level.

3. Enter the super password.

4. Click Login.


SNMP configuration

SNMP overview

Simple Network Management Protocol (SNMP) defines the communication rules between a management device and the managed devices on a network: a set of messages, methods, and syntaxes through which the management device accesses and manages the managed devices. SNMP shields the physical differences between devices and enables automatic management of products from different manufacturers.

An SNMP enabled network comprises the network management system (NMS) and agents.

The NMS manages agents by exchanging management information through SNMP. The NMS and managed agents must use the same SNMP version.

SNMP agents support SNMPv1, SNMPv2c, and SNMPv3.

• SNMPv1 uses a community name for authentication. The community name defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets whose community name does not pass authentication on the device are simply discarded. A community name plays a role similar to a password and controls access from the NMS to the agent.

• SNMPv2c also uses a community name for authentication. It is compatible with SNMPv1 and extends its functions: it provides more operation modes such as GetBulk and InformRequest, supports more data types such as Counter64, and provides more error codes, so errors can be distinguished in more detail.

• SNMPv3 provides authentication through the User-Based Security Model (USM). You can enable the authentication and privacy functions. Authentication verifies the validity of the sender of a packet, preventing access by illegal users; privacy encrypts packets between the NMS and agents, preventing the packets from being intercepted. By combining authentication with privacy, USM provides more secure communication between the SNMP NMS and the SNMP agent.

For more information about SNMP, see H3C WX Series Access Controllers Network Management and Monitoring Configuration Guide.

SNMP configuration task list

SNMPv1 or SNMPv2c configuration task list

Perform the tasks in Table 46 to configure SNMPv1 or SNMPv2c.

Table 46 SNMPv1 or SNMPv2c configuration task list

Task Remarks

Enabling SNMP

Required.

The SNMP agent function is disabled by default.

IMPORTANT:

If SNMP agent is disabled, all SNMP agent-related configurations are removed.


Configuring an SNMP view

Optional.

After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.

Configuring an SNMP community Required.

Configuring SNMP trap function

Optional.

Allows you to enable the agent to send SNMP traps to the NMS and to configure information about the target host of the SNMP traps.

By default, an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics Optional.

SNMPv3 configuration task list

Perform the tasks in Table 47 to configure SNMPv3.

Table 47 SNMPv3 configuration task list

Task Remarks

Enabling SNMP

Required.

The SNMP agent function is disabled by default.

IMPORTANT:

If SNMP agent is disabled, all SNMP agent-related configurations are removed.

Configuring an SNMP view Optional.

After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.

Configuring an SNMP group

Required.

After creating an SNMP group, you can add SNMP users to the group when you create the users, so that all users in the group can be managed centrally through the group.

Configuring an SNMP user Required.

Before creating an SNMP user, you need to create the SNMP group to which the user belongs.

Configuring SNMP trap function

Optional.

Allows you to enable the agent to send SNMP traps to the NMS and to configure information about the target host of the SNMP traps.

By default, an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics Optional.

Enabling SNMP

1. Select Device > SNMP from the navigation tree.

The SNMP configuration page appears.


Figure 80 Set up

2. Configure SNMP settings on the upper part of the page as described in Table 48.

3. Click Apply.

Table 48 Configuration items

Item Description

SNMP Specify to enable or disable SNMP.

Local Engine ID

Configure the local engine ID.

The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.


Maximum Packet Size Configure the maximum size of an SNMP packet that the agent can receive/send.

Contact

Set a character string to describe the contact information for system maintenance.

If the device is faulty, the maintainer can use this contact information to reach the manufacturer.

Location Set a character string to describe the physical location of the device.

SNMP Version Set the SNMP version run by the system.
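The Local Engine ID row above says a user created under one engine ID becomes invalid when the engine ID changes. The reason is that SNMPv3 USM (RFC 3414) never stores the authentication or privacy password itself: it hashes the password into a key and then localizes that key with the agent's engine ID, so a different engine ID yields a different key. The following Python example is added here and is not part of the H3C guide or its software; it implements that derivation with the standard library, checks it against the RFC 3414 test vectors, and uses a constructed helper (key_still_valid) and a constructed second engine ID to show the effect of an engine ID change.

```python
import hashlib

# RFC 3414 section A.2: the password is repeated to fill 1 MiB before hashing.
PASSWORD_EXPANSION = 1048576

# Hash algorithms behind the guide's "MD5" and "SHA" authentication modes.
HASHES = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(password: str, auth_mode: str = "MD5") -> bytes:
    """Ku: digest of the password repeated to 1 MiB (RFC 3414 A.2.1 / A.2.2)."""
    pw = password.encode("utf-8")
    reps, rem = divmod(PASSWORD_EXPANSION, len(pw))
    return hashlib.new(HASHES[auth_mode], pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_mode: str = "MD5") -> bytes:
    """Kul = H(Ku || engineID || Ku): ties the key to one agent's engine ID."""
    return hashlib.new(HASHES[auth_mode], ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, auth_mode: str = "MD5") -> bytes:
    """Full derivation from password to localized key."""
    return localize_key(password_to_key(password, auth_mode), engine_id, auth_mode)


def key_still_valid(password: str, stored_key: bytes, current_engine_id: bytes,
                    auth_mode: str = "MD5") -> bool:
    """Constructed check: does a key that was localized earlier still match what
    the agent derives for the same password under its current engine ID?"""
    return localized_key(password, current_engine_id, auth_mode) == stored_key


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engine ID 00 .. 00 02.
    engine = bytes.fromhex("000000000000000000000002")
    stored = localized_key("maplesyrup", engine, "MD5")
    print(stored.hex())          # 526f5eed9fcce26f8964c2930787d82b
    # A changed engine ID (constructed value) invalidates the stored key.
    new_engine = bytes.fromhex("000000000000000000000003")
    print(key_still_valid("maplesyrup", stored, new_engine))   # False
```

The privacy password goes through the same derivation; DES56 takes the first 8 bytes of the localized key and AES128 the first 16, which is why changing the engine ID breaks privacy as well as authentication for every existing user.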

Configuring an SNMP view

Creating an SNMP view

1. Select Device > SNMP from the navigation tree.

2. Click the View tab.

The view page appears.

Figure 81 View page

3. Click Add.

The Add View window appears.

Figure 82 Creating an SNMP view (1)


4. Enter the view name.

5. Click Apply.

The page in Figure 83 appears.

Figure 83 Creating an SNMP view (2)

6. Configure the parameters as described in Table 49.

7. Click Add.

8. Repeat steps 6 and 7 to add more rules for the SNMP view.

9. Click Apply.

To cancel the view, click Cancel.

Table 49 Configuration items

Item Description

View Name Set the SNMP view name.

Rule Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.

MIB Subtree OID

Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system).

MIB subtree OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree.

Subtree Mask Set the subtree mask.

If no subtree mask is specified, the default subtree mask (all Fs) will be used for mask-OID matching.
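Table 49 describes a view as a set of include/exclude rules, each over a MIB subtree OID and a subtree mask, with an all-Fs mask meaning that every sub-identifier of the subtree must match. The following Python example is added here and is not part of the H3C guide or its software; it implements that matching the way the standard view-based access control model (RFC 3415) defines it, so that you can check which objects a view will expose before attaching it to a community or group. The named-subtree lookup table and the sample rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

OID = Tuple[int, ...]

# Subtree names accepted in place of numeric OIDs (constructed lookup table;
# the guide mentions "system" as an example of such a name).
NAMED_SUBTREES = {
    "iso": "1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
}


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1.1' or a known name -> tuple of sub-identifiers."""
    text = NAMED_SUBTREES.get(text, text)
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(mask: str, length: int) -> Tuple[bool, ...]:
    """Hex mask such as 'ff:bf' -> one flag per sub-identifier of the subtree.
    True means the sub-identifier must match exactly, False is a wildcard.
    An empty mask is the all-Fs default; bits past the end count as 1 (RFC 3415)."""
    raw = bytes.fromhex(mask.replace(":", "")) if mask else b""
    bits = [(byte >> (7 - i)) & 1 == 1 for byte in raw for i in range(8)]
    return tuple(bits[:length] + [True] * max(0, length - len(bits)))


@dataclass(frozen=True)
class ViewRule:
    subtree: OID
    mask: Tuple[bool, ...]
    included: bool

    def matches(self, oid: OID) -> bool:
        if len(oid) < len(self.subtree):
            return False
        return all(not fixed or o == s
                   for o, s, fixed in zip(oid, self.subtree, self.mask))


class MibView:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[ViewRule] = []

    def add_rule(self, subtree: str, included: bool = True, mask: str = "") -> "MibView":
        oid = parse_oid(subtree)
        self.rules.append(ViewRule(oid, parse_mask(mask, len(oid)), included))
        return self

    def allows(self, oid_text: str) -> bool:
        """Is this object in the view? Among the matching rules the longest subtree
        wins (ties: the lexicographically greater subtree), and its Rule decides."""
        oid = parse_oid(oid_text)
        matching = [r for r in self.rules if r.matches(oid)]
        if not matching:
            return False
        best = max(matching, key=lambda r: (len(r.subtree), r.subtree))
        return best.included


if __name__ == "__main__":
    # Like the guide's configuration example: a view that includes only "interfaces".
    view1 = MibView("view1").add_rule("interfaces")
    print(view1.allows("1.3.6.1.2.1.2.2.1.10.1"))   # ifInOctets.1 -> True
    print(view1.allows("1.3.6.1.2.1.1.1.0"))        # sysDescr.0   -> False
    # Constructed: everything under iso except row 2 of ifTable. Mask ff:bf
    # wildcards the column sub-identifier and fixes the row index.
    ops = (MibView("ops").add_rule("iso")
           .add_rule("1.3.6.1.2.1.2.2.1.1.2", included=False, mask="ff:bf"))
    print(ops.allows("1.3.6.1.2.1.2.2.1.10.2"))     # ifInOctets.2 -> False
```

The mask is what makes a single excluded rule cover a whole row of a table: with ff:bf the tenth sub-identifier (the column) is a wildcard while the eleventh (the row index) stays fixed, so every column of interface 2 is hidden while interface 1 remains visible.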

Adding rules to an SNMP view

1. Select Device > SNMP from the navigation tree.

2. Click the View tab.

The page in Figure 84 appears.

3. Click the icon of the target view.


The Add rule for the view ViewDefault window appears.

Figure 84 Adding rules to an SNMP view

4. Configure the parameters as described in Table 49.

5. Click Apply.

NOTE:

You can modify the rules of a view in the page you enter by clicking the icon of that view.

Configuring an SNMP community

1. Select Device > SNMP from the navigation tree.

2. Click the Community tab.

The community tab page appears.

Figure 85 Configuring an SNMP community

3. Click Add.

The Add SNMP Community page appears.


Figure 86 Creating an SNMP Community

4. Configure SNMP community settings as described in Table 50.

5. Click Apply.

Table 50 Configuration items

Item Description

Community Name Set the SNMP community name.

Access Right

Configure the SNMP NMS access right.

• Read only—The NMS can perform read-only operations on the MIB objects when it uses this community name to access the agent.

• Read and write—The NMS can perform both read and write operations on the MIB objects when it uses this community name to access the agent.

View Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS.

ACL Associate the community with a basic ACL to allow or prohibit the access to the agent from the NMS with the specified source IP address.

Configuring an SNMP group

1. Select Device > SNMP from the navigation tree.

2. Click the Group tab.

The group tab page appears.


Figure 87 SNMP group

3. Click Add.

The Add SNMP Group page appears.

Figure 88 Creating an SNMP group

4. Configure SNMP group settings as described in Table 51.

5. Click Apply.

Table 51 Configuration items

Item Description

Group Name Set the SNMP group name.

Security Level

Select the security level for the SNMP group. The available security levels are:

• NoAuth/NoPriv—No authentication, no privacy.

• Auth/NoPriv—Authentication without privacy.

• Auth/Priv—Authentication and privacy.

Read View Select the read view of the SNMP group.


Write View Select the write view of the SNMP group.

If no write view is configured, the NMS cannot perform write operations on any MIB object on the device.

Notify View

Select the notify view of the SNMP group, that is, the view that can send trap messages.

If no notify view is configured, the agent does not send traps to the NMS.

ACL

Associate a basic ACL with the group to restrict the source IP address of SNMP packets. You can allow or prohibit SNMP packets with a specific source IP address, and so restrict which NMSs can communicate with the agent through this group.

Configuring an SNMP user

1. Select Device > SNMP from the navigation tree.

2. Click the User tab.

The user tab page appears.

Figure 89 SNMP user

3. Click Add.

The Add SNMP User page appears.


Figure 90 Creating an SNMP user

4. Configure SNMP user settings as described in Table 52.

5. Click Apply.

Table 52 Configuration items

Item Description

User Name Set the SNMP user name.

Security Level

Select the security level for the SNMP user. The available security levels are:

• NoAuth/NoPriv—No authentication, no privacy.

• Auth/NoPriv—Authentication without privacy.

• Auth/Priv—Authentication and privacy.

Group Name

Select the SNMP group to which the user belongs:

• When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication, no privacy.

• When the security level is Auth/NoPriv, you can select an SNMP group with no authentication, no privacy, or with authentication without privacy.

• When the security level is Auth/Priv, you can select an SNMP group of any security level.

Authentication Mode Select an authentication mode (including MD5 and SHA) when the security level is Auth/NoPriv or Auth/Priv.


Authentication Password Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.

Confirm Authentication Password Enter the authentication password again. The confirm authentication password must be the same as the authentication password.

Privacy Mode Select a privacy mode (including DES56, AES128, and 3DES) when the security level is Auth/Priv.

Privacy Password Set the privacy password when the security level is Auth/Priv.

Confirm Privacy Password Enter the privacy password again. The confirm privacy password must be the same as the privacy password.

ACL

Associate a basic ACL with the user to restrict the source IP address of SNMP packets. You can allow or prohibit SNMP packets with a specific source IP address, and so allow or prohibit the specified NMS from accessing the agent with this user name.

Configuring SNMP trap function

1. Select Device > SNMP from the navigation tree.

2. Click the Trap tab.

The trap configuration page appears.

Figure 91 Traps configuration

3. Select the box of Enable SNMP Trap.

4. Click Apply.

5. Click Add.

The page for adding a target host of SNMP traps appears.


Figure 92 Adding a target host of SNMP traps

6. Configure the settings for the target host as described in Table 53.

7. Click Apply.

Table 53 Configuration items

Item Description

Destination IP Address

Set the destination IP address or domain.

Select the IP address type: IPv4/Domain or IPv6, and then type the corresponding IP address or domain in the field according to the IP address type.

Security Name Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.

UDP Port

Set UDP port number.

IMPORTANT:

The default port number is 162, which is the SNMP-specified port for receiving traps on the NMS. Generally (for example, when iMC or MIB Browser is used as the NMS), you can use the default port number. If you change this parameter to another value, make sure the configuration is the same as that on the NMS.

Security Model Select the security model, that is, the SNMP version, which must be the same with that running on the NMS; otherwise, the NMS cannot receive any trap.

Security Level

Set the authentication and privacy mode for SNMP traps when the security model is selected as v3. The available security levels are: no authentication no privacy, authentication but no privacy, and authentication and privacy.

Displaying SNMP packet statistics

1. Select Device > SNMP from the navigation tree.


The page for displaying SNMP packet statistics appears.

Figure 93 SNMP packet statistics

SNMP configuration example

Network requirements

The NMS connects to the agent, an AC, through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on the AC is 1.1.1.1/24. Configure SNMP to achieve the following purposes.

• The NMS monitors the agent by using SNMPv3.

• The agent reports errors or faults to the NMS.

Figure 94 Network diagram

Configuring the agent

1. Enable SNMP agent:

a. Select Device > SNMP from the navigation tree.

The page in Figure 95 appears.

b. Select the Enable option.

c. Select the v3 box.

d. Click Apply.


Figure 95 Enabling SNMP

2. Configure an SNMP view:

a. Click the View tab.

b. Click Add.

The page in Figure 96 appears.

c. Enter view1 in the field.

d. Click Apply.

The page in Figure 97 appears.

e. Select the Included radio box, enter the MIB subtree OID interfaces, and click Add.

f. Click Apply.

A configuration progress dialog box appears.

g. Click Close after the configuration process is complete.

Figure 96 Creating an SNMP view (1)


Figure 97 Creating an SNMP view (2)

3. Configure an SNMP group:

a. Click the Group tab.

b. Click Add.

The page in Figure 98 appears.

c. Enter group1 in the field of Group Name, select view1 from the Read View box, and select view1 from the Write View box.

d. Click Apply.

Figure 98 Creating an SNMP group

4. Configure an SNMP user:

a. Click the User tab.

b. Click Add.


The page in Figure 99 appears.

c. Enter user1 in the field of User Name and select group1 from the Group Name box.

d. Click Apply.

Figure 99 Creating an SNMP user

5. Enable the agent to send SNMP traps:

a. Click the Trap tab.

The page in Figure 100 appears.

b. Select the Enable SNMP Trap box.

c. Click Apply.


Figure 100 Enabling the agent to send SNMP traps

6. Add target hosts of SNMP traps:

a. Click Add on the Trap tab.

The page in Figure 101 appears.

b. Select the destination IP address type as IPv4/Domain, enter the destination address 1.1.1.2, enter the user name user1, and select v3 from the Security Model list.

c. Click Apply.

Figure 101 Adding target hosts of SNMP traps

Configuring the NMS

CAUTION:

The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform the corresponding operations.


SNMPv3 adopts a security mechanism of authentication and privacy. You must configure the username and security level and, according to the configured security level, the related authentication mode, authentication password, privacy mode, privacy password, and so on.

You must also configure the aging time and retry times. After these configurations, you can configure the device as needed through the NMS. For more information about NMS configuration, see the manual provided with the NMS.

Verifying the configuration

• After the above configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.

• If an idle interface on the agent is shut down or brought up, the NMS receives a trap sent by the agent.


Loopback

You can check whether an Ethernet port works normally by performing the Ethernet port loopback test, during which the port cannot forward data packets normally.

Ethernet port loopback test can be an internal loopback test or an external loopback test.

• In an internal loopback test, self loop is established in the switching chip to check whether there is a chip failure related to the functions of the port.

• In an external loopback test, a self-loop header is used on the port. Packets forwarded by the port will be received by itself through the self-loop header. The external loopback test can be used to check whether there is a hardware failure on the port.

Loopback operation

1. Select Device > Loopback from the navigation tree.

The loopback test configuration page appears.

Figure 102 Loopback test configuration page

2. Configure the loopback test parameters as described in Table 54.

Table 54 Configuration items

Item Description

Testing type Set the loopback test type, which can be External or Internal.

Support for each test type depends on the device model.

3. Click Test to start the loopback test.


The Result box displays the test results.

Figure 103 Loopback test result

Configuration guidelines

When you perform a loopback test, follow these guidelines:

• You can perform an internal loopback test but not an external loopback test on a port that is physically down, while you can perform neither test on a port that is manually shut down.

• The system does not allow Rate, Duplex, Cable Type, and Port Status configuration on a port under a loopback test.

• An Ethernet port operates in full duplex mode when the loopback test is performed, and restores its original duplex mode after the loopback test.


MAC address configuration

NOTE:

• MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces.

• This chapter covers only the management of static and dynamic MAC address entries, not multicast MAC address entries.

Overview

A device maintains a MAC address table for frame forwarding. Each entry in this table records the MAC address of a connected device, the interface through which that device is reached, and the VLAN to which the interface belongs. A MAC address table consists of two types of entries: static and dynamic. Static entries are manually configured and never age out. Dynamic entries can be manually configured or dynamically learned, and they age out.

When a frame arrives at a port, Port A for example, the device performs the following tasks:

1. Checks the frame for the source MAC address (MAC-SOURCE for example).

2. Looks up the MAC address in the MAC address table.

If an entry is found, updates the entry.

If no entry is found, adds an entry for the MAC address and the receiving port (Port A) to the MAC address table.

When receiving a frame destined for MAC-SOURCE, the device looks up the MAC address table and forwards it from port A.

NOTE:

Dynamically learned MAC addresses cannot overwrite static MAC address entries, but the latter can overwrite the former.

When forwarding a frame, the device adopts the following forwarding modes based on the MAC address table:

• Unicast mode—If an entry matching the destination MAC address exists, the device forwards the frame directly from the sending port recorded in the entry.

• Broadcast mode—If the device receives a frame with the destination address being all Fs, or no entry matches the destination MAC address, the device broadcasts the frame to all the ports except the receiving port.
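The learning and forwarding procedure above, as a Python simulation added here (this is not H3C code): it learns source addresses per VLAN, refuses to let a learned address overwrite a static or blackhole entry, floods broadcast and unknown destinations to every port except the receiving one, drops frames for blackhole entries, and ages dynamic entries. The port names, MAC addresses and the 300-second aging value are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff-ffff-ffff"   # all-Fs destination: always flooded


@dataclass
class MacEntry:
    port: Optional[str]   # None for blackhole entries, which have no port
    kind: str             # "static", "dynamic" or "blackhole"
    age: int = 0          # seconds since the entry was last refreshed


class MacTable:
    def __init__(self, ports: List[str], aging_time: Optional[int] = 300):
        self.ports = list(ports)
        self.aging_time = aging_time      # None models the "No-aging" setting
        self.entries: Dict[Tuple[str, int], MacEntry] = {}

    def add_entry(self, mac: str, vlan: int, port: Optional[str], kind: str = "static") -> None:
        """Manually configured entry. A manual entry may overwrite a learned one,
        never the other way round."""
        if kind not in ("static", "dynamic", "blackhole"):
            raise ValueError(f"unknown entry type {kind!r}")
        self.entries[(mac, vlan)] = MacEntry(port, kind)

    def learn(self, mac: str, vlan: int, port: str) -> None:
        current = self.entries.get((mac, vlan))
        if current is not None and current.kind != "dynamic":
            return   # learned addresses cannot overwrite static/blackhole entries
        # New address, or an existing dynamic entry: point it at this port, reset its age.
        self.entries[(mac, vlan)] = MacEntry(port, "dynamic")

    def receive(self, in_port: str, vlan: int, src: str, dst: str) -> List[str]:
        """Return the ports the frame is sent out of."""
        self.learn(src, vlan, in_port)
        entry = self.entries.get((dst, vlan))
        if dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]   # broadcast mode
        if entry.kind == "blackhole":
            return []                                          # dropped
        return [entry.port]                                    # unicast mode

    def tick(self, seconds: int) -> None:
        """Advance time: dynamic entries that reach the aging time are removed."""
        if self.aging_time is None:
            return
        for key in list(self.entries):
            entry = self.entries[key]
            if entry.kind == "dynamic":
                entry.age += seconds
                if entry.age >= self.aging_time:
                    del self.entries[key]


if __name__ == "__main__":
    table = MacTable(["Port1", "Port2", "Port3"])
    print(table.receive("Port1", 1, "mac-a", BROADCAST))   # ['Port2', 'Port3']: flooded
    print(table.receive("Port2", 1, "mac-b", "mac-a"))     # ['Port1']: unicast
    table.add_entry("mac-s", 1, "Port3")                   # static entry on Port3
    table.receive("Port1", 1, "mac-s", "mac-b")            # learning must not move it
    print(table.entries[("mac-s", 1)].port)                # Port3
    table.tick(300)
    print(sorted(k[0] for k in table.entries))             # ['mac-s']: dynamic entries aged out
```

The static-beats-learned rule is what makes a static entry useful as a pinning control: a frame that arrives on another port carrying that source address is still forwarded, but it does not move the entry.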


Figure 104 MAC address table of the device

(Figure 104 table contents: MAC A—Port 1, MAC B—Port 1, MAC C—Port 2, MAC D—Port 2.)

Configuring a MAC address entry

1. Select Network > MAC from the navigation tree. The system automatically displays the MAC tab, which shows all the MAC address entries on the device, as shown in Figure 105.

Figure 105 The MAC tab

2. Click Add at the bottom to enter the page for creating MAC address entries, as shown in Figure 106.


Figure 106 Creating a MAC address entry

3. Configure the MAC address entry as described in Table 55.

4. Click Apply.

Table 55 Configuration items

Item Description

MAC Set the MAC address to be added.

Type

Set the type of the MAC address entry:

• static—Static MAC address entries that never age out.

• dynamic—Dynamic MAC address entries that will age out.

• blackhole—Blackhole MAC address entries that never age out.

IMPORTANT:

The tab displays the following types of MAC address entries:

• Config static—Static MAC address entries manually configured by the users.

• Config dynamic—Dynamic MAC address entries manually configured by the users.

• Blackhole—Blackhole MAC address entries.

• Learned—Dynamic MAC address entries learned by the device.

• Other—Other types of MAC address entries.

VLAN Set the ID of the VLAN to which the MAC address belongs.

Port Set the port to which the MAC address belongs.

Setting the aging time of MAC address entries

1. Select Network > MAC from the navigation tree.

2. Click the Setup tab to enter the page for setting the MAC address entry aging time, as shown in Figure 107.


Figure 107 Setting the aging time for MAC address entries

3. Set the aging time as described in Table 56.

4. Click Apply.

Table 56 Configuration items

Item Description

No-aging Specify that the MAC address entry never ages out.

Aging time Set the aging time for the MAC address entry.

MAC address configuration example

Network requirements

Use the MAC address table management function of the Web-based NMS. Create a static MAC address 00e0-fc35-dc71 for GigabitEthernet 1/0/1 in VLAN 1.

Configuration procedure

1. Create a static MAC address entry:

a. Select Network > MAC from the navigation tree to enter the MAC tab.

b. Click Add.

The page shown in Figure 108 appears.

c. Enter MAC address 00e0-fc35-dc71, select static from the Type list, select 1 from the VLAN list, and select GigabitEthernet1/0/1 from the Port list.

d. Click Apply.


Figure 108 Creating a static MAC address entry


VLAN configuration

Overview

Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 109.

Figure 109 A VLAN diagram

You can implement VLANs based on a variety of criteria. The web interface, however, is available only for port-based VLANs, which group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.

For more information about VLAN, see H3C WX Series Access Controllers Layer 2 Configuration Guide.

Recommended configuration procedure

Step Remarks

1. Creating a VLAN Required.

2. Modifying a VLAN

3. Modifying a port

Required. Select either task. Configure the untagged member ports and tagged member ports of the VLAN, or remove ports from the VLAN.

Creating a VLAN

1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page as shown in Figure 110.



Figure 110 VLAN configuration page

TIP:

To easily configure a specific range of VLANs within a large number of VLANs, enter a VLAN range in the VLAN Range field and click Select, and all undesired VLANs will be filtered out. If you click Remove, all VLANs within this range will be deleted.

2. Click Add to enter the page for creating a VLAN, as shown in Figure 111.

3. Enter the ID of the VLAN you want to create.

4. Click Apply.

Figure 111 Creating a VLAN

Modifying a VLAN

1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page as shown in Figure 110.

2. Click the icon of the VLAN you want to modify to enter the page as shown in Figure 112.


Figure 112 Modifying a VLAN

3. Configure the description and port members for the VLAN as described in Table 57.

4. Click Apply.

Table 57 Configuration items

Item Description

ID Display the ID of the VLAN to be modified.

Description Set the description string of the VLAN.

By default, the description string of a VLAN is its VLAN ID, such as VLAN 0001.

Port (Untagged Member / Tagged Member / Not a Member)

Find the port to be modified and select the Untagged Member, Tagged Member, or Not a Member option for the port:

• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.

• Tagged—Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.

• Not a Member—Removes the port from the VLAN.

IMPORTANT:

When you configure an access port as a tagged member of a VLAN, the link type of the port is automatically changed to hybrid.

Modifying a port

1. Select Network > VLAN from the navigation tree.

2. Click the Port tab to enter the page as shown in Figure 113.


Figure 113 Port configuration page

3. Click the icon for the port to be modified to enter the page as shown in Figure 114.

Figure 114 Modifying a port

4. Configure the port as described in Table 58.

5. Click Apply.

Table 58 Configuration items

Item Description

Port Display the port to be modified.

Untagged Member Display the VLAN(s) to which the port belongs as an untagged member.

Tagged Member Display the VLAN(s) to which the port belongs as a tagged member.


Member Type (Untagged / Tagged / Not a Member)

Select the Untagged, Tagged, or Not a Member option:

• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.

• Tagged—Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.

• Not a Member—Removes the port from the VLAN.

IMPORTANT:

• You cannot configure an access port as an untagged member of a nonexistent VLAN.

• When you configure an access port as a tagged member of a VLAN, or configure a trunk port as an untagged member of multiple VLANs in bulk, the link type of the port is automatically changed to hybrid.

• You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing, static VLAN.

VLAN ID Specify the VLAN to which the port belongs.

VLAN configuration examples

Network requirements

As shown in Figure 115:

• GigabitEthernet 1/0/1 of AC is connected to GigabitEthernet 1/0/1 of Switch.

• GigabitEthernet 1/0/1 on both devices are hybrid ports with VLAN 100 as their default VLAN.

• Configure GigabitEthernet 1/0/1 to permit packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.

Figure 115 Network diagram

Configuring AC

1. Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100:

a. Select Network > VLAN from the navigation tree to enter the VLAN tab.

b. Click Add.

c. Enter VLAN IDs 2,6-50,100, as shown in Figure 116.

d. Click Apply.


Figure 116 Creating a VLAN

2. Configure GigabitEthernet 1/0/1 as an untagged member of VLAN 100:

a. Enter 100 in the VLAN Range field, as shown in Figure 117.

b. Click Select to display only the information of VLAN 100.

Figure 117 Selecting a VLAN

c. Click the icon of VLAN 100.

d. Select the Untagged Member option for port GigabitEthernet 1/0/1, as shown in Figure 118.

e. Click Apply.


Figure 118 Modifying a VLAN

3. Configure GigabitEthernet 1/0/1 as a tagged member of VLAN 2, and VLAN 6 through VLAN 50:

a. Select Network > VLAN from the navigation tree and then select the Port tab.

b. Click the icon of port GigabitEthernet 1/0/1.

c. Select the Tagged option, and enter VLAN IDs 2, 6-50, as shown in Figure 119.

Figure 119 Modifying a port

d. Click Apply. A dialog box appears asking you to confirm the operation.

e. Click OK in the dialog box.


Configuring Switch

The configuration on Switch is similar to that on AC.

Configuration guidelines

When you configure VLANs, follow these guidelines:

• VLAN 1 is the default VLAN, which cannot be manually created or removed.

• Some VLANs are reserved for special purposes. You cannot manually create or remove them.

• Dynamic VLANs cannot be manually removed.
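The membership rules of Table 58 and the guidelines above, as an added Python model that is not H3C's code; it also parses the VLAN ID list format accepted by the web interface in Figure 116 ("2,6-50,100"). The port names and the handling of an access port given several untagged VLANs at once are assumptions.

```python
# Added example (not H3C code): a model of the port membership rules of
# Table 58 and the VLAN configuration guidelines, plus a parser for the VLAN
# ID list format the web interface accepts, e.g. "2,6-50,100" from Figure 116.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def parse_vlan_ids(spec: str) -> List[int]:
    """Expand "2,6-50,100" into a sorted list of unique VLAN IDs in 1-4094."""
    ids: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad VLAN range {part!r}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    for vid in ids:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} is outside 1-4094")
    return sorted(ids)


@dataclass
class Port:
    name: str
    link_type: str = "access"                      # access, trunk or hybrid
    untagged: Set[int] = field(default_factory=lambda: {1})   # VLAN 1 by default
    tagged: Set[int] = field(default_factory=set)


class VlanTable:
    """Static VLANs on the device; VLAN 1 exists from the start."""

    def __init__(self) -> None:
        self.vlans: Dict[int, str] = {1: "VLAN 0001"}

    def create(self, spec: str) -> List[int]:
        """Create the VLANs listed in spec; returns the IDs that were new."""
        created = []
        for vid in parse_vlan_ids(spec):
            if vid == 1:
                raise ValueError("VLAN 1 is the default VLAN and cannot be created")
            if vid not in self.vlans:
                self.vlans[vid] = f"VLAN {vid:04d}"     # default description string
                created.append(vid)
        return created

    def remove(self, vid: int) -> None:
        if vid == 1:
            raise ValueError("VLAN 1 is the default VLAN and cannot be removed")
        del self.vlans[vid]

    def set_member(self, port: Port, spec: str, member_type: str) -> None:
        """Apply the Untagged / Tagged / Not a Member choice of Table 58 to port."""
        vids = parse_vlan_ids(spec)
        if member_type == "not_member":
            for vid in vids:
                port.untagged.discard(vid)
                port.tagged.discard(vid)
            return
        if member_type not in ("untagged", "tagged"):
            raise ValueError(f"unknown member type {member_type!r}")
        missing = [v for v in vids if v not in self.vlans]
        if missing and port.link_type == "access" and member_type == "untagged":
            raise ValueError(f"an access port cannot be an untagged member of nonexistent VLANs {missing}")
        if missing and port.link_type == "hybrid":
            raise ValueError(f"a hybrid port can only join existing static VLANs, missing {missing}")
        # Automatic link type changes from the IMPORTANT note of Table 58.
        if port.link_type == "access" and member_type == "tagged":
            port.link_type = "hybrid"
        elif port.link_type == "trunk" and member_type == "untagged" and len(vids) > 1:
            port.link_type = "hybrid"
        if port.link_type == "access":
            # Assumption: an access port has exactly one untagged VLAN, so the new
            # VLAN replaces the old one (the last ID wins if several are given).
            port.untagged = {vids[-1]}
            return
        target, other = ((port.tagged, port.untagged) if member_type == "tagged"
                         else (port.untagged, port.tagged))
        for vid in vids:
            other.discard(vid)        # a VLAN is either tagged or untagged on a port
            target.add(vid)


def egress(port: Port, vid: int) -> Optional[str]:
    """How the port sends traffic of VLAN vid: 'untagged', 'tagged', or None if not a member."""
    if vid in port.untagged:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return None
```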


ARP configuration

Overview

Introduction to ARP

The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or physical address).

In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address.

For more information about ARP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.

Introduction to gratuitous ARP

Gratuitous ARP packets

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device, the sender MAC address is the MAC address of the sending device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.

A device sends a gratuitous ARP packet for either of the following purposes:

• Determine whether its IP address is already used by another device. If the IP address is already used, the device will be informed of the conflict by an ARP reply.

• Inform other devices of the change of its MAC address.

Learning of gratuitous ARP packets

With this feature enabled, a device, upon receiving a gratuitous ARP packet, adds an ARP entry that contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry exists, the device updates the ARP entry.

With this feature disabled, the device uses the received gratuitous ARP packets to update existing ARP entries, but not to create new ARP entries.

Displaying ARP entries

Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 120. All ARP entries are displayed on the page.


Figure 120 ARP Table configuration page

Creating a static ARP entry

1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 120.

2. Click Add to enter the New Static ARP Entry page, as shown in Figure 121.

Figure 121 Adding a static ARP entry

3. Configure the static ARP entry as described in Table 59.

4. Click Apply.

Table 59 Configuration items

Item Description

IP Address Enter an IP address for the static ARP entry.

MAC Address Enter a MAC address for the static ARP entry.


Advanced Options (VLAN ID / Port) Enter a VLAN ID and specify a port for the static ARP entry.

IMPORTANT:
The VLAN ID must be the ID of a VLAN that has already been created, and the port must belong to that VLAN. The corresponding VLAN interface must also have been created.

Removing ARP entries

1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 120.

2. Remove ARP entries:

To remove specific ARP entries, select target ARP entries, and click Del Selected.

To remove all static and dynamic ARP entries, click Delete Static and Dynamic.

To remove all static ARP entries, click Delete Static.

To remove all dynamic ARP entries, click Delete Dynamic.

Configuring gratuitous ARP

1. Select Network > ARP Management from the navigation tree.

2. Click the Gratuitous ARP tab to enter the page shown in Figure 122.

Figure 122 Gratuitous ARP configuration page

3. Configure gratuitous ARP as described in Table 60.

Table 60 Configuration items

Item Description

Disable gratuitous ARP packets learning function

Disable learning of ARP entries according to gratuitous ARP packets.

Enabled by default.

Send gratuitous ARP packets when receiving ARP requests from another network segment

Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment.

Disabled by default.


Static ARP configuration example

Network requirements

To enhance communication security between the AC and the router, configure a static ARP entry on the AC.

Figure 123 Network diagram

Configuration procedure

1. Create VLAN 100:

a. Select Network > VLAN from the navigation tree to enter the default VLAN page.

b. Click Add.

c. Enter 100 for VLAN ID, as shown in Figure 124.

d. Click Apply.

Figure 124 Creating VLAN 100

2. Add GigabitEthernet 1/0/1 to VLAN 100:

a. On the VLAN page, click the icon of VLAN 100.

b. Select the Untagged Member option for GigabitEthernet1/0/1.

c. Click Apply.


Figure 125 Adding GigabitEthernet 1/0/1 to VLAN 100

3. Configure VLAN-interface 100:

a. Select Device > Interface from the navigation tree.

b. Click Add.

c. On the page that appears, select Vlan-interface from the Interface Name list and enter 100 as the interface number, select the Static Address option for IP Config, enter 192.168.1.2 for IP Address, and select 24 (255.255.255.0) for Mask.

d. Click Apply.


Figure 126 Configuring VLAN-interface 100

4. Create a static ARP entry:

a. Select Network > ARP Management from the navigation tree to enter the default ARP Table page.

b. Click Add.

c. On the page that appears, enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, select the Advanced Options option, enter 100 for VLAN ID, and select GigabitEthernet1/0/1 from the Port list.

d. Click Apply.


Figure 127 Creating a static ARP entry


ARP attack protection configuration

Although ARP is easy to implement, it provides no security mechanism and is therefore prone to network attacks. ARP attacks and viruses currently threaten LAN security. The device provides multiple features to detect and prevent such attacks. This chapter introduces these features.

ARP detection

The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks.

ARP detection provides the following functions:

• User validity check—The device compares the sender IP and MAC addresses of a received ARP packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.

• ARP packet validity check—The device does not check ARP packets received from an ARP trusted port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet based on source MAC address, destination MAC address, or source and destination IP addresses. ARP packets that fail the check are discarded.

For more information about ARP detection, see H3C WX Series Access Controllers Security Configuration Guide.

Source MAC address based ARP attack detection

This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If the number of ARP packets from a MAC address within five seconds exceeds the specified threshold, the device considers this an attack and adds the MAC address to the attack detection table. Before the attack detection entry ages out, the device, upon receiving an ARP packet sourced from that MAC address, generates a log message and filters out subsequent ARP packets from that MAC address (filter mode), or only generates a log message (monitor mode).

A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from being discarded, you can specify the MAC address of the gateway or server as a protected MAC address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.

ARP active acknowledgement

The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets.

ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid generating any incorrect ARP entry.


ARP packet source MAC address consistency check

This feature enables a gateway device to filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message, so that the gateway device can learn correct ARP entries.

Configuring ARP detection

NOTE:

If both the ARP detection based on specified objects and the ARP detection based on static IP Source Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses are enabled, the former one applies first, and then the latter applies.

1. Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page shown in Figure 128.

Figure 128 ARP Detection configuration page

2. Configure ARP detection as described in Table 61.

3. Click Apply.

Table 61 Configuration items

Item Description

VLAN Settings

Select VLANs on which ARP detection is to be enabled.

To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the << button.

To remove VLANs from the Enabled VLANs list box, select one or multiple VLANs from the list box and click the >> button.


Trusted Ports

Select trusted ports and untrusted ports.

To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted Ports list box and click the << button.

To remove ports from the Trusted Ports list box, select one or multiple ports from the list box and click the >> button.

ARP Packet Validity Check

Select ARP packet validity check modes, including:
• Discard the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header.
• Discard the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with the destination MAC address in the Ethernet header.
• Discard the ARP request whose source IP address is all 0s, all 1s, or a multicast address, and discard the ARP reply whose source and destination IP addresses are all 0s, all 1s, or multicast addresses.

ARP packet validity check takes precedence over user validity check. If none of the above is selected, the system does not check the validity of ARP packets.
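An added Python example (not H3C code) that decodes ARP frames, recognises gratuitous ARP as defined under "Introduction to gratuitous ARP", applies the gratuitous ARP learning switch of Table 60, and implements the ARP packet validity checks above together with the user validity check from "ARP detection". The sample frames, OTHER_MAC, and the restriction of the target MAC check to replies are assumptions.

```python
# Added example (not H3C code): decode Ethernet/ARP frames, recognise gratuitous
# ARP, apply the Table 60 learning switch, and run the Table 61 packet validity
# checks plus the user validity check described under "ARP detection".
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST_MAC, ZERO_MAC = b"\xff" * 6, b"\x00" * 6


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: IPv4Address
    target_mac: bytes
    target_ip: IPv4Address


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode a 14-byte Ethernet header followed by a 28-byte IPv4 ARP message."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return ArpFrame(eth_dst, eth_src, op, sha, IPv4Address(spa), tha, IPv4Address(tpa))


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Inverse of parse_arp, used only to construct the sample frames below."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                      IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return struct.pack("!6s6sH", eth_dst, eth_src, ETH_P_ARP) + arp


def is_gratuitous(a: ArpFrame) -> bool:
    """Sender IP equals target IP and the target MAC is the broadcast address."""
    return a.sender_ip == a.target_ip and a.target_mac == BROADCAST_MAC


def _invalid_ip(ip: IPv4Address) -> bool:
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast


def validity_check(a: ArpFrame, src_mac=True, dst_mac=True, ip=True) -> List[str]:
    """Reasons a packet from an ARP untrusted port is discarded under the selected
    Table 61 checks; an empty list means the packet passes."""
    reasons = []
    if src_mac and a.sender_mac != a.eth_src:
        reasons.append("sender MAC differs from Ethernet source MAC")
    # Assumption: the target MAC check is applied to replies only, since requests
    # (gratuitous ARP included) legitimately carry an all-0s or all-1s target MAC.
    if dst_mac and a.opcode == ARP_REPLY and (
            a.target_mac in (ZERO_MAC, BROADCAST_MAC) or a.target_mac != a.eth_dst):
        reasons.append("target MAC is all 0s, all 1s, or differs from Ethernet destination MAC")
    if ip and a.opcode == ARP_REQUEST and _invalid_ip(a.sender_ip):
        reasons.append("request source IP is all 0s, all 1s, or multicast")
    if ip and a.opcode == ARP_REPLY and (_invalid_ip(a.sender_ip) or _invalid_ip(a.target_ip)):
        reasons.append("reply source or destination IP is all 0s, all 1s, or multicast")
    return reasons


def user_validity_check(a: ArpFrame, bindings: Set[Tuple[IPv4Address, bytes]]) -> bool:
    # User validity check: the sender IP/MAC pair must match a binding entry
    # (IP source guard, DHCP snooping or 802.1X), otherwise the packet is discarded.
    return (a.sender_ip, a.sender_mac) in bindings


class ArpTable:
    def __init__(self, learn_from_gratuitous: bool = True) -> None:
        self.learn_from_gratuitous = learn_from_gratuitous   # Table 60 switch
        self.entries: Dict[IPv4Address, bytes] = {}

    def handle_gratuitous(self, a: ArpFrame) -> str:
        if not is_gratuitous(a):
            return "ignored"
        if a.sender_ip in self.entries:
            self.entries[a.sender_ip] = a.sender_mac   # existing entries are always refreshed
            return "updated"
        if self.learn_from_gratuitous:
            self.entries[a.sender_ip] = a.sender_mac
            return "created"
        return "not learned"


# Constructed sample frames: the router MAC/IP reuse the static ARP example
# values (00e0-fc01-0000, 192.168.1.1); OTHER_MAC is made up.
ROUTER_MAC, OTHER_MAC = bytes.fromhex("00e0fc010000"), bytes.fromhex("0a1b2c3d4e5f")
GRATUITOUS = build_arp(BROADCAST_MAC, ROUTER_MAC, ARP_REQUEST, ROUTER_MAC, "192.168.1.1",
                       BROADCAST_MAC, "192.168.1.1")
# A reply whose ARP sender MAC does not match the Ethernet source MAC.
MISMATCH = build_arp(OTHER_MAC, OTHER_MAC, ARP_REPLY, ROUTER_MAC, "192.168.1.1",
                     OTHER_MAC, "192.168.1.2")
```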

Configuring other ARP attack protection functions

Other ARP attack protection functions include source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source address consistency check.

1. Select Network > ARP Anti-Attack from the navigation tree.

2. Click the Advanced Configuration tab to enter the page shown in Figure 129.

Figure 129 Advanced Configuration page

3. Configure ARP attack protection parameters as described in Table 62.

4. Click Apply.


Table 62 Configuration items

Item Description

Source MAC Address Attack Detection

Detection Mode

Select the detection mode for source MAC address based ARP attack detection. The detection mode can be:
• Disable—The source MAC address attack detection is disabled.
• Filter Mode—The device generates an alarm and filters out ARP packets sourced from a MAC address if the number of ARP packets received from the MAC address within five seconds exceeds the specified value.
• Monitor Mode—The device only generates an alarm if the number of ARP packets sent from a MAC address within five seconds exceeds the specified value.

Aging Time Enter the aging time of the source MAC address based ARP attack detection entries.

Threshold Enter the threshold of source MAC address based ARP attack detection.

Protected MAC Configuration

Add a protected MAC address in the following way:
1. Expand Protected MAC Configuration. The contents are displayed as shown in Figure 130.
2. Enter a MAC address.
3. Click Add.

A protected MAC address is excluded from ARP attack detection even if it is an attacker. You can specify certain MAC addresses, such as that of a gateway or an important server, as a protected MAC address.

Enable ARP Packet Active Acknowledgement

Enable or disable ARP packet active acknowledgement.

Enable Source MAC Address Consistency Check

Enable or disable source MAC address consistency check.

Figure 130 Protected MAC configuration
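The source MAC address based detection configured in Table 62, as an added Python simulation that is not H3C's code; the threshold default, the log message wording and the MAC address values are constructed.

```python
# Added example (not H3C code): a simulation of source MAC address based ARP
# attack detection with the Table 62 settings (detection mode, aging time,
# threshold, protected MAC addresses).
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List

WINDOW_SECONDS = 5.0   # the guide counts ARP packets per source MAC within five seconds


def normalize_mac(mac: str) -> str:
    """Accept H3C style (00e0-fc01-0000) or colon style; return 12 lowercase hex digits."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return digits


class SourceMacArpDetector:
    def __init__(self, mode: str = "filter", threshold: int = 30, aging_time: float = 300.0,
                 protected: Iterable[str] = ()) -> None:
        if mode not in ("disable", "filter", "monitor"):
            raise ValueError(f"unknown detection mode {mode!r}")
        self.mode = mode
        self.threshold = threshold          # constructed default; the guide gives no value
        self.aging_time = aging_time        # seconds an attack detection entry lives
        self.protected = {normalize_mac(m) for m in protected}
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)   # MAC -> packet times
        self.attack_table: Dict[str, float] = {}   # MAC -> time the entry ages out
        self.log: List[str] = []

    def _age_out(self, now: float) -> None:
        for mac in [m for m, expires in self.attack_table.items() if expires <= now]:
            del self.attack_table[mac]

    def handle(self, now: float, src_mac: str) -> str:
        """Process one ARP packet delivered to the CPU at time `now` (seconds).
        Returns 'forward', 'drop' (filter mode) or 'log' (monitor mode)."""
        mac = normalize_mac(src_mac)
        if self.mode == "disable" or mac in self.protected:
            return "forward"                # protected MACs are never checked
        self._age_out(now)
        window = self._recent[mac]
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()                # keep only the last five seconds
        if mac not in self.attack_table and len(window) > self.threshold:
            self.attack_table[mac] = now + self.aging_time
            self.log.append(f"{now:.1f}s ARP attack detected, source MAC {mac}")
        if mac in self.attack_table:
            # The guide: a log message per packet until the entry ages out, and
            # in filter mode the packet is also dropped.
            self.log.append(f"{now:.1f}s ARP packet from attacking MAC {mac}")
            return "drop" if self.mode == "filter" else "log"
        return "forward"
```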


IGMP snooping configuration

Overview

Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.

By analyzing received IGMP messages, a Layer 2 device that is running IGMP snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.

As shown in Figure 131, when IGMP snooping is not running on the switch, multicast packets are flooded to all devices at Layer 2. However, when IGMP snooping is running on the switch, multicast packets for known multicast groups are multicast to the receivers, rather than broadcast to all hosts, at Layer 2.

Figure 131 Multicast forwarding before and after IGMP snooping runs

IGMP snooping sends Layer 2 multicast packets to the intended receivers only. This mechanism provides the following advantages:

• Reducing Layer 2 broadcast packets and saving network bandwidth

• Enhancing the security of multicast packets

• Facilitating the implementation of accounting for each host

For more information about IGMP snooping, see H3C WX Series Access Controllers IP Multicast Configuration Guide.


Recommended configuration procedure

Step Remarks

1. Enabling IGMP snooping globally

Required.

By default, IGMP snooping is disabled.

2. Configuring IGMP snooping on a VLAN

Required.

Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature.

By default, IGMP snooping is disabled in a VLAN.

IMPORTANT:
• IGMP snooping must be enabled globally before it can be enabled in a VLAN.
• When you enable IGMP snooping in a VLAN, this function takes effect for ports in this VLAN only.

3. Configuring IGMP snooping on a port

Optional.

Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN.

IMPORTANT:
• Multicast routing or IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port.
• IGMP snooping configured on a port takes effect only after IGMP snooping is enabled in the VLAN or IGMP is enabled on the VLAN interface.

4. Displaying IGMP snooping multicast entry information

Optional.

Enabling IGMP snooping globally

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 132.

2. Select Enable, and click Apply.


Figure 132 Basic IGMP snooping configurations

Configuring IGMP snooping on a VLAN

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 132.

2. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP snooping in the VLAN, as shown in Figure 133.

Figure 133 Configuring IGMP snooping in the VLAN

3. Configure IGMP snooping as described in Table 63.


4. Click Apply.

Table 63 Configuration items

Item Description

VLAN ID This field displays the ID of the VLAN to be configured.

IGMP snooping Enable or disable IGMP snooping in the VLAN.

You can proceed with the subsequent configurations only if Enable is selected here.

Version

By configuring an IGMP snooping version, you actually configure the versions of IGMP messages that IGMP snooping can process.
• IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages, but not IGMPv3 messages, which will be flooded in the VLAN.
• IGMP snooping version 3 can process IGMPv1, IGMPv2, and IGMPv3 messages.

Drop Unknown

Enable or disable the function of dropping unknown multicast packets.

Unknown multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table.
• With the function of dropping unknown multicast data enabled, the device drops all the unknown multicast data received.
• With the function of dropping unknown multicast data disabled, the device floods unknown multicast data in the VLAN to which the unknown multicast data belongs.

Querier

Enable or disable the IGMP snooping querier function.

On a network without Layer 3 multicast devices, no IGMP querier-related function can be implemented because a Layer 2 device does not support IGMP. To address this issue, you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at data link layer, thereby implementing IGMP querier-related functions.

Query interval Configure the IGMP query interval.

General Query Source IP Source IP address of IGMP general queries.

Special Query Source IP Source IP address of IGMP group-specific queries.

Configuring IGMP snooping on a port

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.

2. Click the Advanced tab to enter the page shown in Figure 134.


Figure 134 Advanced configuration

3. Configure IGMP snooping on a port as described in Table 64.

4. Click Apply.

Table 64 Configuration items

Item Description

Port Select the port on which advanced IGMP snooping features are to be configured.

After a port is selected, advanced features configured on this port are displayed at the lower part of this page.

VLAN ID Specify a VLAN in which you can configure the fast leave function for the port or the maximum number of multicast groups allowed on the port.

Group Limit

Configure the maximum number of multicast groups that the port can join.

With this feature, you can regulate multicast traffic on the port.

IMPORTANT:
• When the number of multicast groups a port has joined reaches the configured threshold, the system deletes all the forwarding entries persistent on that port from the IGMP snooping forwarding table, and the hosts on this port must join the multicast groups again.
• Support for the maximum number of multicast groups that a port can join may vary depending on your device model. For more information, see "Feature matrixes."


Fast Leave

Enable or disable the fast leave function for the port.

With the fast leave function enabled on a port, the device, when receiving an IGMP leave message on the port, immediately deletes that port from the outgoing port list of the corresponding forwarding table entry. Then, when receiving IGMP group-specific queries for that multicast group, the device will not forward them to that port. In VLANs where only one host is attached to each port, the fast leave function helps improve bandwidth and resource usage.

IMPORTANT:

If fast leave is enabled for a port to which more than one host is attached, when one host leaves a multicast group, the other hosts listening to the same multicast group will fail to receive multicast data.
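An added Python model (not H3C code) of the Drop Unknown, Group Limit and Fast Leave behaviour described in Tables 63 and 64, built around the VLAN 100 ports GigabitEthernet 1/0/1 and 1/0/2 used in this chapter's configuration example. The group limit value, the multicast source address and the reading of "reaches the threshold" as a further join on a port already holding the limit are assumptions.

```python
# Added example (not H3C code): a simplified IGMP snooping forwarding table for
# one VLAN modelling Drop Unknown (Table 63) and the Group Limit and Fast Leave
# behaviour of Table 64.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ANY_SOURCE = "0.0.0.0"   # Table 65: 0.0.0.0 indicates all multicast sources


@dataclass
class VlanSnooping:
    vlan_id: int
    ports: Set[str]                                   # all member ports of the VLAN
    drop_unknown: bool = False
    router_ports: Set[str] = field(default_factory=set)
    fast_leave_ports: Set[str] = field(default_factory=set)
    group_limit: Dict[str, int] = field(default_factory=dict)   # port -> max groups
    # forwarding table: (source, group) -> member ports
    entries: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def groups_on_port(self, port: str) -> List[Tuple[str, str]]:
        return [key for key, members in self.entries.items() if port in members]

    def _remove(self, key: Tuple[str, str], port: str) -> None:
        members = self.entries.get(key)
        if members is None:
            return
        members.discard(port)
        if not members:
            del self.entries[key]          # no receivers left for this group

    def report(self, port: str, group: str) -> str:
        """An IGMP membership report for `group` arrived on `port`."""
        if port not in self.ports:
            raise ValueError(f"{port} is not in VLAN {self.vlan_id}")
        key = (ANY_SOURCE, group)
        if port in self.entries.get(key, set()):
            return "refreshed"
        limit = self.group_limit.get(port)
        if limit is not None and len(self.groups_on_port(port)) >= limit:
            # Table 64: once the limit is reached all forwarding entries on the
            # port are deleted and its hosts must join again (interpretation:
            # a further join on a port already holding `limit` groups).
            for old in self.groups_on_port(port):
                self._remove(old, port)
            return "group limit reached, entries on port deleted"
        self.entries.setdefault(key, set()).add(port)
        return "joined"

    def leave(self, port: str, group: str) -> str:
        """An IGMP leave message for `group` arrived on `port`."""
        key = (ANY_SOURCE, group)
        if port not in self.entries.get(key, set()):
            return "not a member"
        if port in self.fast_leave_ports:
            self._remove(key, port)          # removed at once, no group-specific query
            return "removed immediately"
        # Without fast leave the device queries the port first and removes it only
        # if no host answers; the timer-driven part is not modelled here.
        return "group-specific query sent"

    def forward(self, in_port: str, source: str, group: str) -> Tuple[str, Set[str]]:
        """Decide where multicast data from `source` to `group` received on `in_port` goes."""
        members = self.entries.get((source, group)) or self.entries.get((ANY_SOURCE, group))
        if members is None:
            if self.drop_unknown:
                return "dropped", set()
            return "flooded", self.ports - {in_port}
        return "forwarded", (members | self.router_ports) - {in_port}


def build_example_vlan() -> VlanSnooping:
    """VLAN 100 of the configuration example: GigabitEthernet 1/0/1 faces Router A
    (router port) and GigabitEthernet 1/0/2 faces Host A with fast leave enabled."""
    return VlanSnooping(
        vlan_id=100,
        ports={"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"},
        drop_unknown=True,
        router_ports={"GigabitEthernet1/0/1"},
        fast_leave_ports={"GigabitEthernet1/0/2"},
        group_limit={"GigabitEthernet1/0/2": 2},   # constructed limit for the demo
    )
```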

Displaying IGMP snooping multicast entry information

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 132.

2. Click the plus sign (+) in front of Show Entries to display IGMP snooping multicast entries, as shown in Figure 135.

Figure 135 Displaying entry information

3. Click the icon corresponding to an entry to display the detailed information of the entry, as shown in Figure 136.

Figure 136 Detailed information of an entry


Table 65 Field description

Field Description

VLAN ID ID of the VLAN to which the entry belongs.

Source Multicast source address, where 0.0.0.0 indicates all multicast sources.

Group Multicast group address.

Router port All router ports.

Member port All member ports.

IGMP snooping configuration examples

Network requirements

• As shown in Figure 137, Router A connects to a multicast source (Source) through Ethernet 1/2, and to AC through Ethernet 1/1.

• The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast group.

• IGMPv2 runs on Router A and IGMP snooping version 2 runs on AC.

• The function of dropping unknown multicast packets is enabled on AC to prevent AC from flooding multicast packets in the VLAN if no corresponding Layer 2 forwarding entry exists.

• The fast leave function is enabled for GigabitEthernet 1/0/2 on AC to improve bandwidth and resource usage.

Figure 137 Network diagram

Configuring IP addresses

Configure the IP address for each interface, as shown in Figure 137. (Details not shown.)

Configuring Router A

Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1. (Details not shown.)

Configuring the AC

1. Create VLAN 100:

a. Select Network > VLAN from the navigation tree to enter the VLAN displaying page.

b. Click Add.

c. Enter the VLAN ID 100, as shown in Figure 138.

d. Click Apply.


Figure 138 Creating VLAN 100

2. Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as untagged members of VLAN 100:

a. Click the icon of VLAN 100 to enter its configuration page.

b. Select the Untagged Member option for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, as shown in Figure 139.

c. Click Apply.

Figure 139 Adding a port to the VLAN

3. Enable IGMP snooping globally:

a. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.

b. Select the Enable option for IGMP Snooping.

c. Click Apply.


Figure 140 Enabling IGMP snooping globally

4. Enable IGMP snooping and the function of dropping unknown multicast data on VLAN 1:

a. Click the icon corresponding to VLAN 100.

b. On the page that appears, select the Enable option for IGMP Snooping, select the 2 option for Version, and select the Enable option for Drop Unknown.

c. Click Apply.

Figure 141 Configuring the VLAN

5. Enable the fast leave function for GigabitEthernet 1/0/2:

a. Click the Advanced tab.


b. Select GigabitEthernet 1/0/2 from the Port list, enter the VLAN ID 100, and select the Enable option for Fast Leave.

c. Click Apply.

Figure 142 Advanced configuration

Verifying the configuration

Display the IGMP snooping multicast entry information on AC.

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.

2. Click the plus sign (+) in front of Show Entries to view IGMP snooping multicast entries, as shown in Figure 143.

Figure 143 IGMP snooping multicast entry information displaying page

3. Click the icon corresponding to the multicast entry to view information about this entry, as shown in Figure 144. The page shows that GigabitEthernet 1/0/2 of AC is added to multicast group 224.1.1.1.


Figure 144 Information about an IGMP snooping multicast entry


IPv4 and IPv6 routing configuration

NOTE:

The term router in this document refers to routers, access controllers, unified switches, and access controller modules.

Overview

Upon receiving a packet, a router determines the optimal route based on the destination address and forwards the packet to the next router in the path. When the packet reaches the last router, that router forwards the packet to the destination host. Routing provides the path information that guides the forwarding of packets.

A router selects optimal routes from the routing table, and sends them to the forwarding information base (FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.

Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work properly. Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually.

For more information about routing table and static routing, see H3C WX Series Access Controllers Layer 3 Configuration Guide.

Displaying the IPv4 active route table

Select Network > IPv4 Routing from the navigation tree to enter the page shown in Figure 145.

Figure 145 IPv4 active route table


Table 66 Field description

Field Description

Destination IP Address / Mask Destination IP address and subnet mask of the IPv4 route.

Protocol Protocol that discovered the IPv4 route.

Preference Preference value for the IPv4 route.

The smaller the number, the higher the preference.

Next Hop Next hop IP address of the IPv4 route.

Interface Outgoing interface of the IPv4 route. Packets destined for the specified network segment will be sent out the interface.

Creating an IPv4 static route

1. Select Network > IPv4 Routing from the navigation tree.

2. Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 146.

Figure 146 Creating an IPv4 static route

3. Specify relevant information as described in Table 67.

4. Click Apply.

Table 67 Configuration items

Item Description

Destination IP Address Enter the destination host or network IP address, in dotted decimal notation.


Mask Enter the mask of the destination IP address.

You can enter a mask length or a mask in dotted decimal notation.

Preference

Set a preference value for the static route. The smaller the number, the higher the preference.

For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.

Next Hop Enter the next hop IP address, in dotted decimal notation.

Interface

Select the outgoing interface.

You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you select NULL 0, the destination IP address is unreachable.

Displaying the IPv6 active route table

Select Network > IPv6 Routing from the navigation tree to enter the page shown in Figure 147.

Figure 147 IPv6 active route table

Table 68 Field description

Field Description

Destination IP Address / Prefix Length Destination IP address and prefix length of the IPv6 route.

Protocol Protocol that discovered the IPv6 route.

Preference Preference value for the IPv6 route.

The smaller the number, the higher the preference.

Next Hop Next hop IP address of the IPv6 route.

Interface Outgoing interface of the IPv6 route. Packets destined for the specified network segment will be sent out the interface.


Creating an IPv6 static route

1. Select Network > IPv6 Routing from the navigation tree.

2. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 148.

Figure 148 Creating an IPv6 static route

3. Specify relevant information as described in Table 69.

4. Click Apply.

Table 69 Configuration items

Item Description

Destination IP Address

Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:). Each part is represented by a 4-digit hexadecimal integer.

Prefix Length Enter the prefix length of the destination IPv6 address.

Preference

Set a preference value for the static route. The smaller the number, the higher the preference.

For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different priorities for them enables route backup.

Next Hop Enter the next hop address, in the same format as the destination IP address.


Interface

Select the outgoing interface.

You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you select NULL 0, the destination IPv6 address is unreachable.
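The preference, load-sharing, backup and NULL 0 rules from the two static-route tables, as an added example in plain Python. It is not Comware code. The two Switch B routes come from the IPv6 example; the second path to 1::/64, the preference-70 backup to 3::/64, the 2::/64 blackhole and the interface names on the IPv4 entry are hypothetical, as is the default preference value 60 (Comware's static route default).

```python
"""Static route selection as the routing pages describe it: longest prefix match,
then the smallest preference value; equal preference means load sharing, a larger
preference value means a backup route, and NULL 0 discards traffic.
Added illustration in plain Python; it is not Comware code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dest: str               # destination prefix, e.g. "3::/64" or "1.1.3.0/24"
    next_hop: str           # next hop address ("" when the output interface alone identifies it)
    interface: str          # output interface; "NULL0" makes the route a blackhole
    preference: int = 60    # assumption: Comware's default preference for static routes is 60

    @property
    def network(self):
        return ipaddress.ip_network(self.dest)


class RouteTable:
    def __init__(self):
        self.routes = []
        self.down = set()   # output interfaces that are currently down

    def add(self, dest, next_hop, interface, preference=60):
        self.routes.append(StaticRoute(dest, next_hop, interface, preference))

    def set_interface(self, name, up):
        if up:
            self.down.discard(name)
        else:
            self.down.add(name)

    def active(self):
        # A static route whose output interface is down leaves the active route table;
        # that is what lets an entry with a larger preference value act as a backup.
        return [r for r in self.routes if r.interface not in self.down]

    def lookup(self, address):
        """Routes used to forward to `address`; more than one entry means load sharing."""
        addr = ipaddress.ip_address(address)
        matching = [r for r in self.active() if addr in r.network]   # False across IP versions
        if not matching:
            return []
        longest = max(r.network.prefixlen for r in matching)
        matching = [r for r in matching if r.network.prefixlen == longest]
        best = min(r.preference for r in matching)   # the smaller the number, the higher the preference
        return [r for r in matching if r.preference == best]

    def forward(self, address):
        """Next hop(s) for `address`, "discard" for a NULL 0 route, "unreachable" if nothing matches."""
        routes = self.lookup(address)
        if not routes:
            return "unreachable"
        if all(r.interface == "NULL0" for r in routes):
            return "discard"
        return sorted(r.next_hop for r in routes)


def switch_b_table():
    """Switch B's two routes from the IPv6 example, plus hypothetical entries
    that exercise load sharing, backup and blackhole behaviour."""
    t = RouteTable()
    t.add("1::/64", "4::1", "Vlan-interface200")          # from the example: towards Switch A
    t.add("3::/64", "5::1", "Vlan-interface300")          # from the example: towards the AC
    t.add("1::/64", "4::3", "Vlan-interface200")          # hypothetical second path, same preference
    t.add("3::/64", "4::1", "Vlan-interface200", 70)      # hypothetical backup, preference 70
    t.add("2::/64", "", "NULL0")                          # hypothetical blackhole route
    t.add("1.1.3.0/24", "1.1.5.6", "Vlan-interface300")   # IPv4 example route (interface name assumed)
    return t


if __name__ == "__main__":
    t = switch_b_table()
    print(t.forward("3::2"))        # ['5::1']
    print(t.forward("1::2"))        # ['4::1', '4::3']  load sharing
    print(t.forward("2::1"))        # discard
    print(t.forward("9::1"))        # unreachable (Switch B has no default route)
    t.set_interface("Vlan-interface300", up=False)
    print(t.forward("3::2"))        # ['4::1']  backup route takes over
```

Taking Vlan-interface300 down is the case the preference rule exists for: the preference-60 route disappears from the active table and the preference-70 entry to the same prefix is selected without any reconfiguration.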

IPv4 static route configuration example

Network requirements

The IP addresses of devices are shown in Figure 149. IPv4 static routes must be configured on Switch A, Switch B and AC for Host A and Host B to communicate with each other.

Figure 149 Network diagram

Configuration outlines

1. On Switch A, configure a default route with Switch B as the next hop.

2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the next hop.

3. On AC, configure a default route with Switch B as the next hop.

Configuration procedure

1. Configure a default route with the next hop address 1.1.4.2 on Switch A.

2. Configure two static routes on Switch B: one with destination address 1.1.2.0/24 and next hop address 1.1.4.1, and the other with destination address 1.1.3.0/24 and next hop address 1.1.5.6.

3. Configure a default route on AC:

a. Select Network > IPv4 Routing from the navigation tree.

b. Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 150.

c. Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.5.5 for Next Hop.

d. Click Apply.


Figure 150 Configuring a default route

Verifying the configuration

1. Display the route table:

Enter the IPv4 route page of Switch A, Switch B, and AC, respectively, to verify that the newly configured static routes are displayed as active routes on the page.

2. Ping Host B from Host A (assuming both hosts run Windows XP):

C:\Documents and Settings\Administrator>ping 1.1.3.2

Pinging 1.1.3.2 with 32 bytes of data:
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128

Ping statistics for 1.1.3.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

IPv6 static route configuration example

Network requirements

The IP addresses of devices are shown in Figure 151. IPv6 static routes must be configured on Switch A, Switch B and AC for Host A and Host B to communicate with each other.


Figure 151 Network diagram

Configuration outlines

1. On Switch A, configure a default route with Switch B as the next hop.

2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the next hop.

3. On AC, configure a default route with Switch B as the next hop.

Configuration procedure

1. Configure a default route with the next hop address 4::2 on Switch A.

2. Configure two static routes on Switch B: one with destination address 1::/64 and next hop address 4::1, and the other with destination address 3::/64 and next hop address 5::1.

3. Configure a default route on AC:

a. Select Network > IPv6 Routing from the navigation tree.

b. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 152.

c. Enter :: for Destination IP Address, select 0 for Prefix Length, and enter 5::2 for Next Hop.

d. Click Apply.

Figure 152 Configuring a default route

(Figure 151 addressing: Host A 1::2/64 connects to Switch A Vlan-int100 1::1/64; Switch A Vlan-int200 4::1/64 connects to Switch B Vlan-int200 4::2/64; Switch B Vlan-int300 5::2/64 connects to AC Vlan-int300 5::1/64; AC Vlan-int500 3::1/64 faces the AP and Host B 3::2/64.)


Verifying the configuration

1. Display the route table:

Enter the IPv6 route page of Switch A, Switch B, and AC, respectively, to verify that the newly configured static routes are displayed as active routes on the page.

2. Ping Host B from Switch A:

<SwitchA> system-view
[SwitchA] ping ipv6 3::2
PING 3::2 : 56 data bytes, press CTRL_C to break
Reply from 3::2
bytes=56 Sequence=1 hop limit=254 time = 63 ms
Reply from 3::2
bytes=56 Sequence=2 hop limit=254 time = 62 ms
Reply from 3::2
bytes=56 Sequence=3 hop limit=254 time = 62 ms
Reply from 3::2
bytes=56 Sequence=4 hop limit=254 time = 63 ms
Reply from 3::2
bytes=56 Sequence=5 hop limit=254 time = 63 ms

--- 3::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms

Configuration guidelines

When you configure a static route, follow these guidelines:

1. If you do not specify the preference when you configure a static route, the default preference is used. Reconfiguration of the default preference applies only to newly created static routes. Currently, the Web interface does not support configuration of the default preference.

2. A static route does not take effect if its next hop address is later configured as the IP address of a local interface, such as an Ethernet interface or a VLAN interface.

3. When specifying the output interface, note that:

• If NULL 0 or a loopback interface is specified as the output interface, there is no need to configure the next hop address.

• If a point-to-point interface is specified as the output interface, you do not need to specify the next hop or change the configuration after the peer address has changed. For example, a PPP interface obtains the peer's IP address through PPP negotiation, so you only need to specify it as the output interface.

• If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint networks, the IP address-to-link layer address mapping must be established. Therefore, H3C recommends that you specify the next hop IP address when you configure such an interface as the output interface.

• If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or VLAN interface) as the output interface, which may have multiple next hops, you must specify the next hop at the same time.


DHCP overview

NOTE:

• After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see "Interface management."

• For more information about DHCP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.

DHCP uses the client/server model. Figure 153 shows a typical DHCP application.

Figure 153 A typical DHCP application

A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent.

Figure 154 DHCP relay agent application

Introduction to DHCP snooping


NOTE:

The DHCP snooping-enabled device must be either between the DHCP client and the relay agent, or between the DHCP client and the server. It does not work if it is between the DHCP relay agent and the DHCP server.

As a DHCP security feature, DHCP snooping can implement the following:

1. Recording IP-to-MAC mappings of DHCP clients

2. Ensuring that DHCP clients obtain IP addresses only from authorized DHCP servers

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages from clients and DHCP-ACK messages received on trusted ports to record DHCP snooping entries, including the MAC addresses of clients, the IP addresses obtained by the clients, the ports that connect to the DHCP clients, and the VLANs to which those ports belong.

Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and network configuration parameters and be unable to communicate normally with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, so that clients obtain IP addresses only from authorized DHCP servers:

• Trusted—A trusted port forwards DHCP messages normally.

• Untrusted—An untrusted port discards any DHCP-ACK or DHCP-OFFER message it receives, so a DHCP server connected to it cannot answer clients.

Recommended configuration procedure (for DHCP server)

Step Remarks

1. Enabling DHCP

Required.

Enable DHCP globally.

By default, global DHCP is disabled.

2. Creating an address pool for the DHCP server: creating a static address pool for the DHCP server, or creating a dynamic address pool for the DHCP server

Required.

Use at least one approach.

IMPORTANT:

• If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the same network segment as the interface with the DHCP server enabled; otherwise, the clients will fail to obtain IP addresses.

• If a DHCP client obtains an IP address via a DHCP relay agent, an IP address pool on the same network segment as the DHCP relay agent interface must be configured; otherwise, the client will fail to obtain an IP address.


3. Enabling the DHCP server on an interface

Optional.

With the DHCP server enabled on an interface, upon receiving a client's request, the DHCP server assigns an IP address from its address pool to the DHCP client.

With DHCP enabled globally, interfaces work in DHCP server mode by default.

IMPORTANT:

• An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest configuration takes effect.

• The DHCP server works only on interfaces with manually configured IP addresses.

4. Displaying information about assigned IP addresses Optional.

Enabling DHCP

1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.

2. Select the Enable option on the upper part of the page to enable DHCP globally.

Figure 155 DHCP configuration page


Creating a static address pool for the DHCP server

1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.

2. Select the Static option in the Address Pool field to view all static address pools.

3. Click Add to enter the page shown in Figure 156.

Figure 156 Creating a static address pool

4. Configure the static address pool as described in Table 70.

5. Click Apply.

Table 70 Configuration items

Item Description

IP Pool Name Enter the name of a static address pool.

IP Address / Mask Enter an IP address and select a subnet mask for the static address pool. You can enter a mask length or a mask in dotted decimal notation.

The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly.

Client MAC Address / Client ID Configure the client MAC address or the client ID for the static address pool.

IMPORTANT:

The client ID must be identical to the ID of the client to be bound. Otherwise, the client cannot obtain an IP address.

Client Domain Name Enter the domain name suffix for the client.

With the suffix assigned, the client only needs to enter part of a domain name, and the system adds the domain name suffix for name resolution.


Gateway Address

Enter the gateway addresses for the client.

A DHCP client that wants to access an external host needs to send requests to a gateway. You can specify gateways in each address pool and the DHCP server will assign gateway addresses while assigning an IP address to the client.

Up to eight gateways can be specified in a DHCP address pool, separated by commas.

DNS Server Address

Enter the DNS server addresses for the client.

To allow the client to access a host on the Internet through DNS, you need to specify a DNS server address.

Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.

WINS Server Address

Enter the WINS server addresses for the client.

If b-node is specified for the client, you do not need to specify any WINS server address.

Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.

NetBIOS Node Type Select the NetBIOS node type for the client.

Creating a dynamic address pool for the DHCP server

1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.

2. Select the Dynamic option in the Address Pool field to view all dynamic address pools.

3. Click Add to enter the page shown in Figure 157.


Figure 157 Creating a dynamic address pool

4. Configure the dynamic address pool as described in Table 71.

5. Click Apply.

Table 71 Configuration items

Item Description

IP Pool Name Enter the name of a dynamic address pool.

IP Address / Mask Enter an IP address segment for dynamic allocation. You can enter a mask length or a mask in dotted decimal notation.

To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic allocation.

Lease Duration Configure the address lease duration for the address pool: either Unlimited (an infinite lease) or a value in days/hours/minutes/seconds.

Client Domain Name

Enter the domain name suffix for the client.

With the suffix assigned, the client only needs to enter part of a domain name, and the system will add the domain name suffix for name resolution.


Gateway Address

Enter the gateway addresses for the client.

DHCP clients that want to access hosts outside the local subnet request gateways to forward data. You can specify gateways in each address pool for clients and the DHCP server will assign gateway addresses while assigning an IP address to the client.

Up to eight gateways can be specified in a DHCP address pool, separated by commas.

DNS Server Address

Enter the DNS server addresses for the client.

To allow the client to access a host on the Internet via the host name, you need to specify DNS server addresses.

Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.

WINS Server Address

Enter the WINS server addresses for the client.

If b-node is specified for the client, you do not need to specify any WINS server address.

Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.

NetBIOS Node Type Select the NetBIOS node type for the client.
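The address-pool rules from Tables 70 and 71 (static bindings win, gateway and server interface addresses are never handed out dynamically, leases expire) as an added example in plain Python. It is not the AC's DHCP server implementation; the pool parameters are those of the DHCP server configuration example on this page, and the client MAC addresses and the lease-renewal behaviour are assumptions.

```python
"""Address-pool behaviour from Tables 70 and 71: static bindings keyed by client
MAC or client ID, dynamic allocation that never hands out gateway or server
interface addresses, and lease expiry. Added illustration in plain Python; it is
not the AC's DHCP server implementation."""
import ipaddress

UNLIMITED = None   # the "Unlimited" lease duration choice


def duration(days=0, hours=0, minutes=0, seconds=0):
    """Lease duration in seconds from the days/hours/minutes/seconds fields."""
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


class AddressPool:
    def __init__(self, name, network, gateways=(), lease_seconds=UNLIMITED, server_interfaces=()):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.gateways = [ipaddress.ip_address(g) for g in gateways]
        self.lease_seconds = lease_seconds
        self.server_interfaces = {ipaddress.ip_address(a) for a in server_interfaces}
        # never allocated dynamically: gateway addresses (Table 71) and the server's own interfaces
        self.excluded = set(self.gateways) | self.server_interfaces
        self.static = {}    # client MAC or client ID -> IPv4Address
        self.leases = {}    # IPv4Address -> (client, expiry time or None)

    def bind_static(self, client, ip):
        """Static binding; rejects a DHCP server interface address, as Table 70 requires."""
        addr = ipaddress.ip_address(ip)
        if addr in self.server_interfaces:
            raise ValueError(f"{ip} is an interface address of the DHCP server")
        if addr not in self.network:
            raise ValueError(f"{ip} is outside {self.network}")
        self.static[client] = addr

    def _in_use(self, addr, now):
        lease = self.leases.get(addr)
        if lease is None:
            return False
        _, expiry = lease
        return expiry is None or expiry > now

    def allocate(self, client, now):
        """Address assigned to `client` at time `now` (seconds), or None if the pool is exhausted."""
        if client in self.static:                                 # a static binding always wins
            addr = self.static[client]
        else:
            addr = next((a for a, (c, _) in self.leases.items()    # renew an unexpired lease (assumption)
                         if c == client and self._in_use(a, now)), None)
            if addr is None:                                       # otherwise the first free address
                addr = next((a for a in self.network.hosts()
                             if a not in self.excluded
                             and a not in self.static.values()
                             and not self._in_use(a, now)), None)
            if addr is None:
                return None
        expiry = None if self.lease_seconds is UNLIMITED else now + self.lease_seconds
        self.leases[addr] = (client, expiry)
        return str(addr)

    def options(self):
        """Parameters sent alongside the address (gateway list and lease, as in Table 71)."""
        return {"gateways": [str(g) for g in self.gateways], "lease_seconds": self.lease_seconds}


if __name__ == "__main__":
    # The dynamic pool from the DHCP server example: 10.1.1.0/24, gateway 10.1.1.1, lease 10 days 12 hours
    pool = AddressPool("test", "10.1.1.0/24", gateways=["10.1.1.1"],
                       lease_seconds=duration(days=10, hours=12), server_interfaces=["10.1.1.1"])
    print(pool.allocate("0011-2233-4455", now=0))   # 10.1.1.2 (10.1.1.1 is the gateway/server address)
    print(pool.options())
```

The interesting checks are the ones the tables call out: a static binding that names the server's own interface address is rejected, and the gateway address is skipped by dynamic allocation even though it lies inside the pool.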

Enabling the DHCP server on an interface

1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.

2. Click the icon next to a specific interface to enter the page shown in Figure 158.

3. Select the Enable option for DHCP Server.

4. Click Apply.

Figure 158 Configuring a DHCP server interface

Displaying information about assigned IP addresses

1. Select Network > DHCP > DHCP Server from the navigation tree to enter the page, as shown in Figure 155.

2. Click Addresses in Use in the Address In Use field at the bottom of the page to view information about the IP addresses assigned from the address pools.


Figure 159 Displaying addresses in use

Table 72 Field description

Field Description

IP Address Assigned IP address.

Client MAC Address/Client ID Client MAC address or client ID bound to the IP address.

Pool Name Name of the DHCP address pool where the IP address belongs.

Lease Expiration Time at which the lease of the IP address expires.

Recommended configuration procedure (for DHCP relay agent)

Step Remarks

1. Enabling DHCP and configuring advanced parameters for the DHCP relay agent

Required.

Enable DHCP globally and configure advanced DHCP parameters.

By default, global DHCP is disabled.

2. Creating a DHCP server group

Required.

To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives requesting messages from clients, the relay agent will forward them to all the DHCP servers of the group.


3. Enabling the DHCP relay agent on an interface

Required.

Enable the DHCP relay agent on an interface, and correlate the interface with a DHCP server group.

With DHCP enabled, interfaces work in DHCP server mode by default.

IMPORTANT:

• An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest configuration takes effect.

• If the DHCP relay agent is enabled on an Ethernet subinterface, a packet received from a client on this interface must contain a VLAN tag, and the VLAN tag must be the same as the VLAN ID of the subinterface; otherwise, the packet is discarded.

• The DHCP relay agent works only on interfaces with manually configured IP addresses.

• If an Ethernet subinterface serves as a DHCP relay agent, it conveys IP addresses only to subinterfaces of DHCP clients. In this case, a PC cannot obtain an IP address as a DHCP client.

4. Configuring and displaying clients' IP-to-MAC bindings

Optional.

Create a static IP-to-MAC binding, and view static and dynamic bindings.

The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings. In other words, you can manually configure IP-to-MAC bindings on the DHCP relay agent, so that users can access external network using fixed IP addresses.

By default, no static binding is created.

Enabling DHCP and configuring advanced parameters for the DHCP relay agent

1. Select Network > DHCP from the navigation tree.

2. Click the DHCP Relay tab to enter the page as shown in Figure 160.


Figure 160 DHCP relay agent configuration page

3. Select the Enable option for DHCP Service.

4. Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration field, as shown in Figure 161.

Figure 161 Advanced DHCP relay agent configuration field

5. Configure the advanced DHCP relay agent parameters as described in Table 73.

6. Click Apply. You must also click Apply for enabling the DHCP service.


Table 73 Configuration items

Item Description

Unauthorized Server Detect Enable or disable unauthorized DHCP server detection.

Unauthorized DHCP servers on a network may reply to DHCP clients with wrong IP addresses.

With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the IP address of any DHCP server that assigned an IP address to the DHCP client, together with the receiving interface. The administrator can use this information to identify unauthorized DHCP servers. The device records each DHCP server once, so the administrator must find unauthorized DHCP servers in the log information. After the recorded DHCP server information is cleared, the relay agent re-records server information following the same mechanism.

Dynamic Bindings Refresh / Track Timer Interval Enable or disable periodic refresh of dynamic client entries, and set the refresh interval.

Via the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server to relinquish its IP address. In this case the DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP address from its dynamic client entries, which leaves a stale binding. The periodic refresh of dynamic client entries feature solves this problem.

With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay agent interface to periodically send a DHCP-REQUEST message to the DHCP server.

• If the server returns a DHCP-ACK message or does not return any message within a specified interval, which means that the IP address is assignable now, the DHCP relay agent ages out the client entry.

• If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent does not age it out.

If the Auto option is selected, the refresh interval is calculated by the relay agent according to the number of client entries.

Creating a DHCP server group

1. Select Network > DHCP from the navigation tree.

2. Click the DHCP Relay tab to enter the page as shown in Figure 160.

3. In the Server Group field, click Add to enter the page as shown in Figure 162.

Figure 162 Creating a server group

4. Specify the DHCP server group information as described in Table 74.

5. Click Apply.


Table 74 Configuration items

Item Description

Server Group ID Enter the ID of a DHCP server group.

You can create up to 20 DHCP server groups.

IP Address Enter the IP address of a server in the DHCP server group.

The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent. Otherwise, the client cannot obtain an IP address.

Enabling the DHCP relay agent on an interface

1. Select Network > DHCP from the navigation tree.

2. Click the DHCP Relay tab to enter the page as shown in Figure 160.

3. In the Interface Config field, click the icon of a specific interface to enter the page as shown in Figure 163.

Figure 163 Configuring a DHCP relay agent interface

4. Configure the parameters as described in Table 75.

5. Click Apply.

Table 75 Configuration items

Item Description

Interface Name This field displays the name of a specific interface.

DHCP Relay Enable or disable the DHCP relay agent on the interface.

If the DHCP relay agent is disabled, the DHCP server is enabled on the interface.

Address Match Check

Enable or disable IP address check.

With this function enabled, the DHCP relay agent checks whether a requesting client's IP and MAC addresses match a binding (dynamic or static) on the DHCP relay agent. If not, the client cannot access outside networks via the DHCP relay agent. This prevents invalid IP address configuration.

Server Group ID Correlate the interface with a DHCP server group.

A DHCP server group can be correlated with multiple interfaces.
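The three relay-agent checks from Table 73 and Table 75 (unauthorized server detection, dynamic bindings refresh, address match check) as an added example in plain Python. It is not the AC's implementation. The interface names and 10.10.1.0/24 client addresses follow the DHCP relay agent configuration example on this page; the MAC addresses, the rogue server address 10.10.1.200 and the assumption that the detected server address is read from the relayed DHCP-REQUEST are constructed for the illustration.

```python
"""Relay agent features from Tables 73 and 75: unauthorized server detection,
periodic refresh of dynamic client entries, and the address match check.
Added illustration in plain Python; it is not the AC's implementation."""


class DhcpRelay:
    def __init__(self, interface_macs):
        self.interface_macs = interface_macs    # relay interface name -> its MAC address
        self.server_log = {}                    # server IP -> interface it was seen on (one record per server)
        self.dynamic = {}                       # client IP -> (client MAC, client interface)
        self.static = {}                        # client IP -> (client MAC, client interface)
        self.match_check = set()                # interfaces with Address Match Check enabled

    # Unauthorized Server Detect
    def on_client_request(self, interface, server_id):
        """A relayed DHCP-REQUEST names the server the client selected; the page says
        detection records that server and the receiving interface, once per server.
        (Assumption: the server address is read from the request's server identifier.)"""
        self.server_log.setdefault(server_id, interface)

    def unauthorized_servers(self, authorized):
        """Logged servers that are not in the configured DHCP server group."""
        return {ip: iface for ip, iface in self.server_log.items() if ip not in authorized}

    def clear_server_log(self):
        self.server_log.clear()                 # servers are re-recorded from now on

    # Dynamic client entries, learned when the server's ACK is relayed back
    def on_server_ack(self, client_ip, client_mac, client_interface):
        self.dynamic[client_ip] = (client_mac, client_interface)

    # Dynamic Bindings Refresh
    def refresh(self, probe):
        """probe(client_ip, relay_mac) stands in for the DHCP-REQUEST the relay sends
        with the client's IP and its own interface MAC; it returns 'ACK', 'NAK' or
        None (no reply within the interval). Returns the IPs aged out."""
        aged_out = []
        for ip, (_, iface) in list(self.dynamic.items()):
            reply = probe(ip, self.interface_macs.get(iface))
            if reply == "NAK":                  # address still in use: keep the entry
                continue
            aged_out.append(ip)                 # ACK or timeout: the address is assignable, age it out
            del self.dynamic[ip]
        return aged_out

    # Address Match Check
    def add_static_binding(self, client_ip, client_mac, client_interface):
        self.static[client_ip] = (client_mac, client_interface)

    def permits(self, interface, client_ip, client_mac):
        """Whether traffic from (client_ip, client_mac) received on `interface` may
        pass through the relay agent to outside networks."""
        if interface not in self.match_check:
            return True
        entry = self.dynamic.get(client_ip) or self.static.get(client_ip)
        return entry == (client_mac, interface)


if __name__ == "__main__":
    relay = DhcpRelay({"Vlan-interface1": "00e0-fc00-0001"})   # MAC address is made up
    relay.match_check.add("Vlan-interface1")
    relay.on_client_request("Vlan-interface1", "10.1.1.1")       # the configured server
    relay.on_client_request("Vlan-interface1", "10.10.1.200")    # constructed rogue server
    print(relay.unauthorized_servers({"10.1.1.1"}))              # {'10.10.1.200': 'Vlan-interface1'}
    relay.on_server_ack("10.10.1.5", "0011-aaaa-0005", "Vlan-interface1")
    print(relay.permits("Vlan-interface1", "10.10.1.5", "0011-bbbb-0000"))   # False: MAC mismatch
```

Note the asymmetry in refresh(): silence from the server is treated like an ACK, so a probe that is lost on the way to the server removes a live binding. With Address Match Check enabled on the interface, that client is then blocked until its next DHCP exchange, which is why the page leaves the interval configurable (or Auto) rather than fixed.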


Configuring and displaying clients' IP-to-MAC bindings

1. Select Network > DHCP from the navigation tree

2. Click the DHCP Relay tab to enter the page as shown in Figure 160.

3. In the User Information field, click User Information to view static and dynamic bindings, as shown in Figure 164.

Figure 164 Displaying clients' IP-to-MAC bindings

4. Click Add to enter the page shown in Figure 165.

Figure 165 Creating a static IP-to-MAC binding

5. Configure static IP-to-MAC binding as described in Table 76.

6. Click Apply.

Table 76 Configuration items

Item Description

IP Address Enter the IP address of a DHCP client.

MAC Address Enter the MAC address of the DHCP client.

Interface Name

Select the Layer 3 interface connected with the DHCP client.

IMPORTANT:

The interface of a static binding entry must be configured as a DHCP relay agent. Otherwise, address entry conflicts may occur.


Recommended configuration procedure (for DHCP snooping)

Step Remarks

1. Enabling DHCP snooping

Required.

By default, DHCP snooping is disabled.

2. Configuring DHCP snooping functions on an interface

Required.

Specify an interface as trusted and configure DHCP snooping to support Option 82.

By default, an interface is untrusted and DHCP snooping does not support Option 82.

IMPORTANT:

You must specify the ports connected to the authorized DHCP servers as trusted so that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.

3. Displaying clients' IP-to-MAC bindings

Optional.

Display clients' IP-to-MAC bindings recorded by DHCP snooping.

Enabling DHCP snooping

1. Select Network > DHCP from the navigation tree.

2. Click the DHCP Snooping tab to enter the page as shown in Figure 166.

3. Select the Enable option for DHCP Snooping.


Figure 166 DHCP snooping configuration page

Configuring DHCP snooping functions on an interface

1. Select Network > DHCP from the navigation tree.

2. Click the DHCP Snooping tab to enter the page as shown in Figure 166.

3. In the Interface Config field, click the icon of a specific interface to enter the page as shown in Figure 167.

Figure 167 DHCP snooping interface configuration page

4. Configure the parameters as described in Table 77.

5. Click Apply.


Table 77 Configuration items

Item Description

Interface Name This field displays the name of a specific interface.

Interface State Configure the interface as trusted or untrusted.

Option 82 Support Configure DHCP snooping to support Option 82 or not.

Option 82 Strategy Select the handling strategy for DHCP requests containing Option 82. The strategies include:

• Drop—The message is discarded if it contains Option 82.

• Keep—The message is forwarded without its Option 82 being changed.

• Replace—The message is forwarded after its original Option 82 is replaced with the Option 82 padded in normal format.
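The snooping behaviour from the "Introduction to DHCP snooping" overview and from Table 77 together (server replies accepted only on trusted ports, the three Option 82 strategies, bindings learned from REQUEST/ACK pairs) as an added example in plain Python. It is not the AC's implementation. The port roles are those of the DHCP snooping configuration example on this page; the messages, MAC addresses, the content of the "normal format" Option 82 and the assumption that a request without Option 82 gets one added when Option 82 support is enabled are constructed for the illustration.

```python
"""DHCP snooping as described in the overview and in Table 77: server replies are
accepted only on trusted ports, client requests get the configured Option 82
treatment, and IP-to-MAC bindings are learned from REQUEST/ACK pairs.
Added illustration in plain Python; it is not the AC's implementation."""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class PortConfig:
    trusted: bool = False          # default: untrusted
    option82: bool = False         # default: Option 82 support disabled
    strategy: str = "replace"      # drop | keep | replace, applied to requests that carry Option 82


@dataclass
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int
    lease: int


class DhcpSnooping:
    def __init__(self, device_mac="00e0-fc00-0002"):
        self.device_mac = device_mac          # made-up remote ID for the device's own Option 82
        self.ports = {}                       # port name -> PortConfig
        self.pending = {}                     # client MAC -> (port, vlan) of its last request
        self.bindings = {}                    # assigned IP -> Binding

    def configure(self, port, **settings):
        self.ports[port] = PortConfig(**settings)

    def own_option82(self, port, vlan):
        # "Normal format" is assumed to carry the VLAN and port as circuit ID and the device as remote ID
        return {"circuit_id": f"{vlan}:{port}", "remote_id": self.device_mac}

    def process(self, msg):
        """Return ("forward", message) or ("drop", reason) for one constructed DHCP message."""
        cfg = self.ports.get(msg["port"], PortConfig())
        if msg["type"] in SERVER_MESSAGES:
            if not cfg.trusted:               # a server answering on an untrusted port is a rogue
                return ("drop", f"{msg['type']} from a server on untrusted port {msg['port']}")
            if msg["type"] == "ACK" and msg["client_mac"] in self.pending:
                port, vlan = self.pending.pop(msg["client_mac"])
                self.bindings[msg["yiaddr"]] = Binding(msg["yiaddr"], msg["client_mac"],
                                                       port, vlan, msg["lease"])
            return ("forward", msg)

        # DISCOVER / REQUEST from a client: remember where it came from for the binding
        self.pending[msg["client_mac"]] = (msg["port"], msg["vlan"])
        out = dict(msg)
        if cfg.option82:
            if "option82" in msg:
                if cfg.strategy == "drop":
                    return ("drop", "request already carries Option 82")
                if cfg.strategy == "replace":
                    out["option82"] = self.own_option82(msg["port"], msg["vlan"])
                # keep: forward with the original Option 82 untouched
            else:
                out["option82"] = self.own_option82(msg["port"], msg["vlan"])   # assumption: added when absent
        return ("forward", out)


if __name__ == "__main__":
    s = DhcpSnooping()
    s.configure("GigabitEthernet1/0/2", trusted=True)                       # faces the DHCP server
    s.configure("GigabitEthernet1/0/1", option82=True, strategy="replace")  # faces the AP, untrusted
    rogue = {"type": "OFFER", "port": "GigabitEthernet1/0/1", "vlan": 1,
             "client_mac": "0011-2233-4455", "yiaddr": "10.1.1.200", "lease": 3600}
    print(s.process(rogue))   # ('drop', 'OFFER from a server on untrusted port GigabitEthernet1/0/1')
```

The replace strategy is the one that matters on the AP-facing port: a client that forges its own circuit ID cannot influence what the server sees, because the device overwrites it with the port and VLAN it actually arrived on.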

Displaying clients' IP-to-MAC bindings

1. Select Network > DHCP from the navigation tree.

2. Click the DHCP Snooping tab to enter the page as shown in Figure 166.

3. Click User Information to enter the DHCP snooping user information page, as shown in Figure 168.

Figure 168 DHCP snooping user information

4. View clients' IP-to-MAC bindings recorded by DHCP snooping as described in Table 78.

Table 78 Configuration items

Item Description

IP Address This field displays the IP address assigned by the DHCP server to the client.

MAC Address This field displays the MAC address of the client.

Type This field displays the client type, which can be:

• Dynamic—The IP-to-MAC binding is generated dynamically.

• Static—The IP-to-MAC binding is configured manually. Currently, static bindings are not supported.

Interface Name This field displays the device interface to which the client is connected.

VLAN This field displays the VLAN to which the port connecting the client belongs.

Remaining Lease Time This field displays the remaining lease time of the IP address.


DHCP server configuration example

Network requirements

As shown in Figure 169, the DHCP client on subnet 10.1.1.0/24 obtains an IP address dynamically from the DHCP server (AC). The IP address of VLAN-interface 2 of the AC is 10.1.1.1/24.

In subnet 10.1.1.0/24, the address lease duration is ten days and twelve hours and the gateway address is 10.1.1.1.

Figure 169 Network diagram

Configuration procedure

1. Enable DHCP:

a. Select Network > DHCP from the navigation tree to enter the default DHCP Server page.

b. Select the Enable option for DHCP Service.

Figure 170 Enabling DHCP


2. Enable the DHCP server on VLAN-interface 2: (This operation can be omitted because the DHCP server is enabled on the interface by default.)

a. In the Interface Config field, click the icon of VLAN-interface 2.

b. Select the Enable option for DHCP Server.

c. Click Apply.

Figure 171 Enabling the DHCP server on VLAN-interface 2

3. Configure a dynamic address pool for the DHCP server:

a. Select the Dynamic option in the Address Pool field (default setting), and click Add.

b. On the page that appears, enter test for IP Pool Name, enter 10.1.1.0 for IP Address, enter 255.255.255.0 for Mask, enter 10 days 12 hours 0 minutes 0 seconds for Lease Duration, and enter 10.1.1.1 for Gateway Address.

c. Click Apply.

Figure 172 Configuring a dynamic address pool for the DHCP server


DHCP relay agent configuration example

Network requirements

As shown in Figure 173, VLAN-interface 1 on the DHCP relay agent (AC) connects to the network where the DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.2/24. VLAN-interface 2 is connected to the DHCP server, whose IP address is 10.1.1.1/24.

The AC forwards messages between DHCP clients and the DHCP server.

Figure 173 Network diagram

Configuration procedure

NOTE:

Because the DHCP relay agent and server are on different subnets, you must configure a static route or dynamic routing protocol so they can communicate.

1. Enable DHCP:

a. Select Network > DHCP from the navigation tree.

b. Click the DHCP Relay tab.

c. Select the Enable option for DHCP Service.

d. Click Apply.


Figure 174 Enabling DHCP

2. Configure a DHCP server group:

a. In the Server Group field, click Add.

b. Enter 1 for Server Group ID, and 10.1.1.1 for IP Address.

c. Click Apply.

Figure 175 Adding a DHCP server group

3. Enable the DHCP relay agent on VLAN-interface 1:

a. In the Interface Config field, click the icon of VLAN-interface 1.


b. Select the Enable option for DHCP Relay, and select 1 for Server Group ID.

c. Click Apply.

Figure 176 Enabling the DHCP relay agent on an interface and correlating it with a server group

DHCP snooping configuration example

Network requirements

As shown in Figure 177, a DHCP snooping device (AC) is connected to a DHCP server through GigabitEthernet 1/0/2, and to an AP through GigabitEthernet 1/0/1.

• Enable DHCP snooping on the AC and configure DHCP snooping to support Option 82. Configure the handling strategy for DHCP requests containing Option 82 as replace.

• Enable GigabitEthernet 1/0/2 to forward DHCP server responses; disable GigabitEthernet 1/0/1 from forwarding DHCP server responses.

• Configure the AC to record clients' IP-to-MAC address bindings in DHCP-REQUEST messages and DHCP-ACK messages received from a trusted port.

Figure 177 Network diagram

Configuration procedure

1. Enable DHCP snooping:

a. Select Network > DHCP from the navigation tree.

b. Click the DHCP Snooping tab.

c. Select the Enable option for DHCP Snooping.


Figure 178 Enabling DHCP snooping

2. Configure DHCP snooping functions on GigabitEthernet 1/0/2:

a. Click the icon of GigabitEthernet 1/0/2 on the interface list.

b. Select the Trust option for Interface State.

c. Click Apply.

Figure 179 Configuring DHCP snooping functions on GigabitEthernet 1/0/2

3. Configure DHCP snooping functions on GigabitEthernet 1/0/1:

a. Click the icon of GigabitEthernet 1/0/1 on the interface list.

b. To configure the DHCP snooping functions on the interface:

Select the Untrust option for Interface State.

Select the Enable option for Option 82 Support.

Select Replace from the Option 82 Strategy list.

c. Click Apply.


Figure 180 Configuring DHCP snooping functions on GigabitEthernet 1/0/1
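The relay and snooping examples above describe what the AC does with each DHCP message. The following Python script, added here as an illustration and not taken from the guide or from H3C's implementation, models that handling on constructed packets: a relay stamps giaddr with its ingress interface address (10.10.1.1 from the relay example) before forwarding to the server group, and a snooping device drops server replies that arrive on an untrusted port, inserts or replaces Option 82 on client requests from the untrusted port (circuit ID = port name, remote ID = device MAC), strips Option 82 from replies, and records the IP-to-MAC binding when a DHCP-ACK arrives on the trusted port. The client MAC, device MAC and lease address are constructed test values; the drop and keep strategies are assumed alternatives to the replace strategy the example configures; and the sub-option layout is one common choice rather than the AC's exact format.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5


def build_dhcp(op, xid, chaddr, options, yiaddr=b"\0" * 4, giaddr=b"\0" * 4):
    """Minimal BOOTP header + magic cookie + TLV options + end marker (RFC 2131 layout)."""
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)        # op, htype, hlen, hops, xid, secs, flags
    head += b"\0" * 4 + yiaddr + b"\0" * 4 + giaddr                # ciaddr, yiaddr, siaddr, giaddr
    head += chaddr.ljust(16, b"\0") + b"\0" * 192 + MAGIC           # chaddr, sname, file, cookie
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return head + body + b"\xff"


def parse_dhcp(data):
    """Return (fixed fields, {option code: value}); raises if the magic cookie is missing."""
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = data[2]
    fields = {"op": data[0], "xid": struct.unpack("!I", data[4:8])[0],
              "yiaddr": data[16:20], "giaddr": data[24:28], "chaddr": data[28:28 + hlen]}
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                                            # pad byte
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return fields, opts


def relay_to_server(data, relay_ip):
    """DHCP relay: stamp giaddr with the ingress interface address so the server selects the right pool."""
    f, opts = parse_dhcp(data)
    if f["op"] != BOOTREQUEST:
        raise ValueError("a relay only forwards client requests toward the server")
    # keep the giaddr set by an earlier relay, otherwise use our own interface address
    giaddr = f["giaddr"] if f["giaddr"] != b"\0" * 4 else socket.inet_aton(relay_ip)
    return build_dhcp(BOOTREQUEST, f["xid"], f["chaddr"], opts, giaddr=giaddr)


class DhcpSnooper:
    """Per-port trust, Option 82 handling and an IP-to-MAC binding table built from ACKs."""

    def __init__(self, trusted_ports, device_mac, strategy="replace"):
        self.trusted = set(trusted_ports)
        self.device_mac = device_mac            # constructed value; the AC would use its own MAC
        self.strategy = strategy                # "replace" as on the page; "drop"/"keep" assumed alternatives
        self.pending = {}                       # xid -> untrusted port the client's request arrived on
        self.bindings = {}                      # client MAC -> (leased IP, client port)

    def option82(self, port):
        """Sub-option 1 (circuit ID) = ingress port name, sub-option 2 (remote ID) = device MAC."""
        cid = port.encode()
        return bytes([1, len(cid)]) + cid + bytes([2, len(self.device_mac)]) + self.device_mac

    def process(self, port, data):
        """Return ("drop", None) or ("forward", rewritten packet)."""
        f, opts = parse_dhcp(data)
        if port not in self.trusted:
            if f["op"] == BOOTREPLY:                                # server reply on an untrusted port: rogue server
                return "drop", None
            if 82 in opts and self.strategy == "drop":
                return "drop", None
            if 82 not in opts or self.strategy == "replace":        # insert, or overwrite a client-supplied one
                opts[82] = self.option82(port)
            self.pending[f["xid"]] = port
            return "forward", build_dhcp(BOOTREQUEST, f["xid"], f["chaddr"], opts, giaddr=f["giaddr"])
        # trusted port: learn the binding from the server's ACK, then hand the reply to the client
        if f["op"] == BOOTREPLY and opts.get(53, b"\0")[0] == DHCPACK:
            client_port = self.pending.pop(f["xid"], None)
            self.bindings[f["chaddr"]] = (socket.inet_ntoa(f["yiaddr"]), client_port)
        opts.pop(82, None)                                          # Option 82 never reaches the client
        return "forward", build_dhcp(f["op"], f["xid"], f["chaddr"], opts,
                                     yiaddr=f["yiaddr"], giaddr=f["giaddr"])
```

The check that matters most for security is the first one in process(): a DHCPOFFER or DHCPACK arriving on GigabitEthernet 1/0/1 comes from a rogue server and is discarded, while the same message on GigabitEthernet 1/0/2 populates the binding table that IP source guard or ARP inspection can later consult.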


DNS configuration

Overview

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses.

There are two types of DNS services, static and dynamic. After a user specifies a name, the device first checks the local static name resolution table for an IP address. If it finds none, it contacts the DNS server for dynamic name resolution, which takes longer than a static lookup. Frequently queried name-to-IP address mappings can therefore be stored in the local static name resolution table to improve efficiency.

Static domain name resolution

Static domain name resolution sets up mappings between domain names and IP addresses manually. Applications such as telnet can then find the IP address of a domain name in the static domain name resolution table.

Dynamic domain name resolution

Dynamic domain name resolution is implemented by querying the DNS server.

DNS proxy

A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.

A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy, which forwards the request to the designated DNS server, and conveys the reply from the DNS server to the client.

The DNS proxy simplifies network management. When the DNS server address is changed, you only need to change the configuration on the DNS proxy instead of on each DNS client.

For more information about DNS, see H3C WX Series Access Controllers Layer 3 Configuration Guide.

Recommended configuration procedure

Configuring static name resolution table

Step Remarks

Configuring static name resolution table Required.

By default, no host name-to-IP address mappings are configured in the static domain name resolution table.


Configuring dynamic domain name resolution

Step Remarks

1. Configuring dynamic domain name resolution Required.

This function is disabled by default.

2. Adding a DNS server address Required.

Not configured by default.

3. Adding a domain name suffix Optional.

Not configured by default.

4. Clearing dynamic DNS cache Optional.

Configuring DNS proxy

Step Remarks

1. Configuring DNS proxy Required.

By default, the device is not a DNS proxy.

2. Adding a DNS server address Required.

Not configured by default.

Configuring static name resolution table

1. Select Network > DNS from the navigation tree to enter the default static domain name resolution configuration page shown in Figure 181.

Figure 181 Static domain name resolution configuration page

2. Click Add to enter the page shown in Figure 182.


Figure 182 Creating a static domain name resolution entry

3. Configure the parameters as described in Table 79.

4. Click Apply.

Table 79 Configuration items

Item Description

Host Name

Host IP Address

Configure the mapping between a host name and an IP address in the static domain name table.

Each host name corresponds to only one IP address. If you configure multiple IP addresses for a host name, the last configured one takes effect.

Configuring dynamic domain name resolution

1. Select Network > DNS from the navigation tree.

2. Click the Dynamic tab to enter the page shown in Figure 183.

3. Select the Enable option for Dynamic DNS.

4. Click Apply.


Figure 183 Dynamic domain name resolution configuration page

Configuring DNS proxy

1. Select Network > DNS from the navigation tree.

2. Click the Dynamic tab to enter the page shown in Figure 183.

3. Select the Enable option for DNS Proxy.

4. Click Apply.

Adding a DNS server address

1. Select Network > DNS from the navigation tree.

2. Click the Dynamic tab to enter the page shown in Figure 183.

3. Click Add IP to enter the page shown in Figure 184.

4. Enter an IP address in DNS Server IP address field.

5. Click Apply.


Figure 184 Adding a DNS server address

Adding a domain name suffix

1. Select Network > DNS from the navigation tree.

2. Click the Dynamic tab to enter the page shown in Figure 183.

3. Click Add Suffix to enter the page shown in Figure 185.

4. Enter a DNS suffix in the DNS Domain Name Suffix field.

5. Click Apply.

Figure 185 Adding a domain name suffix

Clearing dynamic DNS cache

1. Select Network > DNS from the navigation tree.

2. Click the Dynamic tab to enter the page shown in Figure 183.

3. Select the Clear Dynamic DNS cache box.

4. Click Apply.

DNS configuration example

Network requirements

As shown in Figure 186, the AC wants to access the host by using an easy-to-remember domain name rather than an IP address, and to request the DNS server on the network for an IP address by using dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has a com domain, which stores the mapping between domain name host and IP address 3.1.1.1/16.


The AC serves as a DNS client and uses dynamic domain name resolution together with the suffix to access the host with the domain name host.com and the IP address 3.1.1.1/16.

Figure 186 Network diagram

NOTE:

• Before performing the following configuration, make sure that the AC and the host are reachable to each other and that the IP addresses of the interfaces are configured as shown in Figure 186.

• This configuration may vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.

Configuring the DNS server

1. Create zone com:

a. Select Start > Programs > Administrative Tools > DNS.

b. As shown in Figure 187, right click Forward Lookup Zones and select New Zone.

c. Follow the instructions to create a new zone named com.

Figure 187 Creating a zone

2. Create a mapping between host name and IP address:

a. In Figure 188, right click zone com, and then select New Host.


Figure 188 Adding a host

b. In the dialog box as shown in Figure 189, enter host name host and IP address 3.1.1.1.

c. Click Add Host.

Figure 189 Adding a mapping between domain name and IP address

Configuring the AC

1. Enable dynamic domain name resolution.


a. Select Network > DNS from the navigation tree.

b. Click the Dynamic tab.

c. Select the Enable option for Dynamic DNS, as shown in Figure 190.

d. Click Apply.

Figure 190 Enabling dynamic domain name resolution

2. Configure the DNS server address:

a. Click Add IP in Figure 190 to enter the page for adding a DNS server IP address.

b. Enter 2.1.1.2 for DNS Server IP Address, as shown in Figure 191.

c. Click Apply.

Figure 191 Adding a DNS server address

3. Configure the domain name suffix:

a. Click Add Suffix in Figure 190.

b. Enter com for DNS Domain Name Suffix, as shown in Figure 192.

c. Click Apply.


Figure 192 Adding a DNS domain name suffix

Verifying the configuration

Use the ping host command on the AC to verify that the communication between the AC and the host is normal and that the corresponding destination IP address is 3.1.1.1.

1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.

2. Enter host in the Destination IP address or host name field.

3. Click Start to execute the ping command.

4. View the result in the Summary field.

Figure 193 Ping operation
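The resolution order described in the DNS overview (static table first, then a dynamic query with suffix completion) is modelled by the following Python resolver, an added example that is not H3C's code. It builds a real DNS A query in wire format, parses the answer (including name compression), keeps a TTL cache of the kind the Clear Dynamic DNS cache box flushes, and refuses a reply whose transaction ID does not match the query, which is the basic defence against a blindly spoofed answer. The suffix rule (a bare label gets each suffix appended; a dotted name is tried as given first) is an assumption about this platform's behaviour; the zone mapping host.com to 3.1.1.1 and the static entry are constructed to mirror the configuration example; and the DNS server is a local function so the script runs offline.

```python
import secrets
import struct
import time


def encode_name(name):
    """Encode "host.com" as DNS wire labels: \\x04host\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at offset; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                           # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def build_query(name, qid):
    """Standard recursive query for one A record (QTYPE 1, QCLASS IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_a_answers(msg, expected_qid):
    """Return {name: (ipv4, ttl)} for A records; refuse a reply whose ID does not match."""
    rid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != expected_qid:
        raise ValueError("DNS transaction ID mismatch: possible spoofed reply")
    off = 12
    for _ in range(qd):                                 # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = {}
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers[name] = (".".join(str(b) for b in rdata), ttl)
    return answers


def build_a_response(query, ip, ttl=300):
    """Constructed server reply for local testing: echo the question, answer one A record."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def build_nxdomain(query):
    """Constructed NXDOMAIN reply (RCODE 3) for local testing."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, 0x8183, 1, 0, 0, 0) + query[12:]


class Resolver:
    """Static table first, then dynamic queries with suffix completion and a TTL cache."""

    def __init__(self, static_table, suffixes, send):
        self.static = static_table        # host name -> IP, consulted before any query is sent
        self.suffixes = suffixes          # e.g. ["com"], as configured on the Dynamic tab
        self.send = send                  # callable(query_bytes) -> response_bytes
        self.cache = {}                   # fqdn -> (ip, expiry); cleared by "Clear Dynamic DNS cache"

    def candidates(self, name):
        """Suffix completion rule (assumed): bare label -> suffixes only; dotted -> as given, then suffixes."""
        if name.endswith("."):
            return [name.rstrip(".")]
        if "." in name:
            return [name] + [f"{name}.{s}" for s in self.suffixes]
        return [f"{name}.{s}" for s in self.suffixes]

    def resolve(self, name):
        """Return (ip, source) where source is static, cache, dynamic or unresolved."""
        if name in self.static:
            return self.static[name], "static"
        for fqdn in self.candidates(name):
            hit = self.cache.get(fqdn)
            if hit and hit[1] > time.monotonic():
                return hit[0], "cache"
            qid = secrets.randbelow(65536)              # unpredictable ID resists blind spoofing
            answers = parse_a_answers(self.send(build_query(fqdn, qid)), qid)
            if fqdn in answers:
                ip, ttl = answers[fqdn]
                self.cache[fqdn] = (ip, time.monotonic() + ttl)
                return ip, "dynamic"
        return None, "unresolved"
```

Resolving "host" with the suffix com sends a query for host.com and returns 3.1.1.1 from the server the first time and from the cache the second time, which is why a poisoned answer would persist for its TTL: the ID check is what keeps a forged reply out of that cache.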


Service management

Overview

The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP, and HTTPS. You can enable or disable the services as needed. Disabling services that are not required reduces the attack surface of the device and improves its performance, so that the device can be managed securely.

The service management module also lets you modify the HTTP and HTTPS port numbers and associate the FTP, HTTP, or HTTPS service with an ACL, so that only clients permitted by the ACL can reach these services and unauthorized access attempts against them are reduced.

FTP service

The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network.

Telnet service

The Telnet protocol is an application layer protocol that provides remote login and virtual terminal functions on the network.

SSH service

Secure Shell (SSH) provides a way to log in to a remote device securely. Through encryption and strong authentication, it protects devices against attacks such as IP spoofing and interception of plaintext passwords.

SFTP service

The secure file transfer protocol (SFTP) is part of SSH 2.0. SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to it for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.

HTTP service

The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet. It is an application-layer protocol in the TCP/IP protocol suite.

You can log in to the device using the HTTP protocol with HTTP service enabled, accessing and controlling the device with Web-based network management.

HTTPS service

Secure HTTP (HTTPS) is HTTP carried over the Secure Sockets Layer (SSL) protocol.

The SSL protocol of HTTPS enhances the security of the device in the following ways:

• Authenticates clients with SSL so that only legitimate clients can access the device, and rejects illegitimate clients.

• Encrypts the data exchanged between the HTTPS client and the device, ensuring its confidentiality and integrity, so that the device can be managed securely.

• Defines a certificate attribute-based access control policy for the device to control the access rights of clients, further reducing exposure to illegitimate clients.

Configuring service management

1. Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 194.

Figure 194 Service management

2. Enable or disable various services on the page as described in Table 80.

3. Click Apply.

Table 80 Configuration items

Item Description

FTP

Enable FTP service

Specify whether to enable the FTP service.

The FTP service is disabled by default.

ACL

Associate the FTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the FTP service.

You can view this configuration item by clicking the expanding button in front of FTP.

Telnet Enable Telnet service

Specify whether to enable the Telnet service.

The Telnet service is enabled by default.

SSH Enable SSH service

Specify whether to enable the SSH service.

The SSH service is disabled by default.

SFTP Enable SFTP service

Specify whether to enable the SFTP service.

The SFTP service is disabled by default.

IMPORTANT:

The SFTP service depends on the SSH service. Enable the SSH service before you enable the SFTP service.


Item Description

HTTP

Enable HTTP service

Specify whether to enable the HTTP service.

The HTTP service is disabled by default.

Port Number

Set the port number for HTTP service.

You can view this configuration item by clicking the expanding button in front of HTTP.

IMPORTANT:

When you modify a port, make sure that the port is not used by another service.

ACL

Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service.

You can view this configuration item by clicking the expanding button in front of HTTP.

HTTPS

Enable HTTPS service

Specify whether to enable the HTTPS service.

The HTTPS service is disabled by default.

Port Number

Set the port number for HTTPS service.

You can view this configuration item by clicking the expanding button in front of HTTPS.

IMPORTANT:

When you modify a port, make sure that the port is not used by another service.

ACL

Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service.

You can view this configuration item by clicking the expanding button in front of HTTPS.

Certificate

Set the local certificate for the HTTPS service. The list displays certificate subjects.

You can configure the available PKI domains by selecting Authentication > Certificate Management from the navigation tree at the left side of the interface. For more information, see "Certificate management."

IMPORTANT:

The service management, portal authentication and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes that referenced in the other two modules.
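Table 80 gives the factory defaults (Telnet on; FTP, SSH, SFTP, HTTP and HTTPS off) and states which services accept an ACL. The following Python script, an added example rather than H3C's code or the device's own logic, models that table so a configuration can be reviewed before it is applied: it evaluates a first-match ACL against a client address, lists the services a given client could reach, and flags cleartext services left enabled, SFTP without SSH, an enabled FTP, HTTP or HTTPS service with no ACL, an ACL whose permit rule matches any source, and a port number shared by two services (the points raised in the IMPORTANT notes above). Port numbers are the standard well-known ones (an assumption; the page does not list them), the 10.1.1.0/24 management subnet is constructed, and a source that matches no ACL rule is assumed to be denied, which should be verified against the platform's ACL documentation.

```python
import ipaddress
from dataclasses import dataclass, field

# cleartext service -> its encrypted replacement, as listed in Table 80
CLEARTEXT = {"FTP": "SFTP", "Telnet": "SSH", "HTTP": "HTTPS"}
ACL_CAPABLE = {"FTP", "HTTP", "HTTPS"}      # the only services Table 80 lets you bind an ACL to


@dataclass
class AclRule:
    action: str          # "permit" or "deny"
    source: str          # IPv4 prefix, e.g. "10.1.1.0/24"


@dataclass
class Service:
    name: str
    enabled: bool
    port: int = None     # None for SFTP, which rides on the SSH listener
    acl: list = field(default_factory=list)   # first-match rules; empty = no ACL bound


def acl_permits(rules, client_ip, default="deny"):
    """First matching rule decides; a source matching no rule gets `default` (assumed deny)."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.source, strict=False):
            return rule.action == "permit"
    return default == "permit"


def reachable_services(services, client_ip):
    """Enabled services this client may use; a service with no ACL is open to every source."""
    return [s.name for s in services
            if s.enabled and (not s.acl or acl_permits(s.acl, client_ip))]


def audit(services):
    """Findings a reviewer would raise against a service-management configuration."""
    by_name = {s.name: s for s in services}
    findings = []
    for clear, secure in CLEARTEXT.items():
        if by_name.get(clear) and by_name[clear].enabled:
            findings.append(f"{clear} enabled: credentials and sessions cross the network in cleartext")
            if not (by_name.get(secure) and by_name[secure].enabled):
                findings.append(f"{secure} disabled while {clear} is on: enable {secure} first, then disable {clear}")
    sftp, ssh = by_name.get("SFTP"), by_name.get("SSH")
    if sftp and sftp.enabled and not (ssh and ssh.enabled):
        findings.append("SFTP enabled without SSH: SFTP depends on the SSH service")
    for s in services:
        if s.enabled and s.name in ACL_CAPABLE and not s.acl:
            findings.append(f"{s.name} enabled with no ACL: any reachable host may attempt to log in")
        for r in s.acl:
            if r.action == "permit" and ipaddress.ip_network(r.source, strict=False).prefixlen == 0:
                findings.append(f"{s.name} ACL permits any source and therefore filters nothing")
    owners = {}                                       # port -> services listening on it
    for s in services:
        if s.enabled and s.port is not None:
            owners.setdefault(s.port, []).append(s.name)
    for port, names in owners.items():
        if len(names) > 1:
            findings.append(f"port {port} is assigned to more than one service: {', '.join(names)}")
    return findings


# Table 80 defaults; port numbers are the standard well-known ones (assumption: the page does not list them)
FACTORY_DEFAULTS = [
    Service("FTP", False, 21), Service("Telnet", True, 23), Service("SSH", False, 22),
    Service("SFTP", False), Service("HTTP", False, 80), Service("HTTPS", False, 443),
]

# Constructed hardened profile: encrypted management only, HTTPS limited to the 10.1.1.0/24 management subnet
HARDENED = [
    Service("FTP", False, 21), Service("Telnet", False, 23), Service("SSH", True, 22),
    Service("SFTP", True), Service("HTTP", False, 80),
    Service("HTTPS", True, 8443, [AclRule("permit", "10.1.1.0/24"), AclRule("deny", "0.0.0.0/0")]),
]
```

audit(FACTORY_DEFAULTS) returns the two findings about Telnet being on while SSH is off; audit(HARDENED) returns none. Note that Table 80 binds an ACL only to FTP, HTTP and HTTPS, so in this model SSH stays reachable from any source even in the hardened profile and must be restricted by other means if that matters.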


Diagnostic tools

Ping

You can use the ping function to check whether a device with a specified address is reachable, and to examine network connectivity.

A successful execution of the ping command involves the following steps:

1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.

2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.

3. The source device displays related statistics after receiving the reply.

The ping command produces the following output:

• You can ping a destination by host name or IP address. If the host name cannot be resolved, a prompt is displayed.

• If the source device does not receive an ICMP echo reply within the timeout period, it displays a prompt and the statistics for the ping operation. If it receives an ICMP echo reply within the timeout period, it displays the number of bytes in the echo reply, the message sequence number, the Time to Live (TTL), the response time, and the statistics for the ping operation. The statistics include the number of packets sent, the number of echo replies received, the percentage of packets lost, and the minimum, average, and maximum response time.

Trace route

By using the trace route command, you can display the Layer 3 devices involved in delivering a packet from source to destination. This function is useful for identifying failed nodes in the event of a network failure.

The trace route command involves the following steps in its execution:

1. The source device sends a packet with a TTL value of 1 to the destination device.

2. The first hop (the Layer 3 device that first receives the packet) responds by sending a TTL-expired ICMP message to the source, with its IP address encapsulated. In this way, the source device can get the address of the first Layer 3 device.

3. The source device sends a packet with a TTL value of 2 to the destination device.

4. The second hop responds with a TTL-expired ICMP message, which gives the source device the address of the second Layer 3 device.

5. This process continues until the ultimate destination device is reached. In this way, the source device can trace the addresses of all the Layer 3 devices involved to get to the destination device.

You can run trace route against a destination host name or IP address. If the host name cannot be resolved, a prompt is displayed.
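The following Python simulation, added here and not part of the guide, walks probes of increasing TTL through a constructed path so the mechanism in the steps above can be seen end to end, including what happens when an intermediate device does not send ICMP TTL-expired messages (that hop shows as an asterisk) and when the destination does not send ICMP destination unreachable messages (the trace never terminates and runs to the maximum TTL). The hop addresses are constructed values; the two flags on Hop stand for the ip ttl-expires enable and ip unreachables enable commands named in the trace route NOTE later in this chapter.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    ip: str
    ttl_expires_enabled: bool = True     # sends ICMP time exceeded when it decrements TTL to 0
    unreachables_enabled: bool = True    # sends ICMP port unreachable (relevant on the destination only)


def forward(routers, dest, ttl):
    """Carry one UDP probe along the path; return (replying IP or None, reply type or None)."""
    for router in routers:
        ttl -= 1                                   # each Layer 3 device decrements TTL
        if ttl == 0:
            if router.ttl_expires_enabled:
                return router.ip, "ttl-expired"
            return None, None                      # hop silently drops the probe
    if dest.unreachables_enabled:                  # probe reached the destination's unused UDP port
        return dest.ip, "port-unreachable"
    return None, None


def traceroute(routers, dest, max_ttl=30):
    """Return [(ttl, ip or "*")] and stop at the first port-unreachable reply."""
    result = []
    for ttl in range(1, max_ttl + 1):
        ip, kind = forward(routers, dest, ttl)
        result.append((ttl, ip if ip else "*"))
        if kind == "port-unreachable":
            break
    return result


if __name__ == "__main__":
    path = [Hop("10.1.1.2"), Hop("10.2.2.2", ttl_expires_enabled=False)]
    for ttl, ip in traceroute(path, Hop("3.1.1.1"), max_ttl=5):
        print(ttl, ip)
```

A hop that prints as an asterisk is not necessarily down: it may simply have ICMP TTL-expired messages disabled, which is why the NOTE asks for them to be enabled before troubleshooting.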


Ping operation

IPv4 ping operation

1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.

2. Click the expansion button before Advanced Setup to display the configurations of the advanced parameters of IPv4 ping operation, as shown in Figure 195.

Figure 195 IPv4 ping configuration page

3. Enter the IPv4 address or host name of the destination device in the Destination IP address or host name field.

4. Set the advanced parameters for the IPv4 ping operation.

5. Click Start to execute the ping command.

6. View the result in the Summary field.


Figure 196 IPv4 ping operation results

IPv6 ping operation

1. Select Diagnostic Tools > Ping from the navigation tree.

2. Enter the IPv6 ping configuration page (default setting).

3. Expand Advanced Setup to display the configurations of the advanced parameters of IPv6 ping operation, as shown in Figure 197.


Figure 197 IPv6 ping

4. Enter the IPv6 address or host name of the destination device in the Destination IP address or host name field.

5. Set the advanced parameters for the IPv6 ping operation.

6. Click Start to execute the ping command.

7. View the result in the Summary field, as shown in Figure 198.


Figure 198 IPv6 ping operation results

Trace route operation

NOTE:

• The web interface does not support trace route on IPv6 addresses.

• Before performing the trace route operation, execute the ip ttl-expires enable command on the intermediate devices to enable sending of ICMP TTL-expired (time exceeded) packets, and the ip unreachables enable command on the destination device to enable sending of ICMP destination unreachable packets. A hop that does not send these packets produces no reply in the trace.

1. Select Diagnostic Tools > Trace Route from the navigation tree.

2. Click the Trace Route tab to enter the Trace Route configuration page, as shown in Figure 199.


Figure 199 Trace Route configuration page

3. Enter the destination IP address or host name.

4. Click Start to execute the trace route command.

5. View the result in the Summary field, as shown in Figure 200.

Figure 200 Trace route operation results


AP configuration

The AP configuration module allows you to perform the following configurations:

• Establish a connection between AC and AP

• Configure auto AP

• Configure an AP group

AC-AP connection

An AP and an AC establish a tunnel connection based on UDP.

An AP uses a data tunnel to encapsulate data packets to be sent to the AC. These packets can be raw 802.11 packets or 802.11 to 802.3 translated packets. An AC provides a control tunnel to support remote AP configuration and management, and WLAN and mobile management.

The AC can dynamically configure an AP based on the information provided by the administrator.

Auto AP

The auto AP feature allows an AP to connect to an AC automatically. When you deploy a wireless network with many APs, the auto AP function saves you from entering the serial ID of every AP, which simplifies configuration.

AP group

Some wireless service providers need to control the access positions of clients. For example, as shown in Figure 201, to meet security or billing needs, wireless clients 1, 2, and 3 must connect to the wired network through APs 1, 2, and 3 respectively. To achieve this, you can configure an AP group that the clients can be associated with and then apply the AP group in a user profile.

Figure 201 Client access control


Configuring an AP

Creating an AP

1. Select AP > AP Setup from the navigation tree.

2. Click Add to enter the page for adding an AP.

Figure 202 Adding an AP

3. Create the AP as described in Table 81.

4. Click Apply.

Table 81 Configuration items

Item Description

AP Name AP name.

Model AP model.

Serial ID

• Auto—If selected, the AC automatically searches the AP serial ID. This function is used together with the auto AP function. For how to configure auto AP, see "Configuring auto AP."

• Manual—If this mode is selected, you need to type an AP serial ID.

Configuring an AP

1. Select AP > AP Setup from the navigation tree.

2. Click the icon corresponding to the target AP to enter the page for configuring an AP.


Figure 203 AP setup

3. Configure the AP as described in Table 82.

4. Click Apply.

Table 82 Configuration items

Item Description

AP Name Display the name of the AP selected.

Radio Number Select the number of the radios on the AP. The value depends on the AP model.

Radio Type

Select the radio type, which can be one of the following values:

• 802.11a

• 802.11b

• 802.11g

• 802.11n (2.4 GHz)

• 802.11n (5 GHz)

The value depends on the AP model and radio type.

Serial ID

Set a serial ID for the AP.

• Auto—If selected, the AP serial ID is found automatically. This option is used together with the auto AP function. For how to configure auto AP, see "Configuring auto AP."

• Manual—You need to enter an AP serial ID.

IMPORTANT:

The serial ID is the unique identity of the AP. If the AP has connected to the AC, changing or deleting its serial ID renders the tunnel down and the AP needs to discover the AC to connect again.

Description Description of the AP.


Item Description

District Code

By default, no district code is configured for an AP, which uses the global district code. An AP configured with a district code uses its own district code rather than the global one. For how to configure the global district code, see "Advanced settings".

IMPORTANT:

Some ACs and fit APs use locked district codes. Which code is used is determined as follows:

• An AC's locked district code cannot be changed, and all managed fit APs whose district codes are not locked must use the AC's locked district code.

• A fit AP's locked district code cannot be changed, and the fit AP can only use that district code.

• If an AC and a managed fit AP use different locked district codes, the fit AP uses its own locked district code.

Configuring advanced settings

1. Select AP > AP Setup from the navigation tree.

2. Click the icon corresponding to the target AP.

3. On the page that appears, expand Advanced Setup to enter the page for advanced AP setup.

Figure 204 Advanced setup

4. Configure advanced settings for the AP as described in Table 83.

5. Click Apply.


Table 83 Configuration items

Item Description

AP Connection Priority

AP connection priority.

Specify the AP connection priority on the AC. For more information, see "AP connection priority configuration example." It can also be used together with the backup function. For more information, see "Advanced settings."

Broadcast Probe

• Enable—The AP responds to broadcast probe requests, that is, probe requests whose SSID field is null (the kind a client sends when it scans for any network).

• Disable—The AP does not respond to broadcast probe requests; it responds only to probe requests that carry the specified SSID.

By default, this option is enabled.

Disabling broadcast probe responses only hides the SSID from clients that scan for any network. It is not an access control: the SSID still appears in the directed probe requests and association requests of clients that already know it, and can be read off the air.

Configuration File

Specify the name of a configuration file in the storage medium and map it to the AP.

When local forwarding is enabled, you can use the configuration file to configure the AP. For example, when you configure a user profile when local forwarding is enabled, you must write the user profile, QoS policy, and ACL commands to the configuration file, and download the configuration file to the AP.

IMPORTANT:

The commands in the configuration file must be in their complete form.

Jumbo Frame Size

Set the maximum size of jumbo frames.

When this function is enabled, the AC can send frames whose size does not exceed the maximum size to the AP.

By default, the AC cannot send jumbo frames to the AP.

AP Echo Interval

Set the interval for sending echo requests.

There is a keep-alive mechanism between the AP and the AC to confirm whether the tunnel is working. An AP periodically sends echo requests to the AC, and the AC responds with echo responses, which indicates that the tunnel is up.

Client Alive Time

Set the client keep alive interval.

The keep-alive mechanism is used to detect clients segregated from the system due to various reasons such as power failure or crash, and disconnect them from the AP.

By default, the client keep-alive functionality is disabled.

Client Free Time Maximum interval for which the link between the AP and a client can be idle.

Backup AC IPv4 Address

Set the IPv4 address of the backup AC for the AP.

If you configure the global backup AC information both in Advanced Setup > AC Backup and AP > AP Setup, the configuration in AP > AP Setup takes precedence. For more information about AC backup, see "Advanced settings."

Backup AC IPv6 Address

Set the IPv6 address of the backup AC for the AP.

AP CAR Select this box to configure CAR for the AP.

By default, no CAR is set for an AP.


Item Description

Remote AP

• Enable—Enable the remote AP function. • Disable—Disable the remote AP function.

By default, the remote AP function is disabled.

With this function enabled, when the tunnel between the AP and AC is terminated, the AP automatically enables local forwarding (despite whether or not local forwarding is configured on the AC) to provide wireless access for logged-in clients but not allow new clients. When a tunnel is established between the AP and AC again, the AP automatically switches to the centralized forwarding mode and logs off all clients on the remote AP.

IMPORTANT:

If a tunnel has been established between the remote AP and AC, when the tunnel between the AP and AC is terminated, the remote AP uses the backup tunnel to provide wireless access for logged-in clients. For more information about AC backup, see "Advanced settings."

CIR Committed information rate, in kbps.

CBS Committed burst size, in bits.

By default, the CBS is the amount of traffic transmitted in 500 ms at the CIR. For example, if the CIR is 100 (kbps), the default CBS is 50000 bits, or 6250 bytes.
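The CIR/CBS relationship for AP CAR, as an added Python example that is not H3C's implementation: a token bucket refilled at the CIR and capped at the CBS, with the default CBS computed as the table states (500 ms of traffic at the CIR, so a CIR of 100 kbps gives 50000 bits, or 6250 bytes). Frame sizes and arrival times are constructed; the point the run shows is that a bucket that starts full lets a burst of up to CBS through before the CIR takes over.

```python
def default_cbs_bits(cir_kbps):
    """Default CBS: the number of bits sent in 500 ms at the CIR (CIR given in kbps)."""
    return cir_kbps * 1000 // 2


class TokenBucket:
    """Single-rate policer: tokens (in bits) refill at the CIR and are capped at the CBS."""

    def __init__(self, cir_kbps, cbs_bits=None):
        self.cir_bps = cir_kbps * 1000
        self.cbs = default_cbs_bits(cir_kbps) if cbs_bits is None else cbs_bits
        self.tokens = float(self.cbs)      # bucket starts full, so an initial burst up to CBS conforms
        self.last = 0.0                    # time of the previous refill, in seconds

    def offer(self, size_bytes, now):
        """Return "conform" if the frame fits the tokens available at `now`, else "exceed"."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir_bps)
        self.last = now
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return "conform"
        return "exceed"                    # with CAR this frame would be dropped or re-marked


def police(cir_kbps, arrivals, cbs_bits=None):
    """arrivals: list of (time_seconds, frame_size_bytes) in time order; returns one verdict per frame."""
    bucket = TokenBucket(cir_kbps, cbs_bits)
    return [bucket.offer(size, t) for t, size in arrivals]


if __name__ == "__main__":
    # constructed traffic: seven 1000-byte frames at t=0, two more 100 ms later, CIR = 100 kbps
    burst = [(0.0, 1000)] * 7 + [(0.1, 1000)] * 2
    print(default_cbs_bits(100), police(100, burst))
```

With CIR = 100 kbps the default bucket holds 6250 bytes, so six 1000-byte frames conform at t=0 and the seventh exceeds; 100 ms later 10000 bits have been refilled, enough for exactly one more frame.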

Configuring auto AP

Enabling auto AP

1. Select Advance > Auto AP from the navigation tree.

Figure 205 Configuring auto AP

2. Enable auto AP as described in Table 84.


Table 84 Configuration items

Item Description

Auto AP

• Enable—Enable the auto AP function. You must also select Auto from the Serial ID list on the AP setup page to use the auto AP function.

• Disable—Disable the auto AP function.

By default, the auto AP function is disabled.

IMPORTANT:

Leave auto AP enabled only while you are bringing APs online. While it is on, the AC accepts APs whose serial IDs it has not been given in advance, so H3C recommends that you disable the auto AP function once you have finished using it.

Renaming an AP

1. After enabling auto AP, click Refresh.

2. To modify the automatically found AP name, click the icon in the Operation column.

Figure 206 Renaming an AP

3. On the page that appears, rename the AP as described in Table 85.

4. Click Apply.

Table 85 Configuration items

Item Description

Old AP Name Display the name of the automatically discovered AP.

AP Rename Select the AP Rename check box, and type the new AP name.

For the example of configuring auto AP, see "Access service configuration."

Batch switch

If you do not need to modify the automatically found AP names, select the AP Name box, and then click Transmit All AP to complete the auto AP setup.


Configuring an AP group

Creating an AP group

1. Select AP > AP Group from the navigation tree.

2. Click Add.

Figure 207 Creating an AP group

3. Create the AP group as described in Table 86.

Table 86 Configuration items

Item Description

AP Group ID AP group ID.

The value range varies with devices. For more information, see "Feature matrixes."

Configuring an AP group

1. Select AP > AP Group from the navigation tree.

2. Click the icon corresponding to the target AP group to enter the page for configuring an AP group.

Figure 208 Configuring an AP group


3. Configure the AP group as described in Table 87.

4. Click Apply.

Table 87 Configuration items

Item Description

AP Group ID Display the ID of the selected AP group.

Description Select this option to configure a description for the AP group.

Exist AP List

Set the APs in the AP group.

• To add APs to the Selected AP List, click the APs to be added to the AP group in the AP List area, and click the > button.

• To delete APs from the AP group, select the APs to be deleted in the Selected AP List, and click the < button.

The APs to be added to the AP group must first be created by selecting AP > AP Setup.

Applying the AP group

Select Authentication > Users from the navigation tree to apply the AP group. For the related configuration, see "Users."

AP connection priority configuration example

Network requirements

Configure a higher AP connection priority on AC 1 to enable the AP to establish a connection with AC 1.

Figure 209 Network diagram

Configuring AC 1

1. Configure AP-related information:

For the detailed configuration, see "Access service configuration."

2. Configure an AP connection priority:

a. Select AP > AP Setup from the navigation tree.

b. Click the icon corresponding to the target AP to enter the AP setup page.

(Figure 209 labels: AC 1, AC 2, Switch, AP, Client)


c. Expand Advanced Setup to enter the page shown in Figure 210 and set the AP connection priority to 6.

d. Click Apply.

Figure 210 Configuring AP connection priority

Configuring AC 2

1. Configure AP-related information:

For the detailed configuration, see "Access service configuration."

2. Configure AP connection priority:

Use the default AP connection priority on AC 2.

Verifying the configuration

A higher AP connection priority is configured on AC 1, so the AP must establish a connection with AC 1.


Configuring access services

Wireless Local Area Networks (WLANs) provide the following services:

• Connectivity to the Internet

• Secured WLAN access with different authentication and encryption methods

• Seamless roaming of WLAN clients in a mobility domain

Access service overview

Terminology

Wireless client

A handheld computer or laptop with a wireless Network Interface Card (NIC) or a terminal supporting WiFi can be a WLAN client.

Access point (AP)

An AP bridges frames between wireless and wired networks.

Access controller (AC)

An AC can control and manage APs associated with it in a WLAN. The AC communicates with an authentication server for WLAN client authentication.

SSID

The service set identifier. A client scans all networks at first, and then selects a specific SSID to connect to a specific wireless network.

Client access

A client access process involves three steps: active/passive scanning of surrounding wireless services, authentication, and association, as shown in Figure 211.


Figure 211 Establishing a client access

Scanning

Wireless clients can get the surrounding wireless network information in two ways, active scanning and passive scanning. With active scanning, a wireless client actively sends probe requests during scanning, and receives probe responses. With passive scanning, a wireless client listens to Beacon frames sent by surrounding APs.

A wireless client usually uses both passive scanning and active scanning to get information about surrounding wireless networks.

1. Active scanning

When a wireless client operates, it periodically searches for (that is, scans) surrounding wireless networks. Active scanning falls into two modes according to whether a specified SSID is carried in a probe request.

• Mode 1—A client sends a probe request without any SSID on supported channels to scan wireless networks. APs that receive the probe request frame send a probe response frame. The client associates with the AP with the strongest signal.

Figure 212 Active scanning (no SSID in the probe request)

• Mode 2—When a wireless client is configured to access a specific wireless network or has already been connected to a wireless network, the client periodically sends a probe request carrying the specified SSID. When an AP that can provide the wireless service with the specified SSID receives the probe request, it sends a probe response. This active scanning mode enables a client to access a specified wireless network. The active scanning process is as shown in Figure 213.

(Figure 212 elements: Client, AP 1, AP 2, AC 1, AC 2; the client sends a probe request with no SSID to each AP, and each AP returns a probe response)


Figure 213 Active scanning (the probe request carries the specified SSID AP 1)

2. Passive scanning

Passive scanning is used by clients to discover surrounding wireless networks by listening to the beacon frames periodically sent by APs. All APs providing wireless services periodically send beacon frames, so wireless clients can listen to beacon frames on the supported channels to get information about surrounding wireless networks. A client uses passive scanning when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode. The passive scanning process is shown in Figure 214.

Figure 214 Passive scanning

Authentication

To secure wireless links, wireless clients must be authenticated before accessing an AP. 802.11 defines two authentication mechanisms: open system authentication and shared key authentication.

• Open system authentication

Open system authentication is the default authentication algorithm. This is the simplest of the available authentication algorithms. Essentially it is a null authentication algorithm. Any client that requests authentication with this algorithm can become authenticated. Open system authentication is not required to be successful as an AP may decline to authenticate the client. Open system authentication involves a two-step authentication process. In the first step, the wireless client sends a request for authentication. In the second step, the AP returns the result to the client.


Figure 215 Open system authentication process

• Shared key authentication

Figure 216 shows a shared key authentication process. The two parties have the same shared key configured.

a. The client sends an authentication request to the AP.

b. The AP randomly generates a challenge and sends it to the client.

c. The client uses the shared key to encrypt the challenge and sends it to the AP.

d. The AP uses the shared key to encrypt the challenge and compares the result with that received from the client. If they are identical, the client passes the authentication. If not, the authentication fails.

Figure 216 Shared key authentication process

Association

A client that wants to access a wireless network through an AP must be associated with that AP. After the client chooses a compatible network with the specified SSID and authenticates to an AP, it sends an association request frame to the AP. The AP sends an association response to the client and adds the client's information to its database. A client can associate with only one AP at a time. An association process is always initiated by the client, never by the AP.

WLAN data security

Compared with wired networks, WLANs are more susceptible to attacks because all WLAN devices share the same medium and thus every device can receive data from any other sending device. If no security service is provided, plain-text data is transmitted over the WLAN.

To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices without the right key cannot read encrypted data.

(Figure 215 elements: Client, AP, AC; the client sends an authentication request and the AP returns an authentication response)


1. WEP encryption

Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream encryption algorithm) for confidentiality. WEP encryption falls into static and dynamic encryption according to how a WEP key is generated.

• Static WEP encryption

With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers can read all encrypted data. In addition, periodic manual key updates impose a heavy management workload.

• Dynamic WEP encryption

Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.

Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.

2. TKIP encryption

Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP and provides more secure protection for WLANs, as follows:

First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the RC4 algorithm with a 128-bit key, and increases the length of IVs from 24 bits to 48 bits.

Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.

Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system may be under attack. If two packets fail the MIC within a certain period, the AP automatically takes countermeasures: it stops providing services for a certain period to prevent attacks.

3. CCMP encryption

Counter mode with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block cipher in CCMP uses a 128-bit key and a 128-bit block size. Like TKIP, CCMP includes a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During encryption, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different PN, which improves security to a certain extent.
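The following added example (not H3C code) models the receiver-side replay check that the 48-bit PN described above makes possible, together with the CCM nonce the PN is part of; the nonce layout (priority octet, transmitter address, PN) is my summary of IEEE 802.11 and is not stated on this page, and the frames are constructed tuples rather than real MPDUs.

```python
# Added example, not H3C code: the per-key 48-bit packet number (PN) replay
# check that a CCMP receiver applies. The 13-byte CCM nonce layout (priority
# octet, transmitter address A2, PN) follows IEEE 802.11 and is my summary,
# not taken from this page. Frames below are constructed tuples.

PN_BITS = 48
PN_MAX = (1 << PN_BITS) - 1


def ccmp_nonce(priority: int, transmitter_addr: bytes, pn: int) -> bytes:
    """Build the 13-byte CCM nonce: priority nibble, 6-byte A2, 6-byte PN (big-endian).

    Because the PN is part of the nonce, every MPDU protected under one key
    uses a different nonce, which is what keeps CTR-mode keystream from repeating.
    """
    if len(transmitter_addr) != 6:
        raise ValueError("transmitter address must be 6 bytes")
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN must fit in 48 bits")
    return bytes([priority & 0x0F]) + transmitter_addr + pn.to_bytes(6, "big")


def rekey_required(pn: int) -> bool:
    """The PN must never wrap under one key; rekey before it reaches 2^48 - 1."""
    return pn >= PN_MAX


class CcmpReplayCheck:
    """Per-(transmitter, priority) replay counter kept by the receiver."""

    def __init__(self):
        self._last_pn = {}  # (transmitter_addr, priority) -> last accepted PN

    def accept(self, transmitter_addr: bytes, priority: int, pn: int) -> bool:
        """Return True only if the PN is strictly higher than the last accepted one."""
        key = (transmitter_addr, priority & 0x0F)
        last = self._last_pn.get(key)
        if last is not None and pn <= last:
            return False  # replayed or reordered frame: discard it
        self._last_pn[key] = pn
        return True


# Constructed sample: (transmitter address, priority, PN), in receive order.
TA = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    (TA, 0, 1),
    (TA, 0, 2),
    (TA, 0, 2),   # exact replay of the previous frame
    (TA, 0, 1),   # old frame replayed later
    (TA, 1, 1),   # different priority: separate counter, so accepted
    (TA, 0, 3),
]


def filter_frames(frames):
    """Run the replay check over a frame sequence; return the accept/drop decisions."""
    check = CcmpReplayCheck()
    return [check.accept(ta, prio, pn) for ta, prio, pn in frames]


if __name__ == "__main__":
    for frame, ok in zip(SAMPLE_FRAMES, filter_frames(SAMPLE_FRAMES)):
        print("priority", frame[1], "PN", frame[2], "accepted" if ok else "dropped (replay)")
```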

Client access authentication

1. PSK authentication

To implement PSK authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.

2. 802.1X authentication


As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.

Administrators of access devices can choose RADIUS or local authentication to work with 802.1X for authenticating users. For more information about remote/local 802.1X authentication, see "802.1X configuration."

3. MAC authentication

MAC authentication authenticates users based on ports and MAC addresses. You can configure permitted MAC address lists to filter clients by MAC address. However, efficiency drops as the number of clients increases. Therefore, MAC authentication is applicable to environments without high security requirements, for example, SOHO and small offices.

MAC authentication falls into two modes:

• Local MAC authentication—When this authentication mode is adopted, you need to configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request is denied.

Figure 217 Local MAC authentication

• Remote MAC authentication—Remote Authentication Dial-In User Service (RADIUS) based MAC authentication. If the device finds that the current client is an unknown client, it sends an unsolicited authentication request to the RADIUS server. After the client passes authentication, it can access the WLAN with the corresponding authorization information.

(Figure 217 elements: AC, L2 switch, AP; clients 0009-5bcf-cce3, 0011-9548-4007, and 001a-9228-2d3e; permitted MAC address list: 0009-5bcf-cce3, 0011-9548-4007, 000f-e200-00a2)


Figure 218 Remote MAC authentication

When a RADIUS server is used for MAC authentication, you can specify a domain for each wireless service, and thus send MAC authentication information of different SSIDs to different remote RADIUS servers.

802.11n

As the next-generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher throughput by using the following methods:

1. Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately with one acting as the primary channel and the other acting as the secondary channel or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.

2. Improving channel utilization through the following ways:

802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MAC Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the transmission overhead and the number of ACK frames needed, and thus improves network throughput.

Similar to MPDU aggregation, multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.

To improve physical layer performance, 802.11n introduces the short GI function, which shortens the guard interval (GI) from 800 us in 802.11a/g to 400 us. This can increase the data rate by 10 percent.


Configuring access service

Recommended configuration procedure

1. Creating a WLAN service: Required.

2. Configuring wireless service (configuring clear type wireless service or configuring crypto type wireless service): Required. Use either approach. Complete the security settings as needed.

3. Enabling a wireless service: Required.

4. Binding an AP radio to a wireless service: Required.

5. Enabling a radio: Optional.

6. Displaying the detailed information of a wireless service: Optional.

Creating a WLAN service

1. Select Wireless Service > Access Service from the navigation tree.

Figure 219 Configuring access service

2. Click Add.

Figure 220 Creating a wireless service

3. Configure the wireless service as described in Table 88.

4. Click Apply.


Table 88 Configuration items

Wireless Service Name: Set the Service Set Identifier (SSID), a case-sensitive string of 1 to 32 characters, which can include letters, digits, underscores, and spaces.
An SSID should be as unique as possible. For security, the SSID should not contain the company name. However, a long random string is not recommended either, because it only adds payload to the header field without improving wireless security.

Wireless Service Type: Select the wireless service type:
• clear—Indicates the SSID will not be encrypted.
• crypto—Indicates the SSID will be encrypted.

Configuring clear type wireless service

Configuring basic settings for a clear type wireless service

NOTE:

Before configuring a clear-type wireless service, disable it first and then click the corresponding icon.

1. Select Wireless Service > Access Service from the navigation tree.

2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring wireless service.

Figure 221 Configuring clear type wireless service

3. Configure basic settings for the clear type wireless service as described in Table 89.

4. Click Apply.

Table 89 Configuration items

Wireless Service: Displays the selected Service Set Identifier (SSID).

VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.

Default VLAN: Set the default VLAN of the port. By default, the default VLAN of all ports is VLAN 1. After you set a new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.

Delete VLAN: Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.

SSID HIDE:
• Enable—Disable the advertisement of the SSID in beacon frames.
• Disable—Enable the advertisement of the SSID in beacon frames.
By default, the SSID is advertised in beacon frames.
IMPORTANT:
• If the advertising of the SSID in beacon frames is disabled, the SSID must be configured on the clients for them to associate with the AP.
• Disabling the advertising of the SSID in beacon frames does little good to wireless security. Allowing the advertising of the SSID in beacon frames enables a client to discover an AP more easily.

Configuring advanced settings for the clear type wireless service

1. Select Wireless Service > Access Service from the navigation tree.

2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring advanced settings for a clear type wireless service.

Figure 222 Advanced settings for the clear type wireless service

3. Configure advanced settings for the clear type wireless service as described in Table 90.

4. Click Apply.


Table 90 Configuration items

Local Forwarding: Local forwarding enables an AP to forward data frames between clients. In a centralized WLAN architecture, an AP transparently transmits data frames to an AC for processing. As the number of clients increases, so does the forwarding load on the AC. With local forwarding enabled, the AP, rather than the AC, forwards client data, greatly reducing the load on the AC.
• Enable—If local forwarding is enabled, data frames from an associated station are forwarded by the AP itself.
• Disable—If local forwarding is disabled, data frames from an associated station are handled by the AC.

Local Forwarding VLAN: Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.

Client Max Users: Maximum number of clients of an SSID that can be associated with the same radio of the AP.
IMPORTANT: When the number of clients of an SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

Management Right: Web interface management right of online clients.
• Disable—Disable the web interface management right of online clients.
• Enable—Enable the web interface management right of online clients.

MAC VLAN:
• Enable—Enable the MAC VLAN feature for the wireless service.
• Disable—Disable the MAC VLAN feature for the wireless service.
IMPORTANT: Enable the MAC VLAN feature before binding an AP radio to a VLAN, the step that enables AP-based access VLAN recognition.

Fast Association:
• Enable—Enable fast association.
• Disable—Disable fast association.
By default, fast association is disabled.
When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.

Configuring security settings for a clear type wireless service

1. Select Wireless Service > Access Service from the navigation tree.

2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring security settings for the clear type wireless service.


Figure 223 Security settings for the clear-type wireless service

3. Configure security settings for the clear type wireless service as described in Table 91.

4. Click Apply.

Table 91 Configuration items

Authentication Type: For the clear type wireless service, you can select Open-System only.

Port Mode:
• mac-authentication—Perform MAC address authentication on users.
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure—In this mode, MAC-based 802.1X authentication is performed for users; multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-ext—In this mode, a port performs 802.1X authentication on users in MAC-based mode and supports multiple 802.1X users.
TIP:
There are multiple security modes. To remember them easily, follow these rules to understand the parts of the port security mode names:
• userLogin indicates port-based 802.1X authentication.
• mac indicates MAC address authentication.
• The authentication mode before Else is used preferentially. If that authentication fails, the authentication after Else may be used, depending on the protocol type of the packets to be authenticated.
• The authentication mode before Or and that after Or have the same priority. The device determines the authentication mode according to the protocol type of the packets to be authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
• userLogin together with Secure indicates MAC-based 802.1X authentication.
• A security mode with Ext allows multiple 802.1X users to pass the authentication. A security mode without Ext allows only one 802.1X user to pass the authentication.

Max User: Maximum number of users that can be connected to the network through a specific port.

a. Configure mac-authentication


Figure 224 mac-authentication port security configuration page

Table 92 Configuration items

Port Mode: mac-authentication—MAC-based authentication is performed on access users.
Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User: Control the maximum number of users allowed to access the network through the port.

MAC Authentication: Select MAC Authentication.

Domain: Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

b. Configure userlogin-secure/userlogin-secure-ext


Figure 225 userlogin-secure/userlogin-secure-ext port security configuration page (userlogin-secure is taken for example)

Table 93 Configuration items

Port Mode:
• userlogin-secure—Perform MAC-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

Max User: Control the maximum number of users allowed to access the network through the port.

Mandatory Domain: Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Authentication Method:
• EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication.
• CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. Therefore, this method is safer.
• PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.

Handshake:
• Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
• Disable—Disable the online user handshake function.

Multicast Trigger:
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
IMPORTANT: For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

c. Configure the other four port security modes

Figure 226 Port security configuration page for the other four security modes (mac-else-userlogin-secure is taken for example)


Table 94 Configuration items

Port Mode:
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User: Control the maximum number of users allowed to access the network through the port.

Mandatory Domain: Select an existing domain from the list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication, authorization, and accounting.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

Authentication Method:
• EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication.
• CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. Therefore, this method is safer.
• PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.

Handshake:
• Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
• Disable—Disable the online user handshake function.

Multicast Trigger:
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
IMPORTANT: For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

MAC Authentication: Select MAC Authentication.

Domain: Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Configuring crypto type wireless service

Configuring basic settings for a crypto type wireless service

1. Select Wireless Service > Access Service from the navigation tree.

2. Click the icon corresponding to the target crypto type wireless service to enter the page for configuring wireless service.

Figure 227 Crypto type wireless service

3. Configure basic settings for the crypto type wireless service as described in Table 89.

4. Click Apply.


Configuring advanced settings for a crypto type wireless service

1. Select Wireless Service > Access Service from the navigation tree.

2. Click the icon corresponding to the target crypto type wireless service to enter the page for configuring wireless service.

Figure 228 Advanced settings for the crypto type wireless service

3. Configure advanced settings for the crypto type wireless service as described in Table 95.

4. Click Apply.

Table 95 Configuration items

Item Description

Local Forwarding

Local forwarding enables an AP to forward data frames between clients. In a centralized WLAN architecture, an AP transparently transmits data frames to an AC for processing. As the number of clients increases, the forwarding load of the AC also increases. With local forwarding enabled, the AP, rather than the AC, forwards client data, greatly reducing the load of the AC.

• Enable—If local forwarding is enabled, data frames from an associated station will be forwarded by the AP itself.

• Disable—If local forwarding is disabled, data frames from an associated station will be handled by the AC.

Local Forwarding VLAN

Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.


Client Max Users

Maximum number of clients of an SSID to be associated with the same radio of the AP.

IMPORTANT:

When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

PTK Life Time

Set the pairwise transient key (PTK) lifetime. A PTK is generated through a four-way handshake.

TKIP CM Time

Set the TKIP countermeasure time.

By default, the TKIP countermeasure time is 0 seconds, that is, the TKIP countermeasure policy is disabled.

Message integrity check (MIC) is designed to avoid hacker tampering. It uses the Michael algorithm and is extremely secure. When MIC failures occur, the data may have been tampered with, and the system may be under attack. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, the TKIP associations are disassociated and no new associations are allowed within the TKIP countermeasure time.

Management Right

Web interface management right of online clients.

• Disable—Disable the web interface management right of online clients.

• Enable—Enable the web interface management right of online clients.

MAC VLAN

• Enable—Enable the MAC VLAN feature for the wireless service.

• Disable—Disable the MAC VLAN feature for the wireless service.

IMPORTANT:

Before you bind an AP radio to a VLAN (the step that enables AP-based access VLAN recognition), enable the MAC VLAN feature first.

Fast Association

• Enable—Enable fast association.

• Disable—Disable fast association.

By default, fast association is disabled.

When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.

GTK Rekey Method

An AC generates a group transient key (GTK) and sends it to a client through the group key handshake or the 4-way handshake during the authentication process between an AP and the client. The client uses the GTK to decrypt broadcast and multicast packets.

• If Time is selected, the GTK will be refreshed after a specified period of time.

• If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.

By default, the GTK rekeying method is time-based, and the interval is 86400 seconds.

GTK User Down Status

Enable refreshing the GTK when a client goes offline.

By default, the GTK is not refreshed when a client goes offline.
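The TKIP countermeasure policy from the TKIP CM Time item above, modelled as a small state machine so the trigger and hold-off behaviour can be replayed against an event timeline; this is an added example, not H3C code. It assumes that the "specified time" window is the countermeasure time itself, that the trigger is a third MIC failure inside one window, and that a countermeasure time of 0 disables the policy as the item states.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple


class TkipCountermeasure:
    """Model of the TKIP countermeasure policy described in the TKIP CM Time item.

    cm_time is the configured TKIP countermeasure time in seconds; 0 (the default)
    disables the policy. More than two MIC failures inside one cm_time window
    trigger countermeasures: existing TKIP associations are dropped and new
    associations are refused until the countermeasure time has elapsed.
    """

    def __init__(self, cm_time: float) -> None:
        self.cm_time = cm_time
        self.failures: Deque[float] = deque()     # timestamps of recent MIC failures
        self.blocked_until: Optional[float] = None

    def mic_failure(self, now: float) -> bool:
        """Record a MIC failure at time `now`; return True when countermeasures start."""
        if self.cm_time <= 0:
            return False                          # policy disabled: failure only logged
        while self.failures and now - self.failures[0] > self.cm_time:
            self.failures.popleft()               # forget failures outside the window
        self.failures.append(now)
        if len(self.failures) > 2:                # third failure within cm_time
            self.blocked_until = now + self.cm_time
            self.failures.clear()
            return True
        return False

    def association_allowed(self, now: float) -> bool:
        """New TKIP associations are refused while the countermeasure timer runs."""
        return self.blocked_until is None or now >= self.blocked_until


def replay(events: List[Tuple[float, str]], cm_time: float) -> List[str]:
    """Replay (time, event) pairs through the policy; one outcome string per event."""
    cm = TkipCountermeasure(cm_time)
    outcomes: List[str] = []
    for t, ev in events:
        if ev == "mic-failure":
            outcomes.append("disassociate-all" if cm.mic_failure(t) else "logged")
        elif ev == "assoc-request":
            outcomes.append("accepted" if cm.association_allowed(t) else "refused")
        else:
            raise ValueError(f"unknown event {ev!r}")
    return outcomes


# Constructed event timeline in seconds, not a capture from a real AC.
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0.0, "mic-failure"),
    (10.0, "mic-failure"),
    (20.0, "assoc-request"),   # only two failures so far: still accepted
    (30.0, "mic-failure"),     # third failure within 60 s: countermeasures start
    (45.0, "assoc-request"),   # refused until t = 90
    (95.0, "assoc-request"),   # timer expired: accepted again
]

if __name__ == "__main__":
    for (t, ev), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, 60)):
        print(f"t={t:5.1f}s {ev:14s} -> {outcome}")
```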


Configuring security settings for a crypto type wireless service

1. Select Wireless Service > Access Service from the navigation tree.

2. Click the icon corresponding to the target crypto type wireless service to enter the page for configuring crypto type wireless service.

Figure 229 Security settings for the crypto type wireless service

3. Configure security settings for the crypto type wireless service as described in Table 96.

4. Click Apply.

Table 96 Configuration items

Item Description

Authentication Type

• Open-System—No authentication. With this authentication mode enabled, all the clients will pass the authentication.

• Shared-Key—The two parties need to have the same shared key configured for this authentication mode. You can select this option only when WEP encryption mode is used.

• Open-System and Shared-Key—It indicates that you can select both open-system and shared-key authentication.

IMPORTANT:

WEP encryption can be used together with open system and shared-key authentication.

• Open system authentication—When this authentication mode is used, a WEP key is used for encryption only. If the two parties do not use the same key, a wireless link can still be established, but all data will be discarded.

• Shared-key authentication—When this authentication mode is used, a WEP key is used for both authentication and encryption. If the two parties do not use the same key, the client cannot pass the authentication, and thus cannot access the wireless network.


Cipher Suite

Encryption mechanisms supported by the wireless service, which can be:

• AES-CCMP—Encryption mechanism based on the AES encryption algorithm.

• TKIP—Encryption mechanism based on the RC4 algorithm and dynamic key management.

• AES-CCMP and TKIP—It indicates that you can select both CCMP and TKIP encryption.

Security IE

Wireless service type (IE information carried in the beacon or probe response frame):

• WPA—Wi-Fi Protected Access.

• RSN—An RSN is a security network that allows only the creation of robust security network associations (RSNAs). It provides greater protection than WEP and WPA.

• WPA and RSN—It indicates that you can select both WPA and RSN.

Encryption

Provide Key Automatically

• Enable—A WEP key is dynamically assigned.

• Disable—A static WEP key is used.

By default, a static WEP key is used.

When you enable this function, the WEP option is automatically set to wep104.

IMPORTANT:

• This function must be used together with 802.1X authentication.

• With dynamic WEP encryption configured, the WEP key used to encrypt unicast frames is negotiated between client and server. If the WEP default key is configured, the WEP default key is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.

WEP

• wep40—Indicates the WEP40 key option.

• wep104—Indicates the WEP104 key option.

• wep128—Indicates the WEP128 key option.

Key ID

• 1—Key index 1.

• 2—Key index 2.

• 3—Key index 3.

• 4—Key index 4.

There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index will be used for encrypting and decrypting broadcast and multicast frames.

Key Length

Key length.

• For wep40, the key is a string of 5 alphanumeric characters or a 10-digit hexadecimal number.

• For wep104, the key is a string of 13 alphanumeric characters or a 26-digit hexadecimal number.

• For wep128, the key is a string of 16 alphanumeric characters or a 32-digit hexadecimal number.

WEP Key

Configure the WEP key.


Port Security

See Table 91.

Parameters such as authentication type and encryption type determine the port mode. For more information, see Table 99.

After you select the Cipher Suite option, the following three port security modes are added:

• mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

• psk—An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.

• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

a. Configure mac and psk

Figure 230 mac and psk port security configuration page

Table 97 Configuration items

Item Description

Port Mode

mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User

Control the maximum number of users allowed to access the network through the port.

MAC Authentication

Select MAC Authentication.


Domain

Select an existing domain from the list.

The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.

• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Pre-shared Key

• pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be displayed and is of 8 to 63 characters.

• raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.

b. Configure psk

Figure 231 psk port security configuration page

Table 98 Configuration items

Item Description

Port Mode

psk—An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.

Max User

Control the maximum number of users allowed to access the network through the port.

Pre-shared Key

• pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be displayed and is of 8 to 63 characters.

• raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.

c. Configure userlogin-secure-ext

Perform the configurations as shown in Configure userlogin-secure/userlogin-secure-ext.


Security parameter dependencies

For a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are as shown in Table 99.

Table 99 Security parameter dependencies

Columns: Service type, Authentication mode, Encryption type, Security IE, WEP encryption/key ID, Port mode.

Service type: Clear
Authentication mode: Open-System
Encryption type: Unavailable
Security IE: Unavailable
WEP encryption/key ID: Unavailable
Port mode:
• mac-authentication
• mac-else-userlogin-secure
• mac-else-userlogin-secure-ext
• userlogin-secure
• userlogin-secure-ext
• userlogin-secure-or-mac
• userlogin-secure-or-mac-ext

Service type: Crypto
Authentication mode: Open-System
Encryption type: Selected
Security IE: Required
WEP encryption/key ID: WEP encryption is available. The key ID can be 2, 3, or 4.
Port mode:
• mac and psk
• psk
• userlogin-secure-ext

Service type: Crypto
Authentication mode: Open-System
Encryption type: Unselected
Security IE: Unavailable
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, or 3.
Port mode:
• mac-authentication
• userlogin-secure
• userlogin-secure-ext

Service type: Crypto
Authentication mode: Shared-Key
Encryption type: Unavailable
Security IE: Unavailable
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3 or 4.
Port mode:
• mac-authentication

Service type: Crypto
Authentication mode: Open-System and Shared-Key
Encryption type: Selected
Security IE: Required
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3 or 4.
Port mode:
• mac and psk
• psk
• userlogin-secure-ext

Service type: Crypto
Authentication mode: Open-System and Shared-Key
Encryption type: Unselected
Security IE: Unavailable
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3 or 4.
Port mode:
• mac-authentication
• userlogin-secure
• userlogin-secure-ext
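A configuration-audit check that encodes the crypto-type rows of Table 99 together with the Key Length rules (Table 96) and the Pre-shared Key forms (Tables 97 and 98), so a service's settings can be tested for consistency before they are applied; this is an added example, not H3C code and not the AC's own validation logic. The CryptoService record, the rule tables and the problem strings are assumptions made for the example, and raw-key is read as 64 hexadecimal digits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Key Length item: permitted key sizes per WEP option (ASCII characters, hex digits).
WEP_KEY_LENGTHS = {"wep40": (5, 10), "wep104": (13, 26), "wep128": (16, 32)}

# Table 99, crypto-type rows, keyed by (Authentication Type, Cipher Suite selected).
# Value: (Security IE, WEP encryption, permitted key IDs, permitted port modes).
# ("Shared-Key", True) has no row because the cipher suite is unavailable there.
TABLE_99 = {
    ("Open-System", True): ("required", "available", {2, 3, 4},
                            {"mac and psk", "psk", "userlogin-secure-ext"}),
    ("Open-System", False): ("unavailable", "required", {1, 2, 3},
                             {"mac-authentication", "userlogin-secure",
                              "userlogin-secure-ext"}),
    ("Shared-Key", False): ("unavailable", "required", {1, 2, 3, 4},
                            {"mac-authentication"}),
    ("Open-System and Shared-Key", True): ("required", "required", {1, 2, 3, 4},
                                           {"mac and psk", "psk",
                                            "userlogin-secure-ext"}),
    ("Open-System and Shared-Key", False): ("unavailable", "required", {1, 2, 3, 4},
                                            {"mac-authentication", "userlogin-secure",
                                             "userlogin-secure-ext"}),
}
AUTH_TYPES = {auth for auth, _ in TABLE_99}
PSK_PORT_MODES = {"psk", "mac and psk"}   # modes whose Pre-shared Key item applies


@dataclass
class CryptoService:
    """Hypothetical record of the Table 96 items of one crypto-type wireless service."""
    auth_type: str                      # Authentication Type
    cipher_suite_selected: bool         # Cipher Suite box checked (AES-CCMP/TKIP)
    port_mode: str                      # Port Security > Port Mode
    security_ie: Optional[str] = None   # "WPA", "RSN" or "WPA and RSN"
    wep: Optional[str] = None           # "wep40", "wep104" or "wep128"
    key_id: Optional[int] = None        # Key ID 1-4
    wep_key: Optional[str] = None
    psk_form: Optional[str] = None      # "pass-phrase" or "raw-key"
    psk: Optional[str] = None


def wep_key_problems(wep: str, key: Optional[str]) -> List[str]:
    """Check a static WEP key against the Key Length rule for its WEP option."""
    if wep not in WEP_KEY_LENGTHS:
        return [f"unknown WEP option {wep!r}"]
    if key is None:
        return [f"{wep} selected but no WEP key configured"]
    ascii_len, hex_len = WEP_KEY_LENGTHS[wep]
    if (re.fullmatch(rf"[A-Za-z0-9]{{{ascii_len}}}", key)
            or re.fullmatch(rf"[0-9A-Fa-f]{{{hex_len}}}", key)):
        return []
    return [f"{wep} key must be {ascii_len} alphanumeric characters or "
            f"{hex_len} hexadecimal digits (got {len(key)} characters)"]


def psk_problems(form: Optional[str], psk: Optional[str]) -> List[str]:
    """Check a Pre-shared Key entry: pass-phrase of 8 to 63 displayable characters,
    or raw-key of 64 hexadecimal digits (assumed reading of the page's '64-bit')."""
    if psk is None:
        return ["PSK port mode selected but no pre-shared key configured"]
    if form == "pass-phrase":
        if 8 <= len(psk) <= 63 and psk.isascii() and psk.isprintable():
            return []
        return ["pass-phrase must be 8 to 63 displayable characters"]
    if form == "raw-key":
        if re.fullmatch(r"[0-9A-Fa-f]{64}", psk):
            return []
        return ["raw-key must be 64 hexadecimal digits"]
    return [f"unknown pre-shared key form {form!r}"]


def validate(svc: CryptoService) -> List[str]:
    """Return every dependency the service violates; an empty list means consistent."""
    if svc.auth_type not in AUTH_TYPES:
        return [f"unknown authentication type {svc.auth_type!r}"]
    row = TABLE_99.get((svc.auth_type, svc.cipher_suite_selected))
    if row is None:
        return [f"Cipher Suite cannot be selected with {svc.auth_type} authentication"]
    ie_rule, wep_rule, key_ids, port_modes = row
    problems: List[str] = []
    if ie_rule == "required" and svc.security_ie is None:
        problems.append("Security IE is required when a cipher suite is selected")
    if ie_rule == "unavailable" and svc.security_ie is not None:
        problems.append("Security IE is unavailable without a cipher suite")
    if wep_rule == "required" and svc.wep is None:
        problems.append(f"WEP encryption is required for {svc.auth_type}")
    if svc.wep is not None:
        problems += wep_key_problems(svc.wep, svc.wep_key)
        if svc.key_id not in key_ids:
            problems.append(f"key ID must be one of {sorted(key_ids)}, got {svc.key_id}")
    if svc.port_mode not in port_modes:
        problems.append(f"port mode {svc.port_mode!r} not permitted here; "
                        f"allowed: {sorted(port_modes)}")
    if svc.port_mode in PSK_PORT_MODES:
        problems += psk_problems(svc.psk_form, svc.psk)
    return problems
```

The WPA-PSK service from the configuration example later in this chapter (Open-System, cipher suite selected, WPA, port mode psk, pass-phrase 12345678) validates with no problems.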

Enabling a wireless service

1. Select Wireless Service > Access Service from the navigation tree.


Figure 232 Enabling a wireless service

2. Select the wireless service to be bound.

3. Click Enable.

Binding an AP radio to a wireless service

Binding an AP radio to a wireless service

1. Select Wireless Service > Access Service from the navigation tree.

2. Click the icon corresponding to the target wireless service to enter the page for binding an AP radio to a wireless service.

Figure 233 Binding an AP radio to a wireless service

3. Select the AP radio to be bound.

4. Click Bind.

A configuration progress dialog box appears.

5. After the configuration process is complete, click Close.

Binding an AP radio to a VLAN

Traffic of different services is identified by SSIDs. Locations are identified by APs. Users at different locations access different services. For a user roaming between different APs, you can provide services for the user based on its access AP. The detailed requirements are as follows:

• Users with the same SSID but accessing through different APs can be assigned to different VLANs based on their configurations.

• A roaming user always belongs to the same VLAN.

• For a user roaming between ACs, if the local AC does not have a VLAN-interface, the user needs to use an HA in the AC group for forwarding packets to avoid packet loss.


Figure 234 Schematic diagram for WLAN support for AP-based access VLAN recognition

As shown in Figure 234, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1 roams within an AC or between ACs, Client 1 always belongs to VLAN 3. When Client 1 roams between ACs, if FA, that is, AC 2, has VLAN-interface 3, AC 2 forwards packets from Client 1. Otherwise, packets from Client 1 are sent to HA (AC 1) through the data tunnel and then HA forwards these packets.

Client 2 goes online through AP 4 and belongs to VLAN 2. That is, a client going online through a different AP is assigned to a different VLAN.

1. Select Wireless Service > Access Service from the navigation tree.

2. Click the icon corresponding to the target wireless service to enter the AP radio setup page, as shown in Figure 233.

3. Select the box corresponding to the AP radio mode to be bound.

4. Enter the VLAN to be bound in the Binding VLAN field.

5. Click Bind.

Enabling a radio

1. Select Radio > Radio from the navigation tree.



Figure 235 Enabling 802.11n radio

2. Select the box of the target radio.

3. Click Enable.

A configuration progress dialog box appears.

4. After the configuration process is complete, click Close.

Displaying the detailed information of a wireless service

Displaying the detailed information of a clear-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.

2. Click the specified clear-type wireless service to see its detailed information.

Figure 236 Displaying the detailed information of a clear-type wireless service


Table 100 Field description

Field Description

Service Template Number

Current service template number.

SSID

Service set identifier.

Binding Interface

Name of the WLAN-ESS interface bound with the service template.

Service Template Type

Service template type.

Authentication Method

Type of authentication used.

A clear-type wireless service can use only Open System authentication.

SSID-hide

• Disable—Indicates that SSID advertisement is enabled.

• Enable—Indicates that SSID advertisement is disabled, that is, the AP does not advertise the SSID in the beacon frames.

Bridge Mode

Forwarding mode, which can be:

• Local Forwarding—Use the local forwarding mode.

• Remote Forwarding—Use the remote forwarding mode, that is, use the AC to forward data.

Service Template Status

Service template status, which can be:

• Enable—Indicates that the wireless service is enabled.

• Disable—Indicates that the wireless service is disabled.

Maximum clients per BSS

Maximum number of associated clients per BSS.

Displaying the detailed information of a crypto-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.

2. Click a crypto-type wireless service to see its detailed information.


Figure 237 Displaying the detailed information of a crypto-type wireless service

Table 101 Field description

Field Description

Service Template Number

Current service template number.

SSID

Service set identifier.

Binding Interface

Name of the WLAN-ESS interface bound with the service template.

Service Template Type

Service template type.

Security IE

Security IE, which can be WPA or WPA2.

Authentication Method

Type of authentication used, which can be Open System or Shared Key.

SSID-hide

• Disable—Indicates that SSID advertisement is enabled.

• Enable—Indicates that SSID advertisement is disabled, that is, the AP does not advertise the SSID in the beacon frames.

Cipher Suite

Cipher suite, which can be CCMP, TKIP, or WEP40/WEP104/WEP128.

WEP Key Index

WEP key index used for encrypting or decrypting frames.

WEP Key Mode

WEP key mode:

• HEX—WEP key in hexadecimal format.

• ASCII—WEP key in string format.

WEP Key

WEP key.

TKIP Countermeasure Time(s)

TKIP MIC failure holdtime, in seconds.

PTK Life Time(s)

PTK lifetime in seconds.


GTK Rekey

GTK rekey configured.

GTK Rekey Method

GTK rekey method configured, which can be:

• Time-based, which displays the GTK rekey time in seconds.

• Packet-based, which displays the number of packets.

GTK Rekey Time

Time for GTK rekey in seconds.

Bridge Mode

Forwarding mode, which can be:

• Local Forwarding—Use the local forwarding mode.

• Remote Forwarding—Use the remote forwarding mode, that is, use the AC to forward data.

Service Template Status

Service template status, which can be:

• Enable—Indicates that the wireless service is enabled.

• Disable—Indicates that the wireless service is disabled.

Maximum clients per BSS

Maximum number of associated clients per BSS.

Wireless service configuration example

Network requirements

As shown in Figure 238, an AP is required to enable employees to access the internal resources at any time. More specifically:

• An AC and the AP (serial ID 210235A29G007C000020) are connected through a Layer 2 switch.

• The AP provides clear type wireless access service with SSID service1.

• 802.11n (2.4GHz) radio mode is adopted.

Figure 238 Network diagram

Configuring the AC

1. Create an AP:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, and enter the serial ID of the AP.

d. Click Apply.


Figure 239 Creating an AP

2. Configure a wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the service name to service1 and select the wireless service type clear.

d. Click Apply.

Figure 240 Creating a wireless service

3. Enable the wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. On the page that appears, select the service1 box and click Enable.

Figure 241 Enabling wireless service

4. Bind an AP radio to a wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click the icon corresponding to the wireless service service1.


c. On the page that appears, select the box before ap with radio type 802.11n(2.4GHz).

d. Click Bind.

Figure 242 Binding an AP radio

5. Enable 802.11n(2.4GHz) radio

a. Select Radio > Radio from the navigation tree.

b. Select the box before ap with the radio mode 802.11n(2.4GHz).

c. Click Enable.

Figure 243 Enabling 802.11n(2.4GHz) radio

Verifying the configuration

• The client can successfully associate with the AP and access the WLAN network.

• You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.


Figure 244 Viewing the online clients

Configuration guidelines

Select a correct district code.

Auto AP configuration example

Network requirements

As shown in Figure 245, enable the auto-AP function to enable APs to automatically connect to the AC.

• The AP provides a clear type wireless service with the SSID service1.

• 802.11n(2.4GHz) radio mode is adopted.

Figure 245 Network diagram

Configuring the AC

1. Create an AP:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID auto, and click Apply.


Figure 246 Creating an AP

2. Configure a wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the service name to service1, select the wireless service type clear, and click Apply.

Figure 247 Creating a wireless service

3. Enable the wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Select the service1 box.

c. Click Enable.

Figure 248 Enabling the wireless service

4. Bind an AP to a wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click the icon corresponding to the wireless service service1.


c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz), and click Bind.

Figure 249 Binding an AP

d. To view the AP status, select AP > AP Setup from the navigation tree. You can see that the AP is in IDLE state.

Figure 250 AP status before auto AP is enabled

5. Enable auto AP

a. Select AP > Auto AP from the navigation tree.

b. Select enable.

c. Click Apply.

Figure 251 Configuring auto AP

d. To view the automatically found AP (ap_0001), click Refresh.


Figure 252 Viewing the automatically found AP

6. Rename the automatically found AP

If you do not need to rename the automatically found AP, select the ap_0001 box, and then click Transmit All AP.

To rename the automatically found AP:

a. Select AP > Auto AP from the navigation tree.

b. Click the icon of the target AP.

c. On the page that appears, select AP Rename and enter ap1.

d. Click Apply.

Figure 253 Modifying the AP name

e. To view the renamed AP, select AP > AP Setup from the navigation tree.


Figure 254 Displaying AP

7. Enable 802.11n(2.4GHz) radio

a. Select Radio > Radio from the navigation tree.

b. Select the box of the target AP.

c. Click Enable.

Verifying the configuration

• You can see that the AP is in the Run state on the page you enter by selecting AP > AP Setup from the navigation tree.

• The client can successfully associate with the AP and access the WLAN network.

• You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.


Figure 255 Viewing the online clients

Configuration guidelines

Follow these guidelines when you configure an auto AP:

• Select a correct district code.

• Select the renamed AP (ap1 in the example) rather than the auto AP (ap in the example) when enabling the radio. If you enable the radio of the automatically found AP, the radios of all the automatically found APs are enabled.

802.11n configuration example

Network requirements

As shown in Figure 256, deploy an 802.11n network to provide high bandwidth access for multi-media applications.

• The AP provides a plain-text wireless service with SSID service.

• 802.11gn is adopted to inter-work with the existing 802.11g network and protect the current investment.

Figure 256 Network diagram


Configuring the AC

1. Create an AP:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to 11nap, select the AP model WA22610E-AGN, select the serial ID manual, enter the serial ID of the AP, and click Apply.

2. Create a wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the service name to 11nservice, select the wireless service type clear, and click Apply.

3. Enable wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Select the 11nservice box.

c. Click Enable.

4. Bind an AP radio:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click the icon corresponding to the target wireless service.

c. Select the 11nap box.

d. Click Bind.

5. Enable 802.11n(2.4GHz) radio:

a. Select Radio > Radio from the navigation tree.

b. Select the 11nap box of the target AP.

c. Click Enable.

Verifying the configuration

• The client can successfully associate with the AP and access the WLAN network.

• You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.

Figure 257 Viewing the online clients

In this example, 0014-6c8a-43ff is an 802.11g user, and 001c-f0bf-9c92 is an 802.11n user. Both of the two users can access the WLAN network because there is no limit on the user type. If you enable client 802.11n only, only 001c-f0bf-9c92 can access the WLAN network.


Configuration guidelines

Follow these guidelines when you configure 802.11n:

• Select Radio > Radio from the navigation tree, select the AP to be configured, and click the icon to enter the page for configuring a radio. Then you can modify the 802.11n parameters, including bandwidth mode, A-MPDU, A-MSDU, short GI, and whether 802.11n clients are allowed.

• Select Radio > Rate from the navigation tree to set 802.11n rates.

WPA-PSK authentication configuration example

Network requirements

As shown in Figure 258, connect the client to the wireless network through WPA-PSK authentication. The PSK key configuration on the client is the same as that on the AC: 12345678.

Figure 258 Network diagram

Configuring the AC

1. Create an AP:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.

Figure 259 Creating an AP

2. Create a wireless service

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the service name to psk, select the wireless service type crypto, and click Apply.


Figure 260 Creating a wireless service

3. Configure wireless service.

After you create a wireless service, you will enter the wireless service configuration page.

a. In the Security Setup area, select Open-System from the Authentication Type list.

b. Select the Cipher Suite box, select AES-CCMP and TKIP (select an encryption type as needed), and then select WPA from the Security IE list.

c. Select the Port Set box, and select psk from the Port Mode list.

d. Select pass-phrase from the Pre-shared Key list, and enter the key 12345678.

e. Click Apply.

Figure 261 Security setup

4. Enable wireless service.

a. Select Wireless Service > Access Service from the navigation tree.

b. Select the psk[Bind] box.

c. Click Enable.


Figure 262 Enabling wireless service

5. Bind an AP radio to a wireless service

a. Select Wireless Service > Access Service from the navigation tree.

b. Click the icon corresponding to the wireless service psk.

c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.

A configuration progress dialog box appears.

d. After the configuration progress is complete, click Close.

Figure 263 Binding an AP radio

6. Enable 802.11n(2.4GHz) radio

a. Select Radio > Radio from the navigation tree.

b. Select the ap box before 802.11n(2.4GHz).

c. Click Enable.

A configuration progress dialog box appears.

d. After the configuration process is complete, click Close.


Figure 264 Enabling 802.11n(2.4GHz) radio

Configuring the client

1. Launch the client, and refresh the network list.

2. Select the configured service in Choose a wireless network (PSK in this example).

3. Click Connect.

4. In the popup dialog box, enter the key (12345678 in this example), and then click Connect.


Figure 265 Configuring the client

The client has the same PSK as the AP, so the client can associate with the AP.


Figure 266 The client is associated with the AP

Verifying the configuration

• The client can successfully associate with the AP and access the WLAN network.

• You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.

Local MAC authentication configuration example

Network requirements

The AC is connected to the AP through a Layer 2 switch, and they are in the same network. Perform MAC authentication on the client.

Figure 267 Network diagram

Configuring the AC

1. Create an AP:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.


c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.

Figure 268 Creating an AP

2. Create a wireless service

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the service name to mac-auth, select the wireless service type clear, and click Apply.

Figure 269 Creating a wireless service

3. Configure the wireless service:

After you have created a wireless service, you enter the wireless service configuration page.

a. In the Security Setup area, select Open-System from the Authentication Type list.

b. Select the Port Set box, and select mac-authentication from the Port Mode list.

c. Select the MAC Authentication box, and select system from the Domain list.

To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a domain name in the Domain Name field.

d. Click Apply.


Figure 270 Security setup

4. Enable wireless service.

a. Select Wireless Service > Access Service from the navigation tree.

b. Select the mac-auth box.

c. Click Enable.

Figure 271 Enabling wireless service

5. Configure a MAC authentication list


a. Select Wireless Service > Access Service from the navigation tree.

b. Click MAC Authentication List.

c. On the page that appears, enter the MAC address of the client to be allowed in the MAC Address field (0014-6c8a-43ff in this example).

d. Click Add.

Figure 272 Adding a MAC authentication list

6. Bind an AP radio to a wireless service

a. Select Wireless Service > Access Service from the navigation tree.

b. Click the icon corresponding to the wireless service mac-auth.

c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.

A configuration progress dialog box appears.

d. After the configuration process is complete, click Close.

Figure 273 Binding an AP radio

7. Enable 802.11n(2.4GHz) radio

a. Select Radio > Radio from the navigation tree.

b. Select the ap 802.11n(2.4GHz) box of the target AP.


c. Click Enable.

A configuration progress dialog box appears.

d. After the configuration process is complete, click Close.

Figure 274 Enabling 802.11n(2.4GHz) radio

Configuring the client

1. Launch the client, and refresh the network list.

2. Select the configured service in Choose a wireless network (mac-auth in this example).

3. Click Connect.

If the MAC address of the client is in the MAC authentication list, the client passes MAC authentication and can access the wireless network; a client with any other MAC address is rejected. Keep in mind that a MAC address is trivially spoofed, so MAC authentication identifies a device rather than a user, and a clear-type service provides no encryption over the air.


Figure 275 Configuring the client

Verifying the configuration

• The client can successfully associate with the AP and access the WLAN network.

• You can view the online clients on the page you enter by selecting Summary > Client.

Remote MAC authentication configuration example

Network requirements

As shown in Figure 276, perform remote MAC authentication on the client.

• Use the intelligent management center (IMC) as the RADIUS server for authentication, authorization, and accounting (AAA). On the RADIUS server, configure the client's username and password as the MAC address of the client and the shared key as expert. The IP address of the RADIUS server is 10.18.1.88.

• The IP address of the AC is 10.18.1.1. On the AC, configure the shared key for communication with the RADIUS server as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server.


Figure 276 Network diagram

Configuring the AC

1. Assign an IP address to the AC:

a. Select Network > VLAN to create a VLAN on the AC.

b. Select Device > Interface Management to assign an IP address to the VLAN interface.

2. Configure a RADIUS scheme:

a. Select Authentication > RADIUS from the navigation tree.

b. Click Add.

c. On the page that appears, add two servers in the RADIUS Server Configuration area (the authentication server and the accounting server, both at 10.18.1.88), and specify the key expert for each. This key must be identical to the shared key configured for the access device on the RADIUS server.

d. Enter mac-auth in the Scheme Name field.

e. Select Extended as the server type.

f. Select Without domain name from the Username Format List.

g. Click Apply.


Figure 277 Configuring RADIUS

3. Configure AAA:

a. From the navigation tree, select Authentication > AAA.

b. Optional: On the Domain Setup tab, create a new ISP domain.

This example uses the default domain system.

c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme mac-auth from the Name list, and click Apply.

A configuration progress dialog box appears.

d. After the configuration process is complete, click Close.


Figure 278 Configuring the AAA authentication method for the ISP domain

e. On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme mac-auth from the Name list, and click Apply.

A configuration progress dialog box appears.

f. After the configuration process is complete, click Close.

Figure 279 Configuring the AAA authorization method for the ISP domain

g. On the Accounting tab, select the ISP domain system, select the Accounting Optional box, and select Enable from the Accounting Optional list, select the LAN-access Accounting box, select the accounting method RADIUS, select the accounting scheme mac-auth from the Name list, and click Apply.

A configuration progress dialog box appears.

h. After the configuration process is complete, click Close.


Figure 280 Configuring the AAA accounting method for the ISP domain

4. Create an AP:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.

Figure 281 AP setup

5. Configure wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the wireless service name to mac-auth, select the wireless service type clear, and click Apply.


Figure 282 Creating a wireless service

6. Configure MAC authentication:

After you create a wireless service, the wireless service configuration page appears.

a. In the Security Setup area, select Open-System from the Authentication Type list.

b. Select the Port Set box, and select mac-authentication from the Port Mode list.

c. Select the MAC Authentication box, and select system from the Domain list.

d. Click Apply.

A configuration progress dialog box appears.

e. After the configuration process is complete, click Close.

Figure 283 Security setup

7. Enable the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.

b. On the page that appears, select the mac-auth box.

c. Click Enable.

A configuration progress dialog box appears.

d. After the configuration process is complete, click Close.

Figure 284 Enabling the wireless service

8. Bind an AP radio to the wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click the icon corresponding to the wireless service mac-auth.

c. Select the box of the AP with the radio mode 802.11n(2.4GHz).

d. Click Bind.

A configuration progress dialog box appears.

e. After the configuration process is complete, click Close.

Figure 285 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:

a. Select Radio > Radio from the navigation tree.

b. Select the ap 802.11n(2.4GHz) box of the target AP.


c. Click Enable.

A configuration progress dialog box appears.

d. After the configuration process is complete, click Close.

Figure 286 Enabling 802.11n(2.4GHz) radio

Configuring the RADIUS server (IMCv3)

NOTE:

The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.

1. Add an access device.

a. Click the Service tab in the IMC Platform.

b. Select Access Service > Access Device from the navigation tree.

c. Click Add.

d. On the page that appears, add expert for Shared Key, add ports 1812 and 1813 for Authentication Port and Accounting Port respectively, select LAN Access Service for Service Type, select H3C for Access Device Type, select or manually add an access device with the IP address 10.18.1.1, and click Apply.


Figure 287 Adding access device

2. Add service.

a. Click the Service tab.

b. Select Access Service > Access Device from the navigation tree.

c. Click Add.

d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.

Figure 288 Adding service

3. Add account.

a. Click the User tab.

b. Select User > All Access Users from the navigation tree.

c. Click Add.

d. On the page that appears, enter a username 00146c8a43ff, add an account and password 00146c8a43ff, select the service mac, and click Apply.


Figure 289 Adding account

Configuring the RADIUS server (IMC v5)

NOTE:

The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.

1. Add an access device.

a. Click the Service tab in the IMC Platform.

b. Select User Access Manager > Access Device Management from the navigation tree.

c. Click Add.

d. On the page that appears, enter the shared key expert (it must be the same key as in the RADIUS scheme on the AC), keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.

Figure 290 Adding access device

2. Add service.

a. Click the Service tab.


b. Select User Access Manager > Service Configuration from the navigation tree.

c. Click Add.

d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.

Figure 291 Adding service

3. Add an account.

a. Click the User tab.

b. Select User > All Access Users from the navigation tree to enter the user page.

c. Click Add.

d. On the page that appears, enter username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.

Figure 292 Adding account

Verifying the configuration

• During authentication, the user does not need to enter the username or password. After passing MAC authentication, the client can associate with the AP and access the WLAN.

• You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
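The exchange that the AC and the RADIUS server perform in this example, as an added illustration that is not part of the H3C guide and is not IMC's code: a Python model of the Access-Request the AC's RADIUS scheme sends (MAC address as User-Name and User-Password, domain name stripped) and of the server-side check against an account whose name and password are both the MAC. The packet framing and password hiding follow RFC 2865; the MAC normalisation rule, the attribute set, and the in-memory account table are my assumptions. Nothing is sent on the network.

```python
"""Added example (not from the H3C guide or IMC): the RADIUS exchange behind
remote MAC authentication, built and checked in memory. Framing follows
RFC 2865; the MAC-normalisation rule and the account table are assumptions."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def mac_username(mac: str, strip_domain: bool = True) -> str:
    """'0014-6c8a-43ff', '00:14:6C:8A:43:FF' or '0014-6c8a-43ff@system' ->
    '00146c8a43ff', the form the IMC account uses (assumed rule). With
    strip_domain=False the '@domain' suffix stays, which is what the AC sends
    unless the scheme's username format is 'Without domain name'."""
    addr, _, domain = mac.partition("@")
    hexdigits = "".join(ch for ch in addr if ch not in ":-.")
    if len(hexdigits) != 12 or any(ch not in "0123456789abcdefABCDEF" for ch in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    user = hexdigits.lower()
    return user if strip_domain or not domain else f"{user}@{domain}"


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous
    chunk); the first chunk uses MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, mask))
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, mac: str, secret: bytes, *, nas_ip: str = "10.18.1.1",
                         strip_domain: bool = True, req_auth: bytes = None) -> bytes:
    """AC side: Access-Request carrying the MAC as User-Name and User-Password."""
    req_auth = req_auth or os.urandom(16)          # fresh Request Authenticator
    user = mac_username(mac, strip_domain).encode()
    password = mac_username(mac).encode()          # the password is the bare MAC
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(CALLING_STATION_ID, mac.partition("@")[0].encode()))  # format is vendor-specific
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(packet: bytes) -> dict:
    attrs, pos, length = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        kind, size = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + size]
        pos += size
    return attrs


def server_handle(request: bytes, secret: bytes, accounts: dict) -> bytes:
    """Server side: account name and password are both the MAC, as configured
    in IMC above. A wrong shared key does not fail loudly: the password just
    decodes to garbage and the client is rejected."""
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if accounts.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes here
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def ac_verify_reply(request: bytes, reply: bytes, secret: bytes) -> bool:
    """AC side: trust a reply only if its Response Authenticator used our key."""
    if reply[1] != request[1]:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return reply[4:20] == expected


def authenticate(mac: str, ac_secret: bytes, server_secret: bytes, accounts: dict,
                 *, strip_domain: bool = True, req_auth: bytes = None) -> bool:
    request = build_access_request(7, mac, ac_secret, strip_domain=strip_domain, req_auth=req_auth)
    reply = server_handle(request, server_secret, accounts)
    return ac_verify_reply(request, reply, ac_secret) and reply[0] == ACCESS_ACCEPT


# Constructed account table: the example client's MAC as both name and password.
ACCOUNTS = {"00146c8a43ff": b"00146c8a43ff"}

if __name__ == "__main__":
    print("keys match, known MAC:", authenticate("0014-6c8a-43ff", b"expert", b"expert", ACCOUNTS))
    print("server key 12345678  :", authenticate("0014-6c8a-43ff", b"expert", b"12345678", ACCOUNTS))
    print("domain not stripped  :", authenticate("0014-6c8a-43ff@system", b"expert", b"expert",
                                                 ACCOUNTS, strip_domain=False))
```

Running the model shows the three ways this setup fails silently in practice: a shared key that differs between the AC and the server (the password decodes to garbage and the reply's Response Authenticator does not verify), a username sent with its domain suffix when the account was created without one, and a MAC that was never added. Note also that the shared key protects only the hidden password and the reply; an Access-Request carries no integrity check of its own unless a Message-Authenticator attribute (RFC 3579) is added, and the hiding is MD5-based, so RADIUS traffic between the AC and the server belongs on an isolated management network.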


Remote 802.1X authentication configuration example

Network requirements

Perform remote 802.1X authentication on the client.

• Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.

• On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.

Figure 293 Network diagram

Configuring the AC

1. Assign an IP address to the AC:

a. Select Network > VLAN to create a VLAN on the AC.

b. Select Device > Interface Management to assign an IP address to the VLAN interface.

2. Configure a RADIUS scheme:

a. Select Authentication > RADIUS from the navigation tree.

b. Click Add.

c. On the page that appears, add two servers in the RADIUS Server Configuration area (the authentication server and the accounting server, both at 10.18.1.88), and specify the key expert for each.

d. Enter 802.1x in the Scheme Name field.

e. Select the server type Extended, and select Without domain name from the Username Format list.

f. Click Apply.


Figure 294 Configuring RADIUS

3. Configure AAA

a. Select Authentication > AAA from the navigation tree.

b. Optional: On the Domain Setup tab, create a new ISP domain.

This example uses the default domain system.

c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme 802.1x from the Name list, and click Apply.

Figure 295 Configuring the AAA authentication method for the ISP domain


d. On the Authorization tab, select the domain name system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme 802.1x from the Name list, and click Apply.

Figure 296 Configuring the AAA authorization method for the ISP domain

e. On the Accounting tab, select the ISP domain name system, select the Accounting Optional box and then select Enable from the Accounting Optional list, select the LAN-access Accounting box, select the accounting method RADIUS, select the accounting scheme 802.1x from the Name list, and click Apply.

Figure 297 Configuring the AAA accounting method for the ISP domain

4. Create an AP.

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.


Figure 298 AP setup

5. Configure wireless service

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the service name to dot1x, select the wireless service type crypto, and click Apply.

Figure 299 Creating a wireless service

6. Configure 802.1X authentication.

After you create a wireless service, the wireless service configuration page appears.

a. In the Security Setup area, select Open-System from the Authentication Type list, select the Cipher Suite box, select AES-CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.

b. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.

c. Select system from the Mandatory Domain list.

d. Select EAP from the Authentication Method list.

e. Disable Handshake and Multicast Trigger (recommended).

f. Click Apply.

g. A progress dialog box appears. During the process, another dialog box appears asking you whether to enable EAP authentication. Click OK.

h. After the configuration progress is complete, click Close.


Figure 300 Security setup

7. Enable the wireless service

a. Select Wireless Service > Access Service from the navigation tree.

b. On the page that appears, select the dot1x box and click Enable.

Figure 301 Enabling the wireless service

8. Bind an AP radio to the wireless service.

a. Select Wireless Service > Access Service from the navigation tree.

b. Click the icon corresponding to the wireless service dot1x.

c. Select the box of the AP with the radio mode 802.11n(2.4GHz).

d. Click Bind.


A configuration progress dialog box appears.

e. After the configuration process is complete, click Close.

Figure 302 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio

a. Select Radio > Radio from the navigation tree.

b. Select the box of the target AP.

c. Click Enable.

A configuration progress dialog box appears.

d. After the configuration process is complete, click Close.

Figure 303 Enabling 802.11n(2.4GHz) radio

Configuring the RADIUS server (IMCv3)

NOTE:

The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.

1. Add access device.


a. Click the Service tab in the IMC management platform.

b. Select Access Service > Access Device from the navigation tree.

c. Click Add.

d. On the page that appears, enter the shared key expert, enter the authentication and accounting ports 1812 and 1813, select LAN Access Service from the Service Type list, select H3C from the Access Device Type list, select or manually add an access device with the IP address 10.18.1.1, and click Apply.

Figure 304 Adding access device

2. Add service.

a. Click the Service tab.

b. Select Access Service > Access Device from the navigation tree.

c. Click Add.

d. On the page that appears, set the service name to dot1x, and set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.


Figure 305 Adding service

3. Add account.

a. Click the User tab.

b. Select User > All Access Users from the navigation tree.

c. Click Add.

d. On the page that appears, enter a username user, add an account user and password dot1x, and select the service dot1x, and click Apply.

Figure 306 Adding account


Configuring the RADIUS server (IMC v5)

NOTE:

The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.

1. Add an access device.

a. Click the Service tab in the IMC platform.

b. Select User Access Manager > Access Device Management from the navigation tree.

c. Click Add.

d. On the page that appears, enter the shared key expert (it must be the same key as in the RADIUS scheme on the AC), keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.

Figure 307 Adding access device

2. Add a service.

a. Click the Service tab.

b. Select User Access Manager > Service Configuration from the navigation tree.

c. Click Add.

d. On the page that appears, set the service name to dot1x, and set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.


Figure 308 Adding a service

3. Add an account.

a. Click the User tab.

b. Select User > All Access Users from the navigation tree.

c. Click Add.

d. On the page that appears, enter username user, set the account name to user and password to dot1x, and select the service dot1x, and click Apply.

Figure 309 Adding account

Configuring the wireless client

1. Double click the icon at the bottom right corner of your desktop.

The Wireless Network Connection Status window appears.

2. Click Properties in the General tab.

The Wireless Network Connection Properties window appears.


3. In the Wireless Networks tab, select wireless network with the SSID dot1x, and then click Properties.

The dot1x Properties window appears.

4. In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.

5. In the popup window, clear Validate server certificate, and click Configure. Clearing this option is acceptable only for a lab test: without server certificate validation the client completes PEAP with any RADIUS server that presents a certificate, so a rogue AP can harvest the MS-CHAPv2 credential exchange. In production, keep Validate server certificate selected and trust only the CA that issued the RADIUS server certificate.

6. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).

Figure 310 Configuring the wireless client (I)

Figure 311 Configuring the wireless client (II)

Figure 312 Configuring the wireless client (III)

Verifying the configuration

• After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.

• You can view the online clients on the page you enter by selecting Summary > Client.

Dynamic WEP encryption-802.1X authentication configuration example

Network requirements

Perform dynamic WEP encryption with 802.1X authentication on the client. WEP, whether static or dynamic, is a cryptographically broken cipher; use this configuration only where legacy clients cannot do WPA2 with CCMP. More specifically,

• Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.

• On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.


Figure 313 Network diagram

Configuration procedure

1. Assign an IP address for the AC:

See "Assign an IP address to the AC."

2. Configure a RADIUS scheme:

See "Configure a RADIUS scheme."

3. Configure AAA:

See "Configure AAA."

4. Configure the AP:

See "Create an AP."

5. Create a wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the service name to dot1x, select the wireless service type crypto, and click Apply.

Figure 314 Creating a wireless service

6. Configure 802.1X authentication.

After you create a wireless service, the wireless service configuration page appears.

a. In the Security Setup area, select Open-System from the Authentication Type list.

b. Select Encryption, and select Enable from the Provide Key Automatically list.

c. Select the Cipher Suite box, select CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.

d. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.

e. Select system from the Mandatory Domain list.

f. Select EAP from the Authentication Method list.


g. Disable Handshake and Multicast Trigger (recommended).

h. Click Apply.

Figure 315 Security setup

7. Enable the wireless service.

a. Select Wireless Service > Access Service from the navigation tree.

b. On the page that appears, select the dot1x box and click Enable.

Figure 316 Enabling the wireless service

8. Bind an AP radio to the wireless service.

a. Select Wireless Service > Access Service from the navigation tree.


b. Click the icon corresponding to the wireless service dot1x.

c. On the page that appears, select the box of the AP with the radio mode 802.11n(2.4GHz) and click Bind.

Figure 317 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:

See "Enable 802.11n(2.4GHz) radio."

10. Configure the RADIUS server (IMCv3):

See "Configuring the RADIUS server (IMCv3)."

11. Configure the RADIUS server (IMCv5):

See "Configuring the RADIUS server (IMC v5)."

Configuring the wireless client

1. Double click the icon at the bottom right corner of your desktop.

The Wireless Network Connection Status window appears.

2. Click Properties.

The Wireless Network window appears.

3. Click Add.

4. Click the Association tab, and enter dot1x in the Network name (SSID) field. Make sure that you have selected The key is provided for me automatically.

Figure 318 Configuring the wireless client (I)

5. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.

6. In the popup window, clear Validate server certificate, and click Configure. As in the previous example, clear this option only for a lab test; in production, keep server certificate validation enabled so that the client does not hand its MS-CHAPv2 exchange to a rogue RADIUS server.

7. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any), and then click OK.

Figure 319 Configuring the wireless client (II)

Figure 320 Configuring the wireless client (III)

Verifying the configuration

• After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.

• You can view the online clients on the page you enter by selecting Summary > Client.


Configuring mesh services

Different from a traditional WLAN, a WLAN mesh network allows for wireless connections between APs, making the WLAN more mobile and flexible. Moreover, multi-hop wireless links can be established between APs. From the perspective of end users, a WLAN mesh network has no difference from a traditional WLAN.

Mesh overview

Basic concepts in WLAN mesh

Figure 321 Typical WLAN mesh network

As shown in Figure 321, the concepts involved in WLAN mesh are described below.

• Access controller (AC): A device that controls and manages all the APs in the WLAN.

• Mesh point (MP): A wireless AP that connects to a mesh portal point (MPP) through a wireless connection but cannot have any client attached.

• Mesh access point (MAP): An AP that provides the mesh service and the access service concurrently.

• Mesh portal point (MPP): A wireless AP that connects to the AC through a wired connection.

• Mesh link: A wireless link between MPs.



Advantages of WLAN mesh

The WLAN mesh technology allows operators to deploy wireless networks easily anywhere and at any time. WLAN mesh has the following advantages:

• High performance/price ratio—In a mesh network, only the MPPs need to connect to a wired network. Dependency on the wired network is reduced to a minimum, and the investment in wired devices, cabling, and installation is greatly reduced.

• Excellent scalability—In a mesh network, the APs automatically discover each other and initiate wireless link setup. To add new APs to the mesh network, you only need to install them and perform the related configuration.

• Fast deployment—Because only the MPPs need to connect to a wired network, WLAN mesh greatly reduces the network deployment time.

• Various application scenarios—The mesh network is applicable to enterprise, office, and campus networks, the common scenarios of traditional WLANs, and also to large warehouse, port, MAN, railway transportation, and crisis communication networks.

• High reliability—In a traditional WLAN, when the wired upstream link of an AP fails, no client associated with that AP can access the WLAN. In a mesh network, by contrast, a mesh AP has multiple wireless links through which it can reach a portal node in the wired network, which avoids a single point of failure.

Deployment scenarios

This section covers the deployment scenarios of WLAN mesh, which fall into two categories: normal networking and subway networking.

Normal WLAN mesh deployment

1. Normal fit MP scenario

As shown in Figure 322, two mesh networks are controlled by the same AC. At least one MPP in a mesh has wired connectivity with the AC. When an MP comes up, it scans the network and forms temporary connections with all available MPs in its vicinity. Such temporary connections allow the MP to connect to the AC for downloading its configurations. After downloading its configurations from the AC, the MP will establish secure connections with neighbors sharing the same pre-shared key.


Figure 322 Normal fit MP scenario

2. One fit MP with two radios, each on a different mesh

As shown in Figure 323, to avoid interference between Mesh 1 and Mesh 2, you can configure two radios on an MP, each of which is present in a different mesh network. The only constraint is that both meshes have to be managed by the same AC.

Figure 323 Two radios on different meshes

3. One fit MP with two radios on the same mesh


As shown in Figure 324, Radio 1 of MP 1 joins the mesh through the MPP. In this case, only Radio 1 can provide access for downstream MPs. Radio 2 cannot automatically access the mesh and provide the mesh service.

Figure 324 Two radios on different meshes

If an MP supports three radios, you can configure Radio 1 as the uplink interface, Radio 2 as the downlink interface, and Radio 3 as the multi-beam antenna. To utilize the dual-radio resources on MPs, you can establish the network as shown in Figure 325. In such a network, when Radio 1 of MP 1 accesses the mesh, Radio 2 on MP 1 also automatically joins the mesh. In this network, you should apply the same mesh service to both Radio 1 and Radio 2. For more information, see "Tri-radio mesh configuration example."

Figure 325 Two radios on the same mesh

Subway WLAN mesh deployment

Subways are an important means of transport in a modern city. In a subway system, control information must be sent to trains to manage them effectively and to provide services to passengers.

As shown in Figure 326, a subway WLAN mesh solution has fit MPs deployed along the rail, all managed by the same AC. A train MP (fat AP) continuously scans for new rail MPs (fit APs) and sets up active and dormant links with the rail MPs that have the best signal quality. The active mesh link carries the data, and the dormant mesh link serves as the backup link.



Figure 326 Subway deployment of mesh

The subway WLAN mesh deployment is based on the Mobile Link Switch Protocol (MLSP), which provides high-speed link switching with zero packet loss while the train is moving. The new IEEE 802.11s standard is adopted as the underlying protocol for link formation and communication between the mobile radio (MR) and the wayside AP. Train MPs are not required to act as authenticators.

WLAN mesh security

A WLAN uses the air as its communication medium, so it is exposed to malicious attacks. In a mesh network, a wireless connection passes through multiple hops, so a mesh network is more exposed still. WLAN mesh security is therefore an essential part of a mesh deployment. Security involves the encryption algorithm and the distribution and management of keys. Currently, the PSK + CCMP combination is used to secure mesh links. Because every MP in a mesh holds the same pre-shared key, the physical compromise of a single MP (for example, an AP mounted along a rail line) exposes the key for the whole mesh; choose a strong PSK and change it if an MP is lost or stolen.

Mobile link switch protocol

At any given time, an active link must be available between a rail MP and a train MP for data communication. MLSP was developed to create and break links during train movement.

As shown in Figure 327, when the train is moving, it must break the existing active link with rail MP 2 and create a new active link with another rail MP.


Figure 327 Diagram for MLSP

• Active Link: Logical link through which all data communication from/to a train MP happens.

• Dormant Link: Logical link over which no data transfer happens, but it satisfies all the criteria for becoming an active link.

MLSP advantages

• MLSP ensures that the link switch time is less than 30 ms.

• MLSP works well even if the devices get saturated at high power level.

• MLSP achieves zero packet loss during link switch.

Operation of MLSP

MLSP establishes multiple links at any given time between a train MP and multiple rail MPs to provide link redundancy, thus ensuring high performance and good robustness for the network.

The following parameters are considered by MLSP for link switch. Based on the deployment, all these parameters are tunable to achieve best results.

• Link formation RSSI/link hold RSSI—This is the minimum RSSI to allow a link to be formed and held. Therefore, the minimum RSSI must be ensured at any given point in the tunnel. Otherwise, the error rate can be very high.

• Link switch margin—If the RSSI of the new link is greater than that of the current active link by the link switch margin, active link switch occurs. This mechanism is used to avoid frequent link switch.

• Link hold time—An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switch.

• Link saturation RSSI—This is the upper limit of RSSI on the active link. If the value is reached, link switch occurs.

Formation of dormant links

A train MP performs active scanning to find neighboring rail MPs by sending probe requests at a very high rate. Based on probe responses received, the train MP forms a neighbor table.

After that, the train MP creates dormant links with rail MPs that have an RSSI value greater than the link formation RSSI.


Selection of active link

A train MP selects the active link from dormant links based on the following rules:

1. If no dormant link is available, the active link cannot be formed.

2. Active link switch will not happen within the link hold time, except under the following two conditions:

Condition 1—The active link RSSI exceeds the link saturation RSSI.

Condition 2—The active link RSSI is below the link hold RSSI.

3. When the link hold timer expires, if no dormant link has RSSI greater than the active link RSSI by the link switch margin, link switch will not happen.

4. In normal scenarios, active link switch will happen when all of the following conditions are met:

The link hold timer expires.

The dormant link's RSSI is higher than the current active link's RSSI by the link switch margin.

The dormant link RSSI is not greater than the link saturation RSSI.

5. Once the RSSI of both the active and the dormant links has gone below the link hold RSSI, the links should be broken. However, to ensure service availability in adverse conditions, if the active link RSSI has gone below the link hold RSSI and no dormant links exist, the active link is not broken.
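The five rules above, together with the four tunable parameters listed under "Operation of MLSP" (and again as the Minimum rssi to hold a link, Minimum margin rssi, Minimum time to hold a link and Maximum rssi to hold a link items of the mesh policy table later in this chapter), describe a small decision procedure. The following is an added example that models that procedure; it is not H3C code and the guide gives no implementation. The class and parameter names, the threshold values, the neighbor-table layout and the choice of the strongest dormant link when several qualify are assumptions.

```python
"""Active-link selection for a train MP, following the MLSP rules in this section.

Added example, not H3C code: the guide documents the rules and the tunable
parameters (link hold RSSI, link switch margin, link hold time, link saturation
RSSI) but not an implementation. Class and parameter names, the threshold
values and the neighbor table layout are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MlspParams:
    link_hold_rssi: int = -75        # link formation / link hold RSSI, dBm (assumed value)
    link_switch_margin: int = 6      # dB by which a dormant link must beat the active link
    link_hold_time_ms: int = 500     # minimum time an active link is kept (assumed value)
    link_saturation_rssi: int = -30  # upper RSSI limit on the active link (assumed value)


@dataclass
class TrainMp:
    params: MlspParams
    neighbors: Dict[str, int] = field(default_factory=dict)  # rail MP name -> RSSI from probe responses
    active: Optional[str] = None
    active_since_ms: int = 0
    switch_log: List[Tuple[int, Optional[str], Optional[str]]] = field(default_factory=list)

    def dormant_links(self) -> Dict[str, int]:
        """Dormant links: neighbors at or above the link formation RSSI, other than the
        active one (rule 5: a link whose RSSI dropped below the link hold RSSI is broken)."""
        return {mp: rssi for mp, rssi in self.neighbors.items()
                if rssi >= self.params.link_hold_rssi and mp != self.active}

    def _switch_to(self, target: str, now_ms: int) -> None:
        self.switch_log.append((now_ms, self.active, target))
        self.active = target
        self.active_since_ms = now_ms  # restarts the link hold timer

    def step(self, now_ms: int, probe_results: Dict[str, int]) -> Optional[str]:
        """Process one round of probe responses and return the active link afterwards."""
        p = self.params
        self.neighbors = dict(probe_results)
        dormant = self.dormant_links()
        # Rule 4, third condition: a dormant link above the saturation RSSI is not a candidate.
        candidates = {mp: r for mp, r in dormant.items() if r <= p.link_saturation_rssi}
        best = max(candidates, key=candidates.get) if candidates else None

        if self.active is None:
            # Rule 1: without a dormant link no active link can be formed;
            # otherwise take the strongest candidate (assumed tie-break).
            if best is not None:
                self._switch_to(best, now_ms)
            return self.active

        # A rail MP that stopped answering probes is treated as below the link hold RSSI.
        active_rssi = self.neighbors.get(self.active, p.link_hold_rssi - 1)
        if best is None:
            # Rule 5 exception: with no dormant link the active link is kept even when weak.
            return self.active

        hold_expired = now_ms - self.active_since_ms >= p.link_hold_time_ms
        saturated = active_rssi > p.link_saturation_rssi
        too_weak = active_rssi < p.link_hold_rssi

        # Rule 2: inside the hold time only saturation or loss of hold RSSI forces a switch.
        if not hold_expired and not (saturated or too_weak):
            return self.active
        # Rules 3 and 4: after the hold time, the best dormant link must exceed the active
        # link's RSSI by the switch margin (not applied to the forced cases above; assumption).
        if not (saturated or too_weak) and candidates[best] <= active_rssi + p.link_switch_margin:
            return self.active

        self._switch_to(best, now_ms)
        return self.active


def run_scenario() -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Drive a train MP through constructed probe results and return its switch log."""
    mp = TrainMp(MlspParams())
    timeline = [
        (0,    {"rail1": -50, "rail2": -70}),  # first contact: strongest candidate becomes active
        (100,  {"rail1": -52, "rail2": -45}),  # stronger neighbor, but inside the hold time (rule 2)
        (600,  {"rail1": -52, "rail2": -48}),  # hold time over, 6 dB margin not met (rule 3)
        (700,  {"rail1": -52, "rail2": -44}),  # margin met: switch (rule 4)
        (800,  {"rail1": -50, "rail2": -25}),  # active link saturated: forced switch (rule 2)
        (900,  {"rail1": -80, "rail2": -85}),  # everything weak, no dormant link: keep (rule 5)
        (1000, {"rail1": -80, "rail3": -60}),  # weak active link and a usable dormant one: switch
    ]
    for now_ms, probes in timeline:
        mp.step(now_ms, probes)
    return mp.switch_log
```

Running `run_scenario()` yields four switches, at 0, 700, 800 and 1000 ms; the rounds at 100, 600 and 900 ms keep the current link, each for the rule named in the comment. The margin and hold-time rules are what suppress flapping between two rail MPs of similar strength, which is why the guide calls both of them tunable per deployment.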

Mesh network topologies

The mesh feature supports the following three topologies. Mesh is implemented through configuration of a peer MAC address for each AP. For more information, see "Configuring a peer MAC address."

Point to point connection

In this topology, by configuring the peer MAC address for an AP, you can determine the mesh link to be formed.

Figure 328 Mesh point to point topology

Point to multi-point connection

In this topology, a centralized bridging device forms wireless links with multiple MPs to bridge data among multiple LAN segments. As shown below, data transferred between different LAN segments goes via AP 1.


Figure 329 Mesh point to multi-point topology

Self topology detection and bridging connection

In this topology, MPs automatically detect neighbors and form wireless links to provide wireless connectivity between LAN segments, as shown in Figure 330. Loops can easily occur in this topology. You can use mesh routes to selectively block redundant links to eliminate loops, and to back up the links when mesh links fail.

Figure 330 Self topology detection and bridging

Configuring mesh service

Creating a mesh service

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Service tab.



Figure 331 Mesh service configuration page

3. Click Add.

Figure 332 Creating a mesh service

4. Configure the mesh service as described in Table 102.

5. Click Apply.

Table 102 Configuration items

Item Description

Mesh Service Name Name of the created mesh service.

Configuring a mesh service

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Service tab.

3. Click the icon corresponding to the target mesh service to enter the page for configuring mesh service.


Figure 333 Configuring mesh service

4. Configure the mesh service as described in Table 103.

5. Click Apply.

Table 103 Configuration items

Item Description

Mesh Service Display the selected mesh service name.

VLAN (Tagged) Enter the ID of the VLAN whose packets are to be sent tagged. VLAN (Tagged) indicates that the port sends the traffic of the VLAN without removing the VLAN tag.

VLAN (Untagged) Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the ports send the traffic of the VLAN with the VLAN tag removed.

Default VLAN Set the default VLAN.

By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.

Exclude VLAN Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.

Mesh Route

Enable or disable the mesh route selection algorithm:

• Disable—Disable the mesh route selection algorithm.

• Enable—Enable the mesh route selection algorithm.

By default, the mesh route selection algorithm is disabled.

Link Keep Alive Interval Configure the mesh link keep-alive interval.

Link Backhaul Rate Configure the backhaul radio rate.

Security Configuration

Pass Phrase Enter a pre-shared key in the format of character string.


Raw Key Enter a pre-shared key in the format of hexadecimal digits.

Pre-shared Key Pre-shared key, which can be:

• A string of 8 to 63 characters, or

• A valid hexadecimal number of 64 bits.
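The two key forms in this table (Pass Phrase and Raw Key) are the two ways a WPA2-style pre-shared key is entered, and both MPs of a mesh link must end up with the same pairwise master key. The following added example, which is not H3C code, checks which form a configured value has and derives the 256-bit PMK from it. The guide does not spell out the derivation or the allowed passphrase characters, so the printable-ASCII restriction and the PBKDF2-HMAC-SHA1 derivation with 4096 iterations and the network name as salt are taken from the WPA2-PSK convention and are assumptions here; the raw form is taken as 64 hexadecimal digits.

```python
"""Format check and PMK derivation for the mesh pre-shared key.

Added example, not H3C code. The two accepted forms come from the table above;
the printable-ASCII restriction on passphrases and the derivation of the
256-bit pairwise master key (PBKDF2-HMAC-SHA1, 4096 iterations, network name
as salt) follow the WPA2-PSK convention, which the guide does not spell out
and which is therefore an assumption. The raw form is 64 hexadecimal digits.
"""
import hashlib
import re
from typing import Optional

_RAW_KEY = re.compile(r"[0-9a-fA-F]{64}")


def classify_psk(value: str) -> Optional[str]:
    """Return 'raw' for a 64-digit hex key, 'passphrase' for an 8-63 character
    printable string, or None when the value fits neither form."""
    if _RAW_KEY.fullmatch(value):
        return "raw"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"
    return None


def pmk_from_psk(value: str, mesh_id: str) -> bytes:
    """Derive the 32-byte PMK both ends of a mesh link hold after the key is set."""
    kind = classify_psk(value)
    if kind == "raw":
        return bytes.fromhex(value)  # a raw key is the PMK itself
    if kind == "passphrase":
        # WPA2-PSK convention (assumption): PBKDF2-HMAC-SHA1, 4096 rounds,
        # network name as salt, 32-byte output.
        return hashlib.pbkdf2_hmac("sha1", value.encode("ascii"),
                                   mesh_id.encode("utf-8"), 4096, 32)
    raise ValueError("pre-shared key must be 8-63 characters or 64 hex digits")


if __name__ == "__main__":
    # Constructed values: the passphrase and mesh name are examples, not deployment data.
    print(classify_psk("12345678"), pmk_from_psk("12345678", "outdoor").hex())
```

A value that passes `classify_psk` is merely well formed: an 8-character numeric passphrase sits at the minimum the format allows, and the derivation does nothing to strengthen it, so key quality has to be decided when the passphrase is chosen.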

Binding an AP radio to a mesh service

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the icon to enter the page for binding an AP radio to a mesh service.

3. Select the AP radio to be bound.

4. Click Bind.

Figure 334 Binding an AP radio to a mesh service

Enabling a mesh service

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Service tab to enter the mesh service configuration page.

Figure 335 Enabling a mesh service

3. Select the mesh service to be enabled.

4. Click Enable.


Displaying the detailed information of a mesh service

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Service tab to enter the mesh service configuration page.

3. Click a mesh service to see its detailed information.

Figure 336 Mesh service detailed information

Table 104 Field description

Field Description

Mesh Profile Number Mesh service number.

Mesh ID Mesh ID of the mesh service.

Binding Interface Mesh interface bound to the mesh service.

MKD Service MKD service status, which can be:

• Enable—Indicates that the MKD service is enabled.

• Disable—Indicates that the MKD service is disabled.

Link Keep Alive Interval Interval to send keep-alive packets.

Link Backhaul Rate Link backhaul rate.

Mesh Profile Status Mesh service status, which can be:

• Enable—Indicates that the mesh service is enabled.

• Disable—Indicates that the mesh service is disabled.


Configuring a mesh policy

Creating a mesh policy

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Service tab to enter the mesh policy configuration page.

Figure 337 Mesh policy configuration page

3. Click Add.

Figure 338 Create a mesh policy

4. Configure the mesh policy as described in Table 105.

5. Click Apply.

Table 105 Configuration items

Item Description

Mesh Policy Name Name of the created mesh policy.

The created mesh policies use the contents of the default mesh policy default_mp_plcy.

Configuring a mesh policy

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Policy tab.

3. Click the icon corresponding to the target mesh policy to enter the mesh policy configuration page.


Figure 339 Configuring a mesh policy

4. Configure the mesh policy as described in Table 106.

5. Click Apply.

Table 106 Configuration items

Item Description

Mesh Policy Display the name of the created mesh policy.

Link establishment

By default, link initiation is enabled.

IMPORTANT:

• This feature should be disabled when you configure an MP policy for a rail AP.

• This feature is used on train MPs in subway WLAN mesh deployment.

Minimum time to hold a link

Set the link hold time.

An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switch.

Maximum number of links

Set the maximum number of links that an MP can form in a mesh network.

IMPORTANT:

When configuring mesh, if the number of mesh links configured on an AP is greater than 2, you need to set the maximum number of links that an MP can form accordingly.


Minimum rssi to hold a link

Set link formation/link hold RSSI (received signal strength indicator).

This is the minimum RSSI to allow a link to be formed and held. Therefore, the minimum RSSI must be ensured at any given point in the tunnel. Otherwise, the error rate can be very high.

Minimum margin rssi

Set the link switch margin.

If the RSSI of the new link is greater than that of the current active link by the link switch margin, active link switch will happen. This mechanism is used to avoid frequent link switch.

Maximum rssi to hold a link Set link saturation RSSI.

This is the upper limit of RSSI on the active link. If the value is reached, the chipset is saturated and link switch will happen.

Interval between probe requests Set the probe request interval.

Role as authenticator By default, whether a device plays the role of an authenticator is based on negotiation results.

ratemode

• fixed—The rate adopted is a fixed value, the maximum rate of the current radio.

• realtime—The rate adopted changes with the link quality, that is, with the RSSI of the current radio.

The fixed mode is adopted by default.

MLSP The Mobile Link Switch Protocol (MLSP) implements high-speed link switching with zero packet loss during train movement. It is applicable to subway WLAN mesh deployment only.

Proxy MAC Address Select the Proxy MAC Address option to specify the MAC address of the peer device.

Proxy VLAN VLAN ID of the peer device.

Binding an AP radio to a mesh policy

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Policy tab.

3. Click the button corresponding to the target mesh policy.

4. Select the AP radio to be bound.

5. Click Bind.

Displaying the detailed information of a mesh policy

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Policy tab to enter the mesh policy configuration page.

3. Click a mesh policy to see its detailed information.


Figure 340 Mesh policy detailed information

Table 107 Field description

Field Description

MP Policy Name Name of the mesh policy.

Mesh Link Initiation Whether link initiation is enabled or not.

Mlsp Mobile Link Switch Protocol (MLSP) status, which can be:

• Enable—Indicates that MLSP is enabled.

• Disable—Indicates that MLSP is disabled.

Authenticator Role Authenticator role status, which can be:

• Enable—Indicates that the authenticator role is enabled.

• Disable—Indicates that the authenticator role is disabled.

Max Links Maximum number of links on a device using this mesh policy.

Probe Request Interval (ms) Interval between probe requests sent by a device using this mesh policy.

Link Hold RSSI Link hold RSSI.

Link Hold Time (ms) Link hold time.

Link Switch Margin Link switch margin.

Link saturation RSSI Link saturation RSSI.

Link rate-mode

Method of calculating the link cost, which can be:

• Fixed—Indicates that the mesh interface rate is fixed.

• real-time—Indicates that the mesh interface rate changes with the RSSI in real time.


Mesh global setup

Mesh basic setup

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Global Setup tab to enter the mesh global setup page.

Figure 341 Mesh basic setup

3. Configure the basic mesh settings as described in Table 108.

4. Click Apply.

Table 108 Configuration items

Item Description

MKD-ID

• Make sure the MAC address configured is unused and has the correct vendor-specific part.

• The MAC address of an AC should not be configured as the MKD ID.

Dynamic Channel Select

• Manual—Select one-time dynamic channel selection (DFS) and click Apply to enable it. After manual mode is selected, if no mesh network is manually specified when the next calibration interval is reached, the AC will refresh radio information of all mesh networks that it manages, and display it on the Radio Info tab of the Mesh Channel Optimize page. You can view the radio information and select mesh networks for which one-time DFS will be performed on the Mesh Channel Optimize tab. After that, if you want the AC to perform DFS for the mesh network, you have to make this configuration again.

• Auto—Select auto-DFS and click Apply to enable it. Auto-DFS applies to all mesh networks where the working channels of the radios are automatically selected. With auto DFS enabled, an AC makes DFS decisions at the calibrate interval automatically.

• Close—Close DFS. At the next calibration interval, the radio information and channel switching information on the Mesh Channel Optimize page will be cleared.

By default, DFS for a mesh network is disabled.

IMPORTANT:

Before enabling auto or one-time DFS for a mesh network, make sure that auto mode is selected for the working channel of radios in the mesh network. For the related configuration, see "Radio configuration."

Enabling mesh portal service

1. Select Wireless Service > Mesh Service from the navigation tree.


2. Click the Global Setup tab to enter the mesh portal service configuration page.

Figure 342 Mesh portal service configuration page

3. Select the AP for which mesh portal service is to be enabled.

4. Click Enable.

Configuring a working channel

You can configure a working channel in one of the following ways:

Manual

1. Select Radio > Radio from the navigation tree.

Figure 343 Radio configuration page

2. On the page that appears, select a specified channel from the Channel list.

3. Click Apply.

NOTE:

Specify a working channel for the radios of the MAP and MPP. The working channel on the radio of the MAP must be the same as that on the MPP.


Auto

Set the working channel mode on the MPP and MAP to auto so that the working channel is automatically negotiated when a WDS link is established between the MPP and MAP.

NOTE:

If you configure the working channel mode of the radios of the MPP and MAP as auto, the automatically selected working channel is a non-radar channel.

Enabling radio

1. Select Radio > Radio from the navigation tree to enter the radio setup page.

Figure 344 Enabling radio

2. Select the radio mode to be enabled.

3. Click Enable.

Configuring a peer MAC address

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click to enter the page for binding an AP radio to a mesh service.

3. Select the AP radio to be bound, and click the icon to enter the page for configuring a peer MAC address.


Figure 345 Configuring a peer MAC address

4. Configure the peer MAC address as described in Table 109.

5. Click Apply.

Table 109 Configuration items

Item Description

Peer MAC Address The mesh feature supports three topologies. For more information, see "Mesh network topologies." The mesh feature is implemented through configuration of peer MAC addresses for each AP.

cos Sets the STP cost of the mesh link to the peer. If not configured, the STP cost is automatically calculated by STP.

You can view the cost of the mesh link on the page shown in Figure 345.

Mesh DFS

Displaying radio information

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Channel Optimize tab to enter the mesh channel optimization page.

3. Click the specified mesh network, and click the Radio Info tab to enter the page shown in Figure 346 to view radio information.


Figure 346 Displaying radio information

Displaying channel switch information

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Channel Optimize tab to enter the mesh channel optimization page.

3. Click the mesh network, and then select the Channel Switch Info tab to enter the page shown in Figure 347 to view the channel switching information.

Figure 347 Mesh channel switching information

NOTE:

• If you select Auto or Close for dynamic channel selection on the Global Setup tab, the Channel Optimize button is grayed out when you enter the Mesh Channel Optimize page, meaning you cannot perform the operation.

• If you select manual DFS on the Global Setup tab, select the mesh networks where DFS will be performed, and then click Channel Optimize to complete DFS. In auto mode, DFS is performed at the calibration interval; in manual mode, DFS is performed once.


Table 110 Field description

Field Description

AP AP name in the mesh network.

Radio Radio of the AP.

Chl(After/Before) Channels before and after channel optimization.

Date(yyyy-mm-dd) Date, in the format of yyyy-mm-dd.

Time(hh:mm:ss) Time, in the format of hh:mm:ss.

Displaying the mesh link status

Mesh link monitoring

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Link Info tab to enter the mesh link monitoring page.

Figure 348 Displaying the mesh link monitoring information

You can monitor the mesh link status in real-time on the mesh link monitoring page.

Mesh link test

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Link Test tab to enter the mesh link test page.


Figure 349 Displaying mesh link test information

3. Select the box of the target AP.

4. Click Begin.

Normal WLAN mesh configuration example

Network requirements

As shown in the figure below, establish a mesh link between the MAP and the MPP.

Configure 802.11g on the MAP so that the client can access the network.

1. Establish a mesh link between the MPP and the MAP by following these steps:

Configure MAP and MPP—Select AP > AP Setup from the navigation tree, and click Add to configure MAP and MPP. For more information, see "Create an MAP and MPP."

Configure mesh service—After creating a mesh service and configuring a pre-shared key, you can bind the mesh service to the AP and enable the mesh service. For more information, see "Create a mesh service."

Configure a mesh policy—A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP. For more information, see "(Optional) Configure a mesh policy."

Mesh global setup—Configure an MKD-ID (which exists by default), enable mesh portal service for the MPP. For more information, see "Configure mesh service globally."

Configure the same working channel, and enable the radio. For more information, see "Configure the same working channel and enable the radio on the MAP and MPP."

2. Configure 802.11g service on the MAP to enable the client to access the WLAN network.

For more information, see "Wireless service configuration example."

Figure 350 Network diagram

Figure 350 labels: MPP, AC, MAP, Client; radio modes 802.11a and 802.11g.


Configuring the AC

1. Create an MAP and MPP:

a. Select AP> AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to map, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.

Figure 351 AP setup

d. Configure MPP by following the same steps.

2. Create a mesh service:

a. Select Wireless Service > Mesh Service from the navigation tree.

b. Click the Mesh Service tab.

c. Click Add.

d. On the page that appears, set the mesh service name to outdoor and click Apply.

After completing mesh service configuration, you enter the page shown in Figure 353.

Figure 352 Creating a mesh service

Figure 353 Configuring a pre-shared key

e. Select Pass Phrase, and set the pre-shared key to 12345678.

f. Click Apply.


3. Bind an AP radio to the mesh service.

a. Select Wireless Service > Mesh Service from the navigation tree.

b. Click the icon corresponding to the mesh service outdoor to enter the page for binding an AP radio to a mesh service.

c. Select the AP radios to be bound.

d. Click Bind.

Figure 354 Binding an AP radio to a mesh service

4. Enable the mesh service.

a. Select Wireless Service > Mesh Service from the navigation tree.

Figure 355 Enabling the mesh service

b. Select the mesh service to be enabled.

c. Click Enable.

5. (Optional) Configure a mesh policy (by default, the default mesh policy default_mp_plcy already exists).

NOTE:

A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP as needed. By default, the default_mp_plcy mesh policy is mapped to an AP.

6. Configure mesh service globally:


a. (Optional) Select Wireless Service > Mesh Service from the navigation tree, and click the Global Setup tab to enter the mesh global setup page to set the MKD-ID (by default, the MKD-ID exists).

b. Select the MPP that has wired connectivity with the AC to enable mesh portal service.

c. Click Enable.

Figure 356 Mesh portal service configuration page

7. Configure the same working channel and enable the radio on the MAP and MPP:

a. Select Radio > Radio from the navigation tree.

b. Click the icon corresponding to the target MAP to enter the radio setup page.

Figure 357 Configuring the working channel

c. Select the channel to be used from the Channel list.

d. Click Apply.


You can follow this step to configure the working channel for the MPP. Note that the working channel of the radio on the MPP must be the same as that on the MAP.

8. Enable radio:

a. Select Radio > Radio from the navigation tree.

b. Select the radio modes to be enabled for the MAP and MPP.

c. Click Enable.

Figure 358 Enabling radio

Verifying the configuration

• The mesh link between the MAP and the MPP has been established, and they can ping each other.

• After 802.11n (2.4 GHz) is configured on the MAP, the client can access the network through the mesh link.

Subway WLAN mesh configuration example

Network requirements

• As shown in Figure 359, all rail MPs are connected to an AC.

• Configure WLAN mesh so that the train MP forms links with rail MPs during movement, one of which is the active link while all others are dormant links.

Subway WLAN mesh configuration is basically the same as normal WLAN mesh configuration. Note the following guidelines when you configure subway WLAN mesh:

1. Create a rail AP mesh policy:

Disable the link initiation function. For more information, see "Configuring a mesh policy."

Enable mesh portal service. For more information, see "Enabling mesh portal service."

2. Create a train AP mesh policy:

Enable MLSP.

Configure MLSP proxy MAC address and VLAN information.

Disable Role as authenticator. For more information, see "Configuring a mesh policy."


Set the maximum number of links that an MP can form in a mesh network (the default value is 2). For more information, see "Configuring a mesh policy."

Figure 359 Network diagram

Configuring the AC

Subway mesh configuration differs from normal WLAN mesh configuration in the mesh policy configuration of rail APs and train APs. Other configurations are the same. For more information, see "Configuring the AC."

Mesh point-to-multipoint configuration example

Network requirements

AP 1 operates as an MPP to establish a mesh link with AP 2, AP 3, AP 4, and AP 5 respectively.

The mesh configuration is the same as the normal WLAN mesh configuration.

Figure 360 Network diagram

Configuration considerations

• Configure a peer MAC address for each radio interface. Configure the MAC addresses of AP 2 through AP 5 on AP 1, and configure the MAC address of AP 1 on AP 2 through AP 5.


• Set the maximum number of links that an MP can form in a mesh network (the default value is 2; set it to 4 in this example). For more information, see "Configuring a mesh policy."

Configuring the AC

Mesh configuration is the same as normal WLAN mesh configuration. For more information, see "Configuring the AC."

Tri-radio mesh configuration example

Network requirements

As shown in Figure 361, set up mesh links between the MPs and the MPP. Radio 1 of the MPP, Radio 1 and Radio 2 of MP 1, and Radio 1 of MP 2 join the same mesh, and Radio 3 is used as the multi-beam antenna that provides the wireless access service.

Figure 361 Network diagram

Configuration considerations

1. Configure the mesh service:

The mesh configuration here is similar to a common wireless mesh configuration. Pay attention to the following points:

Radios joining the same mesh must use the same mesh service. Thus, bind Radio 1 of MPP, Radio 1 and Radio 2 of MP 1, and Radio 1 of MP 2 to the same mesh service.

Figure 362 Binding radios to the mesh service


On Radio 1 of the MPP, configure Radio 1 of MP 1 as the peer MAC address. Similarly, configure Radio 1 of the MPP as the peer MAC address on MP 1. Perform the same operation for Radio 2 of MP 1 and Radio 1 of MP 2.

2. Configure the access service:

As the multi-beam antenna, Radio 3 provides the wireless access service. For more information, see "Wireless service configuration example." You can strictly follow the configuration example to configure the access service.

Configuration procedure

The mesh configuration here is similar to a common wireless mesh configuration. For more information, see "Configuring the AC."

Mesh DFS configuration example

Network requirements

• As shown in Figure 363, establish an 802.11a mesh link between the MAP and MPP. The working channel is automatically selected.

• Enable one-time DFS. After that, the AC performs DFS for the radios when certain trigger conditions are met on the channel.

Figure 363 Network diagram

Configuration considerations

The mesh configuration in this example is similar to a common wireless mesh configuration. Note the following guidelines:

• Configure the working channel mode of the radios that provide mesh services as auto.

• Do not configure any wireless service on radios that provide mesh services.

Configuration procedure

The mesh configuration is the same as the normal WLAN mesh configuration. For configuration procedures, see "Normal WLAN mesh configuration example." Perform the following operations after completing mesh configuration:

1. (Optional) Set a calibration interval:

a. Select Radio > Calibration from the navigation tree.

b. Click the Parameters tab.

c. On the page that appears, enter the calibration interval 3 and click OK.


Figure 364 Mesh calibration interval

2. Configure mesh DFS:

a. Select Wireless Service > Mesh Service from the navigation tree.

b. Click the Global Setup tab.

c. On the page that appears, select the Manual box for Dynamic Channel Select.

d. Click OK.

Figure 365 DFS

3. Enable one time DFS for the mesh network:

a. Select Wireless Service > Mesh Service from the navigation tree.

b. Click the Mesh Channel Optimize tab.

c. Select the outdoor mesh network.

d. Click Channel Optimize.

Figure 366 One-time mesh DFS


Verifying the configuration

After the next calibration interval, you can view the channel switching information:

1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Mesh Channel Optimize tab to enter the Mesh Channel Optimize page.

3. Click the Channel Info tab.

4. Select the target mesh network to display the radio information.

Figure 367 Displaying mesh channel switching information


WLAN roaming configuration

The Inter AC Tunneling Protocol (IACTP) is a proprietary protocol of H3C which defines how access controllers (ACs) communicate with each other. IACTP provides a generic packet encapsulation and transport mechanism between ACs to provide secure AC-AC communications based on the standard TCP client/server model.

A mobility group is a group of ACs that communicate with each other using IACTP. A maximum of 8 ACs can be present in a mobility group in the current version. A mobility group is formed and maintained using IACTP.

IACTP provides a control tunnel for applications such as roaming to share/exchange messages. It also provides a data tunnel to encapsulate data packets to be transported between ACs. It can be used either with IPv4 or with IPv6.

Whenever a station that supports key caching associates with any of the ACs in a mobility group (which becomes its Home-AC (HA)) for the first time, it goes through 802.1X authentication followed by the 802.11 key exchange. The station information is synchronized across the ACs in the mobility group before the station roams within an AC or across ACs. When the station roams to another AC in the mobility group (which becomes its Foreign-AC (FA)), the synchronized station information is used to authenticate the station quickly: 802.1X authentication is skipped and only the 802.11 key exchange is performed, which provides seamless roaming within the mobility group.

Configuring WLAN roaming

Configuring a roaming group

NOTE:

Roaming group configuration is available only for inter-AC roaming. For the configuration example of inter-AC roaming, see "Inter-AC roaming configuration example."

1. Select Roam > Roam Group from the navigation tree.

Figure 368 Configuring a roaming group

2. Configure a roaming group as described in Table 111.

3. Click Apply.


Table 111 Configuration items

Item Description

Service status

• enable—Enable IACTP service.

• disable—Disable IACTP service.

IP type Select IPv4 or IPv6.

Source address Source address of the IACTP protocol.

Auth mode MD5—Select the MD5 authentication mode. This item is optional.

When the MD5 authentication mode is selected, the integrity of control messages can be verified. The sender (an AC) calculates a digest over the content of a control message. On receiving the message, the receiver (another AC in the roaming group) calculates the digest again and compares it with the digest carried in the message. If the two digests are the same, the packet has not been tampered with.

Auth key MD5 authentication key. If you select the MD5 authentication mode, you must enter an authentication key.
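As an added illustration of the MD5 authentication mode (example code, not H3C's IACTP implementation), the following Python sketches the sender-side digest and the receiver-side check between two roaming-group ACs. The digest construction (MD5 over the shared key followed by the message, appended to the message), the sample keys and the sample message are assumptions; the guide does not specify the IACTP wire format.

```python
"""Control-message integrity check with a shared MD5 authentication key.

Added example, not H3C code: the digest layout (MD5 over key || message,
appended to the message) is an assumption standing in for the IACTP format.
"""
import hashlib
import hmac

DIGEST_LEN = 16  # MD5 produces a 128-bit digest


def control_digest(auth_key: bytes, message: bytes) -> bytes:
    """Digest the sending AC computes over the content of a control message.
    Assumed construction: MD5(key || message)."""
    return hashlib.md5(auth_key + message).digest()


def build_control_message(auth_key: bytes, message: bytes) -> bytes:
    """Sending AC: append the digest so the receiver can verify integrity."""
    return message + control_digest(auth_key, message)


def verify_control_message(auth_key: bytes, packet: bytes):
    """Receiving AC: recompute the digest over the message part and compare it
    with the digest carried in the packet. Returns (ok, message); message is
    empty when the check fails so a tampered payload is never acted on."""
    if len(packet) < DIGEST_LEN:
        return False, b""
    message, carried = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = control_digest(auth_key, message)
    # Constant-time comparison: a plain == would let response timing reveal
    # how many leading digest bytes matched.
    ok = hmac.compare_digest(carried, expected)
    return ok, (message if ok else b"")


def roaming_group_scenarios():
    """Walk through the three cases a roaming-group operator cares about.
    Keys and message are constructed sample values, not real configuration."""
    ac1_key = b"roamgrp-shared-key"      # Auth key configured on AC 1
    ac2_key = b"roamgrp-shared-key"      # same key configured on AC 2
    ac3_key = b"roamgrp-shared-kye"      # mistyped key on a misconfigured member
    msg = b"STA-SYNC client=000f-e2aa-bbcc home-ac=192.168.1.100"

    packet = build_control_message(ac1_key, msg)

    # 1. Matching keys, untouched packet: digest verifies, message is delivered.
    ok_same, delivered = verify_control_message(ac2_key, packet)

    # 2. Packet modified in transit (one byte flipped): digest no longer matches.
    tampered = packet[:10] + bytes([packet[10] ^ 0x01]) + packet[11:]
    ok_tampered, _ = verify_control_message(ac2_key, tampered)

    # 3. Member with a different auth key: digest mismatch, just like tampering.
    ok_wrong_key, _ = verify_control_message(ac3_key, packet)

    return {
        "same_key": ok_same and delivered == msg,
        "tampered": ok_tampered,
        "wrong_key": ok_wrong_key,
    }
```

The check proves only that the packet came from a peer holding the same auth key and was not altered afterwards, which is why the auth key and group name must match on every AC in the roaming group.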

Adding a group member

1. Select Roam > Roam Group from the navigation tree.

Figure 369 Adding a group member

2. Add a group member as described in Table 112.

3. Click Add.

4. Click Apply.

Table 112 Configuration items

Item Description

IP address

Add the IP address of an AC to a roaming group.

IMPORTANT:

When you configure a roaming group, the roaming group name configured for the ACs in the same roaming group must be the same.


VLAN Configure the VLAN to which the roaming group member belongs.

This configuration item is optional.

NOTE:

• The user profile configurations of the ACs in a roaming group must be the same. For more information, see "User configuration."

• The ACs in a roaming group cannot be configured as hot backup ACs.

Displaying client information

1. Select Roam > Roam Client from the navigation tree.

Figure 370 Displaying client information

Click a target client to view its detailed information and roaming information. The detailed information and roaming information displayed under Roam > Client Information are the same as those displayed under Summary > Client. For the related information, see "Summary."

WLAN roaming configuration examples

Intra-AC roaming configuration example

Network requirements

As shown in Figure 371, an AC has two APs associated and all of them are in VLAN 1. A client is associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when roaming to AP 2.


Figure 371 Network diagram

Configuring the AC

NOTE:

If remote authentication is required in the authentication mode you select, configure the RADIUS server. For how to configure the RADIUS server, see "AAA configuration."

1. Create two APs:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to ap1, select the AP model WA2620-AGN, select manual from the Serial ID list, enter the serial ID of the AP, and click Apply.

d. Follow the same steps to create the other AP.

2. Configure wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the service name to Roam, and click Apply.

NOTE:

For how to configure the authentication mode, see "Access service configuration." However, fast roaming can be implemented only when the RSN+802.1X authentication mode is adopted.

3. Enable wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Select the Roam box.

c. Click Enable.

4. Bind AP radios to the wireless service:

(Figure 371 labels: AC, L2 switch, RADIUS server, AP 1 with BSSID 000f-e27b-3d90, AP 2 with BSSID 000f-e233-5500, and the client roaming from AP 1 to AP 2, all in VLAN 1.)


a. Select Wireless Service > Access Service from the navigation tree.

b. Click the icon corresponding to the wireless service Roam to enter the page for binding AP radios.

c. Select the box before ap1 with radio type 802.11n(2.4GHz), and the box before ap2 with radio type 802.11n(2.4GHz).

d. Click Bind.

Figure 372 Binding AP radios

5. Enable dot11g radio:

a. Select Radio > Radio Setup from the navigation tree.

b. On the page that appears, select the box before ap1 with the radio mode 802.11n(2.4GHz), and select the box before ap2 with the radio mode 802.11n(2.4GHz).

c. Click Enable.

Figure 373 Enabling radio

Verifying the configuration

1. Display the roaming information of the client:


a. Select Summary > Client from the navigation tree.

b. Select the Roam Information tab.

c. Click the desired client to view the roaming information of the client.

From the roaming information, you can see that the client accesses the WLAN through AP 1, and the BSSID of AP 1 is 000f-e27b-3d90 (see Figure 374).

Figure 374 Client status before intra-AC roaming

d. Click Refresh.

On the page that appears, you can see that the client is connected to the WLAN through AP 2, and the BSSID of AP 2 is 000f-e233-5500.

Figure 375 Client status after intra-AC roaming

2. View the Roam Status field:

a. Select Summary > Client from the navigation tree.


b. Click the Detail Information tab.

c. Click the desired client.

You can see that Intra-AC roam association is displayed in the Roam Status field.

Figure 376 Verifying intra-AC roaming

Configuration guidelines

When you configure intra-AC roaming, the SSIDs of the two APs must be the same, and the same wireless service must be bound to the radios of both APs, as described in "Bind AP radios to the wireless service."

Inter-AC roaming configuration example

Network requirements

As shown in Figure 377, two ACs, each connected to an AP, are connected through a Layer 2 switch. Both ACs are in the same network. The IP address of AC 1 is 192.168.1.100 and that of AC 2 is 192.168.1.101. A client associates with AP 1.

Configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.


Figure 377 Network diagram

Configuring AC 1 and AC 2

NOTE:

If remote authentication is required in the authentication mode you select, configure the RADIUS server. For how to configure the RADIUS server, see "AAA configuration."

1. Establish AC-AP connections:

Configure AC 1 and AC 2 so that a connection can be established between AP 1 and AC 1, and between AP 2 and AC 2. Only after the connections are established can you see that the two APs are in the running status. To view the AP status, select Summary > AP or AP > AP Setup.

For the related configuration, see "Access service configuration."

NOTE:

For the configuration of authentication mode, see "Access service configuration." Fast roaming supporting key caching can be implemented only when RSN+802.1X authentication is adopted.

2. Configure a roaming group:

a. Select Roam > Roam Group from the navigation tree.

b. On the page that appears, select enable from the Service status list, select IPv4 from the IP Type list, enter 192.168.1.100 (the IP address of AC 1) as the source address, enter the IP address of AC 2 (192.168.1.101) in the member list, and click Add.

c. Click Apply.


Figure 378 Configuring a roaming group on AC 1

d. Create a roaming group on AC 2. The source address is the IP address of AC 2, and the member address is the IP address of AC 1. (Details not shown.)

Verifying the configuration

1. Verify the status of the roaming group:

a. On AC 1, select Roam > Roam Group from the navigation tree, and you can see that the group member 192.168.1.101 is in Run state.

Figure 379 Verifying the roaming group state

b. On AC 2, select Roam > Roam Group from the navigation tree, and you can see that the group member 192.168.1.100 is in Run state.

Figure 380 Verifying the roaming group state

2. Display the client information:

a. After the client roams from AP 1 to AP 2, select Roam > Roam Client on AC 1.

You can see that the client roams out of 192.168.1.100.


Figure 381 Viewing client information

b. Select Roam > Roam Client on AC 2.

You can see that the client roams in to 192.168.1.100.

3. View connection information about the client that is associated with the AP, and the Roam Status field in the client detailed information:

a. Before roaming, select Summary > Client from the navigation tree on AC 1.

You can see that the client is associated with AP 1.

b. After roaming, select Summary > Client from the navigation tree on AC 1.

The client has roamed from AP 1 to AP 2, so no client information is displayed on the page.

c. Select Summary > Client from the navigation tree on AC 2.

You can view the client information.

d. Select the Detail Information tab, and then click the desired client.

You will see that Inter-AC roam association is displayed in the Roam Status field, which indicates that the client has roamed to AP 2.

Figure 382 Verifying inter-AC roaming

4. View the BSSID field:

a. Before roaming, select Summary > Client from the navigation tree on AC 1, select the Detail Information tab, and click the desired client to view the roaming information of the client.

The roaming information in Figure 383 shows that the client connects to the WLAN through AP 1, and the BSSID of AP 1 is 000f-e27b-3d90.


Figure 383 Client status before inter-AC roaming

b. Select Summary > Client from the navigation tree on AC 2, select the Detail Information tab, and click the desired client to view the roaming information of the client.

The roaming information in Figure 384 shows that the client connects to the WLAN through AP 2, and the BSSID of AP 2 is 000f-e233-5500.

Figure 384 Client status after inter-AC roaming

Configuration guidelines

Follow these guidelines when you configure inter-AC roaming:

• The SSIDs and the authentication and encryption modes of the two APs should be the same.

• A roaming group must be configured on both of the two ACs.

• Do not configure the ACs in a roaming group as hot backup ACs.


Radio configuration

Radio overview

Radio frequency (RF) refers to electrical signals that can be radiated through space over long distances. In the IEEE 802.11 standards, 802.11b/g operates in the 2.4 GHz band, 802.11a operates in the 5 GHz band, and 802.11n operates in both the 2.4 GHz and 5 GHz bands. Radio frequency is allocated in bands, each of which corresponds to a range of frequencies.

WLAN RRM overview

Radio signals are susceptible to surrounding interference. The causes of radio signal attenuation in different directions are very complex, so you need to plan carefully before deploying a WLAN. After deployment, the running parameters must still be adjusted, because the radio environment keeps changing due to interference from moving obstacles, microwave ovens, and so on. To adapt to environment changes, radio resources such as working channels and transmit power should be adjusted dynamically. Such adjustments are complex and require experienced personnel to perform them regularly, which brings high maintenance costs.

WLAN radio resource management (RRM) is a scalable radio resource management solution. Through information collection (APs collect radio environment information in real time), information analysis (The AC analyzes the collected information), decision-making (The AC makes radio resource adjustment configuration according to analysis results), and implementation (APs implement the configuration made by the AC for radio resource optimization), WLAN RRM delivers a real-time, intelligent, integrated radio resource management solution, which enables a WLAN network to quickly adapt to radio environment changes and ensures the optimal communication quality.

Dynamic frequency selection

A WLAN has limited working channels. Channel overlapping can easily occur. In addition, other radio sources such as radar and micro-wave ovens may interfere with the operation of APs. Dynamic frequency selection (DFS) can solve these problems.

With DFS, the AC selects an optimal channel for each AP in real time to avoid co-channel interference and interference from other radio sources.

The following conditions determine DFS:

• Error code rate—physical layer error code and CRC errors.

• Interference—influence of 802.11 and non-802.11 wireless signals on wireless services.

• Retransmission—APs retransmit data if they do not receive ACK messages from the AC.

• Radar signal detected on a working channel—the AC immediately notifies the AP to change its working channel.

If the first three conditions are met, the AC calculates the channel quality. The AP does not use the new channel until the channel quality difference between the new and old channels exceeds the tolerance level.


Figure 385 Dynamic channel adjustment

Transmit power control

Traditionally, an AP uses the maximum power to cover an area as large as possible. This method, however, affects the operation of surrounding wireless devices. Transmit power control (TPC) is used to select a proper transmission power for each AP to satisfy both coverage and usage requirements.

Whether the transmission power of an AP is increased or decreased is determined by these factors: the maximum number of neighbors (detected neighbors that are managed by the same AC), the neighbor AP that performs power detection, and the power adjustment threshold.

NOTE:

You cannot configure the neighbor AP that performs power detection or the power adjustment threshold on the web interface.

As shown in Figure 386, APs 1, 2, and 3 cover an area. When AP 4 joins, the default maximum neighbor number of 3 (configurable) is reached, and the APs perform power adjustment. The figure shows that all of them reduce their transmission power.


Figure 386 Power reduction

As shown in Figure 387, when AP 3 fails or goes offline, the other APs increase their transmission power to cover the signal black hole.


Figure 387 Power increasing

Radio setup

Configuring radio parameters

1. Select Radio > Radio from the navigation tree.

2. Click the icon of the desired AP to enter the page for AP radio setup.


Figure 388 Radio setup

3. Configure the radio as described in Table 113.

Table 113 Configuration items

Item Description

AP Name Display the selected AP.

Radio Unit Display the selected AP's radios.

Radio Mode Display the selected AP's radio mode.

Transmit Power

Maximum radio transmission power, which varies with country codes, channels, AP models, radio modes and antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also depends on the bandwidth mode.

Channel

Specify the working channel of the radio, which varies with radio types and country codes. The working channel list varies with device models.

auto—The working channel is automatically selected. If you select this mode, the AP checks the channel quality in the WLAN network, and selects the channel of the best quality as its working channel.

If you modify the working channel configuration, the transmit power is automatically adjusted.

802.11n bandwidth mode

The option is available only when the AP supports 802.11n.

802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other acting as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.

By default, the channel bandwidth of the 802.11n radio (5 GHz) is 40 MHz, and that of the 802.11n radio (2.4 GHz) is 20 MHz.

IMPORTANT:

• If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz channel is used as the working channel. If no 40 MHz channel is available, a 20 MHz channel is used. For the specifications, see IEEE P802.11n D2.00.

• If you modify the bandwidth mode configuration, the transmit power is automatically adjusted.

client dot11n-only If you select the client dot11n-only option, non-802.11n clients are prohibited from access. If you want to provide access for all 802.11a/b/g clients, you must disable this function.


A-MSDU

Select the A-MSDU option to enable A-MSDU.

Multiple MAC Service Data Units (MSDU) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.

At present, only A-MSDUs can be received.

IMPORTANT:

When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MSDU configuration.

A-MPDU

Select the A-MPDU option to enable A-MPDU.

802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MAC Protocol Data Units (MPDUs) that have their PHY headers removed. This reduces the transmission overhead and the number of ACK frames required, and thus improves network throughput.

IMPORTANT:

When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MPDU configuration.

short GI Select short GI to enable short GI.

The 802.11a/g GI is 800 ns. You can configure a short GI of 400 ns for 802.11n. The short GI increases the throughput by 10 percent.

4. Expand Advanced Setup.

Figure 389 Radio setup (advanced setup)


5. Configure the radio as described in Table 114.

6. Click Apply.

Table 114 Configuration items

Item Description

Preamble

A preamble is a pattern of bits at the beginning of a frame that allows the receiver to synchronize and be ready for the real data.

• Short preamble—A short preamble improves network performance. Therefore, this option is always selected.

• Long preamble—A long preamble ensures compatibility between the access point and some legacy client devices. Therefore, select this option for legacy client devices that do not support the short preamble.

802.11a/802.11n (5 GHz) do not support this configuration.

Transmit Distance Maximum coverage of a radio.

ANI

Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference.

• Enable—Enable ANI.

• Disable—Disable ANI.

Client Max Count Maximum number of clients that can be associated with one radio.

Fragment Threshold

Specify the maximum length of frames that can be transmitted without fragmentation. When the length of a frame exceeds the specified fragment threshold value, it is fragmented.

• In a wireless network where the error rate is high, you can decrease the fragment threshold by a rational value. In this way, when a fragment of a frame is not received, only this fragment rather than the whole frame needs to be retransmitted, and thus the throughput of the wireless network is improved.

• In a wireless network where no collision occurs, you can increase the fragment threshold by a rational value to decrease acknowledgement packets and thus increase network throughput.

Beacon Interval Interval for sending beacon frames. Beacon frames are transmitted at a regular interval to allow mobile clients to join the network. Beacon frames are used for a client to identify nearby APs or network control devices.


RTS (CTS)

There are two data collision avoidance mechanisms, RTS/CTS and CTS-to-self.

• RTS/CTS—In this mode, an AP sends an RTS packet before sending data to a client. After receiving the RTS packet, all the devices within the coverage of the AP will not send data within the specified time. Upon receiving the RTS packet, the client sends a CTS packet, ensuring that all the devices within the coverage of the client will not send data within the specified time. The RTS/CTS mechanism requires two frames to implement data collision avoidance, and thus has a higher cost.

• CTS-to-Self—In this mode, an AP uses its IP address to send a CTS packet before sending data to a client, ensuring that all the devices within the coverage of the AP will not send data within the specified time. The CTS-to-Self mechanism uses only one frame to avoid data collision. However, if another device is in the coverage of the client but not in the coverage of the AP, data collision may still occur.

Compared with RTS/CTS, CTS-to-Self reduces the number of control frames. However, data collisions still occur when some clients are hidden and thus cannot receive the CTS frames sent by the AP. Therefore, the RTS/CTS mechanism can solve the data collision problem over a larger coverage than CTS-to-Self.

RTS (CTS) Threshold

If a frame is larger than the RTS (CTS) threshold, the data collision avoidance mechanism is used.

A smaller RTS/CTS threshold causes RTS/CTS packets to be sent more often, thus consuming more bandwidth. However, the more often RTS/CTS packets are sent, the quicker the system can recover from collisions.

In a high-density WLAN, you can decrease the RTS threshold to reduce collisions in the network.

IMPORTANT:

The data collision avoidance mechanism occupies bandwidth. Therefore, this mechanism applies only to data frames larger than the RTS/CTS threshold.

DTIM Period Number of beacon intervals between delivery traffic indication message (DTIM) transmissions. The AP sends buffered broadcast/multicast frames when the DTIM counter reaches 0.

Long Retry Threshold Number of retransmission attempts for unicast frames larger than the RTS/CTS threshold.

Short Retry Threshold Number of retransmission attempts for unicast frames smaller than the RTS/CTS threshold if no acknowledgment is received for them.

Max Receive Duration Interval for which a frame received by an AP can stay in the buffer memory.

Enabling a radio

1. Select Radio > Radio from the navigation tree to enter the radio setup page.


Figure 390 Enabling radio

2. Select the box of the target radio.

3. Click Enable.

Locking the channel

1. Select Radio > Radio from the navigation tree to enter the page as shown in Figure 391.

Figure 391 Locking a channel

2. Select the box of the target radio.

3. Click Lock Channel.

Channel locking takes effect only when the working channel of the radio is set to auto. For more information about automatic channel adjustment, see "Configuring radio parameters."

If you enable channel locking and then enable the radio, the AC automatically selects an optimal channel, and then locks the channel.

When the AC detects any radar signals, it immediately selects another channel even if the current channel is locked, and then locks the new channel.

If you lock the current channel first, and then enable channel adjustment, channel adjustment does not work because the current channel is locked. Therefore, before enabling channel adjustment, make sure that the current channel is not locked. If you enable channel adjustment and then lock the current channel, the last selected channel is locked. For information about channel adjustment, see "Dynamic frequency selection." For more information about channel adjustment configuration, see "Parameter setting."


Locking the power

1. Select Radio > Radio from the navigation tree to enter the page as shown in Figure 392.

Figure 392 Locking the current power

2. Select the box of the target radio.

3. Click Lock Power.

For transmission power configuration, see "Configuring radio parameters."

If you lock the current power first, and then enable power adjustment, power adjustment does not work because the power is locked. Therefore, before enabling power adjustment, make sure that the current power is not locked. If you enable power adjustment, and then lock the current power, the last selected power is locked. For information about power adjustment, see "Transmit power control." For how to configure power adjustment, see "Parameter setting."

Configuring data transmit rates

Configuring 802.11a/802.11b/802.11g rates

1. Select Radio > Rate from the navigation tree to enter the rate setting page.


Figure 393 Setting 802.11a/802.11b/802.11g rates

2. Configure 802.11a/802.11b/802.11g rates as described in Table 115.

3. Click Apply.

Table 115 Configuration items

Item Description

802.11a

Configure rates (in Mbps) for 802.11a.

By default:

• Mandatory rates are 6, 12, and 24.

• Supported rates are 9, 18, 36, 48, and 54.

• Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.

802.11b

Configure rates (in Mbps) for 802.11b.

By default:

• Mandatory rates are 1 and 2.

• Supported rates are 5.5 and 11.

• Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.


802.11g

Configure rates (in Mbps) for 802.11g.

By default:

• Mandatory rates are 1, 2, 5.5, and 11.

• Supported rates are 6, 9, 12, 18, 24, 36, 48, and 54.

• Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.

Configuring 802.11n MCS

Introduction to MCS

Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum Modulation and Coding Scheme (MCS) index. The MCS data rate table shows relations between data rates, MCS indexes, and parameters that affect data rates. Sample MCS data rate tables for 20 MHz and 40 MHz are shown in Table 116 and Table 117 respectively. For the entire table, see IEEE P802.11n D2.00.

Table 116 and Table 117 indicate that MCS 0 through 7 are for one single spatial stream, and when the MCS is 7, the data rate is the highest. MCS 8 through 15 are for two spatial streams, and when the MCS is 15, the data rate is the highest.

Table 116 MCS index table (20 MHz)

MCS index  Number of spatial streams  Modulation  Data rate (Mbps) with 800 ns GI  Data rate (Mbps) with 400 ns GI

0 1 BPSK 6.5 7.2

1 1 QPSK 13.0 14.4

2 1 QPSK 19.5 21.7

3 1 16-QAM 26.0 28.9

4 1 16-QAM 39.0 43.3

5 1 64-QAM 52.0 57.8

6 1 64-QAM 58.5 65.0

7 1 64-QAM 65.0 72.2

8 2 BPSK 13.0 14.4

9 2 QPSK 26.0 28.9

10 2 QPSK 39.0 43.3

11 2 16-QAM 52.0 57.8

12 2 16-QAM 78.0 86.7

13 2 64-QAM 104.0 115.6

14 2 64-QAM 117.0 130.0

15 2 64-QAM 130.0 144.4


Table 117 MCS index table (40 MHz)

MCS index  Number of spatial streams  Modulation  Data rate (Mbps) with 800 ns GI  Data rate (Mbps) with 400 ns GI

0 1 BPSK 13.5 15.0

1 1 QPSK 27.0 30.0

2 1 QPSK 40.5 45.0

3 1 16-QAM 54.0 60.0

4 1 16-QAM 81.0 90.0

5 1 64-QAM 108.0 120.0

6 1 64-QAM 121.5 135.0

7 1 64-QAM 135.0 150.0

8 2 BPSK 27.0 30.0

9 2 QPSK 54.0 60.0

10 2 QPSK 81.0 90.0

11 2 16-QAM 108.0 120.0

12 2 16-QAM 162.0 180.0

13 2 64-QAM 216.0 240.0

14 2 64-QAM 243.0 270.0

15 2 64-QAM 270.0 300.0

For example, if you specify the maximum MCS index as 5 for mandatory rates, rates corresponding to MCS indexes 0 through 5 are configured as 802.11n mandatory rates.

• Mandatory rates must be supported by the AP and the clients that want to associate with the AP.

• Supported rates allow some clients that support both mandatory and supported rates to choose higher rates when communicating with the AP.

• Multicast MCS: Specifies 802.11n multicast data rates.

Configuring 802.11n rates

1. Select Radio > Rate from the navigation tree to enter the rate setting page.

Figure 394 Setting 802.11n rate

2. Configure the 802.11n rate as described in Table 118.

3. Click Apply.


Table 118 Configuration items

Item Description

Mandatory Maximum MCS

Set the maximum MCS index for 802.11n mandatory rates.

IMPORTANT:

If you select the client dot11n-only option, you must configure the mandatory maximum MCS.

Multicast MCS

Set the multicast MCS for 802.11n.

The multicast MCS is adopted only when all the clients use 802.11n. If a non 802.11n client exists, multicast traffic is transmitted at a mandatory MCS data rate.

IMPORTANT:

• If you configure a multicast MCS index greater than the maximum MCS index supported by the radio, the maximum MCS index is adopted.

• When the multicast MCS takes effect, the corresponding data rates defined for 20 MHz are adopted no matter whether the 802.11n radio operates in 40 MHz mode or in 20 MHz mode.

Supported Maximum MCS Set the maximum MCS index for 802.11n supported rates.

NOTE:

When 802.11n radios are used in a mesh WLAN, make sure that they have the same MCS configuration.
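The following added example (Python, not code from the guide) reproduces Table 116 and Table 117 from the standard 802.11n rate formula and applies the Mandatory Maximum MCS, Supported Maximum MCS and Multicast MCS rules of Table 118. It goes slightly beyond the page by generating every row rather than looking them up; the interpretation that supported rates cover the indexes above the mandatory maximum, and the fallback index used when a non-802.11n client is present, are assumptions.

```python
"""802.11n MCS data rates and the mandatory/multicast MCS rules of this page.

Added example, not H3C code. Rates follow the 802.11n HT formula
    rate = streams * bits_per_subcarrier * coding_rate * data_subcarriers / symbol_time
which reproduces Table 116 (20 MHz) and Table 117 (40 MHz).
"""
from fractions import Fraction

# Bits carried per subcarrier by each modulation.
MODULATION_BITS = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6}

# (modulation, coding rate) for MCS 0-7; MCS 8-15 reuse the pairs with two streams.
MCS_BASE = [
    ("BPSK", Fraction(1, 2)), ("QPSK", Fraction(1, 2)), ("QPSK", Fraction(3, 4)),
    ("16-QAM", Fraction(1, 2)), ("16-QAM", Fraction(3, 4)), ("64-QAM", Fraction(2, 3)),
    ("64-QAM", Fraction(3, 4)), ("64-QAM", Fraction(5, 6)),
]
DATA_SUBCARRIERS = {20: 52, 40: 108}    # keyed by channel bandwidth in MHz
SYMBOL_TIME_US = {800: 4.0, 400: 3.6}   # OFDM symbol time, keyed by GI in ns


def mcs_rate(mcs: int, bandwidth_mhz: int = 20, gi_ns: int = 800) -> float:
    """Data rate in Mbps for one MCS index, rounded to 0.1 as in the tables."""
    if not 0 <= mcs <= 15:
        raise ValueError("only MCS 0-15 (one or two spatial streams) are tabulated")
    streams = 1 + mcs // 8
    modulation, coding_rate = MCS_BASE[mcs % 8]
    bits_per_symbol = (streams * MODULATION_BITS[modulation] * coding_rate
                       * DATA_SUBCARRIERS[bandwidth_mhz])
    return round(float(bits_per_symbol) / SYMBOL_TIME_US[gi_ns], 1)


def mcs_table(bandwidth_mhz: int):
    """Rebuild Table 116 or 117: (index, streams, modulation, rate@800ns, rate@400ns)."""
    return [
        (m, 1 + m // 8, MCS_BASE[m % 8][0],
         mcs_rate(m, bandwidth_mhz, 800), mcs_rate(m, bandwidth_mhz, 400))
        for m in range(16)
    ]


def rate_sets(mandatory_max_mcs: int, supported_max_mcs: int,
              bandwidth_mhz: int = 20, gi_ns: int = 800):
    """Mandatory Maximum MCS = N makes MCS 0..N mandatory rates (every client must
    support them). Supported Maximum MCS = M is read here as making MCS N+1..M the
    extra supported rates that capable clients may choose (assumed interpretation)."""
    if not 0 <= mandatory_max_mcs <= supported_max_mcs <= 15:
        raise ValueError("need 0 <= mandatory max <= supported max <= 15")
    mandatory = [mcs_rate(m, bandwidth_mhz, gi_ns)
                 for m in range(mandatory_max_mcs + 1)]
    supported = [mcs_rate(m, bandwidth_mhz, gi_ns)
                 for m in range(mandatory_max_mcs + 1, supported_max_mcs + 1)]
    return mandatory, supported


def multicast_rate(multicast_mcs: int, radio_max_mcs: int,
                   mandatory_max_mcs: int, all_clients_11n: bool) -> float:
    """Apply the Multicast MCS rules of Table 118.

    - The multicast MCS is used only when every client is 802.11n; otherwise
      multicast goes at a mandatory MCS rate (which index is not stated on the
      page; the mandatory maximum is assumed here).
    - An index above the radio's maximum is clipped to that maximum.
    - The 20 MHz rate is used regardless of the radio's bandwidth mode.
    """
    if not all_clients_11n:
        return mcs_rate(mandatory_max_mcs, 20, 800)  # assumed fallback index
    return mcs_rate(min(multicast_mcs, radio_max_mcs), 20, 800)
```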

Configuring channel scanning

NOTE:

For more information about active and passive scanning, see "WLAN service configuration."

1. Select Radio > Scan from the navigation tree to enter the page for setting channel scanning.

Figure 395 Setting channel scanning

2. Configure channel scanning as described in Table 119.

3. Click Apply.


Table 119 Configuration items

Item Description

Scan Mode

Set the scan mode.

• Auto—Only the channels permitted by the configured country code are scanned.

• All—All the channels of the radio band are scanned.

Scan Non-802.11h Channel

Some of 802.11h channels, also called radar channels, overlap some 802.11a channels. If the device operates on an overlapping channel, its service quality may be affected. With this function enabled, the device selects a working channel from non-802.11h channels belonging to the configured country code to avoid channel collision.

Selecting the Scan Non-802.11h Channel option enables the function of scanning non-802.11h channels.

By default, the scan mode is auto, that is, all channels of the country code being set are scanned.

Scan Type

Set the scan type.

• Active—The active scanning mode requires a client to send a probe request. This scanning mode enables a client to discover APs more easily.

• Passive—Passive scanning is used by a client when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode.

For an AP that has the monitoring function:

• Active—The AP simulates a client to send probe requests during the scanning process.

• Passive—The AP does not send probe requests during the scanning process.

If you set active scanning for the AP, it is more likely to discover devices in the WLAN.

Scan Interval

Set the scan report interval.

• A longer scan interval enables an AP to discover more devices in the WLAN.

• A shorter scan interval enables an AP to send scanning reports to an AC more frequently.

If an AP has the monitoring function, the scan report interval will affect whether the scanning results can be processed in time and the frequency of message exchanges. Therefore, you need to set the interval properly according to the actual network conditions.

Configuring calibration

Parameter setting

1. Select Radio > Calibration from the navigation tree.

2. Click the Parameters tab.


Figure 396 Setting channel calibration

3. Configure channel calibration as described in Table 120.

4. Click Apply.

NOTE:

Channel switching results in temporary service interruption, so use the dynamic channel adjustment function with caution.

Table 120 Configuration items

Item Description

Basic Setup Calibration Interval

Channel and power calibration interval. A calibration interval takes effect on both the mesh network channel calibration and channel and power calibration of wireless services.


802.11g Protection Mode

• RTS/CTS—Use RTS/CTS mode to implement 802.11g protection. Before sending data to a client, an AP sends an RTS packet to the client, ensuring that all the devices within the coverage of the AP do not send data in the specified time after receiving the RTS packet. Upon receiving the RTS packet, the client responds with a CTS packet, ensuring that all the devices within the coverage of the client do not send data in the specified time.

• CTS-to-Self—Uses CTS-to-Self mode to implement 802.11g protection. When an AP sends packets to a client, it uses its IP address to send a CTS packet to inform the client that it will send a packet, ensuring that all the devices within the coverage of the AP do not send data in the specified time.

802.11g Protection

802.11b devices and 802.11g devices use different modulation modes, so 802.11g protection needs to be enabled for a 802.11g device to send RTS/CTS or CTS-to-self packets to 802.11b devices, which will defer access to the medium.

An AP running 802.11g uses the 802.11g protection function in the following two cases:

• An 802.11b client is associated with it.

• It detects APs or clients running 802.11b on the same channel.

Options include:

• Enable—Enable 802.11g protection.

• Close—Disable 802.11g protection.

IMPORTANT:

• Enabling 802.11g protection reduces network performance.

• Enabling 802.11g protection applies to the second case only, because 802.11g protection is always enabled for the first case.

802.11n Protection Mode

Both RTS/CTS and CTS-to-Self modes can be adopted. The implementation of the two modes is the same as 802.11g.

802.11n Protection

• Enable—Enables 802.11n protection. When non 802.11n wireless devices or non 802.11n clients exist within the coverage of the AP, you need to enable 802.11n protection.

• Close—Disables 802.11n protection.

Channel Setup

Note the following guidelines when configuring channel adjustment:

• Before configuring channel adjustment, make sure that the AC adopts the auto channel adjustment mode (for more information, see "Configuring radio parameters."). Otherwise, channel adjustment does not work.

• If you lock the channel first, and then enable channel adjustment (by selecting Dynamic Channel Select), channel adjustment does not work because the channel is locked. Before enabling channel adjustment, make sure that the channel is not locked.

• If you enable channel adjustment and then lock the channel, the last selected channel is locked.

For how to lock the channel, see "Locking the channel."


Dynamic Channel Select

• Close—Disables the DFS function.

• Auto—With auto DFS enabled, an AC performs DFS for a radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC will make DFS decisions at the calibration interval automatically.

• Manual—With one-time DFS configured for a radio, an AC performs DFS for the radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval. After that, if you want the AC to perform DFS for the radio, you have to make this configuration again.

IMPORTANT:

If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.

CRC Error Threshold Set the CRC error threshold value, in percentage.

Channel Interference Threshold

Set the channel interference threshold value, in percentage.

Tolerance Factor

A new channel is selected when either the configured CRC error threshold or interference threshold is exceeded on the current channel. However, the new channel is not applied until the quality of the current channel is worse than that of the new channel by the tolerance threshold.

Spectrum Management

• Enable—Enable spectrum management.

• Close—Disable spectrum management.

Power Setup

Note the following guidelines when configuring power adjustment:

• If you lock the power first, and then enable power adjustment (by selecting Dynamic Power Select), power adjustment does not work because the power is locked. Therefore, before enabling power adjustment, make sure that the power is not locked.

• If you enable power adjustment and then lock the power, the last selected power is locked.

For how to lock the power, see "Locking the power."

Dynamic Power Select

• Close—Disables transmit power control (TPC).

• Auto—With auto TPC enabled, the AC performs TPC for an AP upon certain interference and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC makes TPC decisions at the calibration interval automatically.

• Manual—With one-time TPC configured, an AC performs TPC for the AP upon certain interference, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, if you want the AC to perform TPC for the AP, you have to make this configuration again.

IMPORTANT:

If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.


Max Neighbor Count

Specify the maximum number of neighbors, which are managed by the same AC.

Power Constraint

Set the power constraint for all 802.11a radios. After power constraint is set, the transmission power of a client is the current transmission power minus the configured power constraint value.

IMPORTANT:

Enable spectrum management before configuring the power constraint; otherwise, the configuration does not take effect.

Configuring a radio group

With DFS or TPC configured for a radio, the AC calculates the channel quality or power of the radio at the calibration interval. When the result meets a trigger condition, the AC selects a new channel or power for the radio. In an environment where interference is serious, frequent channel or power adjustments may affect user access to the WLAN network. In this case, you can configure a radio group to keep the channel or power of radios in the group unchanged within a specified time. The channel and power of radios not in the radio group are adjusted normally.

After a channel or power adjustment (one-time, auto, or initial DFS or TPC), the channel or power of any radio in the radio group keeps unchanged within the specified holddown time. When the holddown time expires, the AC calculates the channel or power again. If the result meets a trigger condition, the channel or power is changed, and the new channel or power keeps unchanged within the specified holddown time. This mechanism continues.

NOTE:

Before entering the Radio Group page, configure channel or power adjustment on the Parameters tab.

1. Select Radio > Calibration from the navigation tree.

2. Click Radio Group.

3. Click Add.

The Radio Group page appears.


Figure 397 Configuring a radio group

4. Configure the radio group as described in Table 121.

5. Click Apply.

Table 121 Configuration items

Item Description

Group ID ID of the radio group

Description Description of the radio group

By default, a radio group has no description.

Channel Holddown Interval

Specify that the current channel keeps unchanged within the specified time after a channel adjustment (manual, automatic, or initial channel selection).

IMPORTANT:

The AC immediately selects another channel when it detects any radar signals on the current channel, and then resets the channel holddown timer.

Power Holddown Interval

Specify that the current power keeps unchanged within the specified time after a power adjustment (manual or automatic power adjustment).

Radio List

• Select the target radios from the Radios Available area, and then click << to add them into the Radios Selected area.

• Select the radios to be removed from the Radios Selected area, and then click >> to remove them from the radio group.
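The following is an added example, not code from the H3C guide, that ties together the channel rules from Table 119 (non-802.11h channel selection), Table 120 (CRC error and interference thresholds with the tolerance factor) and Table 121 (channel holddown interval with the radar override). The channel lists, the measurements and the quality metric are constructed assumptions; the page states the trigger conditions but not how the AC scores a channel, so the scoring and the strict "worse by more than the tolerance" comparison are the example's own.

```python
# Added example (not from the H3C guide): a model of channel calibration as
# described in Tables 119-121. Regulatory data, measurements and the quality
# metric are constructed assumptions, not the AC's real algorithm.

from dataclasses import dataclass, field

# Constructed sample regulatory data: 5 GHz channels permitted for a country
# code, and the subset that are 802.11h (radar) channels.
COUNTRY_CHANNELS = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112]
RADAR_CHANNELS = {52, 56, 60, 64, 100, 104, 108, 112}


def candidate_channels(scan_non_11h_only, country_channels=COUNTRY_CHANNELS,
                       radar=RADAR_CHANNELS):
    """Channels the AC may choose a working channel from. With the
    'Scan Non-802.11h Channel' option enabled, radar channels are excluded."""
    if scan_non_11h_only:
        return [c for c in country_channels if c not in radar]
    return list(country_channels)


@dataclass
class ChannelMeasurement:
    channel: int
    crc_error_pct: float
    interference_pct: float
    radar_detected: bool = False

    def quality(self):
        # Assumed metric (higher is better): the page defines thresholds but
        # not how the AC scores a channel.
        return 100.0 - max(self.crc_error_pct, self.interference_pct)


@dataclass
class DfsRadio:
    channel: int
    crc_threshold: float            # CRC Error Threshold, percent
    interference_threshold: float   # Channel Interference Threshold, percent
    tolerance: float                # Tolerance Factor
    holddown_min: int = 0           # Channel Holddown Interval; 0 = not in a radio group
    holddown_until: int = 0         # minute at which the holddown expires
    history: list = field(default_factory=list)   # (minute, old, new, reason)

    def calibrate(self, now_min, current, candidates):
        """Apply one calibration round; returns the channel in use afterwards."""
        # Radar on the current channel forces an immediate switch and resets
        # the holddown timer, regardless of thresholds or holddown.
        if current.radar_detected:
            best = max(candidates, key=lambda m: m.quality())
            return self._switch(now_min, best.channel, "radar")
        if now_min < self.holddown_until:
            return self.channel
        triggered = (current.crc_error_pct > self.crc_threshold
                     or current.interference_pct > self.interference_threshold)
        if not triggered:
            return self.channel
        best = max(candidates, key=lambda m: m.quality())
        # The new channel is applied only when the current one is worse than it
        # by more than the tolerance factor (strict comparison is an assumption).
        if best.quality() - current.quality() > self.tolerance:
            reason = "crc" if current.crc_error_pct > self.crc_threshold else "interference"
            return self._switch(now_min, best.channel, reason)
        return self.channel

    def _switch(self, now_min, new_channel, reason):
        self.history.append((now_min, self.channel, new_channel, reason))
        self.channel = new_channel
        self.holddown_until = now_min + self.holddown_min
        return self.channel
```

A radio in a group with a 20 minute channel holddown ignores a threshold breach at minute 10 after switching at minute 0, acts on it again once the holddown has expired, and switches at once on radar detection even inside the holddown, which is the behaviour the IMPORTANT note under Channel Holddown Interval describes.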


Calibration operations

NOTE:

If RRM is not enabled, or the radio to be displayed works on a fixed channel, you can only view the working channel and the power of the radio on the Operations tab in the Radio > Calibration page. Other information such as interference observed and the number of neighbors is displayed when RRM is enabled, that is, dynamic power selection or automatic dynamic frequency selection is enabled. For the configuration of RRM parameters, see "Parameter setting."

Displaying channel status

1. Select Radio > Calibration from the navigation tree.

2. On the Operations tab, click the Channel Status tab.

3. Click the desired radio to enter the page for displaying channel status.

Figure 398 Channel status

Table 122 Configuration items

Item Description

Channel No Running channel.

Neighbor Num Number of neighbors on a channel.

Load (%) Load detected on a channel.

Utilization (%) Channel utilization.

Interference (%) Interference detected on a channel.

Packet Error Rate (%) Error rate for packets on a channel.

Retransmission Rate (%) Retransmission rate on a channel.

Radar Detect Radar detection status.

Displaying neighbor information

1. Select Radio > Calibration from the navigation tree.

2. On the Operations tab, click the Neighbor Info tab.

3. Click the desired radio to enter the page for displaying neighbor information.


Figure 399 Neighbor information

Table 123 Field description

Field Description

AP MAC Address MAC address of an AP.

Channel No Running channel.

Interference (%) Interference detected on a channel.

RSSI (dBm) Received signal strength indication (RSSI) of AP, in dBm.

AP Type AP type, managed or unmanaged.

Displaying history information

NOTE:

History information is available only if channel switching or power adjustment occurs after RRM is enabled.

1. Select Radio > Calibration from the navigation tree.

2. On the Operations tab, click History Info.

3. Click the desired radio to enter the page for displaying history information.


Figure 400 History information

Table 124 Field description

Field Description

Radio Radio ID of the AP.

Basic BSSID MAC address of the AP.

Chl Channel on which the radio operates in case of the change of channel or power.

Power Power of the radio in case of the change of channel or power.

Load Load observed on the radio in percentage in case of the change of channel or power.

Util Utilization of the radio in percentage in case of the change of channel or power.

Intf Interference observed on the radio in percentage in case of the change of channel or power.

PER Packet error rate observed on a channel, in percentage.

Retry Percentage of retransmissions on the radio before/after the change of channel or power.

Reason Reason for the change of channel or power, such as Interference, packets discarded, retransmission, radar or coverage.

Date Date when the channel or power change occurred.

Time Time when the channel or power change occurred.

Antenna

1. Select Radio > Antenna to select an appropriate antenna for the corresponding radio.

2. Select the antenna type, Internal Antenna, or User-Default external antenna, for a specific radio from the Antenna list.

3. Click Apply.


Figure 401 Antenna switch

Manual channel adjustment configuration example

Network requirements

As shown in Figure 402, configure manual channel adjustment on the AC so that the AC can perform manual channel adjustment when the channel of AP 1 is unavailable.

Figure 402 Network diagram

Configuration procedure

1. Before you configure manual channel adjustment, configure AP 1 on the AC to establish a connection between them.

For the related configuration, see "Access service configuration."

2. Configure manual channel adjustment:

a. Select Radio > Calibration from the navigation tree.

b. Select the Parameters tab.

c. Select Manual from the Dynamic Channel Select list.

d. Click Apply.


Figure 403 Configuring manual channel adjustment

3. Perform manual channel adjustment:

a. Select Radio > Calibration from the navigation tree.

b. On the Operation tab, select the box of the target radio.

c. Click Channel Optimize.

Figure 404 Performing manual channel adjustment

Verifying the configuration

• You can view the channel status on the Operation tab you enter by selecting Radio > Calibration from the navigation tree.


• After you perform manual channel calibration, the AC informs the adjusted channel to the AP after a calibration interval.

• You can view the detailed information, such as the specific reason for channel adjustment on the History Info tab you enter by selecting Radio > Calibration from the navigation tree, clicking Operation, and then clicking History Info.

Configuration guidelines

If you select manual channel adjustment, click Channel Optimize on the Operation tab every time you perform manual channel adjustment.

Automatic power adjustment configuration example

Network requirements

As shown in Figure 405, AP 1 through AP 3 are connected to the AC. Configure automatic power adjustment and specify the adjacency factor as 3 on the AC. In this way, when AP 4 joins, the AC performs automatic power adjustment to avoid interference.

Figure 405 Network diagram

Configuration procedure

1. Before you configure automatic power adjustment, configure AP 1 through AP 3 on the AC to establish a connection between the AC and each AP.

For the related configuration, see "Access service configuration."

2. Configure automatic power adjustment:

a. Select Radio > Calibration from the navigation tree.

b. Click the Parameters tab.

c. Select Auto from the Dynamic Power Select list.

d. Click Apply.


Figure 406 Configuring automatic power adjustment

Verifying the configuration

• You can view the power of each AP on the Operation tab you enter by selecting Radio > Calibration from the navigation tree.

• When AP 4 joins (the adjacency number becomes 3), the maximum number of neighbors reaches the upper limit (3 by default), and the AC performs power adjustment after the calibration interval. You can view the detailed information, such as decrease of the Tx power value, on the History Info tab you enter by selecting Radio > Calibration from the navigation tree, selecting the Operation tab, and then selecting History Info.

Radio group configuration example

Network requirements

As shown in Figure 407, AP 1 through AP 3 are connected to the AC.

• Configure automatic channel adjustment so that the AC can automatically switch the channel when the signal quality on a channel is degraded to a certain level.


• Configure automatic power adjustment so that the AC can automatically adjust the power when the third neighbor is discovered (or in other words, when AP 4 joins) to avoid interference.

• Add radio 2 of AP 1 and radio 2 of AP 2 to a radio group to prevent frequent channel or power adjustments for the radios.

Figure 407 Network diagram

Configuration procedure

1. Before you configure a radio group, configure AP 1 through AP 3 on the AC to establish a connection between the AC and each AP.

For the related configuration, see "Access service configuration."

2. Configure automatic channel and power adjustment:

a. Select Radio > Calibration from the navigation tree.

b. Click the Parameters tab.

c. Select Auto from the Dynamic Channel Select list, select Auto from the Dynamic Power Select list, and click Apply.


Figure 408 Configuring automatic channel and power adjustment

3. Configure a radio group:

a. Select Radio > Calibration from the navigation tree.

b. Click Radio Group.

c. Click Add.

d. On the page that appears, enter the channel holddown interval 20 and enter the power holddown interval 30.

e. In the Radios Available area, select the target radios and click << to add them into the Radios Selected area.

f. Click Apply.


Figure 409 Configuring the radio group

Verifying the configuration

• The working channel of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 20 minutes after each automatic channel adjustment.

• The power of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 30 minutes after each automatic power adjustment.


Configuring 802.1X

802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for the security of wireless LANs (WLANs). It has been widely used on Ethernet networks for access control.

802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. It is described in Security Configuration Guide for the product.

802.1X architecture

802.1X operates in the client/server model. It comprises three entities: the client (the supplicant), the network access device (the authenticator), and the authentication server, as shown in Figure 410.

Figure 410 802.1X architecture

• The client is a user terminal seeking access to the LAN. It must have 802.1X software to authenticate to the network access device.

• The network access device authenticates the client to control access to the LAN. In a typical 802.1X environment, the network access device uses an authentication server to perform authentication.

• The authentication server is the entity that provides authentication services for the network access device. It authenticates 802.1X clients by using the data sent from the network access device, and returns the authentication results for the network access device to make access decisions. The authentication server is typically a Remote Authentication Dial-in User Service (RADIUS) server. In a small LAN, you can also use the network access device as the authentication server.

For more information about the 802.1X protocol, see H3C WX Series Access Controllers Security Configuration Guide.

Access control methods

H3C implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.

• With port-based access control, once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.



• With MAC-based access control, each user is separately authenticated on a port. When a user logs off, no other online users are affected.

Configuring 802.1X

Configuration prerequisites

• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For more information, see "Configuring AAA" and "Configuring RADIUS."

• If RADIUS authentication is used, create user accounts on the RADIUS server.

• If local authentication is used, create local user accounts on the access device and set the service type to LAN-access.

• If you want to use EAP relay when the RADIUS server does not support any EAP authentication method or no RADIUS server is available, configure the EAP server function on your network access device.

NOTE:

Configure 802.1X on a wired port. Wireless ports support only the port security feature, and the port security is enabled by default on the wireless ports.

Recommended configuration procedure

Task Description

1. Configuring 802.1X globally

Required.

Enable 802.1X authentication globally and configure the authentication method and advanced parameters.

By default, 802.1X authentication is disabled globally.

2. Configuring 802.1X on a port

Required.

Enable 802.1X authentication on specified ports and configure 802.1X parameters for the ports.

By default, 802.1X authentication is disabled on a port.

Configuring 802.1X globally

1. From the navigation tree, select Authentication > 802.1X.


Figure 411 802.1X global configuration

2. In the 802.1X Configuration area, select the Enable 802.1X box.

3. Select an authentication method for 802.1X users. Options include CHAP, PAP, and EAP.

CHAP—Sets the access device to perform EAP termination and use the CHAP to communicate with the RADIUS server.

PAP—Sets the access device to perform EAP termination and use the PAP to communicate with the RADIUS server.

EAP—Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.

NOTE:

When you configure EAP relay or EAP termination, consider the following factors:

• Whether the RADIUS server supports EAP packets.

• The authentication methods supported by the 802.1X client and the RADIUS server.

If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an H3C iNode 802.1X client, you can use either EAP termination or EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay.

4. Click Advanced to expand the advanced 802.1X configuration area.


Figure 412 Advanced configuration

5. Configure advanced 802.1X settings as described in Table 125.

6. Click Apply.

Table 125 Configuration items

Item Description

Quiet Specify whether to enable the quiet timer.

The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.

Quiet Period Set the value of the quiet timer.

Retry Times

Set the maximum number of authentication request attempts.

The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the TX Period option or the Supplicant Timeout Time option). The network access device stops retransmitting the request, if it has made the maximum number of request transmission attempts but still received no response.

TX Period

Set the username request timeout timer.

• The timer starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request.

• The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

Handshake Period

Set the handshake timer.

The timer sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off. For information about how to enable the online user handshake function, see "Configuring 802.1X on a port."

Re-Authentication Period

Set the periodic online user re-authentication timer.

The timer sets the interval at which the network device periodically re-authenticates online 802.1X users. The change to the periodic re-authentication timer applies to the users that have been online only after the old timer expires. For information about how to enable periodic online user re-authentication on a port, see "Configuring 802.1X on a port."


Supplicant Timeout Time

Set the client timeout timer.

The timer starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

TIP:

You can set the client timeout timer to a high value in a low-performance network, and adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.

Server Timeout Time

Set the server timeout timer.

The timer starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

IMPORTANT:

Do not change the timer parameters of global 802.1X from their default values unless you have determined that the changes would better the interaction process.

Configuring 802.1X on a port

1. From the navigation tree, select Authentication > 802.1X to enter the page, as shown in Figure 411.

The Ports With 802.1X Enabled area shows the 802.1X configuration on ports.

2. Click Add.

Figure 413 802.1X configuration on a port

3. Configure 802.1X features on a port as described in Table 126.

4. Click Apply.


Table 126 Configuration items

Item Description

Port

Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports are available.

NOTE:

802.1X is mutually exclusive with link aggregation group configuration on a port.

Port Control

Set the access control method for the port, which can be MAC Based or Port Based.

NOTE:

To use both 802.1X and portal authentication on a port, you must select MAC Based.

Port Authorization

Select the port authorization state for 802.1X.

Options include:

• Auto—Places the port initially in unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in authorized state to allow access to the network. You can use this option in most scenarios.

• Force-Authorized—Places the port in authorized state, enabling users on the port to access the network without authentication.

• Force-Unauthorized—Places the port in unauthorized state, denying any access requests from users on the port.

Max Number of Users Set the maximum number of concurrent 802.1X users on the port.

Enable Handshake

Specify whether to enable the online user handshake function.

The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the Handshake Period setting. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times setting) has been made, the network access device sets the user in offline state. For information about the timers, see Table 125.

NOTE:

If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.

Enable Re-Authentication

Specify whether to enable periodic online user re-authentication on the port.

Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in Table 125.

NOTE:

• The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication, even if the function is not configured. Support for the server assignment of re-authentication timer and the re-authentication timer configuration on the server vary with servers.

• The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.


Guest VLAN Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an 802.1X guest VLAN."

Enable MAC VLAN

Select the box to enable MAC-based VLAN.

NOTE:

Only hybrid ports support the feature.

Auth-Fail VLAN Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X authentication.

For more information, see "Configuring an Auth-Fail VLAN."

Configuring an 802.1X guest VLAN

• Configuration guidelines:

You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.

Assign different IDs to the default VLAN and the 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN-tagged traffic.

With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

Use Table 127 when you configure multiple security features on a port.

Table 127 Relationships of the 802.1X guest VLAN and other security features

Feature Relationship description

MAC authentication guest VLAN on a port that performs MAC-based access control

Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication is not assigned to the MAC authentication guest VLAN.

802.1X Auth-Fail VLAN on a port that performs MAC-based access control The 802.1X Auth-Fail VLAN has a higher priority.

Port intrusion protection on a port that performs MAC-based access control

The 802.1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.

• Configuration prerequisites:

Create the VLAN to be specified as the 802.1X guest VLAN.

If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger at the command-line interface (CLI). (802.1X multicast trigger is enabled by default.)

If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member.

Configuring an Auth-Fail VLAN

• Configuration guidelines:

Assign different IDs to the default VLAN and the 802.1X Auth-Fail VLAN on a port, so the port can correctly process incoming VLAN-tagged traffic.

Use Table 128 when you configure multiple security features on a port.

Table 128 Relationships of the 802.1X Auth-Fail VLAN with other features

Feature Relationship description

MAC authentication guest VLAN on a port that performs MAC-based access control

The 802.1X Auth-Fail VLAN has a higher priority.

Port intrusion protection on a port that performs MAC-based access control

The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.

• Configuration prerequisites:

Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.

If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger. (802.1X multicast trigger is enabled by default.)

If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member.

Configuring portal authentication

Introduction to portal authentication

Portal authentication helps control access to the Internet. It is also called "web authentication." A website implementing portal authentication is called a portal website.

With portal authentication, an access device forces all users to log onto the portal website first. Every user can access the free services provided on the portal website; but to access the Internet, a user must pass portal authentication on the portal website.

A user can access a known portal website and enter username and password for authentication. This authentication mode is called active authentication. There is also another authentication mode, forced authentication, in which the access device forces a user trying to access the Internet through HTTP to log on to a portal website for authentication.

The portal feature provides the flexibility for Internet service providers (ISPs) to manage services. A portal website can, for example, present advertisements, and deliver community services and personalized services. In this way, broadband network providers, equipment vendors, and content service providers form an industrial ecological system.

A typical portal system comprises these basic components: authentication client, access device, portal server, authentication/accounting server, and security policy server.

Figure 414 Portal system components

The components of a portal system interact in the following procedure:

1. When an unauthenticated user enters a website address in the address bar of the browser to access the Internet, an HTTP request is created and sent to the access device, which redirects the HTTP request to the web authentication homepage of the portal server. For extended portal functions, authentication clients must run the portal client software.


2. On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the access device.

3. Upon receipt of the authentication information, the access device communicates with the authentication/accounting server for authentication and accounting.

4. After successful authentication, the access device checks whether there is a corresponding security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the access device and the security policy server for security check. If the client passes security check, the security policy server authorizes the user to access the Internet resources.

NOTE:

The web interface of the device supports configuring portal authentication only on Layer 3 interfaces. For more information about portal authentication, see H3C WX Series Access Controllers Security Configuration Guide.

Configuring portal authentication

Configuration prerequisites

The portal feature provides a solution for user identity authentication and security checking, but it cannot implement this solution by itself: RADIUS authentication must be configured on the access device to work with the portal feature to complete user authentication.

The prerequisites for portal authentication configuration are as follows:

• The portal authentication-enabled interfaces of the access device are configured with valid IP addresses or have obtained valid IP addresses through DHCP.

• The portal server and the RADIUS server have been installed and configured properly. Local portal authentication requires no independent portal server.

• With re-DHCP authentication, the invalid IP address check function of DHCP relay is enabled on the access device, and the DHCP server is installed and configured properly.

• With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS server, and the RADIUS client configurations are performed on the access device. For information about RADIUS client configuration, see "Configuring RADIUS."

• To implement extended portal functions, install and configure IMC EAD, and make sure that the ACLs configured on the access device correspond to those specified for the resources in the quarantined area and for the restricted resources on the security policy server. For information about security policy server configuration on the access device, see "Configuring RADIUS."

Recommended configuration procedure

Step Remarks

1. Configuring the portal service

Required.

Configure a portal server, apply the portal server to a Layer 3 interface, and configure the portal authentication parameters.

By default, no portal server is configured.


2. Configuring advanced parameters for portal authentication

Optional.

Specify an auto redirection URL, set the time that the device must wait before redirecting an authenticated user to the auto redirection URL, and add web proxy server port numbers.

3. Configuring a portal-free rule

Optional.

Configure a portal-free rule, specifying the source and destination information for packet filtering.

A portal-free rule allows specified users to access specified external websites without portal authentication. Packets matching a portal-free rule will not trigger portal authentication and the users can directly access the specified external websites.

By default, no portal-free policy is configured.

Configuring the portal service

1. Select Authentication > Portal from the navigation tree.

The portal server configuration page appears.

Figure 415 Portal server configuration

TIP:

On the page shown in Figure 415, the portal service applied on a Layer 3 interface can be in either of the following states:

• Running—Portal authentication has taken effect on the interface.

• Enabled—Portal authentication has been enabled on the interface but has not taken effect.

2. Click Add to enter the portal service application page.

Figure 416 Portal service application

3. Configure the portal application settings as described in Table 129.

4. Click Apply.

Table 129 Configuration items

Item Description

Interface Specify the Layer 3 interface to be enabled with portal authentication.

Portal Server

Specify the portal server to be applied on the specified interface. Options include:

• Select Server—Select an existing portal server from the Portal Server list.

• New Server—If you select this option from the list, the portal server configuration area, as shown in Figure 417, is displayed at the lower part of the page. You can add a remote portal server and apply it to the interface. For detailed configuration, see Table 130.

• Enable Local Server—If you select this option from the list, the local portal service configuration area, as shown in Figure 418, is displayed at the lower part of the page. You can configure the parameters for the local portal service. For detailed configuration, see Table 131.


Method

Specify the portal authentication mode, which can be:

• Direct—Direct portal authentication.

• Layer3—Cross-subnet portal authentication.

• Re DHCP—Re-DHCP portal authentication.

IMPORTANT:

• In cross-subnet portal authentication mode, Layer 3 forwarding devices are not required between the authentication client and the access device. However, if they are present, you must select the cross-subnet portal authentication mode.

• In re-DHCP portal authentication mode, a client is allowed to send out packets using a public IP address before it passes portal authentication. However, responses to the packets are restricted.

• If the local portal server is used, you can configure the re-DHCP mode but it does not take effect.

Auth Network IP / Network Mask

Specify the IP address and mask of the authentication subnet. These fields are configurable when you select the Layer3 mode (cross-subnet portal authentication).

By configuring an authentication subnet, you specify that only HTTP packets from users on the authentication subnet can trigger portal authentication. If an unauthenticated user is not on any authentication subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule.

IMPORTANT:

The authentication subnet in direct mode is any source IP address, and that in re-DHCP mode is the private subnet to which the interface's private IP address belongs.

Authentication Domain

Specify the authentication domain for Layer 3 portal users.

After you specify an authentication domain on a Layer 3 interface, the device will use the authentication domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carried in the usernames. You can specify different authentication domains for different interfaces as needed.

The available authentication domains are those specified on the page you enter by selecting Authentication > AAA from the navigation tree. For more information, see "Configuring AAA."

Figure 417 Adding a portal server

Table 130 Configuration items

Item Description

Server Name Enter a name for the remote portal server.

IP Enter the IP address of the remote portal server.

Key Enter the shared key to be used for communication between the device and the remote portal server.

Port Enter the port number of the remote portal server.

URL

Specify the URL for HTTP packet redirection, in the format http://ip-address. By default, the IP address of the portal server is used in the URL.

IMPORTANT:

Redirection URL supports domain name resolution; however, you must configure a portal-free rule and add the DNS server address into the portal-free address range.

Figure 418 Local portal service configuration

Table 131 Configuration items

Item Description

Server Name Specify the local portal server name.

IP Specify the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied.

URL

Specify the URL for HTTP packet redirection, in the format http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm (depending on the protocol type).

By default, the IP address of the local portal server is used in the URL.

IMPORTANT:

• To use the local portal server for stateful failover in a wireless environment, you must specify the redirection URL, and the IP address of the URL must be the virtual IP address of the VRRP group where the VRRP downlink resides.

• URL redirection supports domain name resolution, but you need to configure a portal-free rule and add the DNS server address into the portal-free address range.

Protocol Specify the protocol to be used for authentication information exchange between the local portal server and the client. It can be HTTP or HTTPS.


PKI Domain

Specify the PKI domain for HTTPS. This field is configurable when you select HTTPS.

The available PKI domains are those specified on the page you enter by selecting Authentication > Certificate Management from the navigation tree. For more information, see "Managing certificates."

IMPORTANT:

The service management, local portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules will also change that referenced in the other two modules.

Page Customization: SSID and Page File

Specify the authentication page files to be bound with SSIDs as required.

After you bind SSIDs with authentication page files, when a user accesses the portal page, the local portal server pushes the authentication pages for the user according to the SSID of the user login interface and the bound authentication page file.

By default, an SSID is not bound with any authentication page file. In this case, the system pushes the default authentication pages.

You can edit an authentication page file as required and save it in the root directory or the portal directory under the root directory of the access device. For rules of customizing authentication pages, see "Customizing authentication pages."

Configuring advanced parameters for portal authentication 1. Select Authentication > Portal from the navigation tree.

2. Expand the Advanced area to show the advanced parameters for portal authentication.

Figure 419 Advanced configuration

3. Configure the advanced parameters as described in Table 132.

4. Click Apply.

Table 132 Advanced portal parameters

Item Description

Web Proxy Server Ports

Add the web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication.

Different clients may have different web proxy configurations. To make sure that clients using a web proxy can trigger portal authentication, you must first complete some other relevant configurations. When the IMC portal server is used, complete the following configurations first:

• If the client does not specify the portal server's IP address as a proxy exception, ensure IP connectivity between the portal server and the web proxy server and perform the following configurations on the IMC portal server: select NAT as the type of the IP group associated with the portal device, specify the proxy server's IP address as the IP address after NAT, and configure the port group to support NAT.

• If the client specifies the portal server's IP address as an exception of the web proxy server, configure the IP group and port group to not support NAT.

IMPORTANT:

• If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers, add the port numbers of the web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.

• If the web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host enabled with the HTTP service.

• Authorized ACLs to be assigned to users who have passed portal authentication must contain a rule that permits the web proxy server's IP address. Otherwise, the user cannot receive heartbeat packets from the remote portal server.

Redirection URL

Specify the auto redirection URL to which users will be automatically redirected after they pass portal authentication.

To access the network, an unauthenticated user either goes to or is automatically forced to the portal authentication page for authentication. If the user passes portal authentication and the access device is configured with an auto redirection URL, the access device will redirect the user to the URL after a specified period of time.

Wait-Time Period of time that the device must wait before redirecting an authenticated portal user to the auto redirection URL.

Configuring a portal-free rule

1. Select Authentication > Portal from the navigation tree.

2. Click the Free Rule tab.

Figure 420 Portal-free rule configuration

3. Click Add.

The page for adding a new portal-free rule appears.

Figure 421 Adding a portal-free rule

4. Configure the portal-free rule as described in Table 133.

5. Click Apply.

Table 133 Configuration items

Item Description

Number Specify the sequence number of the portal-free rule.

Source-interface Specify the source interface of the portal-free rule.

The SSIDs in the list are the corresponding SSIDs of the wireless ESS interfaces.

Source IP address / Mask

Specify the source IP address and mask of the portal-free rule.

Source MAC

Specify the source MAC address of the portal-free rule.

IMPORTANT:

If you configure both the source IP address and the source MAC address, make sure that the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified source MAC address will not take effect.


Source-VLAN

Specify the source VLAN of the portal-free rule.

IMPORTANT:

If you configure both a source interface and a source VLAN for a portal-free rule, make sure that the source interface is in the source VLAN. Otherwise, the portal-free rule will not take effect.

Destination IP Address / Mask

Specify the destination IP address and mask of the portal-free rule.
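The following Python model is added here as a worked example; it is not part of the H3C guide or the device software. It replays the portal-free rule semantics of Table 133 and the authentication-subnet behaviour from the Auth Network IP description for an HTTP packet from an unauthenticated client, and codes in the two caveats above: a source MAC configured with a mask other than 255.255.255.255 is ignored, and a rule whose source interface is not in its source VLAN has no effect. The result labels, the interface-to-VLAN map, the constructed addresses, SSIDs and MACs, and the omission of re-DHCP mode are assumptions of the model.

```python
"""Model of the portal-free rule and authentication-subnet handling described in
this chapter. Constructed example, not H3C code: rule fields and both IMPORTANT
caveats follow Table 133, the subnet behaviour follows the Auth Network IP item;
result labels and the interface-to-VLAN map are simplifying assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src_ip: IPv4Address
    dst_ip: IPv4Address
    src_mac: str
    vlan: int
    interface: str


@dataclass
class FreeRule:
    """One portal-free rule (Table 133); an unset field matches anything."""
    number: int
    source_interface: Optional[str] = None
    source_ip: Optional[IPv4Network] = None
    source_mac: Optional[str] = None
    source_vlan: Optional[int] = None
    dest_ip: Optional[IPv4Network] = None

    def is_effective(self, interface_vlan: Dict[str, int]) -> bool:
        # Table 133: with a source interface and a source VLAN both set, the rule
        # takes effect only if that interface is in that VLAN.
        if self.source_interface and self.source_vlan is not None:
            return interface_vlan.get(self.source_interface) == self.source_vlan
        return True

    def effective_mac(self) -> Optional[str]:
        # Table 133: the source MAC takes effect only with a 255.255.255.255 source mask.
        if self.source_mac and self.source_ip is not None and self.source_ip.prefixlen != 32:
            return None
        return self.source_mac.lower() if self.source_mac else None

    def matches(self, pkt: Packet, interface_vlan: Dict[str, int]) -> bool:
        if not self.is_effective(interface_vlan):
            return False
        if self.source_interface and pkt.interface != self.source_interface:
            return False
        if self.source_vlan is not None and pkt.vlan != self.source_vlan:
            return False
        if self.source_ip is not None and pkt.src_ip not in self.source_ip:
            return False
        mac = self.effective_mac()
        if mac and pkt.src_mac.lower() != mac:
            return False
        return self.dest_ip is None or pkt.dst_ip in self.dest_ip


def handle_http(pkt: Packet, mode: str, rules: List[FreeRule],
                auth_subnets: List[IPv4Network], interface_vlan: Dict[str, int]) -> str:
    """Fate of an HTTP packet from an unauthenticated user: "pass" (portal-free),
    "redirect" (triggers portal authentication) or "discard". mode is "direct"
    (any source triggers) or "layer3" (only authentication-subnet sources trigger)."""
    if any(r.matches(pkt, interface_vlan) for r in sorted(rules, key=lambda r: r.number)):
        return "pass"
    if mode == "direct" or any(pkt.src_ip in net for net in auth_subnets):
        return "redirect"
    return "discard"


def demo() -> Dict[str, str]:
    """Constructed scenario; every address, SSID and MAC here is invented."""
    interface_vlan = {"WLAN-ESS1": 2, "WLAN-ESS2": 3}
    rules = [
        FreeRule(1, dest_ip=ip_network("192.168.100.53/32")),   # DNS server (needed for URL resolution)
        FreeRule(2, dest_ip=ip_network("192.168.100.80/32")),   # WPAD server
        # /24 source mask: the MAC is silently ignored, so the whole subnet is freed
        FreeRule(3, source_ip=ip_network("10.1.0.0/24"), source_mac="00-11-22-33-44-55",
                 dest_ip=ip_network("203.0.113.0/24")),
        FreeRule(4, source_interface="WLAN-ESS1", source_vlan=3),   # ESS1 is in VLAN 2: dead rule
        FreeRule(5, source_interface="WLAN-ESS2", source_vlan=3),   # consistent: exempts that SSID
    ]
    auth = [ip_network("10.1.0.0/24")]

    def run(src, dst, mode="layer3", mac="aa-bb-cc-dd-ee-ff", vlan=2, itf="WLAN-ESS1"):
        return handle_http(Packet(ip_address(src), ip_address(dst), mac, vlan, itf),
                           mode, rules, auth, interface_vlan)

    return {
        "dns": run("10.1.0.9", "192.168.100.53"),
        "web_on_subnet": run("10.1.0.9", "198.51.100.7"),
        "web_off_subnet": run("10.2.0.9", "198.51.100.7"),
        "web_off_subnet_direct": run("10.2.0.9", "198.51.100.7", mode="direct"),
        "mac_ignored": run("10.1.0.50", "203.0.113.10", mac="de-ad-be-ef-00-01"),
        "dead_rule": run("10.2.0.9", "198.51.100.8", vlan=3),
        "good_rule": run("10.2.0.9", "198.51.100.8", vlan=3, itf="WLAN-ESS2"),
    }
```

Running demo() shows the two misconfigurations a reviewer of a portal setup should look for: rule 3 frees every host in 10.1.0.0/24 toward 203.0.113.0/24 regardless of the configured MAC, because its source mask is not 255.255.255.255, and rule 4 never matches because WLAN-ESS1 is in VLAN 2, not VLAN 3. An off-subnet client in Layer3 mode is discarded rather than redirected, while the same client in direct mode is redirected.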

Customizing authentication pages

When the local portal server is used for portal authentication, the local portal server pushes authentication pages to users. You can customize the authentication pages. If you do not customize the authentication pages, the local portal server pushes the system default authentication pages to users.

Customized authentication pages exist in the form of HTML files. You can compress them and then upload them to the access device. A set of authentication pages includes six main pages and some page elements. The six main pages are the logon page, the logon success page, the logon failure page, the online page, the system busy page, and the logoff success page. The page elements are the files that the authentication pages reference, for example, back.jpg for page Logon.htm. Each main authentication page can reference multiple page elements. If you define only some of the main pages, the local portal server pushes the system default authentication pages for the undefined ones to users.

For the local portal server to operate normally and stably, follow these rules when customizing authentication pages:

Rules on file names

The main pages of the authentication pages have predefined file names, which cannot be changed.

Table 134 Main authentication page file names

Main authentication page File name

Logon page logon.htm

Logon success page logonSuccess.htm

Logon failure page logonFail.htm

Online page (pushed for online state notification) online.htm

System busy page (pushed when the system is busy or the user is in the logon process) busy.htm

Logoff success page logoffSuccess.htm

NOTE:

Files other than the main page files can have any names. File names and directory names are case insensitive.

Rules on page requests

The local portal server supports only Post and Get requests.

• Get requests are used to get the static files in the authentication pages and allow no recursion. For example, if file Logon.htm includes contents that perform Get action on file ca.htm, file ca.htm cannot include any reference to file Logon.htm.

• Post requests are used when users submit usernames and passwords, log on to the system, and log off the system.

Rules on Post request attributes

1. Observe the following requirements when editing a form of an authentication page:

• An authentication page can have multiple forms, but there must be one and only one form whose action is logon.cgi. Otherwise, user information cannot be sent to the local portal server.

• The username attribute is fixed as PtUser, and the password attribute is fixed as PtPwd.

• Attribute PtButton is required to indicate the action that the user requests, which can be Logon or Logoff.

• A logon Post request must contain PtUser, PtPwd, and PtButton attributes.

• A logoff Post request must contain the PtButton attribute.

2. Authentication pages logon.htm and logonFail.htm must contain the logon Post request.

The following example shows part of the script in page logon.htm:

<form action="logon.cgi" method="post">
  <p>User name: <input type="text" name="PtUser" style="width:160px;height:22px" maxlength="64">
  <p>Password: <input type="password" name="PtPwd" style="width:160px;height:22px" maxlength="32">
  <p><input type="submit" value="Logon" name="PtButton" style="width:60px;" onclick="form.action=form.action+location.search;">
</form>

3. Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request.

The following example shows part of the script in page online.htm:

<form action="logon.cgi" method="post">
  <p><input type="submit" value="Logoff" name="PtButton" style="width:60px;">
</form>

Rules on page file compression and saving

• A set of authentication page files must be compressed into a standard zip file. The name of a zip file can contain only letters, digits, and underscores. The zip file of the default authentication pages must be saved with the name defaultfile.zip.

• The set of authentication pages must be located in the root directory of the zip file.

• Zip files can be transferred to the device through FTP or TFTP. The default authentication pages file must be saved in the root directory of the device, and customized authentication files can be saved in the root directory or in the portal directory under the root directory of the device.

Rules on file size and contents

For the system to push customized authentication pages smoothly, comply with the following size and content requirements:

• The size of the zip file of each set of authentication pages, including the main authentication pages and the page elements, must be no more than 500 KB.

• The size of a single page, including the main authentication page and the page elements, must be no more than 50 KB before being compressed.

• Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
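The following Python checker is added here as a worked example and is not H3C software. It applies the rules of this section to a page-set zip before it is uploaded: the zip name and root-directory layout, the 500 KB and 50 KB limits, the fixed main page names of Table 134, the single form posting to logon.cgi, the PtUser, PtPwd and PtButton attributes, and the Logon and Logoff button values. Parsing the form markup with regular expressions, treating the 50 KB limit as the page plus the elements it references by src or href, and judging "static contents" by file extension are assumptions; the sample page set produced by build_example_zip() is constructed for the demonstration.

```python
"""Validator for a customized local-portal page set against the rules in this
section (Table 134 names, the logon.cgi form and PtUser/PtPwd/PtButton, zip
layout, size limits). Added example, not H3C software; parsing form markup
with regular expressions and judging "static content" by extension are assumptions."""
import io
import re
import zipfile
from typing import Dict, List, Tuple

MAIN_PAGES = {"logon.htm", "logonsuccess.htm", "logonfail.htm", "online.htm", "busy.htm", "logoffsuccess.htm"}
LOGON_PAGES = {"logon.htm", "logonfail.htm"}        # must carry the logon Post request
LOGOFF_PAGES = {"logonsuccess.htm", "online.htm"}   # must carry the logoff Post request
MAX_ZIP_BYTES, MAX_PAGE_BYTES = 500 * 1024, 50 * 1024
STATIC_EXT = (".htm", ".html", ".js", ".css", ".jpg", ".jpeg", ".png", ".gif", ".bmp")
FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
INPUT_RE = re.compile(r"<input\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
REF_RE = re.compile(r"""(?:src|href)\s*=\s*["']?([^\s"'>]+)""", re.I)


def parse_attrs(tag_body: str) -> Dict[str, str]:
    """Attribute name -> value; tolerates the `name = "PtUser"` spacing the guide uses."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag_body)}


def forms_in(html: str) -> List[Tuple[Dict[str, str], List[Dict[str, str]]]]:
    """Each form as (form attributes, list of its input attribute dicts)."""
    forms = []
    for form in (m.group(0) for m in FORM_RE.finditer(html)):
        head = form[5:form.index(">")]          # between "<form" and the first ">"
        forms.append((parse_attrs(head), [parse_attrs(m.group(1)) for m in INPUT_RE.finditer(form)]))
    return forms


def check_page(name: str, html: str) -> List[str]:
    """Post-request rules for one main page (name lower-cased)."""
    if name not in LOGON_PAGES | LOGOFF_PAGES:      # busy.htm, logoffSuccess.htm: no form required
        return []
    logon_forms = [f for f in forms_in(html) if f[0].get("action", "").lower() == "logon.cgi"]
    if len(logon_forms) != 1:
        return [f"{name}: exactly one form with action logon.cgi is required"]
    attrs, inputs = logon_forms[0]
    errors = [] if attrs.get("method", "").lower() == "post" else [f"{name}: the logon.cgi form must use method post"]
    names = {i.get("name", "") for i in inputs}
    buttons = {i.get("value", "") for i in inputs if i.get("name") == "PtButton"}
    if name in LOGON_PAGES:
        errors += [f"{name}: logon Post request lacks {a}" for a in ("PtUser", "PtPwd", "PtButton") if a not in names]
        if "Logon" not in buttons:
            errors.append(f"{name}: PtButton must carry the value Logon")
    elif "Logoff" not in buttons:
        errors.append(f"{name}: logoff Post request needs PtButton with the value Logoff")
    return errors


def check_zip(zip_name: str, data: bytes) -> List[str]:
    """Naming, layout and size rules for a whole page-set zip, then each main page."""
    errors: List[str] = []
    stem = zip_name[:-4] if zip_name.lower().endswith(".zip") else zip_name
    if not re.fullmatch(r"[A-Za-z0-9_]+", stem):
        errors.append(f"{zip_name}: name may contain only letters, digits and underscores")
    if len(data) > MAX_ZIP_BYTES:
        errors.append(f"{zip_name}: {len(data)} bytes exceeds {MAX_ZIP_BYTES}")
    files: Dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if "/" in info.filename:                # also catches directory entries
                errors.append(f"{info.filename}: pages must sit in the root of the zip")
                continue
            if not info.filename.lower().endswith(STATIC_EXT):
                errors.append(f"{info.filename}: only HTML, JS, CSS and pictures are allowed")
            files[info.filename.lower()] = zf.read(info.filename)
    for page in sorted(MAIN_PAGES & set(files)):
        html = files[page].decode("utf-8", errors="replace")
        # A page plus the elements it references must stay under 50 KB uncompressed.
        total = len(files[page]) + sum(len(files.get(r.lower(), b"")) for r in REF_RE.findall(html))
        if total > MAX_PAGE_BYTES:
            errors.append(f"{page}: {total} bytes including page elements exceeds {MAX_PAGE_BYTES}")
        errors += check_page(page, html)
    return errors


def build_example_zip() -> bytes:
    """Constructed sample: valid logon.htm and logonSuccess.htm, an online.htm without Logoff, a stand-in picture."""
    logon = """<html><body><img src="back.jpg"><form action=logon.cgi method = post >
<p>User name:<input type="text" name = "PtUser" maxlength=64>
<p>Password :<input type="password" name = "PtPwd" maxlength=32>
<p><input type=SUBMIT value="Logon" name = "PtButton" onclick="form.action=form.action+location.search;">
</form></body></html>"""
    success = '<form action=logon.cgi method=post><input type=submit value="Logoff" name="PtButton"></form>'
    online = '<form action=logon.cgi method=post><input type=submit value="Refresh" name="PtRefresh"></form>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in (("logon.htm", logon), ("logonSuccess.htm", success), ("online.htm", online)):
            zf.writestr(name, body)
        zf.writestr("back.jpg", b"\xff\xd8\xff\xe0" + bytes(64))   # not a real JPEG, just bytes
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(check_zip("custom_pages.zip", build_example_zip())) or "page set OK")
```

The constructed set deliberately ships an online.htm whose form has no PtButton with the value Logoff, so check_zip() reports exactly that line and nothing else; a zip named with a hyphen adds a naming error in front of it. Pages such as busy.htm that carry no Post request are accepted without a form, and the 50 KB check counts back.jpg against logon.htm because that page references it.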

Logging off a user who closes the logon success or online page

After a user passes authentication, the system pushes the logon success page logonSuccess.htm to the user. If the user initiates another authentication through the logon page, the system pushes the online page online.htm. You can configure the device to forcibly log off the user when the user closes either of these two pages. To do so, add the following contents in logonSuccess.htm and online.htm:

1. Reference to file pt_private.js.

2. pt_unload(), the function for triggering page unloading.

3. pt_submit(), the event handler function for Form.

4. pt_init(), the function for triggering page loading.

The following is a script example; the added contents are the pt_private.js reference, the onload and onbeforeunload handlers on the body element, and the onsubmit handler on the form:

<html>
<head>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
<form action="logon.cgi" method="post" onsubmit="pt_submit()">
... ...
</form>
</body>
</html>

Redirecting authenticated users to a specified web page

To make the device automatically redirect authenticated users to a specified web page, do the following in logon.htm and logonSuccess.htm:

1. In logon.htm, set the target attribute of the form object to blank:

<form method="post" action="logon.cgi" target="blank">

2. Add the page loading function pt_init() to logonSuccess.htm:

<html>

<head>

<title>LogonSuccessed</title>

<script type="text/javascript" language="javascript" src="pt_private.js"></script>

</head>

<body onload="pt_init();" onbeforeunload="return pt_unload();">

... ...

</body>

</html>

NOTE:

• H3C recommends using browser IE 6.0 or later on the authentication clients.

• Make sure that the browser of an authentication client permits pop-ups, or at least pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.

• If a user refreshes the logon success or online page, or jumps to another web site from either of the pages, the device also logs off the user.

• If a user is using the Chrome browser, the device cannot log off the user when the user closes the logon success or online page.

Portal authentication configuration example

Network requirements

As shown in Figure 422, the wireless client belongs to VLAN 2. It accesses the network through the AP, which belongs to VLAN 3. The model and serial ID of the AP are WA2100 and 210235A29G007C00002, respectively.

The AC supports the local portal server, which runs HTTPS. The local portal server can push the corresponding customized pages according to the SSID of the user logon interface.

A RADIUS server (IMC server) serves as the authentication/accounting server.

The client must pass direct portal authentication to access unrestricted Internet resources. Before authentication, the client can access only the local portal server.

Figure 422 Network diagram

Configuration prerequisites

Complete the following tasks before you perform the portal configuration:

• Configure IP addresses for the devices as shown in Figure 422 and make sure they can reach each other.

• Configure PKI domain test, and make sure that a local certificate and a CA certificate are obtained successfully. For more information, see "Managing certificates."

• Complete the editing of the authentication page files to be bound with the client SSID.

• Configure the RADIUS server properly to provide authentication and accounting functions for users.

Configuring the AC

1. Configure the RADIUS scheme system:

a. From the navigation tree, select Authentication > RADIUS.

b. Click Add.

c. On the page that appears, enter the scheme name system, select the server type Extended, and select Without domain name for Username Format.

d. In the RADIUS Server Configuration area, click Add.

e. On the page that appears, select Primary Authentication as the server type, enter the IP address 1.1.1.2, the port number 1812, and the key expert, enter expert again in the Confirm Key field, and click Apply.

The RADIUS server configuration page closes, and the RADIUS Server Configuration area on the RADIUS scheme configuration page displays the authentication server you have just configured.

f. In the RADIUS Server Configuration area, click Add.

g. On the page that appears, select Primary Accounting as the server type, enter the IP address 1.1.1.2, the port number 1813, and the key expert, enter expert again in the Confirm Key field, and click Apply.

The RADIUS server configuration page closes, and the RADIUS Server Configuration area on the RADIUS scheme configuration page displays the accounting server you have just configured.

h. Click Apply.

Figure 423 Configuring the RADIUS scheme

2. Create ISP domain test, and configure it as the default domain.

a. From the navigation tree, select Authentication > AAA.


The Domain Setup tab appears.

b. Enter the domain name test, and select Enable from the Default Domain list to use the domain test as the default domain.

c. Click Apply.

Figure 424 Creating an ISP domain

3. Configure an authentication method for the ISP domain.

a. Click the Authentication tab.

b. Select the domain name test.

c. Select the Default AuthN box and then select RADIUS as the authentication mode.

d. Select system from the Name list to use it as the authentication scheme.

e. Click Apply.

A configuration progress dialog box appears.

f. After the configuration process is complete, click Close.


Figure 425 Configuring the authentication method for the ISP domain

4. Configure an authorization method for the ISP domain.

a. Click the Authorization tab.

b. Select the Default AuthZ box and then select RADIUS as the authorization mode.

c. Select system from the Name list to use it as the authorization scheme.

d. Click Apply.

A configuration progress dialog box appears.

e. After the configuration process is complete, click Close.

Figure 426 Configuring the authorization method for the ISP domain

5. Configure an accounting method for the ISP domain.

a. Click the Accounting tab.

b. Select the domain name test.

c. Select the Accounting Optional box, and then select Enable for this parameter.

d. Select the Default Accounting box and then select RADIUS as the accounting mode.

e. Select system from the Name list to use it as the accounting scheme.


f. Click Apply.

A configuration progress dialog box appears.

g. After the configuration process is complete, click Close.

Figure 427 Configuring the accounting method for the ISP domain

6. Create an AP.

a. From the navigation tree, select AP > AP Setup.

b. Click Create.

c. Enter the AP name ap1.

d. Select model WA2100.

e. Select the manual mode for serial ID and then enter the serial ID 210235A29G007C00002.

f. Click Apply.

Figure 428 Creating an AP

7. Create a wireless service.

a. From the navigation tree, select Wireless Service > Access Service.

b. Click New.

c. On the page that appears, enter the wireless service name abc, select clear as the wireless service type, and click Apply.

The wireless service configuration page appears.


Figure 429 Creating a wireless service

d. Enter 2 in the VLAN (Untagged) field, enter 2 in the Default VLAN field, and click Apply.

A configuration progress dialog box appears.

e. After the configuration process is complete, click Close.

Figure 430 Configuring parameters for the wireless service

8. Enable the wireless service.

a. On the wireless service list as shown in Figure 431, select the box before wireless service abc.

b. Click Enable.

A configuration progress dialog box appears.

c. After the configuration process is complete, click Close.


Figure 431 Enabling the wireless service

9. Bind an AP radio with the wireless service.

a. On the wireless service list, click the icon in the Operation column of wireless service abc.

b. On the page that appears, select the box before ap1 with the radio mode of 802.11g.

c. Click Bind.

A configuration progress dialog box appears.

d. After the configuration process is complete, click Close.

Figure 432 Binding an AP radio

10. Enable radio.

a. From the navigation tree, select Radio > Radio.


b. Select the box before ap1 with the radio mode of 802.11g.

c. Click Enable.

Figure 433 Enabling 802.11g radio

11. Configure portal authentication.

a. From the navigation tree, select Authentication > Portal.

b. Click Add.

c. Select interface Vlan-interface2, select Enable Local Server for Portal Server, select Direct as the authentication method, select the authentication domain test, enter 192.168.1.1 as the server IP address, select HTTPS as the protocol type, select test as the PKI domain, select the box before Page Customization, and select the authentication page file ssid1.zip for SSID abc.

d. Click Apply.


Figure 434 Portal service application

12. Configure a portal-free rule for Ethernet port GigabitEthernet 1/0/1.

a. Click the Free Rule tab.

b. Click Add.

c. On the page that appears, enter the rule number 0, and select the source interface GigabitEthernet1/0/1.

d. Click Apply.

Verifying the configuration

When a user accesses subnet 1.1.1.0/24, the user is redirected to https://192.168.1.1/portal/logon.htm and, after entering the correct username and password on the web page, passes authentication. Because the local portal server presents the local certificate from PKI domain test over HTTPS, the client browser must trust the CA that issued that certificate, or it will show a certificate warning on the redirect.


Configuring AAA

The web interface supports configuring Internet Service Provider (ISP) domains and configuring AAA methods for ISP domains.

AAA overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:

• Authentication—Identifies users and determines whether a user is valid.

• Authorization—Grants different users different rights and controls their access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.

• Accounting—Records all network service usage information of users, including the service type, start time, and traffic. The accounting function not only provides the information required for charging, but also allows for network security surveillance.

AAA usually uses a client/server model. The client runs on the network access server (NAS) and the server maintains user information centrally. In an AAA network, a NAS is a server for users but a client for the AAA servers.

Figure 435 Network diagram for AAA

AAA can be implemented through multiple protocols. The device supports using RADIUS, the most commonly used protocol in practice. For more information about RADIUS, see "Configuring RADIUS." For more information about AAA and ISP, see H3C WA Series WLAN Access Points Security Configuration Guide.

Configuring AAA

Configuration prerequisites

• To deploy local authentication, configure local users on the access device as described in "Configuring users."


• To deploy remote authentication, authorization, or accounting, create the RADIUS schemes to be referenced as described in "Configuring RADIUS."

Recommended configuration procedure

1. Configuring an ISP domain (optional)

Create ISP domains and specify one of them as the default ISP domain. By default, there is an ISP domain named system, which is the default ISP domain.

2. Configuring authentication methods for the ISP domain (optional)

Configure authentication methods for various types of users. By default, all types of users use local authentication.

AAA user types include LAN access users (such as 802.1X authentication users and MAC authentication users), login users (such as SSH, Telnet, FTP, and terminal access users), PPP users, Portal users, and Command users.

3. Configuring authorization methods for the ISP domain (optional)

Specify the authorization methods for various types of users. By default, all types of users use local authorization.

4. Configuring accounting methods for the ISP domain (required)

Specify the accounting methods for various types of users. By default, all types of users use local accounting.

Configuring an ISP domain

1. Select Authentication > AAA from the navigation tree.

The Domain Setup page appears.


Figure 436 Domain Setup page

2. Configure an ISP domain as described in Table 135.

3. Click Apply.

Table 135 Configuration items

Domain Name: Enter the ISP domain name, which identifies the domain. You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).

Default Domain: Specify whether to use the ISP domain as the default domain. Options include:
• Enable—Uses the domain as the default domain.
• Disable—Uses the domain as a non-default domain.
There can only be one default domain at a time. If you specify a second domain as the default domain, the original default domain becomes a non-default domain.

Configuring authentication methods for the ISP domain

1. Select Authentication > AAA from the navigation tree.

2. Click the Authentication tab to enter the authentication method configuration page.


Figure 437 Authentication method configuration page

3. Configure authentication methods for different types of users in the domain, as described in Table 136.

4. Click Apply.

A configuration progress dialog box appears.

5. After the configuration progress is complete, click Close.

Table 136 Configuration items

For each user type, Name selects the HWTACACS or RADIUS scheme to use, and Secondary Method sets the fallback authentication method.

Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.

Default AuthN, Name, Secondary Method: Configure the default authentication method and secondary authentication method for all types of users. Options include:
• HWTACACS—Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used.
• Local—Performs local authentication.
• None—All users are trusted and no authentication is performed. Generally, do not use this mode.
• RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
• Not Set—Restores the default, that is, local authentication.

LAN-access AuthN, Name, Secondary Method: Configure the authentication method and secondary authentication method for LAN access users. Options include:
• Local—Performs local authentication.
• None—All users are trusted and no authentication is performed. Generally, do not use this mode.
• RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default authentication methods.

Login AuthN, Name, Secondary Method: Configure the authentication method and secondary authentication method for login users. Options include:
• HWTACACS—Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used.
• Local—Performs local authentication.
• None—All users are trusted and no authentication is performed. Generally, do not use this mode.
• RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default authentication methods.

PPP AuthN, Name, Secondary Method: Configure the authentication method and secondary authentication method for PPP users. Options include:
• HWTACACS—Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used.
• Local—Performs local authentication.
• None—All users are trusted and no authentication is performed. Generally, do not use this mode.
• RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default authentication methods.

Portal AuthN, Name: Configure the authentication method for Portal users. Options include:
• Local—Performs local authentication.
• None—All users are trusted and no authentication is performed. Generally, do not use this mode.
• RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default authentication methods.

Configuring authorization methods for the ISP domain

1. Select Authentication > AAA from the navigation tree.

2. Click the Authorization tab to enter the authorization method configuration page.


Figure 438 Authorization method configuration page

3. Configure authorization methods for different types of users in the domain, as described in Table 137.

4. Click Apply.

A configuration progress dialog box appears.

5. After the configuration progress is complete, click Close.

Table 137 Configuration items

Select an ISP domain: Select the ISP domain for which you want to specify authorization methods.

Default AuthZ, Name, Secondary Method: Configure the default authorization method and secondary authorization method for all types of users. Options include:
• HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
• Local—Performs local authorization.
• None—All users are trusted and authorized. A user gets the default rights of the system.
• RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—Restores the default, that is, local authorization.

LAN-access AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for LAN access users. Options include:
• Local—Performs local authorization.
• None—All users are trusted and authorized. A user gets the default rights of the system.
• RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default authorization methods.

Login AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for login users. Options include:
• HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
• Local—Performs local authorization.
• None—All users are trusted and authorized. A user gets the default rights of the system.
• RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default authorization methods.

PPP AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for PPP users. Options include:
• HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
• Local—Performs local authorization.
• None—All users are trusted and authorized. A user gets the default rights of the system.
• RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default authorization methods.

Portal AuthZ, Name: Configure the authorization method for Portal users. Options include:
• Local—Performs local authorization.
• None—All users are trusted and authorized. A user gets the default rights of the system.
• RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default authorization methods.

Command AuthZ, Name: Configure the authorization method for command users. Options include:
• HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
• Not Set—Uses the default authorization methods.

Configuring accounting methods for the ISP domain

1. Select Authentication > AAA from the navigation tree.

2. Click the Accounting tab to enter the accounting method configuration page.


Figure 439 Accounting method configuration page

3. Configure accounting methods for different types of users in the domain, as described in Table 138.

4. Click Apply.

A configuration progress dialog box appears.

5. After the configuration progress is complete, click Close.

Table 138 Configuration items

Select an ISP domain: Select the ISP domain for which you want to specify accounting methods.

Accounting Optional: Specify whether to enable the accounting optional feature.
With the feature enabled, a user who would otherwise be disconnected can still use the network resources when no accounting server is available or communication with the current accounting server fails. If accounting for such a user fails, the device no longer sends real-time accounting updates for the user.

Default Accounting, Name, Secondary Method: Configure the default accounting method and secondary accounting method for all types of users. Options include:
• HWTACACS—Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
• Local—Performs local accounting.
• None—Performs no accounting.
• RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—Restores the default, that is, local accounting.

LAN-access Accounting, Name, Secondary Method: Configure the accounting method and secondary accounting method for LAN access users. Options include:
• Local—Performs local accounting.
• None—Performs no accounting.
• RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default accounting methods.

Login Accounting, Name, Secondary Method: Configure the accounting method and secondary accounting method for login users. Options include:
• HWTACACS—Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
• Local—Performs local accounting.
• None—Performs no accounting.
• RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default accounting methods.

PPP Accounting, Name, Secondary Method: Configure the accounting method and secondary accounting method for PPP users. Options include:
• HWTACACS—Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
• Local—Performs local accounting.
• None—Performs no accounting.
• RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default accounting methods.

Portal Accounting, Name: Configure the accounting method for Portal users. Options include:
• Local—Performs local accounting.
• None—Performs no accounting.
• RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—Uses the default accounting methods.
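To make the fallback rules in Table 136 through Table 138 concrete, here is an added example (written for this page, not code from the H3C guide or the device) that models an ISP domain's method tables in Python and walks a user through authentication, authorization and accounting: a Not Set entry for a user type inherits the domain default, a Not Set default means Local, the secondary method is consulted only when the primary scheme cannot be reached, and Accounting Optional decides whether a user whose accounting fails stays online. The domain and the backend contents are constructed; the user names, the scheme name system and the domain name test are taken from the examples on this page. Treating Secondary Method as Local or None only is an assumption of this model.

```python
from dataclasses import dataclass, field

NOT_SET, LOCAL, NONE, RADIUS = "Not Set", "Local", "None", "RADIUS"


@dataclass
class Method:
    mode: str = NOT_SET
    scheme: str = ""            # the Name field: RADIUS scheme to use
    secondary: str = NOT_SET    # assumed here to be Local or None (no scheme of its own)


@dataclass
class IspDomain:
    name: str
    authn: dict = field(default_factory=dict)       # "default" or a user type -> Method
    authz: dict = field(default_factory=dict)
    accounting: dict = field(default_factory=dict)
    accounting_optional: bool = False


def resolve(table, user_type):
    """A user type left Not Set inherits the domain default; a Not Set default means Local."""
    method = table.get(user_type, Method())
    if method.mode == NOT_SET:
        method = table.get("default", Method())
    return Method(LOCAL) if method.mode == NOT_SET else method


def split_username(username, default_domain):
    """userid@isp-name picks the ISP domain; a bare userid lands in the default domain."""
    if "@" in username:
        userid, isp = username.rsplit("@", 1)
        return userid, isp
    return username, default_domain


def query(mode, scheme, service, backends, userid, password):
    """One method for one service: 'accept', 'reject' or 'unreachable'."""
    if mode == NONE:
        return "accept"                      # trusted without any check
    if mode == LOCAL:
        if service == "authentication":
            return "accept" if backends["local"].get(userid) == password else "reject"
        return "accept"                      # local authorization/accounting never fail here
    server = backends["radius:" + scheme]
    if not server[service + "_up"]:
        return "unreachable"
    if service == "authentication":
        return "accept" if server["users"].get(userid) == password else "reject"
    return "accept"                          # authorization rides on Access-Accept; accounting ok


def apply_method(method, service, backends, userid, password):
    """The secondary method is used only when the primary scheme is unreachable."""
    result = query(method.mode, method.scheme, service, backends, userid, password)
    if result == "unreachable" and method.secondary != NOT_SET:
        return query(method.secondary, "", service, backends, userid, password), method.secondary
    return result, method.mode


def aaa_access(domains, default_domain, username, password, user_type, backends):
    """Walk authentication, authorization and accounting as the domain tables direct."""
    userid, isp = split_username(username, default_domain)
    domain = domains.get(isp)
    if domain is None:
        return {"domain": isp, "status": "rejected", "reason": "unknown ISP domain"}
    trace = {"domain": isp}
    for service, table in (("authentication", domain.authn), ("authorization", domain.authz)):
        result, used = apply_method(resolve(table, user_type), service, backends, userid, password)
        trace[service] = used
        if result != "accept":
            trace.update(status="rejected", reason=service + " " + result)
            return trace
    result, used = apply_method(resolve(domain.accounting, user_type), "accounting",
                                backends, userid, password)
    trace["accounting"] = used
    if result == "accept":
        trace["status"] = "online"
    elif domain.accounting_optional:
        trace["status"] = "online"           # kept online; no real-time accounting for this user
        trace["reason"] = "accounting server unreachable, accounting optional"
    else:
        trace["status"] = "disconnected"     # accounting failed and Accounting Optional is off
    return trace


# Constructed configuration mirroring this page: domain test uses RADIUS scheme system for
# everything by default (portal example), login users are handled locally (AAA example),
# and LAN-access users fall back to Local if the RADIUS scheme cannot be reached.
DOMAINS = {
    "test": IspDomain(
        "test",
        authn={"default": Method(RADIUS, "system"), "login": Method(LOCAL),
               "lan-access": Method(RADIUS, "system", secondary=LOCAL)},
        authz={"default": Method(RADIUS, "system"), "login": Method(LOCAL)},
        accounting={"default": Method(RADIUS, "system")},
        accounting_optional=True,
    ),
}
BACKENDS = {
    "local": {"telnet": "abcd"},
    "radius:system": {"authentication_up": True, "authorization_up": True,
                      "accounting_up": True, "users": {"alice": "wifi-pass"}},
}
```

Calling aaa_access(DOMAINS, "test", "telnet@test", "abcd", "login", BACKENDS) shows the login-specific Local entries taking precedence over the RADIUS default, while the accounting column, left Not Set for login users, still resolves to the RADIUS default. Flip accounting_optional to False on a domain to see the same user end up disconnected when the accounting server is down.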

AAA configuration example

Network requirements

As shown in Figure 440, configure the AC to perform local authentication, authorization, and accounting for Telnet users.


Figure 440 Network diagram

Configuration procedure

1. Configure a local user:

a. Select Authentication > Users from the navigation tree.

The local user management page appears.

b. Click Add.

c. Enter telnet as the username.

d. Enter abcd as the password.

e. Enter abcd again to confirm the password.

f. Select Common User as the user type.

g. Select Configure as the level.

h. Select Telnet as the service type.

i. Click Apply.

Figure 441 Configuring the local user

2. Configure ISP domain test.

a. Select Authentication > AAA from the navigation tree.

The Domain Setup page appears, as shown in Figure 442.


b. Enter test as the domain name.

c. Click Apply.

Figure 442 Configuring ISP domain test

3. Configure the ISP domain to use local authentication for login users:

a. Select Authentication > AAA from the navigation tree

b. Click the Authentication tab.

c. Select the domain test.

d. Select the Login AuthN box and select the authentication method Local.

e. Click Apply.

A configuration progress dialog box appears.

f. After the configuration progress is complete, click Close.


Figure 443 Configuring the ISP domain to use local authentication

4. Configure the ISP domain to use local authorization for login users:

a. Select Authentication > AAA from the navigation tree.

b. Click the Authorization tab.

c. Select the domain test.

d. Select the Login AuthZ box and select the authorization method Local.

e. Click Apply.

A configuration progress dialog box appears.

f. After the configuration progress is complete, click Close.

Figure 444 Configuring the ISP domain to use local authorization

5. Log in to the CLI, enable the Telnet service, and configure the AC to use AAA (scheme authentication) for Telnet users:

<AC> system-view

[AC] telnet server enable

[AC] user-interface vty 0 4

[AC-ui-vty0-4] authentication-mode scheme

[AC-ui-vty0-4] quit


6. Verify the configuration

Telnet to the AC and log in with the username telnet@test and the password abcd. You should be authenticated as a user in ISP domain test. Note that Telnet carries the username and password in cleartext; on a production AC, use SSH for login users and restrict VTY access to the management network.


Configuring RADIUS

RADIUS overview

The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication, Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS defines the packet format and message transfer mechanism, and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.

RADIUS was originally designed for dial-in user access. With the addition of new access methods, RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL. RADIUS provides access authentication and authorization services, and its accounting function collects and records network resource usage information.

For more information about AAA and RADIUS, see H3C WA Series WLAN Access Points Security Configuration Guide.
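The packet-level mechanics behind this description, as an added example written for this page rather than code from the H3C guide or the product: a minimal RADIUS client and server in Python (standard library only) that build an Access-Request with the User-Password hidden as RFC 2865 requires, answer it, and verify the Response Authenticator on the way back. The user database and password are constructed for the example; the NAS address 192.168.1.1 and the key expert are the values used in the portal example above. The point to notice is exactly what the shared key protects: a key mismatch makes the server reject the login and makes the NAS discard the reply, but nothing else in the packet is encrypted.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types from RFC 2865


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(packet):
    """Parse the attribute area; the Length field bounds the walk."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < min(length, len(packet)):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: each 16-byte block of the padded password is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side of the same transform; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, request_auth):
    """NAS side: Code, Identifier, Length, a random Request Authenticator, then attributes."""
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(request, secret, users):
    """RADIUS server side: recover the password with its own copy of the key and answer."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request)
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    accepted = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == password
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)      # no attributes in this reply
    return header + response_authenticator(reply_code, ident, b"", request_auth, secret)


def verify_response(response, request, secret):
    """NAS side: the reply must echo the Identifier and carry a valid Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def authenticate(username, password, nas_key, server_key, users, ident=7):
    """One Access-Request / Access-Accept (or Reject) round trip.
    Returns (accepted, reply_authentic); a key mismatch fails both."""
    request_auth = os.urandom(16)
    request = build_access_request(ident, username, password, "192.168.1.1", nas_key, request_auth)
    response = server_handle(request, server_key, users)
    authentic = verify_response(response, request, nas_key)
    return (response[0] == ACCESS_ACCEPT) and authentic, authentic
```

Run authenticate(b"alice", b"s3cret-pw", b"expert", b"expert", {b"alice": b"s3cret-pw"}) to see an Accept that verifies, then change only the server key: the server decodes a garbage password and rejects, and the NAS rejects the reply because the authenticator no longer matches. Everything except the password field travels in the clear, which is why the key must be long and random and the RADIUS path kept on a trusted management network.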

Configuring a RADIUS scheme

A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers. There might be authentication servers and accounting servers, or primary servers and secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and the RADIUS server type. By default, no RADIUS scheme exists.

To configure a RADIUS scheme:

1. Select Authentication > RADIUS from the navigation tree.

Figure 445 RADIUS scheme list

2. Click Add.


Figure 446 RADIUS scheme configuration page

3. Enter a scheme name.

4. Select a server type and a username format.

Table 139 Configuration items

Server Type: Select the type of the RADIUS servers supported by the device, which can be:
• Standard—Specifies the standard RADIUS server. That is, the RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
• Extended—Specifies an extended RADIUS server (usually running on IMC). In this case, the RADIUS client and the RADIUS server communicate by using the proprietary RADIUS protocol and packet format.

Username Format: Select the format of usernames to be sent to the RADIUS server.
A username is generally in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to remove the domain name of a username before sending it to the RADIUS server.
• Original format—Sends the username of a user on an "as is" basis.
• With domain name—Includes the domain name in a username to be sent to the RADIUS server.
• Without domain name—Removes the domain name of a username to be sent to the RADIUS server.

5. Click the expand button before Advanced in the Common Configuration area to expand the advanced configuration area.


Figure 447 Common configuration area

6. Configure the advanced parameters.


Table 140 Configuration items

Item Description

Authentication Key Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets.

The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets, and they verify the validity of packets through the specified shared key. Only if the shared key of the client and that of the server are the same, will the client and the server receive and respond to packets from each other.

IMPORTANT: • The shared keys configured on the device must be consistent with those

configured on the RADIUS servers. • The shared keys configured in the common configuration part are used only

when no corresponding shared keys are configured in the RADIUS server configuration part.

Confirm Authentication Key

Accounting Key

Confirm Accounting Key

Quiet Time

Set the time the device keeps an unreachable RADIUS server in blocked state.

If you set the quiet time to 0, when the device needs to send an authentication or accounting request but finds that the current server is unreachable, it does not change the server's status that it maintains. It simply sends the request to the next server in active state. As a result, when the device needs to send a request of the same type for another user, it still tries to send the request to the server because the server is in active state.

You can use this parameter to control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable because the device's port for connecting the server is out of service temporarily or the server is busy, you can set the time to 0 so that the device uses the primary server as much.

Server Response Timeout Time

Set the RADIUS server response timeout time.

If the device sends a RADIUS request to a RADIUS server but receives no response within the specified server response timeout time, it retransmits the request. Setting a proper value according to the network conditions helps in improving the system performance.

IMPORTANT:

The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75.

Request Transmission Attempts

Set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure.

Page 439: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

423

Item Description

Realtime Accounting Interval

Set the interval for sending real-time accounting information. The interval must be a multiple of 3.

To implement real-time accounting, the device must send real-time accounting packets to the accounting server for online users periodically.

Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when a large number of users (1000 or more) exist. For more information about the recommended real-time accounting intervals, see "Configuration guidelines."

Realtime Accounting Attempts Set the maximum number of attempts for sending a real-time accounting request.

Unit for Data Flows Specify the unit for data flows sent to the RADIUS server, which can be byte, kilo-byte, mega-byte, or giga-byte.

Unit for Packets

Specify the unit for data packets sent to the RADIUS server, which can be: • One-packet. • Kilo-packet. • Mega-packet. • Giga-packet.

Enable EAP offload

Enable or disable the EAP offload function.

Some RADIUS servers do not support EAP authentication. They cannot process EAP packets. In this case, it is necessary to preprocess the EAP packets received from clients on the access device. This is where the EAP offload function comes in.

After receiving an EAP packet, the access device enabled with the EAP offload function first converts the authentication information in the EAP packet into the corresponding RADIUS attributes through the local EAP server, encapsulates the EAP packet into a RADIUS request and then sends the request to the RADIUS server for authentication. When the RADIUS server receives the request, it analyzes the carried authentication information, encapsulates the authentication result in a RADIUS packet, and then sends the packet to the local EAP server on the access device for subsequent interaction with the client.

Security Policy Server Specify the IP address of the security policy server.

RADIUS Packet Source IP

Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server.

H3C recommends you to use a loopback interface address instead of a physical interface address as the source IP address, because if the physical interface is down, the response packets from the server cannot reach the device.

RADIUS Packet Backup Source IP

Specify the backup source IP address for the device to use in RADIUS packets sent to the RADIUS server.

In a stateful failover environment, the backup source IP address must be the source IP address for the remote device to use in RADIUS packets sent to the RADIUS server.

Configuring the backup source IP address in a stateful failover environment makes sure that the backup server can receive the RADIUS packets sent from the RADIUS server when the master device fails.

Buffer stop-accounting packets

Enable or disable buffering of stop-accounting requests for which no responses are received.

Page 440: H3C WX Series Access Controllers Web-Based Configuration Guide(R3308_R2308)-6W106-Book

424

Item Description

Stop-Accounting Attempts

Set the maximum number of stop-accounting attempts.

The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.

Suppose that the RADIUS server response timeout period is three seconds, the maximum number of transmission attempts is five, and the maximum number of stop-accounting attempts is 20. For each stop-accounting request, if the device receives no response within three seconds, it retransmits the request. If it receives no responses after retransmitting the request five times, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. If 20 consecutive attempts fail, the device discards the request.

Send accounting-on packets

Enable or disable the accounting-on feature.

The accounting-on feature enables a device to send accounting-on packets to RADIUS servers after it reboots, making the servers forcedly log out users who logged in through the device before the reboot.

IMPORTANT:

When enabling the accounting-on feature on a device for the first time, you must save the configuration so that the feature takes effect after the device reboots.

Accounting-On Interval Set the interval for sending accounting-on packets. This field is configurable only when the Send accounting-on packets option is selected.

Accounting-On Attempts Set the maximum number of accounting-on packets transmission attempts. This field is configurable only when the Send accounting-on packets option is selected.

Attribute Interpretation Enable or disable the device to interpret the RADIUS class attribute as CAR parameters.

7. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page.

Figure 448 RADIUS server configuration page

8. Configure a RADIUS server for the RADIUS scheme as described in Table 141.

9. Click Apply to add the server to the RADIUS scheme.

10. Repeat step 7 through step 9 to add more RADIUS servers to the RADIUS scheme.

11. On the RADIUS scheme configuration page, click Apply.


Table 141 Configuration items

Item Description

Server Type Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.

IP Address Specify the IP address of the RADIUS server.

Port Specify the UDP port of the RADIUS server.

Key
Confirm Key

Specify the shared key for communication with the RADIUS server, and enter it again to confirm. If no shared key is specified here, the shared key specified in the common configuration part is used.

RADIUS configuration example

Network requirements

As shown in Figure 449, a RADIUS server running on IMC uses UDP ports 1812 and 1813 to provide authentication and accounting services respectively.

Configure the AC to use the RADIUS server for Telnet user authentication and accounting, and to remove domain names from the usernames sent to the server.

On the RADIUS server, configure a Telnet user account with the username hello@bbb and the password abc, and set the EXEC privilege level to 3 for the user.

Set the shared keys for packet exchange between the AC and the RADIUS server to expert.

Figure 449 Network diagram

Configuration procedure

1. Configure RADIUS scheme system:

a. Select Authentication > RADIUS from the navigation tree.

b. Click Add.

c. Enter the scheme name system, select the server type Extended, and select the username format Without domain name.

d. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page.

e. Select the server type Primary Authentication, enter 10.1.1.1 as the IP address of the primary authentication server, 1812 as the port number, and expert as the key, and click Apply to add the primary authentication server to the scheme.


Figure 450 RADIUS authentication server configuration page

f. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page again.

g. Select Primary Accounting as the server type, enter 10.1.1.1 as the IP address of the primary accounting server, enter the port number 1813, the key expert, and click Apply, as shown in Figure 451.

The RADIUS scheme configuration page refreshes and the added servers appear in the server list, as shown in Figure 452.

h. Click Apply to finish the scheme configuration.

Figure 451 RADIUS accounting server configuration page


Figure 452 RADIUS scheme configuration

2. Create an ISP domain:

a. From the navigation tree, select Authentication > AAA.

The domain setup page appears.

b. Enter bbb in the Domain Name box.

c. Click Apply.


Figure 453 Creating an ISP domain

3. Configure an authentication method for the ISP domain:

a. Click the Authentication tab.

b. Select the domain name bbb.

c. Select the Default AuthN box and then select the authentication mode RADIUS.

d. Select the RADIUS scheme system from the Name list to use it as the authentication scheme.

e. Click Apply.

A configuration progress dialog box appears.

f. After the configuration progress is complete, click Close.

Figure 454 Configuring an authentication method for the ISP domain


4. Configure an authorization method for the ISP domain:

a. Click the Authorization tab.

b. Select the domain name bbb.

c. Select the Default AuthZ box and select the authorization mode RADIUS.

d. Select the RADIUS scheme system from the Name list to use it as the authorization scheme.

e. Click Apply.

A configuration progress dialog box appears.

f. After the configuration progress is complete, click Close.

Figure 455 Configuring an authorization method for the ISP domain

5. Configure an accounting method for the ISP domain, and enable accounting optional:

a. Click the Accounting tab.

b. Select the domain name bbb.

c. Select the Accounting Optional box and then select Enable.

d. Select the Default Accounting box and then select accounting mode RADIUS.

e. Select the RADIUS scheme system from the Name list to use it as the accounting scheme.

f. Click Apply.

A configuration progress dialog box appears.

g. After the configuration progress is complete, click Close.


Figure 456 Configuring an accounting method for the ISP domain

6. Enable the Telnet service.

a. From the navigation tree, select Network > Service.

b. Select the Enable Telnet service box.

c. Click Apply.

Figure 457 Enabling the Telnet service

7. Log in to the CLI, and configure the VTY user interfaces to use AAA for user access control.

<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit

Verifying the configuration

Telnet to the AC and enter the username hello@bbb and password abc. You can log in and access commands of levels 0 through 3.
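To make concrete what the username format and the shared key from this example do on the wire, the following Python code is an added example (not H3C code and not from this guide). It encodes a RADIUS Access-Request the way a NAS such as the AC sends it to the authentication server: the domain is removed from hello@bbb because the scheme uses the username format Without domain name, and the password abc is hidden with the shared key expert and the 16-byte Request Authenticator as RFC 2865 section 5.2 specifies. The NAS IP address 192.0.2.1 and the function names are constructed for the example.

```python
import hashlib
import os
import socket
import struct
from typing import Dict, Optional

# RADIUS packet code and attribute types (RFC 2865).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20  # Code, Identifier, Length, Request Authenticator


def strip_domain(username: str) -> str:
    """Username format "Without domain name": send only the part before '@'."""
    return username.split("@", 1)[0]


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding: each 16-byte block is XORed with MD5(secret + previous block),
    where the "previous block" of the first block is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block  # chaining: the next pad depends on the ciphertext just produced
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, i.e. what the RADIUS server does with the shared key."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return bytes(plain).rstrip(b"\x00")  # remove the zero padding (passwords do not end in NUL)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes as well."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Encode an Access-Request as the NAS (here the AC) would send it to the RADIUS server."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: 16 unpredictable bytes
    attrs = (
        attribute(ATTR_USER_NAME, strip_domain(username).encode())
        + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV list after the header, rejecting length fields that do not fit the packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("RADIUS Length field does not match the packet")
    attrs: Dict[int, bytes] = {}
    pos = HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    # Constructed values: the Telnet user from this example, sent from a NAS at 192.0.2.1.
    pkt = build_access_request(7, "hello@bbb", "abc", b"expert", "192.0.2.1")
    print(len(pkt), parse_attributes(pkt)[ATTR_USER_NAME])
```

The User-Password hiding is only a keyed MD5 stream and the rest of the request travels in clear text, so the shared key is what protects the credential between the AC and 10.1.1.1; a long random key and a RADIUS path confined to the management network are the practical mitigations.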

Configuration guidelines

When you configure the RADIUS client, follow these guidelines:


• Accounting for FTP users is not supported.

• If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.

• The status of RADIUS servers (blocked or active) determines which servers the device will communicate with or turn to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers that function as the backup of the primary servers. Generally, the device chooses servers based on these rules:

When the primary server is in active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the device changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.

Once the accounting process of a user starts, the device keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user cannot be delivered to the server any more.

If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in active state from scratch: it checks the primary server (if any) first and then the secondary servers in the order they are configured.

When the primary server and secondary servers are all in blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.

If one server is in active state but all the others are in blocked state, the device only tries to communicate with the server in active state, even if the server is unavailable.

After receiving an authentication/accounting response from a server, the device changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.

• It is a good practice to use the recommended real-time accounting intervals listed in Table 142.

Table 142 Recommended real-time accounting intervals

Number of users Real-time accounting interval (in minutes)

1 to 99 3

100 to 499 6

500 to 999 12

≥1000 ≥15
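The server-state rules in the guidelines above describe a small state machine. The following Python model is an added example, not H3C code and not from this guide; it implements those rules (primary first, secondaries in configuration order, blocking a failed server and starting its quiet timer, the all-blocked case, and re-activation on a response from the server) with an injected reachability check and an explicit clock so it can be exercised without a RADIUS server. The addresses 10.1.1.2 and 10.1.1.3, the quiet time of 300 seconds, and the class and method names are constructed for the example; the guideline about removing a server in use is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

ACTIVE = "active"
BLOCKED = "blocked"


@dataclass
class RadiusServer:
    ip: str
    port: int
    state: str = ACTIVE
    quiet_until: float = 0.0  # time at which the quiet timer expires (seconds)


class RadiusServerSelector:
    """Chooses the RADIUS server for one authentication or accounting attempt."""

    def __init__(self, primary: Optional[RadiusServer], secondaries: List[RadiusServer],
                 quiet_time: float):
        self.primary = primary
        self.secondaries = list(secondaries)  # configured earlier = higher priority
        self.quiet_time = quiet_time

    def servers(self) -> List[RadiusServer]:
        return ([self.primary] if self.primary else []) + self.secondaries

    def _expire_quiet_timers(self, now: float) -> None:
        # A blocked server goes back to active when its quiet timer expires.
        for s in self.servers():
            if s.state == BLOCKED and now >= s.quiet_until:
                s.state = ACTIVE

    def _block(self, s: RadiusServer, now: float) -> None:
        s.state = BLOCKED
        s.quiet_until = now + self.quiet_time

    def select(self, now: float, reachable: Callable[[RadiusServer], bool]) -> Optional[RadiusServer]:
        """One search process: returns the server to use, or None when the attempt fails."""
        self._expire_quiet_timers(now)
        # Snapshot of the active servers: a server that becomes active during this
        # search is not checked again until the next attempt.
        candidates = [s for s in self.servers() if s.state == ACTIVE]
        if not candidates:
            # All servers blocked: the device talks to the primary only, which becomes
            # active if it answers and otherwise stays blocked.
            if self.primary is not None and reachable(self.primary):
                self.primary.state = ACTIVE
                return self.primary
            return None
        # Primary first, then secondaries in configuration order. Blocked servers are
        # never tried, which also covers the "one active, all others blocked" rule.
        for s in candidates:
            if reachable(s):
                return s
            self._block(s, now)
        return None

    def on_response(self, source_ip: str) -> None:
        """A response from a server identified by its source IP re-activates it if blocked."""
        for s in self.servers():
            if s.ip == source_ip and s.state == BLOCKED:
                s.state = ACTIVE


if __name__ == "__main__":
    sel = RadiusServerSelector(RadiusServer("10.1.1.1", 1812),
                               [RadiusServer("10.1.1.2", 1812), RadiusServer("10.1.1.3", 1812)],
                               quiet_time=300)
    chosen = sel.select(0, lambda s: s.ip == "10.1.1.3")
    print(chosen.ip, [(s.ip, s.state) for s in sel.servers()])
```

The snapshot in select is the detail that matters operationally: a primary that recovers in the middle of a search does not get traffic until the next attempt, which is why a briefly unreachable primary shows up as a few minutes of secondary-server traffic rather than an immediate failback.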


Configuring the local EAP service

In some simple application environments, you may want to use an access device to authenticate users locally, instead of deploying AAA servers for user authentication. When the Extensible Authentication Protocol (EAP) is used for user authentication, configure the local EAP authentication server to cooperate with the local authentication method of AAA for local EAP authentication. For more information about AAA, see "Configuring AAA."

Configuration procedure

1. Select Authentication > Local EAP Server from the navigation tree.

The Local EAP service configuration page appears.

Figure 458 Local EAP service configuration page

2. Configure the local EAP service as described in Table 143.

3. Click Apply.

Table 143 Configuration items

Item Description

Status Enable or disable the EAP server.

If the EAP server is enabled, the EAP authentication method and PKI domain configurations are required.


Method

Specify the EAP authentication methods, including:
• MD5—Uses Message Digest 5 (MD5) for authentication.
• TLS—Uses the Transport Layer Security (TLS) protocol for authentication.
• PEAP-MSCHAPV2—Uses the Protected Extensible Authentication Protocol (PEAP) for authentication and uses the Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) for authentication in the established TLS tunnel.
• PEAP-GTC—Uses the Protected Extensible Authentication Protocol (PEAP) for authentication and uses the Microsoft Generic Token Card (GTC) for authentication in the established TLS tunnel.

When an EAP client and the local server communicate for EAP authentication, they first negotiate the EAP authentication method to be used. During negotiation, the local server prefers the authentication method with the highest priority from the EAP authentication method list. If the client supports the authentication method, the negotiation succeeds and they proceed with the authentication process. Otherwise, the local server tries the one with the next highest priority until a supported one is found, or if none of the authentication methods are found supported, the local server sends an EAP-Failure packet to the client for notification of the authentication failure.

TIP:
• You can select more than one authentication method. An authentication method selected earlier has a higher priority.
• PEAP-MSCHAPV2 and PEAP-GTC are mutually exclusive.

PKI domain

Specify the PKI domain for EAP authentication.

The available PKI domains are those configured on the page you enter by selecting Authentication > Certificate Management. For more information, see "Managing certificates."

NOTE:

The service management, local portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules will also change that referenced in the other two modules.
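As an added example (not H3C code and not from this guide), the Python below models the method negotiation described for the Method item together with the two TIP rules: the server offers methods in its configured priority order, the client accepts the first one it supports, and the server ends with EAP-Failure when none match. The Request/Nak/Response message shapes follow RFC 3748 and are an assumption of the example, as are the function names.

```python
from typing import List, Optional, Tuple

# The methods the local EAP server can offer (Table 143).
SUPPORTED_METHODS = ("MD5", "TLS", "PEAP-MSCHAPV2", "PEAP-GTC")
# Per the TIP, these two cannot be selected together.
MUTUALLY_EXCLUSIVE = {"PEAP-MSCHAPV2", "PEAP-GTC"}


def validate_method_list(selected: List[str]) -> List[str]:
    """Return the method list in priority order, or raise ValueError if it is not a
    list the web page would accept."""
    if not selected:
        raise ValueError("at least one EAP method is required when the EAP server is enabled")
    unknown = [m for m in selected if m not in SUPPORTED_METHODS]
    if unknown:
        raise ValueError(f"unsupported EAP method(s): {unknown}")
    if len(set(selected)) != len(selected):
        raise ValueError("an EAP method is listed more than once")
    if MUTUALLY_EXCLUSIVE.issubset(selected):
        raise ValueError("PEAP-MSCHAPV2 and PEAP-GTC are mutually exclusive")
    return list(selected)


def run_negotiation(server_methods: List[str],
                    client_methods: List[str]) -> Tuple[Optional[str], list]:
    """Simulate the negotiation. Returns (agreed method or None, transcript).

    Transcript entries are (sender, message type, payload): the server proposes its
    highest-priority method; the client answers with a Response if it supports it,
    otherwise with a Nak listing what it does support (RFC 3748 style, assumed here)."""
    transcript = []
    client = set(client_methods)
    for method in validate_method_list(server_methods):
        transcript.append(("server", "Request", method))
        if method in client:
            transcript.append(("client", "Response", method))
            return method, transcript
        transcript.append(("client", "Nak", sorted(client)))
    # Every method was rejected: the server notifies the client of the failure.
    transcript.append(("server", "Failure", None))
    return None, transcript


if __name__ == "__main__":
    agreed, log = run_negotiation(["TLS", "PEAP-MSCHAPV2", "MD5"], ["MD5", "PEAP-MSCHAPV2"])
    print(agreed)
    for entry in log:
        print(entry)
```

Because the first method the client supports wins, a client that only offers MD5 would be authenticated with MD5 even when TLS is configured first; listing only the methods you actually want to accept is the control, since MD5 provides no server authentication.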

Local EAP service configuration example

Network requirements

As shown in Figure 459, configure the AC to perform local EAP authentication and authorization for 802.1X users by using the authentication method EAP-TLS.

Figure 459 Network diagram


Configuration procedure

NOTE:

• To implement local EAP authentication and authorization for 802.1X users, make sure that port security is enabled and 802.1X authentication uses the EAP authentication mode.

• To use the authentication method of EAP-TLS, configure the network properties of the connection and the client certificate properly on the client.

• For more information about how to configure the PKI domain test, request a local certificate, and retrieve a CA certificate, see "Managing certificates."

1. Configure local user usera:

a. Select Authentication > Users from the navigation tree.

b. Click Add.

c. Enter the username usera and password 1234, and select the service type LAN-Access.

d. Click Apply.

Figure 460 Local user configuration page

2. Configure the ISP domain system to use local authentication and local authorization.

The ISP domain system uses local authentication and local authorization by default. For the configuration procedure, see "Configuring AAA."

3. Enable the EAP server, configure the authentication method as TLS, and the PKI domain as test:

a. Select Authentication > Local EAP Server from the navigation tree.

b. Select Enabled for Status.

c. Select TLS from the Available methods list and click << to add TLS to the Selected methods list.


d. Select test from the PKI domain list.

e. Click Apply.

Figure 461 Configuring a local EAP server

4. Configure the AP:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. Enter the AP name ap1.

d. Select the device model WA2620-AGN.

e. Select manual and enter the serial number in the following box.

f. Click Apply.

Figure 462 Configuring the AP

5. Create the wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. Enter the wireless service name 802.1x-auth.

d. Select the service type crypto.


e. Click Apply.

The wireless service configuration page appears.

Figure 463 Creating a wireless service

6. Configure the wireless service:

a. Click the expand button before Security Setup to expand the configuration items.

b. Select the authentication type Open-System.

c. Select the Cipher Suite box, and then select AES-CCMP and TKIP (select a cipher suite according to your actual network requirements). Select WPA as the security IE.

d. Click the expand button before Port Security to expand the configuration items.

e. Select the Port Set box and select the port mode userlogin-secure-ext.

f. Select the Mandatory Domain box, and then select system.

g. Select the authentication method EAP.

h. Disable handshake and multicast trigger.

i. Click Apply.

A configuration progress dialog box appears.

j. When a dialog box appears asking for your confirmation to enable the EAP service, confirm the operation to proceed.

k. After the configuration process is complete, click Close.


Figure 464 Wireless service configuration page

7. Enable the wireless service:

a. On the access service list page, select the wireless service 802.1x-auth.

b. Click Enable.

A progress dialog box appears.

c. After the configuration process is complete, click Close.


Figure 465 Enabling the wireless service

8. Bind the AP's radio mode with the wireless service:

a. In the wireless service list, click the icon of wireless service 802.1x-auth.

b. Select the AP of ap1 with the radio mode 802.11n(2.4GHz).

c. Click Bind. A progress dialog box appears.

d. After the configuration process is complete, click Close.

Figure 466 Binding the radio mode with the wireless service

9. Enable 802.11n(2.4GHz).

a. Select Radio > Radio from the navigation tree.

b. Select the AP of ap1 with the radio mode 802.11n(2.4GHz).


c. Click Enable.

Figure 467 Enabling 802.11n(2.4GHz)

Verifying the configuration

After the configuration, a client should be able to pass EAP authentication and access the wireless network. You can ping the client successfully from the AC.


Configuring users

Overview

This module allows you to configure local users, user groups, guests, and user profiles.

Local user

A local user represents a set of user attributes configured on a device (such as the user password, user type, service type, and authorization attribute), and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry as required in the local user database of the device. For more information about local authentication, see "Configuring AAA."

User group

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. All local users in a user group inherit the user attributes of the group, but if you configure user attributes for a local user, the settings of the local user take precedence over the settings for the user group.

By default, every newly added local user belongs to a user group named system, which is automatically created by the system.

Guest

A guest is a local user for specific applications. If Portal or LAN-access users need to access the network temporarily, you can establish a guest account for them and control access of the users as required.

User profile

A user profile is a configuration template for saving predefined configurations. You can configure different items such as Quality of Service (QoS) policy, rate limit, wireless service, and AP group for different user profiles to accommodate different application scenarios.

When accessing the device, a user needs to be authenticated. During the authentication process, the authentication server sends the user profile name to the device, which then enables the configurations in the user profile. After the user passes the authentication and accesses the device, the device restricts the user's access based on the configurations in the user profile. When the user logs out, the device automatically disables the configurations in the user profile, removing the restrictions on the user as a result. As the mechanism indicates, user profiles are for restricting online users' access. If no user is online (no user is accessing the network, no user has passed authentication, or all users have logged out), user profiles do not take effect.

With user profiles, you can:

• Make use of system resources more granularly. For example, you can apply a QoS policy on a per-user basis.

• Restrict users' access rate more flexibly. For example, you can deploy traffic policing on a per-user basis by defining a rate limit in user profiles.

• Restrict users' access more specifically. For example, you can deploy user access control on a per-wireless service basis by defining an SSID in user profiles. Or you can deploy user access control on a per-AP basis by defining APs in the user profiles.


Configuring a local user

1. Select Authentication > Users from the navigation tree.

The local user management page appears, displaying information about all local users including common users, security log administrator, guest administrator, and guests.

NOTE:

On the Local User tab, you can modify a guest user, but the user type changes to another one after your modification.

Figure 468 Local user list

2. Click Add.

The local user configuration page appears. On this page, you can create a local user of any type except guest.

Figure 469 Local user configuration page

3. Configure a local user as described in Table 144.

4. Click Apply.


Table 144 Configuration items

Item Description

Username Specify a name for the local user.

Password
Confirm

Specify a password for the local user and confirm the password. The two passwords must be identical.

IMPORTANT:

It is a good practice to specify a password with no leading spaces. The spaces will be ignored, but they count at the user login page.

Group Select a user group for the local user.

For information about user group configuration, see "Configuring a user group."

User Type

Specify the user type for the local user:
• Common User.
• Security Log Admin—Users of this type can only manage security log files through the web interface. Only users of this type can manage security log files.
• Guest Admin—Users of this type can only manage guest accounts through the web interface. They log in to the Authentication > User > Guest page to add, modify, or delete a guest user.

Level

Select an authorization level for the local user, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority. A local user has the rights of the specified level and all levels lower than the specified level (if any).
• Visitor—A user of this level can perform ping and trace route operations but cannot read any data from the device or configure the device.
• Monitor—A user of this level can read data from the device but cannot configure the device.
• Configure—A user of this level can read data from the device and configure the device but cannot upgrade the device software, add/delete/modify users, or backup/restore configuration files.
• Management—A user of this level can perform all operations except for security log file reading and management.

IMPORTANT:

This option is effective only for web, FTP, Telnet, and SSH users.

Service Type

Select the service types for the local user to use, including FTP, Telnet, PPP, Portal, LAN access (accessing through the Ethernet, such as 802.1X users), and SSH.

IMPORTANT:
• If you do not specify any service type for a local user who uses local authentication, the user cannot pass authentication and cannot log in.
• The service type of the guest administrator and security log administrator is web.
• The service type of a guest is Portal and LAN-Access.

Expire-time

Specify an expiration time for the local user.

When authenticating a local user with the expiration time argument configured, the access device checks whether the expiration time has elapsed. If not, the device permits the user to log in.


VLAN

Specify the VLAN to be authorized to the local user after the user passes authentication.

IMPORTANT:

This option is effective only for Portal and LAN-access users.

ACL

Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication.

IMPORTANT:

This option is effective only for PPP, Portal, and LAN-access users.

User-profile

Specify the user profile for the local user.

IMPORTANT:

This option is effective only for PPP, Portal, and LAN-access users.

Configuring a user group

1. Select Authentication > Users from the navigation tree.

2. Click the User Group tab to display the existing user groups.

Figure 470 User group list

3. Click Add to enter the user group configuration page.


Figure 471 User group configuration page

4. Add a user group as described in Table 145.

5. Click Apply.

Table 145 Configuration items

Item Description

Group-name Specify a name for the user group.

Level Select an authorization level for the user group, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority.

VLAN Specify the VLAN to be authorized to a user in the user group after the user passes authentication.

ACL Specify the ACL to be used by the access device to restrict the access of a user in the user group after the user passes authentication.

User-profile Specify the user profile for the user group.

Allow Guest Accounts

Specify whether to allow a guest to join the user group.

IMPORTANT:

User group system is an optional group of guest accounts by default, and cannot be modified.

Configuring a guest

Two categories of administrators can configure guests: guest administrators and administrators of the management level.

NOTE:

For information about user type and authorization level, see Table 144.

Procedure for a management level administrator to configure a guest

1. Select Authentication > Users from the navigation tree.


2. Click the Guest tab to display the guest information.

Figure 472 Guest list

3. Click Add to enter the guest configuration page.

Figure 473 Guest configuration page

4. Configure a single guest or a batch of guests as described in Table 146.

5. Click Apply.

Table 146 Configuration items

Item Description

Create Users in a Batch

Specify whether to create guests in a batch.

Username Specify a name for the guest when users are not created in a batch.

User-name(prefix) Specify the username prefix and number for guests to be created in a batch.

For example, if you specify the username prefix as abc and number as 50, 50 guests will be created, with the usernames abc0 through abc49.

Password
Confirm

Specify a password for the guest and confirm the password.

Same as the Username

If you select this option, you do not need to enter the password and confirm password, and the guest password is the same as the username. If you do not select this option, you must enter the password and confirm password, and they must be the same.

IMPORTANT:

If the password starts with a space, the space will be omitted.

Group Select a user group for the guest.

For information about user group configuration, see "Configuring a user group."

ValidTime

Specify a valid time range for the guest, including the start time and end time.

When authenticating a local user with the valid time argument configured, the access device checks whether the valid time has elapsed. If not, the device permits the user to log in.

Procedure for a guest administrator to configure a guest

NOTE:

A guest administrator can only manage guests through the web interface.

1. Log in to the AC as a guest administrator and select Authentication > User from the navigation tree.

The guest management page appears.

Figure 474 Guest management page

2. Click Add to enter the guest configuration page.


Figure 475 Guest configuration page

3. Configure the guest as described in Table 146.

4. Click Apply.

NOTE:

The guest accounts are also displayed in the local user list. You can click the icon of a guest in the list to edit the guest information and authorization attributes.

Configuring a user profile

1. Select Authentication > Users from the navigation tree.

2. Click the User Profile tab to display the existing user profiles.

Figure 476 User profile list

3. Click Add to enter the user profile name configuration page.


Figure 477 User profile name configuration item

4. Enter a profile name profile.

5. Click Apply.

The user profile configuration page appears.

Figure 478 User profile configuration page


6. Configure the profile as described in Table 147.

7. Click Apply.

Table 147 Configuration items

Item Description

Userprofile name This field displays the user profile name.

Qos-out policy Select a QoS policy in the outbound direction.

Qos-in policy Select a QoS policy in the inbound direction.

limited-out rate Specify the rate limit in the outbound direction.

limited-in rate Specify the rate limit in the inbound direction.

Services permitted

Specify the wireless services permitted in the user profile:

Select the services in the Services list box and click the < button to add them to the Selected services list box.

The available wireless services are those configured on the page you enter by selecting Wireless Service > Access Service. For more information, see "Access service configuration."

APs permitted

Specify the APs permitted in the user profile:

Select the APs in the APs list box and click the < button to add them to the Selected APs list box.

The available APs are those you configured on the page you enter by selecting AP > AP Group. For more information, see "AP configuration."

8. From the page displaying the existing user profiles, select the option before the user profile to be enabled.

9. Click Enable.

NOTE:

• By default, a newly added user profile is disabled.

• A user profile takes effect and the authentication server notifies users of authentication results only after the user profile is enabled. Therefore, if you do not enable the user profile, users using the user profile will not be able to get online.

• Only enabled user profiles can be referenced by users. Disabling a user profile logs out all users using the user profile.

• Enabled user profiles cannot be modified or removed. To modify or remove an enabled user profile, you must disable it first.


Managing certificates

PKI overview

The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies, and it is the most widely applied encryption mechanism currently. H3C's PKI system provides certificate management for IP Security (IPsec), and Secure Sockets Layer (SSL).

PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.

A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners, helping distribute public keys in large networks securely.

With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity.

The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples:

• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is currently developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with signature.

• Web security—For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for transparent and secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both the communication parties can verify the identity of each other through digital certificates.

NOTE:

For more information about PKI, see Security Configuration Guide.

Configuring PKI

The system supports the following PKI certificate request modes:

• Manual—In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.

• Auto—In auto mode, an entity automatically requests a certificate through the Simple Certificate Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes require different configurations.


Recommended configuration procedure for manual request

Step Remarks

1. Creating a PKI entity

Required.

Create a PKI entity and configure the identity information.

A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.

The identity settings of an entity must comply with the certificate issuing policy of the CA. Otherwise, the certificate request might be rejected.

2. Creating a PKI domain

Required.

Create a PKI domain, setting the certificate request mode to Manual.

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.

A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

3. Generating an RSA key pair

Required.

Generate a local RSA key pair.

By default, no local RSA key pair exists.

Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.

IMPORTANT:

If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the consistency between the key pair and the local certificate.

4. Retrieving the CA certificate

Required.

Certificate retrieval serves the following purposes:

• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.

• Prepare for certificate verification.

IMPORTANT:

If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This will avoid possible mismatch between certificates and registration information resulting from relevant changes. To retrieve the CA certificate, you must remove the CA certificate and local certificate first.


5. Requesting a local certificate

Required.

When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate.

A certificate request can be submitted to a CA in online mode or offline mode.

• In online mode, if the request is granted, the local certificate is retrieved to the local system automatically.

• In offline mode, you must retrieve the local certificate by an out-of-band means.

IMPORTANT:

If a local certificate already exists, you cannot perform the local certificate retrieval operation. This will avoid possible mismatch between the local certificate and registration information resulting from relevant changes. To retrieve a new local certificate, you must remove the CA certificate and local certificate first.

6. Destroying the RSA key pair

Optional.

If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved. Destroying the existing RSA key pair also destroys the corresponding local certificate.

7. Retrieving and displaying a certificate

Required if you request a certificate in offline mode.

Retrieve an existing certificate and display its contents.

IMPORTANT:

• If you request a certificate in offline mode, you must retrieve the CA certificate and local certificate by an out-of-band means.

• Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

8. Retrieving and displaying a CRL

Optional.

Retrieve a CRL and display its contents.

Recommended configuration procedure for automatic request

Step Remarks

1. Creating a PKI entity

Required.

Create a PKI entity and configure the identity information.

A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.

The identity settings of an entity must comply with the certificate issuing policy of the CA. Otherwise, the certificate request might be rejected.


2. Creating a PKI domain

Required.

Create a PKI domain, setting the certificate request mode to Auto.

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.

A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

3. Destroying the RSA key pair

Optional.

If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved. Destroying the existing RSA key pair also destroys the corresponding local certificate.

4. Retrieving and displaying a certificate

Optional.

Retrieve an existing certificate and display its contents.

IMPORTANT:

• Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

• If a CA certificate already exists, you cannot retrieve another CA certificate. This restriction avoids inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, remove the existing CA certificate and local certificate first.

5. Retrieving and displaying a CRL

Optional.

Retrieve a CRL and display its contents.

Creating a PKI entity

1. Select Authentication > Certificate Management from the navigation tree.

The PKI entity list page is displayed by default.

Figure 479 PKI entity list

2. Click Add to enter the PKI entity configuration page.


Figure 480 PKI entity configuration page

3. Configure the parameters as described in Table 148.

4. Click Apply.

Table 148 Configuration items

Item Description

Entity Name Enter the name for the PKI entity.

Common Name Enter the common name for the entity.

IP Address Enter the IP address of the entity.

FQDN

Enter the fully qualified domain name (FQDN) for the entity.

An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the host name and whatever.com the domain name.

Country/Region Code

Enter the country or region code for the entity.

State Enter the state or province for the entity.

Locality Enter the locality for the entity.

Organization Enter the organization name for the entity.

Organization Unit Enter the unit name for the entity.

Creating a PKI domain

1. Select Authentication > Certificate Management from the navigation tree.


2. Click the Domain tab.

Figure 481 PKI domain list

3. Click Add to enter the PKI domain configuration page.

Figure 482 PKI domain configuration page

4. Configure the parameters as described in Table 149.

5. Click Apply.

Table 149 Configuration items

Item Description

Domain Name Enter the name for the PKI domain.

CA Identifier

Enter the identifier of the trusted CA.

An entity requests a certificate from a trusted CA. The trusted CA is responsible for certificate registration, distribution, revocation, and query.

In offline mode, this item is optional. In other modes, this item is required.

Entity Name

Select the local PKI entity.

When submitting a certificate request to a CA, an entity needs to show its identity information.

Available PKI entities are those that have been configured.


Institution

Select the authority for certificate request:

• CA—Indicates that the entity requests a certificate from a CA.

• RA—Indicates that the entity requests a certificate from an RA.

RA is recommended.

Requesting URL

Enter the URL of the RA.

The entity submits the certificate request to the server at this URL through SCEP. SCEP is intended for communication between an entity and a certification authority or registration authority.

In offline mode, this item is optional. In other modes, this item is required.

IMPORTANT:

This item does not support domain name resolution.

LDAP IP, Port, Version

Enter the IP address, port number, and protocol version of the LDAP server.

In a PKI system, the storage of certificates and CRLs is a crucial problem, which is usually addressed by deploying an LDAP server.

Request Mode Select the online certificate request mode, which can be auto or manual.

Password Encrypt Select this box to display the password in cipher text.

This box is available only when the certificate request mode is set to Auto.

Password Enter the password for certificate revocation.

This item is available only when the certificate request mode is set to Auto.

Fingerprint Hash, Fingerprint

Specify the hash algorithm and the fingerprint used for verifying the CA root certificate.

After receiving the root certificate of the CA, an entity verifies the fingerprint of the root certificate, that is, the hash value of the DER-encoded root certificate. This hash value is unique to every certificate. If the fingerprint of the received root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate.

• If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a string of 32 hexadecimal characters.

• If you specify SHA1 as the hash algorithm, enter a SHA1 fingerprint. The fingerprint must be a string of 40 hexadecimal characters.

• If you do not specify the fingerprint hash, do not enter any fingerprint. The entity does not verify the CA root certificate, and you yourself must make sure that the CA server is trusted.

IMPORTANT:

The fingerprint must be configured if you specify the certificate request mode as Auto. If you specify the certificate request mode as Manual, you can leave the fingerprint settings empty, but the entity then accepts whatever root certificate it receives without verification, so anyone able to intercept the SCEP exchange could substitute their own CA. Obtain the fingerprint from the CA operator out of band and configure it unless the path to the CA is otherwise trusted.

Polling Count, Polling Interval

Set the attempt limit and the interval for querying the certificate request status.

After an entity submits a certificate request, the CA might take a long time if it verifies the request manually. During this period, the applicant polls the status of the request periodically so that it obtains the certificate as soon as possible after the certificate is signed.

Enable CRL Checking

Click this box to specify that CRL checking is required during certificate verification.


CRL Update Period

Enter the CRL update period, that is, the interval at which the PKI entity downloads the latest CRLs.

This item is available when the Enable CRL Checking box is selected.

By default, the CRL update period depends on the next update field in the CRL file.

CRL URL

Enter the URL of the CRL distribution point.

This item is available when the Enable CRL Checking box is selected.

When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP.

IMPORTANT:

This item does not support domain name resolution.
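The fingerprint check described under Fingerprint Hash above is easy to get wrong in the field (hashing the PEM text instead of the DER bytes, or pasting a truncated value), so here is the check written out. This is an added example, not code from the H3C guide or the device; the certificate bytes are a constructed placeholder rather than a real X.509 certificate, and the function names are the example's own. It hashes the DER encoding with MD5 or SHA1, enforces the 32- or 40-hex-character rule the table gives, compares in constant time, and shows what happens when no fingerprint is configured at all.

```python
"""Verify a CA root certificate against the fingerprint configured for a PKI domain."""
import base64
import hashlib
import hmac
import re

# Fingerprint length in hex characters for each hash the domain can use.
FINGERPRINT_LEN = {"md5": 32, "sha1": 40}

# Constructed stand-in for the root certificate the entity receives: made-up
# bytes wrapped in PEM armor (NOT a real X.509 certificate).
SAMPLE_DER = bytes(range(0x30, 0x30 + 64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Strip PEM armor and base64-decode. Fingerprints are hashes of the DER
    bytes, so hashing the PEM text would never match what the CA publishes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der, algo):
    """Hex fingerprint of DER bytes with md5 or sha1 (the two hashes the domain offers)."""
    if algo not in FINGERPRINT_LEN:
        raise ValueError("fingerprint hash must be md5 or sha1")
    return hashlib.new(algo, der).hexdigest()


def normalize(configured, algo):
    """Accept 'AB:CD:..' or 'abcd..' and enforce the 32/40 hex-character rule."""
    hexstr = configured.replace(":", "").replace(" ", "").lower()
    if len(hexstr) != FINGERPRINT_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("%s fingerprint must be %d hex characters" % (algo, FINGERPRINT_LEN[algo]))
    return hexstr


def verify_root_certificate(pem, algo=None, configured=None):
    """Decide whether to accept a received root certificate.
    Returns (accepted, reason). No configured fingerprint means the certificate
    is accepted without any check, which is exactly the setting to avoid."""
    if algo is None or configured is None:
        return True, "no fingerprint configured: root certificate NOT verified"
    actual = fingerprint(pem_to_der(pem), algo)
    if hmac.compare_digest(actual, normalize(configured, algo)):
        return True, "%s fingerprint matches" % algo
    return False, "%s fingerprint mismatch, rejecting root certificate" % algo


if __name__ == "__main__":
    good = fingerprint(SAMPLE_DER, "sha1")
    print(verify_root_certificate(SAMPLE_PEM, "sha1", good))
    print(verify_root_certificate(SAMPLE_PEM, "sha1", "0" * 40))
    print(verify_root_certificate(SAMPLE_PEM))
```

To obtain the value to configure, ask the CA operator for the fingerprint of the root certificate through a channel other than the SCEP URL itself; a value read from the same HTTP server you are trying to authenticate proves nothing.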

Generating an RSA key pair

1. Select Authentication > Certificate Management from the navigation tree.

2. Click the Certificate tab.

Figure 483 Certificate configuration page

3. Click Create Key to enter RSA key pair parameter configuration page.

Figure 484 Key pair parameter configuration page

4. Set the key length.

5. Click Apply.


Destroying the RSA key pair

1. Select Authentication > Certificate Management from the navigation tree.

2. Click the Certificate tab.

3. Click Destroy Key to enter RSA key pair destruction page.

4. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.

Figure 485 Key pair destruction page

Retrieving and displaying a certificate

You can download an existing CA certificate or local certificate from the CA server and save it locally, in online mode or offline mode. In offline mode, you retrieve the certificate by an out-of-band means such as FTP, disk, or email, and then import it into the local PKI system.

To retrieve a certificate:

1. Select Authentication > Certificate Management from the navigation tree.

2. Click the Certificate tab.

3. Click Retrieve Cert to enter PKI certificate retrieval page.

Figure 486 PKI certificate retrieval page

4. Configure the parameters as described in Table 150.

5. Click Apply.

Table 150 Configuration items

Item Description

Domain Name Select the PKI domain for the certificate.

Certificate Type Select the type of the certificate to be retrieved, which can be CA or local.

Enable Offline Mode

Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email) and then import the certificate into the local PKI system.


Get File From Device, Get File From PC

Specify the path and name of the certificate file if you retrieve the certificate in offline mode.

• If the certificate file is saved on the device, select Get File From Device and then specify the path of the file on the device.

• If the certificate file is saved on a local PC, select Get File From PC, specify the path to the file, and select the partition of the device for saving the file.

Password Enter the password for protecting the private key if you retrieve the certificate in offline mode. The password was specified when the certificate was exported.

6. After retrieving a certificate, click View Cert corresponding to the certificate from the PKI certificates list to display the contents of the certificate.

Figure 487 Certificate information

Requesting a local certificate

1. Select Authentication > Certificate Management from the navigation tree.

2. Click the Certificate tab.

3. Click Request Cert to enter the local certificate request page.


Figure 488 Local certificate request page

4. Configure the parameters as described in Table 151.

Table 151 Configuration items

Item Description

Domain Name Select the PKI domain for the certificate.

Password Enter the password for certificate revocation.

Enable Offline Mode Click this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.

5. Click Apply.

If you request the certificate in online mode, the system displays "Certificate request has been submitted." Click OK. If you request the certificate in offline mode, the system displays the offline certificate request information. You can submit the information to the CA by an out-of-band means.

Figure 489 Offline certificate request information page

Retrieving and displaying a CRL

1. Select Authentication > Certificate Management from the navigation tree.

2. Click the CRL tab.


Figure 490 CRL page

3. Click Retrieve CRL to retrieve the CRL of a domain.

4. Click View CRL for the domain to display the contents of the CRL.

Figure 491 CRL information

Certificate management configuration example

Network requirements

As shown in Figure 492, configure the AC as the PKI entity, so that:

• The AC submits a local certificate request to the CA server, which runs the RSA Keon software.

• The AC acquires CRLs for certificate verification.


Figure 492 Network diagram

Configuring the CA server

1. Create a CA server named myca.

In this example, you must first configure the basic attributes of Nickname and Subject DN on the CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C). Leave the default values of the other attributes.

2. Configure extended attributes.

After you configure the basic attributes, perform configuration on the Jurisdiction Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.

3. Configure the CRL publishing behavior

After you complete the previous configuration, perform CRL related configurations.

In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.

After this configuration, make sure that the system clock of the AC is synchronous to that of the CA, so that the AC can request certificates and retrieve CRLs properly.

Configuring the AC

1. Create a PKI entity.

a. Select Authentication > Certificate Management from the navigation tree.

The PKI entity list page is displayed by default.

b. Click Add.

c. Enter aaa as the PKI entity name.

d. Enter ac as the common name.

e. Click Apply.


Figure 493 Configuring a PKI entity

2. Create a PKI domain.

a. Click the Domain tab.

b. Click Add.

c. Enter torsa as the PKI domain name.

d. Enter myca as the CA identifier.

e. Select aaa as the local entity.

f. Select CA as the authority for certificate request.

g. Enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request. The URL must be in the format of http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is the hexadecimal string generated on the CA.

h. Select Manual as the certificate request mode.

i. Click the expansion button before Advanced Configuration to display the advanced configuration items.

j. Click the Enable CRL Checking box.

k. Enter http://4.4.4.133:447/myca.crl as the CRL URL.

l. Click Apply.

The system displays "Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?"

m. Click OK.


Figure 494 Configuring a PKI domain

3. Generate an RSA key pair.

a. Click the Certificate tab.

b. Click Create Key to enter the page.

c. Enter 1024 for the key length.

d. Click Apply to generate an RSA key pair.

Figure 495 Generating an RSA key pair

4. Retrieve the CA certificate.

a. Click the Certificate tab.

b. Click Retrieve Cert.

c. Select torsa as the PKI domain.

d. Select CA as the certificate type.


e. Click Apply.

Figure 496 Retrieving the CA certificate

5. Request a local certificate.

a. Click the Certificate tab.

b. Click Request Cert.

c. Select torsa for the PKI domain.

d. Select Password and then enter challenge-word as the password.

e. Click Apply.

The system displays "Certificate request has been submitted".

f. Click OK.

Figure 497 Requesting a local certificate

6. Retrieve the CRL.

a. Click the CRL tab.

b. Click Retrieve CRL of the PKI domain of torsa.

Figure 498 Retrieving the CRL


Verifying the configuration

After the configuration, select Authentication > Certificate Management from the navigation tree and click the Certificate tab to view detailed information about the retrieved CA certificate and local certificate, or click the CRL tab to view detailed information about the retrieved CRL.

Configuration guidelines

When you configure PKI, note the following guidelines:

• Make sure the clocks of the entities and the CA are synchronized. Otherwise, certificate validity periods are evaluated incorrectly.

• The Windows 2000 CA server restricts the data length of a certificate request. If the PKI entity identity information in a certificate request exceeds that limit, the server does not respond to the request.

• The SCEP plug-in is required when you use Windows Server as the CA. In this case, specify RA as the authority for certificate request when you configure the PKI domain.

• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, specify CA as the authority for certificate request when you configure the PKI domain.

• Configure the fingerprint of the CA root certificate in the PKI domain whenever you can obtain it from the CA operator out of band. Without it, the AC accepts whatever root certificate it receives, as the "Fingerprint of the root certificate not specified" prompt in the example warns.

• The example uses a 1024-bit RSA key. 1024-bit RSA is no longer considered adequate for new certificates, so use a longer key length if your CA policy and the device permit it.


WLAN security configuration

WLAN security overview

802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise security. To address these threats, the wireless intrusion detection system (WIDS) is introduced. WIDS provides early detection of malicious attacks and intrusions on a wireless network without affecting network performance, and provides real-time countermeasures.

WLAN security provides these features:

• Rogue detection

• WIDS attack detection

• Blacklist and white list.

Terminology

• Rogue AP—An unauthorized or malicious access point on the network, such as an AP set up by an employee, a misconfigured AP, a neighbor's AP, or an AP operated by an attacker. Because it is not authorized, any vulnerability in the AP gives an attacker a chance to compromise your network.

• Rogue client—An unauthorized or malicious client on the network.

• Rogue wireless bridge—Unauthorized wireless bridge on the network.

• Monitor AP—An AP that scans or listens to 802.11 frames to detect rogue devices in the network.

• Ad hoc mode—A wireless client in ad-hoc mode can directly communicate with other stations without support from any other device.

Detecting rogue devices

Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a WLAN network based on the pre-configured rules.

Rogue detection can detect different types of devices in a WLAN network, for example, rogue APs, rogue clients, rogue wireless bridges, and ad-hoc terminals. An AP can work in either of the following modes for rogue detection:

• Monitor mode: In this mode, an AP scans all 802.11 frames in the WLAN, but cannot provide WLAN services. As shown in Figure 499, AP 1 works as an access AP, and AP 2 works as a monitor AP to listen to all 802.11 frames. AP 2 cannot provide wireless access services.


Figure 499 Monitor AP for rogue detection

• Hybrid mode: In this mode, an AP can both scan devices in the WLAN and provide WLAN data services.

Figure 500 Hybrid AP for rogue detection

Taking countermeasures against rogue device attacks

You can enable the countermeasures on a monitor AP. The monitor AP downloads an attack list from the AC according to the countermeasure mode and takes countermeasures against detected rogue devices. The processing methods vary with rogue devices:

• If the rogue device is a rogue client, it will be logged out.

• If the rogue device is a rogue AP, legal clients will not use the rogue AP to access the WLAN.

• If the rogue device is an ad-hoc client, it is denied and ad-hoc clients cannot communicate with each other.


Figure 501 Taking countermeasures against rogue devices

Functionalities supported

The rogue detection feature supports the following functionalities:

• RF monitoring in different channels

• Rogue AP detection

• Rogue client detection

• Ad hoc network detection

• Wireless bridge detection

• Countermeasures against rogue devices, clients and ad hoc networks

WIDS attack detection

The WIDS attack detection function detects intrusions or attacks on a WLAN network, and informs the network administrator of the attacks by recording information or sending logs. WIDS detection supports detection of the following attacks:

• Flood attack

• Spoofing attack

• Weak IV attack

Flood attack detection

A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind within a short span of time. When this occurs, the WLAN devices get overwhelmed and are unable to service normal clients.

WIDS attack detection counters flood attacks by constantly tracking the density of traffic generated by each device. When the traffic density of a device exceeds the limit, the device is considered to be flooding the network and, if the dynamic blacklist feature is enabled, is added to the blacklist and forbidden to access the WLAN for a period of time.

WIDS inspects the following types of frames:

• Authentication requests and de-authentication requests


• Association requests, disassociation requests and reassociation requests

• Probe requests

• 802.11 null data frames

• 802.11 action frames.

Spoofing attack detection

In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For instance, a client in a WLAN has been associated with an AP and works normally. In this case, a spoofed de-authentication frame can cause a client to get de-authenticated from the network and can affect the normal operation of the WLAN.

At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection

Wired Equivalent Privacy (WEP) combines a per-frame Initialization Vector (IV) with the shared key to generate the key stream that encrypts each frame, so that frames encrypted with the same key produce different ciphertext. When a WEP frame is sent, the IV used to encrypt it is transmitted in clear text as part of the frame header.

However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames or IVs from the known weak classes, an attacker who collects enough frames can recover the shared secret key. When the shared secret key is compromised, the attacker can access network resources.

Weak IV detection counters this attack by checking the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is immediately logged.
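The three detectors described above (flood, spoofing, weak IV) reduce to simple per-frame rules, and it helps to see them run over a capture. The following is an added example, not code from the H3C guide or the device: the frame records are constructed, the flood threshold and window are assumed values (the AC's are configurable and not given on this page), and the weak-IV rule used is the classic FMS pattern (B+3, 0xFF, x), since the page does not state the exact criterion the AC applies.

```python
"""WIDS-style detection of flood, spoofing and weak-IV attacks on 802.11 frame records."""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Frame types the flood detector inspects (the list given in the guide).
FLOOD_TYPES = {"auth", "deauth", "assoc", "disassoc", "reassoc",
               "probe_req", "null_data", "action"}
FLOOD_THRESHOLD = 20   # assumed: more than this many frames of one type from one source...
FLOOD_WINDOW = 1.0     # ...within this many seconds counts as a flood


def is_fms_weak_iv(iv, key_len=5):
    """FMS weak IVs have the form (B+3, 0xFF, x) for key byte index B < key_len."""
    return len(iv) == 3 and iv[1] == 0xFF and 3 <= iv[0] < key_len + 3


class WidsDetector:
    def __init__(self, our_bssids):
        self.our_bssids = {b.lower() for b in our_bssids}
        self.history = defaultdict(deque)   # (src, type) -> recent timestamps
        self.alerts = []

    def inspect(self, frame):
        """Apply the three rules to one frame; return and record any alerts."""
        raised = []
        src, ftype, ts = frame["src"].lower(), frame["type"], frame["ts"]
        # Flood: sliding window of frames of this type from this source.
        if ftype in FLOOD_TYPES:
            window = self.history[(src, ftype)]
            window.append(ts)
            while window and ts - window[0] > FLOOD_WINDOW:
                window.popleft()
            if len(window) > FLOOD_THRESHOLD:
                raised.append(("flood", src, ftype))
        # Spoofing: broadcast deauth/disassoc whose source is one of our own APs.
        if (ftype in ("deauth", "disassoc") and frame["dst"].lower() == BROADCAST
                and src in self.our_bssids):
            raised.append(("spoof", src, ftype))
        # Weak IV: WEP-protected data frame carrying an FMS-weak IV.
        iv = frame.get("wep_iv")
        if ftype == "data" and iv is not None and is_fms_weak_iv(iv):
            raised.append(("weak_iv", src, iv.hex()))
        self.alerts.extend(raised)
        return raised


def run_sample():
    """Constructed capture: a deauth flood, one spoofed broadcast deauth,
    a benign probe request, and a WEP frame with IV (3, 255, 7)."""
    det = WidsDetector(our_bssids=["00:11:22:33:44:01"])
    frames = [{"src": "aa:bb:cc:dd:ee:01", "dst": "00:11:22:33:44:01",
               "type": "deauth", "ts": 10.0 + i * 0.02} for i in range(25)]
    frames.append({"src": "00:11:22:33:44:01", "dst": BROADCAST, "type": "deauth", "ts": 11.0})
    frames.append({"src": "aa:bb:cc:dd:ee:02", "dst": BROADCAST, "type": "probe_req", "ts": 11.1})
    frames.append({"src": "aa:bb:cc:dd:ee:03", "dst": "00:11:22:33:44:01",
                   "type": "data", "ts": 11.2, "wep_iv": bytes([3, 255, 7])})
    for f in frames:
        det.inspect(f)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The flood rule raises once per frame beyond the threshold rather than once per attacker; a production detector would add a suppression interval before logging, and would hand the source MAC to the dynamic blacklist instead of only recording it.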

Blacklist and white list

You can configure the blacklist and white list functions to filter frames from WLAN clients and thereby implement client access control.

WLAN client access control is accomplished through the following three types of lists.

• White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list is used, only permitted clients can access the WLAN, and all frames from other clients will be discarded.

• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.

• Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client is added to the list dynamically when it is judged to be sending attack frames, and stays there until the timer of the entry expires. A dynamic blacklist can collaborate with ARP detection: when ARP detection detects an attack, the MAC addresses of the attackers are added to the dynamic blacklist. For more information about ARP detection, see "ARP attack defense configuration."

When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame as follows:

1. If the source MAC address does not match any entry in the white list, the frame is dropped. If there is a match, the frame is considered valid and will be further processed.

2. If no white list entries exist, the static and dynamic blacklists are searched.

3. If the source MAC address matches an entry in any of the two lists, the frame is dropped.


4. If there is no match, or no blacklist entries exist, the frame is considered valid and will be further processed.

A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a dynamic blacklist applies to APs that receive attack frames.

Figure 502 Network diagram for WLAN client access control

• In the topology above, three APs are connected to an AC. Configure white list and static blacklist entries on the AC, which will send all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the white list, it can access any of the APs, and other clients cannot access any of the APs.

• Enable dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic blacklist entry is generated in the blacklist, and Client 1 cannot associate with AP 1, but can associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist entry is generated in the blacklist.
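The four-step frame check above and the three-AP scenario, as an added example (not H3C code): white list and static blacklist entries are AC-wide, dynamic entries are kept per AP, and the lifetime value and client MACs are sample values.

```python
"""Added example (not H3C code): the four-step 802.11 frame check described
above, with AC-wide white/static lists and per-AP dynamic blacklist entries."""
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept H3C 'xxxx-xxxx-xxxx' or 'xx:xx:xx:xx:xx:xx'; return 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or set(digits) - set("0123456789abcdef"):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class AccessController:
    white_list: set = field(default_factory=set)        # applies to every AP
    static_blacklist: set = field(default_factory=set)  # applies to every AP
    dynamic_enabled: bool = True                        # Table 158, Dynamic Blacklist
    lifetime: float = 300.0                             # Table 158, Lifetime (seconds, assumed)
    dynamic: dict = field(default_factory=dict)         # AP name -> {mac: expiry time}

    def permit(self, mac: str) -> None:
        self.white_list.add(normalize_mac(mac))

    def block(self, mac: str) -> None:
        self.static_blacklist.add(normalize_mac(mac))

    def report_attack(self, ap: str, mac: str, now: float) -> None:
        """An AP detected attack frames (for example an Assoc-Flood) from mac:
        add a dynamic entry on that AP only, (re)starting its lifetime."""
        if self.dynamic_enabled:
            self.dynamic.setdefault(ap, {})[normalize_mac(mac)] = now + self.lifetime

    def accept_frame(self, ap: str, src_mac: str, now: float) -> bool:
        """True if a frame from src_mac received by ap is valid and processed further."""
        src = normalize_mac(src_mac)
        # Step 1: with a white list configured, only listed clients pass.
        if self.white_list:
            return src in self.white_list
        # Steps 2 and 3: no white list, so search the static and this AP's dynamic list.
        if src in self.static_blacklist:
            return False
        entries = self.dynamic.get(ap, {})
        expiry = entries.get(src)
        if expiry is not None:
            if now < expiry:
                return False
            del entries[src]          # lifetime expired: the entry is removed
        # Step 4: no match in any list, so the frame is valid.
        return True


def scenario(now: float = 100.0) -> dict:
    """The three-AP topology of Figure 502, with sample client MAC addresses."""
    ac = AccessController(lifetime=300.0)
    client1, client2 = "000f-e215-1515", "000f-e215-1530"   # sample MACs
    ac.report_attack("AP 1", client1, now)                   # AP 1 saw attack frames
    results = {
        "client1_on_ap1": ac.accept_frame("AP 1", client1, now + 50),         # dropped
        "client1_on_ap2": ac.accept_frame("AP 2", client1, now + 50),         # accepted
        "client1_on_ap1_later": ac.accept_frame("AP 1", client1, now + 400),  # aged out
    }
    ac.block(client1)                     # static entry: every AP drops Client 1
    results["client1_static"] = ac.accept_frame("AP 3", client1, now)
    ac.permit(client2)                    # white list: only Client 2 may access any AP
    results["client2_white"] = ac.accept_frame("AP 3", client2, now)
    results["client1_white"] = ac.accept_frame("AP 3", client1, now)
    return results
```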

Configuring rogue device detection

Recommended configuration procedure

Step Remarks

1. Configuring AP operating mode Required.

By default, the AP operates in normal mode and only provides WLAN data services.

2. Configuring detection rule lists Required.

3. Enabling countermeasures and configuring aging time for detected rogue devices Optional.

Configuring AP operating mode

1. Select Security > Rogue Detection from the navigation tree.


Figure 503 AP monitor configuration

2. On the AP Monitor tab, select the AP to be configured and click the icon to enter the page shown in Figure 504.

Figure 504 AP operating mode configuration

3. Configure the AP operating mode as described in Table 152.

4. Click Apply.

Table 152 Configuration items

Item Description

Work mode

Configure the AP operating mode:
• In normal mode, an AP provides WLAN data services but does not perform scanning.
• In monitor mode, an AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services.
• In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services.

IMPORTANT:
• When an AP has its operating mode changed from normal to monitor, it does not restart.
• When an AP has its operating mode changed from monitor to normal, it restarts.

NOTE:

• An AP operating in hybrid mode can provide WLAN data services as well as scanning devices in the WLAN, so WLAN service configurations are needed.

• An AP operating in monitor mode cannot provide WLAN data services, so WLAN service configurations are not needed.

Configuring detection rules

Configuring detection rules means configuring rogue device classification rules. An AC classifies devices as rogues or friends based on the configured classification rules.


• Check whether an AP is a rogue.

Figure 505 Checking whether an AP is a rogue

• Check whether a client is a rogue.


Figure 506 Checking whether a client is a rogue

• Check whether an ad hoc network or a wireless bridge is a rogue.

Figure 507 Checking whether an ad hoc network or a wireless bridge is a rogue

The client flowchart reads as follows. If the client's MAC address is in the static attack list, it is an illegal client (rogue). If it is not (or the list is not configured) and the address is in the permitted MAC address list, it is a legal client (friend). If it is in neither list (or the lists are not configured), the AC checks whether the AP (BSSID) the client is associated with is legal: if yes, the client is a legal client (friend); if no, it is an illegal client (rogue).


Configuring detection rule lists

1. Select Security > Rogue Detection from the navigation tree.

2. Click the Rule List tab to enter detection rule list configuration page.

Figure 508 Rule list configuration

3. Configure the rule list as described in Table 153.

Table 153 Configuration items

Item Description

List Type

• MAC—You can add MAC addresses to be permitted after selecting this option.
• Wireless Service—You can add SSIDs to be permitted after selecting this option.
• Vendor—You can specify vendors to be permitted after selecting this option.
• Attacker—You can add the MAC address of a device to configure the device as a rogue.

4. Select MAC from the list and click Add to enter the MAC address configuration page.


Figure 509 MAC address list configuration page

5. Configure the MAC address list as described in Table 154.

6. Click Apply.

Table 154 Configuration items

Item Description

MAC Enter the permitted MAC address in the box.

Select the existent devices If you select this option, the MAC address table displays MAC addresses of the current devices. Select the MAC addresses to be permitted.

The operation to add other types of lists is similar to the add operation of a MAC address list, and thus the description is omitted.

Enabling countermeasures and configuring aging time for detected rogue devices

1. Select Security > Rogue Detection from the navigation tree.

2. On the AP Monitor tab, click Common Set.


Figure 510 Common configuration

3. Perform common configuration as described in Table 155.

4. Click Apply.

Table 155 Configuration items

Item Description

Reverse Mode

• Unlaw Set—Allows you to take countermeasures against rogue devices (including illegal APs and illegal clients).

• Unlaw Adhoc Device—Allows you to take countermeasures against ad hoc devices.

• Static Unlaw Device—Allows you to take countermeasures against rogue devices configured in the detection rule list.

Device Aging-Duration

Configure the aging time of entries in the device list.

Once a rogue device is detected, an entry for it is added to the monitor record and the aging time starts. The aging time restarts if the device is detected again during the time. When the aging time is reached, the entry is deleted from the monitor record and added to the history record.

Displaying monitor record

1. Select Security > Rogue Detection from the navigation tree.

2. Click the Monitor Record tab to enter the monitor record page.


Figure 511 Monitor record

Table 156 Field description

Type Description

Type

• r—Rogue device.
• p—Permitted device.
• a—Ad hoc device.
• w—AP.
• b—Wireless bridge.
• c—Client.

For example, pw represents a permitted AP while rb represents a rogue wireless bridge.
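The client classification order from the flowchart in "Configuring detection rules", together with the monitor record type codes of Table 156 and the aging into the history record of Table 155, as an added example (not H3C code). The MAC addresses are those of the rogue detection configuration example later in this chapter; the aging duration is a sample value.

```python
"""Added example (not H3C code): client classification in the flowchart's
order, plus monitor record entries that age out into the history record."""
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept H3C 'xxxx-xxxx-xxxx' or 'xx:xx:xx:xx:xx:xx'; return 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or set(digits) - set("0123456789abcdef"):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


# Device kinds of Table 156; combined with 'r' or 'p' they form codes such as 'pw' or 'rb'.
DEVICE_KINDS = {"a": "ad hoc device", "w": "AP", "b": "wireless bridge", "c": "client"}


@dataclass
class RogueDetector:
    attacker_list: set = field(default_factory=set)    # Attacker rule list (static rogues)
    permitted_macs: set = field(default_factory=set)   # MAC rule list (permitted devices)
    aging_duration: float = 600.0                      # Device Aging-Duration, seconds (sample)
    monitor: dict = field(default_factory=dict)        # mac -> (type code, expiry time)
    history: list = field(default_factory=list)        # (mac, type code) after aging out

    def classify_client(self, mac: str, associated_ap_is_legal: bool) -> str:
        """Return 'r' (rogue) or 'p' (permitted/friend) following the flowchart."""
        m = normalize_mac(mac)
        if m in self.attacker_list:        # static attack list is checked first
            return "r"
        if m in self.permitted_macs:       # then the permitted MAC address list
            return "p"
        # Otherwise the verdict follows the AP (BSSID) the client is associated with.
        return "p" if associated_ap_is_legal else "r"

    def detect(self, mac: str, kind: str, verdict: str, now: float) -> str:
        """Record a detected device; detecting it again restarts its aging time."""
        if kind not in DEVICE_KINDS or verdict not in ("r", "p"):
            raise ValueError(f"unknown kind {kind!r} or verdict {verdict!r}")
        code = verdict + kind              # e.g. 'pw' permitted AP, 'rb' rogue bridge
        self.monitor[normalize_mac(mac)] = (code, now + self.aging_duration)
        return code

    def age_out(self, now: float) -> list:
        """Move entries whose aging time is reached to the history record."""
        expired = [m for m, (_, expiry) in self.monitor.items() if now >= expiry]
        for m in expired:
            code, _ = self.monitor.pop(m)
            self.history.append((m, code))
        return expired


def build_example_detector() -> RogueDetector:
    """Rule lists of the configuration example: Clients 1 to 3 permitted, Client 4 an attacker."""
    return RogueDetector(
        attacker_list={normalize_mac("000f-e220-405e")},
        permitted_macs={normalize_mac(m) for m in
                        ("000f-e215-1515", "000f-e215-1530", "000f-e213-1235")},
        aging_duration=600.0,
    )
```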

Displaying history record

1. Select Security > Rogue Detection from the navigation tree.

2. Click the History Record tab to enter the history record page.


Figure 512 History record page

Configuring WIDS

Configuring WIDS

1. Select Security > WIDS from the navigation tree.

Figure 513 WIDS configuration

2. On the WIDS Setup tab, configure WIDS as described in Table 157.

3. Click Apply.

Table 157 Configuration items

Item Description

Flood Attack Detect If you select the option, flood attack detection is enabled.

It is disabled by default.

Spoofing Attack Detect If you select the option, spoofing attack detection is enabled. It is disabled by default.

Weak IV Attack Detect If you select the option, Weak IV attack detection is enabled. It is disabled by default.

Displaying history record

1. Select Security > WIDS from the navigation tree.

2. Click the History Record tab to enter the history information page.


Figure 514 History information

Displaying statistics information

1. Select Security > WIDS from the navigation tree.

2. Click the Statistics tab to enter the statistics information page.

Figure 515 Statistics

Configuring the blacklist and white list functions

NOTE:

A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a dynamic blacklist applies only to the APs that receive attack frames. For more information, see "Blacklist and white list."


Configuring dynamic blacklist

1. Select Security > Filter from the navigation tree.

Figure 516 Dynamic blacklist configuration page

2. On the Blacklist tab, configure the dynamic blacklist as described in Table 158.

3. Click Apply.

Table 158 Configuration items

Item Description

Dynamic Blacklist
• Enable—Enable dynamic blacklist.
• Disable—Disable dynamic blacklist.

Lifetime Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.

NOTE:

At present, these attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood, ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.

Configuring static blacklist

1. Select Security > Filter from the navigation tree.

2. On the Blacklist tab, click Static to enter the static blacklist configuration page.


Figure 517 Static blacklist configuration

3. Click Add Static to enter the static blacklist configuration page.

Figure 518 Adding static blacklist

4. Add a static blacklist as described in Table 159.

5. Click Apply.

Table 159 Configuration items

Item Description

MAC Address Select MAC Address, and then add a MAC address to the static blacklist.

Select from Connected Clients

If you select the option, the table below lists the current existing clients. Select the options of the clients to add their MAC addresses to the static blacklist.


Configuring white list

1. Select Security > Filter from the navigation tree.

2. Click the Whitelist tab.

Figure 519 Whitelist configuration

3. Click Add.

Figure 520 Adding a whitelist

4. Add a white list as described in Table 160.

5. Click Apply.


Table 160 Configuration items

Item Description

MAC Address Select MAC Address, and then add a MAC address to the white list.

Select from Connected Clients

If you select the option, the table below lists the current existing clients. Select the options of the clients to add their MAC addresses to the white list.

Rogue detection configuration example

Network requirements

As shown in Figure 521, a monitor AP (AP 2 with serial ID SZ001) and AP 1 (serial ID SZ002) are connected to an AC through a Layer 2 switch.

• AP 1 operates in normal mode and provides WLAN data services only.

• AP 2 operates in monitor mode, and scans all 802.11g frames in the WLAN.

• Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3 (MAC address 000f-e213-1235) are connected to AP 1. They are configured as friends.

• Client 4 (MAC address 000f-e220-405e) is connected to AP 2. It is configured as a rogue device.

Figure 521 Network diagram

Configuration procedure

1. Configure AP 1 to operate in normal mode:

In normal mode, AP 1 provides WLAN data services only. For how to configure WLAN services, see "Access service configuration."

2. Configure AP 2 to operate in monitor mode:

a. Select AP > AP Setup from the navigation tree.

b. Click Add.

c. On the page that appears, set the AP name to ap2, select the AP model WA2620-AGN, select Manual, and enter the serial ID of AP 2.


d. Click Apply.

Figure 522 AP configuration

e. Select Security > Rogue Detection from the navigation tree.

f. On the AP Monitor tab, click the icon corresponding to the target AP to enter the operating mode configuration page.

g. Select the operating mode Monitor.

h. Click Apply.

Figure 523 AP operating mode configuration

3. Enable the 802.11n(2.4GHz) radio mode:

a. Select Radio > Radio from the navigation tree to enter the AP radio configuration page.

b. Select the AP with the radio mode 802.11n(2.4GHz).

c. Click Enable.

Figure 524 Radio configuration


4. Configure rogue detection rules:

a. Select Security > Rogue Detection from the navigation tree.

b. Click the Rule List tab and click Add.

c. On the page that appears, enter 000f-e215-1515, 000f-e215-1530, and 000f-e213-1235 in the MAC Address field, and then click Apply.

d. Select Attacker, and click Add. Enter 000f-e220-405e in the MAC Address field and click Apply.

5. Enable countermeasures against the static rogue device:

a. Select Security > Rogue Detection from the navigation tree.

b. Click the AP Monitor tab, and click Common Set to enter the common configuration page.

c. Select Static Rogue Device. This is because the MAC address of Client 4 is added manually to the attacker list.

d. Click Apply.

Figure 525 Common configuration

Configuration guidelines

• The radio must be disabled so that the AP operation mode can be changed.

• If you configure more than one detection rule, you need to specify the rogue device types (AP, client, bridge, and ad hoc) and the rule matching order. For more information, see "User isolation."

• The wireless service configuration is needed for an AP operating in hybrid mode, and not needed for an AP in monitor mode.


User isolation

User isolation overview

Without user isolation, all the devices in the same VLAN can access each other directly, which raises security concerns. User isolation solves this problem. When an AC configured with user isolation receives unicast packets (broadcast and multicast packets in a VLAN are not isolated) from a wireless client to another wireless client or a wired PC in the same VLAN, or from a wired PC to a wireless client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.

To avoid user isolation from affecting communications between users and the gateway, you can add the MAC address of the gateway to the list of permitted MAC addresses.

User isolation provides network services to users while isolating them from one another at Layer 2, which improves service security.

Before user isolation is enabled

As shown in Figure 526, before user isolation is enabled in VLAN 2 on the AC, wireless terminals Client A and Client B and wired terminal Host A in the VLAN can communicate with each other and access the Internet.

Figure 526 User communication


After user isolation is enabled

As shown in Figure 526, user isolation is enabled on the AC. Client A and Client B, and Host A in VLAN 2 access the Internet through the gateway.

• If you add the MAC address of the gateway to the permitted MAC address list, Client A, Client B, and Host A in the same VLAN are isolated, but they can access the Internet.

• If you add the MAC address of a user (Client A, for example) to the permitted MAC address list, Client A and Client B, and Client A and Host A can access each other directly, but Client B and Host A cannot.

To enable all the users in the VLAN to access one another and the Internet, you need to add the MAC address of the gateway and the MAC addresses of the users to the permitted MAC address list.
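The forwarding decision described above, as an added example (not H3C code): a unicast frame inside the VLAN passes only when one of its endpoints is in the permitted MAC list, broadcast and multicast are never isolated, and the limits of Table 161 (no group addresses, at most 16 entries) are enforced. The gateway MAC is the one from the configuration example; the client and host MACs are constructed.

```python
"""Added example (not H3C code): the user isolation decision for traffic
between two devices in one VLAN, following 'After user isolation is enabled'."""

MAX_PERMITTED_MACS = 16            # limit stated in Table 161


def normalize_mac(mac: str) -> str:
    """Accept H3C 'xxxx-xxxx-xxxx' or 'xx:xx:xx:xx:xx:xx'; return 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or set(digits) - set("0123456789abcdef"):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (low bit of the first octet) set."""
    return int(normalize_mac(mac)[:2], 16) & 1 == 1


class IsolatedVlan:
    def __init__(self, vlan_id: int):
        self.vlan_id = vlan_id
        self.permitted = set()

    def permit(self, mac: str) -> None:
        """Add a MAC address to the permitted MAC list (the AccessMAC item)."""
        m = normalize_mac(mac)
        if is_group_address(m):
            raise ValueError("broadcast or multicast MAC addresses cannot be permitted")
        if m not in self.permitted and len(self.permitted) >= MAX_PERMITTED_MACS:
            raise ValueError(f"VLAN {self.vlan_id}: at most {MAX_PERMITTED_MACS} permitted MACs")
        self.permitted.add(m)

    def forwards(self, src_mac: str, dst_mac: str) -> bool:
        """True if the AC forwards a frame from src_mac to dst_mac inside this VLAN."""
        dst = normalize_mac(dst_mac)
        if is_group_address(dst):
            return True                # broadcast and multicast are not isolated
        # Unicast passes only if at least one endpoint is in the permitted MAC list.
        return normalize_mac(src_mac) in self.permitted or dst in self.permitted


GATEWAY = "000f-e212-7788"            # gateway MAC from the configuration example
CLIENT_A, CLIENT_B, HOST_A = "0011-2233-4401", "0011-2233-4402", "0011-2233-4403"  # constructed


def gateway_only_scenario() -> dict:
    """Only the gateway is permitted: users reach the Internet but not each other."""
    vlan = IsolatedVlan(2)
    vlan.permit(GATEWAY)
    return {
        "a_to_gateway": vlan.forwards(CLIENT_A, GATEWAY),
        "a_to_b": vlan.forwards(CLIENT_A, CLIENT_B),
        "b_to_host_a": vlan.forwards(CLIENT_B, HOST_A),
        "a_broadcast": vlan.forwards(CLIENT_A, "ffff-ffff-ffff"),
    }


def client_a_scenario() -> dict:
    """Client A is permitted too: A talks to B and Host A, but B and Host A stay isolated."""
    vlan = IsolatedVlan(2)
    vlan.permit(GATEWAY)
    vlan.permit(CLIENT_A)
    return {
        "a_to_b": vlan.forwards(CLIENT_A, CLIENT_B),
        "host_a_to_a": vlan.forwards(HOST_A, CLIENT_A),
        "b_to_host_a": vlan.forwards(CLIENT_B, HOST_A),
    }
```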

Configuring user isolation

Configuring user isolation

1. Select Security > User Isolation from the navigation tree.

2. Click Add.

The page for configuring user isolation appears.

Figure 527 Configuring user isolation

3. Configure user isolation as described in Table 161.

4. Click Apply.

Table 161 Configuration items

Item Description

VLAN ID Specify the VLAN in which user isolation is enabled.


AccessMAC

Specify the MAC addresses to be permitted by the AC. For more information, see "After user isolation is enabled."
• Enter a MAC address in the field next to the Add button.
• Click Add to add the MAC address to the permitted MAC list.
• To delete a MAC address from the list, select an entry and click Delete.

IMPORTANT:

• Broadcast or multicast MAC addresses cannot be specified as permitted MAC addresses.

• Up to 16 permitted MAC addresses can be configured for one VLAN.

To avoid network disruption caused by user isolation, add the MAC address of the gateway to the permitted MAC address list and then enable user isolation.

If you configure user isolation for a super VLAN, the configuration does not take effect on the sub-VLANs in the super VLAN, and you must configure user isolation on the sub-VLANs if needed.

Displaying user isolation information

Select Security > User Isolation from the navigation tree to enter the page displaying the user isolation configuration summary.

Figure 528 Displaying user isolation summary

User isolation configuration example

Network requirements

As shown in Figure 529, isolate Client A, Client B, and Host A in VLAN 2 from one another while allowing them to access the Internet. The MAC address of the gateway is 000f-e212-7788.


Figure 529 Network diagram

Configuration procedure

1. Configure wireless service:

For how to configure wireless service, see "Access service configuration."

2. Configure user isolation:

a. Select Security > User Isolation from the navigation tree.

b. Click Add to enter the page for configuring user isolation.

c. On the page that appears, enter the VLAN ID 2, add MAC address 000f-e212-7788 to the permitted MAC address list, and click Apply.

Figure 530 Configuring user isolation


Authorized IP

Overview

The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only clients that pass the ACL filtering can access the device.

Configuring authorized IP

Before you configure authorized IP, you must create and configure the ACL. For ACL configuration, see "QoS configuration."

1. Select Security > Authorized IP from the navigation tree.

2. Click the Setup tab to enter the authorized IP configuration page.

Figure 531 Configuration page

3. Configure an authorized IP as described in Table 162.

4. Click Apply.


Table 162 Configuration items

Item Description

Telnet

IPv4 ACL Select the IPv4 ACL to be associated with the Telnet service.

Available IPv4 ACLs are those configured on the page you enter by selecting QoS > ACL IPv4.

IPv6 ACL Select the IPv6 ACL to be associated with the Telnet service.

Available IPv6 ACLs are those configured on the page you enter by selecting QoS > ACL IPv6.

Web (HTTP) IPv4 ACL

Select the IPv4 ACL to be associated with the HTTP service.

Available IPv4 ACLs are those configured on the page you enter by selecting QoS > ACL IPv4.


Configuring ACL and QoS

NOTE:

Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.

ACL overview

An access control list (ACL) is a set of rules (permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.

ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also widely used by many modules, for example, QoS and IP routing, for traffic identification.

ACLs fall into the following categories.

Category, ACL number, IP version, and match criteria:

• Basic ACLs (2000 to 2999): IPv4, source IPv4 address; IPv6, source IPv6 address.

• Advanced ACLs (3000 to 3999): IPv4, source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields; IPv6, source/destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields.

• Ethernet frame header ACLs (4000 to 4999): IPv4 and IPv6, Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type.

NOTE:

For more information about ACL, see ACL and QoS Configuration Guide.

QoS overview

Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving services under certain conditions.

In the internet, QoS refers to the ability of the network to forward packets. The evaluation on QoS of a network can be based on different aspects because the network may provide various services. Generally, QoS refers to the ability to provide improved service by solving the core issues such as delay, jitter, and packet loss ratio in the packet forwarding process.

Traditional packet forwarding services

On traditional IP networks, devices treat all packets equally and handle them using the first in first out (FIFO) policy. All packets share the resources of the network and devices. How many resources the packets can obtain depends entirely on the time they arrive. This service is called "best-effort". It delivers packets to their destinations as well as it can, without any guarantee for delay, jitter, packet loss ratio, reliability, and so on.

This service policy is only suitable for applications insensitive to bandwidth and delay, such as WWW, file transfer and email.

New requirements from new applications

The Internet has been growing along with the fast development of networking technologies. More and more users take the Internet as their data transmission platform to implement various applications.

Besides traditional applications such as WWW, email and FTP, network users are experiencing new services, such as tele-education, telemedicine, video telephone, videoconference and Video-on-Demand (VoD). The enterprise users expect to connect their regional branches together through VPN technologies to carry out operational applications, for instance, to access the database of the company or to monitor remote devices through Telnet.

These new applications have one thing in common: they all have special requirements for bandwidth, delay, and jitter. For instance, videoconference and VoD need large bandwidth, low delay, and low jitter. Mission-critical applications, such as transactions and Telnet, may not require large bandwidth but do require low delay and preferential service during congestion.

The new emerging applications demand higher service performance from IP networks. Better network services during packet forwarding are required, such as providing dedicated bandwidth, reducing packet loss ratio, managing and avoiding congestion, regulating network traffic, and setting the precedence of packets. To meet these requirements, networks must provide improved services.

NOTE:

For more information about QoS, see ACL and QoS Configuration Guide.

Configuring an ACL

Recommended configuration procedures

Recommended IPv4 ACL configuration procedure

Step Remarks

1. Adding a time range Optional.

A rule referencing a time range takes effect only during the specified time range.

2. Adding an IPv4 ACL Required.

The category of the added ACL depends on the ACL number that you specify.

3. Configuring a rule for a basic IPv4 ACL Required.

Complete one of the three steps according to the ACL category.

4. Configuring a rule for an advanced IPv4 ACL

5. Configuring a rule for an Ethernet frame header ACL


Recommended IPv6 ACL configuration procedure

Step Remarks

1. Adding a time range Optional.

A rule referencing a time range takes effect only during the specified time range.

2. Adding an IPv6 ACL Required.

The category of the added IPv6 ACL depends on the ACL number that you specify.

3. Configuring a rule for a basic IPv6 ACL Required.

Complete one of the steps according to the ACL category.

4. Configuring a rule for an advanced IPv6 ACL

Adding a time range

1. Select QoS > Time Range from the navigation tree.

2. Click the Add tab to enter the time range adding page.

Figure 532 Adding a time range

3. Configure the time range information, as described in Table 163.

4. Click Apply.

Table 163 Configuration items

Item Description

Time Range Name Set the name for the time range.


Periodic Time Range

These items are available after you select the Periodic Time Range option.

Start Time Set the start time of the periodic time range.

End Time Set the end time of the periodic time range. The end time must be greater than the start time.

Sun, Mon, Tue, Wed, Thu, Fri, and Sat Select the day or days of the week on which the periodic time range is valid. You can select any combination of the days of the week.

Absolute Time Range

These items are available after you select the Absolute Time Range option.

From Set the start time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format.

To Set the end time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format. The end time must be greater than the start time.

Adding an IPv4 ACL

1. Select QoS > ACL IPv4 from the navigation tree.

2. Click the Add tab to enter the IPv4 ACL adding page, as shown in Figure 533.

Figure 533 Adding an IPv4 ACL

3. Configure the IPv4 ACL information, as described in Table 164.

4. Click Apply.


Table 164 Configuration items

Item Description

ACL Number Set the number of the IPv4 ACL.

Match Order

Set the match order of the ACL. Available values are:
• Config—Packets are compared against ACL rules in the order that the rules are configured.
• Auto—Packets are compared against ACL rules in the depth-first match order.

Description Set the description for the ACL.

Configuring a rule for a basic IPv4 ACL

1. Select QoS > ACL IPv4 from the navigation tree.

2. Click the Basic Setup tab to enter the rule configuration page for a basic IPv4 ACL, as shown in Figure 534.

Figure 534 Configuring a basic IPv4 ACL

3. Configure a basic IPv4 ACL, as described in Table 165.

4. Click Add.


Table 165 Configuration items

Item Description

ACL Select the basic IPv4 ACL for which you want to configure rules.

Available ACLs are basic IPv4 ACLs.

Rule ID

Select the Rule ID option and enter a number for the rule.

If you do not specify the rule number, the system will assign one automatically.

IMPORTANT:

If the rule number you specify already exists, the following operations modify the configuration of the rule.

Action Select the action to be performed for IPv4 packets matching the rule.
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.

Check Fragment Select this option to apply the rule to only non-first fragments.

If you do not select this option, the rule applies to all fragments and non-fragments.

Check Logging

Select this option to keep a log of matched IPv4 packets.

A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.

Source IP Address, Source Wildcard Select the Source IP Address option and enter a source IPv4 address and source wildcard, in dotted decimal notation.

Time Range Select the time range during which the rule takes effect.
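How a basic IPv4 ACL built from Tables 163 to 165 is evaluated, as an added example (not H3C code): source addresses are matched against a dotted-decimal wildcard, a rule referencing a time range counts only while that range is active, and the Config and Auto match orders of Table 164 can give different answers for the same packet. The ACL, rules and time range are constructed samples, and the depth-first ordering is modelled as "most specific source first", which is an assumption about the Auto order.

```python
"""Added example (not H3C code): evaluating a basic IPv4 ACL with wildcard
masks, Config/Auto match order and time ranges, per Tables 163 to 165."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are 'don't care': 10.1.1.0 0.0.0.255 matches any 10.1.1.x."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(rule_addr) & care)


@dataclass
class TimeRange:
    """A periodic range (days of the week plus hh:mm start/end) or an absolute range."""
    name: str
    days: frozenset = frozenset()            # e.g. {"Mon", "Fri"}; empty means absolute
    start: str = "00:00"                     # hh:mm, 24-hour clock
    end: str = "24:00"
    absolute_from: Optional[datetime] = None
    absolute_to: Optional[datetime] = None

    def active(self, when: datetime) -> bool:
        if self.days:
            return when.strftime("%a") in self.days and self.start <= when.strftime("%H:%M") < self.end
        if self.absolute_from is None or self.absolute_to is None:
            raise ValueError(f"time range {self.name} has neither days nor absolute dates")
        return self.absolute_from <= when <= self.absolute_to


@dataclass
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"        # all bits don't-care: any source
    time_range: Optional[str] = None


@dataclass
class BasicIPv4Acl:
    number: int                              # basic IPv4 ACLs are numbered 2000 to 2999
    match_order: str = "config"              # "config" or "auto"
    rules: list = field(default_factory=list)
    time_ranges: dict = field(default_factory=dict)

    def __post_init__(self):
        if not 2000 <= self.number <= 2999:
            raise ValueError("basic IPv4 ACL numbers are 2000 to 2999")

    def ordered_rules(self) -> list:
        if self.match_order == "config":
            return list(self.rules)          # the order in which the rules were configured
        # Assumed model of the Auto (depth-first) order: the most specific source
        # (fewest don't-care bits in the wildcard) is compared first; ties keep rule ID order.
        return sorted(self.rules, key=lambda r: (bin(ip_to_int(r.wildcard)).count("1"), r.rule_id))

    def evaluate(self, src_ip: str, when: datetime) -> Optional[str]:
        """Action of the first matching rule whose time range is active, else None."""
        for rule in self.ordered_rules():
            if rule.time_range and not self.time_ranges[rule.time_range].active(when):
                continue                     # rule is outside its time range
            if wildcard_match(src_ip, rule.source, rule.wildcard):
                return rule.action
        return None


def build_example_acl(match_order: str = "config") -> BasicIPv4Acl:
    """Constructed ACL 2000: deny 10.1.1.0/24 in working hours, permit host 10.1.1.8, permit all."""
    acl = BasicIPv4Acl(2000, match_order)
    acl.time_ranges["working"] = TimeRange(
        "working", days=frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"}), start="09:00", end="18:00")
    acl.rules = [
        Rule(0, "deny", "10.1.1.0", "0.0.0.255", time_range="working"),
        Rule(5, "permit", "10.1.1.8", "0.0.0.0"),
        Rule(10, "permit"),
    ]
    return acl


def decide(match_order: str, src_ip: str, iso_time: str) -> Optional[str]:
    """Convenience wrapper, e.g. decide("config", "10.1.1.8", "2012-08-27T10:00")."""
    return build_example_acl(match_order).evaluate(src_ip, datetime.fromisoformat(iso_time))
```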

Configuring a rule for an advanced IPv4 ACL

1. Select QoS > ACL IPv4 from the navigation tree.

2. Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv4 ACL, as shown in Figure 535.


Figure 535 Configuring an advanced IPv4 ACL

3. Configure an advanced IPv4 ACL rule, as described in Table 166.

4. Click Add.

Table 166 Configuration items

Item Description

ACL Select the advanced IPv4 ACL for which you want to configure rules.

Available ACLs are advanced IPv4 ACLs.


Rule ID

Select the Rule ID option and enter a number for the rule.

If you do not specify the rule number, the system will assign one automatically.

IMPORTANT:

If the rule number you specify already exists, the following operations modify the configuration of the rule.

Action

Select the action to be performed for IPv4 packets matching the rule.
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.

Non-First Fragments Only Select this option to apply the rule to only non-first fragments.

If you do not select this option, the rule applies to all fragments and non-fragments.

Logging

Select this option to keep a log of matched IPv4 packets.

A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.

IP Address Filter

Source IP Address, Source Wildcard Select the Source IP Address option and enter a source IPv4 address and source wildcard, in dotted decimal notation.

Destination IP Address, Destination Wildcard Select the Destination IP Address option and enter a destination IPv4 address and destination wildcard, in dotted decimal notation.

Protocol

Select the protocol to be carried by IP.

If you select 1 ICMP, you can configure the ICMP message type and code; if you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.

ICMP Type

ICMP Message, ICMP Type, ICMP Code Specify the ICMP message type and code.

These items are available only when you select 1 ICMP from the Protocol list.

If you select Other from the ICMP Message list, you must enter values in the ICMP Type and ICMP Code fields. Otherwise, the two fields take the default values, which cannot be changed.


TCP/UDP Port

TCP Connection Established Select this option to make the rule match packets used for establishing and maintaining TCP connections.

This item is available only when you select 6 TCP from the Protocol list.

Source Operator, Source Port, Destination Operator, Destination Port Select the operators and enter the source port numbers and destination port numbers as required.

These items are available only when you select 6 TCP or 17 UDP from the Protocol list.

Different operators have different configuration requirements for the port number fields:
• Not Check—The following port number fields cannot be configured.
• Range—The following port number fields must be configured to define a port range.
• Other values—The first port number field must be configured and the second must not.

Precedence Filter

DSCP Specify the DSCP value.

TOS Specify the ToS preference.

Precedence Specify the IP precedence.

Time Range Select the time range during which the rule takes effect.

Configuring a rule for an Ethernet frame header ACL

1. Select QoS > ACL IPv4 from the navigation tree.

2. Click the Link Setup tab to enter the rule configuration page for an Ethernet frame header IPv4 ACL, as shown in Figure 536.


Figure 536 Configuring a rule for an Ethernet frame header ACL

3. Configure an Ethernet frame header IPv4 ACL rule, as described in Table 167.

4. Click Add.

Table 167 Configuration items

Item Description

ACL Select the Ethernet frame header IPv4 ACL for which you want to configure rules.

Available ACLs are Ethernet frame header IPv4 ACLs.

Rule ID

Select the Rule ID option and enter a number for the rule.

If you do not specify the rule number, the system will assign one automatically.

IMPORTANT:

If the rule number you specify already exists, the following operations modify the configuration of the rule.


Action Select the action to be performed for IPv4 packets matching the rule.
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.

MAC Address Filter

Source MAC Address / Source Mask Select the Source MAC Address option and enter a source MAC address and wildcard.

Destination MAC Address / Destination Mask Select the Destination MAC Address option and enter a destination MAC address and wildcard.

COS(802.1p priority) Specify the 802.1p priority for the rule.

Type Filter

LSAP Type / LSAP Mask Select the LSAP Type option and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items:
• LSAP Type—Indicates the frame encapsulation format.
• LSAP Mask—Indicates the LSAP wildcard.

Protocol Type / Protocol Mask Select the Protocol Type option and specify the link layer protocol type by configuring the following items:
• Protocol Type—Indicates the frame type. It corresponds to the type-code field of Ethernet_II and Ethernet_SNAP frames.
• Protocol Mask—Indicates the wildcard.

TIP:

You can select only one of the LSAP Type option and the Protocol Type option.

Time Range Select the time range during which the rule takes effect.

Adding an IPv6 ACL

1. Select QoS > ACL IPv6 from the navigation tree.

2. Click the Add tab to enter the IPv6 ACL adding page, as shown in Figure 537.


Figure 537 Adding an IPv6 ACL

3. Configure the IPv6 ACL information, as described in Table 168.

4. Click Apply.

Table 168 Configuration items

Item Description

ACL Number Enter a number for the IPv6 ACL.

Match Order

Select a match order for the ACL. Available values are:
• Config—Packets are compared against ACL rules in the order the rules are configured.
• Auto—Packets are compared against ACL rules in the depth-first match order.

Description Set the description for the ACL.

Configuring a rule for a basic IPv6 ACL

1. Select QoS > ACL IPv6 from the navigation tree.

2. Click the Basic Setup tab to enter the rule configuration page for a basic IPv6 ACL, as shown in Figure 538.


Figure 538 Configuring a rule for a basic IPv6 ACL

3. Configure the basic IPv6 ACL rule information, as described in Table 169.

4. Click Add.

Table 169 Configuration items

Item Description

Select Access Control List (ACL)

Select the basic IPv6 ACL for which you want to configure rules.

Available ACLs are basic IPv6 ACLs.

Rule ID

Select the Rule ID option and enter a number for the rule.

If you do not specify the rule number, the system will assign one automatically.

IMPORTANT:

If the rule number you specify already exists, the following operations modify the configuration of the rule.

Operation Select the operation to be performed for IPv6 packets matching the rule.
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.

Check Fragment Select this option to apply the rule to only non-first fragments.

If you do not select this option, the rule applies to all fragments and non-fragments.

Check Logging

Select this option to keep a log of matched IPv6 packets.

A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.


Source IP Address / Source Prefix Select the Source IP Address option and enter a source IPv6 address and prefix length.

The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon (:).

Time Range Select the time range during which the rule takes effect.

Configuring a rule for an advanced IPv6 ACL

1. Select QoS > ACL IPv6 from the navigation tree.

2. Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv6 ACL.

Figure 539 Configuring a rule for an advanced IPv6 ACL

3. Configure the advanced IPv6 ACL rule information, as described in Table 170.

4. Click Add.


Table 170 Configuration items

Item Description

Select Access Control List (ACL) Select the advanced IPv6 ACL for which you want to configure rules.

Available ACLs are advanced IPv6 ACLs.

Rule ID

Select the Rule ID option and enter a number for the rule.

If you do not specify the rule number, the system will assign one automatically.

IMPORTANT:

If the rule number you specify already exists, the following operations modify the configuration of the rule.

Operation

Select the operation to be performed for IPv6 packets matching the rule.
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.

Check Fragment Select this option to apply the rule to only non-first fragments.

If you do not select this option, the rule applies to all fragments and non-fragments.

Check Logging

Select this option to keep a log of matched IPv6 packets.

A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.

IP Address Filter

Source IP Address / Source Prefix Select the Source IP Address option and enter a source IPv6 address and prefix length.

The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon (:).

Destination IP Address / Destination Prefix Select the Destination IP Address option and enter a destination IPv6 address and prefix length.

The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon (:).

Protocol

Select the protocol to be carried by IP.

If you select 58 ICMPv6, you can configure the ICMP message type and code; if you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.

ICMPv6 Type: Named ICMPv6 Type, ICMPv6 Type, ICMPv6 Code Specify the ICMPv6 message type and code.

These items are available only when you select 58 ICMPv6 from the Protocol list.

If you select Other from the Named ICMPv6 Type list, you must enter values in the ICMPv6 Type and ICMPv6 Code fields. Otherwise, the two fields will take the default values, which cannot be changed.

TCP/UDP: Source Operator, Port, To Port; Destination Operator, Port, To Port Select the operators and enter the source port numbers and destination port numbers as required.

Time Range Select the time range during which the rule takes effect.

Configuring line rate

Line rate uses token buckets to control traffic. The line rate of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Line rate can limit all the packets passing a physical interface.

To configure line rate:

1. Select QoS > Line rate from the navigation tree.

2. Click the Setup tab to enter the line rate configuration page, as shown in Figure 540.

Figure 540 Configuring line rate on a port

3. Configure line rate, as described in Table 171.

4. Click Apply.


Table 171 Configuration items

Item Description

Please select an interface type Select the types of interfaces to be configured with line rate.

The interface types available for selection depend on your device model.

Rate Limit Select Enable or Disable to enable or disable line rate on the specified port.

Direction Select a direction in which the line rate is to be applied.
• Inbound—Limits the rate of packets received on the specified port.
• Outbound—Limits the rate of packets sent by the specified port.

CIR Set the committed information rate (CIR), the average traffic rate.

CBS Set the committed burst size (CBS), number of bits that can be sent in each interval.

EBS Set the excess burst size (EBS).

This configuration item is not supported.

Please select port(s) Specify the ports to be configured with line rate.

Click the ports to be configured with line rate in the port list. You can select one or more ports.
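The token bucket behind the CIR and CBS items in Table 171, as an added example in Python (not code from the guide): a packet passes only if the bucket holds at least its size in tokens, the bucket refills at CIR and never holds more than CBS. Units are an assumption (CIR in kbps, CBS in bits), the packet trace is constructed, and the exceed_action parameter stands in for the Red option of the CAR action later on this page, where an exceeding packet is either discarded or passed.

```python
"""Single-rate token bucket behind the line rate items in Table 171 (CIR, CBS).

Added example, not part of the H3C guide. Units are an assumption: CIR in kbps,
CBS in bits. exceed_action models the Red option of the CAR action in a traffic
behavior: "discard" (what line rate does) or "pass".
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class TokenBucket:
    cir_kbps: int            # committed information rate: refill speed
    cbs_bits: int            # committed burst size: bucket depth
    tokens: float = field(init=False)
    last_time: float = 0.0   # arrival time of the previous packet, in seconds

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs_bits)   # the bucket starts full

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_time)
        self.tokens = min(float(self.cbs_bits),
                          self.tokens + elapsed * self.cir_kbps * 1000)
        self.last_time = now

    def conforms(self, now: float, size_bytes: int) -> bool:
        """True if a packet of size_bytes arriving at `now` fits within the rate."""
        self._refill(now)
        needed = size_bytes * 8
        if needed <= self.tokens:
            self.tokens -= needed
            return True
        return False                          # exceeding packet; no tokens taken


def police(packets: List[Tuple[float, int]], cir_kbps: int, cbs_bits: int,
           exceed_action: str = "discard") -> List[str]:
    """Per-packet verdict ("forward"/"drop") for a trace of (time_s, size_bytes)."""
    bucket = TokenBucket(cir_kbps, cbs_bits)
    verdicts = []
    for arrival, size in packets:
        if bucket.conforms(arrival, size) or exceed_action == "pass":
            verdicts.append("forward")
        else:
            verdicts.append("drop")
    return verdicts


# Constructed trace: four 1500-byte packets at once, one 10 ms later, one a
# second later. With CIR 64 kbps and CBS 32000 bits the initial burst only has
# room for two packets, and the bucket needs most of a second to refill.
TRACE = [(0.000, 1500), (0.000, 1500), (0.000, 1500), (0.000, 1500),
         (0.010, 1500), (1.000, 1500)]

if __name__ == "__main__":
    for (arrival, size), verdict in zip(TRACE, police(TRACE, 64, 32000)):
        print(f"t={arrival:.3f}s {size} B -> {verdict}")
```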

Configuring the priority trust mode of a port

Priority mapping overview

When a packet enters a device, the device assigns a set of QoS priority parameters to the packet based on a certain priority field carried in the packet and sometimes may modify its priority, according to certain rules depending on device status. This process is called "priority mapping". The set of QoS priority parameters decides the scheduling priority and forwarding priority of the packet.

The device provides various types of priority mapping tables, or rather, priority mappings. By looking up a priority mapping table, the device decides which priority value is to assign to a packet for subsequent packet processing.

You can configure priority mapping by configuring trusting packet priority or trusting port priority.

• If packet priority is trusted, the device uses the specified priority field of the incoming packet to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet. Note that, if a received packet does not carry the specified priority field, the device uses the port priority to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet.

• If port priority is trusted, the device uses the port priority rather than packet priority to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet.

Configuring priority mapping

Two approaches are available for you to configure the priority trust mode on a port for priority mapping:

• In the first approach, you can configure a port to use the 802.1p or 802.11e priority carried in received packets for priority mapping. This approach is supported for the WLAN-ESS interface in addition to other types of interface.


• In the second approach, more options are available. In addition, you can change port priority (local precedence) of a port for priority mapping. This approach is not supported on the WLAN-ESS interface.

Approach 1

1. Select QoS > Trust Mode from the navigation tree to enter the priority trust mode configuration page, as shown in Figure 541.

Figure 541 Configuring priority trust mode

2. Configure the priority trust mode of the interfaces, as described in Table 172.

3. Click Apply.


Table 172 Configuration items

Item Description

Please select the interface type

Select the type of the ports to be configured. The interface types available for selection depend on your device model.

IMPORTANT:

If a WLAN-ESS interface in use has WLAN-DBSS interfaces created on it, its priority cannot be modified. To modify the priority of the WLAN-ESS interface, you must stop the service the interface provides (make the current users on the interface offline).

Trust Mode

Select the priority trust mode:
• Dot1p—Uses the 802.1p priority of received packets for mapping.
• Dscp—Uses the DSCP value of received packets for mapping.
• Dot11e—Uses the 802.11e priority of received packets for mapping. This option is applicable to only WLAN-ESS interfaces.

IMPORTANT:

Support for priority trust modes depends on the interface type. The supported priority trust modes are shown in the Trust Mode list.

(Select the ports) Specify the ports to be configured.

Click the ports to be configured in the port list. You can select one or more ports.

Approach 2

1. Select QoS > Port Priority from the navigation tree to enter the page shown in Figure 542.

Figure 542 Port priority

2. Click the icon for a port to enter the page for configuring the priority and priority trust mode of the port, as shown in Figure 543.


Figure 543 Modify the port priority

3. Set the port priority, as described in Table 173.

4. Click Apply.

Table 173 Configuration items

Item Remarks

Interface Name Name of the interface to be configured.

Priority

Set the local precedence value for the port.

Local precedence is allocated by the device and has only local significance. A local precedence value corresponds to an output queue. A packet with higher local precedence is assigned to a higher priority output queue to be preferentially scheduled.

Trust Mode

Set the priority trust mode of the port:
• Untrust—Uses the port priority rather than a packet priority value for priority mapping.
• Dot1p—Uses the 802.1p priority of received packets for priority mapping.
• DSCP—Uses the DSCP value of received packets for priority mapping.

IMPORTANT:

Support for priority trust modes depends on the interface type.
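The trust-mode lookup from the priority mapping overview, including the fallback to port priority when a packet lacks the trusted field, and the queue assignment by local precedence from Table 173, as an added Python example that is not the guide's code. The mapping tables are constructed for illustration (the device's real tables are not on this page), the scheduler is assumed to be strict priority, and the interface names are hypothetical.

```python
"""Priority mapping with a port trust mode, as described in the overview above.

Added example, not part of the H3C guide. The mapping tables are constructed
for illustration (the device's real tables are not on this page) and the
scheduler is assumed to be strict priority by local precedence.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed priority mapping tables: packet priority value -> local precedence
DOT1P_TO_LP: Dict[int, int] = {p: p for p in range(8)}
DOT11E_TO_LP: Dict[int, int] = {p: p for p in range(8)}
DSCP_TO_LP: Dict[int, int] = {d: d // 8 for d in range(64)}   # 0-63 -> 0-7


@dataclass
class Port:
    name: str
    trust_mode: str          # "untrust", "dot1p", "dscp" or "dot11e"
    port_priority: int = 0   # local precedence used when port priority is trusted


@dataclass
class Packet:
    payload: str
    dot1p: Optional[int] = None    # None: no 802.1Q tag, so no 802.1p field
    dscp: Optional[int] = None     # None: not an IP packet
    dot11e: Optional[int] = None   # None: not an 802.11 QoS frame


def local_precedence(port: Port, pkt: Packet) -> int:
    """Trusted packet field looked up in its mapping table; port priority otherwise."""
    tables = {"dot1p": (pkt.dot1p, DOT1P_TO_LP),
              "dscp": (pkt.dscp, DSCP_TO_LP),
              "dot11e": (pkt.dot11e, DOT11E_TO_LP)}
    if port.trust_mode not in tables:
        return port.port_priority          # Untrust: port priority, always
    value, table = tables[port.trust_mode]
    if value is None:
        return port.port_priority          # the packet lacks the trusted field
    return table[value]


def dequeue_order(port: Port, packets: List[Packet]) -> List[str]:
    """Queue each packet by local precedence and drain the higher queues first."""
    queues: Dict[int, List[str]] = {}
    for pkt in packets:
        queues.setdefault(local_precedence(port, pkt), []).append(pkt.payload)
    order: List[str] = []
    for lp in sorted(queues, reverse=True):  # assumed strict-priority scheduling
        order.extend(queues[lp])             # FIFO within one queue
    return order
```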

Configuring a QoS policy

Recommended QoS policy configuration procedure

A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing. Before configuring a QoS policy, be familiar with these concepts: class, traffic behavior, and policy.

Class

Classes identify traffic.

A class is identified by a class name and contains some match criteria for identifying traffic. The relationship between the criteria can be:

• AND—A packet is considered belonging to a class only when the packet matches all the criteria in the class.

• OR—A packet is considered belonging to a class if it matches any of the criteria in the class.


Traffic behavior

A traffic behavior, identified by a name, defines a set of QoS actions for packets.

Policy

A policy associates a class with a traffic behavior to define what actions to take on which class of traffic.

You can define multiple class-traffic behavior associations in a policy. You can apply a policy to a port to regulate traffic sent or received on the port. A QoS policy can be applied to multiple ports, but in one direction (inbound or outbound) of a port, only one QoS policy can be applied.

Step Remarks

1. Adding a class Required.

Add a class and specify the operator of the class.

2. Configuring classification rules Required.

Configure match criteria for the class.

3. Adding a traffic behavior Required.

Add a traffic behavior.

4. Configuring actions for a traffic behavior Use either approach.

Configure various actions for the traffic behavior.

5. Adding a policy Required.

Add a policy.

6. Configuring classifier-behavior associations for the policy

Required.

Associate a traffic behavior with a class in the QoS policy.

You can associate a class with only one traffic behavior in a QoS policy. If a class is associated with multiple traffic behaviors, the last associated one takes effect.

7. Apply the policy:
• Applying a policy to a port
• Applying a QoS policy to a WLAN service

Use either approach.

Apply the QoS policy to a port or a WLAN service.

Adding a class

1. Select QoS > Classifier from the navigation tree.

2. Click the Add tab to enter the page for adding a class, as shown in Figure 544.


Figure 544 Adding a class

3. Configure the class information, as described in Table 174.

4. Click Add.

Table 174 Configuration items

Item Description

Classifier Name Specify a name for the classifier to be added.

Operator

Specify the logical relationship between rules of the classifier.
• And—Specifies the relationship between the rules in a class as logic AND. The device considers that a packet belongs to a class only when the packet matches all the rules in the class.
• Or—Specifies the relationship between the rules in a class as logic OR. The device considers that a packet belongs to a class as long as the packet matches one of the rules in the class.

Configuring classification rules

1. Select QoS > Classifier from the navigation tree.

2. Click the Setup tab to enter the page for setting a class, as shown in Figure 545.


Figure 545 Configuring classification rules

3. Configure classification rules, as described in Table 175.

4. Click Apply.

A progress dialog box appears.

5. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

Table 175 Configuration items

Item Description

Please select a classifier Select an existing classifier in the list.

Any Define a rule to match all packets.

Select the option to match all packets.


DSCP

Define a rule to match DSCP values.

If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.

You can configure up to eight DSCP values each time. If multiple identical DSCP values are specified, the system considers them as one. The relationship between different DSCP values is OR. After such configurations, all the DSCP values are arranged in ascending order automatically.

IP Precedence

Define a rule to match IP precedence values.

If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.

You can configure up to eight IP precedence values each time. If multiple identical IP precedence values are specified, the system considers them as one. The relationship between different IP precedence values is OR. After such configurations, all the IP precedence values are arranged in ascending order automatically.

Classifier

Define a rule to match a QoS class.

TIP:

This configuration item is not supported.

Inbound Interface

Define a rule to match inbound interfaces.

TIP:

This configuration item is not supported.

RTP Port

Define a rule to match a range of RTP ports.

Specify the start port in the from field and the end port in the to field.

TIP:

This configuration item is not supported.

Dot1p

Service 802.1p

Define a rule to match the service 802.1p precedence values.

If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.

You can configure up to eight Dot1p values each time. If multiple identical Dot1p values are specified, the system considers them as one. The relationship between different Dot1p values is OR. After such configurations, all the Dot1p values are arranged in ascending order automatically.

TIP:

This configuration item is not supported.

Customer 802.1p

Define a rule to match the customer 802.1p precedence values.

If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.

You can configure up to eight Dot1p values each time. If multiple identical Dot1p values are specified, the system considers them as one. The relationship between different Dot1p values is OR. After such configurations, all the Dot1p values are arranged in ascending order automatically.


MAC

Source MAC

Define a rule to match a source MAC address.

If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.

A rule to match a source MAC address is significant only to Ethernet interfaces.

Destination MAC

Define a rule to match a destination MAC address.

If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.

A rule to match a destination MAC address is significant only to Ethernet interfaces.

VLAN

Service VLAN

Define a rule to match service VLAN IDs.

If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.

You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one. The relationship between different VLAN IDs is logical OR. You can specify VLAN IDs in two ways:
• Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the range is not limited.
• Specify a combination of individual VLAN IDs and VLAN ID ranges, such as 3, 5-7, 10. You can specify up to eight VLAN IDs in this way.

TIP:

This configuration item is not supported.

Customer VLAN

Define a rule to match customer VLAN IDs.

If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.

You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one. The relationship between different VLAN IDs is logical OR. You can specify VLAN IDs in two ways:
• Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the range is not limited.
• Specify a combination of individual VLAN IDs and VLAN ID ranges, such as 3, 5-7, 10. You can specify up to eight VLAN IDs in this way.

ACL: ACL IPv4 Define an IPv4 ACL-based rule.

ACL IPv6 Define an IPv6 ACL-based rule.

Adding a traffic behavior

1. Select QoS > Behavior from the navigation tree.

2. Click the Add tab to enter the page for adding a traffic behavior, as shown in Figure 546.

3. Set the traffic behavior name.

4. Click Add.


Figure 546 Adding a traffic behavior

Configuring actions for a traffic behavior

1. Select QoS > Behavior from the navigation tree.

2. Click the Setup tab to enter the page for setting a traffic behavior, as shown in Figure 547.


Figure 547 Setting a traffic behavior

3. Configure the traffic behavior actions, as described in Table 176.

4. Click Apply.

A progress dialog box appears.

5. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

Table 176 Configuration items

Item Description

Please select a behavior Select an existing behavior in the list.


CAR

Enable/Disable Enable or disable CAR.

CIR Set the committed information rate (CIR), the average traffic rate.

CBS Set the committed burst size (CBS), number of bits that can be sent in each interval.

Red: Discard / Pass Set the action to perform for exceeding packets.

After selecting the Red option, you can select one of the following options:
• Discard—Drops the exceeding packet.
• Pass—Permits the exceeding packet to pass through.

Remark

IP Precedence

Configure the action of marking IP precedence for packets.

Select the IP Precedence option and then select the IP precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking IP precedence.

TIP:

This configuration item is not supported.

Dot1p

Configure the action of marking 802.1p precedence for packets.

Select the Dot1p option and then select the 802.1p precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking 802.1p precedence.

Local Precedence

Configure the action of marking local precedence for packets.

Select the Local Precedence option and then select the local precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking local precedence.

DSCP

Configure the action of marking DSCP values for packets.

Select the DSCP option and then select the DSCP value to be marked for packets in the following list. Select Not Set to cancel the action of marking DSCP values.

TIP:

This configuration item is not supported.

Queue

EF

Max Bandwidth Configure the maximum bandwidth for expedited forwarding (EF).

TIP:

These configuration items are not supported.

CBS Configure the CBS for EF.

Percent Configure the percent of available bandwidth for EF.

CBS-Ratio Configure the ratio of CBS to CIR for EF.

AF

Min Bandwidth Configure the minimum guaranteed bandwidth for assured forwarding (AF).

Percent Configure the percent of available bandwidth for AF.

WFQ Configure WFQ for the default class by entering the total number of fair queues, which must be the power of two.


Filter

Configure the packet filtering action.

After selecting the Filter option, select one item in the following list:
• Permit—Forwards the packet.
• Deny—Drops the packet.
• Not Set—Cancels the packet filtering action.

Accounting

Configure the traffic accounting action.

Select the Accounting option and select Enable or Disable in the following list to enable/disable the traffic accounting action.

TIP:

This configuration item is not supported.

Adding a policy

1. Select QoS > QoS Policy from the navigation tree.

2. Click the Add tab to enter the page for adding a policy, as shown in Figure 548.

3. Set the policy name.

4. Click Add.

Figure 548 Adding a policy

Configuring classifier-behavior associations for the policy

1. Select QoS > QoS Policy from the navigation tree.

2. Click the Setup tab to enter the page for setting a policy, as shown in Figure 549.


Figure 549 Setting a policy

3. Configure classifier-behavior associations, as described in Table 177.

4. Click Apply.

Table 177 Configuration items

Item Description

Please select a policy Select an existing policy in the list.

Classifier Name Select an existing classifier in the list.

Behavior Name Select an existing behavior in the list.

Applying a policy to a port

1. Select QoS > Port Policy from the navigation tree.

2. Click the Setup tab to enter the page for applying a policy to a port, as shown in Figure 550.


Figure 550 Applying a policy to a port

3. Select a policy and apply the policy to the specified ports, as described in Table 178.

4. Click Apply.

Table 178 Configuration items

Item Description

Please select a policy Select an existing policy in the list.

Direction Set the direction in which you want to apply the policy.
• Inbound—Applies the policy to the incoming packets of the specified ports.
• Outbound—Applies the policy to the outgoing packets of the specified ports.

Please select port(s) Click the ports to which the QoS policy is to be applied in the port list. You can select one or more ports.

Applying a QoS policy to a WLAN service

1. Select QoS > Service Policy from the navigation tree to enter the service policy page shown in Figure 551.


Figure 551 Service policy

2. Click the icon for a wireless service to enter the service policy setup page shown in Figure 552.

Figure 552 Service policy setup

3. Apply the policy to the wireless service, as described in Table 179.

4. Click Apply.


Table 179 Configuration items

Item Remarks

Wlan Service Display the specified WLAN service to which you want to apply a QoS policy.

Inbound Policy Apply the QoS policy to the packets received by the wireless service.

Outbound Policy Apply the QoS policy to the packets sent by the wireless service.

Trust Mode

Set the priority trust mode:
• Untrust—Trusts the port priority.
• Dscp—Uses the DSCP values of received packets for mapping.
• 802.11e—Uses the 802.11e priority of received 802.11 packets for mapping.

QoS Priority Set the local precedence value.

ACL and QoS configuration example

Network requirements

As shown in Figure 553, in the WLAN, the FTP server (10.1.1.1/24) is connected to the AC (SSID: service1), and the wireless clients are connected to the AC through APs and a Layer 2 switch and access the network resources.

Configure an ACL and a QoS policy on the AC to prohibit the wireless clients from accessing the FTP server from 8:00 to 18:00 every day:

1. Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.

2. Configure a QoS policy to drop the packets matching the ACL.

3. Apply the QoS policy in the inbound direction of the wireless service named service1.

Figure 553 Network diagram
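The objects this example builds (time range test-time, advanced IPv4 ACL 3000 with its permit rule, class1, behavior1 and policy1), modelled end to end in Python as an added example that is not the guide's code, along with the wildcard matching from Table 166 and the Config/Auto match order from Table 168. It shows why the permit rule in the ACL together with the Deny filter in the behavior drops traffic to the FTP server only inside the time range: outside it the rule is inactive, the class does not match, and the traffic is forwarded. Three details are assumptions not stated on the page: an ACL used as a class criterion is satisfied only by a permit rule, the Auto order sorts rules by the number of fixed wildcard bits (ties by rule ID), and the first matching class in a policy decides.

```python
"""ACL 3000, class1, behavior1 and policy1 from this page, modelled in Python.
Added example, not part of the H3C guide; the assumptions (permit-only class
match, simplified Auto order, first matching class decides) are marked below."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Dotted-decimal wildcard: a 0 bit must match, a 1 bit is don't-care."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_addr)) & care)

@dataclass
class TimeRange:
    name: str
    start: time
    end: time
    weekdays: frozenset = frozenset(range(7))   # Sun through Sat

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end

@dataclass
class AclRule:
    rule_id: int
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"     # any source
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"     # any destination
    time_range: Optional[TimeRange] = None

    def specificity(self) -> int:
        """Zero (must-match) bits across both wildcards; assumed Auto-order key."""
        return sum(32 - bin(int(IPv4Address(wc))).count("1")
                   for wc in (self.src_wc, self.dst_wc))

    def matches(self, src: str, dst: str, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False                # the rule is inactive outside its time range
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))

@dataclass
class Acl:
    number: int
    rules: List[AclRule] = field(default_factory=list)
    match_order: str = "config"         # Table 168: Config or Auto

    def lookup(self, src: str, dst: str, when: datetime) -> Optional[str]:
        """Action of the first matching rule in match order; None if no match."""
        rules = self.rules               # Config: the order the rules were added
        if self.match_order == "auto":   # Auto: most specific first, then rule ID
            rules = sorted(rules, key=lambda r: (-r.specificity(), r.rule_id))
        return next((r.action for r in rules if r.matches(src, dst, when)), None)

@dataclass
class Classifier:
    name: str
    operator: str = "and"               # Table 174: And / Or
    acls: List[Acl] = field(default_factory=list)

    def matches(self, src: str, dst: str, when: datetime) -> bool:
        # assumption: an ACL criterion is met only when a permit rule matches
        hits = [acl.lookup(src, dst, when) == "permit" for acl in self.acls]
        return all(hits) if self.operator == "and" else any(hits)

@dataclass
class Behavior:
    name: str
    filter: Optional[str] = None        # "permit", "deny" or None (Not Set)

@dataclass
class QosPolicy:
    name: str
    pairs: List[Tuple[Classifier, Behavior]] = field(default_factory=list)

    def associate(self, cls: Classifier, beh: Behavior) -> None:
        # one behavior per class in a policy; the last association takes effect
        self.pairs = [p for p in self.pairs if p[0] is not cls] + [(cls, beh)]

    def apply(self, src: str, dst: str, when: datetime) -> str:
        for cls, beh in self.pairs:     # assumption: first matching class decides
            if cls.matches(src, dst, when):
                return "drop" if beh.filter == "deny" else "forward"
        return "forward"                # unclassified traffic is not filtered

# The page's example: rule 2 permits traffic to 10.1.1.1 during test-time,
# class1 matches ACL 3000, behavior1 denies, policy1 ties them together.
TEST_TIME = TimeRange("test-time", time(8, 0), time(18, 0))
ACL_3000 = Acl(3000, [AclRule(2, "permit", dst="10.1.1.1", dst_wc="0.0.0.0",
                              time_range=TEST_TIME)])
CLASS1 = Classifier("class1", "and", [ACL_3000])
BEHAVIOR1 = Behavior("behavior1", filter="deny")
POLICY1 = QosPolicy("policy1")
POLICY1.associate(CLASS1, BEHAVIOR1)
```

With policy1 applied inbound on service1, POLICY1.apply(client, "10.1.1.1", when) returns "drop" at 10:00 and "forward" at 20:00; the client address in the call is constructed, as the page gives none.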

Configuration procedure

NOTE:

Before performing the following configurations, make sure the AC has been configured with wireless service service1. For more information about the wireless service configuration, see "Configuring access services."

1. Define a time range to cover the time range from 8:00 to 18:00 every day:



a. Select QoS > Time Range from the navigation tree.

b. Click the Add tab.

c. On the page as shown in Figure 554, enter the time range name test-time, select the Periodic Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and select the options Sun through Sat.

d. Click Apply.

Figure 554 Defining a time range covering 8:00 to 18:00 every day

2. Add an advanced IPv4 ACL:

a. Select QoS > ACL IPv4 from the navigation tree.

b. Click the Add tab.

c. Enter the ACL number 3000.

d. Click Apply.


Figure 555 Adding an advanced IPv4 ACL

3. Define an ACL rule for traffic to the FTP server:

a. Click the Advanced Setup tab.

b. On the page as shown in Figure 556, select 3000 in the ACL list, select the Rule ID option, and enter rule ID 2.

c. Select Permit in the Action list.

d. Select the Destination IP Address option, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0.

e. Select test-time in the Time Range list.

f. Click Add.


Figure 556 Defining an ACL rule for traffic to the FTP server

4. Add a class:

a. Select QoS > Classifier from the navigation tree.

b. Click the Add tab.

c. On the page as shown in Figure 557, enter the class name class1.

d. Click Add.


Figure 557 Adding a class

5. Define classification rules:

a. Click the Setup tab.

b. On the page as shown in Figure 558, select the class name class1 in the list, select the ACL IPv4 option, and select ACL 3000 in the following list.

c. Click Apply.

A progress dialog box appears.

d. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.


Figure 558 Defining classification rules

6. Add a traffic behavior:

a. Select QoS > Behavior from the navigation tree.

b. Click the Add tab.

c. On the page as shown in Figure 559, enter the behavior name behavior1.

d. Click Add.


Figure 559 Adding a traffic behavior

7. Configure actions for the traffic behavior:

a. Click the Setup tab.

b. On the page as shown in Figure 560, select behavior1 in the list, select the Filter option, and then select Deny in the following list.

c. Click Apply.

A progress dialog box appears.

d. Click Close when the progress dialog box prompts that the configuration succeeds.


Figure 560 Configuring actions for the behavior

8. Add a policy:

a. Select QoS > QoS Policy from the navigation tree.

b. Click the Add tab.

c. On the page as shown in Figure 561, enter the policy name policy1.

d. Click Add.


Figure 561 Adding a policy

9. Configure classifier-behavior associations for the policy:

a. Click the Setup tab.

b. On the page as shown in Figure 562, select policy1, select class1 in the Classifier Name list, and select behavior1 in the Behavior Name list.

c. Click Apply.

Figure 562 Configuring classifier-behavior associations for the policy

10. Apply the QoS policy in the inbound direction of the wireless service named service1:

a. Select QoS > Service Policy from the navigation tree.

b. Click the icon for wireless service service1.

c. On the page as shown in Figure 563, select the Inbound Policy option, and select policy1 from the following list.

d. Click Apply.


Figure 563 Applying the QoS policy in the inbound direction of WLAN service service1

Verifying the configuration

After you complete these configurations, the QoS policy is successfully applied to the wireless service named service1, and the wireless clients cannot access the FTP server at IP address 10.1.1.1/24 from 8:00 to 18:00 every day, but they can do that at any other time.
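The ACL 3000 / class1 / behavior1 / policy1 chain configured above, modeled in Python as an added example (not part of this guide) so the match semantics can be checked offline; the wildcard-mask matching, the half-open 8:00 to 18:00 range and the ISO timestamp input are assumptions. Note that the ACL rule action is Permit and the drop comes from behavior1's Deny filter, which is what makes the policy work on a software interface (see the guidelines).

```python
"""Model of the ACL 3000 -> class1 -> behavior1 -> policy1 chain
configured above (added example, not part of the H3C guide).
Assumptions: H3C wildcard-mask matching (a 0 bit must match exactly),
a half-open time range [8:00, 18:00), and ISO timestamps as input."""
from datetime import datetime, time
from ipaddress import IPv4Address

# Step 1: periodic time range "test-time", 8:00 to 18:00, Sun through Sat.
TEST_TIME = {"start": time(8, 0), "end": time(18, 0),
             "days": {0, 1, 2, 3, 4, 5, 6}}   # Python: Monday=0 .. Sunday=6

# Step 3: ACL 3000, rule 2. The rule action is Permit; the packet drop
# comes from behavior1 (step 7), so a deny clause that would be ignored
# on a software interface is never relied upon.
ACL_3000 = [{"id": 2, "action": "permit", "dst": "10.1.1.1",
             "wildcard": "0.0.0.0", "time_range": TEST_TIME}]

# Step 9: policy1 binds class1 (ACL 3000) to behavior1 (Filter = Deny).
POLICY1 = [{"classifier": ACL_3000, "behavior": "deny"}]


def in_time_range(tr, now):
    """True when `now` (a datetime) falls inside the periodic range."""
    if tr is None:
        return True
    return now.weekday() in tr["days"] and tr["start"] <= now.time() < tr["end"]


def wildcard_match(addr, ref, wildcard):
    """0 bits in the wildcard must match exactly, 1 bits are ignored, so
    wildcard 0.0.0.0 means 'exactly this host'."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, ref, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == r & care


def acl_matches(rules, dst, now):
    """First-match lookup (match order 'config'): return the rule or None."""
    for rule in rules:
        if wildcard_match(dst, rule["dst"], rule["wildcard"]) \
                and in_time_range(rule["time_range"], now):
            return rule
    return None


def policy_action(policy, dst, when):
    """Decision for one inbound client packet: 'drop' or 'forward'.
    `when` is a datetime or an ISO string such as '2012-08-24 09:30'."""
    now = datetime.fromisoformat(when) if isinstance(when, str) else when
    for entry in policy:
        if acl_matches(entry["classifier"], dst, now) is not None:
            return "drop" if entry["behavior"] == "deny" else "forward"
    return "forward"   # no class matched: the policy does not act on it
```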

Configuration guidelines

When you configure an ACL and QoS, follow these guidelines:

• You cannot add an ACL rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.

• You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.

• When you configure line rate and traffic policing for a behavior, make sure the ratio of CBS to CIR is more than 100:16. Otherwise, the handling for bursty traffic may be affected.

• If an ACL is referenced by a QoS policy for defining traffic classification rules, the operation of the QoS policy varies by interface (the definition of software/hardware interface varies with device models). The specific process is as follows:

If the QoS policy is applied to a software interface and the referenced ACL rule is a deny clause, the ACL rule does not take effect and packets go to the next classification rule.

If the QoS policy is applied to a hardware interface, packets matching the referenced ACL rule are organized as a class and the behavior defined in the QoS policy applies to the class regardless of whether the referenced ACL rule is a deny or permit clause.

• If a QoS policy is applied in the outbound direction of a port, the QoS policy cannot affect local packets. Local packets are the important protocol packets that maintain the normal operation of the device; QoS must not process such packets, so that they are not dropped. Commonly used local packets are link maintenance packets, ISIS packets, OSPF packets, RIP packets, BGP packets, LDP packets, RSVP packets, and SSH packets.

• When you configure queuing for a traffic behavior:


In a policy, a traffic behavior with EF configured cannot be associated with the default class, and a traffic behavior with WFQ configured can only be associated with the default class.

In a policy, the total bandwidth assigned to the AF and EF classes cannot be greater than the available bandwidth of the interface to which the policy applies; the total bandwidth percentage assigned to the AF and EF classes cannot be greater than 100%.

In the same policy, the same bandwidth unit must be used to configure bandwidth for AF classes and EF classes, either absolute bandwidth value or percent.


Configuring wireless QoS

Overview

An 802.11 network offers wireless access based on the carrier sense multiple access with collision avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel contention opportunities, and all applications carried on the WLAN use the same channel contention parameters. A live WLAN, however, is required to provide differentiated access services to address diversified requirements of applications for bandwidth, delay, and jitter.

When IEEE 802.11e was being standardized, Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard to allow QoS provision devices of different vendors to interoperate. WMM makes a WLAN network capable of providing QoS services.

Terminology

WMM

WMM is a wireless QoS protocol designed to preferentially transmit packets with high priority, and guarantees better QoS services for voice and video applications in a wireless network.

EDCA

Enhanced distributed channel access (EDCA) is a channel contention mechanism designed by WMM to preferentially transmit packets with high priority and allocate more bandwidth to such packets.

AC

WMM uses access categories (ACs) for handling channel contentions. WMM assigns WLAN data into four access categories: AC-VO (voice), AC-VI (video), AC-BE (best-effort), and AC-BK (background), in the descending order of priority. Each access category uses an independent priority queue for transmitting data. When contention occurs, WMM guarantees that a high-priority access category preempts a low-priority access category.

CAC

Connection admission control (CAC) limits the number of clients that are using high-priority access categories (AC-VO and AC-VI) to guarantee sufficient bandwidth for existing high-priority traffic.

U-APSD

Unscheduled automatic power-save delivery (U-APSD) is a new power saving mechanism defined by WMM to enhance the power saving capability of clients.

SVP

SpectraLink voice priority (SVP) is a voice priority protocol designed by the Spectralink company to guarantee QoS for voice traffic.

WMM protocol overview

The distributed coordination function (DCF) in 802.11 stipulates that access points (APs) and clients use the CSMA/CA access mechanism. APs or clients listen to the channel before they hold the channel for data transmission. When the specified idle duration of the channel times out, APs or clients randomly select a backoff slot within the contention window to perform backoff. The device that finishes backoff first gets the channel. With 802.11, all devices have the same idle duration and contention window. They are equal when contending for a channel. In WMM, this fair contention mechanism is changed.

EDCA parameters

WMM assigns data packets to four access categories. By allowing a high-priority access category to have more channel contention opportunities than a low-priority access category, WMM offers different service levels to access categories.

WMM defines a set of EDCA parameters for each access category, covering the following:

• Arbitration inter-frame spacing number (AIFSN)—Unlike the 802.11 protocol, where the idle duration (set using DIFS) is a constant value, WMM can define an idle duration per access category. The idle duration increases as the AIFSN value increases (see Figure 564 for the AIFS durations).

• Exponent of CWmin (ECWmin) and exponent of CWmax (ECWmax)—Determine the average number of backoff slots, which increases as the two values increase (see Figure 564 for the backoff slots).

• Transmission opportunity limit (TXOPLimit)—Indicates the maximum time for which a user can hold a channel after a successful contention. The greater the TXOPLimit is, the longer the user can hold the channel. The value 0 indicates that the user can send only one packet each time it holds the channel.

Figure 564 Per-AC channel contention parameters in WMM

CAC admission policies

CAC requires that a client obtain permission of the AP before it can use a high-priority access category for transmission, and guarantees bandwidth to the clients that have gained access. CAC controls real time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic).

To use a high-priority access category, a client must send a request to the AP. The AP returns a positive or negative response based on one of the following admission control policies:

• Channel utilization-based admission policy—The AP calculates the total time that the existing high-priority access categories occupy the channel in one second, and then calculates the time that the requesting traffic will occupy the channel in one second. If the sum of the two values is smaller than or equal to the maximum hold time of the channel, the client can use the requested access category. Otherwise, the request is rejected.

• Users-based admission policy—If the number of clients using high-priority access categories plus the requesting clients is smaller than or equal to the maximum number of high-priority access category clients, the request is accepted. Otherwise, the request is rejected. During calculation, a client is counted once even if it is using both AC-VO and AC-VI.
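The two CAC admission policies just described, modeled in Python as an added example (not from the H3C guide), including the rule that a client using both AC-VO and AC-VI is counted once and the "calls rejected due to insufficient resource" counter shown later in the radio statistics. The class, the per-request medium-time values and the maximum channel hold time are assumptions for illustration.

```python
"""Model of the WMM CAC admission decision as described in the guide
(added example, not H3C code). Policy "users" counts clients, policy
"channel" sums per-second medium time; both values are assumptions."""

HIGH_PRIORITY = ("AC-VO", "AC-VI")   # CAC controls only these two ACs


class CacAdmission:
    def __init__(self, policy, max_clients=20, max_hold_time_us=None):
        # "users" is the guide's default policy, with 20 clients.
        self.policy = policy
        self.max_clients = max_clients
        self.max_hold_time_us = max_hold_time_us
        # admitted[client] = {access category: medium time (us) per second}
        self.admitted = {}
        self.rejected_insufficient_resource = 0   # statistics counter

    def client_count(self):
        """Users-based rule: a client using both AC-VO and AC-VI counts once."""
        return len(self.admitted)

    def total_medium_time(self):
        """Channel time (us per second) held by all admitted flows."""
        return sum(sum(acs.values()) for acs in self.admitted.values())

    def request(self, client, ac, medium_time_us=0):
        """Admit (True) or reject (False) a request for a high-priority AC."""
        if ac not in HIGH_PRIORITY:
            raise ValueError("CAC controls only AC-VO and AC-VI traffic")
        if self.policy == "users":
            # existing clients + the requester, unless already counted
            prospective = self.client_count() + (0 if client in self.admitted else 1)
            ok = prospective <= self.max_clients
        elif self.policy == "channel":
            # existing occupancy (minus any earlier grant for this same flow)
            existing = self.total_medium_time() - self.admitted.get(client, {}).get(ac, 0)
            ok = existing + medium_time_us <= self.max_hold_time_us
        else:
            raise ValueError(f"unknown admission policy {self.policy!r}")
        if not ok:
            self.rejected_insufficient_resource += 1
            return False
        self.admitted.setdefault(client, {})[ac] = medium_time_us
        return True
```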

U-APSD power-save mechanism

U-APSD improves the 802.11 APSD power saving mechanism. When associating clients with access categories, specify some access categories as trigger-enabled, some access categories as delivery-enabled, and the maximum number of data packets that can be delivered after receiving a trigger packet. Both the trigger attribute and the delivery attribute can be modified when flows are established using CAC. When a client sleeps, the delivery-enabled AC packets destined for the client are buffered. The client needs to send a trigger-enabled AC packet to get the buffered packets. After the AP receives the trigger packet, packets in the transmit queue are sent. The number of sent packets depends on the agreement made when the client was admitted. Access categories without the delivery attribute store and transmit packets as defined in the 802.11 protocol.

SVP service

SVP service implements differentiated treatment of SVP packets by mapping each SVP packet (IP protocol number 119) to an access category, which corresponds to a transmit queue with certain priority.

ACK policy

WMM defines the following ACK policies:

• No ACK—When the no acknowledgement (No ACK) policy is used, the recipient does not acknowledge received packets during wireless packet exchange. This policy can improve transmission efficiency in the environment where communication quality is fine and interference is weak. However, in the environment where communication quality is poor, it can cause increased packet loss and deteriorated communication quality.

• Normal ACK—When the Normal ACK policy is used, the recipient acknowledges each received unicast packet.

Enabling wireless QoS

1. Select QoS > Wireless QoS from the navigation tree.

By default, the Wireless QoS tab is displayed, as shown in Figure 565.

Figure 565 Wireless QoS

2. Select the option in front of the radio unit to be configured.

3. Click Enable.


By default, wireless QoS is enabled.

NOTE:

The WMM protocol is the foundation of the 802.11n protocol. When the radio works in 802.11n (5 GHz) or 802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n clients may fail to communicate.

Setting the SVP service

NOTE:

SVP mapping is applicable only to non-WMM clients.

1. Select QoS > Wireless QoS from the navigation tree.

By default, the Wireless QoS tab is displayed, as shown in Figure 566.

Figure 566 Mapping SVP service to an access category

2. Click the icon in the Operation column for the desired AP to enter the page for mapping SVP service to an access category, as shown in Figure 567.

Figure 567 Mapping SVP service to an access category

3. Configure SVP mapping, as described in Table 180.

4. Click Apply.

Table 180 Configuration items

Item Description

AP Name Displays the selected AP.


Radio Displays the selected AP's radio.

SVP Mapping Select the option before SVP Mapping, and then select an access category for SVP service: • AC-VO. • AC-VI. • AC-BE. • AC-BK.

Setting CAC admission policy

1. Select QoS > Wireless QoS from the navigation tree.

By default, the Wireless QoS tab is displayed.

2. Click the icon in the Operation column for the desired AP to enter the page for setting CAC admission policy, as shown in Figure 568.

Figure 568 Setting CAC admission policy

3. Configure the CAC admission policy, as described in Table 181.

4. Click Apply.

Table 181 Configuration items

Item Description

Client Number Users-based admission policy, or the maximum number of clients allowed to be connected. A client is counted only once, even if it is using both AC-VO and AC-VI.

By default, the users-based admission policy applies, with the maximum number of users being 20.

Channel Utilization Channel utilization-based admission policy, or the rate of the medium time of the accepted AC-VO and AC-VI traffic to the valid time during the unit time. The valid time is the total time during which data is transmitted.

Setting radio EDCA parameters for APs

1. Select QoS > Wireless QoS from the navigation tree.

By default, the Wireless QoS tab is displayed.


2. Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.

3. On the radio EDCA list, click the icon in the Operation column for the desired priority type (AC_BK, for example) to enter the page for setting radio EDCA parameters.

Figure 569 Setting radio EDCA parameters

4. Configure the radio EDCA parameters, as described in Table 182.

5. Click Apply.

Table 182 Configuration items

Item Description

AP Name Displays the selected AP.

Radio Displays the selected AP's radio.

Priority type Displays the priority type.

AIFSN Arbitration inter-frame spacing number used by the AP.

TXOP Limit Transmission opportunity limit used by the AP.

ECWmin Exponent of CWmin used by the AP.

ECWmax Exponent of CWmax used by the AP.

No ACK If you select the option before No ACK, the No ACK policy is used by the AP.

By default, the normal ACK policy is used by the AP.

Table 183 Default radio EDCA parameters

Access category TXOP Limit AIFSN ECWmin ECWmax

AC-BK 0 7 4 10

AC-BE 0 3 4 6

AC-VI 94 1 3 4

AC-VO 47 1 2 3

NOTE:

• ECWmin cannot be greater than ECWmax.

• On an AP operating in 802.11b radio mode, H3C recommends that you set the TXOP-Limit to 0, 0, 188, and 102 for AC-BK, AC-BE, AC-VI, and AC-VO, respectively.


Setting client EDCA parameters for wireless clients

1. Select QoS > Wireless QoS from the navigation tree.

By default, the Wireless QoS tab is displayed.

2. Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.

3. On the client EDCA list, click the icon in the Operation column for the desired priority type (AC_BK, for example) to enter the page for setting client EDCA parameters.

Figure 570 Setting client EDCA parameters

4. Configure the client EDCA parameters, as described in Table 184.

5. Click Apply.

Table 184 Configuration items

Item Description

AP Name Displays the selected AP.

Radio Displays the selected AP's radio.

Priority type Displays the priority type.

AIFSN Arbitration inter-frame spacing number used by clients.

TXOP Limit Transmission opportunity limit used by clients.

ECWmin Exponent of CWmin used by clients.

ECWmax Exponent of CWmax used by clients.

CAC Enable CAC: • Enable—Enable CAC. • Disable—Disable CAC.

AC-VO and AC-VI support CAC, which is disabled by default. This item is not available for AC-BE or AC-BK, because they do not support CAC.

Table 185 Default EDCA parameters for clients

Access category TXOP Limit AIFSN ECWmin ECWmax

AC-BK 0 7 4 10

AC-BE 0 3 4 10

AC-VI 94 2 3 4


AC-VO 47 2 2 3

NOTE:

• ECWmin cannot be greater than ECWmax.

• If all clients operate in 802.11b radio mode, set TXOPLimit to 188 and 102 for AC-VI and AC-VO.

• If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in the network, H3C recommends the TXOPLimit parameters in Table 185.

• Once you enable CAC for an access category, it is enabled automatically for all higher priority access categories. For example, if you enable CAC for AC-VI, CAC is also enabled for AC-VO. However, enabling CAC for AC-VO does not enable CAC for AC-VI.
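The default EDCA tables for APs (Table 183) and clients (Table 185) expanded into the channel-access times they imply, validated against the notes above (ECWmin not greater than ECWmax, higher priority never contending worse), together with the CAC enabling rule from the last note. Added example, not H3C code; the unit conversions (TXOP Limit in 32 us units, CW = 2^ECW - 1, AIFS = SIFS + AIFSN x slot time, OFDM SIFS 16 us and slot 9 us) come from 802.11 and are not stated on this page.

```python
"""EDCA parameter expansion and validation for the WMM tables in the
guide (added example, not H3C code). Conversions are taken from 802.11,
not from this page: TXOP Limit in 32 us units, CW = 2**ECW - 1,
AIFS = SIFS + AIFSN * slot time (OFDM SIFS 16 us, slot 9 us assumed)."""

# Table 183 (AP) and Table 185 (client): (TXOP Limit, AIFSN, ECWmin, ECWmax)
AP_EDCA = {"AC-BK": (0, 7, 4, 10), "AC-BE": (0, 3, 4, 6),
           "AC-VI": (94, 1, 3, 4), "AC-VO": (47, 1, 2, 3)}
CLIENT_EDCA = {"AC-BK": (0, 7, 4, 10), "AC-BE": (0, 3, 4, 10),
               "AC-VI": (94, 2, 3, 4), "AC-VO": (47, 2, 2, 3)}
# 802.11b recommendation from the notes: TXOP 188 / 102 for AC-VI / AC-VO.
B_MODE_TXOP = {"AC-BK": 0, "AC-BE": 0, "AC-VI": 188, "AC-VO": 102}

PRIORITY = ["AC-VO", "AC-VI", "AC-BE", "AC-BK"]   # highest priority first
TXOP_UNIT_US = 32


def expand(params, sifs_us=16, slot_us=9):
    """Turn one AC's (TXOP, AIFSN, ECWmin, ECWmax) into times and windows."""
    txop, aifsn, ecwmin, ecwmax = params
    return {"aifs_us": sifs_us + aifsn * slot_us,
            "cwmin": 2 ** ecwmin - 1,
            "cwmax": 2 ** ecwmax - 1,
            "txop_us": txop * TXOP_UNIT_US}


def validate(table):
    """Return a list of problems (empty when the table is acceptable):
    ECWmin must not exceed ECWmax, and a higher priority AC must not
    wait longer (AIFS) or back off more (CWmin) than the AC below it."""
    problems = []
    for ac, (_, _, ecwmin, ecwmax) in table.items():
        if ecwmin > ecwmax:
            problems.append(f"{ac}: ECWmin {ecwmin} > ECWmax {ecwmax}")
    for hi, lo in zip(PRIORITY, PRIORITY[1:]):
        h, l = expand(table[hi]), expand(table[lo])
        if h["aifs_us"] > l["aifs_us"] or h["cwmin"] > l["cwmin"]:
            problems.append(f"{hi} contends no better than {lo}")
    return problems


def enable_cac(enabled, ac):
    """Apply the note's rule: enabling CAC on an AC also enables it on
    every higher priority AC. AC-BE and AC-BK do not support CAC."""
    if ac not in ("AC-VO", "AC-VI"):
        raise ValueError(f"{ac} does not support CAC")
    return set(enabled) | set(PRIORITY[:PRIORITY.index(ac) + 1])
```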

Displaying the radio statistics

1. Select QoS > Wireless QoS from the navigation tree.

2. Click the Radio Statistics tab to enter the page displaying radio statistics.

3. Click an AP to see its details.

Figure 571 Displaying the radio statistics

Table 186 Field description

Field Description

AP ID AP ID.

AP Name AP name.

Radio Radio ID.

Client EDCA update count Number of client EDCA parameter updates.


QoS mode QoS mode: • WMM—Indicates that the client is a QoS client. • None—Indicates that the client is a non-QoS client.

Radio chip QoS mode Radio chip's support for the QoS mode.

Radio chip max AIFSN Maximum AIFSN allowed by the radio chip.

Radio chip max ECWmin Maximum ECWmin allowed by the radio chip.

Radio chip max TXOPLimit Maximum TXOPLimit allowed by the radio chip.

Radio chip max ECWmax Maximum ECWmax allowed by the radio chip.

Client accepted Number of clients that have been admitted to access the radio, including the number of clients that have been admitted to access the AC-VO and the AC-VI queues.

Total request mediumtime(us) Total requested medium time, including that of the AC-VO and the AC-VI queues.

Calls rejected due to insufficient resource Number of requests rejected due to insufficient resources.

Calls rejected due to invalid parameters Number of requests rejected due to invalid parameters.

Calls rejected due to invalid mediumtime Number of requests rejected due to invalid medium time.

Calls rejected due to invalid delaybound Number of requests rejected due to invalid delay bound.

Displaying the client statistics

1. Select QoS > Wireless QoS from the navigation tree.

2. Click the Client Statistics tab to enter the page displaying client statistics.

3. Click a client name to see its details.


Figure 572 Displaying the client statistics

Table 187 Field description

Field Description

MAC address MAC address of the client.

SSID Service set ID (SSID).

QoS Mode QoS mode: • WMM—Indicates that QoS mode is enabled. • None—Indicates that QoS mode is not enabled.

Max SP length Maximum service period.

AC Access category.

State APSD attribute of an access category: • T—The access category is trigger-enabled. • D—The access category is delivery-enabled. • T | D—The access category is both trigger-enabled and delivery-enabled. • L—The access category is of legacy attributes.

Assoc State APSD attribute of the four access categories when a client accesses the AP.

Uplink CAC packets Number of uplink CAC packets.

Uplink CAC bytes Number of uplink CAC bytes.

Downlink CAC packets Number of downlink CAC packets.

Downlink CAC bytes Number of downlink CAC bytes.

Downgrade packets Number of downgraded packets.

Downgrade bytes Number of downgraded bytes.

Discard packets Number of dropped packets.

Discard bytes Number of dropped bytes.


Setting rate limiting

The WLAN provides limited bandwidth for each AP. Because the bandwidth is shared by the wireless clients attached to the AP, aggressive use of bandwidth by one client affects the other clients. To ensure fair use of bandwidth, rate limit client traffic in either of the following ways:

• Configure the total bandwidth shared by all clients in the same BSS. This is called "dynamic mode". The rate limit of a client is the configured total rate divided by the number of online clients. For example, if the configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.

• Configure the maximum bandwidth that can be used by each client in the BSS. This is called "static mode". For example, if the configured rate is 1 Mbps, the rate limit of each user online is 1 Mbps. When the set rate limit multiplied by the number of access clients exceeds the available bandwidth provided by the AP, no clients can get the guaranteed bandwidth.

Setting wireless service-based client rate limiting

You can configure the access controller to limit client rates for a service within a BSS.

To set wireless service-based client rate limiting:

1. Select QoS > Wireless QoS from the navigation tree on the left.

2. Click the Client Rate Limit tab.

3. Click Add in the Service-Based Configuration area to enter the page for setting wireless service-based client rate limits, as shown in Figure 573.

Figure 573 Setting wireless service-based client rate limiting

4. Configure service-based client rate limiting, as described in Table 188.

5. Click Apply.

Table 188 Configuration items

Item Description

Wireless Service Select an existing wireless service.

Direction Set the traffic direction: • Inbound—Traffic from client to AP. • Outbound—Traffic from AP to client. • Both—Both inbound and outbound traffic.


Mode Set a rate limiting mode: • Static—Limits the rate of each client to a fixed value. • Dynamic—Limits the total rate of all clients to a fixed value.

Rate Set the rate of the clients. • If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client. • If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.

Setting radio-based client rate limiting

You can configure the access controller to limit client rates for a radio.

To set radio-based client rate limiting:

1. Select QoS > Wireless QoS from the navigation tree on the left.

2. Click the Client Rate Limit tab.

3. Click Add in the Radio-Based Configuration area to enter the page for setting radio-based client rate limiting, as shown in Figure 574.

Figure 574 Setting radio-based client rate limiting

4. Configure radio-based client rate limiting, as described in Table 189.

5. Click Apply.


Table 189 Configuration items

Item Description

Radio List List of radios available. You can create the rate limiting rules for one or multiple radios.

Direction Traffic direction: • Inbound—Traffic from clients to the AP. • Outbound—Traffic from the AP to clients. • Both—Includes inbound traffic (traffic from clients to the AP) and outbound traffic (traffic from the AP to clients).

Mode Rate limiting mode: • Static—Limits the rate of each client to a fixed value. • Dynamic—Limits the total rate of all clients to a fixed value.

Rate Set the rate of the clients: • If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client. • If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.

Configuring the bandwidth guarantee function

When traffic is heavy, a BSS without any rate limitation may aggressively occupy the bandwidth available to other BSSs. If you limit the rate of the BSS, however, it cannot use the idle bandwidth of other BSSs.

To improve bandwidth use efficiency while ensuring fair bandwidth use among wireless services, use the bandwidth guarantee function. Bandwidth guarantee makes sure that all traffic from each BSS can pass through freely when the network is not congested, and that each BSS gets its guaranteed bandwidth when the network is congested.

For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and 50% of the bandwidth. When the network is not congested, SSID1 can use all idle bandwidth in addition to its guaranteed bandwidth. When the network is congested, SSID1 can use at least its guaranteed bandwidth, 25% of the bandwidth.

NOTE:

Bandwidth guarantees apply only to the traffic from AP to client.

Setting the reference radio bandwidth

1. Select QoS > Wireless QoS from the navigation tree.

2. Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantees, as shown in Figure 575.


Figure 575 Setting the reference radio bandwidth

3. Set the reference radio bandwidth, as described in Table 190.

4. Click Apply.

NOTE:

A reference radio bandwidth modification does not immediately take effect on radios with the bandwidth guarantee function enabled. To make the modification take effect, disable and then enable the radios.

Table 190 Configuration items

Item Description

802.11a Mode, 802.11b Mode, 802.11g Mode, 802.11n Mode Set the reference radio bandwidth for each radio mode.

IMPORTANT:

Set the reference radio bandwidth slightly lower than the maximum available bandwidth.

Setting guaranteed bandwidth percents

1. Select a radio from the radio list, and click the icon for the radio in the Operation column to enter the page for setting guaranteed bandwidth, as shown in Figure 576.


Figure 576 Setting guaranteed bandwidth

2. Set the guaranteed bandwidth, as described in Table 191.

3. Click Apply.

Table 191 Configuration items

Item Description

Guaranteed Bandwidth Percent (%) Allocate guaranteed bandwidth as a percentage of the radio bandwidth to each wireless service. The total guaranteed bandwidth cannot exceed 100% of the radio bandwidth.

Enabling bandwidth guaranteeing

To make the bandwidth guarantee settings for a radio unit take effect, enable its bandwidth guarantee function.

To enable the bandwidth guarantee function:

1. Select QoS > Wireless QoS from the navigation tree on the left.

2. Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantee.

3. Select the AP and the corresponding radio mode for which you want to enable bandwidth guarantee on the list under the Bandwidth Guarantee title bar.

4. Click Enable.

Figure 577 Enabling the bandwidth guarantee function


Displaying guaranteed bandwidth settings

1. Select QoS > Wireless QoS from the navigation tree on the left.

2. Click Bandwidth Guarantee.

3. Click the specified radio unit of the AP on the list under the Bandwidth Guarantee title bar to view the wireless services bound to the radio unit and the guaranteed bandwidth setting for each wireless service.

Figure 578 Displaying guaranteed bandwidth settings

CAC service configuration example

Network requirements

As shown in Figure 579, a WMM-enabled AP accesses the Ethernet.

Enable CAC for AC-VO and AC-VI on the AP. To guarantee high priority clients (AC-VO and AC-VI clients) sufficient bandwidth, use the user number-based admission policy to limit the number of access users to 10.

Figure 579 Network diagram

Configuring the wireless service

1. Configure the AP, and establish a connection between the AC and the AP.

For related configurations, see "Configuring access services." Follow the steps in the related configuration example to establish a connection between the AC and the AP.

Configuring wireless QoS

1. Select QoS > Wireless QoS from the navigation tree.

By default, the Wireless QoS tab is displayed.


2. Make sure WMM is enabled.

Figure 580 Wireless QoS configuration page (1)

3. As shown in Figure 580, select the AP to be configured on the list and click the icon for the AP in the Operation column to enter the page for configuring wireless QoS.

4. On the Client EDCA list, select the priority type (AC_VO, for example) to be modified, and click the icon for the priority type in the Operation column to enter the page for setting client EDCA parameters.

5. Select Enable from the CAC list.

6. Click Apply.

Figure 581 Enabling CAC

7. Enable CAC for AC_VI in the same way. (Details not shown.)

8. Select QoS > Wireless QoS from the navigation tree.

By default, the Wireless QoS tab is displayed.

9. Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.

10. Select the Client Number option, and then enter 10.

11. Click Apply.


Figure 582 Setting CAC client number

Verifying the configuration

If the number of existing clients in the high-priority access categories plus the number of clients requesting high-priority access categories is smaller than or equal to the user-defined maximum number of users allowed in high-priority access categories, which is 10 in this example, the request is allowed. Otherwise, the request is rejected.

Wireless service-based static rate limiting configuration example

Network requirements

As shown in Figure 583, two wireless clients access the WLAN through an SSID named service1.

Limit the maximum bandwidth per wireless client to 128 kbps for traffic from the wireless clients to the AP.

Figure 583 Network diagram

Configuring the wireless service

For the configuration procedure, see "Configuring access services."

Configuring static rate limiting

1. Select QoS > Wireless QoS from the navigation tree.

2. Click Client Rate Limit.


3. Click Add in the Service-Based Configuration area to enter the page for configuring wireless service-based rate limit settings for clients, as shown in Figure 584.

4. Configure static rate limiting:

a. Select service1 from the Wireless Service list.

b. Select Inbound from the Direction list.

c. Select Static from the Mode list.

d. Enter 128 in the Per-Client Rate field.

5. Click Apply.

Figure 584 Configuring static rate limiting

Verifying the configuration

1. Client1 and Client2 access the WLAN through the SSID named service1.

2. Check that traffic from Client1 and traffic from Client2 are each rate limited to around 128 kbps.

Wireless service-based dynamic rate limiting configuration example

Network requirements

As shown in Figure 585, wireless clients access the WLAN through an SSID named service2.

Configure all wireless clients to share 8000 kbps of bandwidth in any direction.

Figure 585 Network diagram


Configuring the wireless service

For the configuration procedure, see "Configuring access services."

Configuring dynamic rate limiting

1. Select QoS > Wireless QoS from the navigation tree.

2. Click Client Rate Limit.

3. Click Add in the Service-Based Configuration area to enter the page for configuring wireless service-based rate limit settings for clients, as shown in Figure 586.

4. Configure dynamic rate limiting:

a. Select service2 from the Wireless Service list.

b. Select Both from the Direction list.

c. Select Dynamic from the Mode list.

d. Enter 8000 in the Total Rate field.

5. Click Apply.

Figure 586 Configuring dynamic rate limiting

Verifying the configuration

Check that:

1. When only Client1 accesses the WLAN through SSID service2, its traffic can pass through at a rate as high as 8000 kbps.

2. When both Client1 and Client2 access the WLAN through SSID service2, their traffic flows can each pass through at a rate as high as 4000 kbps.

Bandwidth guarantee configuration example

Network requirements

As shown in Figure 587, three wireless clients use wireless services research, office, and entertain to access the wireless network.

To make sure the enterprise network works properly, guarantee the office service 20% of the bandwidth, the research service 80%, and the entertain service none.


Figure 587 Network diagram

Configuring the wireless services

For the configuration procedure, see "Configuring access services." Follow the related configuration example to configure the wireless services.

Configuring bandwidth guaranteeing

1. Select QoS > Wireless QoS from the navigation tree.

2. Click Bandwidth Guarantee to enter the page for configuring bandwidth guarantee, as shown in Figure 588.

3. Use the default reference radio bandwidth for 802.11a.

4. Click Apply.


Figure 588 Setting the reference radio bandwidth

5. Click the icon in the Operation column for 802.11a to enter the page for setting guaranteed bandwidth, as shown in Figure 589.

6. Set the guaranteed bandwidth:

a. Set the guaranteed bandwidth percent to 80 for wireless service research.

b. Set the guaranteed bandwidth percent to 20 for wireless service office.

c. Set the guaranteed bandwidth percent to 0 for wireless service entertain.

7. Click Apply.

After you apply the guaranteed bandwidth settings, the page for enabling bandwidth guarantee appears, as shown in Figure 590.


Figure 589 Setting guaranteed bandwidth

8. Select the option specific to 802.11a.

9. Click Enable.


Figure 590 Enabling bandwidth guarantee

Verifying the configuration

• Send traffic from the AP to the three wireless clients at a rate lower than 30000 kbps. The rate of traffic from the AP to the three wireless clients is not limited.

• Send traffic at a rate higher than 6000 kbps from the AP to Client 1 and at a rate higher than 24000 kbps from the AP to Client 2. The total rate of traffic from the AP to the two wireless clients exceeds 30000 kbps. Because you have enabled bandwidth guarantee for wireless services research and office, the AP forwards traffic to Client 1 and Client 2 at 6000 kbps and 24000 kbps respectively, and limits the traffic to Client 3.

NOTE:

• Guaranteed bandwidth in kbps = reference radio bandwidth × guaranteed bandwidth percent.

• Set the reference radio bandwidth slightly lower than the available maximum bandwidth.

• The guaranteed bandwidth configuration applies to only the traffic from the AP to clients.


Advanced settings

Advanced settings overview

Country/Region code

Radio frequencies for countries and regions vary based on country regulations. A country/region code determines characteristics such as frequency range, channel, and transmit power level. Configure the valid country/region code for a WLAN device to meet the specific country regulations.

1+1 AC backup

NOTE:

Support for the 1+1 backup feature may vary depending on your device model. For more information, see "Feature matrixes."

Dual-link backup

1. Dual links

Dual links allow for AC backup. An AP establishes links with two different ACs. The active AC provides services for APs in the network and the standby AC provides backup service for the active AC. If the active AC fails, the standby AC takes over to provide services for the APs.

Figure 591 Dual link topology

AC 1 is operating in active mode and providing services to AP 1, AP 2, AP 3, and AP 4. AC 2 is operating in standby mode. The APs are connected to AC 2 through backup links. When AC 1 goes down, AC 2 switches to active mode and stays active even after AC 1 comes back up, in which case AC 1 operates in standby mode. However, this is not so if an AC is configured as the primary AC. For more information about the primary AC, see "Primary AC recovery."


2. Using fast link fault detection, you can configure 1+1 fast backup (see "1+1 fast backup") to provide uninterrupted services.

3. Primary AC recovery

The primary AC mechanism makes sure that APs choose the primary AC in precedence as their active AC. When the primary AC goes down, the APs switch to the standby AC. As soon as the primary AC recovers, the APs automatically connect to it again.

Figure 592 Primary AC recovery

AC 1 is the primary AC with the connection priority of 7, and it establishes a connection with the AP. AC 2 acts as the secondary AC. If AC 1 goes down, AC 2 takes over to provide services to AP until AC 1 recovers. Once the primary AC is reachable again, the AP automatically establishes a connection with the primary AC. For more information about priority configuration, see "Configuring AP connection priority."

1+1 fast backup

Fast link fault detection allows two ACs in 1+1 backup to detect the failure of each other in time. To achieve this, a heartbeat detection mechanism is used. When the active AC goes down, the standby AC can quickly detect the faults and become the new active AC.

NOTE:

Support for the 1+1 fast backup feature may vary depending on your device model. For more information, see "Feature matrixes."

1+N AC backup

1+N AC backup allows an AC to operate as a backup for multiple ACs. The active ACs independently provide services for the APs that connect to them, and the single standby AC provides backup service for all of the active ACs. If an active AC goes down, the APs connected to it can detect the failure quickly and connect to the standby AC. As soon as the active AC recovers, the APs automatically connect to their original active AC again. This makes sure the standby AC operates as a dedicated backup for the active ACs. 1+N AC backup delivers high reliability and greatly reduces network construction cost.


Continuous transmitting mode

The continuous transmitting mode is used for testing only. Do not use the function unless necessary.

Channel busy test

The channel busy test is a tool to test how busy a channel is. It tests the channels supported by the country/region code one by one, and provides a busy rate for each channel. This helps you avoid having some channels heavily loaded while others are idle.

During a channel busy test, APs do not provide any WLAN services. All the connected clients are disconnected and WLAN packets are discarded.

WLAN load balancing

WLAN load balancing dynamically adjusts loads among APs to ensure adequate bandwidth for clients. It is mainly used in high-density WLAN networks.

Requirement of WLAN load-balancing implementation

As shown in Figure 593, Client 6 wants to associate with AP 3. AP 3 has reached its maximum load, so it rejects the association request. Then, Client 6 tries to associate with AP 1 or AP 2, but it cannot receive signals from these two APs, so it has to resend an association request to AP 3.

Therefore, to implement load balancing, the APs must be managed by the same AC, and the clients must be able to find the APs.

Figure 593 Requirement of WLAN load-balancing implementation

Load-balancing modes

The AC supports two load balancing modes, session mode and traffic mode.

• Session mode load-balancing

Session-mode load balancing is based on the number of clients associated with the AP/radio.

As shown in Figure 594, Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. The AC has session-mode load balancing configured: the maximum number of sessions is 5 and the maximum session gap is 4. Then, Client 7 sends an association request to AP 2. The maximum session threshold and session gap have been reached on AP 2, so it rejects the request. At last, Client 7 associates with AP 1.

Figure 594 Network diagram for session-mode load balancing

• Traffic mode load-balancing

Traffic-mode load balancing is based on a snapshot of the traffic on the AP/radio.

As shown in Figure 595, Client 1 and Client 2 that run 802.11g are associated with AP 1. The AC has traffic-mode load balancing configured: the maximum traffic threshold is 10% and the maximum traffic gap is 20%. Then, Client 3 wants to access the WLAN through AP 1. The maximum traffic threshold and traffic gap (between AP 1 and AP 2) have been reached on AP 1, so it rejects the request. At last, Client 3 associates with AP 2.

Figure 595 Network diagram for traffic-mode load balancing


Load-balancing methods

The AC supports AP-based load balancing and group-based load balancing.

1. AP-based load balancing

AP-based load balancing can be either implemented among APs or among the radios of an AP.

AP-based load balancing—APs can carry out either session-mode or traffic-mode load balancing as configured. An AP starts load balancing when the maximum threshold and gap are reached, and does not accept any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum times, the AP considers that the client is unable to associate to any other AP and accepts the association request from the client.

Radio-based load balancing—The radios of an AP that is balanced can carry out either session-mode or traffic-mode load balancing as configured. A radio starts load balancing when the maximum threshold and gap are reached and will reject any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum times, the AP considers that the client is unable to associate to any other AP and accepts the association request from the client.

2. Group-based load balancing

To balance loads among the radios of different APs, you can add them to the same load balancing group.

The radios in a load balancing group can carry out either session-mode or traffic-mode load balancing as configured. The radios that are not added to any load balancing group do not carry out load balancing. A radio in a load balancing group starts load balancing when the maximum threshold and gap are reached on it, and the radio does not accept any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum times, the AP considers that the client is unable to associate to any other AP and accepts the association request from the client.

AP version setting

A fit AP is a zero-configuration device. It can automatically discover an AC after power-on. To make sure a fit AP can associate with an AC, their software versions must be consistent by default, which complicates maintenance. This task allows you to designate the software version of an AP on the AC, so that they can associate with each other even if their software versions are inconsistent.

Switching to fat AP

You can switch the working mode of an AP between the fit mode and the fat mode.

Wireless location

Wireless location is a technology to locate, track and monitor specified devices by using WiFi-based Radio Frequency Identification (RFID) and sensors. With this function enabled, APs send Tag or MU messages to an AeroScout Engine (referred to as AE hereinafter), which performs location calculation and then sends the data to the graphics software. You can get the location information of the assets by maps, forms, or reports. Meanwhile, the graphics software provides the search, alert and query functions to facilitate your operations.


Wireless location can be applied to medical monitoring, asset management, and logistics, helping users effectively manage and monitor assets.

Architecture of the wireless location system

A wireless location system is composed of three parts: devices or sources to be located, location information receivers and location systems.

• Devices or sources to be located, which can be AeroScout Tags (small, portable RFIDs, which are usually placed on or glued to the assets to be located) or Mobile Units (MU). The MUs are wireless terminals or devices running 802.11. The Tags and MUs send wireless messages periodically.

• Location information receivers, for example, 802.11 APs, and AeroScout Exciters that are standard compliant Tags to send wireless messages but do not collect location information.

• Location systems, including location server, AE calculation software, and different types of graphics software.

Wireless locating process

A wireless location system can locate wireless clients, APs, rogue APs, rogue clients, Tags and other devices supporting WLAN protocols. Except for Tags, all wireless devices are identified as MUs by the wireless location system.

1. Send Tag and MU messages

A Tag message is a message sent by an RFID. A Tag message contains the channel number so that an AP can filter Tag messages whose channel numbers are not consistent with the AP's operating channel. To make sure more Tags can be detected by the AP, a Tag sends messages on different channels. A Tag periodically sends messages on one or multiple pre-configured channels, and then sends location messages on channels 1, 6, and 11 in turn periodically.

MU messages are sent by standard wireless devices. An MU message does not contain the channel number, so the AP cannot filter out MU messages whose channel numbers are not consistent with its operating channel, or illegal packets. That filtering is done by the location server according to its own algorithm and rules.

2. Collect Tag and MU messages

The working mode of an AP determines how it collects Tag and MU messages:

When the AP operates in monitor mode or hybrid mode, it can locate wireless clients or other wireless devices that are not associated with it.

When the AP operates in normal mode, it can only locate wireless clients associated with it. The wireless location system considers wireless clients associated with the AP as wireless clients, and considers wireless clients or other wireless devices not associated with the AP as unknown devices.

NOTE:

• For more information about monitor mode and hybrid mode, see "WLAN security configuration."

• An AP operates in normal mode when it functions as a WLAN access point. For more information, see "Configuring access services."

After these steps, the AP begins to collect Tag and MU messages.

• Upon receiving Tag messages (suppose that the Tags mode has been configured on the AC, and the location server has notified the AP to report Tag messages), the AP checks the Tag messages, encapsulates those passing the check and reports them to the location server. The AP encapsulates Tag messages by copying all the information (message header and payload inclusive) except the multicast address, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR and radio mode of the radio on which the relevant Tag messages were received.

• Upon receiving MU messages (suppose that the MUs mode has been configured on the AC, and the location server has notified the AP to report MU messages), the AP checks the messages, encapsulates those that pass the check and reports the messages to the location server. The AP encapsulates an MU message by copying its source address, Frame Control field and Sequence Control field, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR and radio mode of the radio on which the relevant Tag messages were received.

3. Calculate the locations of Tags or MUs

After receiving Tag and MU messages from APs, the location server uses an algorithm to calculate the locations of the Tag and MU devices according to the RSSI, SNR, radio mode and data rate carried in the messages, and displays the locations on the imported map. Typically, a location server can calculate the locations as long as more than 3 APs operating in monitor or hybrid mode report Tag or MU messages.
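The AP-side part of the locating process above (channel filtering of Tag messages, the normal/monitor/hybrid rule for MU messages, the two encapsulation layouts, and the server's "more than 3 APs" condition), as an added example; this is not H3C or AeroScout code, and the dictionary layout, field names and sample values are constructed assumptions because the guide does not show the real message encodings.

```python
"""AP-side handling of Tag and MU messages for wireless location.

Added example, not H3C or AeroScout code: the message dictionaries, the
field names and all sample values are constructed assumptions built from
the rules described in this guide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApRadio:
    bssid: str
    channel: int
    radio_mode: str          # for example "802.11g"
    ap_mode: str             # "normal", "monitor" or "hybrid"
    associated: frozenset    # MACs of the clients associated with this radio


def ap_accepts(msg: dict, radio: ApRadio, report_tags: bool, report_mus: bool) -> bool:
    """Whether the AP reports a received message to the location server.

    report_tags / report_mus model the Tags and MUs modes configured on the
    AC together with the server's notification to report each kind.
    """
    if msg["kind"] == "tag":
        # A Tag message carries its channel number, so the AP drops Tag
        # messages whose channel differs from the radio's operating channel.
        return report_tags and msg["channel"] == radio.channel
    if msg["kind"] == "mu":
        if not report_mus:
            return False
        # An MU message has no channel number: off-channel and illegal frames
        # are left to the location server. In normal mode the AP only locates
        # its own associated clients; monitor and hybrid mode also cover
        # devices that are not associated with it.
        if radio.ap_mode == "normal":
            return msg["source"] in radio.associated
        return True
    return False


def encapsulate(msg: dict, radio: ApRadio, rx: dict) -> dict:
    """Build the report sent to the location server: copy the message fields
    the guide lists for each kind, then add the radio and reception metadata
    (rx holds the per-frame timestamp, data rate, RSSI and SNR)."""
    if msg["kind"] == "tag":
        # Everything (header and payload) except the multicast address.
        body = {k: v for k, v in msg.items() if k != "multicast_address"}
    else:
        # Only the source address, Frame Control and Sequence Control fields.
        body = {k: msg[k] for k in ("kind", "source", "frame_control", "sequence_control")}
    meta = {"bssid": radio.bssid, "channel": radio.channel, "radio_mode": radio.radio_mode}
    for k in ("timestamp", "data_rate", "rssi", "snr"):
        meta[k] = rx[k]
    return {**body, **meta}


def server_can_locate(reporting: list) -> bool:
    """The location server can compute a position once more than 3 APs in
    monitor or hybrid mode have reported the device (assumption: one radio
    per AP, so APs are counted by BSSID)."""
    aps = {r.bssid for r in reporting if r.ap_mode in ("monitor", "hybrid")}
    return len(aps) > 3


if __name__ == "__main__":
    radio = ApRadio("00:11:22:33:44:55", 6, "802.11g", "normal", frozenset({"aa:bb:cc:00:00:01"}))
    tag = {"kind": "tag", "channel": 6, "multicast_address": "01:0c:cc:00:00:00",
           "tag_id": "T-0001", "payload": "constructed"}
    rx = {"timestamp": 1700000000, "data_rate": 11, "rssi": -52, "snr": 31}
    if ap_accepts(tag, radio, True, True):
        print(encapsulate(tag, radio, rx))
```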

Wireless sniffer

In a wireless network, it is difficult to locate signal interference or packet collisions from the debugging information or terminal display information of WLAN devices. To facilitate troubleshooting, configure an AP as a packet sniffer to listen to, capture, and record wireless packets. The sniffed packets are recorded in a .dmp file for troubleshooting.

As shown in Figure 596, enable wireless sniffer on the Capture AP. The Capture AP is able to listen to the wireless packets in the network, including the packets from other APs, rogue APs, and clients. Administrators can download the .dmp file to the PC for further analysis.

Figure 596 Network diagram

Band navigation

The 2.4 GHz band is often congested. Band navigation enables APs to accept dual-band (2.4 GHz and 5 GHz) clients on their 5 GHz radio, increasing overall network performance.

When band navigation is enabled, the AP directs clients to its 2.4 GHz or 5 GHz radio by following these principles:

• For a 2.4 GHz client, the AP associates to the client after rejecting it several times.


• For a dual-band client, the AP directs the client to its 5 GHz radio.

• For a 5 GHz client, the AP associates to the client on its 5 GHz radio.

The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than the configured value, the AP does not direct the client to the 5 GHz band.

If the number of clients on the 5 GHz radio reaches the upper limit, and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio reaches the upper limit, the AP denies the client’s association to the 5 GHz radio, and allows new clients to associate to the 2.4 GHz radio. If a client has been denied more than the maximum times on the 5 GHz radio, the AP considers that the client is unable to associate to any other AP, and allows the 5 GHz radio to accept the client.
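The threshold/gap/max-denial admission rule runs through session-mode and traffic-mode load balancing (Figures 594 and 595), AP-based and group-based load balancing, and the band navigation decision above. The following added example (not H3C code) implements that shared rule once and replays the guide's two load-balancing scenarios and a band navigation case; the Radio class, function names, the traffic snapshot values and the band navigation limits are assumptions.

```python
"""Admission decision shared by load balancing (session and traffic mode)
and, between the two radios of one AP, by band navigation.

Added example, not H3C code: the Radio class, the function names and the
sample loads are assumptions built from the rules this guide describes.
"""
from dataclasses import dataclass, field


@dataclass
class Radio:
    name: str
    sessions: int = 0            # clients currently associated with the radio
    traffic_pct: float = 0.0     # traffic snapshot, percent of the radio's capacity
    denials: dict = field(default_factory=dict)   # client MAC -> times already denied


def load_of(radio: Radio, mode: str) -> float:
    """Load metric compared against the threshold in the given mode."""
    if mode == "session":
        return float(radio.sessions)
    if mode == "traffic":
        return radio.traffic_pct
    raise ValueError(f"unknown load balancing mode: {mode}")


def admit(radio: Radio, peers: list, client: str, mode: str,
          threshold: float, max_gap: float, max_denials: int) -> bool:
    """Return True when `radio` accepts the association request from `client`.

    Rule from the guide: the radio rejects the request when its load has
    reached the maximum threshold AND its gap to the least loaded peer has
    reached the maximum gap. A client that has already been denied more than
    max_denials times is assumed unable to reach any other AP and is accepted.
    """
    own = load_of(radio, mode)
    lightest = min((load_of(p, mode) for p in peers), default=own)
    overloaded = own >= threshold and (own - lightest) >= max_gap
    if not overloaded:
        return True
    if radio.denials.get(client, 0) > max_denials:
        return True
    radio.denials[client] = radio.denials.get(client, 0) + 1
    return False


def figure_594() -> str:
    """Session mode, threshold 5, gap 4 (values from the guide): AP 1 holds
    1 client and AP 2 holds 5. Client 7 tries AP 2 first, then AP 1."""
    ap1, ap2 = Radio("AP 1", sessions=1), Radio("AP 2", sessions=5)
    for ap, others in ((ap2, [ap1]), (ap1, [ap2])):
        if admit(ap, others, "client7", "session", 5, 4, max_denials=3):
            return ap.name
    return "rejected"


def figure_595() -> str:
    """Traffic mode, threshold 10%, gap 20% (values from the guide). The
    snapshots (AP 1 at 35%, AP 2 at 5%) are constructed: the guide only
    states that both limits were reached on AP 1."""
    ap1, ap2 = Radio("AP 1", traffic_pct=35.0), Radio("AP 2", traffic_pct=5.0)
    for ap, others in ((ap1, [ap2]), (ap2, [ap1])):
        if admit(ap, others, "client3", "traffic", 10.0, 20.0, max_denials=3):
            return ap.name
    return "rejected"


def steer_dual_band(client: str, rssi: int, min_rssi: int, radio5: Radio,
                    radio24: Radio, limit: int, max_gap: int,
                    max_denials: int) -> str:
    """Band navigation for a dual-band client: send it to the 5 GHz radio
    unless its RSSI is below the configured minimum or the 5 GHz radio is
    full, judged with the same threshold/gap/max-denial rule as session mode."""
    if rssi < min_rssi:
        return radio24.name
    if admit(radio5, [radio24], client, "session", limit, max_gap, max_denials):
        return radio5.name
    return radio24.name


if __name__ == "__main__":
    print("Figure 594:", figure_594(), "| Figure 595:", figure_595())
```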

Configuring WLAN advanced settings

Setting a country/region code

1. Select Advanced > Country/Region Code from the navigation tree to enter the page for setting a country/region code.

Figure 597 Setting a country/region code

2. Configure a country/region code as described in Table 192.

3. Click Apply.

Table 192 Configuration items

Item Description

Country/Region Code

Select a country/region code.

Configure the valid country/region code for a WLAN device to meet the country regulations.

If the list is grayed out, the setting is preconfigured to meet the requirements of the target market and is locked. It cannot be changed.

If you do not specify a country/region code for an AP, the AP uses the global country/region code configured on this page. For how to specify the country/region code for an AP, see "Quick start." If an AP is configured with a country/region code, the AP uses its own country code.

Some ACs and fit APs have fixed country/region codes. Which code is used is determined as follows: An AC's fixed country/region code cannot be changed, and all managed fit APs whose country/region codes are not fixed must use the AC's fixed country/region code. A fit AP's fixed country/region code cannot be changed, and the fit AP can only use that country/region code. If an AC and a managed fit AP use different fixed country/region codes, the fit AP uses its own fixed country/region code.


Configuring 1+1 AC backup

Configuring AP connection priority

1. Select AP > AP Setup from the navigation tree.

2. Click the icon corresponding to the target AP to enter the configuration page.

3. Expand the Advanced Setup area.

Figure 598 Configuring connection priority

4. Configure an AP connection priority as described in Table 193.

5. Click Apply.

Table 193 Configuration items

Item Description

AP Connection Priority Set the priority for the AP connection to the AC.

Configure 1+1 AC backup

1. Select Advanced > AC Backup from the navigation tree.


Figure 599 Configuring AC backup

2. Configure an IP address and switch delay time for the backup AC as described in Table 194.

3. Click Apply.

Table 194 Configuration items

Item Description

IPv4 Select IPv4, and enter the IPv4 address of the backup AC.

If the backup AC is configured on the page you enter by selecting AP > AP Setup, the configuration is used in precedence. For more information, see "AP configuration."

The access mode configuration on the two ACs should be the same.

Specify the IP address of one AC on the other AC in an AC backup.

IPv6 Select IPv6, and enter the IPv6 address of the backup AC.

Switch Delay Time Delay time for the AP to switch from the primary AC to the backup AC.

Configuring 1+1 fast backup

1. Select Advanced > AC Backup from the navigation tree.


Figure 600 Configuring fast backup

2. Configure fast backup as described in Table 195.

3. Click Apply.

Table 195 Configuration items

Item Description

Fast Backup Mode

• disable—Disable fast backup.

• enable—Enable fast backup.

By default, fast backup is disabled.

Hello Interval Heartbeat interval for an AC connection. If no heartbeat is received for three consecutive intervals, the device considers the peer down.

The value range varies with devices. For more information, see "Feature matrixes."

VLAN ID ID of the VLAN to which the port where the backup is performed belongs.

Backup Domain ID ID of the domain to which the AC belongs.

Displaying status information of 1+1 fast backup

1. Select Advanced > AC Backup from the navigation tree.

2. Click the Status tab to enter the page as shown in Figure 601.


Figure 601 Status information

Table 196 Field description

Field Description

AP Name Select to display the AP connecting to the AC.

Status Status of the current AC.

Vlan ID ID of the VLAN to which the port belongs.

Domain ID Domain to which the AC belongs.

Link State

Link status of the AC connection:

• Close—No connection is established.

• Init—The connection is being set up.

• Connect—The connection has been established.

Peer Board MAC MAC address of the peer AC.

Peer Board State

Status of the peer AC:

• Normal—The peer AC is normal.

• Abnormal—The peer AC is malfunctioning.

• Unknown—No connection is present.

Hello Interval Heartbeat interval for an AC connection.

Configuring 1+N AC backup

Configuring AP connection priority

1. Select AP > AP Setup from the navigation tree.

2. Click the icon corresponding to the target AP to enter the configuration page.

3. Expand Advanced Setup.


Figure 602 Configuring connection priority

4. Configure a connection priority as described in Table 197.

5. Click Apply.

Table 197 Configuration items

Item Description

AP Connection Priority Set the priority for the AP connection to the AC.

Configuring 1+N AC backup

1. Select AP > AP Setup from the navigation tree.

2. Click the icon corresponding to the target AP to enter the configuration page.

3. Expand Advanced Setup.


Figure 603 Configuring 1+N AC backup

4. Configure 1+N backup as described in Table 198.

5. Click Apply.

Table 198 Configuration items

Item Description

Backup AC IPv4 Address Set the IPv4 address of the backup AC.

If the global backup AC is also configured on the page you enter by selecting Advanced > AC Backup, this configuration is used in precedence.

Backup AC IPv6 Address Set the IPv6 address of the backup AC.

Configuring continuous transmitting mode

1. Select Advanced > Continuous Transmit from the navigation tree to enter the continuous transmitting mode configuration page.


Figure 604 Configuring continuous transmitting mode

2. Click the icon corresponding to the target radio to enter the page for configuring transmission rate. The transmission rate varies with radio mode.

When the radio mode is 802.11a/b/g, the page as shown in Figure 605 appears. Select a transmission rate from the list.

Figure 605 Selecting a transmission rate (802.11b/g)

When the radio mode is 802.11n, the page as shown in Figure 606 appears. Select an MCS index value to specify the 802.11n transmission rate. For more information about MCS, see "Radio configuration."

Figure 606 Selecting an MCS index (802.11n)

3. Click Apply.

To stop the continuous transmitting mode, click the icon of the target radio. After the continuous transmit is stopped, the transmission rate value on the page as shown in Figure 605 displays as 0.

NOTE:

When continuous transmit is enabled, do not perform any operations other than transmission rate configuration.

Configuring a channel busy test

1. Select Advanced > Channel Busy Test from the navigation tree to enter the channel busy test configuration page.


Figure 607 Configuring channel busy test

2. Click the icon corresponding to a target AP to enter the channel busy test page.

Figure 608 Test busy rate of channels

3. Configure the channel busy test as described in Table 199.

4. Click Start to start the testing.

Table 199 Configuration items

Item Description

AP Name Display the AP name.

Radio Unit Display the radio unit of the AP.

Radio Mode Display the radio mode of the AP.

Test time per channel Set a time period in seconds within which a channel is tested.

It defaults to 3 seconds.

NOTE:

• During a channel busy test, the AP does not provide any WLAN services. All the connected clients are disconnected.

• Before the channel busy test completes, do not start another test for the same channel.


Configuring load balancing

Band navigation and load balancing can be used simultaneously.

Configuration prerequisites

Before you configure load balancing, make sure:

• The target APs are associated with the same AC.

• The clients can find the APs.

• The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring access services."

Recommended configuration procedure

Task Remarks

1. Configuring a load balancing mode Required.

2. Configuring AP-based load balancing
3. Configuring group-based load balancing
Required. Use either approach.

• AP-based load balancing—After you complete Configuring a load balancing mode, the AC adopts AP-based load balancing by default.

• Group-based load balancing—H3C recommends that you complete Configuring a load balancing mode first. A load balancing group takes effect only when a load balancing mode is configured.

4. Configuring parameters that affect load balancing Optional.

This configuration takes effect for both AP-based load balancing and radio group based load balancing.

Configuring a load balancing mode

NOTE:

If the AC has a load balancing mode configured but has no load balancing group created, it uses AP-based load balancing by default.

1. Configure session-mode load balancing

a. Select Advanced > Load Balance from the navigation tree to enter the page for setting load balancing.

b. Select Session from the Loadbalance Mode list.

c. Click Apply.


Figure 609 Setting session-mode load balancing

Table 200 Configuration items

Item Description

Loadbalance Mode Select Session.

The function is disabled by default.

Threshold Load balancing is carried out for a radio when the session threshold and session gap threshold are reached.

Gap Load balancing is carried out for a radio when the session threshold and session gap threshold are reached.

2. Configure traffic-mode load balancing

a. Select Advanced > Load Balance from the navigation tree to enter the page for setting load balancing.

b. Select Traffic from the Loadbalance Mode list.

c. Click Apply.

Figure 610 Setting traffic-mode load balancing


Table 201 Configuration items

Item: Description

Loadbalance Mode: Select Traffic. The function is disabled by default.

Traffic: Load balancing is carried out for a radio when both the traffic threshold and the traffic gap threshold are reached.

Gap: Load balancing is carried out for a radio when both the traffic threshold and the traffic gap threshold (the traffic gap between the two APs) are reached.

NOTE:

If you select traffic-mode load balancing, the maximum throughput of 802.11g/802.11a is 30 Mbps.

Configuring group-based load balancing

NOTE:

H3C recommends that you complete Configuring a load balancing mode on the Load Balance tab page first. A load balancing group takes effect only when a load balancing mode is configured.

1. Select Advanced > Load Balance from the navigation tree.

2. Click the Load Balance Group tab to enter the page for configuring a load balancing group.

3. Click Add.

Figure 611 Configuring a load balancing group

4. Configure a load balancing group as described in Table 202.

5. Click Apply.


Table 202 Configuration items

Item: Remarks

Group ID: Displays the ID of the load balancing group.

Description: Configure a description for the load balancing group. By default, the load balancing group has no description.

Radio List:

• In the Radios Available area, select the target radios, and then click << to add them to the Radios Selected area.

• In the Radios Selected area, select the radios to be removed, and then click >> to remove them from the load balancing group.

Configuring parameters that affect load balancing

1. Select Advanced > Load Balance from the navigation tree. See Figure 609.

2. Configure parameters that affect load balancing as described in Table 203.

3. Click Apply.

Table 203 Configuration items

Item: Remarks

Max Denial Count: Maximum denial count of client association requests.

If a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.

RSSI Threshold: Load balancing RSSI threshold.

A client may be detected by multiple APs. An AP considers a client whose RSSI is lower than the load balancing RSSI threshold as not detected. If only one AP can detect the client, that AP increases the access probability for the client even if it is overloaded.

Configuring AP

Upgrading AP version

1. Select Advanced > AP from the navigation tree.

2. On the AP Module tab, select the desired AP.

3. Click Version Update to enter the page for AP version upgrade.

Figure 612 AP version update

4. Configure AP upgrade as described in Table 204.


5. Click Apply.

Table 204 Configuration items

Item: Description

AP Model: Displays the selected AP model.

Software Version: Enter the software version of the AC in the correct format.

Switching to fat AP

1. Select Advanced > AP Setup from the navigation tree.

2. Click the Switch to Fat AP tab.

3. Select the desired AP.

4. Click Switch to Fat AP to perform AP working mode switchover.

Figure 613 Switching to fat AP

NOTE:

Before you switch the work mode, you must download the fat AP software to the AP.

Configuring wireless location

1. Select Advanced > Wireless Location from the navigation tree to enter the page for displaying and configuring wireless location on an AC.


Figure 614 Configuring wireless location

2. Configure wireless location as described in Table 205.

3. Click Apply.

Table 205 Configuration items

Item: Description

Location Function:

• Enable—Enables the wireless location function globally. The device begins to listen to packets when wireless location is enabled.

• Disable—Disables wireless location globally.

To ensure that the location function works, complete the configuration on both the location server and the AC:

• On the location server—Configure whether to locate Tags or MUs, the Tag message multicast address, and the dilution factor on the location server. These settings are notified to the APs through the configuration message. For more information about the location server and its configuration parameters, see the location server manuals.

• On the AC—Configure the AP mode settings, and enable the wireless location function.

When the configurations are correctly made, APs wait for the configuration message sent by the location server and, after receiving that message, start to receive and report Tag and MU messages.

Vendor Port: Set the listening port number for vendors. The port number must be the same as that defined on the AE.

Tag Mode: Select this option to enable the Tag report function on the radio (you also need to enable Tags mode on the AE).

MU Mode: Select this option to enable the MU report function on the radio (you also need to enable MUs mode on the AE).


An AP reports IP address change and device reboot events to the location server so that the location server is able to respond in time. The AP reports a reboot message according to the IP address and port information of the location server recorded in its flash.

• The AP updates the data in the flash after receiving a configuration message. To protect the flash, the AP does not update the flash immediately after receiving a configuration message, but waits for 10 minutes. If it receives another configuration message within those 10 minutes, the AP only updates the configuration information in the cache, and when the 10-minute timer expires, saves the cached information to the flash.

• If the AP reboots within 10 minutes after receiving the first configuration message, and no configuration is saved in the flash, it does not send a reboot message to the location server.

Configuring wireless sniffer

1. Select Advanced > Wireless Sniffer from the navigation tree to enter the wireless sniffer configuration page.

Figure 615 Configuring wireless sniffer

2. To enable the wireless sniffer function for a specified radio, click the icon of the radio.

Before you enable wireless sniffer, make sure the AP operates in normal mode and is in the run state. Wireless sniffer can be enabled for only one radio, and that radio must be configured with a fixed channel.

When you configure wireless sniffer, follow these guidelines:

• Auto APs do not support wireless sniffer.

• Wireless sniffer can be enabled for one radio at one time.

• While the Capture AP is capturing packets, if wireless sniffer is disabled for the radio, the Capture AP is deleted, the Capture AP is disconnected from the AC, or the number of captured packets reaches the upper limit, the sniffer operation stops and the packets are saved to the specified .dmp file. The default storage medium varies with device models.

• You can click Stop to stop the wireless sniffer, and choose whether to save the packets to a CAP file. If not, no CAP file is generated.


• The working mode of the AP cannot be changed when it is capturing packets.

NOTE:

Do not enable or run wireless services for the radio with wireless sniffer enabled. Disable all wireless services before enabling wireless sniffer.

3. Configure wireless sniffer as described in Table 206.

4. Click Apply.

Table 206 Configuration items

Item: Description

Capture Limit: The maximum number of packets that can be captured. Once the limit is exceeded, the device stops capturing packets.

IMPORTANT: You cannot change the value when the device is capturing packets.

Filename: Name of the CAP file to which the packets are saved. By default, the name is SnifferRecord.

IMPORTANT: You cannot change the file name when the device is capturing packets.

Configuring band navigation

When band navigation is enabled, the client association efficiency is affected, so this feature is not recommended in a scenario where most clients use 2.4 GHz.

Band navigation is not recommended in a delay-sensitive network.

Band navigation and load balancing can be used simultaneously.

Configuration prerequisites

To enable band navigation to operate properly, make sure of the following:

• The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring access services."

• Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.

• The SSID is bound to the 2.4 GHz and 5 GHz radios of the AP.

Configuring band navigation

1. Select Advanced > Band Navigation from the navigation tree.


Figure 616 Configuring band navigation

2. Configure band navigation as described in Table 207.

3. Click Apply.

Table 207 Configuration items

Item: Description

Band Navigation:

• Enable—Enable band navigation.

• Disable—Disable band navigation.

By default, band navigation is disabled globally.

Session Threshold and Gap:

• Session Threshold—Session threshold for clients on the 5 GHz band.

• Gap—Session gap, which is the number of clients on the 5 GHz band minus the number of clients on the 2.4 GHz band.

If the number of clients on the 5 GHz radio has reached the upper limit, and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio has reached the upper limit, the AP denies the client's association to the 5 GHz radio and allows new clients to associate to the 2.4 GHz radio.

When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the configured number.

Max Denial Count: Maximum denial count of client association requests.

If a client has been denied more than the maximum number of times on the 5 GHz radio, the AP considers that the client is unable to associate with any other AP, and allows the 5 GHz radio to accept the client.

When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the configured number.

RSSI Threshold: Band navigation RSSI threshold.

The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than the value, the AP does not direct the client to the 5 GHz band.

Aging Time: Client information aging time.

The AP records the client information when a client tries to associate with it. If the AP receives a probe request or association request from the client before the aging time expires, the AP refreshes the client information and restarts the aging timer. If not, the AP removes the client information and does not count the client during band navigation.
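The per-AP band navigation decision in Table 207, replayed on the dual-band and single-band clients of the band navigation configuration example later in this chapter, as an added example that is not H3C code. H3C does not publish the AP's algorithm, so this is a reading of the table: a Session Threshold or Gap left at its default 0 is treated as not configured, the Max Denial Count, RSSI Threshold and Aging Time values are constructed, and only the checks the table names are applied.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BandNavigation:
    """The Band Navigation settings of Table 207 (values are constructed)."""
    session_threshold: int = 0   # Session Threshold; 0 = not configured (assumption)
    gap: int = 0                 # Gap (5 GHz minus 2.4 GHz clients); 0 = not configured (assumption)
    max_denial: int = 2          # Max Denial Count
    rssi_threshold: int = 30     # RSSI Threshold
    aging_time: float = 60.0     # Aging Time, in seconds


@dataclass
class ClientRecord:
    band: Optional[str]          # "5g", "2.4g", or None while an attempt is in progress
    last_seen: float             # last probe or association request (restarts the aging timer)
    denials: int = 0             # times this client was denied on the 5 GHz radio


class BandSteeringAP:
    """A dual-band AP applying band navigation to association attempts."""

    def __init__(self, cfg: BandNavigation):
        self.cfg = cfg
        self.records: Dict[str, ClientRecord] = {}

    def _touch(self, mac: str, now: float) -> ClientRecord:
        """A probe or association request creates or refreshes the client record."""
        rec = self.records.get(mac)
        if rec is None:
            rec = self.records[mac] = ClientRecord(band=None, last_seen=now)
        rec.last_seen = now
        return rec

    def _expire(self, now: float) -> None:
        """Aging Time: records not refreshed in time are removed and no longer counted."""
        stale = [m for m, r in self.records.items() if now - r.last_seen > self.cfg.aging_time]
        for mac in stale:
            del self.records[mac]

    def count(self, band: str, now: float) -> int:
        self._expire(now)
        return sum(1 for r in self.records.values() if r.band == band)

    def five_ghz_full(self, now: float) -> bool:
        """True when every configured limit (5 GHz session threshold and the
        5 GHz minus 2.4 GHz gap) has been reached; a limit left at 0 is skipped."""
        n5, n24 = self.count("5g", now), self.count("2.4g", now)
        checks = []
        if self.cfg.session_threshold > 0:
            checks.append(n5 >= self.cfg.session_threshold)
        if self.cfg.gap > 0:
            checks.append(n5 - n24 >= self.cfg.gap)
        return bool(checks) and all(checks)

    def associate(self, mac: str, dual_band: bool, rssi: int, now: float) -> str:
        """Process one association attempt and return the band the client lands on."""
        rec = self._touch(mac, now)
        rec.band = None                      # a retrying client is not counted against itself
        if not dual_band or rssi < self.cfg.rssi_threshold:
            rec.band = "2.4g"                # single-band, or RSSI too weak to direct to 5 GHz
        elif self.five_ghz_full(now) and rec.denials <= self.cfg.max_denial:
            rec.denials += 1                 # denied on 5 GHz; allowed to associate on 2.4 GHz
            rec.band = "2.4g"
        else:
            rec.band = "5g"                  # 5 GHz has room, or Max Denial Count was exceeded
        return rec.band


def demo() -> Dict[str, object]:
    """Replays the band navigation example: Client 1 through Client 3 are
    dual-band, Client 4 is 2.4 GHz only (threshold 2 and gap 1 are constructed)."""
    ap = BandSteeringAP(BandNavigation(session_threshold=2, gap=1))
    result: Dict[str, object] = {
        "Client 1": ap.associate("Client 1", dual_band=True, rssi=50, now=0.0),
        "Client 2": ap.associate("Client 2", dual_band=True, rssi=45, now=1.0),
        "Client 3": ap.associate("Client 3", dual_band=True, rssi=40, now=2.0),
        "Client 4": ap.associate("Client 4", dual_band=False, rssi=40, now=3.0),
    }
    # Once the aging time has passed without new requests, nothing is counted.
    result["5g_after_aging"] = ap.count("5g", now=3.0 + ap.cfg.aging_time + 1.0)
    return result
```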

Advanced settings configuration examples

1+1 fast backup configuration example

Network requirements

As shown in Figure 617, AC 1 and AC 2 back up each other, with AC 1 acting as the active AC. When the active AC fails, the standby AC takes over to provide services, ensuring no service interruption.

• Assign a higher priority to the AP connection to AC 1 (6 in this example) to make sure the AP first establishes a connection with AC 1. In this way, AC 1 acts as the active AC.

• When AC 1 is down, AC 2 becomes the new active AC.

• When AC 1 recovers, no switchover to AC 1 occurs: AC 2 remains the active AC and AC 1 acts as the standby AC. This is because the AP connection priority on AC 1 is not the highest.

Figure 617 Network diagram

Configuring AC 1

1. Configure AP to establish a connection between AC 1 and AP. For more information about configurations, see "Configuring access services."

2. Select AP > AP Setup from the navigation tree.

3. Click the icon corresponding to the target AP to enter the configuration page.

4. Expand Advanced Setup.

5. Set the connection priority to 6.

6. Click Apply.


Figure 618 Configuring the AP connection priority

7. Select Advanced > AC Backup from the navigation tree.

8. On the page that appears, set the IP address of the backup AC to 1.1.1.5 and select enable to enable the fast backup mode.

9. Click Apply.

Figure 619 Configuring the IP address of the backup AC


Configuring AC 2

1. Configure AP to establish a connection between AC 2 and AP.

For more information about configurations, see "Configuring access services."

2. Leave the default value of the AP connection priority unchanged. (Details not shown.)

3. Select Advanced > AC Backup from the navigation tree.

4. On the page that appears, set the address of the backup AC to 1.1.1.4 and select enable to enable the fast backup mode.

5. Click Apply.

Figure 620 Configuring the address of the backup AC

Verifying the configuration

1. When AC 1 operates properly, view the AP status on AC 1 and AC 2 respectively. The AP connection priority on AC 1 is set to 6, the higher one, so AC 1 becomes the active AC and the AP establishes a connection to AC 1 first.

a. On AC 1, select Advanced > AC Backup from the navigation tree.

b. Click the Status tab to enter the page as shown in Figure 621.

The status information shows that AC 1 is the active AC.


Figure 621 Displaying the AP status on AC 1

c. On AC 2, select Advanced > AC Backup from the navigation tree.

d. Click the Status tab.

The information shows that AC 1 is acting as the standby AC.

Figure 622 Displaying the AP status on AC 2

2. When AC 1 operates properly, display the client status on AC 1 and AC 2. The client establishes a connection with the AP through AC 1, and AC 2 has backed up the client status.

a. On AC 1, select Summary > Client from the navigation tree.

b. Click the Detail Information tab.

c. Click the name of the specified client to view the detailed information of the client.

The information shows that Client is running and is connecting to AC 1 through an active link.


Figure 623 Displaying the client information on AC 1

d. On AC 2, select Summary > Client from the navigation tree.

e. Click the Detail Information tab.

f. Click the name of the specified client to view the detailed information of the client.

The information shows that Client is running and is connecting to AC 2 through a standby link.

Figure 624 Displaying the client information on AC 2

3. When AC 1 goes down, the standby AC, AC 2, detects the failure immediately through the heartbeat detection mechanism. AC 2 then takes over as the new active AC, providing services to the AP.

On AC 2 (the new active AC), display the AP status. (Details not shown.)

The information shows that AC 2 has become the active AC.

On AC 2, display the client information. (Details not shown.)


The value for the State field becomes Running, which indicates that Client is connecting to AC 2 through an active link.

4. When AC 1 recovers, AC 2 still acts as the active AC and AC 1 becomes the standby AC. AC 1 establishes a backup link with the AP and backs up the client status.

Configuration guidelines

• The wireless services configured on the two ACs should be consistent.

• Specify the IP address of the backup AC on each AC.

• AC backup has no relation with the access authentication method; however, the authentication method of the two ACs must be the same.

1+N backup configuration example

Network requirements

As shown in Figure 625, AC 1 and AC 2 are active ACs and AC 3 acts as the standby AC. When an active AC fails, AC 3, the standby AC, takes over to provide services. As soon as the active AC recovers, the AP connects to the original active AC again.

• The APs connect to AC 1, AC 2, and AC 3 through a Layer 2 switch. The IP addresses of AC 1, AC 2, and AC 3 are 1.1.1.3, 1.1.1.4, and 1.1.1.5 respectively.

• Assign the highest AP connection priority, 7, on AC 1 and AC 2 to make sure AP 1 establishes a connection with AC 1 and AP 2 establishes a connection with AC 2.

• If either of the two active ACs is down, AC 3 becomes the new active AC.

• When the faulty AC recovers, the AP that connects to AC 3 automatically connects to the original active AC again. This is because the AP connection priority on the active AC is the highest. In this way, AC 3 can always act as a dedicated standby AC to provide backup services for AC 1 and AC 2.

Figure 625 Network diagram

Configuring AC 1

1. Configure AC 1 so that a connection is set up between AC 1 and AP 1.

For more information about configurations, see "Configuring access services."

2. Select AP > AP Setup from the navigation tree.

3. Click the icon corresponding to the target AP to enter the configuration page.

4. Expand Advanced Setup.

5. Set the connection priority to 7.

6. Click Apply.


Figure 626 Configuring the AP connection priority for AP 1

Configuring AC 2

1. Configure AC 2 so that a connection is set up between AC 2 and AP 2.

For more information about configurations, see "Configuring access services."

2. Set the AP connection priority to 7.

The configuration steps are the same as those on AC 1. (Details not shown.)

3. Configure AC 3 (the backup AC)

a. Configure the related information of AP 1 and AP 2.

For more information about configurations, see "Configuring access services."

b. Select AP > AP Setup from the navigation tree.

c. Click the icon corresponding to the target AP to enter the configuration page.

d. Expand Advanced Setup.

e. Enter 1.1.1.3 in the Backup AC IPv4 Address field.

f. Click Apply.


Figure 627 Backing up the IP address of AC 1

g. Select AP > AP Setup from the navigation tree.

h. Click the icon corresponding to the target AP to enter the configuration page.

i. Expand Advanced Setup.

j. Enter 1.1.1.4 in the Backup AC IPv4 Address field.

k. Click Apply.


Figure 628 Backing up the IP address of AC 2

Verifying the configuration

1. When AC 1 goes down, AC 3 becomes the new active AC.

2. When AC 1 recovers, the AP connecting to AC 3 connects to AC 1 again. This is because the highest AP connection priority of 7 on AC 1 ensures an automatic switchover.
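Which AC an AP ends up on under the AP connection priority and AC backup settings of the 1+1 and 1+N examples above, as an added example that is not H3C code. It encodes only what the two examples state: the AP connects to the reachable AC with the highest configured priority, a standby takes over on heartbeat loss, and after a failover the AP switches back to a recovered AC only when that AC carries the highest priority, 7. The default AP connection priority is not stated on the page, so the value 0 used here is a placeholder; the event sequences are constructed.

```python
from typing import Dict, List, Optional, Set, Tuple

HIGHEST_PRIORITY = 7   # the value the 1+N example calls the highest AP connection priority
DEFAULT_PRIORITY = 0   # placeholder: the page only says the default is lower than 6


class APConnection:
    """Tracks the active AC of one AP as ACs fail and recover."""

    def __init__(self, name: str, priorities: Dict[str, int]):
        self.name = name
        self.priorities = priorities    # AC name -> AP connection priority configured on that AC
        self.active: Optional[str] = None

    def _best(self, up: Set[str]) -> Optional[str]:
        """The reachable AC with the highest AP connection priority."""
        reachable = [ac for ac in self.priorities if ac in up]
        if not reachable:
            return None
        return max(reachable, key=lambda ac: self.priorities[ac])

    def connect(self, up: Set[str]) -> Optional[str]:
        """Initial connection: the highest-priority reachable AC becomes active."""
        self.active = self._best(up)
        return self.active

    def ac_failed(self, ac: str, up: Set[str]) -> Optional[str]:
        """Heartbeat loss on the active AC: a reachable standby AC takes over."""
        if self.active == ac:
            self.active = self._best(up)
        return self.active

    def ac_recovered(self, ac: str, up: Set[str]) -> Optional[str]:
        """A recovered AC only takes the AP back when it holds the highest priority;
        otherwise it joins as the standby and the current active AC keeps serving."""
        if ac != self.active and self.priorities.get(ac, DEFAULT_PRIORITY) == HIGHEST_PRIORITY:
            self.active = ac
        return self.active


def run_1plus1() -> List[Optional[str]]:
    """1+1 fast backup: priority 6 on AC 1, default on AC 2. AC 1 fails, then recovers."""
    ap = APConnection("AP", {"AC 1": 6, "AC 2": DEFAULT_PRIORITY})
    up = {"AC 1", "AC 2"}
    trace = [ap.connect(up)]                              # AC 1 is active
    up.discard("AC 1")
    trace.append(ap.ac_failed("AC 1", up))                # AC 2 takes over
    up.add("AC 1")
    trace.append(ap.ac_recovered("AC 1", up))             # no switchback: 6 is not the highest
    return trace


def run_1plusn() -> List[Tuple[Optional[str], Optional[str]]]:
    """1+N backup: priority 7 for AP 1 on AC 1 and AP 2 on AC 2, AC 3 as shared standby."""
    ap1 = APConnection("AP 1", {"AC 1": HIGHEST_PRIORITY, "AC 3": DEFAULT_PRIORITY})
    ap2 = APConnection("AP 2", {"AC 2": HIGHEST_PRIORITY, "AC 3": DEFAULT_PRIORITY})
    up = {"AC 1", "AC 2", "AC 3"}
    trace = [(ap1.connect(up), ap2.connect(up))]
    up.discard("AC 1")
    trace.append((ap1.ac_failed("AC 1", up), ap2.ac_failed("AC 1", up)))       # AP 1 moves to AC 3
    up.add("AC 1")
    trace.append((ap1.ac_recovered("AC 1", up), ap2.ac_recovered("AC 1", up)))  # AP 1 returns to AC 1
    return trace
```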

AP-based session-mode load balancing configuration example

Network requirements

• As shown in Figure 629, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2.

• Configure session-mode load balancing on the AC. The threshold, that is, the maximum number of sessions, is 5, and the session gap is 4.


Figure 629 Network diagram

Configuration procedure

1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP.

For the related configuration, see "Configuring access services."

2. Configure session-mode load balancing:

a. Select Advanced > Load Balance from the navigation tree.

b. On the Load Balance tab, select the Session mode, enter the threshold 5, and use the default value for the gap.

c. Use the default values for Max Denial Count and RSSI Threshold.

d. Click Apply.

Figure 630 Setting session-mode load balancing


Verifying the configuration

Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. Because the number of clients associated with AP 1 reaches 5, and the session gap between AP 2 and AP 1 reaches 4, Client 7 is associated with AP 1.

Configuration guidelines

An AP starts session-mode load balancing only when both the maximum sessions and maximum session gap are reached.

AP-based traffic-mode load balancing configuration example

Network requirements

• As shown in Figure 631, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2.

• Configure traffic-mode load balancing on the AC. The traffic threshold is 3 Mbps, which corresponds to a threshold value of 10 percent, and the traffic gap is 12 Mbps, which corresponds to a traffic gap value of 40 percent.

Figure 631 Network diagram

Configuration procedure

1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP.

For the related configuration, see "Configuring access services."

2. Configure traffic-mode load balancing:

a. Select Advanced > Load Balance from the navigation tree.

b. On the Load Balance tab, select the Traffic mode, enter the threshold 10, and the traffic gap 40.

c. Use the default values for Max Denial Count and RSSI Threshold.

d. Click Apply.


Figure 632 Setting traffic-mode load balancing

Verifying the configuration

Client 1 and Client 2 are associated with AP 1. Add Client 3 to the network. When the maximum traffic threshold and traffic gap are reached on AP 1, Client 3 is associated with AP 2.

Configuration guidelines

An AP starts traffic-mode load balancing only when both the maximum traffic threshold and maximum traffic gap are reached.

Group-based session-mode load balancing configuration example

Network requirements

• As shown in Figure 633, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2, and no client is associated with AP 3.

• Configure session-mode load balancing on the AC. The maximum number of sessions is 5 and the maximum session gap is 4.

• Session-mode load balancing is required on only radio 2 of AP 1 and radio 2 of AP 2. Therefore, add them into a load balancing group.


Figure 633 Network diagram

Configuration procedure

1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP.

For the related configuration, see "Configuring access services."

2. Configure load balancing:

a. Select Advanced > Load Balance from the navigation tree.

b. On the Load Balance tab, select Session from the Loadbalance Mode list, enter the threshold 5, and use the default value for the gap.

c. Use the default values for Max Denial Count and RSSI Threshold.

d. Click Apply.

Figure 634 Configuring session-mode load balancing

3. Configure a load balancing group:


a. Select Advanced > Load Balance from the navigation tree.

b. Click the Load Balance Group tab to enter the load balancing group configuration page.

c. Click Add.

d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area, click << to add them into the Radios Selected area, and click Apply.

Figure 635 Configuring a load balancing group

Verifying the configuration

• Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Because load balancing takes effect on only radios in a load balancing group, AP 3 does not take part in load balancing.

• Assume Client 7 wants to associate with AP 2. The number of clients associated with radio 2 of AP 2 reaches 5 and the session gap between radio 2 of AP 2 and AP 1 reaches 4, so Client 7 is associated with AP 1.

Group-based traffic-mode load balancing configuration example

Network requirements

• As shown in Figure 636, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2 and AP 3.

• Configure traffic-mode load balancing on the AC. The maximum traffic threshold is 10% and the maximum traffic gap is 20%.

• Traffic-mode load balancing is required on only radio 2 of AP 1 and radio 2 of AP 2. Therefore, add them to a load balancing group.


Figure 636 Network diagram

Configuration procedure

1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP.

For the related configuration, see "Configuring access services."

2. Configure load balancing:

a. Select Advanced > Load Balance from the navigation tree.

b. On the Load Balance tab, select Traffic from the Loadbalance Mode list, enter the threshold 10 and the gap 40.

c. Use the default values for Max Denial Count and RSSI Threshold.

d. Click Apply.


Figure 637 Configuring traffic load balancing

3. Configure a load balancing group:

a. Select Advanced > Load Balance from the navigation tree.

b. Click the Load Balance Group tab to enter the load balancing group configuration page.

c. Click Add.

d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area, click << to add them into the Radios Selected area, and click Apply.

Figure 638 Configuring a load balancing group

Verifying the configuration

• Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Because load balancing takes effect on only radios in a load balancing group, AP 3 does not take part in load balancing.


• Assume Client 3 wants to associate with AP 1. Because the maximum traffic threshold and traffic gap have been reached on radio 2 of AP 1, Client 3 is associated with AP 2.
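The load balancing decision described by Tables 200, 201 and 203 (threshold and gap, Max Denial Count, RSSI Threshold, AP-based versus group-based scope), replayed on the four configuration examples above, as an added example that is not H3C code. The AC's actual algorithm is not published; this model assumes the gap is measured against the least loaded peer radio, that ungrouped radios take no part once any group exists, that a client tries radios in order of strongest RSSI, and it uses constructed Max Denial Count, RSSI Threshold, RSSI and traffic-load values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Radio:
    """One AP radio as the AC sees it (constructed model)."""
    name: str
    sessions: int = 0            # clients currently associated (session mode)
    load_pct: int = 0            # traffic load in percent (traffic mode)
    group: Optional[str] = None  # load balancing group; None = no group


@dataclass
class Policy:
    """The Load Balance tab settings of Tables 200, 201 and 203."""
    mode: str                    # "session" or "traffic"
    threshold: int               # session threshold, or traffic threshold in percent
    gap: int                     # session gap, or traffic gap in percent
    max_denial: int = 3          # Max Denial Count (constructed value)
    rssi_threshold: int = 20     # RSSI Threshold (constructed value)


@dataclass
class Client:
    """A client wanting to associate; rssi maps radio name -> RSSI seen by that radio."""
    name: str
    rssi: Dict[str, int]
    denials: int = 0             # association requests already denied


def load_of(radio: Radio, policy: Policy) -> int:
    return radio.sessions if policy.mode == "session" else radio.load_pct


def peers_of(radio: Radio, radios: List[Radio]) -> List[Radio]:
    """Radios the given radio is balanced against: the other members of its group,
    or, with no group configured at all, every other radio (AP-based balancing)."""
    if radio.group is None and any(r.group is not None for r in radios):
        return []                # a group exists, so ungrouped radios take no part
    return [r for r in radios if r is not radio and r.group == radio.group]


def is_overloaded(radio: Radio, radios: List[Radio], policy: Policy) -> bool:
    """Load balancing starts only when BOTH the threshold and the gap are reached."""
    peers = peers_of(radio, radios)
    if not peers:
        return False
    mine = load_of(radio, policy)
    lightest = min(load_of(p, policy) for p in peers)
    return mine >= policy.threshold and mine - lightest >= policy.gap


def accepts(radio: Radio, radios: List[Radio], policy: Policy, client: Client) -> bool:
    """True if the radio accepts the client's association request."""
    if not is_overloaded(radio, radios, policy):
        return True
    # Max Denial Count: a client denied more than the maximum is assumed unable
    # to associate with any other AP, so the overloaded radio accepts it.
    if client.denials > policy.max_denial:
        return True
    # RSSI Threshold: a radio that sees the client below the threshold counts as
    # not detecting it. If this radio is the only detector, it accepts the client.
    detectors = [n for n, rssi in client.rssi.items() if rssi >= policy.rssi_threshold]
    if detectors == [radio.name]:
        return True
    client.denials += 1
    return False


def associate(client: Client, radios: List[Radio], policy: Policy) -> Optional[str]:
    """Try radios strongest RSSI first; return the name of the radio that accepted."""
    for name, _ in sorted(client.rssi.items(), key=lambda kv: -kv[1]):
        radio = next((r for r in radios if r.name == name), None)
        if radio is not None and accepts(radio, radios, policy, client):
            radio.sessions += 1
            return radio.name
    return None


def demo() -> Dict[str, object]:
    """Replays the AP-based session, AP-based traffic and group-based session examples."""
    out: Dict[str, object] = {}
    # AP-based session mode: threshold 5, gap 4; AP 1 has 1 client, AP 2 has 5.
    session = Policy("session", threshold=5, gap=4)
    radios = [Radio("AP 1", sessions=1), Radio("AP 2", sessions=5)]
    out["session_client7"] = associate(Client("Client 7", {"AP 2": 40, "AP 1": 30}), radios, session)
    # AP-based traffic mode: threshold 10%, gap 40%; AP 1 carries a constructed 50% load.
    traffic = Policy("traffic", threshold=10, gap=40)
    radios = [Radio("AP 1", sessions=2, load_pct=50), Radio("AP 2")]
    out["traffic_client3"] = associate(Client("Client 3", {"AP 1": 40, "AP 2": 30}), radios, traffic)
    # Group-based session mode: only radio 2 of AP 1 and AP 2 are grouped; AP 3 is outside.
    radios = [Radio("ap1 radio 2", sessions=1, group="g1"),
              Radio("ap2 radio 2", sessions=5, group="g1"),
              Radio("ap3 radio 1", sessions=9)]
    out["group_ap3_overloaded"] = is_overloaded(radios[2], radios, session)
    out["group_client7"] = associate(
        Client("Client 7", {"ap2 radio 2": 40, "ap1 radio 2": 30, "ap3 radio 1": 10}), radios, session)
    return out
```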

Wireless location configuration example

Network requirements

As shown in Figure 639, AP 1, AP 2, and AP 3 operate in monitor mode and send the collected Tag and MU messages to an AE (the location server), which performs the location calculation and then sends the data to the graphics software. You can get the location information of the rogue AP, APs, and clients in maps, forms, or reports.

Figure 639 Network diagram

Configuring the AE

1. Configure the IP addresses of AP 1, AP 2, and AP 3 on the AE, or select broadcast for the AE to discover APs.

2. Perform configuration related to wireless location on the AE.

Configuring AP 1 to operate in monitor mode

AP 1, AP 2, and AP 3 are configured similarly; the following describes only how to configure AP 1.

1. Select AP > AP Setup from the navigation tree.

2. Click Add.

3. On the page that appears, enter the AP name ap1, select the model WA2620-AGN, select manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.


Figure 640 Creating an AP

4. Select Security > Rogue Detection from the navigation tree.

5. On the AP Monitor tab, click the icon corresponding to the target AP to enter the page for configuring the work mode.

6. Select the work mode Monitor.

7. Click Apply.

Figure 641 Setting the work mode

Enabling 802.11n

1. Select Radio > Radio from the navigation tree to enter the page for configuring radio.

2. Select the target AP.

3. Click Enable.

Figure 642 Enabling 802.11n (2.4 GHz)


Enabling wireless location

1. Select Advanced > Wireless Location from the navigation tree.

2. On the page that appears, select Enable, and select Tag mode and MU mode for 802.11n (2.4 GHz).

3. Click Apply.

Figure 643 Enabling wireless location

Verifying the configuration

You can display the location information of the rogue AP, APs, and clients in maps, forms, or reports.

Configuration guidelines

• Before you enable the wireless location function, make sure at least three APs operate in monitor or hybrid mode so that the APs can detect Tags and clients not associated with them, and the AE can implement location calculation.

• An AP monitors clients on different channels periodically, so if the Tag message sending interval is configured as 1 second, the AP scans and reports Tag messages every half minute. If higher location efficiency is required, you can set the Tag sending interval to the smallest value, 124 milliseconds.

Wireless sniffer configuration example

Network requirements

As shown in Figure 644, configure a Capture AP, and enable wireless sniffer on this AP to capture wireless packets. The captured packets are then saved in a .dmp file for troubleshooting.


Figure 644 Network diagram

Configuring Capture_AP

1. Select AP > AP Setup from the navigation tree.

2. Click Add.

3. On the page that appears, enter the AP name capture_ap, select the model WA2620-AGN, select manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.

Figure 645 Creating a Capture AP

4. Select Radio > Radio from the navigation tree.

5. Click the icon of the Capture_AP to enter the radio configuration page.

6. Select 6 from the Channel list.

7. Click Apply.


Figure 646 Setting the channel

8. Select Radio > Radio from the navigation tree.

9. Select the target AP.

10. Click Enable.

Figure 647 Enabling 802.11n (2.4 GHz)

Configuring and enabling wireless sniffer

1. Select Advanced > Wireless Sniffer from the navigation tree.

2. On the page that appears, enter the capture limit 5000, enter the file name CapFile, and click Apply.

3. Click the icon corresponding to the target radio to enable wireless sniffer for the radio.


Figure 648 Configuring and enabling wireless sniffer

Verifying the configuration

• Capture AP captures wireless packets and saves the packets to a CAP file in the default storage medium. Administrators can download the file to the PC and get the packet information by using tools like Ethereal.

• When the total number of captured packets reaches the upper limit, Capture AP stops capturing packets.

Band navigation configuration example

Network requirements

As shown in Figure 649, Client 1 through Client 4 try to associate to AP 1, and the two radios of AP 1 operate at 5 GHz and 2.4 GHz. Client 1, Client 2, and Client 3 are dual-band clients, and Client 4 is a single-band (2.4 GHz) client. Configure band navigation to direct clients to different radios of the AP.


Figure 649 Network diagram

Configuring the AC

To enable band navigation to operate properly, make sure of the following:

• The fast association function is disabled. By default, the fast association function is disabled.

• Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.

1. Create an AP:

a. Select AP > AP Setup from the navigation tree.

b. Click New.

c. On the page that appears, enter the AP name ap1, select the model WA2620E-AGN, select manual from the Serial ID list, and enter the AP serial ID in the field.

d. Click Apply.

2. Configure wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.

c. On the page that appears, set the service name to band-navigation, select the wireless service type Clear, and click Apply.

3. Enable wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Select the band-navigation box.

c. Click Enable.

4. Bind an AP radio to the wireless service:

a. Select Wireless Service > Access Service from the navigation tree.

b. Click the icon for the wireless service band-navigation to enter the page for binding an AP radio.

c. Select the boxes before ap1 with radio types 802.11n(2.4GHz) and 802.11n(5GHz).

d. Click Bind.


Figure 650 Binding an AP radio

5. Enable 802.11n(2.4GHz) and 802.11n(5GHz) radios:

a. Select Radio > Radio Setup from the navigation tree.

b. Select the boxes before ap1 with the radio mode 802.11n(2.4GHz) and 802.11n(5GHz).

c. Click Enable.

6. Configure band navigation:

a. Select Advanced > Band Navigation from the navigation tree.

b. On the page that appears, click Enable, type 2 for Session Threshold and 1 for Gap, and use the default values for the other options.

c. Click Apply.

Figure 651 Configuring band navigation

Verifying the configuration

Client 1 and Client 2 are associated to the 5 GHz radio of AP 1, and Client 4 can only be associated to the 2.4 GHz radio of AP 1. Because the number of clients on the 5 GHz radio has reached the upper limit 2, and the gap between the number of clients on the 5 GHz radio and 2.4 GHz radio has reached the session gap 1, Client 3 will be associated to the 2.4 GHz radio of AP 1.
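The decision described above, as an added example that is not part of the H3C guide: a Python simulation of the band navigation rule with the configured Session Threshold 2 and Gap 1. The rule itself is an assumption drawn from the verification text (a dual-band client is steered to 2.4 GHz only when the 5 GHz radio has reached the threshold and leads the 2.4 GHz radio by at least the gap); the client set is constructed, and the simulate() helper also lets you vary the threshold and gap beyond the single case shown here.

```python
"""Added example (not H3C code): simulate the band navigation decision.

Assumed rule, taken from the verification text: a dual-band client is
steered to 5 GHz unless the 5 GHz radio already has at least Session
Threshold clients AND the 5 GHz count exceeds the 2.4 GHz count by at
least Gap; a single-band (2.4 GHz only) client always joins 2.4 GHz.
"""
from dataclasses import dataclass, field


@dataclass
class Client:
    name: str
    dual_band: bool           # False = 2.4 GHz only, like Client 4


@dataclass
class BandNavigation:
    session_threshold: int    # 5 GHz client count at which steering starts
    gap: int                  # required 5 GHz minus 2.4 GHz client count
    radios: dict = field(default_factory=lambda: {"5GHz": [], "2.4GHz": []})

    def choose_band(self, client):
        """Return the radio this client should be directed to."""
        if not client.dual_band:
            return "2.4GHz"
        n5, n24 = len(self.radios["5GHz"]), len(self.radios["2.4GHz"])
        if n5 >= self.session_threshold and (n5 - n24) >= self.gap:
            return "2.4GHz"           # 5 GHz has reached the limit and is too far ahead
        return "5GHz"                 # otherwise prefer the 5 GHz radio

    def associate(self, client):
        """Associate the client and record it on the chosen radio."""
        band = self.choose_band(client)
        self.radios[band].append(client.name)
        return band


def simulate(clients, session_threshold, gap):
    """Associate clients in list order and return {client name: radio}."""
    nav = BandNavigation(session_threshold, gap)
    return {c.name: nav.associate(c) for c in clients}


# Constructed client set matching the example: three dual-band, one 2.4 GHz only.
EXAMPLE_CLIENTS = [Client("Client 1", True), Client("Client 2", True),
                   Client("Client 3", True), Client("Client 4", False)]

if __name__ == "__main__":
    print(simulate(EXAMPLE_CLIENTS, session_threshold=2, gap=1))
```

With threshold 2 and gap 1 the result matches the guide: Client 1 and Client 2 on 5 GHz, Client 3 and Client 4 on 2.4 GHz.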


Configuring stateful failover

NOTE:

Support for the stateful failover feature may vary depending on your device model. For more information, see "Feature matrixes."

Overview

Introduction to stateful failover

Some customers require their wireless networks to be highly reliable to ensure continuous data transmission. In Figure 652, deploying only one AC (even with high reliability) risks a single point of failure and therefore cannot meet the requirement.

Figure 652 Network with one AC deployed

The stateful failover feature (supporting portal service) was introduced to meet the requirement. In Figure 653, two ACs that are enabled with stateful failover are deployed in the network. You need to specify a VLAN on the two ACs as the backup VLAN, and add the interfaces between the ACs to the backup VLAN. The backup VLAN is like a failover link, through which the two ACs exchange state negotiation messages periodically. After the two ACs enter the synchronization state, they back up the service entries of each other to make sure that the service entries on them are consistent. If one AC fails, the other AC, which has already backed up the service information, can take over the services, thus avoiding service interruption.


Figure 653 Network diagram for stateful failover

Introduction to stateful failover states

The stateful failover states include:

• Silence: Indicates that the device has just started, or is transitioning from the synchronization state to the independence state.

• Independence: Indicates that the silence timer has expired, but no failover link is established.

• Synchronization: Indicates that the device has completed state negotiation with the other device and is ready for data backup.

The following figure shows state relations.

Figure 654 Stateful failover state diagram

Configuring stateful failover

1. Select High reliability > Stateful Failover from the navigation tree to enter the stateful failover configuration page, as shown in Figure 655.

2. View the current stateful failover state at the lower part of the page as described in Table 209.


Figure 655 Stateful failover configuration page

3. Configure stateful failover parameters at the upper part of the page as described in Table 208.

4. Click Apply.

Table 208 Configuration items

Item: Enable Stateful Failover
Description: Enable or disable the stateful failover feature.

Item: Backup Type
Description: Select whether to support asymmetric path.
• Unsupport Asymmetric Path. In this mode, sessions enter and leave the internal network through one device. The two devices work in active/standby mode.
• Support Asymmetric Path. In this mode, sessions enter and leave the internal network through different devices to achieve load sharing. The two devices work in active/active mode.

Item: Backup VLAN
Description: Set the backup VLAN. After a VLAN is configured as a backup VLAN, the interfaces in the VLAN are used to transmit stateful failover packets.
IMPORTANT:
• A device uses the VLAN tag plus the protocol number to identify stateful failover packets, and broadcasts stateful failover packets to the peer within the backup VLAN. Therefore, H3C does not recommend configuring other services (such as voice VLAN) on the backup VLAN, to avoid affecting the operation of stateful failover.
• An interface added to the backup VLAN can transmit other packets besides stateful failover packets.

Table 209 Field description

Field: Current Status
Description: Displays the failover state of the device.

Stateful failover configuration example

Network requirements

In Figure 656, the IP address of VLAN-interface 1 on AC 1 is 8.190.1.60/16, and that on AC 2 is 8.190.1.61/16. The client and AP each obtain an IP address from the DHCP server at 8.190.0.13/16, and the ACs perform portal authentication through the IMC server. Configure stateful failover on AC 1 and AC 2 so that when one AC fails, the other AC can take over portal and other services.

Figure 656 Network diagram

NOTE:

The portal group configuration on the two ACs must be consistent.

Configuring AC 1

1. Configure the backup AC and enable fast backup:

a. Select Advanced > AC Backup from the navigation tree to enter the default Setup page, as shown in Figure 657.

b. Select the IPv4 box and type the IP address of AC 2 (8.190.1.61) as the backup AC address, and select enable from the Fast Backup Mode list.

c. Click Apply.


Figure 657 Setup page

2. Configure stateful failover:

a. Select High reliability > Stateful Failover from the navigation tree, as shown in Figure 658.

b. Select the Enable Stateful Failover box, select Unsupport Asymmetric Path from the Backup Type list, and type 2 for Backup VLAN.

c. Click Apply.

Figure 658 Configuring stateful failover

3. Configure RADIUS scheme system:

a. Select Authentication > RADIUS from the navigation tree.

b. Click Add to enter the RADIUS scheme configuration page.

c. Type system for Scheme Name, select Extended for Server Type, and select Without domain name for Username Format.

d. Click Add in the RADIUS Server Configuration field to enter the page as shown in Figure 659.

e. Select Primary Authentication for Server Type, specify 8.1.1.16 as the IPv4 address, and specify 1812 as the port number.

f. Type expert for Key and expert for Confirm Key.

g. Click Apply.


Figure 659 Configuring a primary RADIUS authentication server

h. Click Add in the RADIUS Server Configuration field to enter the page as shown in Figure 660.

i. Select Primary Accounting for Server Type, specify 8.1.1.16 as the IPv4 address, and specify 1813 as the port number.

j. Type expert for Key and expert for Confirm Key.

k. Click Apply.

Figure 660 Configuring a RADIUS accounting server

l. After the configurations are complete, the RADIUS scheme configuration page is as shown in Figure 661. Click Apply.


Figure 661 RADIUS scheme configuration page

4. Configure AAA authentication scheme for ISP domain system:

a. Click the Authentication tab.

b. Select system from the Select an ISP domain list, and select the Default AuthN box.

c. Select RADIUS from the list, and system from the Name list.

d. Click Apply.

A dialog box appears, showing the configuration progress.

e. After the configuration is successfully applied, click Close.

Figure 662 Configuring AAA authentication scheme for the ISP domain


5. Configure AAA authorization scheme for ISP domain system:

a. Click the Authorization tab.

b. Select system from the Select an ISP domain list, and select the Default AuthZ box.

c. Select RADIUS from the list and system from the Name list.

d. Click Apply.

A dialog box appears, showing the configuration progress.

e. After the configuration is successfully applied, click Close.

Figure 663 Configuring AAA authorization scheme for the ISP domain

6. Configure AAA accounting scheme for ISP domain system:

a. Click the Accounting tab.

b. Select system from the Select an ISP domain list, and select the Accounting Optional box.

c. Select Enable from the list, and select the Default Accounting box.

d. Select RADIUS from the list and system from the Name list.

e. Click Apply.

A dialog box appears, showing the configuration progress.

f. After the configuration is successfully applied, click Close.


Figure 664 Configuring AAA accounting scheme for the ISP domain

7. Configure portal authentication:

a. Select Authentication > Portal from the navigation tree to enter the default Portal Server configuration page as shown in Figure 665.

b. Click Add.

c. Select Vlan-interface1 from the Interface list, Add from the Portal Server list, and Direct from the Method list, and select system for Authentication Domain.

d. Type newpt for Server Name, 8.1.1.16 for IP, expert for Key, 50100 for Port, and http://8.1.1.16:8080/portal for URL.

e. Click Apply.


Figure 665 Configuring a portal server

8. Add a portal-free rule:

a. Click the Free Rule tab.

b. Click Add.

c. Type 0 for Number, and select GigabitEthernet1/0/1 as the source interface.

d. Click Apply.


Figure 666 Adding a portal-free rule

9. Configure portal to support stateful failover at the command line interface (CLI):

# Specify AC 1's device ID to be used in stateful failover mode as 1, and specify portal group 2 for VLAN-interface 1.
<AC1>system-view
[AC1]nas device-id 1
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal backup-group 2

# Configure the virtual IP address of VRRP group 1 as 8.190.1.100, and specify the priority of AC 1 as 200. AC 2 uses the default priority.
[AC1-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100
[AC1-Vlan-interface1]vrrp vrid 1 priority 200
[AC1-Vlan-interface1]quit

# Configure the source IP address for RADIUS packets as 8.190.1.100.
[AC1]radius nas-ip 8.190.1.100

# Configure the source IP address for portal packets as 8.190.1.100 (the same as the AC's IP address configured on the IMC server for portal authentication). This command is entered in VLAN-interface 1 view, so re-enter that view first.
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal nas-ip 8.190.1.100

Configuring AC 2

The configuration on AC 2 is similar to that on AC 1 except that:

• When you configure AC backup, specify AC 1's IP address as the backup AC address.

• Specify the device ID to be used in stateful failover mode as 2.

For more information, see the configuration on AC 1.

Configuration guidelines

When you configure stateful failover, follow these guidelines:

• You must configure the 1+1 AC backup function to make sure that the traffic can automatically switch to the other device if one device fails. For more information, see "Advanced settings."


• To back up portal related information from the active device to the standby device, you must configure portal to support stateful failover besides the configurations described in this chapter. For more information, see WX Series Access Controllers Security Configuration Guide.

• Stateful failover can be implemented only between two devices rather than among more than two devices.


Index

A B C D E F G I L M N O P Q R S T U V W

A

AAA configuration example,414 AAA overview,406 AC-AP connection,213 Access control methods,377 Access controller module network scenario,2 Access controller network scenario,2 Access service overview,223 ACL and QoS configuration example,525 ACL overview,493 Adding a DNS server address,198 Adding a domain name suffix,199 Adding a license,64 Admin configuration,10 Advanced settings configuration examples,585 Advanced settings overview,560 Antenna,369 AP configuration,17 AP connection priority configuration example,221 AP group,213 Auto AP,213 Auto AP configuration example,256 Automatic power adjustment configuration example,372

B

Backing up the configuration,82 Bandwidth guarantee configuration example,555 Basic configuration,9

C

CAC service configuration example,551 Certificate management configuration example,461 Clearing dynamic DNS cache,199 Common Web interface elements,35 Configuration examples,102 Configuration guidelines,534 Configuration guidelines,430 Configuration guidelines,466

Configuration guidelines,127 Configuration guidelines,104 Configuration guidelines,140 Configuration guidelines,619 Configuration guidelines,77 Configuration guidelines,170 Configuration guidelines,39 Configuration procedure,432 Configuration summary,19 Configuring 802.1X,378 Configuring a guest,444 Configuring a local user,441 Configuring a MAC address entry,129 Configuring a QoS policy,512 Configuring a RADIUS scheme,419 Configuring a user group,443 Configuring a user profile,447 Configuring AAA,406 Configuring access service,230 Configuring an ACL,494 Configuring an AP,214 Configuring an AP group,220 Configuring an SNMP view,111 Configuring and displaying clients' IP-to-MAC bindings,184 Configuring ARP detection,149 Configuring authorized IP,491 Configuring auto AP,218 Configuring calibration,361 Configuring channel scanning,360 Configuring data transmit rates,356 Configuring DHCP snooping functions on an interface,186 Configuring DNS proxy,198 Configuring dynamic domain name resolution,197 Configuring enhanced licenses,65 Configuring gratuitous ARP,143 Configuring IGMP snooping on a port,155


Configuring IGMP snooping on a VLAN,154 Configuring licenses,64 Configuring line rate,508 Configuring mesh service,311 Configuring other ARP attack protection functions,150 Configuring PKI,450 Configuring portal authentication,386 Configuring rogue device detection,471 Configuring service management,205 Configuring stateful failover,610 Configuring static name resolution table,196 Configuring system name,67 Configuring the bandwidth guarantee function,548 Configuring the blacklist and white list functions,480 Configuring the priority trust mode of a port,509 Configuring user isolation,488 Configuring Web idle timeout period,67 Configuring WIDS,479 Configuring WLAN advanced settings,567 Configuring WLAN roaming,336 Creating a DHCP server group,182 Creating a dynamic address pool for the DHCP server,176 Creating a static address pool for the DHCP server,175 Creating a static ARP entry,142 Creating a user,105 Creating a VLAN,133 Creating an interface,89 Creating an IPv4 static route,164 Creating an IPv6 static route,166

D

Device information,43 DHCP relay agent configuration example,190 DHCP server configuration example,188 DHCP snooping configuration example,192 Displaying AP,49 Displaying ARP entries,141 Displaying clients,57 Displaying clients' IP-to-MAC bindings,187 Displaying file list,85 Displaying IGMP snooping multicast entry information,157 Displaying information about assigned IP addresses,178 Displaying interface information and statistics,87

Displaying SNMP packet statistics,119 Displaying syslog,78 Displaying the client statistics,544 Displaying the IPv4 active route table,163 Displaying the IPv6 active route table,165 Displaying the radio statistics,543 Displaying the system time,73 Displaying WLAN service,45 DNS configuration example,199 Downloading a file,86 Dynamic WEP encryption-802.1X authentication configuration example,297

E

Enabling DHCP,174 Enabling DHCP and configuring advanced parameters for the DHCP relay agent,180 Enabling DHCP snooping,185 Enabling IGMP snooping globally,153 Enabling the DHCP relay agent on an interface,183 Enabling the DHCP server on an interface,178 Enabling wireless QoS,538 Encryption configuration,16

F

Feature matrix for the WX3024E,8 Feature matrix for the WX5000 series,4 Feature matrix for the WX6000 series,5

G

Generating the diagnostic information file,71

I

IGMP snooping configuration examples,158 Initializing the configuration,84 Inter-AC roaming configuration example,342 Interface management configuration example,97 Interface management overview,87 Intra-AC roaming configuration example,338 Introduction to port mirroring,99 Introduction to portal authentication,385 Introduction to the Web interface,21 Introduction to the Web-based NM functions,23 IP configuration,11 IPv4 static route configuration example,167 IPv6 static route configuration example,168

L


Local EAP service configuration example,433 Local MAC authentication configuration example,268 Logging in to the Web interface,20 Logging out of the Web interface,21 Loopback operation,126

M

MAC address configuration example,131 Manual channel adjustment configuration example,370 Mesh DFS configuration example,333 Mesh overview,304 Mesh point-to-multipoint configuration example,331 Modifying a Layer 2 interface,92 Modifying a Layer 3 interface,95 Modifying a port,135 Modifying a VLAN,134

N

Normal WLAN mesh configuration example,326

O

Overview,133 Overview,491 Overview,440 Overview,128 Overview,195 Overview,609 Overview,163 Overview,536 Overview,152 Overview,204 Overview,141

P

Ping operation,208 PKI overview,450 Port mirroring configuration task list,100 Portal authentication configuration example,397 Portal configuration,15

Q

QoS overview,493 Quick start wizard home page,9

R

Radio group configuration example,373 Radio overview,347

Radio setup,350 RADIUS configuration,13 RADIUS configuration example,425 RADIUS overview,419 Rebooting the device,70 Recommended configuration procedure,133 Recommended configuration procedure,153 Recommended configuration procedure,195 Recommended configuration procedure (for DHCP relay agent),179 Recommended configuration procedure (for DHCP server),173 Recommended configuration procedure (for DHCP snooping),185 Remote 802.1X authentication configuration example,284 Remote MAC authentication configuration example,273 Removing a file,86 Removing ARP entries,143 Restoring the configuration,82 Rogue detection configuration example,484

S

Saving the configuration,83 Setting buffer capacity and refresh interval,80 Setting CAC admission policy,540 Setting client EDCA parameters for wireless clients,542 Setting radio EDCA parameters for APs,540 Setting rate limiting,546 Setting the log host,79 Setting the super password,106 Setting the SVP service,539 SNMP configuration example,120 SNMP configuration task list,108 SNMP overview,108 Software upgrade,69 Specifying the main boot file,86 Stateful failover configuration example,611 Static ARP configuration example,144 Subway WLAN mesh configuration example,330 Switching the user access level to the management level,107 System time configuration example,76

T


Trace route operation,211 Tri-radio mesh configuration example,332 Troubleshooting Web browser,40

U

Uploading a file,86 User isolation configuration example,489 User isolation overview,487

V

VLAN configuration examples,137

W

Web user level,22 Wireless configuration,12 Wireless service configuration example,253 Wireless service-based dynamic rate limiting configuration example,554 Wireless service-based static rate limiting configuration example,553 Wireless switch network scenario,3 WLAN roaming configuration examples,338 WLAN RRM overview,347 WLAN security overview,467 WPA-PSK authentication configuration example,263