manualshive.com logo in svg

H3C WA2620X-AGNP, Web-Based Configuration Manual, Page: 288 / 447

Share
Download
H3C WA2620X-AGNP Web-Based Configuration Manual Download Page 288

 

275 

Table 101

 

Configuration items 

Item Description 

Port Mode 

 

mac-else-userlogin-secure

—This mode is the combination of the 

mac-authentication and userlogin-secure modes, with MAC authentication 

having a higher priority. Upon receiving a non-802.1X frame, a port in this 
mode performs only MAC authentication; upon receiving an 802.1X 

frame, the port performs MAC authentication and then, if MAC 

authentication fails, 802.1X authentication.  

 

mac-else-userlogin-secure-ext

—This mode is similar to the 

mac-else-userlogin-secure mode, except that it supports multiple 802.1X 

and MAC authentication users on the port.  

 

userlogin-secure-or-mac

—This mode is the combination of the 

userlogin-secure and mac-authentication modes, with 802.1X 

authentication having a higher priority. For a wireless user, 802.1X 
authentication is performed first. If 802.1X authentication fails, MAC 

authentication is performed.  

 

userlogin-secure-or-mac-ext

—This mode is similar to the 

userlogin-secure-or-mac mode, except that it supports multiple 802.1X and 

MAC authentication users on the port.  

Select

 Wireless Service

 >

 Access Service

 from the navigation tree, and click 

MAC Authentication List

 to enter the page for configuring a MAC 

authentication list. On the page, enter the MAC address of the client. 

Max User 

Control the maximum number of users allowed to access the network through 
the port.  

Mandatory Domain 

Select an existing domain from the drop-down list. After a mandatory domain 
is configured, all 802.1X users accessing the port are forced to use the 
mandatory domain for authentication, authorization, and accounting.  
The default domain is 

system

. To create a domain, select 

Authentication

 > 

AAA

 from the navigation tree, click the 

Domain

 

Setup

 tab, and enter a new 

domain name in the 

Domain

 

Name

 field. 

 

Authentication Method 

 

EAP

—Use the Extensible Authentication Protocol (EAP). With EAP 

authentication, the authenticator encapsulates 802.1X user information in 

the EAP attributes of RADIUS packets and sends the packets to the RADIUS 

server for authentication; it does not need to repackage the EAP packets 
into standard RADIUS packets for authentication.  

 

CHAP

—Use the Challenge Handshake Authentication Protocol (CHAP). 

By default, CHAP is used. CHAP transmits usernames in plain text and 
passwords in cipher text over the network. Therefore this method is safer.  

 

PAP

—Use the Password Authentication Protocol (PAP). PAP transmits 

passwords in plain text. 

 

Handshake 

 

Enable

—Enable the online user handshake function so that the device can 

periodically send handshake messages to a user to check whether the user 

is online. By default, the function is enabled.  

 

Disable

—Disable the online user handshake function.  

Summary of Contents for WA2620X-AGNP

Page 1: ...H3C WA Series Access Points Web Based Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com Document version 6W106 20130802 ...

Page 2: ...ngine SecPath SecCenter SecBlade Comware ITCMM and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of the contents but all stateme...

Page 3: ... refer to wireless bridges with fat AP functions This preface includes Audience Conventions About the H3C WA series access points documentation set Obtaining documentation Technical support Documentation feedback Audience This documentation is intended for Network planners Field technical support and servicing engineers Network administrators working with the WA series Conventions This section des...

Page 4: ...ding and other Layer 2 features Represents an access point Represents omnidirectional signals About the H3C WA series access points documentation set The H3C WA series access points documentation set includes Category Documents Purposes Product description and specifications Marketing brochures Describe product specifications and benefits Hardware specifications and installation Compliance and saf...

Page 5: ...ct documentation on the World Wide Web at http www h3c com Click the links on the top navigation bar to obtain different categories of product documentation Technical Support Documents Technical Documents Provides hardware installation software upgrading and software feature configuration and maintenance documentation Products Solutions Provides information about products and technologies as well ...

Page 6: ...tate 21 Device interface information 21 Recent system logs 22 Displaying WLAN service 22 Displaying detailed information of WLAN service 22 Displaying statistics of WLAN service 25 Displaying connection history information of WLAN service 25 Displaying radio 26 Displaying WLAN services bound to a radio 26 Displaying detailed radio information 26 Displaying WDS 29 Displaying client 30 Displaying cl...

Page 7: ...iguration example 61 TR 069 configuration 63 TR 069 configuration 63 Configuration guidelines 65 User management configuration 66 Creating a user 66 Setting the super password 67 Switching the user access level to the management level 68 SNMP configuration 69 SNMP overview 69 Configuration task list 69 Enabling SNMP 71 Configuring an SNMP view 72 Creating an SNMP view 72 Adding rules to an SNMP vi...

Page 8: ...Overview 114 Displaying the IPv4 active route table 114 Creating an IPv4 static route 115 Displaying the IPv6 active route table 117 Creating an IPv6 static route 118 IPv4 static route configuration example 119 IPv6 static route configuration example 121 Configuration guidelines 123 DHCP overview 124 Recommended configuration procedure 124 Enabling DHCP 125 Creating a static address pool for the D...

Page 9: ... to the web interface 158 Web user level 159 Introduction to the web based NM functions 159 Common web interface elements 167 Configuration guidelines 171 Troubleshooting web browser 172 Failure to access the device through the web interface 172 Radio configuration 175 Configuring radio 175 Configuring data transmit rates 179 Configuring 802 11a 802 11b 802 11g rates 179 Configuring 802 11n MCS 18...

Page 10: ...ring a local user 231 Configuring a user group 234 Configuring a guest 235 Procedure for a management level administrator to configure a guest 235 Procedure for a guest administrator to configure a guest 237 Certificate management 238 PKI overview 238 Configuring PKI 238 Recommended configuration procedure for manual request 239 Recommended configuration procedure for automatic request 240 Creatin...

Page 11: ...ccess service based VLAN configuration example 296 WPA PSK authentication configuration example 298 Local MAC authentication configuration example 303 Remote MAC authentication configuration example 307 Remote 802 1X authentication configuration example 316 Dynamic WEP encryption 802 1X authentication configuration example 328 802 11n configuration example 334 WDS configuration examples 337 WDS co...

Page 12: ...clients 396 Displaying radio statistics 397 Displaying client statistics 399 Setting rate limiting 400 Configuring the bandwidth guarantee function 401 Setting the reference radio bandwidth 401 Setting guaranteed bandwidth 402 Enabling bandwidth guarantee 403 Displaying guaranteed bandwidth settings 404 Wireless QoS configuration examples 404 CAC service configuration example 404 Static rate limit...

Page 13: ...rity configuration 425 WLAN security overview 425 WIDS attack detection 425 Blacklist and white list 426 Configuring WIDS 426 Configuring WIDS 426 Displaying history record 427 Displaying statistics information 427 Configuring the blacklist and white list functions 428 Configuring dynamic blacklist 428 Configuring static blacklist 429 Configuring white list 429 User isolation 431 Configuring user ...

Page 14: ... shows the applicable models and software versions Table 1 Applicable models and software versions Series Model WA2600 series WA2600 series access points indoors WA2612 AGN WA2620 AGN WA2610i GN WA2620i AGN WA2600 series access points enhanced WA2610E AGN WA2620E AGN WA2600 series access points outdoors WA2620X AGNP WA3600 series WA3600 series access points indoors WA3610i GN WA3620i AGN WA3628i A...

Page 15: ...bytes Wireless service Fast association Supported on the APs supporting both 2 4 GHz and 5 GHz radios Supported on the APs supporting both 2 4 GHz and 5 GHz radios Radio Radio 802 11n radio mode is supported Support for 802 11a b g depends on your AP model To check whether a radio mode is supported see the corresponding list on the web page 802 11n bandwidth mode is supported 802 11n radio mode is...

Page 16: ...r device available for use Quick Start wizard home page From the navigation tree select Quick Start to enter the home page of the Quick Start wizard Figure 1 Home page of the Quick Start wizard Basic configuration 1 On the home page of the Quick Start wizard click start The basic configuration page appears ...

Page 17: ...f the country where you are This field defines the radio frequency characteristics such as the power and the total number of channels for frame transmission Before configuring the device you need to configure the country code correctly If the Country Code field is grayed out it cannot be modified Time Zone Select a time zone for the system Time Specify the current time and date Admin configuration...

Page 18: ...Specify the password for user Admin to use to log into the device in cipher text Confirm Password Enter the password again to confirm the password Password Encryption Select the attribute for the password encryption method Reversible Irreversible IP configuration 1 On the Admin Configuration page click Next The IP configuration page appears ...

Page 19: ...g in to the device By default the IP address of VLAN interface 1 is 192 168 0 50 Mask Specify the IP address mask of VLAN interface 1 By default the mask is 24 bit long Default Gateway Specify the IP address of the default gateway that connects the device to the network By default no default gateway is available Wireless configuration 1 On the IP configuration page click Next The wireless configur...

Page 20: ...The default authentication type is None In that case skip the 5 8 Radius Configuration step Wireless Service Specify the Service Set Identifier SSID Encrypt Select this box to go to the 6 8 Encryption Configuration step By default no encryption is performed If this option is not selected the 6 8 Encryption Configuration step is skipped RADIUS configuration 1 On the wireless configuration page sele...

Page 21: ...ecifies the standard RADIUS server In this case the RADIUS client access device and the RADIUS server exchange packets based on the specifications and packet format definitions of the standard RADIUS protocols RFC 2138 RFC 2139 and the updates Authentication IP Enter the IP address of the RADIUS authentication server Authentication UDP Port Enter the port number of the RADIUS authentication server...

Page 22: ...c WEP keys Enable Use WEP keys provided automatically Disable Use static WEP keys By default static WEP keys are used After you select Enable WEP104 is displayed for WEP IMPORTANT Automatically provided WEP keys must be used together with 802 1X authentication Therefore This option is available only after you select User authentication 802 1X for Primary Service Authentication type on the wireless...

Page 23: ...alphanumeric characters or 26 hexadecimal characters When the key type is WEP128 the key length can be 16 alphanumeric characters or 32 hexadecimal characters WEP Key Enter the WEP key Figure 8 Encryption configuration page for TKIP or AES CCMP encryption Table 9 Configuration items Item Description Encryption Mode Encryption mode which can be TKIP or AES CCMP Security IE Wireless service type IE ...

Page 24: ...s on the country code and radio mode and varies with device models Auto Specifies the automatic channel mode With Auto specified the AP evaluates the quality of channels in the wireless network and selects the best channel as the working channel After the channel is changed the power list is refreshed Power Select the transmission power The maximum power of the radio depends on the country code wo...

Page 25: ...pen System encryption and WPA PSK and WPA2 PSK authentication To configure other wireless access methods for example MAC address authentication and remote 802 1X authentication select Wireless Service Access Service from the navigation tree and perform configuration on the relevant page For more information see the configuration examples in Configuring wireless service Simple text authentication c...

Page 26: ...e time parameters login password and login IP address as needed 2 Configure wireless service a On the IP configuration page click Next The wireless configuration page appears b Use default setting for Primary Service Authentication type specify the SSID as service and use default setting for Encrypt no encryption is performed Figure 12 Wireless configuration page c Click Next The radio configurati...

Page 27: ...onfigured service in Choose a wireless network service in this example and click Connect The client can access the WLAN network after being associated with the AP 2 You can view the online clients on the page you enter by selecting Summary Client from the navigation tree WEP Open System encryption configuration example Network requirements In a small office as shown in Figure 14 perform WEP Open S...

Page 28: ... a On the IP configuration page click Next to enter the wireless configuration page b To configure wireless service Use default setting for Primary Service Authentication type Specify the SSID as wep Select the Encrypt box Figure 15 Wireless configuration page c Click Next to enter the encryption configuration page d To perform encryption configuration Select WEP40 for Encryption Mode Select 1 for...

Page 29: ...dio configuration page f To perform radio configuration Select the 802 1 1n 2 4GHz box and bind wireless service wep to the 802 1 1n 2 4 GHz radio Use default settings for other parameters g Click Next Figure 17 Radio configuration page 3 Check and apply the configurations ...

Page 30: ...tion configuration example Network requirements In a small office as shown in Figure 18 perform WPA2 PSK wireless access configuration on the AP The following requirements must be satisfied The AP provides a WPA2 PSK wireless access service with SSID psk 802 1 1n 2 4 GHz is adopted to inter work with the existing 802 1 1g network and meet the high bandwidth requirement Figure 18 Network diagram Co...

Page 31: ...MP for Encryption Mode Select WPA2 for Security IE Select pass phrase from the Preshared Key Type list Enter the preshared key 12345678 Figure 20 Encryption configuration page e Click Next to enter the radio configuration page f To perform radio configuration Select the 802 1 1n 2 4GHz box and bind wireless service psk to the 802 1 1n 2 4 GHz radio ...

Page 32: ...k finish to apply the configurations Verifying the configuration Launch the wireless client and refresh the network list Select the configured service in Choose a wireless network psk in this example and click Connect In the dialog box that appears enter the preshared key 12345678 same as the preshared key configured on the AP The client can access the WLAN network after being associated with the ...

Page 33: ...Info menu Device information System resource state Device interface information Recent system logs at most five After logging in to the web interface you enter the Summary Device page Figure 22 Device info page NOTE The information displayed on the device info page varies with devices ...

Page 34: ...n select Device SNMP For more information see SNMP configuration SerialNum Display the serial number of the device Software Version Display the software version of the device Hardware Version Display the hardware version of the device Bootrom Version Display the Boot ROM version of the device Running Time Display the running time after the latest boot of the device System resource state Table 12 C...

Page 35: ... logs are generated Level Display the level of the system logs Description Display the contents of the system logs To know more information about system logs click the More hyperlink under the Recent System Operation Logs area to enter the Device Syslog Loglist page to view the logs For more information see Log management configuration Displaying WLAN service Select Summary WLAN Service from the n...

Page 36: ...tion used WLAN service of the clear type only uses open system authentication SSID hide Disable The SSID is advertised in beacon frames Enable Disable the advertisement of the SSID in beacon frames Service Template Status Status of service template Enable Enable WLAN service Disable Disable WLAN service Maximum clients per BSS Maximum number of associated clients per BSS The detailed information o...

Page 37: ...vertisement of the SSID in beacon frames Cipher Suite Cipher suite AES CCMP TKIP WEP40 WEP104 or WEP128 TKIP Countermeasure Time s TKIP countermeasure time in seconds PTK Life Time s PTK lifetime in seconds GTK Rekey GTK rekey configured GTK Rekey Method GTK rekey method configured packet based or time based GTK Rekey Time s Time for GTK rekey in seconds If Time is selected the GTK is refreshed af...

Page 38: ...um number of associated clients per BSS Displaying statistics of WLAN service Figure 25 Displaying WLAN service statistics Displaying connection history information of WLAN service Figure 26 Displaying the connection history information of WLAN service ...

Page 39: ...oise ration SNR by increasing the transmit power or reducing the noise floor The Service Type item in the figure has three options Access WDS and Client Mode If both Access and WDS are displayed the radio unit operates in Repeater mode Resource Usage represents the resource utilization of a radio within a certain period For example in a period of 10 seconds if a radio has occupied the channel for ...

Page 40: ...ually configured the configured channel number is displayed If the channel is automatically selected auto channel is displayed where channel is optimum channel automatically selected by the AC Secondary channel offset Secondary channel information for 802 11n radio mode SCA Second Channel Above The AP operates in 40 MHz bandwidth mode and the secondary channel has a higher bandwidth than the prima...

Page 41: ...ntenna Type Antenna type which depends on the device model Resource Usage Current radio resource usage Received 2 authentication frames 2 association frames Number of authentication and association frames received Sent out 2 authentication frames 2 association frames Number of authentication and association frames sent Stations 0 associating 2 associated Number of stations being associating and st...

Page 42: ...nted packets Number of discarded packets number of discarded bytes Number of failed RTS packets number of failed ACK packets Number of retransmitted frames number of transmission retries Displaying WDS Select Summary WDS from the navigation tree to enter the WDS page Figure 29 Displaying WDS The AP can operate in two modes Bridge mode The AP operates in the network as a Layer 2 device Route mode T...

Page 43: ...signal strength indicator is represented by four signal bars it indicates that 35 RSSI 45 If the signal strength indicator is represented by five signal bars it indicates that RSSI 45 Displaying client Displaying client detailed information Select Summary Client from the navigation tree to enter the Client page click the Detail Information tab on the page and click the name of the specified client...

Page 44: ... wireless mode depends on the device model Channel Band width Channel bandwidth 20 MHz or 40 MHz SM Power Save Enable SM Power Save enables a client to have one antenna in the active state and others in sleep state to save power Enabled SM Power Save is supported Disabled SM Power Save is not supported Short GI for 20MHz Whether the client supports short GI when its channel bandwidth is 20 MHz Sho...

Page 45: ...sage is sent to the client REKEYESTABLISHED Displayed when re keying is successful Encryption Cipher Encryption cipher clear or crypto Roam Status Display the roaming status Normal Up Time Time for which the client has been associated with the AP Table 20 Field description Field Description Refresh Refresh the current page Add to Blacklist Add the selected client to the static blacklist which you ...

Page 46: ...ress MAC Address of the client RSSI Received signal strength indication This value indicates the client signal strength detected by the AP Transmitted Frames Number of transmitted frames Back Ground Frames Bytes Statistics of background traffic in frames or in bytes Back Ground Frames Bytes Statistics of background traffic in frames or in bytes Best Effort Frames Bytes Statistics of best effort tr...

Page 47: ...e specified client to view the link test information of the client Figure 32 Displaying link test information Table 22 Field description Field Description No MCS Rate number for a non 802 1 1n client MCS value for an 802 1 1n client Rate Mbps Rate at which the radio interface sends wireless ping frames TxCnt Number of wireless ping frames that the radio interface sent RxCnt Number of wireless ping...

Page 48: ...stem logs an idle user off the web for security purposes after the configured period Configuring device basic information Configuring system name 1 Select Device Basic from the navigation tree The page for configuring the system name appears Figure 33 System name 2 Set the system name for the device 3 Click Apply Configuring web idle timeout period 1 Select Device Basic from the navigation tree 2 ...

Page 49: ...36 Figure 34 Configuring web idle timeout period 3 Set the web idle timeout period for a logged in user 4 Click Apply ...

Page 50: ...void performing any operation on the web interface during the upgrading procedure Otherwise the upgrade operation may be interrupted The device changes the original file name to another one extension name not changed after you get the target application file from the local host 1 Select Device Device Maintenance from the navigation tree The software upgrade configuration page appears Figure 35 Sof...

Page 51: ...PORTANT Support for this option depends on your device model For more information see Feature matrix Reboot after the upgrade is finished Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded Reboot CAUTION Before rebooting the device save the configuration Otherwise all unsaved configurations are lost after device reboot Re log in to...

Page 52: ...s much information as possible in one operation during daily maintenance or when system failure occurs the device supports generating diagnostic information When you perform the diagnostic information generation operation the system saves the running statistics of multiple functional modules to a file named default diag and then you can locate problems faster by checking this file 1 Select Device ...

Page 53: ...of time During this process do not perform any operation on the web page To view this file after the diagnostic file is generated successfully select Device File Management or download this file to the local host For more information see File management configuration ...

Page 54: ...s a huge amount of workload and cannot guarantee clock precision Defined in RFC 1305 the Network Time Protocol NTP synchronizes timekeeping among distributed time servers and clients NTP can keep consistent timekeeping among all clock dependent devices within the network and ensure a high clock precision so that the devices can provide diverse applications based on consistent time Displaying the s...

Page 55: ...e system uses the manually configured time after the synchronization recovers the system uses the synchronized time The IP address of an NTP server is a host address and cannot be a broadcast or a multicast address or the IP address of the local clock If the system time of the NTP server is ahead of the system time of the device and the difference between them exceeds the web idle time specified o...

Page 56: ...m log information administrators can take corresponding actions against network problems and security problems System logs can be stored in the log buffer or sent to the loghost Displaying syslog The web interface provides abundant search and sorting functions You can view syslogs through the web interface conveniently To display syslog 1 Select Device Syslog from the navigation tree The page for ...

Page 57: ...stem information levels The information is classified into eight levels by severity Emergency The system is unusable Alert Action must be taken immediately Critical Critical conditions Error Error conditions Warning Warning conditions Notification Normal but significant condition Informational Informational messages Debug Debug level messages Digest Displays the brief description of system logs De...

Page 58: ...iguration item Item Description Loghost IP Domain Set the IPv4 address domain name or IPv6 address of the loghost You can specify up to four loghosts Setting buffer capacity and refresh interval 1 Select Device Syslog from the navigation tree 2 Click the Logset tab The syslog configuration page appears ...

Page 59: ...uffer Capacity Set the number of logs that can be stored in the log buffer Refresh Interval Set the refresh period on the log information displayed on the web interface You can select manual refresh or automatic refresh Manual Click Refresh to refresh the web interface when displaying log information Automatic Refresh the web interface every 1 minute 5 minutes or 10 minutes ...

Page 60: ...ree The page for backing up configuration appears Figure 44 Backup configuration page 2 Click the upper Backup button A file download dialog box appears You can select to view the cfg file or to save the file locally 3 Click the lower Backup button A file download dialog box appears You can select to view the xml file or to save the file locally Restoring configuration Configuration restore provid...

Page 61: ...Saving the configuration takes some time The system does not support the operation of saving configuration of two or more consecutive users If such a case occurs the system prompts the latter users to try later The save configuration module provides the function to save the current configuration to the configuration file cfg file or xml file to be used at the next startup You can save the configur...

Page 62: ...iguration file Initializing configuration This operation restores the system to factory defaults delete the current configuration file and reboot the device To initialize configuration 1 Select Device Configuration from the navigation tree 2 Click the Initialize tab The initialize confirmation page appears Figure 47 Initialize confirmation dialog box 3 Click Restore Factory Default Settings to res...

Page 63: ... from the Please select disk list on the top of the page The page then displays used space free space and capacity of the disk at the right of the list and displays all files saved in this disk in the format of path filename file sizes and whether the boot file is a main or backup boot file is displayed if the file is an application file that is with the extension of bin or app Downloading a file ...

Page 64: ... 3 Click Browse to set the path and name of the file 4 Click Apply Removing a file 1 Select Device File Management from the navigation tree The page in Figure 48 appears 2 Select one or multiple files from the file list 3 Click Remove File NOTE You can also remove a file by clicking the icon Specifying the main boot file 1 Select Device File Management from the navigation tree The page in Figure 4...

Page 65: ...hanges the mask into a 32 bit mask Null interface A software only virtual interface A null interface is always up It cannot forward packets or be configured with an IP address or any link layer protocol However you cannot use it to forward data packets or configure an IP address or link layer protocol on it With a null interface specified as the next hop of a static route to a specific network seg...

Page 66: ...e 49 Interface management page 2 Click an interface name in the Name column to display the statistics of that interface The page for displaying interface statistics appears Figure 50 Statistics on an interface ...

Page 67: ...age in Figure 49 appears 2 Click Add The page for creating an interface appears Figure 51 Create an interface 3 Configure the interface as described in Table 28 4 Click Apply Table 28 Configuration items Item Description Interface Name Set the type and number of a logical interface ...

Page 68: ... and Mask fields DHCP Select the option for the interface to obtain an IP address through DHCP automatically BOOTP Select the option for the interface to obtain an IP address through BOOTP automatically PPP Negotiate Select the option for the interface to obtain an IP address through PPP negotiation Unnumbered Select this option to borrow the IP address of another interface on the same device for ...

Page 69: ... option is selected you must set the IPv6 Link Local Address field IPv6 Link Local Address If the Manual option is selected as the way for the interface to obtain an IPv6 link local address you must set an IPv6 link local address for the interface Modifying a Layer 2 interface 1 Select Device Interface from the navigation tree The page in Figure 49 appears 2 Click the icon corresponding to a Layer...

Page 70: ... 100 The auto negotiation rate of the interface is 10 Mbps or 100 Mbps Auto 10 1000 The auto negotiation rate of the interface is 10 Mbps or 1000 Mbps Auto 100 1000 The auto negotiation rate of the interface is 100 Mbps or 1000 Mbps Auto 10 100 1000 The auto negotiation rate of the interface is 10 Mbps 100 Mbps or 1000 Mbps Duplex Set the duplex mode of the interface Auto Auto negotiation Full Ful...

Page 71: ...ot determine the cable types When straight through cables are used the local MDI mode must be different from the remote MDI mode When crossover cables are used the local MDI mode must be the same as the remote MDI mode or the MDI mode of at least one end must be set to auto Flow Control Enables or disables flow control on the interface After flow control is enabled on both ends if there is traffic...

Page 72: ...n the box below pps Sets the maximum number of unicast packets that can be forwarded on an Ethernet interface per second When this option is selected you need to enter a number in the box below Table 30 Link type description Link type Description Access An access port can belong to only one VLAN and is usually used to connect a user device Hybrid A hybrid port can be assigned to multiple VLANs to ...

Page 73: ...ion items of modifying the Layer 3 interface are similar to those of creating an interface Table 31 describes configuration items proper to modifying a Layer 3 interface 4 Click Apply Table 31 Configuration items Item Description Interface Type Set the interface type which can be Electrical port Optical port or None ...

Page 74: ...isable the page displaying interface information appears IMPORTANT For an interface whose status cannot be changed the Enable or Disable button is not available Working Mode Set the interface to work in bridge mode or router mode Interface management configuration example Network requirements Create VLAN interface 100 and specify its IP address as 10 1 1 2 Configuration procedure 1 Create VLAN 100...

Page 75: ...ace 100 c Select Vlan interface from the Interface Name list enter the interface ID 100 select the Static Address option in the IP Config area enter the IP address 10 1 1 2 and select 24 255 255 255 0 from the Mask list d Click Apply ...

Page 76: ... network framework of TR 069 which has the following basic network elements ACS Auto Configuration Server which is the management device in the network CPE Customer Premise Equipment which is the managed device in the network DNS server Domain Name Server TR 069 defines that an ACS and a CPE use URLs to identify and access each other DNS is used to resolve the URLs DHCP server Dynamic host configu...

Page 77: ...e configuration on the ACS and that on the CPE must be the same CPE Username Configure the username used by the CPE to authenticate the connection sent from the ACS Password Configure the password used by the CPE to authenticate the connection sent from the ACS You can specify a username without a password that is used in the authentication If so the configuration on the ACS and that on the CPE mu...

Page 78: ...gher priority than that through the web interface You cannot use a configuration mode to modify parameters configured through a configuration mode with a higher priority To remove parameter configuration you need to select the box in front of a parameter clear its value and then click Apply to submit your configuration ...

Page 79: ...ng the current web user level to the management level Switch the current web user access level to the management level Creating a user 1 Select Device Users from the navigation tree 2 Click the Create tab The page for creating local users appears Figure 58 Create a user 3 Configure the user information as described in Table 33 4 Click Apply Table 33 Configuration items Item Description Username Se...

Page 80: ...agement Users of this level can perform any operations on the device Password Set the password for a user Confirm Password Enter the same password again Otherwise the system prompts that the two passwords enter are not consistent when you apply the configuration Service Type Set the service type including web FTP Telnet and terminal services You must select one of them Setting the super password U...

Page 81: ... the current user level to the management level Note the following Before switching make sure that the super password is already configured A user cannot switch to the management level without a super password The access level switchover of a user is valid for the current login only The access level configured for the user is not changed When the user re logs in to the web interface the access lev...

Page 82: ...unity name plays a similar role as a key word and can be used to control access from NMS to the agent SNMPv2c uses community name for authentication Compatible with SNMPv1 it extends the functions of SNMPv1 SNMPv2c provides more operation modes such as GetBulk and InformRequest it supports more data types such as Counter64 and it provides various error codes thus being able to distinguish errors i...

Page 83: ...SNMPv3 configuration task list Task Remarks Enabling SNMP Required The SNMP agent function is disabled by default IMPORTANT If SNMP is disabled all SNMP related configurations are removed Configuring an SNMP view Optional After creating SNMP views you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group Configuring an SNMP group Required After ...

Page 84: ...bling SNMP 1 Select Device SNMP from the navigation tree The SNMP configuration page appears Figure 61 Setup page 2 Configure SNMP settings on the upper part of the page as described in Table 37 3 Click Apply ...

Page 85: ...cket that the agent can receive send Contact Set a character string to describe the contact information for system maintenance If the device is faulty the maintainer can contact the manufacture factory according to the contact information of the device Location Set a character string to describe the physical location of the device SNMP Version Set the SNMP version run by the system Configuring an ...

Page 86: ...38 Configuration items Item Description View Name Set the SNMP view name Rule Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask MIB Subtree OID Set the MIB subtree OID such as 1 4 5 3 1 or name such as system MIB subtree OID identifies the position of a node in the MIB tree and it can uniquely identify a MIB subtree Subtree Mask Set the s...

Page 87: ...s Figure 65 Add rules to an SNMP view 4 Configure the parameters as described in Table 38 5 Click Apply NOTE You can modify the rules of a view in the page you enter by clicking the icon of that view Configuring an SNMP community 1 Select Device SNMP from the navigation tree 2 Click the Community tab The community tab page appears Figure 66 Configure an SNMP community 3 Click Add The Add SNMP Comm...

Page 88: ...munity name to access the agent Read and write The NMS can perform both read and write operations to the MIB objects when it uses this community name to access the agent View Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS ACL Associate the community with a basic ACL to allow or prohibit the access to the agent from the NMS with the specified...

Page 89: ...MP group name Security Level Select the security level for the SNMP group The available security levels are NoAuth NoPriv No authentication no privacy Auth NoPriv Authentication without privacy Auth Priv Authentication and privacy Read View Select the read view of the SNMP group Write View Select the write view of the SNMP group If no write view is configured the NMS cannot perform the write opera...

Page 90: ...ACL with the group to restrict the source IP address of SNMP packets that is you can configure to allow or prohibit SNMP packets with a specific source IP address so as to restrict the intercommunication between the NMS and the agent Configuring an SNMP user 1 Select Device SNMP from the navigation tree 2 Click the User tab The user tab page appears Figure 70 SNMP user 3 Click Add The Add SNMP Use...

Page 91: ... privacy Auth Priv Authentication and privacy Group Name Select an SNMP group to which the user belongs When the security level is NoAuth NoPriv you can select an SNMP group with no authentication no privacy When the security level is Auth NoPriv you can select an SNMP group with no authentication no privacy or authentication without privacy When the security level is Auth Priv you can select an S...

Page 92: ... privacy password must be the same with the privacy password Confirm Privacy Password ACL Associate a basic ACL with the user to restrict the source IP address of SNMP packets that is you can configure to allow or prohibit SNMP packets with a specific source IP address so as to allow or prohibit the specified NMS to access the agent by using this user name Configuring SNMP trap function 1 Select D...

Page 93: ... UDP port number IMPORTANT The default port number is 162 which is the SNMP specified port used for receiving traps on the NMS Generally such as using iMC or MIB Browser as the NMS you can use the default port number To change this parameter to another value you need to make sure that the configuration is the same with that on the NMS Security Model Select the security model that is the SNMP versi...

Page 94: ...xample Network requirements The NMS connects to the agent an AP through an Ethernet The IP address of the NMS is 1 1 1 2 24 The IP address of the VLAN interface on the AP is 1 1 1 1 24 Configure SNMP to achieve the following purposes The NMS monitors the agent by using SNMPv3 The agent reports errors or faults to the NMS Figure 75 Network diagram Configuring the agent 1 Enable SNMP agent ...

Page 95: ...able SNMP b Select the Enable option c Select the v3 box d Click Apply 2 Configure an SNMP view a Click the View tab b Click Add The page for creating an SNMP view appears Figure 77 Create an SNMP view 1 c Enter view1 in the field d Click Apply The SNMP rule configuration page appears ...

Page 96: ...ID interfaces and click Add f Click Apply A configuration progress dialog box appears Figure 79 Configuration progress dialog box g Click Close after the configuration process is complete 3 Configure an SNMP group a Click the Group tab b Click Add The page for creating an SNMP group appears ...

Page 97: ...e select view1 from the Read View box and select view1 from the Write View box d Click Apply 4 Configure an SNMP user a Click the User tab b Click Add The page in Figure 81 appears c Enter user1 in the field of User Name and select group1 from the Group Name box d Click Apply ...

Page 98: ...able the agent to send SNMP traps a Click the Trap tab The page in Figure 82 appears b Select the Enable SNMP Trap box c Click Apply Figure 82 Enable the agent to send SNMP traps 6 Add target hosts of SNMP traps a Click Add on the Trap tab ...

Page 99: ...rity level According to the configured security level you must configure the related authentication mode authentication password privacy mode privacy password and so on You must also configure the aging time and retry times After these configurations you can configure the device as needed through the NMS For more information about NMS configuration see the manual provided for NMS Verifying the con...

Page 100: ... to check whether there is a chip failure related to the functions of the port In an external loopback test a self loop header is used on the port Packets forwarded by the port will be received by itself through the self loop header The external loopback test can be used to check whether there is a hardware failure on the port Loopback operation 1 Select Device Loopback from the navigation tree Th...

Page 101: ...nes When you perform a loopback test follow these guidelines You can perform an internal loopback test but not an external loopback test on a port that is physically down while you can perform neither test on a port that is manually shut down The system does not allow Rate Duplex Cable Type and Port Status configuration on a port under a loopback test An Ethernet port works in full duplex mode whe...

Page 102: ...s the frame for the source MAC address MAC SOURCE for example 2 Looks up the MAC address in the MAC address table If an entry is found updates the entry If no entry is found adds an entry for the MAC address and the receiving port Port A to the MAC address table When receiving a frame destined for MAC SOURCE the device looks up the MAC address table and forwards it from port A NOTE Dynamically lea...

Page 103: ...ect Network MAC from the navigation tree The system automatically displays the MAC tab which shows all the MAC address entries on the device as shown in Figure 87 Figure 87 The MAC tab 2 Click Add in the bottom to enter the page for creating MAC address entries as shown in Figure 88 ...

Page 104: ...ollowing types of MAC address entries Config static Static MAC address entries manually configured by the users Config dynamic Dynamic MAC address entries manually configured by the users Blackhole Blackhole MAC address entries Learned Dynamic MAC address entries learned by the device Other Other types of MAC address entries VLAN Set the ID of the VLAN to which the MAC address belongs Port Set the...

Page 105: ...guration example Network requirements Use the MAC address table management function of the Web based NMS Create a static MAC address 00e0 fc35 dc71 for GigabitEthernet 1 0 1 in VLAN 1 Creating a static MAC address entry 1 Select Network MAC from the navigation tree to enter the MAC tab 2 Click Add The page shown in Figure 90 appears 3 Enter MAC address 00e0 fc35 dc71 select static from the Type li...

Page 106: ...93 Figure 90 Create a static MAC address entry ...

Page 107: ...ained within it as shown in Figure 91 Figure 91 A VLAN diagram You can implement VLANs based on different criteria The Web interface is available only for port based VLANs Port based VLANs group VLAN members by port A port forwards traffic for a VLAN only after it is assigned to the VLAN NOTE For more information about VLAN see H3C WA Series Access Points Layer 2 Configuration Guide Recommended co...

Page 108: ...click Select and all undesired VLANs will be filtered out If you click Remove all VLANs within this range will be deleted 2 Click Add to enter the page for creating a VLAN as shown in Figure 93 3 Enter the ID of the VLAN you want to create 4 Click Apply Figure 93 Create a VLAN Modifying a VLAN 1 Select Network VLAN from the navigation tree The system automatically selects the VLAN tab and enters t...

Page 109: ...ntagged Member Tagged Member or Not a Member option for the port Untagged Indicates that the port sends the traffic of the VLAN with the VLAN tag removed Tagged Indicates that the port sends the traffic of the VLAN without removing the VLAN tag Not a Member Removes the port from the VLAN IMPORTANT When you configure an access port as a tagged member of a VLAN the link type of the port is automatic...

Page 110: ...ember option Untagged Indicates that the port sends the traffic of the VLAN with the VLAN tag removed Tagged Indicates that the port sends the traffic of the VLAN without removing the VLAN tag Not a Member Removes the port from the VLAN IMPORTANT You cannot configure an access port as an untagged member of a nonexistent VLAN When you configure an access port as a tagged member of a VLAN or configu...

Page 111: ...tagged member of VLAN 2 and VLANs 6 through 50 and then as an untagged member of VLAN 100 If you reverse the configuration order you must enter 1 and 100 in the VLAN ID field when you configure GigabitEthernet 1 0 1 as an untagged member of VLANs Otherwise the default VLAN ID of the port will change to 100 1 Create VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 a Select Network VLAN from the navigatio...

Page 112: ...igabitEthernet 1 0 1 as an untagged member of VLAN 100 a Click the icon of GigabitEthernet 1 0 1 b Select the Untagged option and enter VLAN ID 100 as shown in Figure 100 c Click Apply Figure 100 Configure GigabitEthernet 1 0 1 as an untagged member of VLAN 100 Configuring Switch Configure Switch in the same way as you configured the AP Configuration guidelines When you configure VLAN follow these...

Page 113: ...100 VLAN 1 is the default VLAN which cannot be manually created or removed Some VLANs are reserved for special purposes You cannot manually create or remove them Dynamic VLANs cannot be manually removed ...

Page 114: ... device sends a gratuitous ARP packet for either of the following purposes Determine whether its IP address is already used by another device If the IP address is already used the device will be informed of the conflict by an ARP reply Inform other devices of the change of its MAC address Learning of gratuitous ARP packets With this feature enabled a device upon receiving a gratuitous ARP packet a...

Page 115: ...age shown in Figure 101 2 Click Add to enter the New Static ARP Entry page as shown in Figure 102 Figure 102 Add a static ARP entry 3 Configure the static ARP entry as described in Table 48 4 Click Apply Table 48 Configuration items Item Description IP Address Enter an IP address for the static ARP entry MAC Address Enter a MAC address for the static ARP entry ...

Page 116: ...namic To remove all static ARP entries click Delete Static To remove all dynamic ARP entries click Delete Dynamic Configuring gratuitous ARP 1 Select Network ARP Management from the navigation tree 2 Click the Gratuitous ARP tab to enter the page shown in Figure 103 Figure 103 Gratuitous ARP configuration page 3 Configure gratuitous ARP as described in Table 49 Table 49 Configuration items Item De...

Page 117: ...ace VLAN interface 1 and log in to the web configuration page of the AP through VLAN interface 1 1 Create a static ARP entry a Select Network ARP Management from the navigation tree to enter the default ARP Table page b Click Add c To create a static ARP entry Enter 192 168 1 1 for IP Address Enter 00e0 fc01 0000 for MAC Address Select the Advanced Options box Enter 1 for VLAN ID Select GigabitEth...

Page 118: ...flooded to all devices at Layer 2 However when IGMP snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 Figure 106 Multicast forwarding before and after IGMP snooping runs IGMP snooping sends Layer 2 multicast packets to the intended receivers only This mechanism provides the following advantage...

Page 119: ...e IGMP snooping in a VLAN this function takes effect for ports in this VLAN only 3 Configuring IGMP snooping on a port Optional Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN IMPORTANT Multicast routing or IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port IGMP snooping configured on a port take...

Page 120: ...ping from the navigation tree to enter the basic configuration page shown in Figure 107 2 Click the icon corresponding to the VLAN to enter the page you can configure IGMP snooping in the VLAN as shown in Figure 108 Figure 108 Configure IGMP snooping on the VLAN 3 Configure IGMP snooping as described in Table 50 ...

Page 121: ...ata enabled the device drops all the unknown multicast data received With the function of dropping unknown multicast data disabled the device floods unknown multicast data in the VLAN to which the unknown multicast data belong Querier Enable or disable the IGMP snooping querier function On a network without Layer 3 multicast devices no IGMP querier related function can be implemented because a Lay...

Page 122: ... configured threshold the system deletes all the forwarding entries persistent on that port from the IGMP snooping forwarding table and the hosts on this port need to join the multicast groups again Fast Leave Enable or disable the fast leave function for the port With the fast leave function enabled on a port the device when receiving an IGMP leave message on the port immediately deletes that por...

Page 123: ...n Figure 110 Figure 110 Display entry information 3 Clicking the icon corresponding to an entry to display the detailed information of the entry as shown in Figure 111 Figure 111 Detailed information of an entry Table 52 Field description Field Description VLAN ID ID of the VLAN to which the entry belongs Source Multicast source address where 0 0 0 0 indicates all multicast sources Group Multicast...

Page 124: ...own multicast packets is enabled on the AP to prevent the AP from flooding multicast packets in the VLAN if no corresponding Layer 2 forwarding entry exists Figure 112 Network diagram on a fat AP Configuring Router A Enable IP multicast routing enable PIM DM on each interface and enable IGMP on Ethernet 1 1 Details not shown Configuring AP 1 Enable IGMP snooping globally a Select Network IGMP snoo...

Page 125: ...Click Apply Figure 114 Configure the VLAN Verifying the configuration Display the IGMP snooping multicast entry information on the AP 1 Select Network IGMP snooping from the navigation tree to enter the basic configuration page 2 Click the plus sign in front of Show Entries to view IGMP snooping multicast entries as shown in Figure 115 Figure 115 IGMP snooping multicast entry information displayin...

Page 126: ...113 Figure 116 Information about an IGMP snooping multicast entry ...

Page 127: ...d sends them to the forwarding information base FIB table to guide packet forwarding Each router maintains a routing table and a FIB table Static routes are manually configured If a network s topology is simple you only need to configure static routes for the network to work properly Static routes cannot adapt to network topology changes If a fault or a topological change occurs in the network the...

Page 128: ...rence value for the IPv4 route The smaller the number the higher the preference Next Hop Next hop IP address of the IPv4 route Interface Outgoing interface of the IPv4 route Packets destined for the specified network segment will be sent out the interface Creating an IPv4 static route 1 Select Network IPv4 Routing from the navigation tree 2 Click the Create tab to enter the IPv4 static route confi...

Page 129: ...ter the mask of the destination IP address You can enter a mask length or a mask in dotted decimal notation Preference Set a preference value for the static route The smaller the number the higher the preference For example specifying the same preference for multiple static routes to the same destination enables load sharing on the routes while specifying different preferences enables route backup...

Page 130: ...ect Network IPv6 Routing from the navigation tree to enter the page shown in Figure 1 19 Figure 119 IPv6 active route table Table 55 Field description Field Description Destination IP Address Destination IP address and prefix length of the IPv6 route Prefix Length Protocol Protocol that discovered the IPv6 route Preference Preference value for the IPv6 route The smaller the number the higher the p...

Page 131: ... X X format The 128 bit destination IPv6 address is a hexadecimal address with eight parts separated by colons Each part is represented by a 4 digit hexadecimal integer Prefix Length Enter the prefix length of the destination IPv6 address Preference Set a preference value for the static route The smaller the number the higher the preference For example specifying the same preference for multiple s...

Page 132: ...hop and the other with AP as the next hop 3 On AP configure a default route with Switch B as the next hop Configuration procedure 1 Specify gateway 1 1 2 3 for Host A and gateway 1 1 3 3 for Host B 2 Configure a default route with the next hop address 1 1 4 2 on Switch A 3 Configure a static route with destination address 1 1 2 0 24 and next hop address 1 1 4 1 on Switch B 4 Configure a default ro...

Page 133: ...B from Host A assuming both hosts run Windows XP C Documents and Settings Administrator ping 1 1 3 2 Pinging 1 1 3 2 with 32 bytes of data Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Ping statistics for 1 1 3 2 Packets Sent 4 Received 4 Lost 0 0 loss Approximate r...

Page 134: ...p and the other with AP as the next hop 3 On AP configure a default route with Switch B as the next hop Configuration procedure 1 Specify gateway 1 1 for Host A and gateway 3 1 for Host B 2 Configure a default route with the next hop address 4 2 on Switch A 3 Configure a static route with destination address 1 64 and next hop address 4 1 on Switch B 4 Configure a default route on AP a Select Netwo...

Page 135: ...t B from Switch A SwitchA system view SwitchA ping ipv6 3 2 PING 3 2 56 data bytes press CTRL_C to break Reply from 3 2 bytes 56 Sequence 1 hop limit 254 time 63 ms Reply from 3 2 bytes 56 Sequence 2 hop limit 254 time 62 ms Reply from 3 2 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 2 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 2 bytes 56 Sequence 5 hop limit 254 time 6...

Page 136: ...oute does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface such as an Ethernet interface and VLAN interface 3 When specifying the output interface note that If NULL 0 or a loopback interface is specified as the output interface there is no need to configure the next hop address If a point to point interface is specified as the o...

Page 137: ...etwork devices DHCP uses the client server model Figure 125 A typical DHCP application Recommended configuration procedure Step Remarks 1 Enabling DHCP Required Enable DHCP globally By default DHCP is disabled globally 2 Creating an address pool for the DHCP server Creating a static address pool for the DHCP server Creating a dynamic address pool for the DHCP server Required Use at least one appro...

Page 138: ...works on interfaces with IP addresses manually configured only 4 Display the information of assigned IP addresses Optional Enabling DHCP 1 Select Network DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 126 2 Select the Enable option on the upper part of the page to enable DHCP globally Figure 126 DHCP configuration page Creating a static address pool for the DHC...

Page 139: ...e the IP address of any interface on the DHCP server Otherwise an IP address conflict may occur and the bound client cannot obtain an IP address correctly You can enter a mask length or a mask in dotted decimal notation Mask Client MAC Address Configure the client MAC address or the client ID for the static address pool IMPORTANT The client ID must be identical to the ID of the client to be bound ...

Page 140: ...ou need to specify a DNS server address Up to eight DNS servers can be specified in a DHCP address pool separated by commas WINS Server Address Enter the WINS server addresses for the client If b node is specified for the client you do not need to specify any WINS server address Up to eight WINS servers can be specified in a DHCP address pool separated by commas NetBIOS Node Type Select the NetBIO...

Page 141: ... server excludes the IP addresses used by gateways or FTP servers from dynamic allocation You can enter a mask length or a mask in dotted decimal notation Mask Lease Duration Unlimited Configure the address lease duration for the address pool Unlimited indicates the infinite duration days hours minutes seconds Client Domain Name Enter the domain name suffix for the client With the suffix assigned ...

Page 142: ...r Address Enter the WINS server addresses for the client If b node is specified for the client you do not need to specify any WINS server address Up to eight WINS servers can be specified in a DHCP address pool separated by commas NetBIOS Node Type Select the NetBIOS node type for the client Enabling the DHCP server on an interface 1 Select Network DHCP from the navigation tree to enter the defaul...

Page 143: ...sses dynamically from the DHCP server AP The IP address of VLAN interface 1 of the AP is 10 1 1 1 24 In subnet 10 1 1 0 24 the address lease duration is ten days and twelve hours and the gateway address is 10 1 1 2 Figure 130 Network diagram on a fat AP Configuration procedure 1 Enable DHCP a Select Network DHCP from the navigation tree to enter the default DHCP Server page b Select the Enable opt...

Page 144: ...er as shown in Figure 132 c Click Apply Figure 132 Enable the DHCP server on VLAN interface 1 3 Configure a dynamic address pool for the DHCP server a Select the Dynamic option in the Address Pool field default setting and click Add to enter the page as shown in Figure 133 b To configure a dynamic address pool for the DHCP server Enter test for IP Pool Name Enter 10 1 1 0 for IP Address Enter 255 ...

Page 145: ...132 Enter 10 1 1 2 for Gateway Address c Click Apply Figure 133 Configure a dynamic address pool for the DHCP server ...

Page 146: ...ed name to IP address mappings are stored in the local static name resolution table to improve efficiency Static domain name resolution Configuring static domain name resolution is to set up mappings between domain names and IP addresses manually IP addresses of the corresponding domain names can be found in the static domain resolution table when you use applications such as telnet Dynamic domain...

Page 147: ...l Not configured by default 4 Clearing dynamic DNS cache Optional Configuring static name resolution table 1 Select Network DNS from the navigation tree to enter the default static domain name resolution configuration page shown in Figure 134 Figure 134 Static domain name resolution configuration page 2 Click Add to enter the page shown in Figure 135 Figure 135 Create a static domain name resoluti...

Page 148: ...uring dynamic domain name resolution 1 Select Network DNS from the navigation tree 2 Click the Dynamic tab to enter the page shown in Figure 136 3 Select the Enable option for Dynamic DNS 4 Click Apply Figure 136 Dynamic domain name resolution configuration page Adding a DNS server address 1 Select Network DNS from the navigation tree 2 Click the Dynamic tab to enter the page shown in Figure 136 3...

Page 149: ...field 5 Click Apply Figure 138 Add a domain name suffix Clearing dynamic DNS cache 1 Select Network DNS from the navigation tree 2 Click the Dynamic tab to enter the page shown in Figure 136 3 Select the Clear Dynamic DNS cache box 4 Click Apply DNS configuration example Network requirements As shown in Figure 139 the AP wants to access the host by using an easy to remember domain name rather than...

Page 150: ...ration make sure that the AP and the host are accessible to each another via available routes and the IP addresses of the interfaces are configured as shown Figure 139 This configuration may vary with DNS servers The following configuration is performed on a PC running Windows server 2000 Configuring the DNS server 1 Create zone com a Select Start Programs Administrative Tools DNS b As shown in Fi...

Page 151: ... click zone com and then select New Host Figure 141 Add a host b In the dialog box as shown in Figure 142 enter host name host and IP address 3 1 1 1 c Click Add Host Figure 142 Add a mapping between domain name and IP address ...

Page 152: ... d Click Apply Figure 143 Enable dynamic DNS 2 Configure the IP address of the DNS server a In Figure 143 click Add IP to enter the page for adding a DNS server IP address as shown in Figure 144 b Enter the IP address 2 1 1 2 c Click Apply Figure 144 Add a DNS server IP address 3 Add a domain name suffix a In Figure 143 click Add Suffix b Enter the domain name suffix com as shown in Figure 145 ...

Page 153: ...n the AP and the host is normal and that the corresponding destination IP address is 3 1 1 1 1 Select Diagnostic Tools Ping from the navigation tree to enter the IPv4 Ping configuration page 2 Enter host in the Destination IP address or host name field 3 Click Start to execute the ping command 4 View the result in the Summary field Figure 146 Ping operation ...

Page 154: ... the MAC address of the access end and generates the PPPoE session ID PPP session phase where PPP packets are encapsulated in Ethernet frames before being sent to the peer In the frame the session ID must be the one determined in the discovery phase the MAC address must be that of the peer and the PPP packet section begins from the Protocol ID field In the session phase either end of the link can ...

Page 155: ...e the parameters for the PPPoE client as described in Table 61 4 Click Apply Table 61 Configuration items Task Remarks Dialer Interface Configure the number of the dialer interface Username Configure the username and password used by the PPPoE client in authentication The username and password must be configured together or not configured at all Password ...

Page 156: ... Online or Not Always Online Always Online When the physical link is up the device immediately initiates a PPPoE call to establish a PPPoE session The PPPoE session continues to exist until you delete it Not Always Online When the physical link is up the device does not initiate a PPPoE call unless there is data to be transmitted on the link When the PPPoE link stays in idle state longer than the ...

Page 157: ...umber of dropped packets which are received in the PPPoE session Sent Packets Number of transmitted packets in the PPPoE session Sent Bytes Number of transmitted bytes in the PPPoE session Dropped Packets Sent Number of dropped packets which are transmitted in the PPPoE session Displaying PPPoE client session summary information 1 Select Network PPPoE from the navigation tree 2 Click the Session t...

Page 158: ...the PPPoE client Server MAC MAC address of the PPPoE server Status PPPoE session state IDLE PPPoE client negotiation is not performed PADI PADI packets have been sent The interface is waiting for the PADO response PADR PADR packets have been sent The interface is waiting for the PADS response PPPNEG PPP negotiation is started PPPUP PPP negotiation is completed PPPoE client configuration example Ne...

Page 159: ...iguration mode PPP Negotiate Select the interface to be bound Vlan interface1 Select the session type Always Online d Click Apply Figure 153 Create a PPPoE client Configuring the PPPoE server You must enable the PPPoE protocol on the PPPoE server configure the PPPoE username and password that are the same as those configured on the PPPoE client and assign an IP address to the peer end of the PPP c...

Page 160: ... PPP negotiation is completed Figure 154 Display the summary information of PPPoE sessions Configuration guidelines The dialer interfaces you create on the page generated after you select Device Interface Management can also be displayed on the PPPoE client page where you can modify or remove these dialer interfaces However you cannot establish PPPoE sessions for them ...

Page 161: ... device can serve as the SFTP server allowing a remote user to log in to the SFTP server for secure file management and transfer The device can also serve as an SFTP client enabling a user to login from the device to a remote device for secure file transfer HTTP service The Hypertext Transfer Protocol HTTP is used for transferring web page information across the Internet It is an application layer...

Page 162: ...default SFTP Enable SFTP service Specifies whether to enable the SFTP service The SFTP service is disabled by default IMPORTANT When you enable the SFTP service the SSH service must be enabled HTTP Enable HTTP service Specifies whether to enable the HTTP service The HTTP service is disabled by default Port Number Sets the port number for HTTP service You can view this configuration item by clickin...

Page 163: ...used by other service ACL Associates the HTTPS service with an ACL Only the clients that pass the ACL filtering are permitted to use the HTTPS service You can view this configuration item by clicking the expanding button in front of HTTPS Certificate Sets the local certificate for the HTTPS service The list displays certificate subjects You can configure the available PKI domains by selecting Auth...

Page 164: ...tion include number of packets sent number of echo reply messages received percentage of messages not received and the minimum average and maximum response time Trace route By using the trace route command you can display the Layer 3 devices involved in delivering a packet from source to destination This function is useful for identification of failed node s in the event of network failure Executi...

Page 165: ... display the configurations of the advanced parameters of IPv4 ping operation as shown in Figure 156 Figure 156 IPv4 ping configuration page 3 Enter the IPv4 address or host name of the destination device in the Destination IP address or host name field 4 Set the advanced parameters for the IPv4 ping operation 5 Click Start to execute the ping command 6 View the result in the Summary field ...

Page 166: ...ng operation 1 Select Diagnostic Tools Ping from the navigation tree 2 Enter the IPv6 ping configuration page default setting 3 Expand Advanced Setup to display the configurations of the advanced parameters of IPv6 ping operation as shown in Figure 158 ...

Page 167: ... or host name of the destination device in the Destination IP address or host name field 5 Set the advanced parameters for the IPv6 ping operation 6 Click Start to execute the ping command 7 View the result in the Summary field as shown in Figure 159 ...

Page 168: ...he ip ttl expires enable command on the intermediate device to enable the sending of ICMP timeout packets and the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets 1 Select Diagnostic Tools Trace Route from the navigation tree 2 Click the Trace Route tab to enter the Trace Route configuration page as shown in Figure 160 ...

Page 169: ...oute configuration page 3 Enter the destination IP address or host name 4 Click Start to execute the trace route command 5 View the result in the Summary field as shown in Figure 161 Figure 161 Trace route operation results ...

Page 170: ...t cable By default all ports belong to VLAN 1 2 Configure an IP address for the PC and make sure that the PC and device can reach each other For example assign the PC an IP address for example 192 168 0 2 within the network segment 192 168 0 0 24 except for 192 168 0 50 3 Open the browser and input the login information a Type the IP address http 192 168 0 50 in the address bar and press Enter The...

Page 171: ...f the web interface to quit web based network management The system does not save the current configuration before you log out of the web interface H3C recommends you to save the current configuration before logout CAUTION A logged in user cannot automatically log out by directly closing the browser Introduction to the web interface The web interface is composed of three parts navigation tree titl...

Page 172: ...n perform any operations for the device Introduction to the web based NM functions NOTE User level in Table 65 indicates that users of this level or users of a higher level can perform the corresponding operations Table 65 Description of web based NM functions Function menu Description User level Quick Start Perform quick configuration of the device Configure Summary Device Info Display and refres...

Page 173: ...st of the current user to the device for the next startup Management Save Save the current configuration to the configuration file for the next startup Configure Initialize Restore the system to factory defaults Configure File management Manage files on the device including displaying file list downloading a file uploading a file and removing a file Management Interface Management Display interfac...

Page 174: ...MP Snooping Basic Display global IGMP Snooping configuration information and the IGMP Snooping configuration information in a VLAN and view the IGMP Snooping multicast entry information Monitor Configure IGMP Snooping globally and in a VLAN Configure Advance Display the IGMP Snooping configuration information on a port Monitor Configure IGMP Snooping on a port Configure IPv4 Routing Summary Displa...

Page 175: ... result Visitor Trace Route Perform trace route operations and display the result Visitor WLAN Service Access Service Display an access service Monitor Create and configure an access service and add a MAC authentication list Configure WDS WDS Setup Displays a WDS service Monitor Configure a WDS service Configure WDS Global Setup Display WDS global configuration Monitor Configure WDS global paramet...

Page 176: ...ment Authentication Display the authentication method configuration information of an ISP domain Monitor Specify authentication methods for an ISP domain Management Authorization Display the authorization method configuration information of an ISP domain Monitor Specify authorization methods for an ISP domain Management Accounting Display the accounting method configuration information of an ISP d...

Page 177: ...a domain Configure Security WIDS WIDS Setup Display IDS configuration Monitor Configure IDS detection including flood attack detection spoofing attack detection and weak IV detection Configure History Record Display IDS attack detection history Monitor Clear history record of IDS attack detection and add the detected devices that initiate attacks to blacklist Configure Statistics Display statistic...

Page 178: ...n policy radio EDCA and client EDCA Configure Radio Statistics Display radio statistics including WMM status and detailed radio information Monitor Display radio statistics including WMM status and detailed radio information and clear the radio statistics Configure Client Statistics Display client statistics including client MAC address wireless service WMM status and detailed client information M...

Page 179: ...onitor Setup Apply a QoS policy to a port Configure Delete Remove the QoS policy from the port Configure Service Policy Display the QoS policy applied to a WLAN ESS port Monitor Configure the QoS policy applied to a WLAN ESS port Configure Advanced Settings Country Region code Display the country region code Monitor Modify the country region code Configure Switch to Fit AP Display the AP working m...

Page 180: ...ure not bring it into effect and go to the page of the next configuration procedure Typically locating at a configuration procedure page of the configuration wizard it allows you to save the configuration of the current configuration procedure not bring it into effect and return to the page of the previous configuration procedure Typically locating at a configuration procedure page of the configur...

Page 181: ...ist select a search item from the list and click Search to display the entries that match the criteria Figure 166 shows an example of searching for entries with 00e0 included in the MAC address Figure 166 Basic search function example Advanced search Advanced search function As shown in Figure 165 you can click the Advanced Search link to open the advanced search page as shown in Figure 167 Specif...

Page 182: ...ria on the advanced search page as shown in Figure 168 and click Apply The ARP entries with 000f at the beginning of the MAC address are displayed Figure 168 Advanced search function example I 2 Click the Advanced Search link specify the search criteria on the advanced search page as shown in Figure 169 and click Apply The ARP entries with 000f at the beginning of the MAC address and IP address ra...

Page 183: ...g function to display entries in certain orders On a list page you can click the blue heading item of each column to sort the entries based on the heading item you selected After your clicking the heading item is displayed with an arrow beside it as shown in Figure 171 The upward arrow indicates the ascending order and the downward arrow indicates the descending order ...

Page 184: ... websites in Compatibility View for Internet Explorer 9 0 and higher The web based configuration interface does not support the Back Next Refresh buttons provided by the browser Using these buttons may result in abnormal display of web pages The Windows firewall limits the number of TCP connections so when you use IE to log in to the web interface sometimes you may be unable to open the web interf...

Page 185: ...Microsoft Internet Explorer you can access the web interface only when these functions are enabled Run ActiveX controls and plug ins script ActiveX controls marked safe for scripting and active scripting If you use the Mozilla Firefox you can access the web interface only when JavaScript is enabled Configuring the Internet Explorer settings 1 Open the Internet Explorer and select Tools Internet Op...

Page 186: ...eX controls marked safe for scripting and active scripting Figure 173 Internet Explorer Setting II 5 Click OK in the Security Settings dialog box Configuring Firefox web browser settings 1 Open the Firefox web browser and then select Tools Options 2 Click the Content tab select the Enable JavaScript box and click OK ...

Page 187: ...174 Figure 174 Firefox web browser setting ...

Page 188: ...he selected AP s radios Radio Mode Display the selected AP s radio mode If you change the selected AP s radio mode the transmit power and working channel of the AP are restored to the default of the corresponding mode Transmit Power Maximum radio transmission power which varies with country codes channels AP models radio modes and antenna types If you adopt the 802 11n mode the maximum transmit po...

Page 189: ...Client 802 11n Only If you select the Client 802 11n Only box non 802 11n clients are prohibited from access If you want to provide access for all 802 11a b g clients you must disable this function IMPORTANT To allow only 802 11n clients to access the network you must configure mandatory MCS For the configuration of mandatory MCS see Configuring 802 11n rates A MSDU Select A MSDU to enable A MSDU ...

Page 190: ...and be ready for the real data There are two different kinds of preambles Short preamble A short preamble improves network performance Therefore this option is always selected Long preamble A long preamble ensures compatibility between access point and some legacy client devices Therefore you can select this option to make legacy client devices support short preamble 802 11a 802 11n 5 GHz does not...

Page 191: ...es to implement data collision avoidance and thus has a higher cost CTS to Self In this mode an AP uses its IP address to send a CTS packet before sending data to a client ensuring that all the devices within the coverage of the AP do not send data within the specified time The CTS to Self mechanism uses only one frame to avoid data collision However if another device is in the coverage of the cli...

Page 192: ...hich a frame received by an AP can stay in the buffer memory Configuring data transmit rates NOTE Support for this feature depends on the device model For more information see Feature matrix Configuring 802 11a 802 11b 802 11g rates 1 Select Radio Rate from the navigation tree Figure 177 Setting 802 11a 802 11b 802 11g rates 2 Configure 802 11a 802 11b 802 11g rates as described in Table 69 3 Clic...

Page 193: ...sion rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients Configuring 802 11n MCS Introduction to MCS Configuration of mandatory and supported 802 1 1n rates is achieved by specifying the maximum Modulation and Coding Scheme MCS index The MCS data rate table shows relations between data rates MCS indexes and parameters that affect data rates Sample MCS data...

Page 194: ...M 130 0 144 4 16 3 BPSK 19 5 21 7 17 3 QPSK 39 0 43 3 18 3 QPSK 58 5 65 0 19 3 16 QAM 78 0 86 7 20 3 16 QAM 117 0 130 0 21 3 64 QAM 156 0 173 3 22 3 64 QAM 175 5 195 0 23 3 64 QAM 195 0 216 7 Table 71 MCS index table 40 MHz MCS index Number of spatial streams Modulation Data rate Mbps 800ns GI 400ns GI 0 1 BPSK 13 5 15 0 1 1 QPSK 27 0 30 0 2 1 QPSK 40 5 45 0 3 1 16 QAM 54 0 60 0 4 1 16 QAM 81 0 90...

Page 195: ...tes corresponding to MCS indexes 0 through 5 are configured as 802 1 1n mandatory rates Mandatory rates must be supported by the AP and the clients that want to associate with the AP Supported rates allow some clients that support both mandatory and supported rates to choose higher rates when communicating with the AP Multicast MCS Specifies 802 1 1n multicast data rates Configuring 802 11n rates ...

Page 196: ...st MCS takes effect the corresponding data rates defined for 20MHz are adopted no matter whether the 802 1 1n radio operates in 40 MHz mode or in 20 MHz mode Supported Maximum MCS Set the maximum MCS index for 802 11n supported rates The supported maximum MCS cannot be smaller than the mandatory maximum MCS NOTE For more information about MCS see H3C WA Series WLAN Access Points WLAN Configuration...

Page 197: ...el from the available channels When a radio selects a new working channel DFS happens and the channel switching information is displayed on the Channel Switch Info tab A radio can save three latest channel switching records at most Table 73 Channel switch information Field Description NO Display the sequence number of channel switching Chl After Before Display the channels before and after channel...

Page 198: ...o self packets to 802 11b devices which defer access to the medium Enable Enable 802 1 1g protection Close Disable 802 1 1g protection An AP running 802 11g uses the 802 11g protection function in the following two cases An 802 1 1b client is associated with it It detects APs or clients running 802 1 1b on the same channel IMPORTANT Enabling 802 1 1g protection reduces network performance Enabling...

Page 199: ...tection Mode Both RTS CTS and CTS to Self modes can be adopted The implementation of the two modes is the same as 802 11g 802 11n Protection Enable Enable 802 1 1n protection When non 802 1 1n wireless devices or non 802 1 1n clients exist within the coverage of the AP you must enable 802 1 1n protection Close Disable 802 1 1n protection Spectrum Management Enable Enable spectrum management Close ...

Page 200: ...ent to discover APs more easily Passive Passive scanning is used by a client when it wants to save battery power Typically VoIP clients adopt the passive scanning mode The default scanning type is passive scanning For an AP that has the monitoring function Active The AP simulates a client to send probe requests during the scanning process Passive The AP does not send probe requests during the scan...

Page 201: ...you configure this feature do not add all channels supported by the country code to the channel exclusion list This feature takes effect only for initial automatic channel selection DFS and mesh DFS If you add an automatically selected channel into the channel exclusion list the AC disables the radio enables the radio and then selects an available channel from the channels supported by the country...

Page 202: ...de Hybrid mode When an AP operates in hybrid mode it can both scan devices in the WLAN and act as an wireless access point as shown in Figure 184 Figure 184 Hybrid mode NOTE When an AP operates in monitor or hybrid mode it monitors the WLAN The administrator can monitor the WLAN by checking the monitoring records so as to adjust the WLAN settings when the interference is serious Configuring the AP...

Page 203: ...s its operating mode changed from normal or hybrid to monitor it does not restart When an AP has its operating mode changed from monitor to normal or hybrid it restarts NOTE If an AP operates in hybrid mode you must configure WLAN service so that the AP can both scan devices in the WLAN and provide WLAN data services If an AP operates in monitor mode the AP does not need to provide WLAN data servi...

Page 204: ... Radio Channel Detection from the navigation tree 2 Click the History Record tab 3 Configure the detect record aging time 4 Click Apply Figure 187 Configuring detection record aging time Displaying history record 1 Select Radio Channel Detection from the navigation tree 2 Click the History Record tab 3 View the history record for channel detection in the History Record area ...

Page 205: ...he aging time it is deleted from the detection record and added into the history record Antenna Select Radio Antenna to select an appropriate antenna for the corresponding radio Figure 189 Selecting an antenna NOTE All types of antennas supported by the corresponding radio mode are listed in the Antenna list ...

Page 206: ...g Records all network service usage information of users including the service type start time and traffic The accounting function not only provides the information required for charging but also allows for network security surveillance AAA usually uses a client server model The client runs on the network access server NAS and the server maintains user information centrally In an AAA network a NAS...

Page 207: ... domain named system which is the default ISP domain 2 Configuring authentication methods for the domain Optional Configure authentication methods for various types of users By default all types of users use local authentication 3 Configuring authorization methods for the domain Optional Specify the authorization methods for various types of users By default all types of users use local authorizat...

Page 208: ...fault domain Default Domain Specify whether to use the ISP domain as the default domain Options include Enable Uses the domain as the default domain Disable Uses the domain as a non default domain There can only be one default domain at a time If you specify a second domain as the default domain the original default domain becomes a non default domain Configuring authentication methods for the dom...

Page 209: ...ecify the HWTACACS scheme to be used Local Performs local authentication None Does not perform authentication This method trusts all users and is not for general use RADIUS Performs RADIUS authentication You must specify the RADIUS scheme to be used Not Set The device uses the default authentication setting which is local authentication Name Secondary Method LAN access AuthN Configure the authenti...

Page 210: ...t The device uses the settings in the Default AuthN area for login users Name Secondary Method PPP AuthN Not supported on the AP Name Secondary Method Portal AuthN Not supported on the AP Name Configuring authorization methods for the domain 1 Select Authentication AAA from the navigation tree 2 Click the Authorization tab to enter the authorization method configuration page Figure 193 Authorizati...

Page 211: ...ers Options include Local Performs local authorization None Does not perform authorization This method trusts all users and is not for general use RADIUS Performs RADIUS authorization You must specify the RADIUS scheme to be used Not Set The device uses the settings in the Default AuthZ area for LAN access users Name Secondary Method Login AuthZ Configure the authorization method and secondary aut...

Page 212: ... to enable the accounting optional feature With the feature enabled a user that will be disconnected otherwise can use the network resources even when there is no accounting server available or communication with the current accounting server fails If accounting for such a user fails the device does not send real time accounting updates for the user anymore Default Accounting Configure the default...

Page 213: ...S Performs HWTACACS accounting You must specify the HWTACACS scheme to be used Local Performs local accounting None Does not perform accounting RADIUS Performs RADIUS accounting You must specify the RADIUS scheme to be used Not Set The device uses the settings in the Default Accounting area for login users Name Secondary Method PPP Accounting Not supported on the AP Name Secondary Method Portal Ac...

Page 214: ...he password f Select Common User as the user type g Select Configure as the level h Select Telnet as the service type i Click Apply Figure 196 Configure the local user 2 Configure ISP domain test a Select Authentication AAA from the navigation tree The Domain Setup page appears as shown in Figure 197 b Enter test as the domain name c Click Apply ...

Page 215: ...AAA from the navigation tree b Click the Authentication tab c Select the domain test d Select the Login AuthN box and select the authentication method Local e Click Apply A configuration progress dialog box appears f After the configuration progress is complete click Close Figure 198 Configure the ISP domain to use local authentication ...

Page 216: ...ears f After the configuration progress is complete click Close Figure 199 Configure the ISP domain to use local authorization 5 Log in to the command line interface CLI enable Telnet service and configure the AP to use AAA for Telnet users AP system view AP telnet server enable AP user interface vty 0 4 AP ui vty0 4 authentication mode scheme AP ui vty0 4 quit 6 Verify the configuration Telnet to...

Page 217: ...ded to support additional access methods for example Ethernet and ADSL RADIUS provides access authentication and authorization services and its accounting function collects and records network resource usage information NOTE For more information about AAA and ISP see H3C WA Series WLAN Access Points Security Configuration Guide Configuring a RADIUS scheme A RADIUS scheme defines a set of parameter...

Page 218: ...mat Username Format Select the format of usernames to be sent to the RADIUS server A username is generally in the format of userid isp name of which isp name is used by the device to determine the ISP domain to which a user belongs If a RADIUS server such as a RADIUS server of some early version does not accept a username that contains an ISP domain name you can configure the device to remove the ...

Page 219: ...206 Figure 202 Common configuration area 6 Configure the advanced parameters ...

Page 220: ... device needs to send a request of the same type for another user it still tries to send the request to the server because the server is in active state You can use this parameter to control whether the device changes the status of an unreachable server For example if you determine that the primary server is unreachable because the device s port for connecting the server is out of service temporar...

Page 221: ...use if the physical interface is down the response packets from the server cannot reach the device RADIUS Packet Backup Source IP Specify the backup source IP address for the device to use in RADIUS packets sent to the RADIUS server In a stateful failover environment the backup source IP address must be the source IP address for the remote device to use in RADIUS packets sent to the RADIUS server ...

Page 222: ...ter the RADIUS server configuration page Figure 203 RADIUS server configuration page 8 Configure a RADIUS server for the RADIUS scheme as described in Table 83 9 Click Apply to add the server to the RADIUS scheme 10 Repeat step 7 through step 9 to add more RADIUS servers to the RADIUS scheme 11 On the RADIUS scheme configuration page click Apply Table 83 Configuration items Item Description Server...

Page 223: ...rver configure a Telnet user account with the username hello bbb and the password abc and set the EXEC privilege level to 3 for the user Set the shared keys for packet exchange between the AP and the RADIUS server to expert Figure 204 Network diagram Configuring the RADIUS server running on IMC NOTE This example assumes that the server runs IMC PLAT 3 20 R2606 and IMC UAM 3 60 E6206 1 Add the AP t...

Page 224: ...ick the User tab b Select Access User View Device Mgmt User from the navigation tree c Click Add to enter the device management user configuration page as shown in Figure 206 d Enter the username hello bbb e Enter the password abc and confirm the password f Select the service type Telnet g Set the EXEC privilege level to 3 This value identifies the privilege level of the Telnet user after login wh...

Page 225: ...elect the server type Extended and select the username format Without domain name d In the RADIUS Server Configuration area click Add to enter the RADIUS server configuration page e Select the server type Primary Authentication enter 10 1 1 1 as the IP address of the primary authentication server 1812 as the port number and expert as the key and click Apply to add the primary authentication server...

Page 226: ...ting as the server type enter 10 1 1 1 as the IP address of the primary accounting server enter the port number 1813 the key expert and click Apply as shown in Figure 208 The RADIUS scheme configuration page refreshes and the added servers appear in the server list as shown in Figure 209 h Click Apply to finish the scheme configuration Figure 208 RADIUS accounting server configuration page ...

Page 227: ...e 209 RADIUS scheme configuration 2 Create the ISP domain bbb a From the navigation tree select Authentication AAA The domain setup page appears as shown in Figure 210 b Enter the domain name test c Click Apply ...

Page 228: ... c Select the Default AuthN box and then select the authentication mode RADIUS d Select the RADIUS scheme system from the Name list to use it as the authentication scheme e Click Apply A configuration progress dialog box appears f After the configuration progress is complete click Close Figure 211 Configure an authentication method for the ISP domain ...

Page 229: ...ress is complete click Close Figure 212 Configure an authorization method for the ISP domain 5 Configure an accounting method for the ISP domain and enable accounting optional a Click the Accounting tab b Select the domain name bbb c Select the Accounting Optional box and then select Enable d Select the Default Accounting box and then select accounting mode RADIUS e Select the RADIUS scheme system...

Page 230: ...in to the CLI and configure the AP to use AAA for Telnet users AP system view AP user interface vty 0 4 AP ui vty0 4 authentication mode scheme AP ui vty0 4 quit Verifying the configuration Telnet to the AP and enter the username hello bbb and password abc You can log in and access commands of levels 0 through 3 Configuration guidelines When you configure the RADIUS client follow these guidelines ...

Page 231: ...he server again during the authentication or accounting process If no server is found reachable during one search process the device considers the authentication or accounting attempt a failure Once the accounting process of a user starts the device keeps sending the user s real time accounting requests and stop accounting requests to the same accounting server If you remove the accounting server ...

Page 232: ...uthentication and being authorized the users log in to the device and performs operations and the HWTACACS server records the commands that each user performs NOTE For more information about HWTACACS see H3C WA Series WLAN Access Points Security Configuration Guide Configuring HWTACACS NOTE The HWTACACS scheme configured through the Web interface is named system Recommended configuration procedure...

Page 233: ...ystem does not exist select Authentication HWTACACS from the navigation tree 2 When the page shown in Figure 215 appears click Add to create an HWTACACS scheme named system Figure 215 Create HWTACACS scheme system Configuring HWTACACS servers 1 Select Authentication HWTACACS from the navigation tree to enter the HWTACACS server configuration page Figure 216 HWTACACS server configuration 2 Configur...

Page 234: ...ndary server is specified the secondary server IP and the secondary server TCP port are empty If you leave the IP address field empty it means the secondary server if configured will be removed The specified IP address of the primary server cannot be the same as that of the secondary server Secondary Server TCP Port Enter the TCP port of the secondary server You must configure different TCP port n...

Page 235: ...l time accounting on users it is necessary to set the real time accounting interval After this parameter is specified the device will send the accounting information of online users to the HWTACACS server every the specified interval According to the protocol the device will not disconnect the online users even if the server does not make any response properly If you leave this field blank the rea...

Page 236: ...CACS server If you leave this field blank the response timeout period is restored to the default value IMPORTANT As HWTACACS is based on TCP the timeout of the server response timeout timer and or the TCP timeout timer will cause the NAS to be disconnected from the HWTACACS server Quiet Interval Specify the interval the primary server has to wait before being active If you leave this field blank t...

Page 237: ...net user Set the shared keys for authentication authorization and accounting exchanges with the HWTACACS server to expert Configure the AP to remove the domain name from a username before sending the username to the HWTACACS server Figure 218 Network diagram Configuring the HWTACACS server Set the shared keys to expert and add a Telnet user and specify a password for the user Details not shown Con...

Page 238: ...Server as the server type b Enter 10 1 1 1 as the IP address of the primary server c Enter 49 as the authorization port number of the primary server d Select the Shared Key box enter expert as the shared key and then confirm the password e Click Apply 4 Configure the HWTACACS accounting server a On the page as shown in Figure 220 select Accounting Server as the server type b Enter 10 1 1 1 as the ...

Page 239: ... tab c Select the username format without domain d Click Apply Figure 221 Configure the parameters for communication 6 Configure ISP domain test a From the navigation tree select Authentication AAA b Enter the domain name test c Click Apply ...

Page 240: ...c Select the Default AuthN box and then select the authentication mode HWTACACS d Select the HWTACACS scheme system from the Name list to use it as the authentication scheme e Click Apply A configuration progress dialog box appears f After the configuration progress is complete click Close Figure 223 Configure an authentication method for the ISP domain ...

Page 241: ...ress is complete click Close Figure 224 Configure an authorization method for the ISP domain 9 Configure an accounting method for the ISP domain and enable accounting optional a Click the Accounting tab b Select the domain name test c Select the Accounting Optional box and then select Enable d Select the Default Accounting box and then select accounting mode HWTACACS e Select the HWTACACS scheme s...

Page 242: ...erver IP address Except for deleting HWTACACS schemes and changing the IP addresses of the HWTACACS servers you can make any changes to HWTACACS parameters no matter whether there are users online or not HWTACACS authentication must work with HWTACACS authorization If only HWTACACS authentication is configured but HWTACACS authorization is not users cannot log in You can remove an authentication a...

Page 243: ...230 Number of users Real time accounting interval in minutes 500 to 999 12 1000 15 ...

Page 244: ...group All local users in a user group inherit the user attributes of the group but if you configure user attributes for a local user the settings of the local user take precedence over the settings for the user group By default every newly added local user belongs to a user group named system which is automatically created by the system Guest A guest is a local user for specific applications If Po...

Page 245: ... page appears On this page you can create a local user of any type except guest Figure 227 Local user configuration page 3 Configure a local user as described in Table 88 4 Click Apply Table 88 Configuration items Item Description Username Specify a name for the local user ...

Page 246: ...ta from the AP but cannot configure the AP Configure A user of this level can read data from the AP and configure the AP but cannot upgrade the AP software add delete modify users or backup restore configuration files Management A user of this level can perform all operations except for security log file reading and management A higher level user has all the rights of a lower level user IMPORTANT ...

Page 247: ...user profile for the local user IMPORTANT This option is only effective for common PPP and LAN users The AP does not support configuring user profiles Configuring a user group 1 Select Authentication Users from the navigation tree 2 Click the User Group tab Figure 228 User group list 3 Click Add to enter the user group configuration page Figure 229 User group configuration page 4 Configure the use...

Page 248: ... Specify the user profile for the user group IMPORTANT The AP does not support specifying a user profile Allow Guest Accounts Specify whether to allow a guest to join the user group IMPORTANT User group system is an optional group of guest accounts by default and cannot be modified Configuring a guest Two types of users can configure guests guest administrators and common users of the management l...

Page 249: ...r of Users Password Specify a password for the guest If you select the Same as the Username option you do not need to enter the password and confirm password and the guest password is the same as the username If you do not select the Same as the Username option you must enter the password and confirm password and they must be the same IMPORTANT Leading spaces of a password are ignored Same as the ...

Page 250: ...ccounts through the web interface 1 Log in to the AP as a guest administrator and select Authentication User from the navigation tree The guest management page appears Figure 232 Guest management page 2 Click Add to enter the guest configuration page Figure 233 Guest configuration page 3 Configure the guest as described in Table 90 4 Click Apply ...

Page 251: ...ome application examples VPN A virtual private network VPN is a private data communication network built on the public communication infrastructure A VPN can leverage network layer security protocols for instance IPsec in conjunction with PKI based encryption and digital signature technologies to achieve confidentiality Secure email Emails require confidentiality integrity authentication and non r...

Page 252: ...SSL and has only local significance 3 Generating an RSA key pair Required Generate a local RSA key pair By default no local RSA key pair exists Generating an RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user and the public key is transferred to the CA along with some other information IMPORTANT If a loc...

Page 253: ...pair you must destroy the existing RSA key pair Otherwise the certificate cannot be retrieved Destroying the existing RSA key pair also destroys the corresponding local certificate 7 Retrieving and displaying a certificate Required if you request a certificate in offline mode Retrieve an existing certificate and display its contents IMPORTANT If you request a certificate in offline mode you must r...

Page 254: ...ertificate 4 Retrieving and displaying a certificate Optional Retrieve an existing certificate and display its contents IMPORTANT Before retrieving a local certificate in online mode be sure to complete LDAP server configuration If a CA certificate already exists you cannot retrieve another CA certificate This restriction avoids inconsistency between the certificate and registration information du...

Page 255: ... identifier of an entity on the network It consists of a host name and a domain name and can be resolved to an IP address For example www whatever com is an FQDN where www indicates the host name and whatever com the domain name Country Region Code Country or region code of the entity State State or province of the entity Locality Locality of the entity Organization Organization name of the entity...

Page 256: ...tion Domain Name Name of the PKI domain CA Identifier Identifier of the trusted CA An entity requests a certificate from a trusted CA The trusted CA takes the responsibility of certificate registration distribution and revocation and query In offline mode this item is optional In other modes this item is required Entity Name Select the local PKI entity When submitting a certificate request to a CA...

Page 257: ...h value of the root certificate content This hash value is unique to every certificate If the fingerprint of the root certificate does not match the one configured for the PKI domain the entity rejects the root certificate If you specify MD5 as the hash algorithm enter an MD5 fingerprint The fingerprint must a string of 32 characters in hexadecimal notation If you specify SHA1 as the hash algorith...

Page 258: ...en the URL of the CRL distribution point is not set you should acquire the CA certificate and a local certificate and then acquire a CRL through SCEP IMPORTANT This item does not support domain name resolution Generating an RSA key pair 1 Select Authentication Certificate Management from the navigation tree 2 Click the Certificate tab to enter the page displaying existing PKI certificates Figure 2...

Page 259: ...do so you can use offline mode or online mode In offline mode you can retrieve a certificate by an out of band means like FTP disk email and then import it into the local PKI system To retrieve a certificate 1 Select Authentication Certificate Management from the navigation tree 2 Select the Certificate tab to enter the page displaying existing PKI certificates 3 Click Retrieve Cert to enter PKI c...

Page 260: ...saved on a local PC select Get File From PC and then specify the path to the file and select the partition of the device for saving the file Get File From PC Password Enter the password if you retrieve the certificate in offline mode The password is specified when the certificate is exported and used for protecting the private key 6 After retrieving a certificate click View Cert that corresponds t...

Page 261: ...Select this box to request a certificate in offline mode that is by an out of band means like FTP disk or email 5 Click Apply If you select the online mode the system gives a prompt that the request is submitted In this case click Apply again to finish the operation If you select the offline mode the offline certificate request information page appears In this case you must submit the information ...

Page 262: ... CRL for the domain to display the contents of the CRL Figure 246 CRL information PKI configuration example Network requirements As shown in Figure 247 configure the AP working as the PKI entity so that The AP submits a local certificate request to the CA server which runs the RSA Keon software The AP acquires CRLs for certificate verification ...

Page 263: ... CA server This includes selecting the proper extension profiles enabling the SCEP autovetting function and adding the IP address list for SCEP autovetting 3 Configure the CRL publishing behavior After you complete the configuration perform CRL related configurations In this example select the local CRL publishing mode of HTTP and set the HTTP URL to http 4 4 4 133 447 myca crl After the configura...

Page 264: ... request The URL must be in the format of http host port Issuing Jurisdiction ID where Issuing Jurisdiction ID is the hexadecimal string generated on the CA h Select Manual as the certificate request mode i Click the expansion button before Advanced Configuration to display the advanced configuration items j Click the Enable CRL Checking box k Enter http 4 4 4 133 447 myca crl as the CRL URL l Cli...

Page 265: ...cate tab b Click Create Key c Enter 1024 as the key length d Click Apply to generate an RSA key pair Figure 250 Generate an RSA key pair 4 Retrieve the CA certificate a Click the Certificate tab b Click Retrieve Cert c Select torsa as the PKI domain d Select CA as the certificate type ...

Page 266: ...ert c Select torsa as the PKI domain d Click Password and then enter challenge word as the password e Click Apply The system gives a prompt that the request is submitted f Click OK Figure 252 Request a local certificate 6 Retrieve the CRL a Click the CRL tab b Click Retrieve CRL of the PKI domain of torsa Figure 253 Retrieve the CRL ...

Page 267: ... are synchronous Otherwise the validity periods of certificates are abnormal The Windows 2000 CA server has some restrictions on the data length of a certificate request If the PKI entity identity information in a certificate request goes beyond a certain limit the server does not respond to the certificate request The SCEP plug in is required when you use the Windows Server as the CA In this case...

Page 268: ... Client A computer a laptop with a wireless Network Interface Card NIC or a terminal supporting WiFi can be a WLAN client Fat AP A fat AP controls and manages all associated wireless stations and bridges frames between wired and wireless networks SSID The service set identifier A client scans all networks at first and then selects a specific SSID to connect to a specific wireless network Wireless ...

Page 269: ... Active scanning falls into two modes according to whether a specified SSID is carried in a probe request A client sends a probe request with the SSID null that is the SSID IE length is 0 The client periodically sends a probe request frame on each of its supported channels to scan wireless networks APs that receive the probe request send a probe response which carries the available wireless networ...

Page 270: ...nels to get information about surrounding wireless networks Passive scanning is used by a client when it wants to save battery power Typically VoIP clients adopt the passive scanning mode The passive scanning process is as shown in Figure 257 Figure 257 Passive scanning Authentication To secure wireless links the wireless clients must be authenticated before accessing the AP and only wireless clie...

Page 271: ...ss a wireless network via an AP must be associated with that AP Once the client chooses a compatible network with a specified SSID and passes the link authentication to an AP it sends an association request frame to the AP The AP detects the capability information carried in the association request frame determines the capability supported by the wireless client and sends an association response t...

Page 272: ...ttackers get all encrypted data In addition periodical manual key update brings great management workload Dynamic WEP encryption Dynamic WEP encryption is a great improvement over static WEP encryption With dynamic WEP encryption WEP keys are negotiated between client and server through the 802 1X protocol so that each client is assigned a different WEP key which can be updated periodically to fur...

Page 273: ... the wireless client side and the AP side and the preshared key is used as the seed key for key negotiation During the negotiation process the seed key is used by two parties for verification The key negotiation succeeds only when the key setting is the same that is the wireless client successfully passes the PSK access authentication Otherwise the wireless client fails to pass the PSK access auth...

Page 274: ...t the AP operates as the RADIUS client and cooperates with the RADIUS server to perform the MAC authentication for the client After the RADIUS server finishes the authentication for the client the client can access the wireless network and the RADIUS server can issue the corresponding authorization information Figure 261 Remote MAC authentication When a RADIUS server is used for MAC authentication...

Page 275: ...ely reduces the channel idle time and improves channel utilization The short GI feature can increase the performance by about 10 percent Introduction to WDS WLAN distribution system WDS wireless bridging uses wireless links to connect two or more separate wired LANs or WLANs to provide connectivity between them Advantages of WDS 802 1 1 based WLAN technologies are widely applied in the home SOHO a...

Page 276: ...e versa Figure 262 WDS point to point bridge connection Point to multi point bridge connection In this topology a device acts as the centralized device and all the other devices set up wireless bridge connections with only the centralized device thus interconnecting multiple networks This topology conveniently connects multiple network islands to existing networks However all data exchanged betwee...

Page 277: ...or Client 1 and Client 2 In the aspect of applications an AP in repeater mode deployed in the network increases the wireless communication distance and WLAN coverage Figure 265 Repeater mode Workgroup bridge mode overview You can configure the AP as a workgroup bridge In workgroup bridge mode or client mode the AP connects to another AP as a client As shown in Figure 266 if you need to provide wir...

Page 278: ...265 Figure 266 Network diagram LAN Segment ...

Page 279: ...reless service Required Use either approach Complete the security settings as needed 3 Binding an AP radio to a wireless service Required 4 Enabling a wireless service Required 5 Enabling a radio Optional Creating a wireless service 1 Select Wireless Service Access Service from the navigation tree The page for configuring an access service appears Figure 267 Configure access service 2 Click Add Th...

Page 280: ... random string as the SSID because it only adds the Beacon frame length and usage complexity without any improvement to wireless security Wireless Service Type Select the wireless service type clear Indicates the SSID is not encrypted crypto Indicates the SSID is encrypted Configuring clear type wireless service Configuring basic settings for the clear type wireless service 1 Select Wireless Servi...

Page 281: ... the VLANs whose packets are to be sent untagged and tagged SSID HIDE Enable Disable the advertisement of the SSID in beacon frames Disable Enable the advertisement of the SSID in beacon frames By default the SSID in beacon frames is advertised IMPORTANT If the advertising of the SSID in beacon frames is disabled the SSID must be configured for the clients to associate with the AP Disabling the ad...

Page 282: ...the web interface management right of online clients MAC VLAN Enable Enable the MAC VLAN feature for the wireless service Disable Disable the MAC VLAN feature for the wireless service Fast Association Enable Enable fast association Disable Disable fast association By default fast association is disabled When fast association is enabled the device does not perform band navigation and load balancing...

Page 283: ...eless service 3 Configure the security settings for the clear type wireless service as described in Table 98 4 Click Apply Table 98 Configuration items Item Description Authentication Type For the clear type wireless service you can select Open System only ...

Page 284: ...xt This mode is similar to the userlogin secure or mac mode except that it supports multiple 802 1X and MAC authentication users on the port userlogin secure ext In this mode a port performs 802 1X authentication on users in macbased mode and supports multiple 802 1X users IMPORTANT There are multiple security modes To remember them easily follow these rules to understand part of the port security...

Page 285: ...to access the network through the port MAC Authentication Select the MAC Authentication option Domain Select an existing domain from the list The default domain is system To create a domain select Authentication AAA from the navigation tree click the Domain Setup tab and enter a new domain name in the Domain Name field The selected domain name applies to only the current wireless service and all c...

Page 286: ...enter a new domain name in the Domain Name field The selected domain name applies to only the current wireless service and all clients accessing the wireless service use this domain for authentication authorization and accounting Do not delete a domain name in use Otherwise the clients that access the wireless service are logged out Authentication Method EAP Use the Extensible Authentication Proto...

Page 287: ...By default the multicast trigger function is enabled Disable Disable the 802 1X multicast trigger function IMPORTANT For a WLAN the clients can actively initiate authentication or the AP can discover users and trigger authentication Therefore the ports do not need to send 802 1X multicast trigger messages periodically for initiating authentication You are recommended to disable the multicast trigg...

Page 288: ...nter the MAC address of the client Max User Control the maximum number of users allowed to access the network through the port Mandatory Domain Select an existing domain from the drop down list After a mandatory domain is configured all 802 1X users accessing the port are forced to use the mandatory domain for authentication authorization and accounting The default domain is system To create a dom...

Page 289: ...m To create a domain select Authentication AAA from the navigation tree click the Domain Setup tab and enter a new domain name in the Domain Name field The selected domain name applies to only the current wireless service and all clients accessing the wireless service use this domain for authentication authorization and accounting Do not delete a domain name in use Otherwise the clients that acces...

Page 290: ...airwise transient key PTK lifetime A PTK is generated through a four way handshake TKIP CM Time Set the TKIP countermeasure time By default the TKIP countermeasure time is 0 seconds that is the TKIP countermeasure policy is disabled If the TKIP countermeasure time is set to a value other than 0 the TKIP countermeasure policy is enabled Message integrity check MIC is designed to avoid hacker tamper...

Page 291: ... after a specified number of packets are transmitted By default the GTK rekeying method is time based and the interval is 86400 seconds GTK User Down Status Enable refreshing the GTK when some client goes offline By default the GTK is not refreshed when a client goes off line Fast Association Enable Enable fast association Disable Disable fast association By default fast association is disabled Wh...

Page 292: ... IMPORTANT WEP encryption can be used together with open system and shared key authentication Open system authentication When this authentication mode is used a WEP key is used for encryption only If the two parities do not use the same key a wireless link can still be established but all data is discarded Shared key authentication When this authentication mode is used a WEP key is used for both a...

Page 293: ...st frames is negotiated between client and server If the WEP default key is configured the WEP default key is used to encrypt multicast frames If not the device randomly generates a multicast WEP key WEP wep40 Indicates the WEP40 key option wep104 Indicates the WEP104 key option wep128 Indicates the WEP128 key option Key ID Configure the key index which can be 1 Key index 1 2 Key index 2 3 Key ind...

Page 294: ... succeeds userlogin secure ext Perform MAC based 802 1X authentication for access users In this mode the port supports multiple 802 1X users a Configure mac and psk Figure 278 mac and psk port security configuration page Table 104 Configuration items Item Description Port Mode mac and psk MAC based authentication must be performed on access users first If MAC based authentication succeeds an acces...

Page 295: ...haracters raw key Enter a PSK in the form of a hexadecimal number You must input a valid 64 bit hexadecimal number b Configure PSK Figure 279 psk port security configuration page Table 105 Configuration items Item Description Port Mode psk An access user must use the pre shared key PSK that is pre configured to negotiate with the device The access to the port is allowed only after the negotiation ...

Page 296: ... or mac userlogin secure or mac ext Crypto Open Syste m Selected Required WEP encryption is available The key ID can be 1 2 3 or 4 mac and psk psk userlogin secure ext Unselected Unavailable WEP encryption is required The key ID can be 1 2 3 or 4 mac authentication userlogin secure userlogin secure ext Shared Key Unavailable Unavailable WEP encryption is required The key ID can be 1 2 3 or 4 mac a...

Page 297: ...ireless service 3 Select the AP radio to be bound 4 Click Bind Enabling a wireless service 1 Select Wireless Service Access Service from the navigation tree The page for enabling a wireless service appears Figure 281 Enable a wireless service 2 Select the wireless service to be bound 3 Click Enable Enabling a radio Select Radio Radio Setup from the navigation tree to enter the radio setup page and...

Page 298: ...ck Apply Table 107 Configuration items Item Description Radio Unit Radio ID The actual value range depends on your device model Radio Mode Display the radio mode which depends on your device model Pass Phrase Specify the pass phrase format indicating that you should input the preshared key in a string Raw Key Specify the raw key format indicating that you should input the preshared key in a hex nu...

Page 299: ...e navigation tree 2 Select the radio mode to be configured and click the icon to enter the page for configuring a neighbor MAC address Figure 284 Configure a neighbor MAC address 3 Enter the MAC address in the Neighbor MAC Address field and click Add 4 Click Apply Configuring advanced WDS settings 1 Select Wireless Service WDS from the navigation tree 2 Click the WDS Setup tab 3 Click the icon cor...

Page 300: ...Table 108 5 Click Apply Table 108 Configuration items Item Description Mesh Identifier Set the mesh ID The default mesh identifier of a device depends on its radio mode Link Keep Alive Interval Configure the mesh link keep alive interval Link Backhaul Rate Configure the backhaul radio rate ...

Page 301: ... Maximum Number Set the maximum number of WDS links allowed IMPORTANT If an AP needs to establish more than two WDS links you must set this number as required Link Hold RSSI Set the link hold RSSI This is the minimum RSSI required to establish and hold a link Therefore the minimum RSSI must be ensured Otherwise the error rate can be very high and the link performance deteriorates ratemode fixed Th...

Page 302: ... 1 Select Wireless Service WDS from the navigation tree 2 Select the WDS Global Setup tab to enter the WDS Global Setup page Figure 286 WDS global setup page 3 Configure global WDS settings as described in Table 109 4 Click Apply Table 109 Configuration items Item Description Global STP Enable Enable STP globally Disable Disable STP globally By default STP is disabled globally Configuring a workin...

Page 303: ...ss Service WDS from the navigation tree 2 Select the WDS Setup tab to enter the WDS setup page Figure 287 Enable WDS service 3 Select the radio for which WDS is to be enabled 4 Click Enable Configuring the repeater service To configure the repeater service you must configure WDS and wireless access service on the AP and configure the radio to use a fixed channel For how to configuring wireless acc...

Page 304: ...port for radio modes depends on your device model You cannot enable an access service or WDS service on a radio interface with the client mode enabled To modify the radio mode select Radio Radio from the navigation tree click the icon corresponding to the target radio and change the radio mode in Radio Mode You can modify the radio mode only when the client mode is disabled If the 802 1 1 2 4GHz 8...

Page 305: ...s service list The SET CODE dialog box appears Figure 291 SET CODE 2 Configure the wireless service as described in Table 110 3 Click Apply Table 110 Configuration items Item Remarks AuthMode Specify the network authentication mode which can be Open System Open system authentication namely no authentication Shared Key Shared key authentication which requires the client and the device to be configu...

Page 306: ...ervice 2 Enter the specified wireless service in the Wireless Service Name field 3 Click Connect The dialog box in Figure 291 appears 4 Set the options on the dialog box according to the specified wireless service type 5 To configure the VLAN information about the workgroup bridge enter the VLAN ID in the VLAN field optional NOTE To configure VLAN information about the WLAN uplink interface of the...

Page 307: ... service1 Figure 294 Network diagram Configuring the AP 1 Assign an IP address to the fat AP a Select Network VLAN to create a VLAN on the fat AP b Select Device Interface Management to assign an IP address to the VLAN interface 2 Configure a wireless service a Select Wireless Service Access Service from the navigation tree b Click Add c On the page that appears enter the service name service1 sel...

Page 308: ... d Click Bind Figure 296 Bind an AP radio 4 Enable the wireless service a Select Wireless Service Access Service from the navigation tree to enter the page for enabling wireless service b Select the service1 box c Click Enable Figure 297 Enable the wireless service 5 Optional Enable 802 11n radio By default 802 11n 2 4GHz radio is enabled Select Radio Radio from the navigation tree to enter the Ra...

Page 309: ...rvice based VLAN configuration example Network requirements An AP can provide multiple wireless access services Different wireless access services can use different wireless security policies and can be bound to different VLANs to implement wireless access user isolation As shown in Figure 300 configure wireless VLANs to satisfy the following requirements Set up a wireless access service named res...

Page 310: ...Service Access Service from the navigation tree b Click Add c On the page that appears enter the service name research select the wireless service type crypto and click Apply d On the page that appears enter 2 in the VLAN Untagged field enter 2 in the Default VLAN field enter 1 in the Delete VLAN field and click Apply Before you perform these VLAN settings select Network VLAN to create VLAN 2 firs...

Page 311: ...ifying the configuration The client can successfully associate with the AP and access the WLAN network You can view the online clients on the page you enter by selecting Summary Client from the navigation tree Figure 303 View the online clients The page shows that the client 0014 6c8a 43ff which accesses the SSID office is in VLAN 3 while the client 0040 96b3 8a77 which accesses the SSID research ...

Page 312: ...eless service type crypto and click Apply Figure 305 Create a wireless service 3 Configure PSK authentication After you create a wireless service you enter the wireless service configuration page a In the Security Setup area select the Open System from the Authentication Type list b Select the Cipher Suite box select AES CCMP and TKIP select an encryption type as needed and select WPA from the Sec...

Page 313: ...he Bind link at the right side of the wireless service psk to enter the page as shown in Figure 307 c Select the box with radio mode 802 11n 2 4GHz d Click Bind Figure 307 Bind an AP radio 5 Enable the wireless service a Select Wireless Service Access Service from the navigation tree b On the page that appears select the psk box and click Enable ...

Page 314: ...adio Radio from the navigation tree to enter the Radio page Make sure 802 11n radio is enabled Configuring the client 1 Launch the client and refresh the network list 2 Select the configured service in Choose a wireless network psk in this example 3 Click Connect 4 In the popup dialog box enter the key 12345678 in this example 5 Click Connect ...

Page 315: ...302 Figure 309 Configure the client The client has the same preshared PSK key as the AP so the client can associate with the AP ...

Page 316: ...work You can view the online clients on the page you enter by selecting Summary Client from the navigation tree Local MAC authentication configuration example Network requirements As shown in Figure 31 1 perform MAC authentication on the client Figure 311 Network diagram Configuring the AP 1 Assign an IP address to the fat AP a Select Network VLAN to create a VLAN on the fat AP IP network L2 switc...

Page 317: ...s service 3 Configure local MAC authentication After you have created a wireless service you enter the wireless service configuration page a In the Security Setup area select the Open System from the Authentication Type list b Select the Port Set box and select mac authentication from the Port Mode list c Select the MAC Authentication box and select system from the Domain list To create a domain s...

Page 318: ...b Click the Bind link at the right side of the wireless service mac auth to enter the page as shown in Figure 314 c Select the box with radio mode 802 11n 2 4GHz d Click Bind Figure 314 Bind an AP radio 5 Enable the wireless service a Select Wireless Service Access Service from the navigation tree to enter the page as shown in Figure 315 ...

Page 319: ...d Click Add Figure 316 Add a MAC authentication list 7 Enable 802 11n radio By default 802 11n radio is enabled Therefore this step is optional Select Radio Radio from the navigation tree to enter the Radio page Make sure 802 11n is enabled Configuring the client 1 Launch the client and refresh the network list 2 Select the configured service in Choose a wireless network mac auth in this example 3...

Page 320: ...ter by selecting Summary Client from the navigation tree Remote MAC authentication configuration example Network requirements Perform remote MAC authentication on the client A RADIUS server an iMC server for authentication authorization and accounting is required On the RADIUS server the client s username and password the MAC address of the client and the shared key expert have been configured The...

Page 321: ... VLAN on the fat AP b Select Device Interface Management to assign an IP address to the VLAN interface 2 Configure a RADIUS scheme a Select Authentication RADIUS from the navigation tree b Click Add c On the page that appears add two servers in the RADIUS Server Configuration area specify the key expert enter mac auth in the Scheme Name field select the server type Extended select Without domain n...

Page 322: ...he ISP domain d On the Authorization tab select the ISP domain system select the LAN access AuthZ box select the authorization mode RADIUS select the authorization scheme mac auth from the Name list and click Apply Figure 321 Configure the AAA authorization method for the ISP domain e On the Accounting tab select the ISP domain system select the Accounting Optional box and select Enable from the A...

Page 323: ...he wireless service type clear and click Apply Figure 323 Create a wireless service 5 Configure MAC authentication After you create a wireless service you enter the wireless service configuration page a In the Security Setup area select the Open System from the Authentication Type list b Select the Port Set box and select mac authentication from the Port Mode list c Select the MAC Authentication b...

Page 324: ...nd link at the right side of the wireless service mac auth to enter the page as shown in Figure 325 c Select the box with radio mode 802 11n 2 4GHz d Click Bind Figure 325 Bind an AP radio 7 Enable the wireless service a Select Wireless Service Access Service from the navigation tree b On the page that appears select the mac auth box and click Enable ...

Page 325: ...s an example to illustrate the basic configuration of the RADIUS server 1 Add access device a Select the Service tab in the iMC management platform b Select Access Service Access Device from the navigation tree c Click Add d On the page that appears add expert for Shared Key add ports 1812 and 1813 for Authentication Port and Accounting Port respectively select LAN Access Service for Service Type ...

Page 326: ...hat appears set the service name to mac keep the default values for other parameters and click Apply Figure 328 Add service 3 Add account a Select the User tab b Select User All Access Users from the navigation tree c Click Add d On the page that appears enter a username 00146c8a43ff add an account and password 00146c8a43ff select the service mac and click Apply ...

Page 327: ...n access device a Select the Service tab in the iMC platform b Select User Access Manager Access Device Management from the navigation tree c Click Add d On the page that appears enter the shared key 12345678 keep the default values for other parameters select or manually add the access device with the IP address 10 18 1 1 and click Apply Figure 330 Add access device 2 Add service a Select the Ser...

Page 328: ...ee to enter the user page c Click Add d On the page that appears enter username 00146c8a43ff set the account name and password both to 00146c8a43ff select the service mac and click Apply Figure 332 Add account Verifying the configuration During authentication the client does not need to enter the username or password After the client passes MAC authentication the client can associate with the AP a...

Page 329: ...ert and configure the AP to remove the domain name of a username before sending it to the RADIUS server Figure 333 Network diagram Configuring the AP 1 Assign an IP address to the fat AP a Select Network VLAN to create a VLAN on the fat AP b Select Device Interface Management to assign an IP address to the VLAN interface 2 Configure a RADIUS scheme a Select Authentication RADIUS from the navigatio...

Page 330: ...t the ISP domain system select the LAN access AuthN box select the authentication mode RADIUS select the authentication scheme 802 1x from the Name list and click Apply Figure 335 Configure the AAA authentication method for the ISP domain d On the Authorization tab select the domain name system select the LAN access AuthZ box select the authorization mode RADIUS select the authorization scheme 802...

Page 331: ...ct the LAN access Accounting box select the accounting method RADIUS select the accounting scheme 802 1x from the Name list and click Apply Figure 337 Configure the AAA accounting method for the ISP domain 4 Configure wireless service a Select Wireless Service Access Service from the navigation tree b Click Add c On the page that appears set the service name to dot1x and select the wireless servic...

Page 332: ...her Suite box select AES CCMP from the Cipher Suite list and select WPA2 from the Security IE list c Select the Port Set box and select userlogin secure ext from the Port Mode list d Select system from the Mandatory Domain list e Select EAP from the Authentication Method list f Disable Handshake and Multicast Trigger recommended g Click Apply Figure 339 Security setup 6 Bind an AP radio to a wirel...

Page 333: ...igure 341 Enable the wireless service 8 Optional Enable 802 11n radio By default 802 11n radio is enabled Select Radio Radio from the navigation tree to enter the Radio page Make sure 802 11n is enabled Configuring the RADIUS server iMCv3 NOTE The following takes the iMC iMC PLAT 3 20 R2602 and iMC UAM 3 60 E6102 as an example to illustrate the basic configuration of the RADIUS server A license ha...

Page 334: ...ce Type list select or manually add an access device with the IP address 10 18 1 1 and click Apply Figure 342 Add access device 2 Add service a Select the Service tab b Select Access Service Access Device from the navigation tree c Click Add d On the page that appears set the service name to dot1x set the Certificate Type to EAP PEAP AuthN and the Certificate Sub Type to MS CHAPV2 AuthN and click ...

Page 335: ... Select the User tab b Select User All Access Users from the navigation tree c Click Add d On the page that appears enter a username user add an account user and password dot1x and select the service dot1x and click Apply Figure 344 Add account ...

Page 336: ... c Click Add d On the page that appears enter the shared key 12345678 keep the default values for other parameters select or manually add the access device with the IP address 10 18 1 1 and click Apply Figure 345 Add access device 2 Add a service a Select the Service tab b Select User Access Manager Service Configuration from the navigation tree c Click Add d On the page that appears set the servi...

Page 337: ...ername user set the account name to user and password to dot1x select the service dot1x and click Apply Figure 347 Add account Configuring the wireless card 1 Double click the icon at the bottom right corner of your desktop The Wireless Network Connection Status window appears 2 Click Properties on the General tab The Wireless Network Connection Properties window appears ...

Page 338: ... dot1x Properties window appears 4 On the Authentication tab select Protected EAP PEAP from the EAP type list and click Properties 5 In the popup window clear Validate server certificate and click Configure 6 In the popup dialog box clear Automatically use my Windows logon name and password and domain if any ...

Page 339: ...326 Figure 348 Configure the wireless card I ...

Page 340: ...327 Figure 349 Configure the wireless card II ...

Page 341: ...yption 802 1X authentication configuration example Network requirements Perform dynamic WEP encryption 802 1X authentication on the client More specifically Use the iMC as a RADIUS server for AAA On the RADIUS server configure the client s username as user password as dot1x and shared key as expert The IP address of the RADIUS server is 10 18 1 88 On the AP configure the shared key as expert and c...

Page 342: ...e dot1x and select the wireless service type crypto and click Apply Figure 352 Create a wireless service 5 Configure 802 1X authentication After you create a wireless service the wireless service configuration page appears a In the Security Setup area select Open System from the Authentication Type list b Select Encryption and select Enable from the Provide Key Automatically list c Select the Ciph...

Page 343: ...ess Service from the navigation tree b Click the Bind link at the right side of the wireless service dot1x to enter the page as shown in Figure 354 c Select the box with radio mode 802 11n 2 4GHz d Click Bind Figure 354 Bind an AP radio 7 Enable the wireless service a Select Wireless Service Access Service from the navigation tree b Select the dot1x box c Click Enable ...

Page 344: ... is enabled Configuring the wireless card 1 Double click the icon at the bottom right corner of your desktop The Wireless Network Connection Status window appears 2 Click Properties The Wireless Network window appears 3 In the Wireless Network window click Add Click the Association tab and enter dot1x in the Network name SSID field Make sure you have selected The key is provided for me automatical...

Page 345: ...ion tab select Protected EAP PEAP from the EAP type list and click Properties 5 In the popup window clear Validate server certificate and click Configure 6 In the popup dialog box clear Automatically use my Windows logon name and password and domain if any 7 Click OK ...

Page 346: ...333 Figure 357 Configure the wireless card II ...

Page 347: ... enter by selecting Summary Client from the navigation tree 802 11n configuration example Network requirements As shown in Figure 359 deploy an 802 1 1n network to provide high bandwidth access for multi media applications The AP provides a plain text wireless service with SSID 1 1nservice 802 1 1n 2 4 GHz is adopted to inter work with the existing 802 1 1g network and protect the current investme...

Page 348: ... select the wireless service type clear and click Apply Figure 360 Create a wireless service 3 Bind an AP radio to a wireless service a Select Wireless Service Access Service from the navigation tree b Click the Bind link at the right side of the wireless service 11nservice to enter the page as shown in Figure 361 c Select the box with radio mode 802 11n 2 4GHz d Click Bind Figure 361 Bind an AP r...

Page 349: ... can successfully associate with the AP and access the WLAN network You can view the online clients on the page you enter by selecting Summary Client from the navigation tree Figure 364 View online clients 0014 6c8a 43ff is an 802 1 1g client and 001e c144 473a is an 802 1 1n client In this example client types are not restricted Therefore both 802 1 1g and 802 1 1n clients can access the wireless...

Page 350: ...ation examples WDS configuration example Network requirements In an outdoor environment as shown in Figure 365 connecting the two LAN segments with cables is time consuming and cost ineffective Therefore you can connect the two LAN segments with a WDS link Connect AP 1 and AP 2 to different LAN segments Configure AP 1 and AP 2 to use channel 153 to establish the 802 1 1n 5GHz WDS link Configure pr...

Page 351: ... field leave the neighbor MAC address box blank indicating that the AP can establish a WDS link with any other AP and click Apply Figure 367 WDS setup page 3 Configure the working channel a Select Radio Radio from the navigation tree b Click the corresponding icon of the target radio unit to enter the Radio page c Select the channel to be used from the Channel list d Click Apply ...

Page 352: ...he Radio page Make sure 802 11n 5GHz is enabled 5 Enable WDS a Select Wireless Service WDS from the navigation tree to enter the WDS Setup page b Select the box corresponding to 802 11n 5GHz c Click Enable Figure 369 WDS setup page Verifying the configuration You can view the WDS information on the page you enter by selecting Summary WDS from the navigation tree ...

Page 353: ...mple Network requirements As shown in Figure 371 establish a WDS link between AP 1 and AP 2 AP 3 and AP 4 respectively The WDS point to multipoint configuration is the same as the normal WLAN WDS configuration Figure 371 Network diagram Configuration procedure WDS point to multipoint configuration is the same as normal WLAN WDS configuration For more information see WDS configuration example Verif...

Page 354: ...provide wireless access service for clients Use the 802 1 1n 2 4 GHz radio to set up a WDS link between AP 1 and the repeater Use the 802 1 1n 2 4 GHz radio to connect clients to the repeater The access service and WDS link must use the same channel In this example channel 1 1 in 802 1 1n 2 4 GHz radio mode is used as the working channel Configure WDS on AP 1 For the detailed configuration procedu...

Page 355: ... mode c Select the Pass Phrase box and enter 12345678 in the Preshared Key field d Click Apply Figure 374 WDS setup page 2 Configure the working channel a Select Radio Radio from the navigation tree b Click the icon of the target radio c On the page that appears select 4 in the Channel list and click Apply ...

Page 356: ... Enable WDS a Select Wireless Service WDS from the navigation tree b Select the box corresponding to 802 11n 2 4GHz c Click Enable Figure 376 WDS setup page 5 Configure the access service NOTE For how to configure the access service on the repeater see Wireless service configuration example You can strictly follow the steps in Wireless service configuration example to configure the access service ...

Page 357: ... Summary WDS from the navigation tree to enter the WDS page displaying the WDS information Click radio unit 2 to view the neighbor information Figure 378 The page displaying WDS information 2 The repeater mode has been configured successfully Select Summary Radio from the navigation tree and the page displaying radio information appears On the page you can see that the 802 11n 2 4GHz radio mode on...

Page 358: ... printers in the wired network and the wired network is connected to the wireless network through the workgroup bridge The AP accesses the wired LAN and the workgroup bridge with MAC address 000f e2333 5510 accesses the AP as a client The workgroup bridge accesses the wireless service psk by passing the WPA2 CCMP PSK authentication Client with MAC address 0014 6c8a 43ff also accesses the wireless ...

Page 359: ...client mode enabled you can check the existing wireless services in the wireless service list Figure 382 Check the wireless service list 2 Connect the wireless service a Click the Connect icon of the wireless service psk in the wireless service list b On the SET CODE dialog box that appears specify the AuthMode as WPA2 PSK specify the CipherSuite as AES CCMP and set the Password to that on the AP ...

Page 360: ...ess 000f e2333 5510 have been successfully associated with the AP The wired devices on the right such as printers and PCs can access the wireless network through the workgroup bridge Configuration guidelines As shown in Figure 385 the workgroup bridge has two radio interfaces Radio 1 connects the workgroup bridge to the AP and Radio 2 connects the workgroup bridge to the client To enable the clien...

Page 361: ...figure VLAN information about the WLAN uplink interface of the workgroup bridge make sure the VLAN ID of the WLAN uplink interface of the workgroup bridge is the same as the VLAN ID of the downlink Ethernet interface ...

Page 362: ...ced ACLs 3000 to 3999 IPv4 Source IPv4 address destination IPv4 address protocols over IPv4 and other Layer 3 and Layer 4 header fields IPv6 Source IPv6 address destination IPv6 address protocols over IPv6 and other Layer 3 and Layer 4 header fields Ethernet frame header ACLs 4000 to 4999 IPv4 and IPv6 Layer 2 header fields such as source and destination MAC addresses 802 1p priority and link laye...

Page 363: ...mand VoD The enterprise users expect to connect their regional branches together through VPN technologies to carry out operational applications for instance to access the database of the company or to monitor remote devices through Telnet These new applications have one thing in common and they all have special requirements for bandwidth delay and jitter For instance videoconference and VoD need l...

Page 364: ...ding a time range Optional A rule referencing a time range takes effect only during the specified time range 2 Adding an IPv6 ACL Required The category of the added IPv6 ACL depends on the ACL number that you specify 3 Configuring a rule for a basic IPv6 ACL Required Complete one of the steps according to the ACL category 4 Configuring a rule for an advanced IPv6 ACL Adding a time range 1 Select Q...

Page 365: ...d Thu Fri and Sat Select the day or days of the week on which the periodic time range is valid You can select any combination of the days of the week Absolute Time Range From Set the start time of the absolute time range The time of the day is in the hh mm format 24 hour clock and the date is in the MM DD YYYY format These items are available after you select the Absolute Time Range option To Set ...

Page 366: ...of the IPv4 ACL Match Order Set the match order of the ACL Config Packets are compared against ACL rules in the order that the rules are configured Auto Packets are compared against ACL rules in the depth first match order Description Set the description for the ACL Configuring a rule for a basic IPv4 ACL 1 Select QoS ACL IPv4 from the navigation tree 2 Click the Basic Setup tab to enter the rule ...

Page 367: ...r for the rule If you do not specify the rule number the system assigns one automatically IMPORTANT If the rule number you specify already exists the following operations modify the configuration of the rule Action Select the action to be performed for IPv4 packets matching the rule Permit Allows matching packets to pass Deny Drops matching packets Check Fragment Select this option to apply the ru...

Page 368: ...ber and number of matching packets Source IP Address Select the Source IP Address option and enter a source IPv4 address and source wildcard in dotted decimal notation Source Wildcard Time Range Select the time range during which the rule takes effect Configuring a rule for an advanced IPv4 ACL 1 Select QoS ACL IPv4 from the navigation tree 2 Click the Advanced Setup tab to enter the rule configur...

Page 369: ...IPv4 ACL 3 Configure an advanced IPv4 ACL rule as described in Table 114 4 Click Add Table 114 Configuration items Item Description ACL Select the advanced IPv4 ACL for which you want to configure rules Available ACLs are advanced IPv4 ACLs ...

Page 370: ...rce destination address source destination port number and number of matching packets IP Address Filter Source IP Address Select the Source IP Address option and enter a source IPv4 address and source wildcard in dotted decimal notation Source Wildcard Destination IP Address Select the Destination IP Address option and enter a destination IP address and source wildcard in dotted decimal notation D...

Page 371: ...ifferent operations have different configuration requirements for the port number fields Not Check The following port number fields cannot be configured Range The following port number fields must be configured to define a port range Other values The first port number field must be configured and the second must not Port Destination Operation Port Precedence Filter DSCP Specify the DSCP value TOS ...

Page 372: ...o configure rules Available ACLs are Ethernet frame header IPv4 ACLs Rule ID Select the Rule ID option and enter a number for the rule If you do not specify the rule number the system assigns one automatically IMPORTANT If the rule number you specify already exists the following operations modify the configuration of the rule Action Select the action to be performed for IPv4 packets matching the r...

Page 373: ... following items LSAP Type Indicates the frame encapsulation format LSAP Mask Indicates the LSAP wildcard IMPORTANT The LSAP Type option is mutually exclusive with the Protocol Type option LSAP Mask Protocol Type Select the Protocol Type option and specify the link layer protocol type by configuring the following items Protocol Type Indicates the frame type It corresponds to the type code field of...

Page 374: ...evice Match Order Select a match order for the ACL Available values are Config Packets are compared against ACL rules in the order the rules are configured Auto Packets are compared against ACL rules in the depth first match order Description Set the description for the ACL Configuring a rule for a basic IPv6 ACL 1 Select QoS ACL IPv6 from the navigation tree 2 Click the Basic Setup tab to enter t...

Page 375: ...he rule number you specify already exists the following operations modify the configuration of the rule Operation Select the operation to be performed for IPv6 packets matching the rule Permit Allows matching packets to pass Deny Drops matching packets Check Fragment Select this option to apply the rule to only non first fragments If you do no select this option the rule applies to all fragments a...

Page 376: ...exadecimal numbers and separated from its neighboring fields by colon Source Prefix Time Range Select the time range during which the rule takes effect Configuring a rule for an advanced IPv6 ACL 1 Select QoS ACL IPv6 from the navigation tree 2 Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv6 ACL Figure 393 Configuring a rule for an advanced IPv6 ACL 3 Configu...

Page 377: ...Source IP Address Select the Source IP Address option and enter a source IPv6 address and prefix length The IPv6 address must be in a format like X X X X An IPv6 address consists of eight 16 bit long fields each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon Source Prefix Destination IP Address Select the Destination IP Address option and ente...

Page 378: ...e priority of the packet depending on device status The set of QoS priority parameters decides the scheduling priority and forwarding priority of the packet The device provides various types of priority mapping tables or rather priority mappings By looking up a priority mapping table the device decides which priority value is to assign to a packet for subsequent packet processing You can configure...

Page 379: ...rts to be configured The interface types available for selection depend on your device model Trust Mode Select the priority trust mode Dot1p Uses the 802 1p priority of received packets for mapping Dscp Uses the DSCP value of received packets for mapping Dot1 1e Uses the 802 1 1e priority of received packets for mapping This option is applicable to only WLAN BSS interfaces IMPORTANT Support for pr...

Page 380: ... the class Traffic behavior A traffic behavior identified by a name defines a set of QoS actions for packets Policy A policy associates a class with a traffic behavior to define what actions to take on which class of traffic You can define multiple class traffic behavior associations in a policy You can apply a policy to a port to regulate traffic sent or received on the port A QoS policy can be a...

Page 381: ...takes effect 7 Apply the policy Applying a policy to a port Applying a QoS policy to a wireless service Use either approach Apply the QoS policy to a port or a wireless service Adding a class 1 Select QoS Classifier from the navigation tree 2 Click the Add tab to enter the page for adding a class Figure 395 Adding a class 3 Configure the class information as described in Table 120 4 Click Add Tabl...

Page 382: ...t belongs to a class only when the packet matches all the rules in the class Or Specifies the relationship between the rules in a class as logic OR The device considers a packet belongs to a class as long as the packet matches one of the rules in the class Configuring classification rules 1 Select QoS Classifier from the navigation tree 2 Click the Setup tab to enter the page for setting a class ...

Page 383: ...rogress dialog box appears 5 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds Table 121 Configuration items Item Description Please select a classifier Select an existing classifier in the list Any Define a rule to match all packets Select the option to match all packets ...

Page 384: ...rule to match inbound interfaces IMPORTANT This configuration item is not supported RTP Port Define a rule to match a range of RTP ports Specify the start port in the from field and the end port in the to textbox IMPORTANT This configuration item is not supported Dot1p Service 802 1p Define a rule to match the service 802 1p precedence values If multiple such rules are configured for a class the n...

Page 385: ...ter a range of VLAN IDs such as 10 500 The number of VLAN IDs in the range is not limited Specify a combination of individual VLAN IDs and VLAN ID ranges such as 3 5 7 10 You can specify up to eight VLAN IDs in this way IMPORTANT This configuration item is not supported Customer VLAN Define a rule to match customer VLAN IDs If multiple such rules are configured for a class the new configuration do...

Page 386: ...373 Figure 397 Adding a traffic behavior Configuring actions for a traffic behavior 1 Select QoS Behavior from the navigation tree 2 Click the Setup tab to enter the page for setting a traffic behavior ...

Page 387: ...described in Table 122 4 Click Apply A progress dialog box appears 5 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds Table 122 Configuration items Item Description Please select a behavior Select an existing behavior in the list ...

Page 388: ...g list Select Not Set to cancel the action of marking 802 1p precedence Local Precedence Configure the action of marking local precedence for packets Select the Local Precedence option and then select the local precedence value to be marked for packets in the following list Select Not Set to cancel the action of marking local precedence DSCP Configure the action of marking DSCP values for packets ...

Page 389: ...tion and select Enable or Disable in the following list to enable disable the traffic accounting action IMPORTANT This configuration item is not supported Adding a policy 1 Select QoS QoS Policy from the navigation tree 2 Click the Add tab to enter the page for adding a policy 3 Set the policy name 4 Click Add Figure 399 Adding a policy Configuring classifier behavior associations for the policy 1...

Page 390: ...tems Item Description Please select a policy Select an existing policy in the list Classifier Name Select an existing classifier in the list Behavior Name Select an existing behavior in the list Applying a policy to a port 1 Select QoS Port Policy from the navigation tree 2 Click the Setup tab to enter the page for applying a policy to a port ...

Page 391: ...h you want to apply the policy Inbound Applies the policy to the incoming packets of the specified ports Outbound Applies the policy to the outgoing packets of the specified ports Support for directions depends on your device model Please select port s Click the ports to which the QoS policy is to be applied in the port list You can select one or more ports Applying a QoS policy to a wireless serv...

Page 392: ...ss service to enter the service policy setup page Figure 403 Service policy setup 3 Apply the policy to the wireless service as described in Table 125 4 Click Apply Table 125 Configuration items Item Remarks Wlan Service Displays the specified wireless service ...

Page 393: ... hosts from accessing the FTP server from 8 00 to 18 00 every day 1 Add an ACL to prevent the hosts from accessing the FTP server from 8 00 to 18 00 every day 2 Configure a QoS policy to drop the packets matching the ACL 3 Apply the QoS policy in the inbound direction of the wireless service named service1 Figure 404 Network diagram Configuration procedure NOTE Before performing the following conf...

Page 394: ...1 Figure 405 Defining a time range covering 8 00 to 18 00 every day 2 Add an advanced IPv4 ACL a Select QoS ACL IPv4 from the navigation tree b Click the Add tab c Enter the ACL number 3000 d Click Apply ...

Page 395: ...Click the Advanced Setup tab b Select 3000 in the ACL list Select the Rule ID option and enter rule ID 2 Select Permit in the Action list c Select the Destination IP Address option and enter IP address 10 1 1 1 and destination wildcard 0 0 0 0 d Select test time in the Time Range list e Click Add ...

Page 396: ...383 Figure 407 Defining an ACL rule for traffic to the FTP server 4 Add a class a Select QoS Classifier from the navigation tree b Click the Add tab c Enter the class name class1 d Click Add ...

Page 397: ...Setup tab b elect the class name class1 in the list Select the ACL IPv4 option and select ACL 3000 in the following list c Click Apply A progress dialog box appears d Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Page 398: ...385 Figure 409 Defining classification rules 6 Add a traffic behavior a Select QoS Behavior from the navigation tree b Click the Add tab c Enter the behavior name behavior1 d Click Add ...

Page 399: ...the traffic behavior a Click the Setup tab b elect behavior1 in the list Select the Filter option and then select Deny in the following list c Click Apply A progress dialog box appears d Click Close when the progress dialog box prompts that the configuration succeeds ...

Page 400: ...387 Figure 411 Configuring actions for the behavior 8 Add a policy a Select QoS QoS Policy from the navigation tree b Click the Add tab c Enter the policy name policy1 d Click Add ...

Page 401: ...in the Behavior Name list c Click Apply Figure 413 Configuring classifier behavior associations for the policy 10 Apply the QoS policy in the inbound direction of the wireless service named service1 a Select QoS Service Policy from the navigation tree b Click the icon for wireless service service1 c Select the Inbound Policy option and select policy1 from the following list d Click Apply ...

Page 402: ...ursty traffic may be affected If an ACL is referenced by a QoS policy for defining traffic classification rules the operation of the QoS policy varies by interface The definition of software hardware interface varies with device models The specific process is as follows If the QoS policy is applied to a software interface and the referenced ACL rule is a deny clause the ACL rule does not take effe...

Page 403: ...s for voice and video applications in a wireless network EDCA Enhanced distributed channel access EDCA is a channel contention mechanism designed by WMM to preferentially transmit packets with high priority and allocate more bandwidth to such packets Access category WMM uses access categories ACs for handling channel contentions WMM assigns WLAN data into four access categories AC VO voice AC VI v...

Page 404: ...ing the following Arbitration inter frame spacing number AIFSN Different from the 802 1 1 protocol where the idle duration set using DIFS is a constant value WMM can define an idle duration per access category The idle duration increases as the AIFSN value increases see Figure 415 for the AIFS durations Exponent form of CWmin ECWmin and exponent form of CWmax ECWmax Determine the average backoff s...

Page 405: ... a trigger packet Both the trigger attribute and the delivery attribute can be modified when flows are established using CAC When a client sleeps the delivery enabled access category packets destined for the client are buffered The client needs to send a trigger enabled access category packet to get the buffered packets After the AP receives the trigger packet packets in the transmit queue are sen...

Page 406: ...o mode you must enable WMM Otherwise the associated 802 11n clients may fail to communicate properly Setting the SVP service NOTE SVP mapping is applicable to only non WMM client access 1 Select QoS Wireless QoS from the navigation tree By default the QoS Service tab is displayed Figure 417 Wireless QoS 2 Click the icon for the desired radio to enter the page for mapping SVP service to an access c...

Page 407: ... policy 3 Configure the CAC admission policy as described in Table 127 4 Click Apply Table 127 Configuration items Item Description Client Number Users based admission policy or the maximum number of clients allowed to be connected A client is counted only once even if it is using both AC VO and AC VI By default the users based admission policy applies with the maximum number of users being 20 Cha...

Page 408: ...Priority type Displays the priority type AIFSN Arbitration inter frame spacing number used by the AP TXOP Limit Transmission opportunity limit used by the AP ECWmin Exponent form of CWmin used by the AP ECWmax Exponent form of CWmax used by the AP No ACK If you select the option before No ACK the No ACK policy is used by the AP By default the normal ACK policy is used by the AP Table 129 Default r...

Page 409: ... Apply Table 130 Configuration items Item Description Radio Displays the selected AP s radio Priority type Displays the priority type AIFSN Arbitration inter frame spacing number used by clients TXOP Limit Transmission opportunity limit used by clients ECWmin Exponent form of CWmin used by clients ECWmax Exponent form of CWmax used by clients CAC Enable CAC Enable Enables CAC Disable Disables CAC ...

Page 410: ...ing CAC for AC VO does not enable CAC for AC VI Displaying radio statistics 1 Select QoS Wireless QoS from the navigation tree 2 Click the Radio Statistics tab to enter the page displaying radio statistics 3 Click a radio to see its details Figure 422 Displaying radio statistics Table 132 Field description Field Description Radio interface WLAN radio interface Client EDCA update count Number of cl...

Page 411: ...icy Admission control policy Threshold Threshold used by the admission control policy CAC Free s AC Request Policy Response policy used for CAC disabled ACs Response Success indicates that the response is successful CAC Unauthed Frame Policy Policy of processing frames unauthorized by CAC which can be Discard Drops frames Downgrade Decreases the priority of frames Disassociate Disassociates with t...

Page 412: ...ndicates that the client is a QoS client None Indicates that the client is a non QoS client Max SP length Maximum service period AC Access category State APSD attribute of an access category which can be T The access category is trigger enabled D The access category is delivery enabled T D The access category is both trigger enabled and delivery enabled L The access category is of legacy attribute...

Page 413: ...ate limit of a client is the configured total rate the number of online clients For example if the configure total rate is 10 Mbps and five clients are online the rate of each client is 2 Mbps Configure the maximum bandwidth that can be used by each client in the BSS This is called static mode For example if the configured rate is 1 Mbps the rate limit of each user online is 1 Mbps When the set ra...

Page 414: ... available bandwidth for other BSSs If you limit the rate of the BSS it cannot use the idle bandwidth of other BSSs To improve bandwidth use efficiency when ensuring bandwidth use fairness among wireless services use the bandwidth guarantee function Bandwidth guarantee makes sure that all traffic from each BSS can pass through freely when the network is not congested and each BSS can get the guara...

Page 415: ...width slightly lower than the maximum available bandwidth 802 11b Mode 802 11g Mode 802 11n Mode NOTE After you set the reference radio bandwidth values the new settings do not take effect for the radios with bandwidth guarantee enabled To make the new settings take effect you must disenable and then enable the radios Setting guaranteed bandwidth 1 Select the desired radio on the radio list and cl...

Page 416: ...dio bandwidth to each wireless service The total guaranteed bandwidth cannot exceed 100 of the ratio bandwidth Enabling bandwidth guarantee To validate the bandwidth guarantee settings for a radio unit enable its bandwidth guarantee function To enable the bandwidth guarantee function 1 Select the radio unit in a certain radio mode for which you are enabling bandwidth guarantee 2 Click Enable Figur...

Page 417: ... 429 a WMM enabled AP accesses the Ethernet Enable CAC for AC VO and AC VI on the AP To guarantee high priority clients AC VO and AC VI clients sufficient bandwidth use the user number based admission policy to limit the number of access users to 10 Figure 429 Network diagram Configuration procedure 1 Configure the wireless service For related configurations see Configuring wireless service You ca...

Page 418: ...igure 431 Enabling CAC g Enable CAC for AC_VI in the same way Details not shown h Select QoS Wireless QoS from the navigation tree By default the QoS Service tab is displayed i Click the icon for the desired radio unit to enter the page for configuring wireless QoS j Select the Client Number option and then enter 10 k Click Apply Figure 432 Setting CAC client number Verifying the configuration If ...

Page 419: ...edure 1 Configure the wireless service For the configuration procedure see Configuring wireless service You can follow the related configuration example to configure the wireless service 2 Configure static rate limiting a Select QoS Wireless QoS from the navigation tree b Click the Client Rate Limit tab c Click Add to enter the page for configuring rate limit settings for clients d Select service1...

Page 420: ...For the configuration procedure see Configuring wireless service You can follow the related configuration example to configure the wireless service 2 Configure dynamic rate limiting a Select QoS Wireless QoS from the navigation tree b Click the Client Rate Limit tab c Click Add to enter the page for configuring rate limit settings for clients d Select service2 from the wireless service list Select...

Page 421: ...twork To make sure that the enterprise network works properly guarantee the office service 20 of the bandwidth the research service 80 and the entertain service none Figure 437 Network diagram Configuration procedure 1 Configure the wireless services For the configuration procedure see Configuring wireless service You can follow the related configuration example to configure the wireless services ...

Page 422: ...research Set the guaranteed bandwidth percent to 20 for wireless service office Set the guaranteed bandwidth percent to 0 for wireless service entertain g Click Apply After you apply the guaranteed bandwidth settings the page for enabling bandwidth guarantee appears Figure 439 Setting guaranteed bandwidth h Select the option specific to 802 11a i Click Enable Figure 440 Enabling bandwidth guarante...

Page 423: ...raffic from the AP to all clients exceeds 10000 kbps Because you have enabled bandwidth guarantee for wireless services research and office the AP forwards traffic to Client 1 and Client 2 respectively at 2000 kbps and 8000 kbps and limits the traffic to Client 3 NOTE Guaranteed bandwidth in kbps reference radio bandwidth guaranteed bandwidth percent Set the reference radio bandwidth slightly lowe...

Page 424: ...nagement is achieved Continuous transmitting mode The continuous transmitting mode is used for test only Do not use the function unless necessary Uplink interface monitoring A fat AP connects to an uplink network through the Ethernet interface or radio interface in bridge mode as shown in Figure 441 and Figure 442 With uplink interface monitoring enabled the AP can detect uplink interface faults W...

Page 425: ...he client to the 5 GHz radio If the RSSI is lower than the value the AP does not direct the client to the 5 GHz band If the number of clients on the 5 GHz radio has reached the upper limit and the gap between the number of clients on the 5 GHz radio and that on the 2 4 GHz radio has reached the upper limit the AP denies the client s association to the 5 GHz radio and allows new clients to associat...

Page 426: ...ts to all the clients in the multicast entries If no match is found the AP directly sends the multicast packets To avoid performance degradation you can configure the maximum number of clients that multicast optimization can support When the maximum number is reached the device takes either of the following actions as configured Halt A new client can join a multicast group and receive multicast pa...

Page 427: ... the target market and is locked It cannot be changed Support for the district code configuration depends on the device model Switching the AP to operate in fit AP mode 1 Select Advanced Switch to Fit AP from the navigation tree 2 Click Switch Figure 445 Switching to fit AP mode NOTE Before switching the operating mode make sure the application file of the fit AP has been loaded to the AC or the u...

Page 428: ...mission rate 802 11b g When the radio mode is 802 1 1n the page as shown in Figure 448 appears Select an MCS index value to specify the 802 1 1n transmission rate For more information about MCS see Radio configuration Figure 448 Selecting an MCS index 802 11n 3 Click Apply To stop the continuous transmitting mode use either of the methods Click the icon corresponding to the target radio Select the...

Page 429: ...tatus of the WDS link bound to the radio Uplink Select the box to configure the interface as an uplink interface The radio interface with WLAN distribution system WDS enabled can be selected as an uplink interface For more information about uplink interface monitoring see Uplink interface monitoring For more information about WDS see Wireless service NOTE If no uplink interfaces are up the AP does...

Page 430: ... seconds NOTE Before the channel busy test completes do not start another test for the same channel Configuring band navigation NOTE When band navigation is enabled the client association efficiency is affected so this feature is not recommended in a scenario where most clients use 2 4 GHz Band navigation is not recommended in a delay sensitive network Support for the band navigation depends on th...

Page 431: ...n Disable Disable band navigation By default band navigation is disabled globally Session Threshold Session Threshold Session threshold for clients on the 5 GHz band Gap Session gap which is the number of clients on the 5 GHz band minus the number of clients on the 2 4 GHz band If the number of clients on the 5 GHz radio has reached the upper limit and the gap between the number of clients on the ...

Page 432: ...SI is lower than the value the AP does not direct the client to the 5 GHz band Aging Time Client information aging time The AP records the client information when a client tries to associate to it If the AP receives the probe request or association request sent by the client before the aging time expires the AP refreshes the client information and restarts the aging timer If not the AP removes the...

Page 433: ...packets and a multicast optimization entry can be created for the client However the multicast optimization function for all clients in the multicast group becomes invalid When the number of clients drops below the upper limit the multicast optimization function takes effect again Exclude New Clients for Multicast Optimization Reject new clients A new client can join a multicast group but no new m...

Page 434: ...ress MAC addresses of the clients that have joined the multicast group Advanced settings configuration examples Band navigation configuration example Network requirements As shown in Figure 455 Client 1 through Client 4 try to associate to AP 1 and the two radios of AP 1 operate at 5 GHz and 2 4 GHz respectively Client 1 Client 2 and Client 3 are dual band clients and Client 4 is a single band 2 4...

Page 435: ...ind for the wireless service band navigation to enter the page for binding an AP radio c Select the boxes before 802 11n 2 4GHz and 802 11n 5GHz d Click Bind Figure 456 Binding an AP radio 4 Enable 802 11n 2 4GHz and 802 11n 5GHz radios Optional By default 802 11n 2 4GHz and 802 11n 5GHz radios are enabled 5 Configure band navigation a Select Advance Band Navigation from the navigation tree b On t...

Page 436: ...s reached the session gap 1 Client 3 will be associated to the 2 4 GHz radio of the AP Multicast optimization configuration example Network requirements As shown in Figure 458 enable multicast optimization for the AP to convert multicast packets to unicast packets for up to two clients Figure 458 Network diagram Configuring the AP 1 Select Advanced Multicast Optimization from the navigation tree 2...

Page 437: ...lick Enable Figure 459 Configuring multicast optimization Verifying the configuration Client 1 and Client 2 are associated with a radio of the AP Because the number of clients on the radio has reached the upper limit 2 Client 3 cannot receive multicast packets ...

Page 438: ...within a short span of time When this occurs the WLAN devices are overwhelmed with frames from this device and frames from authorized clients get dropped WIDS attacks detection counters this flood attack by constantly keeping track of the density of traffic generated by each device When this density exceeds the tolerance limit the device is considered to be flooding the network Subsequent frames f...

Page 439: ...N clients and thereby implement client access control The WLAN client access control is accomplished through the following types of lists White list Contains the MAC addresses of all clients allowed to access the WLAN If the white list is used only permitted clients can access the WLAN and all frames from other clients are discarded Static blacklist Contains the MAC addresses of clients forbidden ...

Page 440: ...Detect If you select the box spoofing attack detection is enabled It is disabled by default Weak iv Attack Detect If you select the box Weak IV attack detection is enabled It is disabled by default Displaying history record 1 Select Security WIDS from the navigation tree 2 Click the History Record tab Figure 461 Displaying history information Displaying statistics information 1 Select Security WID...

Page 441: ...e dynamic blacklist as described in Table 144 3 Click Apply Table 144 Configuration items Item Description Dynamic Blacklist Enable Enable dynamic blacklist Disable Disable dynamic blacklist IMPORTANT Before you enable the dynamic blacklist function you must select the Flood Attack Detect box in the WIDS Setup page Lifetime Configure the lifetime of the entries in the blacklist When the lifetime o...

Page 442: ...Static Figure 464 Configuring static blacklist 4 Add a static blacklist as described in Table 145 5 Click Apply Table 145 Configuration items Item Description MAC Address Select MAC Address and then add a MAC address to the static black list Select Current Connect Client If you select the box the table below lists the current existing clients Select the boxes of the clients to add their MAC addres...

Page 443: ...pply Table 146 Configuration items Item Description MAC Address Select MAC Address and then add a MAC address to the white list Select Current Connect Client If you select the box the table below lists the current existing clients Select the clients to add their MAC addresses to the white list ...

Page 444: ...annot exchange Layer 2 packets Figure 466 Network diagram Configuring user isolation 1 Select Security User Isolation from the navigation tree Figure 467 Configuring user isolation 2 Configure user isolation as described in Table 147 3 Click Apply Table 147 Configuration items Item Description User Isolate Enable Enable user isolation on the AP to isolate the clients associated with it at Layer 2 ...

Page 445: ...onfiguring an ACL 350 Configuring an SNMP community 74 Configuring an SNMP group 75 Configuring an SNMP user 77 Configuring an SNMP view 72 Configuring calibration 183 Configuring channel detection 190 Configuring channel scanning 186 Configuring data transmit rates 179 Configuring device basic information 35 Configuring dynamic domain name resolution 135 Configuring gratuitous ARP 103 Configuring...

Page 446: ...nabling wireless QoS 392 Encryption configuration 9 F Feature matrix 1 H HWTACACS configuration example 224 HWTACACS overview 219 I IGMP snooping configuration example 1 1 1 Initializing configuration 49 Interface management configuration example 61 Introduction to the web interface 158 Introduction to the web based NM functions 159 Introduction to WDS 262 IP configuration 5 IPv4 static route conf...

Page 447: ...dress entries 91 Setting the log host 44 Setting the super password 67 Setting the SVP service 393 SNMP configuration example 81 SNMP overview 69 Software upgrade 37 Specifying the main boot file 51 Static ARP configuration example 104 Switching the user access level to the management level 68 T TR 069 configuration 63 Trace route operation 155 Troubleshooting web browser 172 U Uploading a file 51...

Reviews:

No comments