Hcip-Wlan Lab Guide: Huawei WLAN Certification Training
HCIP-WLAN
Lab Guide
ISSUE: 2.0
Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any
means without prior written consent of Huawei Technologies Co., Ltd.
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of
their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made
between Huawei and the customer. All or part of the products, services and features
described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and
recommendations in this document are provided "AS IS" without warranties,
guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
a warranty of any kind, express or implied.
Overview
This document is applicable to the candidates who are preparing for the HCIA-WLAN
exam and the readers who want to understand the WLAN networking architecture,
WLAN roaming, RRM, access authentication, WLAN planning and optimization, and
WLAN fault troubleshooting.
Description
This lab guide consists of 12 labs. They cover basic configurations and the configuration
and implementation of WLAN networking, reliability, cloud management, access
authentication, roaming, network planning, O&M, and troubleshooting.
⚫ Lab 1: WAC + Fit AP networking. Through basic operations and configurations, this
lab helps readers further understand the WAC + Fit AP networking and understand
basic AP onboarding configurations.
⚫ Lab 2: Leader AP networking. Through basic networking configurations, this lab helps
readers further understand the WAC + Fit AP networking and understand basic AP
onboarding configurations.
⚫ Lab 3: VRRP HSB. This lab focuses on the VRRP HSB networking in the WAC
reliability networking, helping you understand the WLAN reliability networking
architecture and construction method.
⚫ Lab 4: Cloud management networking. This lab helps you get familiar with the
architecture of Huawei cloud management solution and master the methods of
managing WACs and APs on the cloud management platform.
⚫ Lab 5: 802.1X authentication. This lab describes 802.1X authentication security
features and instructs you to deploy 802.1X authentication.
⚫ Lab 6: Portal authentication. This lab describes Portal authentication security features
and instructs you to deploy Portal authentication.
⚫ Lab 7: WLAN roaming. This lab focuses on inter-WAC Layer 3 roaming and its
deployment, helping you get familiar with the WLAN roaming solutions.
⚫ Lab 8: Radio resource management. This lab focuses on WLAN radio calibration, band
steering, load balancing, and user CAC, helping you get familiar with network
optimization methods and implementation methods.
⚫ Lab 9: Indoor WLAN planning. This lab provides instructions on designing an indoor
WLAN so that you can understand how to use the network planning tool and learn
network planning details.
⚫ Lab 10: Outdoor WLAN planning. This lab provides instructions on designing an
outdoor WLAN so that you can understand how to use the network planning tool
and learn network planning details.
HCIP-WLAN V2.0 Lab Guide Page 4
⚫ Lab 11: CampusInsight intelligent O&M. This lab uses CampusInsight to perform
O&M management, helping you get familiar with CampusInsight functions.
⚫ Lab 12: Comprehensive troubleshooting. This lab focuses on troubleshooting faults in
Portal authentication scenarios, helping you rectify faults on a WLAN.
Common Icons
Device Introduction
To meet the HCIP-WLAN lab requirements, it is recommended that each lab environment
adopt the following configurations.
The following table lists the devices, models, and versions.
Lab Topology
1.1 Introduction
1.1.1 About This Lab
This lab instructs you to configure WAC + Fit AP networking to enable APs and STAs to
go online on the WLAN.
1.1.2 Objectives
⚫ Understand the basic configuration process of the WLAN service.
⚫ Configure APs and STAs to go online.
⚫ Describe the WAC + Fit AP networking architecture.
SW-Core    MultiGE0/0/1  Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
SW-Core    MultiGE0/0/9  Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/9  Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
WAC1       GE0/0/1       Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
AP group ap-group1
Password a12345678
SSID wlan-net
# Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the
downlink interface to allow packets from VLANs 100 and 101 to pass through, and set
the PVID to 100. Configure the uplink interface to allow packets from VLANs 100 and 101
to pass through and set the PVID to 1.
# Create VLANs 100 and 101 on SW-Access.
<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101
# Configure the type of the downlink interface on SW-Access and the VLAN to which the
interface belongs.
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit
# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.
# Configure the core switch SW-Core. Create VLANs 100 and 101. Configure the downlink
interface and MultiGE0/0/1 connected to WAC1 to allow packets from VLANs 100 and
101 to pass through.
# Create VLANs 100 and 101 on SW-Core.
<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101
# Configure the type of the downlink interface on SW-Core and the allowed VLANs for
the interface.
# Configure the type of the interface connecting SW-Core to WAC1 and the allowed
VLANs for the interface.
# Configure WAC1. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC1.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101
# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.
# Enable the DHCP service and configure VLANIF 100 on SW-Core to assign IP addresses
to APs.
# Configure the CAPWAP source interface on WAC1. Ensure that the following
parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
# Create an AP group.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit
[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit
# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them
as required.)
[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 9cb2-e82d-54f0
[WAC1-wlan-ap-0] ap-group ap-group1
[WAC1-wlan-ap-0] ap-name AP1
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 9cb2-e82d-5410
[WAC1-wlan-ap-1] ap-group ap-group1
[WAC1-wlan-ap-1] ap-name AP2
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] ap-id 2 ap-mac 9cb2-e82d-5110
[WAC1-wlan-ap-2] ap-group ap-group1
[WAC1-wlan-ap-2] ap-name AP3
[WAC1-wlan-ap-2] quit
[WAC1-wlan-view] quit
# Run the display ap all command to verify that the three APs are online and in normal
state.
# Configure the country code in a regulatory domain profile. The default country code is
CN. (If the device is located outside China, change the country code accordingly.)
[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name domain1
[WAC1-wlan-regulate-domain-domain1] country-code CN
[WAC1-wlan-regulate-domain-domain1] quit
# Create the security profile wlan-net and configure a security policy in the profile.
[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC1-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.
# Bind the VAP profile to the AP group and apply configurations in the VAP profile
wlan-net to radios 0 and 1 on APs in the AP group.
1.3 Verification
1.3.1 Checking the AP Onboarding Status and SSID Information
# Run the display ap all command on WAC1 to check the AP onboarding result.
# The preceding command output shows AP information, including the MAC address, AP
group, dynamically obtained IP address, model, and onboarding status of each AP on
WAC1.
# Run the display vap all command on WAC1 to check VAP information.
# The preceding command output shows VAP information, including the AP name, BSSID
name, SSID name, and authentication mode of a VAP.
# Test the network connectivity between the STA and the service gateway.
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
capwap dtls psk %^%#yo9h*3&U`Ry!ihRA+uoI~E6I,`g2w1U~T9Z3-A^+%^%#
capwap dtls inter-controller psk %^%#Vro-.X&7';8.D+~k{]a0*6,H7.{2[McU1_Q1qxPY%^%#
capwap dtls no-auth enable
#
wlan
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#51sYLQj@,Ph}m2@A1j:Of3n/)t5j=+!I"K+9yB{.%^%# aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110
ap-name AP3
ap-group ap-group1
provision-ap
#
return
1.5 Quiz
During the WLAN service configuration on a WAC, engineers usually group APs and
configure services based on AP groups. Why is it not recommended that WLAN services
be configured based on a single AP?
Answer:
To configure WLAN services on a single AP, the administrator needs to configure WLAN
service parameters on each AP. When there are a large number of APs, the configuration
workload increases. Additionally, when the configuration changes, the administrator
needs to modify the configuration of each AP one by one, which is inconvenient for O&M
and management. This problem can be easily resolved by performing configurations
based on AP groups.
2.1 Introduction
2.1.1 About This Lab
This lab instructs you to configure and verify the leader AP networking to enable APs and
STAs to go online.
2.1.2 Objectives
⚫ Describe the leader AP networking architecture.
⚫ Understand the WLAN service configuration method in the leader AP networking.
⚫ Understand the service check method of the leader AP.
SW-Core    MultiGE0/0/9  Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/9  Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/4  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
AP group default
Password a12345678
SSID wlan-net
AP Zone default
<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101
# Configure the type of the downlink interface on SW-Access and the VLAN to which the
interface belongs.
# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.
# Configure the core switch SW-Core. Create VLANs 100 and 101, and configure the
downlink interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on SW-Core.
<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101
# Configure the type of the downlink interface on SW-Core and the VLAN to which the
interface belongs.
# On SW-Core, check the IP addresses obtained by AP1, AP2, AP3, and AP4.
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
10.23.100.1 10.23.100.254 254 4 250(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
116 10.23.100.117 9cb2-e82d-5110 DHCP 86299 Used
170 10.23.100.171 eca1-d1f7-7dd0 DHCP 86299 Used
213 10.23.100.214 9cb2-e82d-5410 DHCP 86329 Used
224 10.23.100.225 9cb2-e82d-54f0 DHCP 86304 Used
-------------------------------------------------------------------------------------
# The command output shows that AP1 through AP4 have obtained IP addresses.
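A check a defender can run on this output, as an added example that is not part of the lab guide: it reconciles the leases in the management-VLAN pool against the AP MAC addresses registered on the WAC, so that any other device holding an address on VLAN 100 stands out. The function names and the last lease row (0011-2233-4455) are constructed for illustration; the other rows and MAC addresses are the ones shown in this guide.

```python
import re

MAC = r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
# One lease row of the pool output: Index, IP, Client-ID (MAC), Type, Left, Status.
LEASE_ROW = re.compile(
    r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(" + MAC + r")\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
)
AP_MAC = re.compile(r"\bap-mac\s+(" + MAC + r")\b")


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_leases(pool_output):
    """Return lease rows as dicts; headers, separators and the pool summary are skipped."""
    leases = []
    for line in pool_output.splitlines():
        row = LEASE_ROW.match(line)
        if row:
            _index, ip, mac, kind, left, status = row.groups()
            leases.append({"ip": ip, "mac": normalize_mac(mac), "type": kind,
                           "left": int(left), "status": status})
    return leases


def registered_ap_macs(wac_config):
    """MAC addresses taken from 'ap-id <n> ... ap-mac <mac>' lines of a WAC configuration."""
    return {normalize_mac(m) for m in AP_MAC.findall(wac_config)}


def unexpected_leases(pool_output, wac_config, also_known=()):
    """Leases in use by a MAC that is neither a registered AP nor explicitly known."""
    known = registered_ap_macs(wac_config) | {normalize_mac(m) for m in also_known}
    return [lease for lease in parse_leases(pool_output)
            if lease["status"] == "Used" and lease["mac"] not in known]


# Lease rows from this guide, plus one constructed row (index 230) for an unknown device.
POOL_OUTPUT = """\
 10.23.100.1     10.23.100.254     254     4     250(0)     0     0
 Index              IP   Client-ID         Type    Left   Status
 116     10.23.100.117   9cb2-e82d-5110    DHCP    86299   Used
 170     10.23.100.171   eca1-d1f7-7dd0    DHCP    86299   Used
 213     10.23.100.214   9cb2-e82d-5410    DHCP    86329   Used
 224     10.23.100.225   9cb2-e82d-54f0    DHCP    86304   Used
 230     10.23.100.231   0011-2233-4455    DHCP    86310   Used
"""
# AP entries in the form used by the WAC configuration in Lab 1.
WAC_CONFIG = """\
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110
"""
LEADER_AP = "eca1-d1f7-7dd0"  # AP4, which this lab converts into the leader AP

if __name__ == "__main__":
    for lease in unexpected_leases(POOL_OUTPUT, WAC_CONFIG, also_known=[LEADER_AP]):
        print(f"unexpected device on management VLAN: {lease['ip']} {lease['mac']}")
```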
# By default, an AP works in Fit AP mode. You need to switch AP4 to the Fat AP mode
first.
# This lab assumes that the MAC address of AP4 is eca1-d1f7-7dd0 and that the default IP
address of the leader AP is 169.254.2.1/24.
# Enable the management PC to search for the WLAN with the SSID hw_manage_7dd0
and connect the PC to the WLAN. The wireless network adapter of the management PC
automatically obtains an IP address on the 169.254.2.0/24 network segment. If the IP
address cannot be automatically obtained, manually set the IP address of the
management PC, for example, to 169.254.2.100/24.
# Visit https://169.254.2.1 on a browser to manage AP4. Upon your first login to AP4, you
need to configure the user name and password. In this lab, the user name is admin and
the password is Huawei@123.
# Change the working mode of AP4 to Fat. Then AP4 automatically restarts.
# After AP4 restarts, enable the PC to search for the SSID HUAWEI-LeaderAP-7DD0 and
connect the PC to this SSID. If the AP version is V200R021C00 or earlier, visit
https://192.168.1.1; if the AP version is V200R021C01 or later, visit https://169.254.2.1.
# Upon your first login to the leader AP, you need to configure basic information such as
the user name, password, and console port authentication type. In this lab, set the
password to Huawei@123.
# On the page that is displayed, configure the Fit AP account and offline VAP, and set
their passwords both to Huawei@123.
# After you log in to AP4, the system prompts you to configure the AP name and system
time.
# Set the AP name to Leader AP. Set the country and time zone based on the site
requirements. In this lab, set the country to China, time zone to UTC +08:00:00, system
time to Manual, click PC Time, and click Apply.
# Configure WLAN services using the configuration wizard. Choose Wizard > Config
Wizard and click Multi-AP Configuration, as shown in the following figure.
# Set Internet access mode to Bridging. In this lab, SW-Core serves as both the AP
gateway and service gateway, the management VLAN of the AP is VLAN 100, and the
service VLAN is VLAN 101.
# Configure Wi-Fi signals. Set Wireless network name to wlan-net, Service VLAN ID to
101, Encryption mode to Password authentication, and Key to a12345678. Select all valid
radios and click Apply.
2.3 Verification
2.3.1 Checking the AP Onboarding Status and SSID Information
# On the web page, choose Monitoring > Summary. The onboarding status, SSID, and
device status of each AP on the leader AP are displayed.
# Test the network connectivity between the STA and the service gateway.
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
return
#
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif1
http server enable
#
vlan batch 100 to 101
#
dhcp enable
#
acl name nat 2000
rule 1 permit
#
interface Vlanif1
nat outbound 2000
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 169.254.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 169.254.2.1
#
interface Vlanif101
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/0
port hybrid tagged vlan 2 to 4094
dhcp snooping trusted
#
interface MultiGE0/0/0
port hybrid tagged vlan 2 to 4094
dhcp snooping trusted
#
interface NULL0
#
interface LoopBack1023
ip address 192.168.254.254 255.255.255.255
#
capwap dtls control-link encrypt off
#
wlan
temporary-management psk %^%#G6e>(-F%#0224pAP=ww-{d9uW99'GH<=Ls829jd2%^%#
ap username admin password cipher %^%#2:|"2joHRTx#3S:3RhXG.C)-HN+d--t@^y<1i8E,%^%#
traffic-profile name default
traffic-profile name huawei-leaderap
traffic-profile name webf0BpYGRa8w7E
security-profile name default
security-profile name huawei-leaderap
security open
security-profile name webf0BpYGRa8w7E
security wpa-wpa2 psk pass-phrase %^%#.F}COC([W0!x-j"1FZJK),9M<:I]KL1%8NY)]I65%^%# aes
ssid-profile name default
ssid-profile name huawei-leaderap
ssid HUAWEI-LeaderAP-7DD0
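The configuration dumps in Labs 1 and 2 contain several settings worth reviewing before a configuration like this leaves the lab. The script below is an added example, not part of the lab guide: it resolves each VAP profile to its SSID and security policy and flags the weak settings that occur in those dumps. The finding texts are this example's own reading of the commands, the cipher text is replaced by a placeholder, and the vap-profile binding for huawei-leaderap is constructed because the leader AP dump above breaks off before its VAP profiles.

```python
import re

# Global lines that relax CAPWAP tunnel protection; both occur in this guide's dumps.
GLOBAL_FLAGS = {
    "capwap dtls no-auth enable": "CAPWAP DTLS sessions are accepted without authentication",
    "capwap dtls control-link encrypt off": "CAPWAP control link is not DTLS-encrypted",
}
PROFILE = re.compile(r"^(security-profile|ssid-profile|vap-profile) name (\S+)$")
OTHER_OBJECT = re.compile(r"^\S+ name \S+$|^ap-id \d+ ")


def parse_profiles(config):
    """Collect the child lines of each profile. The dumps in this guide lost their
    indentation, so a profile runs until the next object header or '#' separator."""
    profiles = {"security-profile": {}, "ssid-profile": {}, "vap-profile": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = PROFILE.match(line)
        if header:
            current = profiles[header.group(1)].setdefault(header.group(2), [])
        elif not line or line == "#" or OTHER_OBJECT.match(line):
            current = None
        elif current is not None:
            current.append(line)
    return profiles


def classify(policy):
    """Findings for the two weak policies that occur in this guide's dumps."""
    if policy == "security open":
        return "open SSID: no authentication and no encryption"
    if policy.startswith("security wpa-wpa2 psk "):
        return "WPA/WPA2 mixed mode with one shared passphrase"
    return None


def first(lines, keyword):
    """Return the first line that starts with 'keyword ', else None."""
    return next((l for l in lines if l.startswith(keyword + " ")), None)


def audit(config):
    """Return (location, setting, finding) tuples for a configuration dump."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line in GLOBAL_FLAGS:
            findings.append(("global", line, GLOBAL_FLAGS[line]))
    prof = parse_profiles(config)
    for vap, children in prof["vap-profile"].items():
        sec_ref = first(children, "security-profile")
        ssid_ref = first(children, "ssid-profile")
        sec_lines = prof["security-profile"].get(sec_ref.split()[1], []) if sec_ref else []
        ssid_lines = prof["ssid-profile"].get(ssid_ref.split()[1], []) if ssid_ref else []
        policy = first(sec_lines, "security")
        ssid = first(ssid_lines, "ssid")
        issue = classify(policy) if policy else None
        if issue:
            name = ssid.split(None, 1)[1] if ssid else "unknown"
            # Report only the policy keywords, never the pass-phrase field.
            findings.append((f"vap-profile {vap} (SSID {name})",
                             policy.split(" pass-phrase")[0], issue))
    return findings


# Constructed sample assembled from lines of the Lab 1 and Lab 2 dumps.
SAMPLE = """\
capwap source interface vlanif100
capwap dtls no-auth enable
#
capwap dtls control-link encrypt off
#
wlan
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase <cipher-text> aes
security-profile name huawei-leaderap
security open
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name huawei-leaderap
ssid HUAWEI-LeaderAP-7DD0
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name huawei-leaderap
ssid-profile huawei-leaderap
security-profile huawei-leaderap
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
#
return
"""

if __name__ == "__main__":
    for where, setting, finding in audit(SAMPLE):
        print(f"{where}: {setting} -> {finding}")
```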
2.5 Quiz
What are the differences between the bridge mode and gateway mode in the leader AP
networking?
Answer:
A leader AP in bridge mode functions as a network bridge and works with an
independent gateway in the uplink direction. The leader AP and Fit APs communicate
with each other on a Layer 2 network. The independent gateway has the DHCP service
enabled to assign IP addresses to STAs and APs. The direct forwarding mode is used,
which reduces the load on the leader AP.
3.1 Introduction
3.1.1 About This Lab
This lab provides instructions on configuring and commissioning WLAN reliability
networking so that you can understand how to deploy Huawei WLAN reliability
networking solutions.
3.1.2 Objectives
⚫ Describe WLAN reliability networking modes.
⚫ Understand how to configure VRRP HSB networking.
SW-Core    MultiGE0/0/1  Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
SW-Core    MultiGE0/0/2  Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
SW-Core    MultiGE0/0/9  Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/9  Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk  PVID: 100  Allow-pass: VLANs 100 and 101
WAC1       GE0/0/1       Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
WAC2       GE0/0/1       Trunk  PVID: 1    Allow-pass: VLANs 100 and 101
AP group ap-group1
Password a12345678
SSID wlan-net
# Configure the core switch SW-Core. Create VLANs 100 and 101, configure the modes of
interfaces, and configure the interfaces to allow packets from VLANs 100 and 101 to pass
through.
# Create VLANs 100 and 101 on SW-Core.
<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101
# Configure the type of the downlink interface on SW-Core and the allowed VLANs for
the interface.
# Configure the types of the interfaces connecting SW-Core to WAC1 and WAC2, and the
allowed VLANs for the interface.
# Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the
downlink interface to allow packets from VLANs 100 and 101 to pass through, and set
the PVID to 100. Configure the uplink interface to allow packets from VLANs 100 and 101
to pass through and set the PVID to 1.
# Create VLANs 100 and 101 on SW-Access.
<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101
# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on
SW-Access.
# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.
# Configure WAC1. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC1.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101
# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.
# Configure WAC2. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC2.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC2
[WAC2] vlan batch 100 101
# Configure the type of GE0/0/1 on WAC2 and the allowed VLANs for the interface.
# Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs. Enable
the DHCP service on SW-Core, configure VLANIF 100 to assign IP addresses (excluding
some IP addresses reserved for VRRP) to APs.
# Create a management VRRP group on WAC1. Set the priority of WAC1 in the
management VRRP group to 120 and the preemption delay to 1800 seconds.
# Create an HSB service on WAC1 and configure the IP addresses and port numbers for
the active and standby channels. Set the retransmission time and interval of the HSB
service.
[WAC1] hsb-service 0
[WAC1-hsb-service-0] service-ip-port local-ip 10.23.100.1 peer-ip 10.23.100.2 local-data-port 10241 peer-data-port 10241
[WAC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC1-hsb-service-0] quit
# Create an HSB group on WAC1, and bind the HSB service and the management VRRP
group to the HSB group.
[WAC1] hsb-group 0
[WAC1-hsb-group-0] bind-service 0
[WAC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[WAC1-hsb-group-0] quit
[WAC1] hsb-group 0
[WAC1-hsb-group-0] hsb enable
[WAC1-hsb-group-0] quit
# Create an HSB service on WAC2 and configure the IP addresses and port numbers for
the active and standby channels. Set the retransmission time and interval of the HSB
service.
[WAC2] hsb-service 0
[WAC2-hsb-service-0] service-ip-port local-ip 10.23.100.2 peer-ip 10.23.100.1 local-data-port 10241 peer-data-port 10241
[WAC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC2-hsb-service-0] quit
# Create an HSB group on WAC2, and bind the HSB service and the management VRRP
group to the HSB group.
[WAC2] hsb-group 0
[WAC2-hsb-group-0] bind-service 0
[WAC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[WAC2-hsb-group-0] quit
[WAC2] hsb-group 0
[WAC2-hsb-group-0] hsb enable
[WAC2-hsb-group-0] quit
[WAC1] wlan
[WAC1-wlan-view] master controller
[WAC1-master-controller] master-redundancy peer-ip ip-address 10.23.100.2 local-ip ip-address 10.23.100.1 psk Huawei@123
[WAC1-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 100
[WAC1-master-controller] quit
[WAC2] wlan
[WAC2-wlan-view] master controller
[WAC2-master-controller] master-redundancy peer-ip ip-address 10.23.100.1 local-ip ip-address 10.23.100.2 psk Huawei@123
[WAC2-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 100
[WAC2-master-controller] quit
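The HSB and master-redundancy settings above must mirror each other on the two WACs. The script below is an added example, not part of the lab guide: it parses the two CLI transcripts (including commands wrapped across lines) and reports every setting that is not mirrored or not identical. The function names and the mismatched WAC2 transcript are constructed for illustration; treating the keepalive values as required to match follows this guide's symmetric configuration.

```python
import re

PROMPT = re.compile(r"^\[[^\]]+\]\s*(.*)$")
PATTERNS = {
    "hsb": re.compile(
        r"service-ip-port local-ip (?P<local>\S+) peer-ip (?P<peer>\S+) "
        r"local-data-port (?P<lport>\d+) peer-data-port (?P<pport>\d+)$"),
    "keepalive": re.compile(
        r"service-keep-alive detect retransmit (?P<retransmit>\d+) interval (?P<interval>\d+)$"),
    "track": re.compile(r"track vrrp vrid (?P<vrid>\d+) interface (?P<ifname>.+)$"),
    "redundancy": re.compile(
        r"master-redundancy peer-ip ip-address (?P<peer>\S+) "
        r"local-ip ip-address (?P<local>\S+) psk (?P<psk>\S+)$"),
}


def parse_transcript(text):
    """Strip the '[WAC1-...]' prompts, rejoin wrapped commands, extract the settings."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        prompt = PROMPT.match(line)
        if prompt:
            commands.append(prompt.group(1).strip())
        elif line and commands:
            commands[-1] += " " + line  # continuation of a wrapped command
    cfg = {"hsb_enabled": "hsb enable" in commands}
    for command in commands:
        for key, pattern in PATTERNS.items():
            found = pattern.match(command)
            if found:
                cfg[key] = found.groupdict()
    return cfg


def mirror_errors(a, b):
    """Compare the parsed settings of two WACs; an empty list means they mirror each other."""
    errors = [f"{key}: missing on one WAC" for key in PATTERNS if key not in a or key not in b]
    if not (a["hsb_enabled"] and b["hsb_enabled"]):
        errors.append("hsb enable: missing on one WAC")
    if errors:
        return errors
    if (a["hsb"]["local"], a["hsb"]["peer"]) != (b["hsb"]["peer"], b["hsb"]["local"]):
        errors.append("hsb: local-ip/peer-ip are not mirrored")
    if (a["hsb"]["lport"], a["hsb"]["pport"]) != (b["hsb"]["pport"], b["hsb"]["lport"]):
        errors.append("hsb: data ports are not mirrored")
    if a["keepalive"] != b["keepalive"]:
        errors.append("keepalive: retransmit/interval differ")
    tracked = lambda t: (t["vrid"], t["ifname"].replace(" ", "").lower())
    if tracked(a["track"]) != tracked(b["track"]):
        errors.append("track: VRRP group or interface differs")
    ra, rb = a["redundancy"], b["redundancy"]
    if (ra["local"], ra["peer"]) != (rb["peer"], rb["local"]):
        errors.append("redundancy: local-ip/peer-ip are not mirrored")
    if ra["psk"] != rb["psk"]:
        errors.append("redundancy: psk differs")  # the value itself is never echoed
    return errors


# Commands as given in this lab, with the WAC name and addresses as parameters.
TEMPLATE = """\
[{n}] hsb-service 0
[{n}-hsb-service-0] service-ip-port local-ip {local} peer-ip {peer} local-data-port 10241
peer-data-port 10241
[{n}-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[{n}] hsb-group 0
[{n}-hsb-group-0] bind-service 0
[{n}-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[{n}-hsb-group-0] hsb enable
[{n}-master-controller] master-redundancy peer-ip ip-address {peer} local-ip ip-address
{local} psk Huawei@123
[{n}-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 100
"""
WAC1 = TEMPLATE.format(n="WAC1", local="10.23.100.1", peer="10.23.100.2")
WAC2 = TEMPLATE.format(n="WAC2", local="10.23.100.2", peer="10.23.100.1")
# Constructed mistake: WAC2 points at 10.23.100.3 instead of WAC1.
WAC2_BAD = TEMPLATE.format(n="WAC2", local="10.23.100.2", peer="10.23.100.3")

if __name__ == "__main__":
    print(mirror_errors(parse_transcript(WAC1), parse_transcript(WAC2)))
    print(mirror_errors(parse_transcript(WAC1), parse_transcript(WAC2_BAD)))
```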
# Configure the CAPWAP source address on WAC1. Ensure that the following parameters
have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567
# Configure the CAPWAP source address on WAC2. Ensure that the following parameters
have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567
# Create an AP group.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit
[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit
# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them
as required.)
[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 9cb2-e82d-54f0
[WAC1-wlan-ap-0] ap-group ap-group1
[WAC1-wlan-ap-0] ap-name AP1
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 9cb2-e82d-5410
[WAC1-wlan-ap-1] ap-group ap-group1
[WAC1-wlan-ap-1] ap-name AP2
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] ap-id 2 ap-mac 9cb2-e82d-5110
[WAC1-wlan-ap-2] ap-group ap-group1
[WAC1-wlan-ap-2] ap-name AP3
[WAC1-wlan-ap-2] quit
[WAC1-wlan-view] quit
# Create the security profile wlan-net and configure a security policy in the profile.
[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC1-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.
# Bind the VAP profile to the AP group and apply configurations in the VAP profile
wlan-net to radios 0 and 1 on APs in the AP group.
[WAC1] synchronize-configuration
3.3 Verification
3.3.1 Checking the AP Onboarding Status
# Run the display ap all command on WAC1 to verify that the three APs are online and in
normal state.
# Run the display ap all command on WAC2. The three APs are in standby state.
Total: 6
# Check the wireless configuration synchronization status on WAC2. The Status field
displays up, indicating that the configurations have been synchronized.
# Test the network connectivity between the STA and the service gateway.
provision-ap
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.100.2 local-ip ip-address 10.23.100.1 psk %^%#W;HBAZCAY'c:L6*55/MVqK/#T~/{"O(fuW,7OFI'%^%#
#
return
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#51sYLQj@,Ph}m2@A1j:Of3n/)t5j=+!I"K+9yB{.%^%# aes
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
ap-group name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110
ap-name AP3
ap-group ap-group1
provision-ap
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.100.1 local-ip ip-address 10.23.100.2 psk %^%#h$UW(fq2a2o7Gl/GL#JE}gjg1:Fn0*Z&]gVje!B>%^%#
#
return
#
interface Vlanif1
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.1 10.23.100.9
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
3.5 Quiz
In this lab, the hsb-service-type dhcp hsb-group 0 command is used to bind the DHCP
service to an HSB group, and wireless configuration synchronization is configured. What
information is synchronized in the preceding configuration?
Answer:
Two WACs function as DHCP servers in active/standby mode. If the active DHCP server
fails, information about user address assignment will be synchronized to the standby
DHCP server before traffic is switched to the standby DHCP server. This mechanism
ensures that the standby DHCP server can assign IP addresses to users without IP address
conflicts.
4.1 Introduction
4.1.1 About This Lab
This lab instructs you to configure the cloud WAC + Fit AP and the cloud AP networking
modes.
4.1.2 Objectives
⚫ Understand the basic configuration process of the WLAN service.
⚫ Understand the cloud WAC + Fit AP networking architecture and cloud-based WAC
configuration.
⚫ Understand the cloud AP networking architecture and cloud-based AP configuration.
PVID: 1
MultiGE0/0/3 Trunk
Allow-pass: VLANs 100 and 101
PVID: 100
MultiGE0/0/1 Trunk
Allow-pass: VLANs 100 and 101
PVID: 100
MultiGE0/0/2 Trunk
Allow-pass: VLANs 100 and 101
PVID: 100
MultiGE0/0/3 Trunk
SW-Access Allow-pass: VLANs 100 and 101
PVID: 1
MultiGE0/0/5 Trunk
Allow-pass: VLAN 200 201
PVID: 1
MultiGE0/0/9 Trunk Allow-pass: VLANs 100, 101, 200, and 201
PVID: 1
WAC1 GE 0/0/1 Trunk
Allow-pass: VLANs 100 and 101
VLANIF 99 172.21.39.253/17
Management VLAN 100
AP group ap-group1
Password a12345678
SSID wlan-net
Management VLAN 200
AP group default
Password a12345678
SSID ap5
<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101 200 201
# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on
SW-Access.
# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.
<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101 200 201
# Configure the type of the downlink interface on SW-Core and the VLAN to which the
interface belongs.
# Configure the type of the interface connecting SW-Core to WAC3 and the allowed
VLANs for the interface.
# Configure WAC3. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC3.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC3
[WAC3] vlan batch 100 101
# Configure the type of GE0/0/1 on WAC3 and the allowed VLANs for the interface.
# The IP address and gateway of NCE have been configured during software installation
and are not described in this lab.
# The IP address of NCE is 172.21.39.88/17, and the gateway address is 172.21.39.253 (on
SW-Core).
# Configure VLAN and IP address information for SW-Core.
[SW-Core] vlan 99
[SW-Core-vlan99] name Manage
[SW-Core-vlan99] quit
[SW-Core] interface MultiGE 0/0/4
[SW-Core-MultiGE0/0/4] port link-type access
[SW-Core-MultiGE0/0/4] port default vlan 99
[SW-Core-MultiGE0/0/4] quit
[SW-Core] interface Vlanif 99
[SW-Core-Vlanif99] ip address 172.21.39.253 17
[SW-Core-Vlanif99] quit
# Configure a default route for WAC3 and set the next hop address to SW-Core.
# Configure WAC3 to work in cloud mode and specify the IP address and port number of
NCE.
[WAC3] cloud-mng controller ip-address 172.21.39.88 port 10020 source-interface Vlanif 100
[WAC3] pnp startup-vlan receive enable
# Log in to NCE and choose Design > Site Management from the main menu. Create a
site named HCIP-WAC, select LSW and WAC in Device type, and click OK in the lower
right corner.
# Choose Design > Device Management from the main menu. Select the site HCIP-WAC
and choose Add Device > Add.
# On the Manual Add page that is displayed, set Protocol type to NETCONF, Site to
HCIP-WAC, and Mode to Device Model, and click Add.
# On the page that is displayed, set the following parameters and click OK.
# Change the device name to WAC3, enter the ESN, set the description to HCIP, and click
OK.
# On the Device Management page, the status of WAC3 is Normal, indicating that it is now
managed by NCE.
# SW-Core functions as a DHCP server to assign IP addresses to AP1, AP2, AP3, and STAs.
# On SW-Core, enable the DHCP service and configure VLANIF 100 on SW-Core to assign
IP addresses to APs.
# After NCE manages WAC3, APs go online and WLAN services are still configured on
WAC3. The following uses CLI commands as an example.
# Configure AP1, AP2, and AP3 to go online on WAC3. Enable the function of establishing
CAPWAP DTLS sessions in none authentication mode. (V200R021C00 and later versions)
# Configure the CAPWAP source interface on WAC3. Ensure that the following
parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567
[WAC3] wlan
[WAC3-wlan-view] ap auth-mode sn-auth
[WAC3-wlan-view] quit
# Choose Design > Device Management from the main menu. Select the site HCIP-WAC
and click WAC3. The WAC3 management page is displayed.
# Three devices are not managed. Select them and then click Repair.
# In the dialog box that is displayed, select HCIP-WAC and click OK.
# In the Result dialog box that is displayed, the three devices have been repaired
successfully and are managed by NCE.
# On the WAC3 management page, the status of the three APs is Normal and the
running status is normal.
# Identify and change the AP name based on the AP SN. For example, to change the
name of AP1, click the modify icon in the Operation column corresponding to SN
2102353VUR10N5119370 on the device management page.
# After the names of AP1, AP2, and AP3 are changed, the following information is
displayed.
# Create the AP group ap-group1 on WAC3 and add AP1, AP2, and AP3 to the AP group.
[WAC3] wlan
[WAC3-wlan-view] ap-group name ap-group1
[WAC3-wlan-ap-group-ap-group1] quit
[WAC3-wlan-view] ap-id 0
[WAC3-wlan-ap-0] ap-group ap-group1
[WAC3-wlan-ap-0] quit
[WAC3-wlan-view] ap-id 1
[WAC3-wlan-ap-1] ap-group ap-group1
[WAC3-wlan-ap-1] quit
[WAC3-wlan-view] ap-id 2
[WAC3-wlan-ap-2] ap-group ap-group1
[WAC3-wlan-ap-2] quit
# Run the display ap all command to verify that the three APs are online and in normal
state.
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
--------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------------
0 9cb2-e82d-5110 AP3 ap-group1 10.23.100.218 AirEngine5761-11 nor 0 11M:29S -
1 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.27 AirEngine5761-11 nor 0 11M:11S -
2 9cb2-e82d-5410 AP2 ap-group1 10.23.100.222 AirEngine5761-11 nor 0 11M:5S -
--------------------------------------------------------------------------------------------------------
Total: 3
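The display ap all output can also be reconciled against the list of APs that are supposed to be on this WAC, which catches an unexpected MAC address, a renamed or regrouped AP, or an AP that is not in the nor state. The Python below is an added example, not part of the lab guide; the function names are assumptions, and the inventory and sample text reuse the rows shown above.

```python
import re

ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<name>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<ip>\S+)\s+(?P<type>\S+)\s+(?P<state>\S+)\s+(?P<sta>\d+)\s",
    re.IGNORECASE,
)

# Expected APs (MAC -> name, group), taken from the rows in the output above.
INVENTORY = {
    "9cb2-e82d-54f0": ("AP1", "ap-group1"),
    "9cb2-e82d-5410": ("AP2", "ap-group1"),
    "9cb2-e82d-5110": ("AP3", "ap-group1"),
}

# Sample input: the display ap all output above, with the separators shortened.
SAMPLE = """\
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------
0 9cb2-e82d-5110 AP3 ap-group1 10.23.100.218 AirEngine5761-11 nor 0 11M:29S -
1 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.27 AirEngine5761-11 nor 0 11M:11S -
2 9cb2-e82d-5410 AP2 ap-group1 10.23.100.222 AirEngine5761-11 nor 0 11M:5S -
------------------------------------------------------------
Total: 3
"""


def parse_display_ap_all(text):
    """Return (rows, total): one dict per AP row and the number on the Total line."""
    rows = [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]
    total = re.search(r"^Total:\s*(\d+)", text, re.MULTILINE)
    return rows, int(total.group(1)) if total else None


def reconcile(text, inventory):
    """Compare the output with the expected inventory and return findings."""
    rows, total = parse_display_ap_all(text)
    findings = []
    if total is not None and total != len(rows):
        # A mismatch means some rows were not understood; do not trust the rest.
        findings.append(f"Total line says {total} but {len(rows)} AP rows were parsed")
    seen = set()
    for row in rows:
        mac = row["mac"].lower()
        seen.add(mac)
        if mac not in inventory:
            findings.append(f"{mac}: not in inventory (reported as {row['name']} at {row['ip']})")
            continue
        name, group = inventory[mac]
        if (row["name"], row["group"]) != (name, group):
            findings.append(
                f"{mac}: expected {name}/{group}, device reports {row['name']}/{row['group']}")
        if row["state"] != "nor":
            findings.append(f"{mac}: state is {row['state']}, not nor")
    for mac in sorted(set(inventory) - seen):
        findings.append(f"{mac}: in inventory but absent from the output")
    return findings


if __name__ == "__main__":
    print(reconcile(SAMPLE, INVENTORY) or "all APs match the inventory")
```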
[WAC3] wlan
[WAC3-wlan-view] regulatory-domain-profile name domain1
[WAC3-wlan-regulate-domain-domain1] country-code CN
[WAC3-wlan-regulate-domain-domain1] quit
# Create the security profile wlan-net and configure a security policy in the profile.
[WAC3] wlan
[WAC3-wlan-view] security-profile name wlan-net
[WAC3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC3-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.
# Bind the VAP profile to the AP group and apply configurations in the VAP profile wlan-
net to radios 0 and 1 on APs in the AP group.
# Configure SW-Core as a DHCP server to assign IP addresses to AP5 and STAs. Configure
VLANIF 200 on SW-Core to assign an IP address to AP5, switch AP5 to cloud mode
through the DHCP Option 148 field, and carry the NCE's IP address and port number in
DHCP messages. (AP5 has only its factory-default configuration and has not been configured.)
# Configure VLANIF 201 on SW-Core to assign IP addresses to STAs associated with AP5.
Option-subcode : --
Option-type : ascii
Option-value : "agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-
domain=172.21.39.88;agilemanage-port=10020;ap-agilemode=agile-cloud;"
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 10.23.200.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
10.23.200.1 10.23.200.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
221 10.23.200.222 9cb2-e82d-5230 DHCP 86400 Used
-------------------------------------------------------------------------------------
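In this lab the Option 148 string served by the VLANIF 200 pool is what points AP5 at its controller, so it is worth checking the served value against the intended NCE address and port. The following Python sketch is an added example, not part of the lab guide or of any Huawei tool; the function names and the allow-list arguments are assumptions, and the sample text is constructed from the output above.

```python
import ipaddress
import re

REQUIRED = ("agilemode", "agilemanage-mode", "agilemanage-domain", "agilemanage-port")

# Constructed sample: the option lines from the pool display above, keeping the
# line wrap that falls inside the quoted value.
SAMPLE_DISPLAY = """\
 Option-type    : ascii
 Option-value   : "agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-
domain=172.21.39.88;agilemanage-port=10020;ap-agilemode=agile-cloud;"
 DNS-server0    : -
"""


def extract_option_value(display_text):
    """Return the quoted Option-value string with wrapped lines re-joined."""
    match = re.search(r'Option-value\s*:\s*"([^"]*)"', display_text)
    if match is None:
        raise ValueError("no quoted Option-value found")
    return re.sub(r"\s*\n\s*", "", match.group(1))


def parse_option148(value):
    """Split 'key=value;key=value;' into a dict, rejecting ambiguous input."""
    fields = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # the trailing ';' leaves one empty item
        key, sep, val = item.partition("=")
        key, val = key.strip().lower(), val.strip()
        if not sep or not key or not val:
            raise ValueError(f"malformed field {item!r}")
        if key in fields:
            # Two values for one key: which one the AP honours is unknown here.
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = val
    return fields


def check_option148(value, allowed_controllers, allowed_ports):
    """Return findings for one option value; an empty list means it matches."""
    try:
        fields = parse_option148(value)
    except ValueError as exc:
        return [str(exc)]
    findings = [f"missing field {k!r}" for k in REQUIRED if k not in fields]
    if findings:
        return findings
    controller = fields["agilemanage-domain"]
    if fields["agilemanage-mode"] == "ip":
        try:
            controller = str(ipaddress.ip_address(controller))  # normalise form
        except ValueError:
            findings.append(f"controller {controller!r} is not an IP address")
    if controller not in allowed_controllers:
        findings.append(f"controller {controller!r} is not on the allow-list")
    port = fields["agilemanage-port"]
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        findings.append(f"port {port!r} is not a valid port number")
    elif int(port) not in allowed_ports:
        findings.append(f"port {port} is not on the allow-list")
    return findings


if __name__ == "__main__":
    value = extract_option_value(SAMPLE_DISPLAY)
    print(value)
    print(check_option148(value, {"172.21.39.88"}, {10020}) or "matches policy")
```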
# Obtain the device ESN of AP5. You can view the label on the rear of AP5 or run a
command to obtain the ESN.
# Choose Design > Site Management from the main menu of NCE. Create a site named
HCIP-AP and select AP in Device type. In the Add Device area, click By Model, set Device
Type to AP, Device Model to AirEngine5761-11, Quantity to 1, and Role to AP, and click
OK.
# Change the device name to AP5, enter the ESN, set the description to HCIP-AP5, and
click OK.
# Choose Design > Device Management. AP5 is now managed by NCE.
# Choose Design > Device Management and click AP5. The AP5 management page is
displayed. Click Command Line in the upper right corner to perform the CLI-based
configuration for AP5.
<AP5> system-view
[AP5] vlan batch 200 201
# Create the security profile ap5 and configure a security policy in the profile.
[AP5] wlan
[AP5-wlan-view] security-profile name ap5
[AP5-wlan-sec-prof-ap5] security wpa-wpa2 psk pass-phrase a12345678 aes
[AP5-wlan-sec-prof-ap5] quit
# Create the SSID profile ap5 and set the SSID name to ap5.
# Create the VAP profile ap5, set the data forwarding mode and service VLAN, and bind
the security profile and SSID profile to the VAP profile.
[AP5-wlan-view] ap-id 0
[AP5-wlan-ap-0] vap-profile ap5 wlan 1 radio 0
[AP5-wlan-ap-0] vap-profile ap5 wlan 1 radio 1
[AP5-wlan-ap-0] quit
[AP5-wlan-view] quit
4.3 Verification
4.3.1 Checking Cloud Management Information on WAC3
# Run the display cloud-mng info command on WAC3 to check the cloud management
configuration and status.
AC status : Online
Controller URL : -
Controller IP address : 172.21.39.88
Controller port : 10020
Source interface : Vlanif100
Controller address source: configuration
------------------------------------------------------------
C:\Users\admin>ipconfig
Wireless LAN adapter WLAN:
Connection-specific DNS Suffix . . . . . . :
Link-local IPv6 Address . . . . . . . : fe80::3ce1:b4f7:546e:45a1%14
IPv4 Address . . . . . . . . . . . : 10.23.101.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . . . . : 10.23.101.254
C:\Users\admin>ping 10.23.101.254
Pinging 10.23.101.254 with 32 bytes of data:
Reply from 10.23.101.254: bytes=32 time=9ms TTL=254
Reply from 10.23.101.254: bytes=32 time=7ms TTL=254
Reply from 10.23.101.254: bytes=32 time=5ms TTL=254
Reply from 10.23.101.254: bytes=32 time=8ms TTL=254
Ping statistics for 10.23.101.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
Minimum = 5ms, Maximum = 9ms, Average = 7ms
# Connect the STA to the SSID ap5 and test the connectivity.
C:\Users\admin>ipconfig
Wireless LAN adapter WLAN:
Connection-specific DNS Suffix . . . . . . :
Link-local IPv6 Address . . . . . . . : fe80::3ce1:b4f7:546e:45a1%14
IPv4 Address . . . . . . . . . . . : 10.23.201.133
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . . . . : 10.23.201.254
C:\Users\admin>ping 10.23.201.254
Pinging 10.23.201.254 with 32 bytes of data:
Reply from 10.23.201.254: bytes=32 time=5ms TTL=254
Reply from 10.23.201.254: bytes=32 time=8ms TTL=254
Reply from 10.23.201.254: bytes=32 time=6ms TTL=254
Reply from 10.23.201.254: bytes=32 time=4ms TTL=254
Ping statistics for 10.23.201.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 8ms, Average = 5ms
interface NULL0
#
wmi-server
server ip-address 172.21.39.88 port 10032
collect-item device-data interval 300
collect-item radio-data interval 300
collect-item ssid-data interval 300
collect-item interface-data interval 300
collect-item terminal-data interval 300
collect-item log-data disable
collect-item location-data disable
collect-item security-data disable
collect-item application-statistics-data disable
collect-item neighbor-device-data interval 300
collect-item emdi-data disable
collect-item cpcar-data disable
collect-item dns-data enable
collect-item dns-data interval 300
collect-item non-wifi-data enable
collect-item non-wifi-data interval 300
#
wmi-server2
collect-item log-data disable
#
wlan
temporary-management psk %^%#NPjnC\Vs5V}Ov3Y^%kJS*rP[K4iix2Dn`+@0aSGB%^%#
traffic-profile name default
security-profile name ap5
security wpa-wpa2 psk pass-phrase %^%#FzDm;<bTwKdpY@!7Zs(;$]BnEt(sp&U3Z5&MZzjK%^%#
aes
security-profile name default
security-profile name default-mesh
ssid-profile name ap5
ssid ap5
ssid-profile name default
vap-profile name ap5
service-vlan vlan-id 201
ssid-profile ap5
security-profile ap5
vap-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name 5G
air-scan-profile name 2.4G
air-scan-profile name default
rrm-profile name 5G
calibrate min-tx-power 12
airtime-fair-schedule enable
smart-roam quick-kickoff-threshold disable
sta-load-balance dynamic disable
rrm-profile name 2.4G
calibrate min-tx-power radio-5g 9
airtime-fair-schedule enable
smart-roam quick-kickoff-threshold disable
sta-load-balance dynamic disable
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101 200 to 201
#
interface NULL0
#
return
shutdown
#
interface MultiGE0/0/8
shutdown
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101 200 to 201
#
interface NULL0
#
return
4.5 Quiz
In the preceding lab, AP5 is switched to the cloud mode through DHCP. In addition to the
DHCP mode, what methods can be used to switch a Fit AP to the cloud mode?
Answer:
A cloud AP can switch the working mode and obtain the iMaster NCE-Campus address in
the following ways:
⚫ Using a DHCP server: This method has the highest priority and is preferred if the AP can
use multiple methods to obtain the IP address of the iMaster NCE-Campus.
⚫ Obtaining through the registration query center: Low priority.
⚫ Through manual configuration on the CLI or web platform: The priority of this method is
lower than that using a DHCP server but higher than that using the registration query
center.
5.1 Introduction
5.1.1 About This Lab
This lab instructs you to master the basic implementation and configuration methods of
802.1X access authentication.
5.1.2 Objectives
⚫ Understand the basic configuration process of the WLAN service.
⚫ Understand the basic implementation and configuration methods of 802.1X access
authentication.
SW-Core:
  MultiGE0/0/1: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
  MultiGE0/0/9: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access:
  MultiGE0/0/9: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
  MultiGE0/0/1: Trunk; PVID: 100; Allow-pass: VLANs 100 and 101
  MultiGE0/0/2: Trunk; PVID: 100; Allow-pass: VLANs 100 and 101
  MultiGE0/0/3: Trunk; PVID: 100; Allow-pass: VLANs 100 and 101
WAC1:
  GE0/0/1: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
VLANIF 99: 172.21.39.253/17

Management VLAN: 100
AP group: ap-group1
SSID: wlan-net
Authentication profile:
  Name: p1
  Bound profiles and schemes:
    802.1X access profile: d1
    RADIUS server template: radius_huawei
    RADIUS authentication scheme: radius_huawei
    RADIUS accounting scheme: scheme1
Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the
downlink port to allow packets from VLANs 100 and 101 to pass through, and set the
PVID to 100. Configure the uplink port to allow packets from VLANs 100 and 101 to pass
through and set the PVID to 1.
# Create VLANs 100 and 101 on SW-Access.
<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101
# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-
Access.
# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.
Configure the core switch SW-Core. Create VLANs 100 and 101. Configure the downlink
interface and MultiGE0/0/1 connected to WAC1 to allow packets from VLANs 100 and
101 to pass through.
# Create VLANs 100 and 101 on SW-Core.
<Huawei> system-view
# Configure the type of the downlink interface on SW-Core and configure the interface to
allow packets from VLANs 100 and 101 to pass through.
# Configure the type of the interface connecting SW-Core to WAC1 and the allowed
VLANs for the interface.
Configure WAC1. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC1.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101
# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.
# Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs. Enable
the DHCP service on SW-Core and configure VLANIF 100 on SW-Core to assign IP
addresses to APs.
The IP address and gateway of NCE have been configured during software installation
and are not described in this lab. The IP address of NCE is 172.21.39.88/17, and the
gateway address is 172.21.39.253 (on SW-Core).
# Configure VLAN and IP address information for SW-Core.
[SW-Core] vlan 99
[SW-Core-vlan99] name Manage
[SW-Core-vlan99] quit
[SW-Core] interface MultiGE 0/0/4
[SW-Core-MultiGE0/0/4] port link-type access
[SW-Core-MultiGE0/0/4] port default vlan 99
[SW-Core-MultiGE0/0/4] quit
[SW-Core] interface Vlanif 99
[SW-Core-Vlanif99] ip address 172.21.39.253 17
[SW-Core-Vlanif99] quit
# Configure a default route for WAC1 and set the next hop address to SW-Core.
# Configure the CAPWAP source interface on WAC1. Ensure that the following
parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
# Create an AP group.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit
[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit
# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them
as required.)
[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 9cb2-e82d-54f0
[WAC1-wlan-ap-0] ap-group ap-group1
[WAC1-wlan-ap-0] ap-name AP1
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 9cb2-e82d-5410
[WAC1-wlan-ap-1] ap-group ap-group1
[WAC1-wlan-ap-1] ap-name AP2
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] ap-id 2 ap-mac 9cb2-e82d-5110
[WAC1-wlan-ap-2] ap-group ap-group1
[WAC1-wlan-ap-2] ap-name AP3
[WAC1-wlan-ap-2] quit
[WAC1-wlan-view] quit
# Run the display ap all command to verify that the three APs are online and in normal
state.
[WAC1] aaa
[WAC1-aaa] authentication-scheme radius_huawei
[WAC1-aaa-authen-radius_huawei] authentication-mode radius
[WAC1-aaa-authen-radius_huawei] quit
# The accounting realtime command sets the real-time accounting interval, in minutes.
# Configure the 802.1X access profile d1.
[WAC1-dot1x-access-profile-d1] quit
# Configure the authentication profile p1. Create the authentication profile p1, and bind
the 802.1X access profile d1, RADIUS server template radius_huawei, authentication
scheme radius_huawei, and accounting scheme scheme1 to the authentication profile.
# Create the security profile wlan-net and configure a security policy in the profile.
[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa2 dot1x aes
[WAC1-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.
Before configuring access authentication on NCE, you need to create a tenant account
and password, which is not described here.
Create the user name and password for 802.1X authentication on NCE.
# Choose Admission > Admission Resources > User Management from the main menu.
# Choose User Management > User, click +, and create a user group named HCIP-WLAN.
# Select the HCIP-WLAN user group and click Create. On the page that is displayed, set
User name to dot1x-user, Password to Huawei@123, and Available login mode to 802.1X
& Portal 2.0 for 802.1X authentication, and click OK.
# Click Third-party Admission Device and click Create to create a third-party admission
device.
# Set parameters according to the following figure. Set Accounting key and Authorization
key both to Huawei@123, and Accounting interval (min) to 3, which are the same as
those configured on WAC1.
# Click Authentication Rules, click Create, and configure an authentication rule according
to the following figure.
# Click Authorization Rules, click Create, and configure an authorization rule according to
the following figure.
5.3 Verification
5.3.1 Checking the AP Onboarding Status
# Run the display vap all command on WAC1 to check VAP information.
# In the dialog box that is displayed, select Manually connect to a wireless network and
click Next.
# Enter a network name, set Security type and Encryption type, select Start this
connection automatically, and click Next.
# Click the Security tab. Select Microsoft: Protected EAP (PEAP) from the drop-down list
below Choose a network authentication method, and click Settings.
# Deselect Verify the server's identity by validating the certificate, select Secure password
(EAP-MSCHAP v2) from the drop-down list box below Select Authentication Method, and
click Configure. In the dialog box that is displayed, deselect Automatically use my
Windows logon name and password and click OK.
# On the 802.1X settings tab page, select User authentication from the drop-down list
below Specify authentication mode, and click OK.
# Click OK. The 802.1X parameters in the Windows 10 operating system are set.
# After all settings are complete, select the SSID wlan-net and click Connect.
# Enter the correct user name and password (dot1x-user and Huawei@123, respectively,
in this example).
# After the connection is set up, run the ipconfig command to verify that the IP address
obtained by the wireless network adapter is on the network segment 10.23.101.0/24. Run
the ping command to test the network connectivity.
# Choose RADIUS Login and Logout logs > RADIUS Authentication Logs to check
terminal authentication records. The authentication rule is 802.1X, the authorization rule
is 802.1X, and the authentication result is Success.
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss17497
User vlan event : Success
QinQVlan/UserVlan : 0/101
User vlan source : user request
User access time : XXXX
User accounting session ID : WAC1000000000001011d****010004d
User accounting mult session ID : 9CB2E82D54F0081F715390B46321B****F061063
User access type : 802.1x
AP name : AP1
Radio ID :1
AP MAC : 9cb2-e82d-54f0
SSID : wlan-net
Online time : 788(s)
User Group Priority :0
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method :-
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
5.5 Quiz
In this lab, the authentication mode for 802.1X users is set to EAP. What other
authentication modes can be configured for 802.1X users?
Answer:
Run the dot1x authentication-method command to configure the authentication mode
for 802.1X users. The authentication mode for 802.1X users can be set to EAP, CHAP, or
PAP.
EAP: indicates relay authentication using the Extensible Authentication Protocol (EAP).
CHAP: indicates EAP termination authentication using the Challenge Handshake
Authentication Protocol (CHAP).
PAP: indicates EAP termination authentication using the Password Authentication Protocol (PAP).
6.1 Introduction
6.1.1 About This Lab
This lab instructs you to master the basic implementation and configuration methods of
Portal access authentication.
6.1.2 Objectives
⚫ Understand the basic configuration process of the WLAN service.
⚫ Understand the basic implementation and configuration methods of Portal access
authentication.
SW-Core:
  MultiGE0/0/1: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
  MultiGE0/0/9: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access:
  MultiGE0/0/9: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
  MultiGE0/0/1: Trunk; PVID: 100; Allow-pass: VLANs 100 and 101
  MultiGE0/0/2: Trunk; PVID: 100; Allow-pass: VLANs 100 and 101
  MultiGE0/0/3: Trunk; PVID: 100; Allow-pass: VLANs 100 and 101
WAC1:
  GE0/0/1: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
VLANIF 99: 172.21.39.253/17

AP group: ap-group1
SSID: wlan-net
Portal server template:
  Name: abc
  IP address: 172.21.39.88
  URL: https://172.21.39.88:19008/portal
  Destination port number in the packets sent by WAC1 to the Portal server: 50200
  Portal shared key: Huawei@123
Portal access profile:
  Name: portal1
  Bound profile: Portal server template abc
Authentication profile:
  Name: p1
  Bound profiles and schemes:
    Portal access profile portal1
    RADIUS server template radius_huawei
    RADIUS authentication scheme radius_huawei
    RADIUS accounting scheme scheme1
    Authentication-free rule profile free1
[WAC1] aaa
# Configure a URL template. When NCE functions as a Portal server, the default port
number of the Portal page is 19008.
# Configure a Portal server template. When NCE functions as a Portal server, the default
listening port is 50200.
# Create the Portal access profile portal1 and configure Layer 2 Portal authentication.
# An authentication-free rule profile is used to permit basic network access rights, such
as accessing the DNS server, downloading patches, and updating the antivirus signature
database. Only the IP address of the NCE server is permitted in this lab.
# Create the authentication profile p1, and bind the Portal access profile portal1,
authentication-free rule profile free1, RADIUS server template radius_huawei,
# Create the security profile wlan-net and configure a security policy in the profile.
[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security open
[WAC1-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.
Create the user name and password for Portal authentication on NCE.
# Choose Admission > Admission Resources > User Management from the main menu.
# Choose User Management > User, click +, and create a user group named HCIP-WLAN.
# Select the HCIP-WLAN user group and click Create. On the page that is displayed, set
User name to portal-user, Password to Huawei@123, and Available login mode to Portal
and 802.1X & Portal 2.0 for Portal authentication, and click OK.
# Click Third-party Admission Device and click Create to create a third-party admission
device.
# Set parameters according to the following figure. Set Accounting key and Authorization
key both to Huawei@123, and Accounting interval (min) to 3, which are the same as
those configured on WAC1.
# Click Authorization Rules, click Create, and configure an authorization rule according to
the following figure.
Configure the Portal page push policy on NCE. (If there is no special requirement, use the
default page.)
# Choose Admission > Admission Resources > Page Management to manage Portal
pages.
# Click the Portal Page Push Policy tab, click Create, set the parameters
according to the following figures, and click OK.
6.3 Verification
6.3.1 Checking the AP Onboarding Status
# Run the display ap all command on WAC1 to check the AP onboarding status. If the
State field of an AP is displayed as nor, the AP has gone online successfully. The IP
address of the AP is dynamically obtained through DHCP, so the actual IP address depends
on your lab result.
# You are redirected to the Portal authentication page, where you can enter the user
name portal-user and password Huawei@123, and select User notice to log in.
# Verification succeeded is displayed, indicating that you can access network resources.
# Click the Portal Login and Logout Logs tab to check Portal terminal authentication
records.
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method :-
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
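Labs 4 to 6 give the SSID three different security policies (security wpa-wpa2 psk with a pass-phrase, security wpa2 dot1x aes, and security open with Portal authentication). The Python below is an added example, not part of the lab guide or of Huawei tooling: it reads WLAN configuration text in the forms shown in these labs and reports, per VAP profile, which policy the SSID ends up with. The function names, the profile names lab5-net and lab6-net, and the sample text are assumptions constructed for the example.

```python
import re

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[WAC1-wlan-view] " or "<AP5> "
CIPHERTEXT = re.compile(r"%\^%#.+%\^%#")          # saved-config form of a secret
BINDINGS = ("ssid-profile", "security-profile")

# Constructed sample in the saved-config form of the AP5 dump in Lab 4; the
# lab5-net and lab6-net profiles and the ciphertext are made up for this example.
SAMPLE = """\
wlan
 security-profile name ap5
  security wpa-wpa2 psk pass-phrase %^%#constructed-ciphertext%^%#
aes
 security-profile name lab5-net
  security wpa2 dot1x aes
 security-profile name lab6-net
  security open
 ssid-profile name ap5
  ssid ap5
 ssid-profile name lab5-net
  ssid lab5-net
 ssid-profile name lab6-net
  ssid lab6-net
 vap-profile name ap5
  service-vlan vlan-id 201
  ssid-profile ap5
  security-profile ap5
 vap-profile name lab5-net
  ssid-profile lab5-net
  security-profile lab5-net
 vap-profile name lab6-net
  ssid-profile lab6-net
  security-profile lab6-net
"""


def parse_wlan_config(text):
    """Collect security, SSID and VAP profiles from config or CLI transcript text."""
    sec, ssid, vap = {}, {}, {}
    ctx = None  # (profile kind, profile name) currently being read
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words or words[0].startswith("#") or words[0] == "quit":
            ctx = None  # blank line, separator or leaving the profile view
            continue
        if len(words) == 3 and words[1] == "name" and words[0].endswith("-profile"):
            ctx = (words[0], words[2])
            if words[0] == "security-profile":
                sec.setdefault(words[2], None)
            elif words[0] == "vap-profile":
                vap.setdefault(words[2], {})
            continue
        kind, name = ctx or (None, None)
        if kind == "security-profile" and words[0] == "security" and len(words) > 1:
            sec[name] = words[1:]
        elif kind == "security-profile" and words == ["aes"] and sec[name]:
            sec[name].append("aes")  # cipher keyword wrapped onto its own line
        elif kind == "ssid-profile" and words[0] == "ssid" and len(words) > 1:
            ssid[name] = " ".join(words[1:])
        elif kind == "vap-profile" and len(words) == 2 and words[0] in BINDINGS:
            vap[name][words[0]] = words[1]
    return sec, ssid, vap


def assess(policy):
    """Return (kind, findings) for the word list of one 'security ...' line."""
    if policy is None:
        return "unset", ["no security line: the device default policy applies"]
    if policy[0] == "open":
        return "open", ["no link-layer authentication or encryption: access "
                        "control rests on the bound authentication profile"]
    if "dot1x" in policy:
        return "dot1x", []
    if "psk" not in policy:
        return "other", ["policy not recognised by this check: review manually"]
    findings = ["one pass-phrase shared by every station"]
    if policy[0] == "wpa-wpa2":
        findings.append("mixed mode also admits WPA stations")
    secret = policy[policy.index("pass-phrase") + 1] if "pass-phrase" in policy[:-1] else ""
    if secret and not CIPHERTEXT.fullmatch(secret):
        findings.append("pass-phrase present in cleartext")  # value is never echoed
    return "psk", findings


def audit(text):
    """Return one row per VAP profile: SSID, policy kind and findings."""
    sec, ssid, vap = parse_wlan_config(text)
    rows = []
    for name, bound in sorted(vap.items()):
        kind, findings = "unbound", ["no security-profile binding in this text"]
        if "security-profile" in bound:
            kind, findings = assess(sec.get(bound["security-profile"]))
        rows.append({"vap": name, "ssid": ssid.get(bound.get("ssid-profile")),
                     "kind": kind, "findings": findings})
    return rows


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```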
6.5 Quiz
The DNS server is not configured in the preceding lab. What is the function of a DNS
server in Portal authentication?
Answer:
The DNS server parses the domain name sent by a terminal so that the AP can redirect
the terminal to the Portal authentication page. That is, the terminal can be redirected to
the Portal authentication page when accessing any domain name.
7.1 Introduction
7.1.1 About This Lab
This lab activity provides instructions on configuring and commissioning intra-WAC Layer
2 and inter-WAC Layer 3 roaming so that you can understand how to deploy Huawei
WLAN roaming.
7.1.2 Objectives
⚫ Understand the intra-WAC Layer 2 roaming network configuration.
⚫ Understand the inter-WAC Layer 3 roaming network configuration.
SW-Core:
  MultiGE0/0/1: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
  MultiGE0/0/2: Trunk; PVID: 1; Allow-pass: VLANs 200 and 201
  MultiGE0/0/9: Trunk; PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
SW-Access:
  MultiGE0/0/9: Trunk; PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
  MultiGE0/0/1: Trunk; PVID: 100; Allow-pass: VLANs 100 and 101
  MultiGE0/0/2: Trunk; PVID: 100; Allow-pass: VLANs 100 and 101
  MultiGE0/0/3: Trunk; PVID: 200; Allow-pass: VLANs 200 and 201
WAC1:
  GE0/0/1: Trunk; PVID: 1; Allow-pass: VLANs 100 and 101
WAC2:
  GE0/0/1: Trunk; PVID: 1; Allow-pass: VLANs 200 and 201

Management VLAN: 100
AP group: ap-group1
Password: a12345678
SSID: wlan-net

Management VLAN: 200
AP group: ap-group2
Password: a12345678
SSID: wlan-net
<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101 200 201
# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-
Access.
# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.
<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101 200 201
# Configure the type of the downlink interface on SW-Core and configure the interface to
allow packets from VLANs 100, 101, 200, and 201 to pass through.
# Configure the type of the interface connecting SW-Core to WAC1 and the allowed
VLANs for the interface.
# Configure the type of the interface connecting SW-Core to WAC2 and the allowed
VLANs for the interface.
Configure WAC1.
# Create VLANs 100 and 101 on WAC1.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101
# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.
Configure WAC2.
# Create VLANs 200 and 201 on WAC2.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC2
[WAC2] vlan batch 200 201
# Configure the type of GE0/0/1 on WAC2 and the allowed VLANs for the interface.
# Configure WAC1 as a DHCP server to assign IP addresses to AP1, AP2, and STAs.
# Configure the CAPWAP source interface on WAC1. Ensure that the following
parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567
# Create the AP group ap-group1 to which AP1 and AP2 will be added.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit
[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit
# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them
as required.)
[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 9cb2-e82d-54f0
[WAC1-wlan-ap-0] ap-group ap-group1
[WAC1-wlan-ap-0] ap-name AP1
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 9cb2-e82d-5410
[WAC1-wlan-ap-1] ap-group ap-group1
[WAC1-wlan-ap-1] ap-name AP2
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] quit
# Configure the CAPWAP source interface on WAC2. Ensure that the following
parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567
[WAC2-wlan-view] quit
[WAC2] capwap source interface vlanif 200
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may
be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a
version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs
V200R021C00 or later.
[WAC2] wlan
[WAC2-wlan-view] ap-group name ap-group2
[WAC2-wlan-ap-group-ap-group2] quit
[WAC2-wlan-view] quit
[WAC2] wlan
[WAC2-wlan-view] ap auth-mode mac-auth
[WAC2-wlan-view] quit
# Add APs on WAC2. (The APs' MAC addresses here are for reference only. Replace them
as required.)
[WAC2] wlan
[WAC2-wlan-view] ap-id 0 ap-mac 9cb2-e82d-5110
[WAC2-wlan-ap-0] ap-group ap-group2
[WAC2-wlan-ap-0] ap-name AP3
[WAC2-wlan-ap-0] quit
[WAC2-wlan-view] quit
# Configure the country code in a regulatory domain profile. The default country code is
CN. (If the device is located outside China, change the country code accordingly.)
[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name domain1
[WAC1-wlan-regulate-domain-domain1] country-code CN
[WAC1-wlan-regulate-domain-domain1] quit
# Create the security profile wlan-net and configure a security policy in the profile.
[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
# Create the VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.
# Configure the country code in a regulatory domain profile. The default country code is
CN. (If the device is located outside China, change the country code accordingly.)
[WAC2] wlan
[WAC2-wlan-view] regulatory-domain-profile name domain1
[WAC2-wlan-regulate-domain-domain1] country-code CN
[WAC2-wlan-regulate-domain-domain1] quit
# Create the security profile wlan-net and configure a security policy in the profile.
[WAC2] wlan
[WAC2-wlan-view] security-profile name wlan-net
[WAC2-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC2-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
# Create the VAP profile wlan-net2, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.
# Create a mobility group on WAC1, and add WAC1 and WAC2 to the mobility group.
[WAC1] wlan
[WAC1-wlan-view] mobility-group name mob1
[WAC1-mc-mg-mob1] member ip-address 10.23.100.1
[WAC1-mc-mg-mob1] member ip-address 10.23.200.1
[WAC1-mc-mg-mob1] quit
# Create a mobility group on WAC2, and add WAC1 and WAC2 to the mobility group.
[WAC2] wlan
[WAC2-wlan-view] mobility-group name mob1
[WAC2-mc-mg-mob1] member ip-address 10.23.100.1
[WAC2-mc-mg-mob1] member ip-address 10.23.200.1
[WAC2-mc-mg-mob1] quit
The pre-shared key for DTLS encryption between WACs has been configured in the
previous steps. Therefore, you do not need to configure it again.
# Enable DTLS encryption for inter-WAC tunnels on WAC1.
7.3 Verification
7.3.1 Checking the AP Onboarding Status
# Run the display ap all command on WAC1 to check the onboarding status of AP1 and
AP2.
# Run the display ap all command on WAC2 to check the onboarding status of AP3.
Total: 4
# Run the display vap all command on WAC2 to check VAP information.
# Check STA access on WAC1. The command output shows that the STA is connected to
AP1.
----------------------------------------------------------------------------------------------------------
081f-7153-90b4 0 AP1 1/1 5G 11ac 156/144 -31 101 10.23.101.83 wlan-net
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# As the STA gradually moves to the coverage area of AP2, it is found that the STA
roams to AP2.
# As the STA moves to the coverage area of AP3, it is found that the STA roams to AP3.
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface MEth0/0/1
 ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
 ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls inter-controller control-link encrypt on
capwap dtls psk %^%#GE$'=NySIMd>$B62GoO'Mkw:TmVsCChcg,Ni(--%%^%#
capwap dtls inter-controller psk %^%#ntHh31}TQ:k#NH4i%We/,E>xRRT}{Dnduu,AM,^E%^%#
capwap dtls no-auth enable
#
wlan
 temporary-management psk %^%#peYt1<1l-Bs8Jm-DJ)}*/_jF1LDN!+ILS/"\s"wL%^%#
 ap username admin password cipher %^%#O/dj$>]yQ$1V=ZTXMsa'FHcAAV!ApO5S$-;RB8D$%^%#
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#N.vo7TDv>20UvyQiZvqNw<IMUJnR!0%4#{JPK;sG%^%# aes
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name default
 vap-profile name wlan-net1
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 mobility-group name mob1
  member ip-address 10.23.100.1
  member ip-address 10.23.200.1
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-net1 wlan 1
  radio 1
   vap-profile wlan-net1 wlan 1
 ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0 ap-sn 2102353VUR10N5119370
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410 ap-sn 2102353VUR10N5119363
  ap-name AP2
  ap-group ap-group1
 provision-ap
#
return
7.5 Quiz
The same security policy is configured during roaming verification. If different security
policies are configured before and after roaming, can STAs roam successfully?
Answer:
If two roaming APs are configured with different security policies, STAs do not trigger
roaming.
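The roaming prerequisites this lab relies on (the same security policy for the SSID on both WACs, matching mobility-group members, DTLS on the inter-WAC control link) can be checked from two configuration exports before testing with an STA. The Python script below is an added example, not part of the lab guide or of any Huawei tool; the two sample exports are constructed, the function names are hypothetical, and it assumes a security profile without a security line uses the open policy.

```python
import re

# Constructed sample exports modelled on the lab's two WACs (not real device output);
# <ciphertext> stands in for the encrypted pass-phrase string.
WAC1_CFG = """\
capwap dtls inter-controller control-link encrypt on
capwap dtls no-auth enable
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <ciphertext> aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net1
  ssid-profile wlan-net
  security-profile wlan-net
 mobility-group name mob1
  member ip-address 10.23.100.1
  member ip-address 10.23.200.1
"""
WAC2_CFG = """\
capwap source interface vlanif200
#
wlan
 security-profile name wlan-net
  security wpa2 psk pass-phrase <ciphertext> aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net2
  ssid-profile wlan-net
  security-profile wlan-net
 mobility-group name mob1
  member ip-address 10.23.100.1
"""
HEADER = re.compile(r"^([a-z0-9-]+) name (\S+)$")   # e.g. "security-profile name wlan-net"
ENCRYPT = "capwap dtls inter-controller control-link encrypt on"
NO_AUTH = "capwap dtls no-auth enable"

def parse_wac(text):
    """Split an export into top-level lines and {(kind, name): body lines}.
    Indentation is ignored so that flattened copies of a config still parse."""
    top, blocks, current = set(), {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "#", "return"):
            current = None                      # "#" closes the current view
        elif (header := HEADER.match(line)):
            current = blocks.setdefault(header.groups(), [])
        elif current is not None:
            current.append(line)
        else:
            top.add(line)
    return top, blocks

def policy_of(sec_body):
    """Return (policy, auth, cipher) from the body of a security profile."""
    for tok in (line.split() for line in sec_body):
        if tok[0] == "security" and len(tok) > 1:
            # e.g. "security wpa-wpa2 psk pass-phrase <key> aes"; the key itself is skipped
            return tok[1], tok[2] if len(tok) > 2 else "-", tok[-1] if len(tok) > 3 else "-"
    return "open", "-", "-"   # assumption: no security line means the default open policy

def ssid_policies(blocks):
    """Follow each VAP profile's bindings to map SSID -> (policy, auth, cipher)."""
    result = {}
    for (kind, _), body in blocks.items():
        if kind != "vap-profile":
            continue
        refs = dict(l.split(None, 1) for l in body
                    if l.startswith(("ssid-profile ", "security-profile ")))
        ssid_body = blocks.get(("ssid-profile", refs.get("ssid-profile")), [])
        sec_body = blocks.get(("security-profile", refs.get("security-profile")), [])
        ssid = next((l.split(None, 1)[1] for l in ssid_body if l.startswith("ssid ")), None)
        if ssid:
            result[ssid] = policy_of(sec_body)
    return result

def mobility(blocks):
    """Map each mobility group to its set of member IP addresses."""
    return {name: {l.split()[-1] for l in body if l.startswith("member ip-address ")}
            for (kind, name), body in blocks.items() if kind == "mobility-group"}

def check_roaming_pair(cfg_a, cfg_b, names=("WAC1", "WAC2")):
    """List settings that stop STAs roaming between two WACs or weaken the inter-WAC link."""
    (top_a, blk_a), (top_b, blk_b) = parse_wac(cfg_a), parse_wac(cfg_b)
    findings = []
    pol_a, pol_b = ssid_policies(blk_a), ssid_policies(blk_b)
    for ssid in sorted(set(pol_a) & set(pol_b)):
        if pol_a[ssid] != pol_b[ssid]:
            findings.append(f"SSID {ssid}: security policy differs: {pol_a[ssid]} vs {pol_b[ssid]}")
    mob_a, mob_b = mobility(blk_a), mobility(blk_b)
    for group in sorted(set(mob_a) | set(mob_b)):
        if mob_a.get(group) != mob_b.get(group):
            findings.append(f"mobility-group {group}: member lists differ")
    for name, top in zip(names, (top_a, top_b)):
        if ENCRYPT not in top:
            findings.append(f"{name}: inter-WAC control link is not DTLS-encrypted")
        if NO_AUTH in top:
            findings.append(f"{name}: capwap dtls no-auth is enabled")
    return findings
```

Calling check_roaming_pair(WAC1_CFG, WAC2_CFG) returns one finding per mismatch; the pass-phrase is stored as ciphertext in an export, so only the policy, authentication type, and cipher are compared.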
8 RRM Lab
8.1 Introduction
8.1.1 About This Lab
This lab provides instructions on the radio resource management (RRM) configuration,
helping you master the deployment and configuration of RRM technologies.
8.1.2 Objectives
⚫ Understand how to configure WLAN radio calibration.
⚫ Understand how to configure WLAN band steering.
⚫ Understand how to configure WLAN load balancing.
⚫ Understand how to configure CAC for WLAN users.
SW-Core | MultiGE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/1 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/2 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/3 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
WAC1 | GE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core | Vlanif100 | 10.23.100.254/24
SW-Core | Vlanif101 | 10.23.101.254/24
Management VLAN 100
AP group ap-group1
Password a12345678
SSID wlan-net
# Set the radio calibration mode to auto and the default calibration interval to 1440
minutes.
# Enable the global Dynamic Frequency Assignment (DFA) function and set the redundant
radio processing mode to auto-switch.
# Enable the Dynamic Channel Assignment (DCA) and Transmit Power Control (TPC)
functions on the 2.4 GHz frequency band.
# Enable the DCA, TPC, and Dynamic Bandwidth Selection (DBS) functions on the 5 GHz
frequency band. (The DBS function takes effect only on 5 GHz radios.)
# Enable band steering for a VAP. (By default, this function is enabled.)
# Create an RRM profile and configure band steering parameters. Set the start threshold
for the number of access STAs to 90, the percentage threshold for access STAs on 5 GHz
radios to 80%, and the start SNR threshold for 5G-prior access to 18 dB.
# Create radio profiles and bind the RRM profile to the radio profiles.
# Bind the 2.4 GHz radio profile wlan-2g to radio 0 in the AP group and bind the 5 GHz
radio profile wlan-5g to radio 1 in the AP group.
# Configure dynamic load balancing based on the number of STAs. Set the start
threshold for the number of access STAs to 12, the RSSI difference threshold to 5, and the
RSSI threshold of members in a dynamic load balancing group to –63 dBm.
# Configure the user CAC function. Enable CAC based on the number of users and set the
access and roaming thresholds to 40. Enable the function of forbidding access from
weak-signal STAs and set the SNR threshold to 13 dB.
# Enable automatic SSID hiding when the number of access STAs reaches the threshold.
8.3 Verification
8.3.1 Checking RRM Profile Information
# Check the RRM profile configuration on WAC1.
CCA threshold(dBm) :-
High PER threshold(%) : 80
Low PER threshold(%) : 20
Training interval(s) : auto
Training mpdu num : 640
Throughput trigger training threshold (%) : 10
Autonavigation roam optimize beacon interval(TUs): 60
VIP user bandwidth reservation ratio (%) : 20
--------------------------------------------------------------------
AP EDCA parameters:
------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit(32us) Ack-Policy
AC_VO 3 2 1 47 normal
AC_VI 4 3 1 94 normal
AC_BE 6 4 3 0 normal
AC_BK 10 4 7 0 normal
------------------------------------------------------------
Rrm-profile : wlan-rrm
Air-scan-profile : default
Smart-antenna : default
Agile-antenna-polarization : disable
CCA threshold(dBm) :-
High PER threshold(%) : 80
Low PER threshold(%) : 20
Training interval(s) : auto
Training mpdu num : 640
Throughput trigger training threshold (%) : 10
Autonavigation roam optimize beacon interval(TUs): 60
VIP user bandwidth reservation ratio (%) : 20
--------------------------------------------------------------------
AP EDCA parameters:
------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit(32us) Ack-Policy
AC_VO 3 2 1 47 normal
AC_VI 4 3 1 94 normal
AC_BE 6 4 3 0 normal
AC_BK 10 4 7 0 normal
------------------------------------------------------------
interface MultiGE0/0/4
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
8.5 Quiz
In a radio calibration solution, the 2.4 GHz calibration channel set contains channels 1, 6,
and 11 by default. Why are these channels selected in the 2.4 GHz calibration channel
set?
Answer:
Channels 1, 6, and 11 are non-overlapping channels on the 2.4 GHz frequency band,
which can avoid signal interference.
9.1 Introduction
9.1.1 About This Lab
This lab uses the WLAN Planner to plan and design WLANs for indoor scenarios to meet
customers' wireless requirements.
9.1.2 Objectives
⚫ Understand the indoor WLAN planning process.
⚫ Master the basic operations of the WLAN Planner.
9.1.4 Preparations
Preparation for WLAN planning consists of requirements collection and site survey.
Switch location: ELV room in the lower left corner of the floor plan
Determining interference sources: There is no interference source in the WLAN coverage area.
Based on the requirements collection and site survey, the following parameters are
obtained.
Country Code: CN
Terminal type: Laptop, mobile phone, and tablet that support 2x2 MIMO and 40 MHz frequency bandwidth @ 5 GHz
Power supply mode: Power supply by a PoE switch
Switch location: ELV room, meeting the PoE power supply distance requirement
Acceptance items and criteria: No special requirements
Calculate the number of APs required in each area based on the proportions of services in
indoor scenarios and single-AP concurrency specifications.
E-whiteboard (wireless projection) | 32 | 16 | 0% | 0% | 0% | 10%
Gaming | 2 | 1 | 8% | 5% | 10% | 0%
Instant messaging | 0.512 | 0.256 | 35% | 20% | 10% | 10%
No. | Access Bandwidth | Single Radio (5 GHz): Maximum Number of Concurrent STAs | Dual Radios (5 GHz): Maximum Number of Concurrent STAs | Three Radios (2.4 GHz + 5 GHz-1 + 5 GHz-2): Maximum Number of Concurrent STAs
1 | 2 Mbps | 56 | 85 | 141
2 | 4 Mbps | 39 | 56 | 95
3 | 6 Mbps | 27 | 38 | 65
4 | 8 Mbps | 21 | 30 | 51
5 | 16 Mbps | 12 | 18 | 30
Calculate the maximum number of concurrent STAs in each coverage area based on the
collected information. The calculation process is as follows:
There are 40 cubicles in each open office area, with two STAs at each cubicle and a
concurrency rate of 100%. Therefore, the total number of STAs in the open office area is:
160 = 40 x 2 x 2 x 100%.
There are a total of 30 seats in a conference room, with one STA at each seat and a
concurrency rate of 100%. Therefore, the maximum number of concurrent STAs in the
conference room is: 30 = 30 x 1 x 100%.
There are a total of 8 seats in each meeting room, with one STA at each seat and a
concurrency rate of 100%. Therefore, the maximum number of concurrent STAs in the
meeting room is: 8 = 8 x 1 x 100%.
There are a total of 12 seats in the reception room, with two STAs at each seat and a
concurrency rate of 80%. Therefore, the maximum number of concurrent STAs in the
reception room is around: 19 = 12 x 2 x 80%.
Each user in an office has five STAs, with a concurrency rate of 100%. Therefore, the
maximum number of concurrent STAs in the office is: 5 = 1 x 5 x 100%.
Calculate the number of APs required in each coverage area based on the single-AP
concurrency specifications. The calculation formula is as follows: Maximum number of
concurrent STAs/Maximum number of concurrent STAs on a single AP radio to meet the
user access bandwidth. The calculation process is as follows:
In the open office area, the bandwidth requirement is 4 Mbps, and the maximum number
of concurrent dual-radio APs is 56. In this case, the number of required APs is 2 (160/56 ≈
2).
In a conference room, the bandwidth requirement is 8 Mbps, and the maximum number
of concurrent dual-radio APs is 30. In this case, the number of required APs is 1 (30/30 =
1).
In a meeting room, the bandwidth requirement is 8 Mbps, and the maximum number of
concurrent dual-radio APs is 30. In this case, the number of required APs is 1 (8/30 ≈ 1).
In the reception room, the bandwidth requirement is 16 Mbps, and the maximum
number of concurrent dual-radio APs is 18. In this case, the number of required APs is 1
(19/18 ≈ 1).
In the single-person office room, the bandwidth requirement is 16 Mbps, and the
maximum number of concurrent dual-radio APs is 18. In this case, the number of
required APs is 1 (5/18 ≈ 1).
The WLAN Planner is available on the ServiceTurbo Cloud platform, and all users can
apply for the tool. The link is as follows:
https://serviceturbo-cloud-cn.huawei.com/serviceturbocloud/#/toolsummary?entityId=d59de9ac-e4ef-409e-bbdc-eff3d0346b42
# Click Running.
# Read the security management regulations on customer network data and click
Confirm.
# Enter project information based on the site requirements, select I have read and agree
to the Terms of Use, and click OK.
# Create a floor and import the floor plan. In the Create dialog box that is displayed, set
Type to Indoor, enter the name, and click Select File to import the corresponding floor
plan.
# Select a WLAN scenario. For this project, select Office and click Next.
# You can specify a built-in network construction standard as required. For this project,
select Other and click OK.
Set the environment and regions based on the customer requirements collection
checklists and site survey information.
# Set the scale.
# The floor plan width is 45 m. Select any position on the floor plan and set the scale
length to 45 m from left to right.
# Draw obstacles. Draw frames using insulation boundaries, indoor walls using 240 mm
thickened brick walls, and the break room, reception desk, and print room using 12 mm
thickened glass. The following figure shows the final effect.
Select key coverage areas and common coverage areas based on customer requirements,
as shown in the following figure.
# Set region parameters for the conference room (assuming 30 STAs) and meeting
rooms (each assuming 8 STAs).
# You can manually deploy APs one by one or configure automatic deployment and then
manually adjust the number and positions of APs.
# Because only one floor is involved in this project, select Current Floor and click Next.
# Select the required AP model. This project uses the AirEngine 5760-51.
# After the number and positions of APs are manually adjusted, the final effect is as
follows.
Adjust AP parameters.
# Right-click an AP in the activity area and choose Property from the shortcut menu.
(You can drag-select all APs and right-click them for the setting). The AP Attributes page
is displayed.
# Because the customer requires APs to be mounted on the ceiling, retain the default
installation mode of T-rail, height of 2.6 m, working mode of dual-radio mode, and other
parameters. Set the attributes of APs in other areas in the same way.
# Deploy a switch in the ELV room in the lower left corner on the floor plan.
Cables can be routed above the ceilings to directly connect APs and switches.
Check the signal RSSI in key coverage areas (≥ –65 dBm). If an area is not colored,
the RSSI there is lower than –65 dBm.
# Set the signal strength in the simulation diagram to –65 dBm and click Open
simulation.
# In this project, you only need to pay attention to the signal coverage in open office
areas, offices, meeting rooms, and reception room.
Check the signal RSSI in common coverage areas (≥ –70 dBm). If an area is not
colored, the RSSI there is lower than –70 dBm.
# Adjust the signal strength in the simulation diagram to –70 dBm.
# In this project, you only need to pay attention to the signal coverage in the corridor.
If the signal coverage is poor, adjust the number and positions of APs repeatedly to
ensure normal signal simulation.
Check the coverage satisfaction degree to determine whether there are areas with poor
signal coverage.
Before exporting the report, you can check the WLAN planning.
# Check whether there is any problem. If there is any warning item, confirm it. If there is
no problem, export the WLAN planning report.
9.3 Quiz
1. What information needs to be confirmed during requirements collection in the
early phase of WLAN planning and design?
Answer:
1. Laws and regulations: EIRP restrictions and available channels
2. An open office area has 120 cubicles, each of which involves two STAs with a
concurrency rate of 70%. In this case, how many APs need to be deployed to meet the 4
Mbps bandwidth requirement for each STA?
Answer:
Number of access STAs: 120 x 2 = 240
Number of concurrent STAs: 240 x 70% = 168
Based on the single-AP concurrency specifications in this lab, the number of required APs
is calculated as follows: 168/56 = 3.
10.1 Introduction
10.1.1 About This Lab
This lab uses the WLAN Planner to plan and design WLANs for outdoor scenarios to meet
customers' wireless requirements.
10.1.2 Objectives
⚫ Understand the outdoor WLAN planning process.
⚫ Master the basic operations of the WLAN Planner.
10.1.4 Preparations
Preparation for WLAN planning consists of requirements collection and site survey.
Number of access STAs: 300 persons during peak hours, one STA for each person
Determining interference sources: There is no interference source in the WLAN coverage area.
AP installation mode: Wall mounting for APs near stores; pole mounting for APs in
Based on the requirements collection and site survey, the following parameters are
obtained.
Country Code: CN
Bandwidth: Pedestrian street and rest areas (in peak hours): 300 STAs, 4 Mbps, 60% concurrency rate
Terminal type: Mobile phone and tablet that support 2x2 MIMO and 40 MHz frequency bandwidth @ 5 GHz
Power supply mode: Wall-mounted APs can be powered by PoE switches, and pole-mounted APs can be powered by PoE adapters.
Acceptance items and criteria: No special requirements
Calculate the number of APs required in each area based on the proportions of services in
outdoor scenarios and single-AP concurrency specifications.
Streaming media (1080p) | 16 | 12 | 10% | 10% | 20%
Instant messaging | 0.5 | 0.25 | 20% | 20% | 15%
No. | Access Bandwidth | Single Radio (5 GHz): Maximum Number of Concurrent STAs (Single-Radio) | Dual Radios (5 GHz): Maximum Number of Concurrent STAs (Single-Radio) | Three Radios (2.4 GHz + 5 GHz-1 + 5 GHz-2): Maximum Number of Concurrent STAs (Single-Radio)
1 | 2 Mbps | 56 | 85 | 141
2 | 4 Mbps | 39 | 56 | 95
3 | 6 Mbps | 27 | 38 | 65
4 | 8 Mbps | 21 | 30 | 51
5 | 16 Mbps | 12 | 18 | 30
Calculate the maximum number of concurrent STAs in each coverage area based on the
collected information. The calculation process is as follows:
During peak hours in the pedestrian street, there are 300 people, with one STA per user
and a concurrency rate of 60%. Therefore, the total number of terminals in the
pedestrian street scenario is 180 (300 x 1 x 60%).
Calculate the number of APs required in each coverage area based on the single-AP
concurrency specifications. The calculation formula is as follows: Maximum number of
concurrent STAs/Maximum number of concurrent STAs on a single AP radio to meet the
user access bandwidth. The calculation process is as follows:
In the pedestrian street, the bandwidth requirement is 4 Mbps, and the maximum
number of concurrent dual-radio APs is 56. In this case, the number of required APs is 5
(300/18 ≈ 5).
The WLAN Planner is available on the ServiceTurbo Cloud platform, and all users can
apply for the tool. The link is as follows:
https://serviceturbo-cloud-cn.huawei.com/serviceturbocloud/#/toolsummary?entityId=d59de9ac-e4ef-409e-bbdc-eff3d0346b42
# Click Running.
# Read the security management regulations on customer network data and click
Confirm.
# Enter project information based on the site requirements, select I have read and agree
to the Terms of Use, and click OK.
# Add a region and import a floor plan. In the Create dialog box that is displayed, set Type to
Outdoor, enter the area name, and click Select to select a scenario.
# Select a WLAN scenario. For this project, select Road/Walking Street and click Next.
Set the environment and regions based on the customer requirements collection
checklists and site survey information.
# Set the scale.
# The floor plan width is 95 m. Select any position on the floor plan and set the scale
length to 95 m from left to right.
In outdoor scenarios, skip the region setting step and directly go to the device
deployment step. In outdoor scenarios, only manual AP deployment is supported.
# Select a proper AP model on the toolbar and manually deploy APs.
# In this project, the AirEngine 5761R-11 is used as the wall-mounted AP, and the
AirEngine 5761R-11E is used as the pole-mounted AP. The following figure shows the
manual deployment effect.
Adjust AP parameters.
# Right-click an AP in a store area and choose Property from the shortcut menu. (You
can drag-select all APs and right-click them for the setting). The AP Attributes page is
displayed.
# Because the customer requires APs in these areas to be mounted on the walls, set the
installation mode to Hanging and the height to 3 m, and retain default settings of other
parameters. Set the downtilt of both 2.4 GHz and 5 GHz radios to 15 degrees. Set the
attributes of APs in other areas in the same way.
# The APs in the parking lots are installed on poles. The AirEngine 5761R-11E model is
used. Set the parameters as follows.
Check the signal RSSI in key coverage areas (≥ –65 dBm). If an area is not colored,
the RSSI there is lower than –65 dBm.
# Set the signal strength in the simulation diagram to –65 dBm and click Open
simulation.
# In this project, you only need to pay attention to the signal coverage of the pedestrian
street and rest areas.
Check the signal RSSI in common coverage areas (≥ –70 dBm). If an area is not
colored, the RSSI there is lower than –70 dBm.
# Adjust the signal strength in the simulation diagram to –70 dBm.
# In this project, you only need to pay attention to the signal coverage in the parking
lots.
If the signal coverage is poor, adjust the number and positions of APs repeatedly to ensure
normal signal simulation.
Check the coverage satisfaction degree to determine whether there are areas with poor
signal coverage.
Before exporting the report, you can check the network planning.
# Check whether there is any problem. If there is any warning item, confirm it. If there is
no problem, export the network planning report.
10.3 Quiz
1. Which of the following information needs to be determined during requirements
collection in outdoor WLAN planning and design?
Answer:
1. Laws and regulations: EIRP restrictions and available channels
2. What are the differences between the application scenarios of outdoor APs with
omnidirectional and directional antennas? What are their coverage ranges in a scenario
in China?
Answer:
It is recommended that omnidirectional antennas be used in open outdoor areas with a
coverage radius of 60 m to 80 m.
It is recommended that directional antennas be used in outdoor street scenarios with a
coverage length of 120 m to 150 m and a coverage width of 20 m to 35 m.
11.1 Introduction
11.1.1 About This Lab
This lab instructs you to deploy the CampusInsight intelligent O&M platform, helping you
understand how to perform WLAN inspection using the intelligent O&M platform.
11.1.2 Objectives
⚫ Understand how to configure the interconnection between the WAC and
CampusInsight.
⚫ Understand basic O&M functions of CampusInsight.
172.21.0.0/17. WAC1 interworks with the CampusInsight server to report service run logs
and data to the CampusInsight server. The administrator can perform unified and
intelligent O&M on the WLAN through CampusInsight.
SW-Core | MultiGE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/1 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/2 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/3 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
WAC1 | GE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
Vlanif100 10.23.100.254/24
Vlanif99 172.21.39.253/17
AP group ap-group1
Password a12345678
SSID wlan-net
The IP address and gateway of CampusInsight have been configured during software
installation and are not described in this lab. The IP address of CampusInsight is
172.21.39.99/17, and the gateway address is 172.21.39.253 (on SW-Core).
# Configure VLAN and IP address information for SW-Core.
[SW-Core] vlan 99
[SW-Core-vlan99] name Manage
[SW-Core-vlan99] quit
[SW-Core] interface MultiGE 0/0/5
[SW-Core-MultiGE0/0/5] port link-type access
[SW-Core-MultiGE0/0/5] port default vlan 99
[SW-Core-MultiGE0/0/5] quit
[SW-Core] interface Vlanif 99
[SW-Core-Vlanif99] ip address 172.21.39.253 17
[SW-Core-Vlanif99] quit
# Configure a default route for WAC1 and set the next hop address to SW-Core.
WAC1 can be added to CampusInsight for management only after the SNMP protocol is
configured on the device.
# SNMPv2c is an insecure protocol. You are advised to configure SNMPv3, which is more
secure.
# This lab assumes that the SNMP user name is test-user, authentication password is
Huawei@123, and encryption password is Huawei@456. These parameters must be the
same as those configured on CampusInsight.
By default, the device log reporting function supports HTTP/2 and UDP channels. HTTP/2
is recommended.
# Configure the HTTP/2 channel for WAC1.
[WAC1] wlan
[WAC1-wlan-view] wmi-server name test
[WAC1-wlan-wmi-server-prof-test] server ip-address 172.21.39.99 port 27371
[WAC1-wlan-wmi-server-prof-test] collect-item log-data interval 60
[WAC1-wlan-wmi-server-prof-test] ap log module mid FF600000
[WAC1-wlan-wmi-server-prof-test] ap log module mid D0410000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FF620000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FFED0000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FFEF0000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FFF30000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FF2B0000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FE011004
[WAC1-wlan-wmi-server-prof-test] quit
[WAC1-wlan-view] ap-system-profile name default
[WAC1-wlan-ap-system-prof-default] wmi-server test index 2
[WAC1-wlan-ap-system-prof-default] quit
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] ap-system-profile default
[WAC1-wlan-ap-group-ap-group1] quit
Step 7 Configure the function of reporting WLAN service performance metric data.
# This configuration enables the device to proactively report WLAN service performance
metric data to CampusInsight for analysis.
# Add a site. Set the site name to HCIP-test and Parent node to Global, and click OK.
# Choose Inventory > Wired Device, click Add Device, and add a single device.
# After WAC1 is added to CampusInsight, the APs managed by WAC1 are automatically
added to the AP list of CampusInsight. Click Wireless Device. The three APs are online.
# Add a building to the HCIP-test site. Choose Inventory > Site-Region, select HCIP-test,
and click Add.
# Add a floor to Building_01. Choose Inventory > Site-Region, select Building_01, and
click Add.
# Set Type to Floor and Name to First floor, and click Confirm.
# Choose Inventory > Wireless Device, select three APs, and click Move to move the three
APs to First floor.
# Detailed metrics include the access success rate, access time consumption, roaming
fulfillment rate, signal and interference, capacity, and throughput.
11.3 Verification
11.3.1 Checking the SNMP Configuration on WAC1
# Run the display snmp-agent mib-view command on WAC1 to view SNMP MIB
information.
# Run the display snmp-agent group command on WAC1 to view SNMP group
information.
Total number is 1
# Run the display snmp-agent usm-user command on WAC1 to view SNMP user
information.
Total number is 1
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
wmi-server name test
server ip-address 172.21.39.99 port 27371
collect-item device-data interval 60
collect-item radio-data interval 60
collect-item terminal-data interval 60
collect-item log-data interval 60
collect-item non-wifi-data enable
ap log module mid FF2B0000
ap log module mid FE011004
ap log module mid FF600000 name PORTAL
ap log module mid D0410000 name SHELL
ap log module mid FF620000 name DHCP
ap log module mid FFED0000 name SEA
ap log module mid FFEF0000 name WSRV
ap log module mid FFF30000 name WLAN
ap-system-profile name default
lldp report enable
wmi-server test index 2
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-net wlan 1
wids device detect enable
spectrum-analysis enable
channel-monitor enable
radio 1
vap-profile wlan-net wlan 1
wids device detect enable
spectrum-analysis enable
channel-monitor enable
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0 ap-sn 2102353VUR10N5119370
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410 ap-sn 2102353VUR10N5119363
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110 ap-sn 2102353VUR10N5119339
ap-name AP3
ap-group ap-group1
provision-ap
#
return
11.5 Quiz
In this lab, CampusInsight is used to perform intelligent O&M on a WLAN. What are the
advantages of intelligent O&M compared with traditional O&M on the WAC's web page?
Answer:
Visualized experience: Telemetry-based second-level data collection is supported,
visualizing experience of any user in any application at any moment.
Minute-level proactive identification and root cause locating for potential faults: Identify
potential faults based on dynamic baselines and big data association. Accurately locate
root causes based on KPI association analysis and protocol playback.
Predictive network optimization: AI technologies are used to intelligently analyze the load
trend of APs to complete predictive optimization of wireless networks.
12.1 Introduction
12.1.1 About This Lab
This lab instructs you to troubleshoot common faults.
12.1.2 Objectives
⚫ Describe the fault symptoms and related configurations.
⚫ Understand troubleshooting methods.
SW-Core    MultiGE0/0/1  Trunk  PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core    MultiGE0/0/9  Trunk  PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/9  Trunk  PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk  PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk  PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk  PVID: 100; Allow-pass: VLANs 100 and 101
WAC1       GE0/0/1       Trunk  PVID: 1; Allow-pass: VLANs 100 and 101
Vlanif100  10.23.100.254/24
Vlanif99   172.21.39.253/17
Management VLAN: 100
AP group: ap-group1
SSID: wlan-net
Portal server template: Name: abc; IP address: 172.21.39.88; Portal shared key: Huawei@123
Authentication-free rule profile: Name: default_free_rule
Authentication profile: Name: p1
  Bound profiles and schemes:
  Portal access profile portal1
  RADIUS server template radius_huawei
  RADIUS authentication scheme radius_huawei
  RADIUS accounting scheme scheme1
  Authentication-free rule profile default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme scheme1
accounting-mode radius
accounting realtime 3
local-aaa-user password policy administrator
domain default
authentication-scheme default
accounting-scheme default
radius-server default
domain default_admin
authentication-scheme default
accounting-scheme default
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
management-interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#{9Wo7!%#BFZ<@EQ|:JG>Rp<|47s,v>YPa.#^!]A9%^%#
capwap dtls no-auth enable
#
wlan
calibrate flexible-radio auto-switch
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security open
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
#
interface Vlanif99
ip address 172.21.39.253 255.255.128.0
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
port link-type access
port default vlan 99
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
return
# Pre-configure the authentication server. For details, see Step 7 in section 6.2.2
"Configuration Procedure."
# Search for SSIDs on a STA. The STA fails to detect the radio signal wlan-net. In this
case, check whether the AP is online on WAC1.
# The three APs are online, but AP3 is not in the AP group ap-group1. To ensure that
WAC1 delivers unified policies to APs, add AP3 to the correct AP group.
[WAC1] wlan
[WAC1-wlan-view] ap-id 2
[WAC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-2] quit
# Check AP information on WAC1 again. The command output shows that the three APs
are all online and belong to ap-group1.
--------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.225 AirEngine5761-11 nor 0 17M:12S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.214 AirEngine5761-11 nor 0 16M:42S -
2 9cb2-e82d-5110 AP3 ap-group1 10.23.100.117 AirEngine5761-11 nor 0 10S -
--------------------------------------------------------------------------------------------------------
Total: 3
# The command output shows that no AP is associated with any VAP. Check the
configuration of WAC1. The command output shows that the VAP profile is not bound to
any AP group. In this case, modify the configuration as follows.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
# Check VAP information again. The three APs now advertise the SSID wlan-net, but the
status of radio 1 on the APs is OFF, indicating that the 5 GHz radios are disabled and
need to be manually enabled.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio 1
[WAC1-wlan-group-radio-ap-group1/1] undo radio disable
[WAC1-wlan-group-radio-ap-group1/1] quit
Step 3 Troubleshoot STAs' failures to obtain IP addresses after associating with radio
signals.
# After a STA connects to wlan-net, it cannot obtain an IP address. The check result
shows that the data forwarding mode of the VAP is tunnel forwarding, but WAC1 does
not have service VLAN information. In this case, manually create VLAN 101 on WAC1.
# Disconnect the STA from wlan-net and then reconnect the STA to wlan-net. The STA
can obtain an IP address. Run the ipconfig command to verify this.
C:\Users\admin>ipconfig
Wireless LAN adapter WLAN:
# After a STA connects to the SSID wlan-net, open the browser and enter any IP address
in the address box. The Portal authentication page is not displayed.
# There are many reasons for a failure to display the Portal authentication
page. Check whether the authentication profile is correctly bound to the VAP
profile. The VAP configuration is correct.
authentication-profile name p1
authentication-scheme radius_huawei
accounting-scheme scheme1
radius-server radius_huawei
# Check the authentication profile configuration. The command output shows that the
Portal access profile portal1 has been configured in WAC1 and bound to the
authentication profile.
# The Portal authentication page still cannot be displayed on the STA. Check the
configuration of the Portal server template. The IP address and port number of the Portal
server are incorrect. The correct IP address is 172.21.39.88, and the correct port number is
50200.
#
web-auth-server abc
server-ip 172.21.39.89
port 50100
shared-key cipher %^%#N[ePT/1o_2@zKz/>v:dTE_H%#s@Cy<{-|g:s'&\8%^%#
url-template url1
source-ip 10.23.100.1
server-detect
#
# Configure a correct server address and set the shared key to Huawei@123 to ensure
that the shared key is the same as that on NCE.
# Check the Portal service status. The Portal server is in DOWN state.
# Check the configuration. It is found that the Portal server detection function is enabled
on the device, but the authentication server is not configured. Therefore, you need to
manually disable the Portal server detection function.
# Check the status of the Portal server again. The status is UP, as shown in the following
figure.
Ip-address Status
172.21.39.88 UP
# Use the STA to perform the test again. It is found that the Portal authentication page
still cannot be displayed. The port number of the redirected page is 8445, but the default
port number of NCE that functions as the Portal server is 19008. Check the URL template
on WAC1. It is found that the port number in the URL is incorrect, as shown in the
following figure.
#
url-template name url1
url https://172.21.39.88:8445/portal
url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip ac-ip
#
# Disconnect the STA from wlan-net and reconnect the STA to wlan-net. The Portal
authentication page is displayed. After the user name and password are entered, Portal
authentication succeeds.
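The Portal mismatches found in this step can also be caught offline from a saved configuration. The following is an added example, not part of the lab guide or of any Huawei tool: a Python check that compares the web-auth-server and url-template blocks against the planned values stated above. The function names, the PLAN dictionary and the embedded sample (built from the faulty snippets quoted in this step) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Planned values stated in this lab: Portal server 172.21.39.88:50200, NCE page port 19008.
PLAN = {"server_ip": "172.21.39.88", "server_port": 50200, "url_port": 19008}

# Constructed sample: the faulty blocks quoted in this step (shared-key and source-ip omitted).
FAULTY_CONFIG = """#
web-auth-server abc
 server-ip 172.21.39.89
 port 50100
 url-template url1
 server-detect
#
url-template name url1
 url https://172.21.39.88:8445/portal
#
"""

def parse_blocks(config):
    """Split a '#'-delimited configuration dump into {header line: [body lines]}."""
    blocks = {}
    for chunk in re.split(r"^#[ \t]*$", config, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            blocks[lines[0]] = lines[1:]
    return blocks

def audit_portal(config, plan=PLAN):
    """Return findings where the Portal server or URL template deviates from the plan."""
    findings = []
    for header, body in parse_blocks(config).items():
        if header.startswith("web-auth-server "):
            opts = dict(ln.split(None, 1) for ln in body if " " in ln)
            if opts.get("server-ip") != plan["server_ip"]:
                findings.append(f"{header}: server-ip is {opts.get('server-ip')}")
            if opts.get("port") != str(plan["server_port"]):
                findings.append(f"{header}: port is {opts.get('port')}")
            if any(ln.split()[0] == "server-detect" for ln in body):
                findings.append(f"{header}: server-detect is enabled")
        elif header.startswith("url-template name "):
            for ln in body:
                if ln.startswith("url "):
                    url = urlsplit(ln.split(None, 1)[1])
                    if (url.hostname, url.port) != (plan["server_ip"], plan["url_port"]):
                        findings.append(f"{header}: url points to {url.netloc}")
    return findings

print("\n".join(audit_portal(FAULTY_CONFIG)))
```

The server-detect finding mirrors this lab, where detection is disabled because the server showed DOWN; in a deployment that relies on detection, treat it as informational.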
12.3 Verification
12.3.1 Checking VAP Information
# Run the display vap all command on WAC1 to check VAP information.