The privilege of HCNA/HCNP/HCIE: With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
1. e-Learning Courses: Log on to http://learning.huawei.com/en and enter Huawei Training/e-Learning.
If you have the HCNA/HCNP certificate: You can access Huawei Career Certification and Basic Technology e-Learning courses.
If you have the HCIE certificate: You can access all the e-Learning courses which are marked for HCIE Certification Users.
Methods to get the HCIE e-Learning privilege: Please associate HCIE certificate information with your Huawei account, and email the account to [email protected] to apply for HCIE e-Learning privilege.
2. Training Material Download
Content: Huawei product training material and Huawei career certification training material.
Method: Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training, then you can download training material in the specific training introduction page.
3. Priority to participate in Huawei Online Open Class (LVC)
The Huawei career certification training and product training cover all ICT technical domains such as R&S, UC&C, Security, Storage and so on, and are conducted by Huawei professional instructors.
4. Learning Tools:
eNSP: Simulate single Router & Switch device and large network.
WLAN Planner: Network planning tools for WLAN AP products.
In addition, Huawei has built up Huawei Technical Forum, which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others or be acquainted with Huawei products.
Statement:
This material is for personal use only, and can not be used by any individual or organization for any commercial purposes.
HUAWEI TECHNOLOGIES CO., LTD.
Huawei Confidential
HCNA-WLAN Course
Experiment Guide for WLAN Engineers (CLI)
Issue: 1.60
Date: 2014-12-20
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://support.huawei.com/learning/Index!toTrainIndex
Email: [email protected]
(2014-12-20)
Huawei Proprietary and Confidential Copyright © Huawei Technologies C., Ltd.
HCNA-WLAN
Huawei Certificate System
Relying on the strong technical strength and professional training system, Huawei provides a practical and professional four-level certificate system to meet various customer requirements on different WLAN technologies.
Huawei Certified Network Associate-Wireless Local Area Network (HCNA-WLAN) is designed for Huawei local offices, online engineers in representative offices, and readers who want to understand Huawei WLAN products and technology. HCNA-WLAN covers WLAN basics, Control and Provisioning of Wireless Access Points (CAPWAP) protocol, WLAN networking, Huawei WLAN product features, security configuration, WLAN advanced technology, antennas, WLAN network planning and optimization, and WLAN fault troubleshooting.
The HCNA-WLAN certificate system introduces you to the industry and market, helps you in innovation, and enables you to stand atop the WLAN frontiers.
About This Document
Overview
This document is applicable to the candidates who are preparing for the HCNA-WLAN exam and the readers who want to understand the WLAN basics, the CAPWAP protocol, WLAN networking, Huawei WLAN product features, security configuration, WLAN advanced technology, antennas, WLAN network planning and optimization, and WLAN fault troubleshooting.
Description
This experiment guide introduces the following seven experiments, covering basic configurations, and configurations and implementation of Layer 2 networking, security, Layer 3 networking, and the network management software eSight:
Experiment 1: Experiment environment preparations
This experiment includes checking whether all required devices are ready, connecting devices on the network, and clearing AC configurations. This experiment helps you know about HCNA-WLAN devices and network construction.
Experiment 2: AC configuration initialization
This experiment involves basic operations and configurations on an AC, helping you know the AC6605 and its basic functions.
Experiment 3: AP authentication and WLAN configuration process
This experiment lets you know basic WLAN network capabilities through basic WLAN configurations.
Experiment 4: WLAN security configuration
This experiment mainly introduces 802.1x authentication, helping you know WLAN security and the configuration process.
Experiment 5: Bypass Layer 3 networking
This experiment uses the AC6605 and Layer 3 networking. The Layer 3 network configuration helps you comprehensively know WLAN networking modes.
Experiment 6: WLAN configuration on eSight
This experiment involves how to add WLAN devices to the eSight and deliver WLAN services using the configuration wizard.
Experiment 7: Configuration file backup and AC configuration clearance
This experiment describes how to back up configuration files through File Transfer Protocol (FTP).
Background Knowledge Required
The intended audience should know basic WLAN knowledge, Huawei switching devices, and basic datacom knowledge.
Common Icons
AC
AP
Switch
eSight Server
RADIUS Server
STA
Experiment Environment Overview
Networking Introduction
This experiment environment is prepared for WLAN engineers who are preparing for the HCNA-WLAN exam. Each suite of experiment environment includes 2-9 ACs, 2-9 APs, 1 core switch, and 1 Remote Authentication Dial In User Service (RADIUS) or eSight server. Each suite of experiment environment is applicable to 4 to 16 candidates.
Device Introduction
The following table lists devices recommended for HCNA-WLAN experiments and the mappings between the device name, model, and software version.
Device Name | Model | Software Version
Core switch | S3700-28TP-PWR-EI | Version 5.70 (S3700 V100R005C01SPC100)
AC | AC6605-26-PWR | AC6605 V200R005C00SPC200
AP | AP6010DN-AGN | AP6010DN-AGN:V200R005C00SPC600
Contents
Huawei Certificate System
About This Document
Common Icons
Experiment Environment Overview
1 Practice 1: Preparing the Lab Environment
  1.1 About This Course
  1.2 Confirming the Readiness of the Devices
    1.2.1 Confirming the Readiness of the Devices
  1.3 Network Topology Description 1: Chain Networking
  1.4 Network Topology Description 2: Branched Networking
  1.5 Description the Connection of Console Cable
  1.6 Reset the Configuration of AC
2 Basic Configuration of AC
  2.1 Objectives
  2.2 Networking Deployment Description
  2.3 Configuration Procedure
    2.3.1 Configuring Initialization Password
    2.3.2 Configuring the Basic Information of AC
    2.3.3 Confirming and Testing the Telnet/SSH Service (AAA Authentication)
    2.3.4 Save the Configuration
  2.4 Configuration Reference
3 AP Authentication and WLAN Configuration Roadmap
  3.1 Objectives
  3.2 Networking Deployment Description
  3.3 Configuration Procedure
    3.3.1 Configuring Roadmap
    3.3.2 Configuring the Switch
    3.3.3 Configuring the Basic Information of AC
    3.3.4 Configuring AP Authentication and Connection with AC
    3.3.5 Configuring AP Radio
    3.3.6 Configuring WLAN-ESS Interface
    3.3.7 Configuring Security Profile/Traffic Profile/WLAN Service-set
    3.3.8 Configuring Service-set to AP
    3.3.9 Verify the Configuration
  3.4 Configuration Reference
    3.4.1 Configuration of AC
4 WLAN Security Configuration
  4.1 Objectives
  4.2 Networking Deployment Description
  4.3 Configuration Procedure
    4.3.1 Configuring WEP Authentication
    4.3.2 Configuring WPA PSK Authentication
    4.3.3 Configuring WPA EAP Authentication
    4.3.4 Configuring EAP Client
  4.4 Security Policies Configuration Precautions
  4.5 Configuration Reference
    4.5.1 AC's configuration
5 eSight Management for WLAN (Optional)
  5.1 Objectives
  5.2 Networking Deployment Description
  5.3 Configuration Procedure
    5.3.1 Configuring AC SNMP Community
    5.3.2 Configuring AC Discover AP
    5.3.3 Configuring Service-set by eSight Wizard
    5.3.4 Checking the Configuration by eSight
  5.4 Configuration Reference
6 Branched Networking + Layer 3 Networking Practice
  6.1 Objectives
  6.2 Networking Deployment Description
  6.3 Configuration Procedure
    6.3.1 Re-connecting AP to Switch
    6.3.2 Re-configuring VLAN and Trunk
    6.3.3 AP Online Configuration
    6.3.4 Changing the Forwarding Mode to Tunnel Forwarding
  6.4 Configuration Reference
7 Backup the Configuration and Reset the Device
  7.1 Objectives
  7.2 Network Deployment Description
  7.3 Configuration Procedure
    7.3.1 Save the Configuration
    7.3.2 Configuring FTP Service on AC
    7.3.3 Backup the Configuration to PC
    7.3.4 Reset the Configuration
  7.4 Configuration Reference
    7.4.1 Configuration of AC
8 Appendix: Configuration of the SW
Figures
Figure 1-1 Devices List
Figure 1-2 Chain networking Topology
Figure 1-3 Branched networking topology
Figure 1-4 Network connection of console cable
Figure 1-5 Creating a connection
Figure 1-6 Configuring the connection port
Figure 1-7 Setting the communication parameters
Figure 2-1 Networking deployment information
Figure 3-1 AP Authentication and WLAN configuration roadmap parameters description
Figure 3-2 WLAN configuration roadmap
Figure 4-1 WLAN security configuration parameters description
Figure 5-1 eSight network deployment
Figure 6-1 Branched networking topology
1 Practice 1: Preparing the Lab Environment
1.1 About This Course
This course helps you set up the lab environment of WLAN. This course covers the following contents:
Confirming the readiness of the devices
Understanding the topology of the practice
Reset the configuration of the devices
1.2 Confirming the Readiness of the Devices
1.2.1 Confirming the Readiness of the Devices
The following figure lists the devices used in this practice. Please confirm them before the practice begins.
Figure 1-1 Devices List
Name | Count | Description
Huawei Quidway S3700 PoE switch or Huawei Quidway S5700 PoE switch | 1 SW for all groups | All practice groups share the SW and the pre-configuration was ready
AC6605 | 1 AC per group | AC with PoE power module
AP6010DN | 1 AP per group |
Laptop or desktop PC | 1 PC per group | PC with wireless network card
RJ-45 cables | 4 cables for each group |
Console Cable | 1 cable per group |
Each group should confirm the following devices in advance:
One AC6605 device
One AP6010DN
One laptop or desktop PC
Three RJ-45 cables
Console cable
1.3 Network Topology Description 1: Chain Networking
Figure 1-2 Chain networking Topology
[Figure not reproduced. Labels recoverable from it: Radius Server 10.254.1.100 and eSight Server 10.254.1.200 attached to the Core Switch on GE0/0/23 and GE0/0/24; Core Switch ports GE0/0/1, GE0/0/2 ... GE0/0/10 connected to GE0/0/24 of AC1, AC2 ... AC10; GE0/0/1 of each AC connected to AP1, AP2 ... AP10.]
Description of the chain networking:
The required practices of this exercise are based on the chain networking topology.
The chain networking deployment suits small and medium-sized WLAN networks.
For group 1: The 24th port of AC1 connects to switch port 1, and the 1st port of the AC connects to AP1.
For group 2: The 24th port of AC2 connects to switch port 2, and the 1st port of the AC connects to AP2.
For group 3: The 24th port of AC3 connects to switch port 3, and the 1st port of the AC connects to AP3.
And so on……
For group 10: The 24th port of AC10 connects to switch port 10, and the 1st port of the AC connects to AP10.
The switch is already configured and students do not need to configure it (you can find its configuration in the reference configuration part).
The RADIUS server and eSight server are ready for use and do not need to be configured.
1.4 Network Topology Description 2: Branched Networking
Figure 1-3 Branched networking topology
[Figure not reproduced. Labels recoverable from it: Radius Server 10.254.1.100 and eSight Server 10.254.1.200 attached to the Core Switch on GE0/0/23 and GE0/0/24; Core Switch ports GE0/0/1, GE0/0/2 ... GE0/0/10 connected to GE0/0/24 of AC1, AC2 ... AC10; Core Switch ports GE0/0/11, GE0/0/12 ... GE0/0/20 connected to AP1, AP2 ... AP10.]
Description of the branched networking:
The branched networking deployment suits large-scale WLAN networks. The optional practice of this exercise is based on this topology.
For group 1: The 24th port of AC1 connects to switch port 1, and the 11th port of the SW connects to AP1.
For group 2: The 24th port of AC2 connects to switch port 2, and the 12th port of the SW connects to AP2.
For group 3: The 24th port of AC3 connects to switch port 3, and the 13th port of the SW connects to AP3.
And so on ……
For group 10: The 24th port of AC10 connects to switch port 10, and the 20th port of the SW connects to AP10.
The switch is already configured and students do not need to configure it (you can find its configuration in the reference configuration part).
The RADIUS server and eSight server are ready for use and do not need to be configured.
1.5 Description the Connection of Console Cable
Figure 1-4 Network connection of console cable
As shown in Figure 1-4, connect the console cable to the AC, power on the devices, and plug the console cable into the laptop. This course takes the HyperTerminal of Windows XP as an example to explain how to log in to the AC6605 command line interface through the HyperTerminal. If other similar software such as PuTTY or SecureCRT is used, refer to the user guide of the related software.
1. Enable the HyperTerminal on the PC
Choose Start > Programs > Accessories > Communications > HyperTerminal to start the HyperTerminal in Windows XP.
2. Create a connection
As shown in Figure 1-5, enter the name of the new connection in the Name text box and choose an icon, then click OK.
Figure 1-5 Creating a connection
3. Set the connection port
In the Connection to dialog box as shown in Figure 1-6, choose the COM port of the computer, then click OK.
Figure 1-6 Configuring the connection port
4. Set the communication parameter
After the COM1 Properties dialog box is displayed, set the COM1 properties as shown in Figure 1-7, or use the default settings by clicking Restore Defaults.
Figure 1-7 Setting the communication parameters
After the preceding settings are complete, press Enter. Wait until the following message is displayed prompting you to set a login password. The system automatically saves the password setting.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the console.
Please configure the login password (6-16)
Enter Password:
1.6 Reset the Configuration of AC
Reset the configuration of the devices before the practice so that leftover settings do not affect it. Follow the procedure below to reset the configuration and reboot the device. The login password is huawei123 in this exercise:
Login authentication
Password:huawei123
reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure. Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.
Reboot the device:
reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration. Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...
You have finished practice 1!
2 Basic Configuration of AC
2.1 Objectives
Upon completion of this task, you will be able to:
Configure the initialization password
Configure VLAN and routing in the AC
Configure telnet service of the AC
Save the configuration in the AC
2.2 Networking Deployment Description
In this exercise you configure the device's VLANs, trunks and IP addresses. After you get your group number, follow the network deployment requirements below to configure the device.
Suppose the student belongs to group X (X=0, 1, 2, 3 … 10), please get the information as shown in Figure 2-1.
Figure 2-1 Networking deployment information
Student belongs to Group X (X=1, 2, 3 … 10)
AC Parameters
Name: ACX
Initialization Password: huawei123
AP Management VLAN: VLAN: X0, IP: 10.1.X0.100
Service VLAN (Employee): VLAN: X1, IP: 10.1.X1.100
Service VLAN (Voice VLAN): VLAN: X2, IP: 10.1.X2.100
Service VLAN (Guest VLAN): VLAN: X3, IP: 192.168.X.1
AC Interface (Link to Management PC): MEth 0/0/1, IP: 192.168.100.200
AC Interface (Link to AP): GE0/0/1, Allow-pass VLAN in the Trunk: X0 to X3
AC Interface (Link to Switch): GE0/0/24, Allow-pass VLAN in the Trunk: X0 to X2
Network topology: Chain Networking + Layer 2 Networking
In this practice, the PC is configured with IP 192.168.100.10 and is used to test the Telnet function of the AC.
2.3 Configuration Procedure
2.3.1 Configuring Initialization Password
Press Enter and wait until the following message is displayed, prompting you to set a login password.
NOTE: The password value is a string of 6 to 16 case-sensitive characters. It must contain at least two types of characters, including upper-case and lower-case letters, digits, and special characters. The special characters cannot contain space or question mark (?). Password entered in interactive mode is not displayed on the terminal screen. When you log in to the AC using the password, you must enter the password set during your first login.
Please configure the login password (maximum length 16)
Enter password:huawei123
Confirm password:huawei123
2.3.2 Configuring the Basic Information of AC
system-view
[AC6605]sysname AC1
Create management VLAN 10, service VLAN 11, 12, 13.
[AC1]vlan batch 10 to 13
Configure the interface g0/0/1, which is used to link the AP.
[AC1]interface g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk pvid vlan 10
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[AC1-GigabitEthernet0/0/1]quit
Configure the interface g0/0/24, which is used to link the switch.
[AC1]interface g0/0/24
[AC1-GigabitEthernet0/0/24]port link-type trunk
[AC1-GigabitEthernet0/0/24]port trunk allow-pass vlan 10 to 12
[AC1-GigabitEthernet0/0/24]quit
Use the command dis port vlan to check the configuration result.
[AC1]dis port vlan
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet0/0/1    trunk        10    1 10-13
GigabitEthernet0/0/2    hybrid       1     -
GigabitEthernet0/0/3    hybrid       1     -
GigabitEthernet0/0/4    hybrid       1     -
GigabitEthernet0/0/5    hybrid       1     -
GigabitEthernet0/0/6    hybrid       1     -
GigabitEthernet0/0/7    hybrid       1     -
GigabitEthernet0/0/8    hybrid       1     -
GigabitEthernet0/0/9    hybrid       1     -
GigabitEthernet0/0/10   hybrid       1     -
GigabitEthernet0/0/11   hybrid       1     -
GigabitEthernet0/0/12   hybrid       1     -
GigabitEthernet0/0/13   hybrid       1     -
GigabitEthernet0/0/14   hybrid       1     -
GigabitEthernet0/0/15   hybrid       1     -
GigabitEthernet0/0/16   hybrid       1     -
GigabitEthernet0/0/17   hybrid       1     -
GigabitEthernet0/0/18   hybrid       1     -
GigabitEthernet0/0/19   hybrid       1     -
GigabitEthernet0/0/20   hybrid       1     -
GigabitEthernet0/0/21   hybrid       1     -
GigabitEthernet0/0/22   hybrid       1     -
GigabitEthernet0/0/23   hybrid       1     -
GigabitEthernet0/0/24   trunk        1     1 10-12
XGigabitEthernet0/0/1   hybrid       1     -
XGigabitEthernet0/0/2   hybrid       1     -
Configure the vlanif interface of the VLANs.
[AC1]interface vlan 10
[AC1-Vlanif10]ip address 10.1.10.100 24
[AC1-Vlanif10]quit
[AC1]interface vlan 11
[AC1-Vlanif11]ip address 10.1.11.100 24
[AC1-Vlanif11]quit
[AC1]interface vlan 12
[AC1-Vlanif12]ip address 10.1.12.100 24
[AC1-Vlanif12]quit
Enable the DHCP service and configure the DHCP pool for the WLAN guest VLAN. (Notice: If you configure the AC as the service VLAN gateway, the WLAN service-set must be configured in tunnel forwarding mode; in direct forwarding mode, the gateway of the service VLAN can be configured on an external switch.)
[AC1]dhcp enable
[AC1]interface Vlanif 13
[AC1-Vlanif13]ip address 192.168.1.1 24
[AC1-Vlanif13]dhcp select interface
[AC1-Vlanif13]dhcp server dns-list 8.8.8.8
Confirm the status of the interfaces:
[AC1]display ip interface brief
…………
Interface    IP Address/Mask      Physical   Protocol
MEth0/0/1    192.168.100.200/24   down       down
NULL0        unassigned           up         up(s)
Vlanif10     10.1.10.100/24       up         up
Vlanif11     10.1.11.100/24       up         up
Vlanif12     10.1.12.100/24       up         up
Vlanif13     192.168.1.1/24       up         up
Check reachability from the AC to the Layer 3 switch. The IP address 100.100.100.100 is a loopback interface address that simulates the public network; this destination should be unreachable at this point.
[AC1]ping -a 192.168.1.1 10.1.10.1
  PING 10.1.10.1: 56  data bytes, press CTRL_C to break
    Reply from 10.1.10.1: bytes=56 Sequence=1 ttl=255 time=11 ms
    Reply from 10.1.10.1: bytes=56 Sequence=2 ttl=255 time=11 ms
    Reply from 10.1.10.1: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 10.1.10.1: bytes=56 Sequence=4 ttl=255 time=11 ms
    Reply from 10.1.10.1: bytes=56 Sequence=5 ttl=255 time=20 ms
  --- 10.1.10.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/12/20 ms
[AC1]ping -a 192.168.1.1 100.100.100.100
  PING 100.100.100.100: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
Configure a static default route on the AC that points to the switch.
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
Ping the destination IP address 100.100.100.100 again:
[AC1]ping -a 192.168.1.1 100.100.100.100
  PING 100.100.100.100: 56  data bytes, press CTRL_C to break
    Reply from 100.100.100.100: bytes=56 Sequence=1 ttl=255 time=7 ms
    Reply from 100.100.100.100: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 100.100.100.100: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 100.100.100.100: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 100.100.100.100: bytes=56 Sequence=5 ttl=255 time=10 ms
  --- 100.100.100.100 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 7/9/10 ms
2.3.3 Confirming and Testing the Telnet/SSH Service (AAA Authentication)
Enable and configure the Telnet service on the AC, and add the account huawei for AAA authentication.
[AC1]telnet server enable
Info: TELNET server has been enabled.
[AC1]stelnet server enable
Info: Succeeded in starting the STELNET server.
[AC1]aaa
[AC1-aaa]local-user huawei password cipher huawei123
[AC1-aaa]local-user huawei service-type telnet ssh
[AC1-aaa]local-user huawei privilege level 15
[AC1-aaa]quit
[AC1]user-interface vty 0 4
[AC1-ui-vty0-4]authentication-mode aaa
Configure the management interface MEth0/0/1:
[AC1]interface MEth 0/0/1
[AC1-MEth0/0/1]ip address 192.168.100.200 24
Connect the PC to the AC management port (to the left of the console port), configure the PC’s IP address as 192.168.100.10 255.255.255.0, and test the Telnet service.
C:\Users\zWX>ping 192.168.100.200
Pinging 192.168.100.200 with 32 bytes of data:
Reply from 192.168.100.200:bytes=32 time=23ms TTL=255
Reply from 192.168.100.200:bytes=32 time=1ms TTL=255
Reply from 192.168.100.200:bytes=32 time=7ms TTL=255
Reply from 192.168.100.200:bytes=32 time=4ms TTL=255
Ping statistics for 192.168.100.200:
    Packets: Sent = 4,Received = 4,Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms,Maximum = 23ms,Average = 8ms
C:\Users\zWX>telnet 192.168.100.200
Login authentication
Username:huawei
Password:huawei123
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
sys
Enter system view, return user view with Ctrl+Z.
[AC1]display access-user
------------------------------------------------------------------------------
UserID  Username  IP address      MAC
------------------------------------------------------------------------------
132     huawei    192.168.100.10  -
------------------------------------------------------------------------------
2.3.4 Save the Configuration
Save the configuration of AC:
save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait...........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
2.4 Configuration Reference
Take group 1 for example:
#
sysname AC1
#
snmp-agent local-engineid 800007DB03FC48EFC76DB7
undo snmp-agent community complexity-check disable
snmp-agent
#
http server enable
http secure-server ssl-policy default_policy
http secure-server enable
#
vlan batch 10 to 13
#
dhcp enable
#
diffserv domain default
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher [email protected]
 local-user admin privilege level 15
 local-user admin service-type telnet http
 local-user huawei password cipher huawei123
 local-user huawei privilege level 15
 local-user huawei service-type telnet ssh
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface MEth0/0/1
 ip address 192.168.100.200 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
………………
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 to 12
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface NULL0
#
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
user-interface con 0
 authentication-mode password
 set authentication password cipher huawei123
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
user-interface vty 16 20
#
wlan
#
return
#
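Added example, not part of the original guide: the procedure and reference configuration above leave Telnet, which carries the login in cleartext, enabled next to STelnet, let level-15 accounts use it, and reuse huawei123 for the console and the huawei account. The Python script below flags those settings in a VRP-style configuration. The rule names, the Finding tuple and the hand-indented sample text are assumptions of this example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule where detail")

CLEARTEXT_LOGIN = {"telnet"}   # service-type values that expose the login unencrypted
ADMIN_LEVEL = 15               # highest privilege level, the one the guide assigns

# Constructed sample: excerpt of the reference configuration above plus
# "telnet server enable" from the procedure in 2.3.3. The admin password line
# is left out because its value is not legible on the page.
SAMPLE_CONFIG = """\
telnet server enable
http server enable
http secure-server enable
#
aaa
 local-user admin privilege level 15
 local-user admin service-type telnet http
 local-user huawei password cipher huawei123
 local-user huawei privilege level 15
 local-user huawei service-type telnet ssh
#
stelnet server enable
#
user-interface con 0
 authentication-mode password
 set authentication password cipher huawei123
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
user-interface vty 16 20
#
return
"""


def parse_sections(text):
    """Return [(header, [sub-commands])]: column-0 lines open a section,
    indented lines belong to it, '#' lines are only separators."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            continue
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(text):
    findings, users, secrets = [], {}, {}
    for header, body in parse_sections(text):
        if re.fullmatch(r"(telnet|http) server enable", header):
            findings.append(Finding("cleartext-service", "global", header))
        elif header == "aaa":
            for cmd in body:
                m = re.fullmatch(r"local-user (\S+) (.+)", cmd)
                if not m:
                    continue
                name, rest = m.group(1), m.group(2).split()
                user = users.setdefault(name, {"level": 0, "services": set()})
                if rest[:2] == ["privilege", "level"] and len(rest) == 3:
                    user["level"] = int(rest[2])
                elif rest[0] == "service-type":
                    user["services"].update(rest[1:])
                elif rest[:2] == ["password", "cipher"] and len(rest) == 3:
                    # Only meaningful where the value is still plaintext, as in a lab script.
                    secrets.setdefault(rest[2], []).append("local-user " + name)
                    if name.lower() in rest[2].lower():
                        findings.append(Finding("password-contains-username", "aaa", name))
        elif header.startswith("user-interface "):
            for cmd in body:
                if cmd == "protocol inbound all":
                    findings.append(Finding("vty-allows-telnet", header, cmd))
                m = re.fullmatch(r"set authentication password cipher (\S+)", cmd)
                if m:
                    secrets.setdefault(m.group(1), []).append(header)
    for name, user in sorted(users.items()):
        exposed = sorted(user["services"] & CLEARTEXT_LOGIN)
        if exposed and user["level"] >= ADMIN_LEVEL:
            detail = "%s level %d via %s" % (name, user["level"], ",".join(exposed))
            findings.append(Finding("privileged-cleartext-login", "aaa", detail))
    for places in secrets.values():
        if len(places) > 1:
            findings.append(Finding("password-reuse", "global", " + ".join(places)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("%-28s %-24s %s" % f)
```

A configuration that enables only STelnet, sets protocol inbound ssh on the VTY lines and gives each account its own password produces no findings.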
You have finished practice 2!
3 AP Authentication and WLAN Configuration Roadmap
3.1 Objectives
Upon completion of this task, you will be able to:
Configure AP authentication
Understand WLAN configuration profile
Understand WLAN configuration roadmap
Configure open system authentication
3.2 Networking Deployment Description
Figure 3-1 AP Authentication and WLAN configuration roadmap parameters description
Suppose the student belongs to group X (X=1, 2, 3 … 10), for example the WMM profile name of group 1 is wmm-prof-guest1.
Network topology        Chain Network + Layer 2 networking
AC Global Information   Country code: CN
                        Carrier ID: other
                        WLAN source: VLAN X0
AP Authentication       AP authentication mode: mac-auth
                        AP MAC address
WMM Profile             WMM profile: wmm-prof-X
Radio Profile           2.4G radio profile: radio0-prof-X
                        5G radio profile: radio1-prof-X
Service-set             SSID: huawei-guestX
                        Service VLAN: vlan13
                        Forwarding mode: direct-forward
                        Traffic profile: traffic-prof-X
                        Security profile: security-prof-X
                        Wlan-ess interface 0
                        User isolation: closed
3.3 Configuration Procedure
3.3.1 Configuring Roadmap
Figure 3-2 WLAN configuration roadmap
3.3.2 Configuring the Switch
Continue the configuration from practice 2; the switch configuration is already in place.
3.3.3 Configuring the Basic Information of AC
Configure the global information of AC:
[AC1]wlan ac-global country-code CN
[AC1]wlan ac-global ac id 0 carrier id other
By default, the country-code parameter is CN. There are four carrier ID types; enterprises use other:
cmcc    China Mobile
ctc     China Telecom
cuc     China Unicom
other   other service provider (default value)
3.3.4 Configuring AP Authentication and Connection with AC
Configure the DHCP pool for the AP and the AP authentication mode. The AP discovers the AC address through DHCP option 43.
[AC1]ip pool vlan10
[AC1-ip-pool-vlan10]network 10.1.10.0 mask 255.255.255.0
[AC1-ip-pool-vlan10]excluded-ip-address 10.1.10.100
[AC1-ip-pool-vlan10]gateway-list 10.1.10.1
[AC1-ip-pool-vlan10]dns-list 10.254.1.100
[AC1-ip-pool-vlan10]option 43 sub-option 3 ascii 10.1.10.100
[AC1]interface vlan 10
[AC1-Vlanif10]dhcp select global
[AC1-Vlanif10]quit
The AP then obtains the IP address 10.1.X0.254. Run the ping command to test the connection between the AP and the AC.
[AC1]ping 10.1.10.254
  PING 10.1.10.254: 56  data bytes, press CTRL_C to break
    Reply from 10.1.10.254: bytes=56 Sequence=1 ttl=64 time=2 ms
    Reply from 10.1.10.254: bytes=56 Sequence=2 ttl=64 time=11 ms
    Reply from 10.1.10.254: bytes=56 Sequence=3 ttl=64 time=11 ms
    Reply from 10.1.10.254: bytes=56 Sequence=4 ttl=64 time=11 ms
    Reply from 10.1.10.254: bytes=56 Sequence=5 ttl=64 time=11 ms
The AP authentication list has not been configured yet, so the display ap all command shows no AP.
[AC1-wlan-view]display ap all
All AP information(Normal-0,UnNormal-0):
------------------------------------------------------------------------------
AP ID   AP Type   AP MAC   Profile ID   Region ID   AP State
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Total number: 0
Configure the WLAN source interface and AP authentication:
[AC1]wlan
[AC1-wlan-view]wlan ac source interface Vlanif 10
[AC1-wlan-view]ap-auth-mode ?
  mac-auth  MAC authenticated mode, default authenticated mode
  no-auth   No authenticated mode
  sn-auth   SN authenticated mode
The AP supports three authentication modes; by default, the AP authentication mode is MAC address authentication. Before adding the AP to the authentication list manually, we need to know the AP type and the MAC address of the AP. V2R5 currently supports 12 types of AP; run the display ap-type all command to view them:
[AC1-wlan-view]dis ap-type all
All AP types information:
------------------------------------------------------------------------------
ID   Type
------------------------------------------------------------------------------
17   AP6010SN-GN
19   AP6010DN-AGN
21   AP6310SN-GN
23   AP6510DN-AGN
25   AP6610DN-AGN
27   AP7110SN-GN
28   AP7110DN-AGN
29   AP5010SN-GN
30   AP5010DN-AGN
31   AP3010DN-AGN
33   AP6510DN-AGN-US
34   AP6610DN-AGN-US
35   AP5030DN
36   AP5130DN
38   AP2010DN
------------------------------------------------------------------------------
Total number: 15
For our practice, the AP type is 6010DN, the type ID is 19, and the MAC address of the AP for group 1 is cccc-8110-2260, so the command is:
[AC1-wlan-view]ap id 0 type-id 19 mac cccc-8110-2260
After the AP is added to the MAC address authentication list, its status changes from fault to config and finally to normal. This takes several minutes; if the status does not change to normal, please re-check your configuration.
[AC1]dis ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
0      AP6010DN-AGN  cccc-8110-2260  0/0                normal    ap-0
------------------------------------------------------------------------------
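Added example, not part of the original guide: what the pool command option 43 sub-option 3 ascii 10.1.10.100 in this section puts on the wire, and a check that a captured DHCP offer advertises only the expected AC. The function names, the comma-separated form for several addresses and the second offer are assumptions of this example.

```python
import ipaddress

AC_LIST_SUBOPTION = 3  # from the guide: "option 43 sub-option 3 ascii 10.1.10.100"


def build_option43(ac_addresses):
    """Encode the AC list as one sub-option: code byte, length byte, ASCII text.
    Joining several addresses with commas is an assumption of this example."""
    text = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addresses)
    data = text.encode("ascii")
    if not 0 < len(data) <= 255:
        raise ValueError("sub-option data must be 1..255 bytes")
    return bytes([AC_LIST_SUBOPTION, len(data)]) + data


def parse_option43(payload):
    """Walk the encapsulated code/length/data triplets (RFC 2132, section 8.4)
    and return {code: data}, rejecting triplets that run past the option."""
    suboptions, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header at offset %d" % pos)
        code, length = payload[pos], payload[pos + 1]
        end = pos + 2 + length
        if end > len(payload):
            raise ValueError("sub-option %d overruns option 43" % code)
        suboptions[code] = payload[pos + 2:end]
        pos = end
    return suboptions


def advertised_acs(payload):
    """Return the AC addresses carried in sub-option 3 as normalized strings."""
    raw = parse_option43(payload).get(AC_LIST_SUBOPTION)
    if raw is None:
        return []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("sub-option 3 is not ASCII")
    # IPv4Address raises a ValueError subclass on anything that is not an address.
    return [str(ipaddress.IPv4Address(part.strip())) for part in text.split(",")]


def unexpected_acs(payload, allowed):
    """AC addresses in the offer that are not on the allow-list."""
    allowed = {str(ipaddress.IPv4Address(a)) for a in allowed}
    return [ac for ac in advertised_acs(payload) if ac not in allowed]


# The offer the lab pool produces, and a constructed offer naming another AC.
LAB_OFFER = build_option43(["10.1.10.100"])
FOREIGN_OFFER = build_option43(["10.1.10.66"])

if __name__ == "__main__":
    print("lab option 43 bytes:", LAB_OFFER.hex())
    for label, offer in (("lab", LAB_OFFER), ("foreign", FOREIGN_OFFER)):
        print(label, "unexpected ACs:", unexpected_acs(offer, ["10.1.10.100"]))
```

The AP trusts whichever DHCP server answers on VLAN 10, so comparing observed option 43 values against the known AC address is a cheap way to notice an unauthorized DHCP server on the management VLAN.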
3.3.5 Configuring AP Radio
Configure the WMM profile:
[AC1-wlan-view]wmm-profile name wmm-prof-1
Configure 2.4G radio profile, binding to the WMM profile.
[AC1-wlan-view]radio-profile name radio2-prof-1
[AC1-wlan-radio-prof-radio2-prof-1]wmm-profile name wmm-prof-1
Configure 5G radio profile, binding to the WMM profile.
[AC1-wlan-view]radio-profile name radio5-prof-1
[AC1-wlan-radio-prof-radio5-prof-1]wmm-profile name wmm-prof-1
Run command display radio-profile all to check the radio ID:
[AC1]display radio-profile all
----------------------------------------------------
ID   Name
----------------------------------------------------
0    radio2-prof-1
1    radio5-prof-1
----------------------------------------------------
Total: 2
Binding the radio profile to the AP:
[AC1-wlan-view]ap 0 radio 0
[AC1-wlan-radio-0/0]radio-profile id 0
[AC1-wlan-view]ap 0 radio 1
[AC1-wlan-radio-0/1]radio-profile id 1
3.3.6 Configuring WLAN-ESS Interface
The WLAN-ESS interface can’t be configured to trunk mode:
[AC1]interface Wlan-Ess 0
[AC1-Wlan-Ess0]port hybrid pvid vlan 13
[AC1-Wlan-Ess0]port hybrid untagged vlan 13
3.3.7 Configuring Security Profile/Traffic Profile/WLAN Service-set
[AC1-wlan-view]traffic-profile id 0 name traffic-prof-1
[AC1-wlan-traffic-prof-traffic-prof-1]quit
[AC1-wlan-view]security-profile id 0 name security-prof-1
[AC1-wlan-sec-prof-security-prof-1]quit
[AC1-wlan-view]service-set name Huawei-guest1
[AC1-wlan-service-set-Huawei-guest1]ssid Huawei-guest1
[AC1-wlan-service-set-Huawei-guest1]service-vlan 13
[AC1-wlan-service-set-Huawei-guest1]wlan-ess 0
[AC1-wlan-service-set-Huawei-guest1]security-profile id 0
[AC1-wlan-service-set-Huawei-guest1]traffic-profile id 0
[AC1-wlan-service-set-Huawei-guest1]forward-mode direct
[AC1-wlan-service-set-Huawei-guest1]undo user-isolate
[AC1-wlan-service-set-Huawei-guest1]quit
3.3.8 Configuring Service-set to AP
[AC1-wlan-view]ap 0 radio 0
[AC1-wlan-radio-0/0]service-set id 0
[AC1-wlan-radio-0/0]ap 0 radio 1
[AC1-wlan-radio-0/1]service-set id 0
[AC1-wlan-radio-0/1]quit
[AC1-wlan-view]commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
After the AP is committed, it broadcasts the signal for service-set huawei-guestX with open system authentication. Wireless stations, such as a PC or mobile phone, detect the signal, obtain an IP address in 192.168.X.0/24, and can ping the AC and the switch. Take a laptop as an example of connecting to the AP:
C:\Users\zWX>ping 100.100.100.100
Pinging 100.100.100.100 with 32 bytes of data:
Reply from 100.100.100.100: bytes=32 time=57ms TTL=255
Reply from 100.100.100.100: bytes=32 time=169ms TTL=255
Reply from 100.100.100.100: bytes=32 time=7ms TTL=255
Reply from 100.100.100.100: bytes=32 time=9ms TTL=255
Ping statistics for 100.100.100.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 169ms, Average = 60ms
3.3.9 Verify the Configuration
Checking the service-set:
dis service-set all
----------------------------------------------------------------------------
ID   Name            SSID
0    Huawei-guest1   Huawei-guest1
----------------------------------------------------------------------------
Total: 1
[AC1]dis service-set id 0
----------------------------------------------------------------------------
Service-set ID               : 0
Service-Set name             : Huawei-guest1
SSID                         : Huawei-guest1
Hide SSID                    : disable
User isolate                 : disable
Type                         : service
Maximum number of user       : 32
Association timeout(min)     : 5
Traffic profile name         : traffic-prof-1
Security profile name        : security-prof-1
User profile name            : -
Wlan-ess interface           : Wlan-ess0
Igmp mode                    : off
Forward mode                 : direct-forward
Service-vlan                 : 13
DHCP snooping                : disable
IPSG switch                  : disable
DHCP trust port              : disable
DAI switch                   : disable
ARP attack threshold(pps)    : 15
Protocol flag                : all
Offline-management switch    : disable
Sta access-mode              : disable
Sta blacklist profile        : -
Sta whitelist profile        : -
Dhcp option82 Insert         : Disable
Dhcp option82 Format         : Insert Ap-mac
Broadcast suppression(pps)   : -
Multicast suppression(pps)   : -
Unicast suppression(pps)     : -
Traffic-filter inbound acl   : -
Traffic-filter outbound acl  : -
Service mode status          : enable
AutoOff service ess status   : disable
AutoOff service starttime    : 00:00:00
AutoOff service endtime      : 00:00:00
----------------------------------------------------------------------------
Run command display ap all to view the information of APs:
dis ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
0      AP6010DN-AGN  cccc-8110-2260  0/0                normal    ap-0
------------------------------------------------------------------------------
[AC1]dis ap-run-info id 0
AP 0 run information:
------------------------------------------------------------------------------
Software version: V200R003C00SPC200
Hardware version: Ver.C
BIOS version: 078
Domain: CN
CPU type: AR9344
CPU frequency: 500 MHZ
Memory type: H5PS5162GFR-S6C&1
AP System software description: AP6010DN-AGN:Ver.C
AP System hardware description: AP6010DN-AGN:Ver.C
AP manufacture: Huawei Technologies Co., Ltd.
AP software name: Huawei Access Point Software
AP software vendor: Huawei Technologies Co., Ltd.
AP online time: 2948 S
AP bom code: 000
Ip address: 10.1.10.254
Ip mask: 255.255.255.0
Gateway ip: 0.0.0.0
DNS server: 10.254.1.100
Memory size: 128 MB
Flash size: 32 MB
Run time: 22606 S
Up ethernet port speed: 1000 Mbps
Up ethernet port speed mode: auto
Up ethernet port duplex: full
Up ethernet port duplex mode: auto
------------------------------------------------------------------------------
Using the display access-user command, you can view information about the sessions that meet the specified conditions:
display access-user
------------------------------------------------------------------------------
UserID  Username      IP address     MAC
------------------------------------------------------------------------------
1171    74e50bd553b4  192.168.1.254  74e5-0bd5-53b4
1172    f83dffb5a4f2  192.168.1.248  f83d-ffb5-a4f2
------------------------------------------------------------------------------
Total 2,2 printed
display station assoc-info ap 0
------------------------------------------------------------------------------
STA MAC         AP-ID  RADIO-ID  SS-ID  SSID
------------------------------------------------------------------------------
f83d-ffb5-a4f2  0      0         0      Huawei-guest1
74e5-0bd5-53b4  0      0         0      Huawei-guest1
------------------------------------------------------------------------------
Total stations: 2
The display station assoc-info command displays status of an STA, including the SSID of the WLAN to which the STA connects, online duration, uplink signal noise ratio, and uplink receiving power of the STA.
[AC1]dis station assoc-info sta 5c0a-5b36-4a71
------------------------------------------------------------------------------
Station mac-address                        : 5c0a-5b36-4a71
Station ip-address                         : 0.0.0.0
Station gateway                            : 0.0.0.0
Associated SSID                            : Huawei-guest1
Station online time(ddd:hh:mm:ss)          : 000:00:01:30
The upstream SNR(dB)                       : 51.0
The upstream aggregate receive power(dBm)  : -62.0
Station connect rate(Mbps)                 : 44
Station connect channel                    : 153
Station inactivity time(ddd:hh:mm:ss)      : 000:00:00:00
Station current state
  Authorized for data transfer             : YES
  Qos enabled                              : YES
  ERP enabled                              : No
  HT rates enabled                         : YES
  Power save mode enabled                  : YES
  Auth reference held                      : No
  uAPSD enabled                            : No
  uAPSD triggerable                        : No
  uAPSD SP in progress                     : No
  This is an ATH node                      : No
  WDS workaround req                       : No
  WDS link                                 : No
Station's HT capability                    : AWP
Station ERP element(dBm)                   : 0
Station capabilities                       : E
Station's RSSI(dB)                         : 33
Station's Noise(dBm)                       : -113
Station's radio mode                       : 11n
Station's AP ID                            : 0
Station's Radio ID                         : 1
Station's Authentication Method            : OPEN
Station's Cipher Type                      : NO CIPHER
Station's User Name                        : 5c0a5b364a71
Station's Vlan ID                          : 13
Station's Channel Band-width               : 20MHz
Station's asso BSSID                       : cccc-8110-2270
Station's state                            : Asso with auth
Station's Qos Mode                         : NULL
Station's HT Mode                          : HT40
Station's MCS value                        : 7
Station's Short GI                         : nonsupport
Station's roam state                       : No
------------------------------------------------------------------------------
3.4 Configuration Reference
3.4.1 Configuration of AC
#
sysname AC1
#
http server enable
http secure-server ssl-policy default_policy
http secure-server enable
#
vlan batch 10 to 13
#
dhcp enable
#
diffserv domain default
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
ip pool vlan10
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 excluded-ip-address 10.1.10.100
 dns-list 10.254.1.100
 option 43 sub-option 3 ascii 10.1.10.100
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher [email protected]
 local-user admin privilege level 15
 local-user admin service-type telnet http
 local-user huawei password cipher huawei123
 local-user huawei privilege level 15
 local-user huawei service-type telnet ssh
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface MEth0/0/1
 ip address 192.168.100.200 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
…………
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 to 12
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface Wlan-Ess0
 port hybrid pvid vlan 13
 port hybrid untagged vlan 13
#
interface NULL0
#
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
user-interface con 0
 authentication-mode password
 set authentication password cipher huawei123
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
user-interface vty 16 20
#
wlan
 wlan ac source interface vlanif10
 ap id 0 type-id 19 mac cccc-8110-2260 sn 210235448310C9000012
 wmm-profile name radio-prof-1 id 0
 traffic-profile name traffic-prof-1 id 0
 security-profile name security-prof-1 id 0
 service-set name Huawei-guest1 id 0
  wlan-ess 0
  ssid Huawei-guest1
  traffic-profile id 0
  security-profile id 0
  service-vlan 13
 radio-profile name radio2-prof-1 id 0
  wmm-profile id 0
 radio-profile name radio5-prof-1 id 1
  radio-type 80211an
  wmm-profile id 0
 ap 0 radio 0
  radio-profile id 0
  service-set id 0 wlan 1
 ap 0 radio 1
  radio-profile id 1
  service-set id 0 wlan 1
#
return
You have finished practice 3!
4 WLAN Security Configuration
4.1 Objectives
Upon completion of this task, you will be able to:
Configure WLAN security profile
Configure WEP authentication
Configure WPA/WPA2 PSK authentication
Configure WPA/WPA2 EAP authentication
Configure VAP
4.2 Networking Deployment Description
Figure 4-1 WLAN security configuration parameters description
Suppose the student belongs to group X (X=1, 2, 3 … 10)
Network Topology    Chain Networking + Layer 2 Networking
Security Profile    Security-prof-wepX      ID:1
                                            WEP password: guest
                    Security-prof-wpapskX   ID:2
                                            WPA PSK password: Huaweipsk
                    Security-prof-wpaeapX   ID:3
                                            Account: huawei, password: huawei
Service-set         Huawei-guestX           Security profile: Security-prof-wepX
                    Huawei-voiceX           SSID:Huawei-voiceX
                                            Service VLAN:vlan12
                                            Forwarding mode: direct forwarding
                                            Traffic profile: traffic-prof-X
                                            Security profile: Security-prof-wpapskX
                                            Wlan-ess interface 1
                                            User isolate: closed
                    Huawei-employeeX        SSID:Huawei-employeeX
                                            Service VLAN:vlan11
                                            Forwarding mode: direct forwarding
                                            Traffic profile: traffic-prof-X
                                            Security profile: Security-prof-wpaeapX
                                            Wlan-ess interface 2
                                            User isolate: closed
4.3 Configuration Procedure
4.3.1 Configuring WEP Authentication
The AC6605 supports five access security policies: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, WPA-WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI).
[AC1-wlan-view]security-profile id 5 name test
[AC1-wlan-sec-prof-test]security-policy ?
  wapi      WLAN authentication and privacy infrastructure
  wep       Wired equivalent privacy
  wpa       Wi-Fi protected access
  wpa-wpa2  Wi-Fi protected access version 1&2
  wpa2      Wi-Fi protected access version 2
The service-set Huawei-guestX has used open system authentication so far. This practice changes the authentication type to WEP share-key with a WEP-40 key and the password guest. Create security profile Security-prof-wep1 with the encryption key guest.
A WEP key can be one of three types: WEP-40, WEP-104 or WEP-128.
If WEP-40 is used, the WEP key is 10 hexadecimal characters or 5 ASCII characters.
If WEP-104 is used, the WEP key is 26 hexadecimal characters or 13 ASCII characters.
If WEP-128 is used, the WEP key is 32 hexadecimal characters or 16 ASCII characters.
[AC1]wlan
[AC1-wlan-view]security-profile id 1 name Security-prof-wep1
[AC1-wlan-sec-prof-Security-prof-wep1]security-policy wep
[AC1-wlan-sec-prof-Security-prof-wep1]wep authentication-method share-key
[AC1-wlan-sec-prof-Security-prof-wep1]wep key wep-40 pass-phrase 0 cipher guest
[AC1-wlan-sec-prof-Security-prof-wep1]quit
Apply the security profile to service-set Huawei-guest1 and commit the configuration to the AP:
[AC1-wlan-view]dis security-profile all
------------------------------------------------------------
ID   Name
0    security-prof-1
1    Security-prof-wep1
------------------------------------------------------------
[AC1-wlan-view]dis service-set all
----------------------------------------------------------------------------
ID   Name            SSID
0    Huawei-guest1   Huawei-guest1
----------------------------------------------------------------------------
Total: 1
[AC1-wlan-view]service-set id 0
[AC1-wlan-service-set-Huawei-guest1]security-profile id 1
[AC1-wlan-service-set-Huawei-guest1]quit
[AC1-wlan-view]commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
Using the display security-profile command, you can view configurations of security profiles.
[AC1]display security-profile id 1
------------------------------------------------------------
Profile name    : Security-prof-wep1
Profile ID      : 1
Authentication  : Share key
Encryption      : WEP-40
------------------------------------------------------------
Service-set ID   SSID
0                Huawei-guest1
------------------------------------------------------------
Bridge-profile ID   Bridge Name
------------------------------------------------------------
Run the display access-user ssid xxxx command to check the users of a specified SSID.
[AC1]display access-user ssid Huawei-guest1
------------------------------------------------------------------------------
UserID  Username      IP address     MAC
------------------------------------------------------------------------------
1188    5c0a5b364a71  192.168.1.252  5c0a-5b36-4a71
------------------------------------------------------------------------------
Total 1,1 printed
The display station assoc-info command displays status of an STA, including the SSID of the WLAN to which the STA connects, online duration, uplink signal noise ratio, and uplink receiving power of the STA. The output below shows that the cipher type of STA 5c0a-5b36-4a71 is WEP-40:
[AC1-wlan-view]dis station assoc-info sta 5c0a-5b36-4a71
------------------------------------------------------------------------------
Station mac-address                        : 5c0a-5b36-4a71
Station ip-address                         : 0.0.0.0
Station gateway                            : 0.0.0.0
Associated SSID                            : Huawei-guest1
Station online time(ddd:hh:mm:ss)          : 000:00:01:03
The upstream SNR(dB)                       : 54.0
The upstream aggregate receive power(dBm)  : -59.0
Station connect rate(Mbps)                 : 26
Station connect channel                    : 153
Station inactivity time(ddd:hh:mm:ss)      : 000:00:02:15
Station current state
  Authorized for data transfer             : YES
  Qos enabled                              : YES
  ERP enabled                              : No
  HT rates enabled                         : No
  Power save mode enabled                  : YES
  Auth reference held                      : No
  uAPSD enabled                            : No
  uAPSD triggerable                        : No
  uAPSD SP in progress                     : No
  This is an ATH node                      : No
  WDS workaround req                       : No
  WDS link                                 : No
Station's HT capability                    : Q
Station ERP element(dBm)                   : 0
Station capabilities                       : EP
Station's RSSI(dB)                         : 36
Station's Noise(dBm)                       : -113
Station's radio mode                       : 11a
Station's AP ID                            : 0
Station's Radio ID                         : 1
Station's Authentication Method            : SHARE-KEY
Station's Cipher Type                      : WEP-40
Station's User Name                        : 5c0a5b364a71
Station's Vlan ID                          : 13
Station's Channel Band-width               : 20MHz
Station's asso BSSID                       : cccc-8110-2270
Station's state                            : Asso with auth
Station's Qos Mode                         : NULL
Station's HT Mode                          : -
Station's MCS value                        : 0
Station's Short GI                         : nonsupport
Station's roam state                       : No
------------------------------------------------------------------------------
4.3.2 Configuring WPA PSK Authentication
Configure the authentication type of service-set Huawei-voiceX as WPA1-PSK. The Huawei AC supports the following WPA configuration options:
WPA Type                      Encryption Method    Authentication Method
WPA/WPA2/WPA1-2 Personal      CCMP or TKIP         PSK (password 8-64 characters)
WPA/WPA2/WPA1-2 Enterprise    CCMP or TKIP         Dot1x
Configure security profile Security-prof-wpapsk1 with encryption mode TKIP; the PSK password is huawei.
[AC1-wlan-view]security-profile id 2 name Security-prof-wpapsk1
[AC1-wlan-sec-prof-Security-prof-wpapsk1]security-policy wpa
[AC1-wlan-sec-prof-Security-prof-wpapsk1]wpa authentication-method psk pass-phrase cipher Huaweipsk encryption-method tkip
[AC1-wlan-sec-prof-Security-prof-wpapsk1]quit
[AC1-wlan-view]quit
Configure the WLAN-ESS interface to be used by service-set Huawei-voiceX:
[AC1]interface Wlan-Ess 1
[AC1-Wlan-Ess1]port hybrid pvid vlan 12
[AC1-Wlan-Ess1]port hybrid untagged vlan 12
[AC1-Wlan-Ess1]quit
Create service-set Huawei-voiceX, set its parameters, and bind the profiles:
[AC1]wlan
[AC1-wlan-view]service-set id 1 name Huawei-voice1
[AC1-wlan-service-set-Huawei-voice1]ssid Huawei-voice1
[AC1-wlan-service-set-Huawei-voice1]service-vlan 12
[AC1-wlan-service-set-Huawei-voice1]wlan-ess 1
[AC1-wlan-service-set-Huawei-voice1]security-profile id 2
[AC1-wlan-service-set-Huawei-voice1]traffic-profile id 0
[AC1-wlan-service-set-Huawei-voice1]forward-mode direct-forward
[AC1-wlan-service-set-Huawei-voice1]undo user-isolate
[AC1-wlan-service-set-Huawei-voice1]quit
Using the batch command, you can create multiple virtual access points (VAPs) at a time.
[AC1-wlan-view]batch ap 0 to 0 radio 0 to 1 service-set 1
Info: Command is being executed, please wait.
Success: 2
Failure: 0
Using the commit command, you can commit configurations of one or all access points (APs).
[AC1-wlan-view]commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
The WPA-PSK configuration is now finished, and we can test the connection:
C:\Users\zWX>ipconfig
Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2c32:9714:1276:b45b%14
   IPv4 Address. . . . . . . . . . . : 10.1.12.253
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.12.1
C:\Users\zWX>ping 100.100.100.100
Pinging 100.100.100.100 with 32 bytes of data:
Reply from 100.100.100.100: bytes=32 time=36ms TTL=255
Reply from 100.100.100.100: bytes=32 time=6ms TTL=255
Reply from 100.100.100.100: bytes=32 time=7ms TTL=255
Reply from 100.100.100.100: bytes=32 time=6ms TTL=255
Ping statistics for 100.100.100.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 36ms, Average = 13ms
Run the display station assoc-info sta command to check the STA status:
display station assoc-info sta 74e5-0bd5-53b4
------------------------------------------------------------------------------
Station mac-address                       : 74e5-0bd5-53b4
Station ip-address                        : 0.0.0.0
Associated SSID                           : Huawei-voice1
Station online time(ddd:hh:mm:ss)         : 000:00:01:04
The upstream SNR(dB)                      : 85.0
The upstream aggregate receive power(dBm) : -44.0
Station connect rate(Mbps)                : 37
Station connect channel                   : 1
Station inactivity time(ddd:hh:mm:ss)     : 000:00:00:00
Station current state
Authorized for data transfer              : YES
…………
Station's Authentication Method           : WPA1-PSK
Station's Cipher Type                     : TKIP
Station's User Name                       : 74e50bd553b4
Station's Vlan ID                         : 12
Station's Channel Band-width              : 20MHz
4.3.3 Configuring WPA EAP Authentication
The authentication architecture of EAP consists of three parts: clients, authenticator and authentication server.
The authentication server for this practice has been set up with IP address 10.254.1.100 and password huawei. The server is ready, with a test account huawei and password huawei.
Configure the RADIUS service on the AC:
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.254.1.100 1812
[AC-radius-radius_huawei] radius-server shared-key cipher huawei
[AC1-radius-radius_huawei]undo radius-server user-name domain-included
[AC-radius-radius_huawei] quit
Configure AAA:
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius local
[AC-aaa-authen-radius_huawei] quit
[AC1-aaa]domain default
[AC1-aaa-domain-default]authentication-scheme radius_huawei
[AC1-aaa-domain-default]radius-server radius_huawei
[AC] test-aaa huawei huawei radius-template radius_huawei
Info: Account test succeed.
If the account test fails, ignore it for now and continue with the configuration.
Configure security profile Security-prof-wpaeap1 with encryption mode CCMP and authentication mode Dot1x PEAP:
[AC1-wlan-view]security-profile id 3 name Security-prof-wpaeap1
[AC1-wlan-sec-prof-Security-prof-wpaeap1]security-policy wpa2
[AC1-wlan-sec-prof-Security-prof-wpaeap1]wpa2 authentication-method dot1x encryption-method ccmp
[AC1-wlan-sec-prof-Security-prof-wpaeap1]quit
Create the WLAN-ESS interface and enable Dot1x authentication:
[AC1]interface Wlan-Ess 2
[AC1-Wlan-Ess2]port hybrid pvid vlan 11
[AC1-Wlan-Ess2]port hybrid untagged vlan 11
[AC1-Wlan-Ess2]dot1x enable
[AC1-Wlan-Ess2]dot1x authentication-method eap
[AC1-Wlan-Ess2]quit
Create service-set Huawei-employeeX, set its parameters, and bind the profiles.
[AC1-wlan-view]service-set id 2 name Huawei-employee1
[AC1-wlan-service-set-Huawei-employee1]ssid Huawei-employee1
[AC1-wlan-service-set-Huawei-employee1]service-vlan 11
[AC1-wlan-service-set-Huawei-employee1]wlan-ess 2
[AC1-wlan-service-set-Huawei-employee1]security-profile id 3
[AC1-wlan-service-set-Huawei-employee1]traffic-profile id 0
[AC1-wlan-service-set-Huawei-employee1]forward-mode direct-forward
[AC1-wlan-service-set-Huawei-employee1]tunnel-forward protocol dot1x
[AC1-wlan-service-set-Huawei-employee1]undo user-isolate
[AC1-wlan-service-set-Huawei-employee1]quit
Using the batch command, you can create multiple virtual access points (VAPs) at a time.
[AC1-wlan-view]batch ap 0 to 0 radio 0 to 1 service-set 2
Info: Command is being executed, please wait.
Success: 2
Failure: 0
Using the commit command, you can commit configurations of one or all access points (APs).
[AC1-wlan-view]commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
The WPA-PSK configuration is now finished. Run the display current-configuration interface Wlan-Ess 2 command to verify the configuration:
[AC1]display current-configuration interface Wlan-Ess 2
#
interface Wlan-Ess2
 port hybrid pvid vlan 11
 port hybrid untagged vlan 11
 dot1x enable
 dot1x authentication-method eap
#
[AC1]display security-profile id 2
------------------------------------------------------------
Profile name      : Security-prof-wpapsk1
Profile ID        : 2
Authentication    : WPA PSK
Encryption        : TKIP
------------------------------------------------------------
Service-set ID    SSID
1                 Huawei-voice1
------------------------------------------------------------
Bridge-profile ID    Bridge Name
------------------------------------------------------------
Mesh-profile ID    Mesh Id
------------------------------------------------------------
[AC1]dis service-set all
----------------------------------------------------------------------------
ID    Name
0     Huawei-guest1       Huawei-guest1
1     Huawei-voice1       Huawei-voice1
2     Huawei-employee1    Huawei-employee1
----------------------------------------------------------------------------
[AC1]display access-user
------------------------------------------------------------------------------
UserID  Username    IP address     MAC
------------------------------------------------------------------------------
1593    huawei      10.1.11.254    5c0a-5b36-4a71
------------------------------------------------------------------------------
Total 1,1 printed
4.3.4 Configuring EAP Client
Configure the wireless settings on the PC manually; there is no need to download a CA certificate.
1. Click the icon in the lower right corner of the PC and open “open network and sharing center”.
2. Click “manage wireless network”.
3. Click “add”.
4. Click “manually create a network profile”.
5. Set the parameters as shown in the figure below, and click next:
6. Then click “change connection settings” and change the settings.
7. The authentication window then pops up; enter account: huawei and password: huawei.
8. The user is then authenticated successfully and obtains an IP address.
9. The PC now has an IP address and can ping the switch:
C:\Users\zWX>ipconfig
Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2c32:9714:1276:b45b%14
   IPv4 Address. . . . . . . . . . . : 10.1.11.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.11.1
C:\Users\mWX64837>ping 100.100.100.100
Pinging 100.100.100.100 with 32 bytes of data:
Reply from 100.100.100.100: bytes=32 time=41ms TTL=255
Reply from 100.100.100.100: bytes=32 time=10ms TTL=255
Reply from 100.100.100.100: bytes=32 time=10ms TTL=255
Reply from 100.100.100.100: bytes=32 time=177ms TTL=255
Ping statistics for 100.100.100.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 177ms, Average = 59ms
4.4 Security Policies Configuration Precautions
The following lists precautions for configuring security policies:
If the security policy uses 802.1x authentication, run the dot1x enable and dot1x authentication-method { chap | pap | eap } commands to enable 802.1x authentication on the WLAN-ESS interface and set the 802.1x authentication method for WLAN users.
If the security policy uses MAC address authentication, run the mac-authentication enable command in the WLAN-ESS interface view to set the authentication method on the WLAN-ESS interface to MAC address authentication.
If the security policy uses Portal authentication, run the web-authentication enable command in the WLAN-ESS interface view to set the authentication method on the WLAN-ESS interface to Portal authentication.
When 802.1x authentication and direct forwarding is used on a network, use either of the following methods to configure the switch between an AC and AP to transparently transmit Layer 2 protocol packets.
If a chassis switch is deployed between the AC and AP, run the bpdu bridge enable command in the interface view.
If a case-shaped switch is deployed between the AC and AP, run the l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac group-mac group-mac command in the system view. Then run the l2protocol-tunnel user-defined-protocol protocol-name enable and bpdu enable commands in the interface view.
In Layer 3 networking where traffic is directly forwarded and 802.1x authentication is configured, traffic cannot be forwarded at Layer 3 because EAP packets used in 802.1x authentication are Layer 3 packets. Run the tunnel-forward protocol dot1x command to forward EAP packets over tunnels; the AP then forwards EAP packets over tunnels to the AC, implementing authentication packet exchange with the AC.
Pay attention to the following points when configuring direct forwarding and tunnel forwarding mode:
When tunnel forwarding is used and the AC allocates IP addresses to users, run the dhcp enable command in the WLAN-ESS interface view to enable DHCP on the WLAN-ESS interface.
When tunnel forwarding is used, run the port hybrid pvid vlan vlan-id command in the WLAN-ESS interface view to configure the PVID.
When tunnel forwarding is used, the switch interface that directly connects to the AP cannot be added to the service VLAN, which prevents MAC address flapping.
When direct forwarding is used, add the switch interface that directly connects to the AP to the service VLAN.
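The 802.1x precaution above can be checked mechanically against a saved AC configuration. The following Python check is an added example, not part of the original guide or of any Huawei tool: it reports service-sets whose security profile uses dot1x while the bound WLAN-ESS interface lacks the dot1x commands, and flags profiles that still select the deprecated WEP or TKIP ciphers. The sample configuration is constructed from this lab's values, and the function names and finding codes are assumptions.

```python
import re

# Constructed excerpt modelled on the AC configuration in section 4.5.1. Assumption:
# the dot1x line of profile 3 is saved as it was typed in section 4.3.3.
SAMPLE_CONFIG = """\
interface Wlan-Ess1
#
interface Wlan-Ess2
 dot1x enable
 dot1x authentication-method eap
#
wlan
 security-profile name Security-prof-wep1 id 1
  wep authentication-method share-key
  wep key wep-40 pass-phrase 0 cipher guest
 security-profile name Security-prof-wpapsk1 id 2
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher Huaweipsk encryption-method tkip
 security-profile name Security-prof-wpaeap1 id 3
  security-policy wpa2
  wpa2 authentication-method dot1x encryption-method ccmp
 service-set name Huawei-guest1 id 0
  wlan-ess 0
  security-profile id 1
 service-set name Huawei-voice1 id 1
  wlan-ess 1
  security-profile id 2
 service-set name Huawei-employee1 id 2
  wlan-ess 2
  security-profile id 3
#
"""


def parse_blocks(config):
    """Return (header, children) pairs; children are the lines one level below header."""
    blocks, stack = [], []  # stack: (indent, children) of the currently open views
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":  # '#' closes every open view
            stack = []
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if stack:
            stack[-1][1].append(line)
        children = []
        blocks.append((line, children))
        stack.append((indent, children))
    return blocks


def first_id(lines, keyword):
    """Return the id from the first '<keyword> <id>' line, or None."""
    for line in lines:
        m = re.fullmatch(rf"{re.escape(keyword)} (\d+)", line)
        if m:
            return m.group(1)
    return None


def audit(config):
    """Return (object name, finding code) tuples for the given configuration text."""
    ess, profiles, service_sets, findings = {}, {}, [], []
    for header, children in parse_blocks(config):
        m = re.fullmatch(r"interface Wlan-Ess(\d+)", header)
        if m:
            ess[m.group(1)] = children
        m = re.fullmatch(r"security-profile name (\S+) id (\d+)", header)
        if m:
            profiles[m.group(2)] = (m.group(1), children)
        m = re.fullmatch(r"service-set name (\S+) id (\d+)", header)
        if m:
            service_sets.append((m.group(1), children))

    # Deprecated ciphers selected in a security profile.
    for _, (name, lines) in sorted(profiles.items(), key=lambda kv: int(kv[0])):
        if any(l.startswith("wep ") for l in lines):
            findings.append((name, "WEP"))
        if any("encryption-method tkip" in l for l in lines):
            findings.append((name, "TKIP"))

    # Section 4.4: an 802.1x security policy needs dot1x on the bound WLAN-ESS interface.
    for name, lines in service_sets:
        profile = profiles.get(first_id(lines, "security-profile id"))
        if not profile or not any("authentication-method dot1x" in l for l in profile[1]):
            continue
        iface = ess.get(first_id(lines, "wlan-ess"), [])
        if "dot1x enable" not in iface:
            findings.append((name, "DOT1X_NOT_ENABLED_ON_WLAN_ESS"))
        elif not any(l.startswith("dot1x authentication-method ") for l in iface):
            findings.append((name, "DOT1X_METHOD_NOT_SET_ON_WLAN_ESS"))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the sample, the WEP and WPA1-PSK/TKIP profiles from this practice are reported, while Huawei-employee1 passes because Wlan-Ess2 carries both dot1x commands.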
4.5 Configuration Reference
4.5.1 AC’s configuration
#
sysname AC1
#
snmp-agent local-engineid 800007DB03FC48EFC76DB7
undo snmp-agent community complexity-check disable
snmp-agent
#
http server enable
http secure-server ssl-policy default_policy
http secure-server enable
#
vlan batch 10 to 13
#
dot1x enable
#
dhcp enable
#
diffserv domain default
#
radius-server template radius_huawei
 radius-server authentication 10.254.1.100 1812 weight 80
 undo radius-server user-name domain-included
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
ip pool vlan10
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 excluded-ip-address 10.1.10.100
 dns-list 10.254.1.100
 option 43 sub-option 3 ascii 10.1.10.100
#
aaa
 authentication-scheme default
 authentication-scheme radius_huawei
  authentication-mode radius local
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme radius_huawei
  radius-server radius_huawei
 domain default_admin
 local-user admin password cipher [email protected]
 local-user admin privilege level 15
 local-user admin service-type telnet http
 local-user huawei password cipher huawei123
 local-user huawei privilege level 15
 local-user huawei service-type telnet ssh
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface MEth0/0/1
 ip address 192.168.100.200 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
………………
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 to 12
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface Wlan-Ess0
 port hybrid pvid vlan 13
 port hybrid untagged vlan 13
#
interface Wlan-Ess1
 port hybrid pvid vlan 12
 port hybrid untagged vlan 12
#
interface Wlan-Ess2
 port hybrid pvid vlan 11
 port hybrid untagged vlan 11
 dot1x enable
 dot1x authentication-method eap
#
interface NULL0
#
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
user-interface con 0
 authentication-mode password
 set authentication password cipher huawei123
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
user-interface vty 16 20
#
wlan
 wlan ac source interface vlanif10
 ap id 0 type-id 19 mac cccc-8110-2260 sn 210235448310C9000012
 wmm-profile name radio-prof-1 id 0
 traffic-profile name traffic-prof-1 id 0
 security-profile name security-prof-1 id 0
 security-profile name Security-prof-wep1 id 1
  wep authentication-method share-key
  wep key wep-40 pass-phrase 0 cipher guest
 security-profile name Security-prof-wpapsk1 id 2
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher Huaweipsk encryption-method tkip
 security-profile name Security-prof-wpaeap1 id 3
  security-policy wpa2
 service-set name Huawei-guest1 id 0
  wlan-ess 0
  ssid Huawei-guest1
  traffic-profile id 0
  security-profile id 1
  service-vlan 13
 service-set name Huawei-voice1 id 1
  wlan-ess 1
  ssid Huawei-voice1
  traffic-profile id 0
  security-profile id 2
  service-vlan 12
 service-set name Huawei-employee1 id 2
  wlan-ess 2
  ssid Huawei-employee1
  traffic-profile id 0
  security-profile id 3
  service-vlan 11
 radio-profile name radio2-prof-1 id 0
  wmm-profile id 0
 radio-profile name radio5-prof-1 id 1
  radio-type 80211an
  wmm-profile id 0
 ap 0 radio 0
  radio-profile id 0
  service-set id 0 wlan 1
  service-set id 1 wlan 2
  service-set id 2 wlan 3
 ap 0 radio 1
  radio-profile id 1
  service-set id 0 wlan 1
  service-set id 1 wlan 2
  service-set id 2 wlan 3
#
return
You have finished practice 4!
5 eSight Management for WLAN (Optional)
5.1 Objectives
Upon completion of this task, you will be able to:
Configure SNMP in AC
Understand how eSight discovers the AC
Configure WLAN with the eSight wizard
Check the WLAN status with eSight
5.2 Networking Deployment Description
Figure 5-1 eSight network deployment
eSight Server IP                   10.254.1.100
eSight Server password             User name: huawei Password: Abcd@1234
SNMP read only community           huaweiRO
SNMP read and write community      huaweiRW
Configure service-set by wizard    huawei-esithtX, PSK password: Huaweipsk
5.3 Configuration Procedure
5.3.1 Configuring AC SNMP Community
[AC1]snmp-agent community read huaweiRO
[AC1]snmp-agent community write huaweiRW
[AC1]snmp-agent sys-info version v2c
5.3.2 Configuring AC Discover AP
After the PC connects to the WLAN, enter the URL http://10.254.1.100:8080 to access the eSight Server with user name admin and password Abcd@1234. (The initial user name and password are admin/changeme123; you need to change the initial password when you first log in to eSight.)
After logging in to eSight, select the pull-down menu “Resource” and click “Add Device”, using the parameters below:
IP Address             10.1.X0.100
Name                   ACX
SNMP Version           V2C
Read Only Community    huaweiRO
Write Community        huaweiRW
Click “OK” when you have finished; if “Success” is displayed, the configuration succeeded.
5.3.3 Configuring Service-set by eSight Wizard
Select “Business” and click “WLAN Management”; as shown in the figure below, select “Configuration Wizard”:
1. Selecting AC
First finish the ssh client first-time enable configuration on the AC, then click synchronize to synchronize all information about the AC:
[AC1]ssh client first-time enable
Click the icon to select the AC that needs to be configured, and click “Next”:
2. Configuring the attributes of AC
The attributes of the AC were configured in the previous practices, so there is no need to configure them; click “Next”:
3. Selecting AP
Click “Add AP”, select the AP you want to configure, then click “OK”:
If the AP is online, click “Next”:
4. Configuring the profiles
For the RF profile, choose radio2-prof-1 (this profile is for 2.4GHz), and click OK.
Then bind the ESS profile:
Click “Create” to create an ESS service-set, configure it as below (the WPA password is Huaweipsk), and click OK:
Select all ESS templates, then click “OK”:
Configure the parameters as below, and click “Next”:
5. Apply to AP
Click “Deploy”:
If the “Deploy Status” shows “Success”, the wizard configuration is finished.
5.3.4 Checking the Configuration by eSight
1. Click “Overview” to view information about all WLAN devices:
2. Click “Resource Management” and click “SSID” to check the service-set and VAP:
3. Click “Local topology” to view the topology:
4. Click “Resource Management” and select “Client” to view the connected user information; click to see the details of the STA:
5.4 Configuration Reference
snmp-agent
snmp-agent community read huaweiRO
snmp-agent community write huaweiRW
snmp-agent sys-info version v2c v3
ssh client first-time enable
You have finished practice 5!
6 Branched Networking + Layer 3 Networking Practice
6.1 Objectives
Upon completion of this task, you will be able to:
Understand the branched networking structure
Configure branched networking device
Configure tunnel forwarding
Verify the configuration
6.2 Networking Deployment Description
Figure 6-1 Branched networking topology (figure not reproduced; it shows the Radius Server 10.254.1.100, the eSight Server 10.254.1.200, the Core Switch, AC1 to AC10 and AP1 to AP10 with their GE interfaces)
X is the group number of the student (X = 1, 2, 3 … 10)
Networking topology    Branched networking + Layer 3 networking + Tunnel forwarding
AP                     APX connect with interface G0/0/1X of switch
AC                     Add vlan 80X and trunk IP:10.1.201.1/24
                       Reconfigure WLAN source to vlan 80X
                       Configure DHCP pool of AP vlan 1X to option 43
6.3 Configuration Procedure
6.3.1 Re-connecting AP to Switch
Connect APX to interface number 1X on the switch; the switch configuration is already prepared.
dis current-configuration interface Ethernet 0/0/11
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 10
 stp edged-port enable
#
6.3.2 Re-configuring VLAN and Trunk
[AC1]vlan 801
[AC1]interface GigabitEthernet 0/0/24
[AC1-XGigabitEthernet0/0/1]port trunk allow-pass vlan 801
[AC1-XGigabitEthernet0/0/1]quit
[AC1]interface Vlanif 801
[AC1-Vlanif801]ip address 10.1.201.100 24
[AC1-Vlanif801]quit
Change the next hop of the default route:
[AC1]undo ip route-static 0.0.0.0 0.0.0.0
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
Ping test from APX to vlan 80X:
[AC1]ping 10.1.201.1
PING 10.1.201.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.201.1: bytes=56 Sequence=1 ttl=255 time=14 ms
Reply from 10.1.201.1: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.1.201.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 10.1.201.1: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 10.1.201.1: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 10.1.201.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/14 ms
6.3.3 AP Online Configuration
Change the configuration of DHCP and WLAN source:
[AC1]ip pool vlan10
[AC1-ip-pool-vlan10]dis this
#
ip pool vlan10
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 excluded-ip-address 10.1.10.100
 dns-list 10.254.1.100
 option 43 sub-option 3 ascii 10.1.10.100
#
return
[AC1-ip-pool-vlan10]undo option 43
[AC1-ip-pool-vlan10]option 43 sub-option 3 ascii 10.1.201.100
[AC1-ip-pool-vlan10]quit
[AC1]wlan
[AC1]undo wlan ac source interface
[AC1-wlan-view]wlan ac source interface Vlanif 801
6.3.4 Changing the Forwarding Mode to Tunnel Forwarding
[AC1]wlan
[AC1-wlan-view]service-set id 0
[AC1-wlan-service-set-Huawei-voice1]forward-mode tunnel
[AC1-wlan-view]service-set id 1
[AC1-wlan-service-set-Huawei-voice1]forward-mode tunnel
[AC1-wlan-service-set-Huawei-voice1]quit
[AC1-wlan-view]service-set id 2
[AC1-wlan-service-set-Huawei-employee1]forward-mode tunnel
[AC1-wlan-service-set-Huawei-employee1]quit
[AC1-wlan-view]commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
The configuration is now finished; wait for the AP status to change to normal:
[AC1]dis ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP ID    AP Type         AP MAC            Profile/Region ID    AP State    AP Sysname
------------------------------------------------------------------------------
0        AP6010DN-AGN    cccc-8110-2260    0/0                  normal      ap-0
------------------------------------------------------------------------------
Total number: 1
[AC1]display station assoc-info ap 0
------------------------------------------------------------------------------
STA MAC           AP-ID    RADIO-ID    SS-ID    SSID
------------------------------------------------------------------------------
74e5-0bd5-53b4    0        0           2        Huawei-employee1
5c0a-5b36-4a71    0        0           0        huawei-guest1
------------------------------------------------------------------------------
[AC1]dis service-set id 2
------------------------------------------------------------------------------
Service-set ID                : 2
Service-Set name              : Huawei-employee1
SSID                          : Huawei-employee1
Hide SSID                     : disable
User isolate                  : disable
Type                          : service
Maximum number of user        : 32
Association timeout(min)      : 5
Traffic profile name          : traffic-prof-1
Security profile name         : Security-prof-wpaeap1
User profile name             : -
Wlan-ess interface            : Wlan-ess2
Igmp mode                     : off
Forward mode                  : tunnel
Service-vlan                  : 11
DHCP snooping                 : disable
IPSG switch                   : disable
DHCP trust port               : disable
DAI switch                    : disable
ARP attack threshold(pps)     : 15
Protocol flag                 : all
Offline-management switch     : disable
Sta access-mode               : disable
Sta blacklist profile         : -
Sta whitelist profile         : -
Dhcp option82 Insert          : Disable
Dhcp option82 Format          : Insert Ap-mac
Broadcast suppression(pps)    :
Multicast suppression(pps)    :
Unicast suppression(pps)      : -
Traffic-filter inbound acl    : -
Traffic-filter outbound acl   :
Service mode status           : enable
AutoOff service ess status    : disable
AutoOff service starttime     : 00:00:00
AutoOff service endtime       : 00:00:00
------------------------------------------------------------------------------
6.4 Configuration Reference
#
sysname AC1
#
snmp-agent local-engineid 800007DB03FC48EFC76DB7
snmp-agent community read publicRO
snmp-agent community write publicRW
undo snmp-agent community complexity-check disable
snmp-agent sys-info version v2c v3
snmp-agent
#
http server enable
http secure-server ssl-policy default_policy
http secure-server enable
#
vlan batch 10 to 13 801
#
dot1x enable
#
dhcp enable
#
diffserv domain default
#
radius-server template radius_huawei
 radius-server authentication 10.254.1.100 1812 weight 80
 undo radius-server user-name domain-included
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
ip pool vlan10
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 dns-list 10.254.1.100
 option 43 sub-option 3 ascii 10.1.201.100
#
aaa
 authentication-scheme default
 authentication-scheme radius_huawei
  authentication-mode radius local
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme radius_huawei
  radius-server radius_huawei
 domain default_admin
 local-user admin password cipher [email protected]
 local-user admin privilege level 15
 local-user admin service-type telnet http
 local-user huawei password cipher huawei123
 local-user huawei privilege level 15
 local-user huawei service-type telnet ssh
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface Vlanif801
 ip address 10.1.201.100 255.255.255.0
#
interface MEth0/0/1
 ip address 192.168.100.200 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
………………
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 to 12 801
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface Wlan-Ess0
 port hybrid pvid vlan 13
 port hybrid untagged vlan 13
#
interface Wlan-Ess1
 port hybrid pvid vlan 12
 port hybrid untagged vlan 12
#
interface Wlan-Ess2
 port hybrid pvid vlan 11
 port hybrid untagged vlan 11
 dot1x enable
 dot1x authentication-method eap
#
interface NULL0
#
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
user-interface con 0
 authentication-mode password
 set authentication password cipher huawei123
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
user-interface vty 16 20
#
wlan
 wlan ac source interface vlanif801
 ap id 0 type-id 19 mac cccc-8110-2260 sn 210235448310C9000012
 wmm-profile name radio-prof-1 id 0
 traffic-profile name traffic-prof-1 id 0
 security-profile name security-prof-1 id 0
 security-profile name Security-prof-wep1 id 1
  wep authentication-method share-key
  wep key wep-40 pass-phrase 0 cipher guest
 security-profile name Security-prof-wpapsk1 id 2
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher Huaweipsk encryption-method tkip
 security-profile name Security-prof-wpaeap1 id 3
  security-policy wpa2
 service-set name Huawei-guest1 id 0
  forward-mode tunnel
  wlan-ess 0
  ssid Huawei-guest1
  traffic-profile id 0
  security-profile id 1
  service-vlan 13
 service-set name Huawei-voice1 id 1
  forward-mode tunnel
  wlan-ess 1
  ssid Huawei-voice1
  traffic-profile id 0
  security-profile id 2
  service-vlan 12
 service-set name Huawei-employee1 id 2
  forward-mode tunnel
  wlan-ess 2
  ssid Huawei-employee1
  traffic-profile id 0
  security-profile id 3
  service-vlan 11
 radio-profile name radio2-prof-1 id 0
  wmm-profile id 0
 radio-profile name radio5-prof-1 id 1
  radio-type 80211an
  wmm-profile id 0
 ap 0 radio 0
  radio-profile id 0
  service-set id 0 wlan 1
  service-set id 1 wlan 2
  service-set id 2 wlan 3
 ap 0 radio 1
  radio-profile id 1
  service-set id 0 wlan 1
  service-set id 1 wlan 2
  service-set id 2 wlan 3
#

7 Backup the Configuration and Reset the Device

7.1 Objectives
Upon completion of this task, you will be able to:
Save the configuration of AC
Configure FTP service in AC
Backup the configuration of AC
Reset the configuration of AC

7.2 Network Deployment Description
Item                                 Parameter
IP of management interface           192.168.100.200
File name of backup configuration    acvrpcfg.zip
FTP account                          Account: ftp  Password: huawei123
FTP path                             Flash:/

7.3 Configuration Procedure
7.3.1 Save the Configuration
Use the save command to save the current configuration to the storage device.
save acvrpcfg.zip
Are you sure to save the configuration to flash:/acvrpcfg.zip?[Y/N]:Y
Info: Save the configuration successfully.
Use the dir command to view information about the files and directories on the storage device.
dir
Directory of flash:/
Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
  0  -rw-            159  Oct 21 2013 10:02:34   portal_policy.txt
  1  -rw-     11,650,584  Oct 14 2013 11:04:48   FitAP6X10XN_V200R003C00SPC200.bin
  2  drw-              -  Sep 18 2013 15:26:09   dhcp
  3  -rw-      4,364,287  Sep 18 2013 17:57:32   AC6605V200R003C00SPC200.001.web.zip
  4  drw-              -  Aug 31 2013 15:40:37   corefile
  5  -rw-            540  Sep 18 2013 15:26:51   rsa_server_key.efs
  6  drw-              -  Sep 18 2013 15:26:17   security
  7  -rw-          2,110  Oct 25 2013 05:40:48   daemon.log.bak
  8  drw-              -  Sep 18 2013 19:10:51   logfile
  9  -rw-          1,891  Oct 29 2013 07:52:55   vrpcfg.zip
 10  -rw-          1,314  Oct 29 2013 07:52:55   private-data.txt
 11  -rw-            633  Oct 29 2013 05:02:21   daemon.log
 12  -rw-            146  Oct 21 2013 10:02:34   portal_page.txt
 13  -rw-          1,970  Oct 29 2013 08:31:09   acvrpcfg.zip
 14  -rw-     45,075,085  Sep 18 2013 17:58:36   AC6605V200R003C00SPC200.cc
 15  -rw-          1,260  Sep 18 2013 15:26:50   rsa_host_key.efs
 16  -rw-        259,755  Oct 29 2013 05:03:15   mon_file.txt

206,324 KB total (144,204 KB free)

7.3.2 Configuring FTP Service on AC
[AC1]ftp server enable
[AC1]aaa
[AC1-aaa]local-user ftp password cipher huawei123 directory flash:/
[AC1-aaa]local-user ftp service-type ftp
[AC1-aaa]local-user ftp privilege level 15

7.3.3 Backup the Configuration to PC
Connect the cable to the management interface of AC.
C:\Users\zWX>d:
D:\>ftp 192.168.100.200
connect 192.168.100.200。
220 FTP service ready.
User(192.168.100.200:(none)): ftp
331 Password required for ftp.
password:ftp001
230 User logged in.
ftp> get acvrpcfg.zip
200 Port command okay.
150 Opening ASCII mode data connection for acvrpcfg.zip.
226 Transfer complete.
ftp: 1373 bytes received in 0.00Seconds 1373000.00Kbytes/sec.
ftp>
The configuration file is now backed up on the PC. Find the file in D:/ and open it with Notepad or WordPad.

7.3.4 Reset the Configuration
After you finish your practice, the steps below reset the configuration of the device:
reset saved-configuration
The configuration will be erased to reconfigure. Continue? [Y/N]:Y
reboot
Otherwise, unsaved configuration will be lost. Continue?[Y/N]:Y
Warning: All the configuration will be saved to the configuration file for the next startup:, Continue?[Y/N]:N
System will reboot! Continue?[Y/N]:Y

7.4 Configuration Reference
7.4.1 Configuration of AC
ftp server enable
aaa
 local-user ftp password simple ftp
 local-user ftp ftp-directory flash:/
 local-user ftp service-type ftp
 local-user ftp privilege level 15

Here, you have finished all the practices of this exercise guide. Congratulations!

8 Appendix: Configuration of the SW

dis current-configuration
#
!Software Version V100R005C01SPC100
sysname CoreSW3700
#
vlan batch 10 to 12 20 to 22 30 to 32 40 to 42 50 to 52 60 to 62 70 to 72 80 to 82 90 to 92 100 to 102
vlan batch 800 to 810 900
#
dhcp enable
#
undo http server enable
#
drop illegal-mac alarm
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
 dhcp select interface
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
 dhcp select interface
#
interface Vlanif20
 ip address 10.1.20.1 255.255.255.0
#
interface Vlanif21
 ip address 10.1.21.1 255.255.255.0
 dhcp select interface
#
interface Vlanif22
 ip address 10.1.22.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 10.1.30.1 255.255.255.0
#
interface Vlanif31
 ip address 10.1.31.1 255.255.255.0
 dhcp select interface
#
interface Vlanif32
 ip address 10.1.32.1 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 10.1.40.1 255.255.255.0
#
interface Vlanif41
 ip address 10.1.41.1 255.255.255.0
 dhcp select interface
#
interface Vlanif42
 ip address 10.1.42.1 255.255.255.0
 dhcp select interface
#
interface Vlanif50
 ip address 10.1.50.1 255.255.255.0
#
interface Vlanif51
 ip address 10.1.51.1 255.255.255.0
 dhcp select interface
#
interface Vlanif52
 ip address 10.1.52.1 255.255.255.0
 dhcp select interface
#
interface Vlanif60
 ip address 10.1.60.1 255.255.255.0
#
interface Vlanif61
 ip address 10.1.61.1 255.255.255.0
 dhcp select interface
#
interface Vlanif62
 ip address 10.1.62.1 255.255.255.0
 dhcp select interface
#
interface Vlanif70
 ip address 10.1.70.1 255.255.255.0
#
interface Vlanif71
 ip address 10.1.71.1 255.255.255.0
 dhcp select interface
#
interface Vlanif72
 ip address 10.1.72.1 255.255.255.0
 dhcp select interface
#
interface Vlanif80
 ip address 10.1.80.1 255.255.255.0
#
interface Vlanif81
 ip address 10.1.81.1 255.255.255.0
 dhcp select interface
#
interface Vlanif82
 ip address 10.1.82.1 255.255.255.0
 dhcp select interface
#
interface Vlanif90
 ip address 10.1.90.1 255.255.255.0
#
interface Vlanif91
 ip address 10.1.91.1 255.255.255.0
 dhcp select interface
#
interface Vlanif92
 ip address 10.1.92.1 255.255.255.0
 dhcp select interface
#
interface Vlanif100
 ip address 10.1.100.1 255.255.255.0
#
interface Vlanif101
 ip address 10.1.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.1.102.1 255.255.255.0
 dhcp select interface
#
interface Vlanif801
 ip address 10.1.201.1 255.255.255.0
#
interface Vlanif802
 ip address 10.1.202.1 255.255.255.0
#
interface Vlanif803
 ip address 10.1.203.1 255.255.255.0
#
interface Vlanif804
 ip address 10.1.204.1 255.255.255.0
#
interface Vlanif805
 ip address 10.1.205.1 255.255.255.0
#
interface Vlanif806
 ip address 10.1.206.1 255.255.255.0
#
interface Vlanif807
 ip address 10.1.207.1 255.255.255.0
#
interface Vlanif808
 ip address 10.1.208.1 255.255.255.0
#
interface Vlanif809
 ip address 10.1.209.1 255.255.255.0
#
interface Vlanif810
 ip address 10.1.210.1 255.255.255.0
#
interface Vlanif900
 ip address 10.254.1.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 12 801
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20 to 22 801 to 802
#
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 30 to 32 803
#
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 30 40 to 42 803 to 804
#
interface Ethernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 50 to 52 805
#
interface Ethernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 50 60 to 62 805 to 806
#
interface Ethernet0/0/7
 port link-type trunk
 port trunk allow-pass vlan 70 to 72 807
#
interface Ethernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 70 80 to 82 807 to 808
#
interface Ethernet0/0/9
 port link-type trunk
 port trunk allow-pass vlan 90 to 92 809
#
interface Ethernet0/0/10
 port link-type trunk
 port trunk allow-pass vlan 90 100 to 102 809 to 810
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 10
 stp edged-port enable
#
interface Ethernet0/0/12
 port link-type access
 port default vlan 20
 stp edged-port enable
#
interface Ethernet0/0/13
 port link-type access
 port default vlan 30
 stp edged-port enable
#
interface Ethernet0/0/14
 port link-type access
 port default vlan 40
 stp edged-port enable
#
interface Ethernet0/0/15
 port link-type access
 port default vlan 50
 stp edged-port enable
#
interface Ethernet0/0/16
 port link-type access
 port default vlan 60
 stp edged-port enable
#
interface Ethernet0/0/17
 port link-type access
 port default vlan 70
 stp edged-port enable
#
interface Ethernet0/0/18
 port link-type access
 port default vlan 80
 stp edged-port enable
#
interface Ethernet0/0/19
 port link-type access
 port default vlan 90
 stp edged-port enable
#
interface Ethernet0/0/20
 port link-type access
 port default vlan 100
 stp edged-port enable
#
interface Ethernet0/0/21
 port link-type access
 port default vlan 900
 stp edged-port enable
#
interface Ethernet0/0/22
 port link-type access
 port default vlan 900
 stp edged-port enable
#
interface Ethernet0/0/23
 port link-type access
 port default vlan 900
 stp edged-port enable
#
interface Ethernet0/0/24
 port link-type access
 port default vlan 900
 stp edged-port enable
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface NULL0
#
interface LoopBack100
 ip address 100.100.100.100 255.255.255.255
#
interface LoopBack200
 ip address 200.200.200.200 255.255.255.255
#
ip route-static 172.16.1.0 255.255.255.0 10.1.201.100
ip route-static 172.16.2.0 255.255.255.0 10.1.202.100
ip route-static 172.16.3.0 255.255.255.0 10.1.203.100
ip route-static 172.16.4.0 255.255.255.0 10.1.204.100
ip route-static 172.16.5.0 255.255.255.0 10.1.205.100
ip route-static 172.16.6.0 255.255.255.0 10.1.206.100
ip route-static 172.16.7.0 255.255.255.0 10.1.207.100
ip route-static 172.16.8.0 255.255.255.0 10.1.208.100
ip route-static 172.16.9.0 255.255.255.0 10.1.209.100
ip route-static 172.16.10.0 255.255.255.0 10.1.210.100
ip route-static 192.168.1.0 255.255.255.0 10.1.10.100
ip route-static 192.168.2.0 255.255.255.0 10.1.20.100
ip route-static 192.168.3.0 255.255.255.0 10.1.30.100
ip route-static 192.168.4.0 255.255.255.0 10.1.40.100
ip route-static 192.168.5.0 255.255.255.0 10.1.50.100
ip route-static 192.168.6.0 255.255.255.0 10.1.60.100
ip route-static 192.168.7.0 255.255.255.0 10.1.70.100
ip route-static 192.168.8.0 255.255.255.0 10.1.80.100
ip route-static 192.168.9.0 255.255.255.0 10.1.90.100
ip route-static 192.168.10.0 255.255.255.0 10.1.100.100
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100004E58
snmp-agent sys-info version v3
#
user-interface con 0
 idle-timeout 0 0
user-interface vty 0 4
 user privilege level 15
 set authentication password simple huawei
#
return
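
Added example (not part of the Huawei guide): the lab configurations above contain settings that should not be carried into a production network, such as secrets stored with "password simple", the FTP server used for the backup in section 7, WEP and TKIP security profiles, and VTY lines set to "protocol inbound all". The Python check below scans a configuration dump for exactly these lines; the rule names, the audit() function and the sample text are assumptions made for this illustration.

```python
import re

# (rule id, pattern, reason) for settings that appear in this guide's configs.
LINE_RULES = [
    ("cleartext-secret", r"\bpassword simple \S+", "secret stored in clear text"),
    ("ftp-enabled", r"^ftp server enable$", "FTP sends logins and backups unencrypted"),
    ("wep", r"^wep (authentication-method|key)\b", "WEP offers no real confidentiality"),
    ("tkip", r"\bencryption-method tkip\b", "TKIP is deprecated in favour of AES-CCMP"),
    ("vty-any-protocol", r"^protocol inbound all$", "VTY accepts Telnet as well as SSH"),
]
USER_RE = re.compile(r"^local-user (\S+) (service-type|privilege level) (.+)$")

def audit(config_text):
    """Return (rule, view, line, reason) tuples for a VRP-style configuration dump."""
    findings, users, view = [], {}, "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("", "#"):            # separators carry no settings
            continue
        if not raw.startswith(" "):      # an unindented line opens a new view
            view = line
        for rule, pattern, reason in LINE_RULES:
            if re.search(pattern, line):
                findings.append((rule, view, line, reason))
        m = USER_RE.match(line)
        if m:                            # remember per-account attributes
            users.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    # Cross-line check: an account reachable over FTP that also holds level 15.
    for name, attrs in users.items():
        over_ftp = "ftp" in attrs.get("service-type", "").split()
        if over_ftp and attrs.get("privilege level") == "15":
            findings.append(("ftp-admin-account", "aaa", f"local-user {name}",
                             "FTP-reachable account holds privilege level 15"))
    return findings

# Constructed sample, assembled from lines shown in this guide's AC and SW configs.
SAMPLE = """\
ftp server enable
aaa
 local-user ftp password simple ftp
 local-user ftp service-type ftp
 local-user ftp privilege level 15
#
user-interface vty 0 4
 set authentication password simple huawei
 protocol inbound all
"""

for finding in audit(SAMPLE): print(" | ".join(finding))
```

Run it against a saved copy of a device's current configuration; lines stored in the cipher form, such as the console password in section 6, are not reported.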