Configuration Guide - WLAN: Huawei AR1200 Series Enterprise Routers V200R001C01
Configuration Guide - WLAN: Huawei AR1200 Series Enterprise Routers V200R001C01
Configuration Guide - WLAN: Huawei AR1200 Series Enterprise Routers V200R001C01
V200R001C01
Issue 03
Date 2012-01-06
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Versions
The following table provides the mapping between versions.
VASP ARV200R001C01 -
V100R003C00
Intended Audience
This document provides the concepts, configuration procedures, and configuration examples
supported by the AR1200.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
&<1-n> The parameter before the & sign can be repeated 1 to n times.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
1 WLAN Configuration
This chapter describes how to configure the wireless local area network (WLAN) service in the
fat AP networking mode.
Introduction to WLAN
A wireless local area network (WLAN) connects two or more computers or devices by using
the wireless telecommunication technology to provide fast Ethernet access. It allows terminals,
such as computers, to access a network through a wireless medium but not a physical cable. This
facilitates network construction and allows users to move around without interrupting
communication. Compared with a wired access network, a WLAN is easier to construct and
requires lower maintenance cost. One or more access points (APs) can provide wireless access
for a building or an area.
A WLAN uses wireless multiple access channels as the transmission media to provide LAN
services. Data is transmitted by radio waves on the WLAN. WLANs are popular on campus and
in business centers, airports, and other public areas.
WLAN Application
A WLAN system is not all wireless. The user access network is a wireless network, whereas
servers and the backbone network are deployed on a wired network.
Figure 1-1 shows a WLAN with fat APs.
IP backbone
WLAN NMS RADIUS server
BAS
MAN aggregate
network
Aggregate
switch
AP AP AP AP
Terms
l STA
A STA is a computer with a wireless network adapter.
l AP
An AP is a bridge that connects STAs to a LAN and converts frames exchanged between
STAs and the LAN.
l SSID
A service set identifier (SSID) identifies a service set. A STA scans all wireless networks
and selects a wireless network based on the SSID.
l Wireless medium
A wireless medium transmits frames between STAs. A WLAN system uses radios as
transmission media.
l Service set
A service set is a combination of WLAN service parameters. You can configure multiple
service sets and bind them to a radio of an AP to configure and deliver WLAN services
quickly.
l VAP
A visual access point (VAP) is a functional entity on an AP. You can create a VAP on a
radio interface of an AP by binding a service set to the radio.
RF Management
On a WLAN, the network environment changes frequently, and mobile obstacles or interference
from other radio frequencies (RFs) may affect transmission quality of radio signals.
The channels and transmit power of an AP must be adjusted to adapt to changes of the wireless
network environment. Manual adjustment increases maintenance costs; therefore, RFs are
managed by APs in a WLAN system.
The AR1200 uses security profiles to manage user access and supports four security policies:
Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and Wireless LAN
Authentication and Privacy Infrastructure (WAPI).
On the AR1200, you can provide QoS of WLAN services by configuring Wi-Fi multimedia
(WMM) profiles and QoS profiles.
Create a Create a
Configure a fat AP 1/2/3. Configure
fat AP to deliver security profile traffic profile
WLAN service Apply to
Create a service
2. configure set
a service set
Create a Apply to
WMM profile
Bind to Create a VAP
Bind to on Wlan-
Create a VAP
Wlan-
Create a Radio0/0/0
Radio0/0/0
radio profile Delivery WLAN
interface
3. Configure service
1. Configure radios a VAP
Applicable Environment
A WLAN system uses radio frequencies as transmission media, and wireless devices compete
for channels to transmit data. To guarantee quality of different wireless access services, create
a Wi-Fi multimedia (WMM) profile and configure QoS parameters in the WMM profile. The
WMM profile needs to be bound to a radio profile in which radio parameters are configured.
The WMM profile is then applied to a radio together with the radio profile.
Pre-configuration Tasks
Before configuring the WLAN radio environment, complete the following tasks:
l Configuring basic WLAN attributes according to 1.4 Configuring the WLAN Service
Data Preparation
To configure the WLAN radio environment, you need the following data.
No. Data
Context
To configure a radio QoS policy, create a Wi-Fi multimedia (WMM) profile. After the WMM
profile is bound to a radio profile, the QoS policy is applied to the radio profile.
Procedure
Step 1 Run:
system-view
The following information shows the default configuration of the WMM profile wp.
[Huawei-wlan-view] display wmm-profile name wp
Profile ID : 2
Profile name : wp
WMM switch : enable
Client EDCA parameters:
---------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit
AC_VO 3 2 2 47
AC_VI 4 3 2 94
AC_BE 10 4 3 0
AC_BK 10 4 7 0
---------------------------------------------------
AP EDCA parameters:
---------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit Ack-Policy
AC_VO 3 2 1 47 normal
AC_VI 4 3 1 94 normal
AC_BE 6 4 3 0 normal
AC_BK 10 4 7 0 normal
---------------------------------------------------
NOTE
A STA communicates with an AP by sending radio signals over a channel. Four queues are provided for
radio packets. Packets in different queues have different opportunities to obtain transmission channels so
that differentiated services can be provided for radio packets.
The queues are AC_VO (voice queue), AC_VI (video queue), AC_BE (best effort queue), and AC_BK
(background queue) in descending order of priority.
You can change the priorities of the queues by modifying the Enhanced Distributed Channel Access
(EDCA) parameters, including the AIFSN, ECWmin, ECWmax, TXOPLimit, and ACK policy:
l AIFSN: determines the channel idle time. A greater AIFSN value indicates a longer channel idle time.
Different AIFSNs can be configured for ACs.
l ECWmin and ECWmax: ECWmin specifies the minimum backoff time, and ECWmax specifies the
maximum backoff time. They determine the average backoff time. A larger value indicates a longer
average backoff time.
l TXOPLimit: determines the maximum duration in which a STA can occupy a channel. A larger value
indicates a longer duration. If this parameter is set to 0, a STA can send only one packet every time it
occupies a channel.
l ACK policy: determines whether the packet receiver acknowledges received packets. Two policies are
available: normal ACK and no ACK.
Before occupying a channel to send packets, STAs monitor the channel. If the channel idle time is longer
than or equal to the AIFSN, each STA selects a random backoff time between ECWmin and ECWmax.
The STA whose backoff timer expires the first occupies the channel and starts to send packets over the
channel.
The EDCA parameters are configured for the four WMM queues of a STA.
The EDCA parameters are configured for the four WMM queues of an AP.
----End
Procedure
Step 1 Run:
system-view
The default power mode is auto. In this mode, the power of radios using the radio profile is set
automatically based on the WLAN radio environment.
The default channel mode is auto. In this mode, channels are selected for radios using the radio
profile automatically based on the WLAN radio environment.
Step 8 Run:
wmm-profile { id profile-id | name profile-name }
NOTE
A radio profile can be applied to a radio only after a WMM profile is bound to the radio profile.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface wlan-radio 0/0/0
Step 3 Run:
radio-profile { id profile-id | name profile-name }
----End
Context
A coverage hole is generated when an AP is removed or signals are blocked by an obstacle. An
AP periodically checks for coverage holes. If the AP detects a coverage hole, it calibrates radios
to eliminate the coverage hole.
Procedure
Step 1 Run:
system-view
Step 2 Run:
wlan
Step 3 Run:
radio-profile { id profile-id | name profile-name } *
After a radio profile is created, parameters in the profile use default values.
Step 4 Run:
channel-mode auto
The automatic channel mode is configured in the radio profile. In this mode, an AP can select a
channel for a radio based on the WLAN radio environment.
An AP periodically checks the network environment to determine whether to adjust its channels
and how to adjust the channels.
Step 5 Run:
power-mode auto
The automatic power mode is configured in the radio profile. In this mode, an AP can set the
transmit power for a radio based on the WLAN radio environment.
An AP periodically checks the network environment to determine whether to adjust the transmit
power so that the entire WLAN can be covered.
Step 6 Run:
calibrate-interval calibrate-interval
The calibration function ensures that the transmit power of a radio is not affected by interference
from other radios. An AP checks the radio environment at the specified interval. If the radio
environment deteriorates, the AP calibrates the radio parameters.
----End
Procedure
l Run the display wmm-profile { all | id profile-id | name profile-name } command to view
information about a WMM profile.
l Run the display radio-profile { all | id profile-id | name profile-name } command to view
information about a radio profile.
l Run the display binding radio-profile { id profile-id | name profile-name } command to
view information about the radios bound to a radio profile.
l Run the display actual channel-power interface wlan-radio0/0/0 command to view the
channel and power of a radio.
l Run the display radio config interface wlan-radio0/0/0 command to view the
configuration of a radio.
----End
Applicable Environment
If users need to access an Ethernet network by using wireless devices, the WLAN service must
be configured. For the WLAN service configuration roadmap, see 1.2 WLAN Features
Supported by the AR1200.
Pre-configuration Tasks
Before configuring the WLAN service, complete the following tasks:
l Configuring the WLAN radio environment according to 1.3 Configuring the WLAN
Radio Environment
Data Preparation
To configure the WLAN service, you need the following data.
No. Data
No. Data
Context
A WLAN-BSS interface is a virtual Layer 2 interface. Similar to a Layer 2 Ethernet interface
of the access type, a WLAN-BSS interface has Layer 2 attributes and supports multiple Layer
2 protocols.
After creating a WLAN-BSS interface, bind a service set to the interface.
Procedure
Step 1 Run:
system-view
NOTE
Step 4 Run:
dot1x authentication-method { chap | pap | eap }
NOTE
When the dot1x authentication method is set to chap or pap, no guest VLAN or restrict VLAN can be
configured on the interface.
----End
Context
WLAN supports the following authentication modes: Wired Equivalent Privacy (WEP)
authentication, Wi-Fi Protected Access (WPA) authentication, WPA2 authentication, and
WLAN Authentication and Privacy Infrastructure (WAPI) authentication.
Procedure
Step 1 Run:
system-view
The dot1x authentication and corresponding encryption mode are configured for the
WPA/WPA2 policy.
NOTE
The shared key authentication and corresponding encryption mode are configured for
the WPA/WPA2 policy.
l WAPI authentication
1. Run:
security-policy wapi
The AP certificate file, certificate of the AP certificate issuer, and ASU certificate file
are imported.
4. Run:
wapi import private-key file-name file_name
The interval for updating a base key (BK) and the BK lifetime percentage are set.
By default, the interval for updating a BK is 43200s, and the BK lifetime percentage
is 70%.
– Run:
wapi { msk-update-interval msk-interval | msk-update-packet msk-packet
| msk-retrans-count msk-count }
The interval for updating an MBMS service key (MSK), the number of packets
that will trigger MSK update, and the number of retransmissions of MSK
negotiation packets are set.
By default, the interval for updating an MSK is 86400s; the number of packets that
will trigger MSK update is 10000; the number of retransmissions of MSK
negotiation packets is 3.
– Run:
wapi cert-retrans-count cert-count
----End
Procedure
Step 1 Run:
system-view
2 2
3 3
4 4
5 5
6 6
7 7
----------------------------
Tunnel priority(down) Mapping Mode:ToS(inner) to ToS(outer)
----------------------------
ToS(inner) ToS(outer)
0 0
1 1
2 2
3 3
4 4
5 5
6 6
7 7
----------------------------
NOTE
An AP converts the 802.11 packet sent from a STA into an 802.3 packet before sending it to an Ethernet
network. The AP may retain the packet priority, change the packet priority according to the VAP
configuration, or map the user priority to the 802.1p priority.
When receiving an 802.3 packet from the Ethernet network, the AP converts the 802.3 packet into an 802.11
packet and forwards it to the STA. The user priority in the packet is determined by DSCP-CoS mappings
or set in a traffic classifier.
An AP terminates 802.11 packets sent from STAs, converts the 802.11 packets into 802.3
packets, and sends the 802.3 packets to an AC. To ensure the service quality for 802.3 packets,
set packet priories to ensure proper scheduling.
The rate limit for upstream or downstream packets is set for a single STA or all STAs associated
with a VAP.
----End
Prerequisite
A security profile and a traffic profile have been created.
Context
A service set defines key service parameters. After the service set is bound to a specified radio
on an AP, the service parameters are applied to a WLAN service entity, namely, a virtual access
point (VAP).
Procedure
Step 1 Run:
system-view
Step 2 Run:
wlan
Step 3 Run:
service-set { name service-set-name | id service-set-id } *
Step 4 Run:
ssid ssid
Step 6 Run:
security-profile { name profile-name | id profile-id } *
Step 7 Run:
traffic-profile { name profile-name | id profile-id } *
NOTE
The security profile and traffic profile bound to a service set apply to all users using the service set.
Step 8 Run:
wlan-bss wlan-bss-number
----End
Prerequisite
l A radio profile has been bound to the specified radio according to 1.3.4 Binding a Radio
Profile to a Radio
l A service set has been configured according to 1.4.5 Configuring a WLAN Service Set.
Context
A VAP is a functional entity on an AP. You can create a VAP on a radio interface by binding a
service set to the radio interface.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run the display vap command to view the VAP configuration.
Step 2 Run the display security-profile { all | { id profile-id | name profile-name } [ detail ] } command
to view information about security profiles.
Step 3 Run the display traffic-profile { all | id profile-id | name profile-name } command to view
information about traffic profiles.
Step 4 Run the display service-set { all | id service-set-id | name service-set-name | ssid ssid }
command to view information about service sets.
----End
1.5.1 Resetting an AP
Reset an AP when it cannot work properly.
Context
CAUTION
Exercise caution when resetting an AP because services on the AP will be interrupted.
Procedure
Step 1 Run:
system-view
Step 2 Run:
wlan
Step 3 Run:
ap-reset
An AP is reset.
----End
Networking Requirements
As shown in Figure 1-3, an enterprise provides the WLAN service for users. The AR1200
functions as a fat AP to provide wireless Internet access service and as a DHCP server to allocate
IP addresses to users.
VLAN 100
STA1 Network
STA2 Router
(Fat AP)
RADIUS server
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic AR1200 attributes, including the country code and DHCP server address,
so that the AR1200 can allocate IP addresses to users.
2. Configure a WLAN-BSS interface and bind it to a service set so that radio packets can be
sent to the WLAN service module after reaching the AR1200.
3. Configure a radio profile on the AR1200 and bind it to a radio interface to enable STAs to
communicate with the AR1200.
4. Configure a service set on the AR1200 and bind the specified security profile and traffic
profile to it to ensure security and QoS for STAs.
5. Configure a VAP and deliver VAP parameters so that STAs can access the WLAN.
Procedure
Step 1 Configure basic AR1200 attributes.
# Configure the country code for the AR1200.
<Huawei> system-view
[Huawei] wlan global country-code cn
# Configure a VLANIF interface, assign an IP address to it for Layer 3 packet forwarding, and
enable the DHCP server function on it. In this example, an IP address pool is configured on
VLANIF 100 to assign IP addresses to STAs.
[Huawei] dhcp enable
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif100
[Huawei-Vlanif100] ip address 192.168.0.1 24
[Huawei-Vlanif100] dhcp select interface
[Huawei-Vlanif100] quit
# Create a radio profile radio-1 and bind the WMM profile wmm-1 to it.
[Huawei-wlan-view] radio-profile name radio-1
[Huawei-wlan-radio-prof-radio-1] wmm-profile name wmm-1
[Huawei-wlan-radio-prof-radio-1] quit
# Create a service set and bind the traffic profile, security profile, and WLAN-BSS interface to
the service set.
[Huawei-wlan-view] service-set name huawei-1
[Huawei-wlan-service-set-huawei-1] ssid huawei-1
[Huawei-wlan-service-set-huawei-1] traffic-profile name traffic-1
[Huawei-wlan-service-set-huawei-1] security-profile name security-1
[Huawei-wlan-service-set-huawei-1] wlan-bss 1
[Huawei-wlan-service-set-huawei-1] quit
----End
Configuration Files
#
sysname
Huawei
#
vlan 100
#
dhcp enable
#
wlan global country-code cn
#
interface Vlanif100
ip address 192.168.0.1 255.255.255.0
dhcp select interface
#
interface Wlan-Bss1
port hybrid tagged vlan 100
#
wlan
This chapter describes how to configure WLAN security in the fat AP networking mode.
Link Authentication
Open system authentication and shared key authentication are used for link authentication.
l Open system authentication
Open system authentication is the default and simplest authentication mode. Users do not
need to be authenticated in this mode.
Client AP
Authentication Request
Authentication Response
Client AP
Authentication Request
Currently, the AR1200 supports RC4 encryption, Temporal Key Integrity Protocol (TKIP)
encryption, and Counter Mode with Cipher Block Chaining Message Authentication Code
Protocol (CCMP) encryption.
The AR1200 supports four access security policies: Wired Equivalent Privacy (WEP), Wi-Fi
Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure
(WAPI).
User Isolation
The user isolation function prevents wireless users associated with the same AP from forwarding
Layer 2 packets to each other, which prevents these users from communicating directly.
On the AR1200, you can configure user isolation in a service set and configure port isolation on
a WLAN-BSS interface to implement Layer 2 isolation between wireless users associated with
the same AP.
Applicable Environment
WLAN channels are open to users, and malicious users can easily intercept, modify, and forward
data of authorized users. The WLAN technology provides security policies to prevent
unauthorized user access. Select a security policy based on the security level needed for your
network.
l Wired Equivalent Privacy (WEP) is an old security policy and has security risks. It can be
used in open scenarios that do not require high security, such as airports.
l Wi-Fi Protected Access (WPA) and WLAN Authentication and Privacy Infrastructure
(WAPI) provide higher security for devices.
Data Preparation
To configure an access security policy, you need the following data.
No. Data
No. Data
Procedure
Step 1 Run:
system-view
The dot1x authentication and corresponding encryption mode are configured for the
WPA/WPA2 policy.
NOTE
The pre-shared key authentication and corresponding encryption mode are configured
for the WPA/WPA2 security policy.
l WAPI authentication
1. Run:
security-policy wapi
The AP certificate file, certificate of the AP certificate issuer, and ASU certificate file
are imported.
4. Run:
wapi import private-key file-name file_name
The interval for updating a BK and the BK lifetime percentage are set.
By default, the interval for updating a BK is 43200s, and the BK lifetime percentage
is 70%.
– Run:
wapi { msk-update-interval msk-interval | msk-update-packet msk-packet
| msk-retrans-count msk-count }
The interval for updating an MSK, number of packets that will trigger MSK update,
and number of retransmissions of MSK negotiation packets are set.
By default, the interval for updating an MSK is 86400s; the number of packets that
will trigger MSK update is 10000; the number of retransmissions of MSK
negotiation packets is 3.
– Run:
wapi cert-retrans-count cert-count
----End
Encryption : WEP-40
Key 0 : *****
Key 1 : Empty
Key 2 : Empty
Key 3 : Empty
Default key ID : 0
------------------------------------------------------------
WPA's configuration
Authentication : WPA 802.1x + PEAP
Encryption : TKIP
------------------------------------------------------------
WPA2's configuration
Authentication : WPA2 802.1x + PEAP
Encryption : CCMP
------------------------------------------------------------
WAPI's configuration
CA certificate filename : -
ASU certificate filename : -
AC certificate filename : -
AC private key filename : -
Authentication server IP : -
Authentication method : WAPI PSK
WAI timeout(s) : 60
BK update interval(s) : 43200
BK lifetime threshold(%) : 70
USK update interval(s) : 600
USK update packet(k) : 10
MSK update interval(s) : 86400
MSK update packet(k) : 10
Cert auth retrans count : 3
USK negotiate retrans count : 3
MSK negotiate retrans count : 3
USK update method : Time-based
MSK update method : Time-based
------------------------------------------------------------
Applicable Environment
To prevent some STAs from accessing a WLAN network, add them to the STA blacklist. To
allow some STAs to access a WLAN, add them to the STA whitelist.
Pre-configuration Tasks
Before configuring the STA blacklist and whitelist, complete the following tasks:
l Configuring basic WLAN attributes according to 1.4 Configuring the WLAN Service
Data Preparation
To configure the STA blacklist and whitelist, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
Step 2 Run:
wlan
----End
------------------------------------------------------------------------------
ID
MAC
------------------------------------------------------------------------------
0
0026-0000-90a1
1
0026-0000-909f
------------------------------------------------------------------------------
Total number: 2
l Run the display sta-whitelist command to view the STA whitelist.
Check the STA whitelist.
<Huawei> display sta-whitelist
Station mac global white list
information:
------------------------------------------------------------------------------
ID
MAC
------------------------------------------------------------------------------
0 0025-9e26-
b9bd
1 001e-907a-
b6a6
2
0026-0000-90a1
------------------------------------------------------------------------------
Total number: 3
Networking Requirements
As shown in Figure 2-3, the AR1200 functions as a fat AP and provides WLAN services for
access users. Five WLANs are available for the users. The requirements are:
l Open system authentication and no encryption are used on the WLAN with the SSID
huawei-1.
l Shared key authentication and WEP-40 encryption are used on the WLAN with the SSID
huawei-2.
l WPA1 authentication and TKIP encryption are used on the WLAN with the SSID huawei-3.
l WPA2 authentication and CCMP encryption are used on the WLAN with the SSID
huawei-4.
l WAPI authentication is used on the WLAN with the SSID huawei-5.
BRAS
STA1
STA2
Network
STA3
Router
STA4 (FAT AP)
Item Data
Prerequisite
l The AP certificate file huawei-ap.cer, ASU certificate file huawei-asu.cer and Issuer
certificate file huawei-issuer.cer have been saved in the flash card of the AP.
Configuration Roadmap
The configuration roadmap is as follows:
4. Create virtual APs (VAPs) and deliver VAP parameters so that STAs access different
WLANs by using different security policies.
Procedure
Step 1 Enable 802.1x authentication and configure AAA globally.
l Enable 802.1x authentication.
<Huawei> system-view
[Huawei] dot1x enable
l Configure AAA.
# Set the IP address of the RADIUS server to 10.137.146.163 and set the shared key to
huawei.
[Huawei] radius-server template peap.radius.com
[Huawei-radius-peap.radius.com] radius-server authentication 10.137.146.163
1812
[Huawei-radius-peap.radius.com] radius-server accounting 10.137.146.163 1813
[Huawei-radius-peap.radius.com] radius-server shared-key simple huawei
[Huawei-radius-peap.radius.com] quit
Step 2 Create security profiles: security-1, security-2, security-3, security-4, and security-5.
[Huawei] wlan
[Huawei-wlan-view] security-profile name security-1
[Huawei-wlan-sec-prof-security-1] quit
[Huawei-wlan-view] security-profile name security-2
[Huawei-wlan-sec-prof-security-2] quit
[Huawei-wlan-view] security-profile name security-3
[Huawei-wlan-sec-prof-security-3] quit
[Huawei-wlan-view] security-profile name security-4
[Huawei-wlan-sec-prof-security-4] quit
[Huawei-wlan-view] security-profile name security-5
[Huawei-wlan-sec-prof-security-5] quit
l # Create service set ss-2, specify SSID huawei-2 for it, bind traffic profile ctc, security
profile security-2 and WLAN-BSS interface wlan-bss 1 to it, and deliver VAP parameters
to radio 0.
[Huawei]interface wlan-bss 1
[Huawei-Wlan-Bss1] port hybrid tagged vlan 2
[Huawei-Wlan-Bss1]quit
[Huawei] wlan
[Huawei-wlan-view] service-set name ss-2
[Huawei-wlan-service-set-ss-2] ssid huawei-2
[Huawei-wlan-service-set-ss-2] traffic-profile name ctc
[Huawei-wlan-service-set-ss-2] security-profile name security-2
[Huawei-wlan-service-set-ss-2] wlan-bss 1
[Huawei-wlan-service-set-ss-2] quit
[Huawei-wlan-view] quit
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] service-set name ss-2
[Huawei-Wlan-Radio0/0/0] quit
l # Create service set ss-3, specify SSID huawei-3 for it, bind traffic profile ctc, security
profile security-3 and WLAN-BSS interface wlan-bss 2 to it, and deliver VAP parameters
to radio 0.
[Huawei]interface wlan-bss 2
[Huawei-Wlan-Bss2] port hybrid tagged vlan 3
[Huawei-Wlan-Bss2] dot1x-authentication enable
[Huawei-Wlan-Bss2] dot1x authentication-method eap
[Huawei-Wlan-Bss2]quit
[Huawei] wlan
[Huawei-wlan-view] service-set name ss-3
[Huawei-wlan-service-set-ss-3] ssid huawei-3
[Huawei-wlan-service-set-ss-3] traffic-profile name ctc
[Huawei-wlan-service-set-ss-3] security-profile name security-3
[Huawei-wlan-service-set-ss-3] wlan-bss 2
[Huawei-wlan-service-set-ss-3] quit
[Huawei-wlan-view] quit
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] service-set name ss-3
[Huawei-Wlan-Radio0/0/0] quit
l # Create service set ss-4, specify SSID huawei-4 for it, bind traffic profile ctc, security
profile security-4 and WLAN-BSS interface wlan-bss 3 to it, and deliver VAP parameters
to radio 0.
[Huawei]interface wlan-bss 3
[Huawei-Wlan-Bss3] port hybrid tagged vlan 4
[Huawei-Wlan-Bss3] dot1x-authentication enable
[Huawei-Wlan-Bss3] dot1x authentication-method eap
[Huawei-Wlan-Bss3]quit
[Huawei] wlan
[Huawei-wlan-view] service-set name ss-4
[Huawei-wlan-service-set-ss-4] ssid huawei-4
[Huawei-wlan-service-set-ss-4] traffic-profile name ctc
[Huawei-wlan-service-set-ss-4] security-profile name security-4
[Huawei-wlan-service-set-ss-4] wlan-bss 3
[Huawei-wlan-service-set-ss-4] quit
[Huawei-wlan-view] quit
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] service-set name ss-4
[Huawei-Wlan-Radio0/0/0] quit
l # Create service set ss-5, specify SSID huawei-5 for it, bind traffic profile ctc, security
profile security-5 and WLAN-BSS interface wlan-bss 4 to it, and deliver VAP parameters
to radio 0.
[Huawei]interface wlan-bss 4
[Huawei-Wlan-Bss4] port hybrid tagged vlan 5
[Huawei-Wlan-Bss4]quit
[Huawei] wlan
[Huawei-wlan-view] service-set name ss-5
[Huawei-wlan-service-set-ss-5] ssid huawei-5
[Huawei-wlan-service-set-ss-5] traffic-profile name ctc
[Huawei-wlan-service-set-ss-5] security-profile name security-5
[Huawei-wlan-service-set-ss-5] wlan-bss 4
[Huawei-wlan-service-set-ss-5] quit
[Huawei-wlan-view] quit
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] service-set name ss-5
[Huawei-Wlan-Radio0/0/0] quit
----End
Configuration Files
#
dot1x enable
#
radius-server template peap.radius.com
radius-server authentication 10.137.146.163 1812
radius-server accounting 10.137.146.163 1813
#
interface Wlan-Bss0
port hybrid tagged vlan 1
#
interface Wlan-Bss1
port hybrid tagged vlan 2
#
interface Wlan-Bss2
port hybrid tagged vlan 3
dot1x-authentication enable
dot1x authentication-method eap
#
interface Wlan-Bss3
port hybrid tagged vlan 4
dot1x-authentication enable
dot1x authentication-method eap
#
interface Wlan-Bss4
port hybrid tagged vlan
5
#
wlan
This chapter describes how to configure the QoS service in the fat AP networking mode.
WMM
WMM provides QoS features for 802.11 networks and enables high-priority packets to be sent
first. This provides better quality for voice and video services on WLANs.
EDCA
Enhanced Distributed Channel Access (EDCA) is a channel preemption mechanism defined by
WMM, enabling high-priority packets to be sent first and allocated more bandwidth.
AC
WMM prioritizes queues of four access categories (ACs) in descending order: AC-voice (AC-
VO), AC-video (AC-VI), AC-best effort (AC-BE), and AC-background (AC-BK). This ensures
that packets in a high-priority queue have greater capabilities in channel preemption.
l ECWmin and ECWmax: determine the average backoff time. A larger value indicates a
longer average backoff time.
l Transmission opportunity limit (TXOPLimit): determines the maximum duration in which
an AP or a STA can occupy a channel. A greater TXOPLimit value indicates a longer
duration. If this parameter is set to 0, an AP or a STA can send only one packet each time
it occupies a channel.
l ACK policy: determines whether to send an ACK packet to confirm the receiving of a
unicast packet. In normal ACK mode, the receiver sends an ACK packet to confirm the
receiving of a unicast packet from the sender. In no ACK mode, if the communication
quality is good and interference is low, no ACK packet is sent to confirm the receiving of
a unicast packet from the sender. This prevents packet retransmission and improves the
transmission efficiency.
EDCA parameters and other WMM parameters are managed in a WMM profile. After a WMM
profile is created, it is bound to a radio profile and then applied to a radio together with the radio
profile.
802.1p priority in Specifies the 802.1p priority in 802.3 packets received by an AP. The
802.3 packets 802.1p priority can be set or mapped from the user priority in 802.11
packets sent by a STA.
After a traffic profile is created, it is bound to a service set and applied to the corresponding
VAP along with the service set.
Applicable Environment
A STA communicates with an AP by sending radio signals over a channel. To provide
differentiated services for wireless users, configure a Wi-Fi multimedia (WMM) profile.
Pre-configuration Tasks
Before configuring a radio QoS policy, complete the following tasks:
l Configuring basic WLAN attributes according to 1.4 Configuring the WLAN Service
Data Preparation
To configure a radio QoS policy, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
NOTE
A STA communicates with an AP by sending radio signals over a channel. Four queues are provided for
radio packets. Packets in different queues have different opportunities to obtain transmission channels so
that differentiated services can be provided for radio packets.
The queues are AC_VO (voice queue), AC_VI (video queue), AC_BE (best effort queue), and AC_BK
(background queue) in descending order of priority.
You can change the priorities of the queues by modifying the Enhanced Distributed Channel Access
(EDCA) parameters, including the AIFSN, ECWmin, ECWmax, TXOPLimit, and ACK policy:
l AIFSN: determines the channel idle time. A greater AIFSN value indicates a longer channel idle time.
Different AIFSNs can be configured for ACs.
l ECWmin and ECWmax: ECWmin specifies the minimum backoff time, and ECWmax specifies the
maximum backoff time. They determine the average backoff time. A larger value indicates a longer
average backoff time.
l TXOPLimit: determines the maximum duration in which a STA can occupy a channel. A larger value
indicates a longer duration. If this parameter is set to 0, a STA can send only one packet every time it
occupies a channel.
l ACK policy: determines whether the packet receiver acknowledges received packets. Two policies are
available: normal ACK and no ACK.
Before occupying a channel to send packets, STAs monitor the channel. If the channel idle time is longer
than or equal to the AIFSN, each STA selects a random backoff time between ECWmin and ECWmax.
The STA whose backoff timer expires the first occupies the channel and starts to send packets over the
channel.
The EDCA parameters are configured for the four WMM queues of a STA.
The EDCA parameters are configured for the four WMM queues of an AP.
----End
Applicable Environment
To forward an 802.11 packet sent from a STA to an Ethernet network, an AP converts the 802.11
packet into an 802.3 packet. The AP may retain the packet priority or change the packet priority
according to the VAP configuration to provide differentiated QoS services.
Pre-configuration Tasks
Before configuring a VAP QoS policy, complete the following tasks:
l Configuring basic WLAN attributes according to 1.4 Configuring the WLAN Service
Data Preparation
To configure a VAP QoS policy, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
Profile ID : 3
Profile name : traffic-profile-1
Client Limit Rate : 4294967295 Kbps(up)
: 4294967295 Kbps(down)
VAP Limit Rate : 4294967295 Kbps(up)
: 4294967295 Kbps(down)
802.1p Mapping Mode: mapping
----------------------------
User-priority 802.1p
0 0
1 1
2 2
3 3
4 4
5 5
6 6
7 7
----------------------------
802.1p to User-priority Mapping List:
----------------------------
802.1p User-priority
0 0
1 1
2 2
3 3
4 4
5 5
6 6
7 7
----------------------------
Tunnel priority(up) Mapping Mode:ToS(inner) to ToS(outer)
----------------------------
ToS(inner) ToS(outer)
0 0
1 1
2 2
3 3
4 4
5 5
6 6
7 7
----------------------------
Tunnel priority(down) Mapping Mode:ToS(inner) to ToS(outer)
----------------------------
ToS(inner) ToS(outer)
0 0
1 1
2 2
3 3
4 4
5 5
6 6
7 7
----------------------------
NOTE
When receiving an 802.3 packet from the Ethernet network, the AP converts the 802.3 packet into an 802.11
packet and forwards it to the STA. The user priority in the packet is determined by DSCP-CoS mapping
or set in a traffic classifier.
An AP terminates 802.11 packets sent from STAs, converts the 802.11 packets into 802.3
packets, and sends the 802.3 packets to an AC. To ensure the service quality for 802.3 packets,
set packet priories to ensure proper scheduling.
The rate limit for upstream or downstream packets is set for a single STA or all STAs associated
with a VAP.
----End
Networking Requirements
As shown in Figure 3-1, STA1 and STA2 are connected to the network through the AR1200.
The AR1200 functions as a fat AP, and STA2 is a VIP customer. The requirements are:
l Video service requirements of STA1 and STA2 are met first.
l Communication requirements of STA2 are met first when the network bandwidth is
insufficient.
VLAN 101
STA1
Network
VLAN 102
STA2 Router
(FAT AP)
RADIUS Server
l SSID: huawei-2
l Traffic profile: huawei-vip
l Security profile: huawei
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic attributes for the AR1200, including the country code and DHCP server
address, so that the AR1200 can assign IP addresses to users.
2. Configure a WLAN-BSS interface and bind it to a service set so that radio packets can be
sent to the WLAN service module after reaching the AR1200.
3. Create a WMM profile and set attributes for the profile. Create a radio profile and bind it
to the WMM profile to first meet video service requirements of users.
4. Create a traffic profile and set attributes for the profile to first meet communication
requirements of the VIP customer when the network bandwidth is insufficient.
5. Create a security profile to control STA access.
6. Create a service set and bind the security profile and traffic profile to the service set.
7. Configure a VAP to implement QoS control for STAs.
Procedure
Step 1 Configure basic AP attributes.
# Configure the country code for the AP.
<Huawei> system-view
[Huawei] wlan global country-code cn
# Configure VLANIF interfaces, assign IP addresses to them for Layer 3 packet forwarding, and
enable the DHCP server function on them. Configure an IP address pool on VLANIF 101 to
assign an IP address to STA1, and configure an IP address pool on VLANIF 102 to assign an
IP address to STA2.
[Huawei] dhcp enable
[Huawei] vlan batch 101 102
[Huawei] interface vlanif101
[Huawei-Vlanif101] ip address 192.168.0.1 24
[Huawei-Vlanif101] dhcp select interface
[Huawei-Vlanif101] quit
[Huawei] interface vlanif102
[Huawei-Vlanif102] ip address 192.168.1.1 24
Step 3 Configure a WMM profile and a radio profile for the AP.
l Create a WMM profile.
# Create a WMM profile huawei-vi and change the queue priority to enable the AC_VI
queue to have a higher priority than the AC_VO queue.
[Huawei] wlan
[Huawei-wlan-view] wmm-profile name huawei-vi
[Huawei-wlan-wmm-prof-huawei-vi] wmm edca ap ac-vi ecw ecwmin 1 ecwmax 1 aifsn
1 txoplimit 36 ack-policy normal
[Huawei-wlan-wmm-prof-huawei-vi] wmm edca client ac-vi ecw ecwmin 1 ecwmax 3
aifsn 1 txoplimit 36
[Huawei-wlan-wmm-prof-huawei-vi] quit
# Create a traffic profile huawei and limit the VAP upstream rate to 1024 kbit/s and STA
upstream rate to 512 kbit/s.
[Huawei-wlan-view] traffic-profile name huawei
[Huawei-wlan-traffic-prof-huawei] rate-limit client up 512
[Huawei-wlan-traffic-prof-huawei] rate-limit vap up 1024
[Huawei-wlan-traffic-prof-huawei] quit
# Create a traffic profile huawei-vip and limit the VAP upstream rate to 2048 kbit/s and STA
upstream rate to 1024 Kbit/s.
[Huawei-wlan-view] traffic-profile name huawei-vi
[Huawei-wlan-traffic-prof-huawei-vi] rate-limit client up 1024
[Huawei-wlan-traffic-prof-huawei-vi] rate-limit vap up 2048
[Huawei-wlan-traffic-prof-huawei-vi] quit
l # Create service set huawei-2, specify SSID huawei-2 for it, and bind traffic profile
huawei-vip, security profile huawei and wlan-bss interface wlan-bss 2 to it.
[Huawei-wlan-view] service-set name huawei-2
[Huawei-wlan-service-set-huawei-2] ssid huawei-2
[Huawei-wlan-service-set-huawei-2] traffic-profile name huawei-vi
[Huawei-wlan-service-set-huawei-2] security-profile name Huawei
[Huawei-wlan-service-set-huawei-2] wlan-bss 2
[Huawei-wlan-service-set-huawei-2] quit
# Bind the radio profile and service sets huawei-1 and huawei-2 to a radio interface on the AP.
Then VAP information is automatically created on the AR1200.
[Huawei] interface Wlan-Radio 0/0/0
[Huawei-Wlan-Radio0/0/0] radio-profile name huawei-vi
[Huawei-Wlan-Radio0/0/0] service-set name huawei-1
[Huawei-Wlan-Radio0/0/0] service-set name huawei-2
[Huawei-Wlan-Radio0/0/0] quit
Two WLANs with SSIDs huawei-1 and huawei-2 are available for STAs connected to the
AR1200. STA 1 and STA2 select WLANs with SSIDs huawei-1 and huawei-2.
----End
Configuration Files
#
vlan batch 101 to 102
#
dhcp enable
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface
#
wlan
wmm-profile name huawei-vi id 1
wmm edca ap ac-vi aifsn 1 ecw ecwmin 1 ecwmax 1 txoplimit 36
wmm edca client ac-vi aifsn 1 ecw ecwmin 1 ecwmax 3 txoplimit 36
traffic-profile name huawei id 1
rate-limit client up 512
rate-limit vap up 1024
traffic-profile name huawei-vi id 2
rate-limit client up 1024
rate-limit vap up 2048
security-profile name huawei id 1
service-set name huawei-1 id 0
Wlan-Bss 1
ssid huawei-1
traffic-profile id 1
security-profile id 1
service-set name huawei-2 id 1
Wlan-Bss 2
ssid huawei-2
traffic-profile id 2
security-profile id 1
radio-profile name huawei-vi id 1
wmm-profile id 1
#
interface Wlan-Radio0/0/0
radio-profile id 1
service-set id 0 wlan 1
service-set id 1 wlan
2
#
interface Wlan-Bss1
port hybrid tagged vlan 101
#
interface Wlan-Bss2
port hybrid tagged vlan 102
#
return