HP850 Controller Manual

Manual for HP controllers

Uploaded by Nayairi Perez
HP Unified Wired-WLAN Products

Web-Based Configuration Guide


HP 830 Unified Wired-WLAN PoE+ Switch Series
HP 850 Unified Wired-WLAN Appliance
HP 870 Unified Wired-WLAN Appliance
HP 11900/10500/7500 20G Unified Wired-WLAN Module

Part number: 5998-4801


Software version:
3507P22 (HP 830 PoE+ Switch Series)
2607P22 (HP 850 Appliance)
2607P22 (HP 870 Appliance)
2507P22 (HP 11900/10500/7500 20G Module)
Document version: 6W101-20140418
Legal and notice information

© Copyright 2014 Hewlett-Packard Development Company, L.P.


No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents

About the Web-based configuration guide for HP unified wired-WLAN products ······ 1
  Typical network scenarios ······ 1
    HP 850 unified wired-WLAN appliance network scenario ······ 1
    HP 11900/10500/7500 20G module network scenario ······ 2
    HP 830 switch/HP 870 appliance network scenario ······ 2
  Feature matrix ······ 3

Web overview ······ 6
  Web interface ······ 6
  Web user level ······ 7
  Web-based NM functions ······ 7
  Common items on the Web pages ······ 20

Logging in to the Web interface ······ 25
  Restrictions and guidelines ······ 25
    Operating system requirements ······ 25
    Web browser requirements ······ 25
    Others ······ 28
  Logging in to the Web interface ······ 29
  Logging out of the Web interface ······ 30

Quick Start ······ 32
  Quick Start wizard home page ······ 32
  Basic configuration ······ 32
  Admin configuration ······ 33
  IP configuration ······ 34
  Wireless configuration ······ 35
  RADIUS configuration ······ 36
  Portal configuration ······ 38
  Encryption configuration ······ 39
  AP configuration ······ 40
  Configuration summary ······ 42

Displaying information summary ······ 43
  Device information ······ 43
    Device info ······ 43
    System resource state ······ 44
    Device interface information ······ 44
    Recent system logs ······ 45
  Displaying WLAN service ······ 45
    Displaying detailed information about WLAN service ······ 45
    Displaying WLAN service statistics ······ 49
    Displaying connection history information for the WLAN service ······ 50
  Displaying AP ······ 50
    Displaying WLAN service information for an AP ······ 50
    Displaying AP connection history information ······ 51
    Displaying AP radio information ······ 52
    Displaying tunnel latency information ······ 54
    Displaying AP detailed information ······ 55
    Displaying AP connection records ······ 59
  Displaying clients ······ 60
    Displaying client detailed information ······ 61
    Displaying client statistics ······ 63
    Displaying client roaming information ······ 65
    Displaying RF ping information ······ 65
    Displaying beacon measurement reports ······ 66

Managing licenses ······ 68
  Registering an enhanced license ······ 68
  Displaying registered enhanced licenses ······ 69

Configuring basic device settings ······ 70
  Configuring system name ······ 70
  Configuring Web idle timeout ······ 70

Maintaining devices ······ 72
  Upgrading software ······ 72
  Rebooting the device ······ 73
  Generating the diagnostic information file ······ 74

Configuring the system time ······ 76
  Configuration guidelines ······ 76
  Displaying the system time ······ 76
  Configuring the system time ······ 77
  Configuring the network time ······ 77
  Configuring the time zone and daylight saving time ······ 79
  System time configuration example ······ 80

Managing logs ······ 82
  Displaying syslog ······ 82
  Setting the log host ······ 83
  Setting buffer capacity and refresh interval ······ 84

Managing the configuration ······ 86
  Backing up the configuration ······ 86
  Restoring the configuration ······ 86
  Saving the configuration ······ 87
  Initializing the configuration ······ 88

Managing files ······ 89
  Displaying file list ······ 89
  Downloading a file ······ 89
  Uploading a file ······ 90
  Removing a file ······ 90
  Specifying the main boot file ······ 90

Managing interfaces ······ 91
  Interface management overview ······ 91
  Displaying interface information and statistics ······ 91
  Creating an interface ······ 92
  Modifying a Layer 2 interface ······ 94
  Modifying a Layer 3 interface ······ 97
  Interface management configuration example ······ 99

Configuring port mirroring ······ 101
  Overview ······ 101
  Configuration guidelines ······ 101
  Port mirroring configuration task list ······ 102
  Adding a mirroring group ······ 102
  Configuring ports for a mirroring group ······ 103
  Port mirroring configuration example ······ 104
    Network requirements ······ 104
    Configuration procedure ······ 105

Managing users ······ 108
  Creating a user ······ 108
  Setting the super password ······ 109
  Switching the user access level to the management level ······ 110

Configuring SNMP ······ 111
  SNMP overview ······ 111
  SNMP configuration task list ······ 111
  Enabling SNMP agent ······ 112
  Configuring an SNMP view ······ 114
    Creating an SNMP view ······ 114
    Adding rules to an SNMP view ······ 116
  Configuring an SNMP community ······ 116
  Configuring an SNMP group ······ 117
  Configuring an SNMP user ······ 119
  Configuring SNMP trap function ······ 121
  Displaying SNMP packet statistics ······ 123
  SNMPv1/SNMPv2c configuration example ······ 123
  SNMPv3 configuration example ······ 126

Configuring loopback ······ 132
  Configuration guidelines ······ 132
  Loopback operation ······ 132

OAP management ······ 135
  Overview ······ 135
  Configuring a management IP address ······ 135

Configuring MAC addresses ······ 136
  Overview ······ 136
  Configuring a MAC address entry ······ 137
  Setting the aging time of MAC address entries ······ 138
  MAC address configuration example ······ 139

Configuring VLANs ······ 141
  Overview ······ 141
  Configuration guidelines ······ 141
  Recommended configuration procedure ······ 142
  Creating a VLAN ······ 142
  Modifying a VLAN ······ 143
  Modifying a port ······ 144
  VLAN configuration example ······ 145

Configuring ARP ······ 150
  Overview ······ 150
    Introduction to ARP ······ 150
    Introduction to gratuitous ARP ······ 150
  Displaying ARP entries ······ 150
  Creating a static ARP entry ······ 151
  Removing ARP entries ······ 152
  Configuring gratuitous ARP ······ 152
  Static ARP configuration example ······ 153

Configuring ARP attack protection ······ 157
  Overview ······ 157
    ARP detection ······ 157
    Source MAC address based ARP attack detection ······ 157
    ARP active acknowledgement ······ 157
    ARP packet source MAC address consistency check ······ 158
  Configuring ARP detection ······ 158
  Configuring other ARP attack protection functions ······ 159

Configuring IGMP snooping ······ 161
  Overview ······ 161
  Recommended configuration procedure ······ 161
  Enabling IGMP snooping globally ······ 162
  Configuring IGMP snooping on a VLAN ······ 163
  Configuring IGMP snooping on a port ······ 165
  Displaying IGMP snooping multicast entry information ······ 166
  IGMP snooping configuration example ······ 167

Configuring IPv4 and IPv6 routing ······ 172
  Overview ······ 172
  Configuration guidelines ······ 172
  Displaying the IPv4 active route table ······ 172
  Creating an IPv4 static route ······ 173
  Displaying the IPv6 active route table ······ 174
  Creating an IPv6 static route ······ 175
  IPv4 and IPv6 static route configuration examples ······ 176
    IPv4 static route configuration example ······ 176
    IPv6 static route configuration example ······ 178

Configuring DHCP ······ 180
  DHCP overview ······ 180
  DHCP snooping overview ······ 181
    Recording IP-to-MAC mappings of DHCP clients ······ 181
    Enabling DHCP clients to obtain IP addresses from authorized DHCP servers ······ 181
  Recommended configuration procedure (for DHCP server) ······ 181
    Enabling DHCP ······ 182
    Creating a static address pool for the DHCP server ······ 183
    Creating a dynamic address pool for the DHCP server ······ 185
    Enabling the DHCP server on an interface ······ 186
    Displaying information about assigned IP addresses ······ 187
  Recommended configuration procedure (for DHCP relay agent) ······ 188
    Enabling DHCP and configuring advanced parameters for the DHCP relay agent ······ 189
    Creating a DHCP server group ······ 190
    Enabling the DHCP relay agent on an interface ······ 191
    Configuring and displaying clients' IP-to-MAC bindings ······ 192
  Recommended configuration procedure (for DHCP snooping) ······ 193
    Enabling DHCP snooping ······ 193
    Configuring DHCP snooping functions on an interface ······ 194
    Displaying clients' IP-to-MAC bindings ······ 195
  DHCP configuration examples ······ 196
    DHCP server configuration example ······ 196
DHCP relay agent configuration example ········································································································ 198 
DHCP snooping configuration example ··········································································································· 200 

Configuring link aggregation and LACP ··············································································································· 203 


Overview······································································································································································· 203 

iv
Basic concepts of link aggregation ··················································································································· 203 
Link aggregation modes ····································································································································· 204 
Load sharing mode of an aggregation group·································································································· 206 
Configuration guidelines ············································································································································· 206 
Recommended link aggregation and LACP configuration procedures ·································································· 207 
Recommended static aggregation group configuration procedure ······························································· 207 
Recommended dynamic aggregation group configuration procedure ························································· 207 
Creating a link aggregation group ···························································································································· 208 
Displaying aggregate interface information ············································································································· 208 
Setting LACP priority ···················································································································································· 210 
Displaying LACP-enabled port information ··············································································································· 211 
Link aggregation and LACP configuration example································································································· 212 

Configuring DNS ···················································································································································· 215 


Overview······································································································································································· 215 
Static domain name resolution··························································································································· 215 
Dynamic domain name resolution ····················································································································· 215 
DNS proxy ··························································································································································· 215 
Recommended configuration procedure···················································································································· 216 
Configuring static name resolution table ·········································································································· 216 
Configuring dynamic domain name resolution ································································································ 216 
Configuring DNS proxy ······································································································································ 216 
Configuring static name resolution table ··················································································································· 216 
Configuring dynamic domain name resolution ········································································································ 217 
Configuring DNS proxy ·············································································································································· 218 
Adding a DNS server address ··································································································································· 218 
Adding a domain name suffix ···································································································································· 219 
Clearing dynamic DNS cache ···································································································································· 219 
DNS configuration example ······································································································································· 220 

Configuring DDNS ·················································································································································· 225 


Overview······································································································································································· 225 
Configuration prerequisites ········································································································································· 226 
Configuration procedure ············································································································································· 226 
DDNS configuration example ····································································································································· 228 

Configuring PPPoE ·················································································································································· 232 


Overview······································································································································································· 232 
Configuration guidelines ············································································································································· 232 
Configuring a PPPoE client ·········································································································································· 233 
Displaying PPPoE client session statistics ······································································································ 234 
Displaying PPPoE client session information ············································································································· 235 
PPPoE client configuration example ··························································································································· 236 

Managing services ·················································································································································· 239 


Overview······································································································································································· 239 
Configuring service management ······························································································································ 240 

Using diagnostic tools············································································································································· 242 


Ping ················································································································································································ 242 
Trace route ···································································································································································· 242 
Ping operation ······························································································································································ 243 
IPv4 ping operation············································································································································· 243 
IPv6 ping operation············································································································································· 244 
Trace route operation ·················································································································································· 245 
Configuring NAT ····················································································································································· 247 
Overview······································································································································································· 247 
NAT control ·························································································································································· 248 
NAT implementation ··········································································································································· 248 
Low-priority address pool ··································································································································· 251 
Configuration guidelines ············································································································································· 251 
Recommended configuration procedure···················································································································· 251 
Configuring address translation························································································································· 251 
Configuring an internal server ··························································································································· 252 
Creating an address pool ··········································································································································· 252 
Configuring dynamic NAT ·········································································································································· 254 
Creating a static address mapping ···························································································································· 255 
Enabling static NAT on an interface ·························································································································· 256 
Configuring an internal server ···································································································································· 257 
Configuring basic internal server settings ········································································································· 257 
Configuring advanced internal server settings ································································································· 258 
Configuring a DNS mapping ····································································································································· 260 
NAT configuration examples ······································································································································ 261 
Address translation configuration example ······································································································ 261 
Internal server configuration example ··············································································································· 263 

Configuring ALG ····················································································································································· 267 


ALG process ································································································································································· 267 
Configuration procedure ············································································································································· 269 
ALG configuration examples ······································································································································ 269 
FTP ALG configuration example ························································································································ 269 
SIP ALG configuration example ························································································································· 273 
NBT ALG configuration example ······················································································································· 276 

Configuring APs ······················································································································································ 280 


AC-AP tunnel ································································································································································· 280 
Auto AP ········································································································································································· 280 
AP group ······································································································································································· 280 
Overview ······························································································································································ 280 
Client access control ··········································································································································· 281 
Configuring an AP ······················································································································································· 281 
Creating an AP ···················································································································································· 281 
Setting AP parameters ········································································································································ 282 
Configuring advanced settings ·························································································································· 284 
Configuring auto AP ···················································································································································· 288 
Enabling auto AP ················································································································································· 288 
Configuring auto-AP authentication··················································································································· 289 
Converting auto APs to configured APs ············································································································ 292 
Configuring an AP group ············································································································································ 294 
Creating an AP group········································································································································· 294 
Configuring IP address match criteria for an AP group ··························································································· 294 
Adding an AP into an AP group························································································································ 295 
Configuring an AP group ··································································································································· 296 
Configuring AP-based client access control ·············································································································· 301 
Configuring a user profile ·································································································································· 301 
AP configuration examples ········································································································································· 303 
Auto AP configuration example ························································································································· 303 
Auto-AP authentication configuration example ································································································ 307 

Configuring access services ··································································································································· 311 


Access service overview ·············································································································································· 311 
Terminology ························································································································································· 311 
Client access ························································································································································ 311 
WLAN data security ··········································································································································· 314 
Client access authentication ······························································································································· 315 
802.11n ······························································································································································· 316 
Configuring access service ········································································································································· 317 
Recommended configuration procedure ··········································································································· 317 
Creating a WLAN service ·································································································································· 317 
Configuring clear-type wireless service············································································································· 318 
Configuring crypto-type wireless service ·········································································································· 330 
Security parameter dependencies ····················································································································· 341 
Configuring an authentication mode ················································································································ 342 
Configuring source IP address verification ······································································································· 344 
Enabling a wireless service ································································································································ 347 
Binding an AP radio to a wireless service ········································································································ 347 
Enabling a radio ················································································································································· 350 
Displaying detailed information about a wireless service ·············································································· 350 
Configuring policy-based forwarding ························································································································ 355 
Creating a forwarding policy ···························································································································· 355 
Applying a forwarding policy to an access service ························································································ 357 
Applying a forwarding policy to a user profile ······························································································· 359 
Wireless service configuration example ···················································································································· 359 
WPA-PSK authentication configuration example ······································································································ 362 
Local MAC authentication configuration example ··································································································· 367 
Remote MAC authentication configuration example································································································ 372 
Remote 802.1X authentication configuration example ··························································································· 378 
Dynamic WEP encryption-802.1X authentication configuration example ····························································· 389 
Backup client authentication configuration example ································································································ 395 
Local client authentication configuration example ··································································································· 403 
Policy-based forwarding configuration example ······································································································ 409 

Configuring mesh services······································································································································ 415 


Mesh overview ····························································································································································· 415 
Basic concepts in WLAN mesh ·························································································································· 415 
Advantages of WLAN mesh ······························································································································ 415 
Deployment scenarios ········································································································································· 416 
Configuring mesh service ············································································································································ 417 
Configuring mesh service ··································································································································· 417 
Configuring a mesh policy ································································································································· 421 
Mesh global setup ··············································································································································· 426 
Configuring a working channel ························································································································· 427 
Enabling radio ····················································································································································· 428 
Configuring a peer MAC address ····················································································································· 429 
Configuring mesh DFS ········································································································································ 430 
Displaying the mesh link status ·························································································································· 431 
WLAN mesh configuration example ·························································································································· 432 
Mesh point-to-multipoint configuration example ······························································································ 436 
Mesh DFS configuration example ······························································································································ 437 

Configuring an IACTP tunnel and WLAN roaming ······························································································ 442 


IACTP tunnel ································································································································································· 442 
WLAN roaming overview ··········································································································································· 442 
Configuring an IACTP tunnel ······································································································································ 442 
Adding a member to the IACTP tunnel ······················································································································ 443 
Configuring WLAN roaming ······································································································································ 445 
Configuring WLAN roaming ····························································································································· 445 
Displaying client information······························································································································ 445 
WLAN roaming configuration examples··················································································································· 446 
Intra-AC roaming configuration example ········································································································· 446 
Inter-AC roaming configuration example·········································································································· 449 

Configuring WLAN RRM ········································································································································ 455 


Radio overview····························································································································································· 455 
WLAN RRM overview·················································································································································· 455 
Dynamic frequency selection ····························································································································· 455 
Transmit power control ······································································································································· 456 
Spectrum analysis ························································································································································ 458 
Configuring radios ······················································································································································· 459 
Configuring radio parameters ··························································································································· 459 
Enabling a radio ················································································································································· 465 
Locking the channel ············································································································································· 466 
Locking the power ··············································································································································· 467 
Configuring data transmit rates ·································································································································· 467 
Configuring 802.11a/802.11b/802.11g rates ···························································································· 467 
Configuring 802.11n MCS································································································································ 469 
Configuring 802.11ac NSS ······························································································································ 471 
Configuring channel scanning···································································································································· 474 
Configuring calibration ··············································································································································· 476 
Executing channel persistence ··························································································································· 476 
Configuring power persistence ·························································································································· 477 
Setting parameters ·············································································································································· 478 
Configuring a radio group ································································································································· 482 
Calibration operations ········································································································································ 484 
Selecting an antenna ··················································································································································· 486 
Configuring spectrum analysis ··································································································································· 487 
Configuring the operating mode for an AP ······································································································ 487 
Configuring spectrum analysis ··························································································································· 487 
Enabling spectrum analysis on a radio············································································································· 490 
Displaying interference device state·················································································································· 490 
Displaying channel quality information ············································································································ 490 
Manual channel adjustment configuration example ································································································ 491 
Automatic power adjustment configuration example ······························································································· 493 
Radio group configuration example ·························································································································· 496 
Spectrum analysis configuration example ················································································································· 498 

Configuring 802.1X ··············································································································································· 501 


Overview······································································································································································· 501 
802.1X architecture ············································································································································ 501 
Access control methods ······································································································································ 501 
802.1X timers ······················································································································································ 502 
Configuration prerequisites ········································································································································· 502 
Configuration procedure ············································································································································· 503 
Configuring 802.1X globally ····································································································································· 503 
Configuring 802.1X on a port ··································································································································· 505 
Configuring an 802.1X guest VLAN ················································································································· 507 
Configuring an Auth-Fail VLAN ························································································································· 508 

Configuring portal authentication ·························································································································· 509 


Overview······································································································································································· 509 
Configuration prerequisites ········································································································································· 510 
Configuration procedure ············································································································································· 510 
Configuring the portal service ···································································································································· 511 
Configuring advanced parameters for portal authentication ·················································································· 515 
Configuring a portal-free rule ····································································································································· 517 
Customizing authentication pages ····························································································································· 518 
File name rules ····················································································································································· 518 
Page request rules ··············································································································································· 519 
Post request attribute rules ·································································································································· 519 
Page file compression and saving rules ············································································································ 520 
File size and content rules ·································································································································· 520 
Logging off a user who closes the logon success or online page ·································································· 520 
Redirecting authenticated users to a specific webpage ·················································································· 521 
Portal authentication configuration example ············································································································· 521 

Configuring AAA ···················································································································································· 533 


Overview······································································································································································· 533 
Configuration prerequisites ········································································································································· 534 
Configuration procedure ············································································································································· 534 
Configuring an ISP domain ········································································································································· 535 
Configuring authentication methods for the ISP domain ························································································· 536 
Configuring authorization methods for the ISP domain ··························································································· 538 
Configuring accounting methods for the ISP domain ······························································································· 539 
AAA configuration example ······································································································································· 541 
Network requirements ········································································································································· 541 
Configuration procedure ···································································································································· 541 

Configuring RADIUS ··············································································································································· 546 


Configuration guidelines ············································································································································· 546 
Configuring a RADIUS scheme ··································································································································· 547 
RADIUS configuration example ·································································································································· 554 

Configuring the local EAP service·························································································································· 559 


Configuration procedure ············································································································································· 559 
Local EAP service configuration example ·················································································································· 560 

Configuring users ···················································································································································· 567 


Overview······································································································································································· 567 
Configuring a local user ·············································································································································· 568 
Configuring a user group ············································································································································ 570 
Configuring a guest ····················································································································································· 572 
Configuring a guest by a management level administrator ··········································································· 572 
Configuring a guest by a guest administrator ·································································································· 574 
Configuring a user profile ··········································································································································· 575 
Configuration guidelines ···································································································································· 575 
Configuration procedure ···································································································································· 575 

Managing certificates ············································································································································· 579 


Overview······································································································································································· 579 
Configuration guidelines ············································································································································· 579 
Configuration procedures ··········································································································································· 580 
Configuration procedure for manual request ··································································································· 580 
Configuration procedure for automatic request ······························································································· 582 
Creating a PKI entity ···················································································································································· 582 
Creating a PKI domain ················································································································································ 584 
Generating an RSA key pair······································································································································· 586 
Destroying the RSA key pair ······································································································································· 587 
Retrieving and displaying a certificate ······················································································································ 588 
Requesting a local certificate ······································································································································ 590 
Retrieving and displaying a CRL ································································································································ 591 
Certificate management configuration example ······································································································· 591 

Configuring WLAN security ··································································································································· 597 


WLAN security overview ············································································································································· 597 
Terminology ························································································································································· 597 
WIDS attack detection ········································································································································ 599 
Blacklist and whitelist ·········································································································································· 600 
Configuring rogue device detection··························································································································· 601 
Recommended configuration procedure ··········································································································· 601 
Configuring AP operating mode ······················································································································· 601 
Configuring detection rules ································································································································ 603 
Configuring detection rule lists··························································································································· 605 
Enabling countermeasures and configuring aging time for detected rogue devices ··································· 606 
Displaying monitor record ·································································································································· 607 
Displaying history record···································································································································· 608 
Configuring WIDS ······················································································································································· 609 
Configuring WIDS ··············································································································································· 609 
Displaying history record···································································································································· 609 
Displaying statistics information························································································································· 610 
Configuring the blacklist and whitelist functions ······································································································· 611 
Configuring whitelist ··········································································································································· 613 
Rogue detection configuration example ···················································································································· 614 

Configuring user isolation ······································································································································ 619 


User isolation overview ··············································································································································· 619 
Before user isolation is enabled ························································································································· 619 
After user isolation is enabled ··························································································································· 620 
Configuring user isolation ··········································································································································· 620 
Configuring user isolation ·································································································································· 620 
Displaying user isolation information ················································································································ 621 
User isolation configuration example ························································································································ 622 

Configuring authorized IP ······································································································································ 624 


Configuring session management·························································································································· 625 
Displaying session table information ························································································································· 628 

Configuring ACL and QoS ····································································································································· 630 


ACL overview ······························································································································································· 630 
QoS overview ······························································································································································· 630 
Configuration guidelines ············································································································································· 631 
Configuring an ACL ····················································································································································· 632 
Recommended ACL configuration procedures ································································································· 632 
Adding a time range··········································································································································· 634 
Adding an ACL ···················································································································································· 636 
Configuring a rule for an IPv4 basic ACL········································································································· 637 
Configuring a rule for an IPv4 advanced ACL ································································································· 638 
Configuring a rule for an Ethernet frame header ACL ···················································································· 641 
Configuring a rule for a WLAN-AP ACL ··········································································································· 643 
Adding an IPv6 ACL ··········································································································································· 644 
Configuring a rule for an IPv6 basic ACL········································································································· 645 
Configuring a rule for an IPv6 advanced ACL ································································································· 646 
Configuring rate limit ··················································································································································· 649 
Configuring the priority trust mode of a port ············································································································ 651 
Priority mapping overview ································································································································· 651 
Configuring priority mapping ···························································································································· 651 
Configuring a QoS policy ··········································································································································· 654 
Class ····································································································································································· 654 
Traffic behavior ··················································································································································· 654 
Policy ···································································································································································· 654 
QoS policy configuration procedure ················································································································· 655 
Adding a class ····················································································································································· 655 
Configuring traffic classification rules ··············································································································· 656 
Adding a traffic behavior ··································································································································· 660 
Configuring actions for a traffic behavior ········································································································ 660 
Adding a policy ··················································································································································· 663 
Configuring classifier-behavior associations for the policy ············································································ 663 
Applying a policy to a port ································································································································ 664 
Applying a QoS policy to a WLAN service ····································································································· 665 
ACL and QoS configuration example························································································································ 667 
Network requirements ········································································································································· 667 
Configuration procedure ···································································································································· 667 
Verifying the configuration ································································································································· 676 

Configuring wireless QoS ······································································································································ 677 


Overview······································································································································································· 677 
Terminology ························································································································································· 677 
WMM protocol overview ··································································································································· 678 
Enabling wireless QoS ················································································································································ 679 
Setting the SVP service ················································································································································ 680 
Setting CAC admission policy ···································································································································· 681 
Setting radio EDCA parameters for APs ···················································································································· 682 
Setting EDCA parameters for wireless clients ··········································································································· 683 
Configuration restrictions and guidelines ········································································································· 683 
Configuration procedure ···································································································································· 684 
Displaying radio statistics············································································································································ 685 
Displaying client statistics ············································································································································ 686 
Setting rate limiting ······················································································································································ 687 
Setting wireless service-based client rate limiting ···························································································· 687 
Setting radio-based client rate limiting·············································································································· 688 
Configuring the bandwidth guarantee function ········································································································ 689 
Setting the reference radio bandwidth ············································································································· 690 
Setting guaranteed bandwidth percents ··········································································································· 691 
Enabling bandwidth guaranteeing ···················································································································· 691 
Displaying guaranteed bandwidth settings ······································································································ 692 
CAC service configuration example ·························································································································· 692 
Network requirements ········································································································································· 692 
Configuring the wireless service ························································································································ 693 
Configuring CAC ················································································································································ 693 
Verifying the configuration ································································································································· 694 
Wireless service-based static rate limiting configuration example ········································································· 694 
Network requirements ········································································································································· 694 
Configuring the wireless service ························································································································ 695 
Configuring static rate limiting ··························································································································· 695 
Verifying the configuration ································································································································· 695 
Wireless service-based dynamic rate limiting configuration example ··································································· 695 
Network requirements ········································································································································· 695 
Configuring the wireless service ························································································································ 696 
Configuring dynamic rate limiting ····················································································································· 696 

xi
Verifying the configuration ································································································································· 696 
Bandwidth guarantee configuration example ··········································································································· 697 
Network requirements ········································································································································· 697 
Configuring the wireless services ······················································································································ 697 
Configuring bandwidth guaranteeing··············································································································· 697 
Verifying the configuration ································································································································· 699 

Configuring advanced settings ······························································································································ 700 


Advanced settings overview ······································································································································· 700 
Country/Region code ········································································································································· 700 
1+1 AC backup ·················································································································································· 700 
1+N AC backup·················································································································································· 701 
Client information backup ·································································································································· 702 
Continuous transmitting mode ···························································································································· 703 
Channel busy test ················································································································································ 703 
WLAN load balancing ······································································································································· 703 
Configuring the AC to accept APs with a different software version ···························································· 706 
Upgrading APs ···················································································································································· 706 
Switching to fat AP ·············································································································································· 706 
Wireless location ················································································································································· 706 
Wireless sniffer ···················································································································································· 708 
AP provision ························································································································································· 709 
Band navigation ·················································································································································· 709 
VLAN pool···························································································································································· 709 
Multicast optimization ········································································································································· 710 
Guest access tunnel ············································································································································· 711 
Bonjour gateway ················································································································································· 711 
Configuring WLAN advanced settings ······················································································································ 713 
Setting a country/region code ··························································································································· 713 
Configuring 1+1 AC backup ····························································································································· 714 
Configuring 1+N AC backup ···························································································································· 717 
Configuring client information backup ············································································································· 719 
Configuring continuous transmitting mode ······································································································· 719 
Configuring a channel busy test ························································································································ 720 
Configuring load balancing ······························································································································· 721 
Configuring AP ···················································································································································· 725 
Configuring wireless location ···························································································································· 726 
Configuring wireless sniffer ································································································································ 728 
Configuring AP provision ··································································································································· 730 
Configuring band navigation····························································································································· 734 
Configuring a VLAN pool ·································································································································· 736 
Configuring multicast optimization ···················································································································· 738 
Configuring a guest access tunnel ····················································································································· 741 
Configuring Bonjour gateway···························································································································· 743 
Advanced settings configuration examples ··············································································································· 747 
1+1 fast backup configuration example··········································································································· 747 
1+N backup configuration example ················································································································· 753 
Client information backup configuration example··························································································· 756 
AP-based session-mode load balancing configuration example ···································································· 759 
AP-based traffic-mode load balancing configuration example ······································································ 760 
Group-based session-mode load balancing configuration example ····························································· 762 
Group-based traffic-mode load balancing configuration example ································································ 764 
AP version upgrade configuration example ····································································································· 767 
Wireless location configuration example ········································································································· 771 
Wireless sniffer configuration example············································································································· 776 

AP provision configuration example ················································································································· 780 
Band navigation configuration example··········································································································· 784 
VLAN pool configuration example ···················································································································· 786 
Multicast optimization configuration example ································································································· 789 
Guest access tunnel configuration example ····································································································· 791 
Bonjour gateway configuration example·········································································································· 792 

Configuring stateful failover ··································································································································· 796 


Overview······································································································································································· 796 
Introduction to stateful failover ··························································································································· 796 
Stateful failover states ········································································································································· 797 
Configuration guidelines ············································································································································· 797 
Configuring stateful failover ········································································································································ 798 
Stateful failover configuration example ····················································································································· 799 

Configuring IKE ······················································································································································· 807 


Overview······································································································································································· 807 
IKE security mechanism······································································································································· 807 
IKE operation ······················································································································································· 807 
Functions of IKE in IPsec ····································································································································· 808 
Relationship between IKE and IPsec ·················································································································· 809 
Protocols and standards ····································································································································· 809 
Configuration prerequisites ········································································································································· 809 
Recommended configuration procedure···················································································································· 809 
Configuring global IKE parameters···························································································································· 811 
Configuring an IKE proposal ······································································································································ 811 
Configuring IKE DPD···················································································································································· 813 
Configuring an IKE peer·············································································································································· 814 
Viewing IKE SAs ··························································································································································· 817 
IKE configuration example ·········································································································································· 818 

Configuring IPsec ···················································································································································· 827 


Overview······································································································································································· 827 
Basic concepts ····················································································································································· 827 
IPsec RRI································································································································································ 829 
IPsec stateful failover ··········································································································································· 830 
Protocols and standards ····································································································································· 831 
Configuration guidelines ············································································································································· 831 
Configuration considerations ······································································································································ 832 
Recommended configuration procedure···················································································································· 832 
Configuring ACLs ························································································································································· 833 
Use of the Permit/Deny Actions in ACLs··········································································································· 834 
Mirror image ACLs ·············································································································································· 836 
Protection modes ················································································································································· 837 
Configuring an IPsec proposal ··································································································································· 837 
Configuring an IPsec proposal in suite mode ·································································································· 837 
Configuring an IPsec proposal in custom mode ······························································································ 839 
Configuring an IPsec policy template ························································································································ 840 
Configuring an IPsec policy ········································································································································ 843 
Applying an IPsec policy group ································································································································· 846 
Viewing IPsec SAs ························································································································································ 847 
Viewing packet statistics·············································································································································· 847 
IPsec configuration example ······································································································································· 848 

Support and other resources ·································································································································· 856 


Contacting HP ······························································································································································ 856 

Subscription service ············································································································································ 856 
Related information ······················································································································································ 856 
Documents ···························································································································································· 856 
Websites······························································································································································· 856 
Conventions ·································································································································································· 857 

Index ········································································································································································ 859 

About the Web-based configuration guide for
HP unified wired-WLAN products

The Web-based configuration guide describes the Web functions of the HP 830 series PoE+ unified
wired-WLAN switches, HP 850/870 unified wired-WLAN appliances, and HP 11900/10500/7500
20G unified wired-WLAN modules. The functions include quick start, Web login, wireless service
configuration, security and authentication configurations, QoS configuration, and advanced settings.
The Web-based configuration guide uses the webpages of the HP 11900/10500/7500 20G module in
configuration procedures. For features not available on the module, this book uses the webpages of the
HP 850/870 appliance or HP 830 24-port switch.
The interface types and displayed webpages vary by device model.
If a function or parameter is grayed out, it is either not supported or cannot be modified.

Typical network scenarios


HP 850 unified wired-WLAN appliance network scenario
As shown in Figure 1, an HP 850 unified wired-WLAN appliance is installed on a Layer 2 or Layer 3
switch, which is connected to APs directly or over an IP network.
Figure 1 HP 850 unified wired-WLAN appliance network scenario

HP 11900/10500/7500 20G module network scenario
As shown in Figure 2:
• The HP 11900/10500/7500 20G module is installed on a Layer 2 or Layer 3 switch.
• The switch is connected to APs directly or over an IP network.
• Clients access the network through the APs.
Figure 2 Network diagram

HP 830 switch/HP 870 appliance network scenario


NOTE:
The network scenarios of HP 830 switches and HP 870 appliances are the same. This document uses the
HP 830 switch network scenario.

As shown in Figure 3:
• The switch that has both AC and switch functions is connected to APs directly or over an IP network.
• Clients access the network through the APs.

Figure 3 Network diagram

Feature matrix
The HP 11900/10500/7500 20G module adopts the OAA architecture. It works as an OAP card on a
switch and exchanges data, status, and control information with the switch through their internal
interfaces. Do not configure services such as QoS rate limiting or 802.1X authentication on the internal
interfaces.
The controller engine and switching engine of an HP 830 switch or HP 870 appliance also adopt the OAA
architecture. The switching engine is integrated on the controller engine as OAP software. By default,
logging in to the switch logs you in to the controller engine.
HP recommends not configuring QoS rate limiting or 802.1X authentication on the internal aggregate
interfaces (BAGG1) between the switching engine and the controller engine on an HP 830 switch or HP
870 appliance. Inappropriate rate limiting or authentication settings on the internal aggregate interfaces
can cause communication problems between the switching engine and the controller engine.
• On the HP 830 24-port switch, the switching engine's internal aggregate interface is formed by
GigabitEthernet 1/0/29 and GigabitEthernet 1/0/30. On the HP 830 8-port switch, the switching
engine's internal aggregate interface is formed by GigabitEthernet 1/0/11 and GigabitEthernet
1/0/12. On all HP 830 switches, the controller engine's internal aggregate interface is formed by
GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
• On the HP 870 appliance, the switching engine's internal aggregate interface is formed by
interfaces Ten-GigabitEthernet 1/0/29 through Ten-GigabitEthernet 1/0/32. The controller
engine's internal aggregate interface is formed by interfaces Ten-GigabitEthernet 1/0/1 through
Ten-GigabitEthernet 1/0/4.
This document only describes the feature matrix for the controller engines of HP 830 switches and HP 870
appliances. For feature and configuration information about the switching engines of HP 830 switches
and HP 870 appliances, see related switching engine manuals.

Table 1 Feature matrix

Product columns: (A) HP 11900/10500/7500 20G unified wired-WLAN module; (B) HP 830 24-port PoE+ unified wired-WLAN switch controller engine; (C) HP 830 8-port PoE+ unified wired-WLAN switch controller engine; (D) HP 850 Unified Wired-WLAN Appliance; (E) HP 870 unified wired-WLAN appliance controller engine.

Module | Feature | (A) | (B) | (C) | (D) | (E)
------ | ------- | --- | --- | --- | --- | ---
License management | Enhanced license management | Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs. | Supports 24 concurrent APs by default, and can be extended to support 60 concurrent APs. | Supports 12 concurrent APs by default, and can be extended to support 24 concurrent APs. | Supports 0 concurrent APs by default, and can be extended to support 512 concurrent APs. | Supports 256 concurrent APs by default, and can be extended to support 1536 concurrent APs.
Device | File management | CF supported. | Flash supported. | CF supported. | CF supported. | CF supported.
Device | Port mirroring | No. | No. | No. | Yes. | No.
Device | Loopback test | Internal loopback testing only supported on XGE interfaces. | Internal loopback testing only supported on GE interfaces. | Internal loopback testing only supported on GE interfaces. | Yes. | Yes.
Device | OAP management | No. | Yes. | Yes. | No. | Yes.
Network | IGMP Snooping | The maximum number of multicast groups is in the range of 1 to 256 and defaults to 256. | The maximum number of multicast groups is in the range of 1 to 64 and defaults to 64. | The maximum number of multicast groups is in the range of 1 to 64 and defaults to 64. | The maximum number of multicast groups is in the range of 1 to 256 and defaults to 256. | The maximum number of multicast groups is in the range of 1 to 256 and defaults to 256.
Network | Link aggregation and LACP | No. | No. | No. | Yes. | No.
Network | DDNS | No. | Yes. | Yes. | No. | No.
Network | PPPoE | No. | Yes. | Yes. | No. | No.
AP | AP group | Supports a maximum of 1024 AP groups. | Supports a maximum of 60 AP groups. | Supports a maximum of 24 AP groups. | Supports a maximum of 512 AP groups. | Supports a maximum of 1536 AP groups.
Advanced settings | AC backup | Yes. | No. | No. | Yes. | Yes.
Advanced settings | 1+1 fast backup (Hello interval) | Yes. (The hello interval is in the range of 30 to 2000 and defaults to 2000.) | No. | No. | Yes. (The hello interval is in the range of 30 to 2000 and defaults to 2000.) | Yes. (The hello interval is in the range of 30 to 2000 and defaults to 2000.)
High availability | Stateful failover | Yes. | No. | No. | Yes. | Yes.
VPN | VPN | No. | Yes. | Yes. | No. | No.

Web overview

This chapter describes the Web interface, functions available on the Web interface, Web user levels you
must have to perform a function, and common icons and buttons on the Web pages.

Web interface
The Web interface consists of the navigation tree, title area, and body area.
Figure 4 Web-based configuration interface

(1) Navigation area (2) Body area (3) Title area

• Navigation area—Organizes the Web-based NM function menus in the form of a navigation tree,
where you can select function menus as needed. The result is displayed in the body area. The Web
network management functions not supported by the device are not displayed in the navigation
area.
• Body area—The area where you can configure and display a function.
• Title area—On the left, displays the path of the current configuration interface in the navigation
area; on the right, provides the Save button to quickly save the current configuration, the Help button
to display the Web related help information, and the Logout button to log out of the Web interface.

Web user level
Web user levels, ranging from low to high, are visitor, monitor, configure, and management. A user with
a higher level has all the operating rights of a user with a lower level.
• Visitor—Users can use the network diagnostic tools ping and Trace Route, but they can neither
access the device data nor configure the device.
• Monitor—Users can only access the device data, but they cannot configure the device.
• Configure—Users can access device data and configure the device, but they cannot upgrade the
host software, add, delete, or modify users, or back up or restore configuration files.
• Management—Users of this level can perform any operation on the device.

Web-based NM functions
Support for the configuration items depends on the device model. For more information, see "About the
Web-based configuration guide for HP unified wired-WLAN products."
A user level in Table 2 indicates that users of this level or users of a higher level can perform the
corresponding operations.
Table 2 Web-based NM function description

Function menu Description User level


Quick Start Perform quick configuration of the device. Configure

Display and refresh system resource state,


Device Info device interface information, and recent system Monitor
operation logs.

Display the information of the queried WLAN


Wireless Service service, including the detailed information, Monitor
statistics, and connection history.

Display the information of the queried AP,


Summary including wireless service, connection history, Monitor
AP radio, and detailed information.

Reboot an AP. Configure

Display the detailed information, statistics,


Monitor
roaming, and link information of the client.
Client
Clear statistics of the client, disconnect the
Configure
connection, and add the client into the blacklist.

Display license information. Monitor


License
Add licenses. Configure
License
Display enhanced license information. Management
Enhanced License
Device Register enhanced licenses. Management

System Name Display and configure the system name. Configure


Basic Display and configure the idle timeout time for a
Web Idle Timeout Configure
logged-in user.

7
Function menu Description User level
Software Upload the file to be upgraded from the local
Management
Upgrade host to upgrade the system software.
Device
Mainte Reboot Reboot the device. Management
nance
Diagnostic Generate a diagnostic information file, view the
Management
Information file, or save the file to the local host.

Display the system date and time. Configure


System Time
Manually set the system date and time. Configure

Display configurations about system time zone


Configure
and daylight saving time.
Time Zone
System Configure system time zone and daylight
Time Configure
saving time.

Display time synchronization status and


Configure
network time configuration.
Net Time
Set local and external clock sources and system
Configure
time zone.

Display and refresh system logs. Monitor


Loglist
Clear system logs. Configure
Syslog Loghost Display and configure the loghost. Configure

Display and configure the buffer capacity, and


Log Setup Configure
refresh interval for displaying system logs.

Back up the configuration file for the next


Backup Management
startup to the host of the current user.

Upgrade the configuration file on the host of the


Configu Restore Management
current user to the device for the next startup.
ration
Save the current configuration to the
Save Configure
configuration file for the next startup.

Initialize Restore the system to factory defaults. Management

Manage files on the device, including


displaying file list, downloading a file,
File management Management
uploading a file, removing a file, and setting the
main boot file.

Display interface information and statistics. Monitor


Interface Create, modify, and delete an interface, and
Configure
clear interface statistics.

Display the configuration information of a port


Summary Monitor
mirroring group.
Port Add Create a port mirroring group. Configure
Mirroring
Remove Remove a port mirroring group. Configure

Modify Port Configure ports for a mirroring group. Configure

Display brief information of Web, FTP and


Users Summary Monitor
Telnet users.

8
Function menu Description User level
Configure the password for a lower-level user to
Super
switch from the current access level to the Configure
Password
management level.

Create Create a Web, FTP, or Telnet user. Configure

Modify Modify Web, FTP, or Telnet user information. Configure

Remove Remove a Web, FTP, or Telnet user. Configure

Switch To
Switch the current user level to the management
Managemen Monitor
level.
t

Display and refresh SNMP configuration and


Management
Setup statistics information.

Configure SNMP. Management

Display SNMP community information. Management


Community Create, modify, and delete an SNMP
Management
community.

Display SNMP group information. Management


Group
Create, modify, and delete an SNMP group. Management
SNMP
Display SNMP user information. Management
User
Create, modify, and delete an SNMP user. Management

Display the status of the SNMP trap function


Management
and information about target hosts.
Trap
Enable or disable the SNMP trap function, or
Management
create, modify, and delete a target host.

Display SNMP view information. Management


View
Create, modify, and delete an SNMP view. Management

Perform the loopback test on Ethernet


Loopback Monitor
interfaces.

Display MAC address information. Monitor


MAC
Create or remove MAC addresses. Configure
MAC
Display and configure MAC address aging
Setup Configure
time.

Display all VLANs on the device and


Monitor
VLAN information about their member ports.
Network
Create, modify, and delete VLANs. Configure
VLAN
Display VLANs to which a port on the device
Monitor
Port belongs.

Modify the VLANs to which a port belongs. Configure

ARP Display ARP table information. Monitor


ARP Table
Management Add, modify, or delete an ARP entry. Configure

9
Function menu / Description / User level

ARP > Gratuitous ARP
    Monitor: Display the gratuitous ARP configuration.
    Management: Configure gratuitous ARP.

ARP > ARP Detection
    Monitor: Display the ARP detection configuration.
    Management: Configure ARP detection.

ARP > ARP Anti-Attack > Advanced Configuration
    Monitor: Display the configuration of source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check.
    Management: Configure source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check.

IGMP Snooping > Basic
    Monitor: Display the global IGMP Snooping configuration, the IGMP Snooping configuration in a VLAN, and the IGMP Snooping multicast entries.
    Configure: Configure IGMP Snooping globally and in a VLAN.

IGMP Snooping > Advance
    Monitor: Display the IGMP Snooping configuration on a port.
    Configure: Configure IGMP Snooping on a port.

IPv4 Routing > Summary
    Monitor: Display the IPv4 active route table.
IPv4 Routing > Create
    Configure: Create an IPv4 static route.
IPv4 Routing > Remove
    Configure: Delete the selected IPv4 static routes.

IPv6 Routing > Summary
    Monitor: Display the IPv6 active route table.
IPv6 Routing > Create
    Configure: Create an IPv6 static route.
IPv6 Routing > Remove
    Configure: Delete the selected IPv6 static routes.

DHCP > DHCP Server
    Monitor: Display the DHCP service status, the DHCP address pools, the DHCP server status on an interface, and the addresses in use.
    Configure: Set the DHCP service status; add, modify, or delete a DHCP address pool; and modify the DHCP server status on an interface.

DHCP > DHCP Relay
    Monitor: Display the DHCP service status and the advanced DHCP relay configuration, display DHCP group information and the DHCP relay agent status on an interface, and view DHCP relay user information.
    Configure: Configure the DHCP service status and the advanced DHCP relay configuration, add or delete a DHCP group, and modify the DHCP relay agent status on an interface.

DHCP > DHCP Snooping
    Monitor: Display the DHCP Snooping status and the trusted or untrusted attribute of each port, and view DHCP Snooping user information.
    Configure: Configure the DHCP Snooping status, and modify the trusted or untrusted attribute of a port.

Link Aggregation > Summary
    Monitor: Display information about aggregate interfaces and their member ports.
Link Aggregation > Create
    Configure: Create a link aggregation group.
Link Aggregation > Modify
    Configure: Modify the selected link aggregation group.
Link Aggregation > Remove
    Configure: Delete the selected link aggregation group.

LACP > Summary
    Monitor: Display information about LACP-enabled ports and their peer ports.
LACP > Setup
    Configure: Configure the LACP priority.

DNS > Static
    Configure: Display, create, modify, or delete a static host name-to-IP address mapping.
DNS > Dynamic
    Configure: Display and configure the parameters for dynamic domain name resolution; display, create, or delete a DNS server IP address and a domain name suffix.
DNS > DDNS
    Monitor: Display DDNS information.

PPPoE > Client Information
    Monitor: Display information about PPPoE clients.
    Configure: Create, modify, or delete a PPPoE client.
PPPoE > Session Information
    Monitor: Display brief information and statistics about PPPoE sessions.

Service
    Monitor: Display whether each service is enabled or disabled.
    Management: Enable or disable individual services, and set their parameters.

Diagnostic Tools > IPv4 Ping
    Visitor: Ping an IPv4 address or host and display the result.
Diagnostic Tools > IPv6 Ping
    Visitor: Ping an IPv6 address or host and display the result.
Diagnostic Tools > Trace Route
    Visitor: Perform a trace route and display the result.

NAT > Dynamic Address Translation
    Monitor: Display address pool and dynamic address translation information.
    Configure: Create, modify, or delete an address pool, and configure dynamic address translation.

NAT > Static Address Translation
    Monitor: Display static address mapping and static address translation information.
    Configure: Create, modify, or delete a static address mapping, and configure static address translation.
NAT > Internal Server
    Monitor: Display internal server and DNS mapping information.
    Configure: Create, modify, or delete an internal server and a DNS mapping.
NAT > Application Layer Protocol Detection
    Monitor: Display the application layer protocol detection configuration.
    Configure: Configure application layer protocol detection.

AP > AP Setup
    Monitor: Display AP information, including AP name, AP IP address, serial ID, model, and status.
    Configure: Add an AP and modify the AP configuration.
AP > Auto AP
    Monitor: Display auto AP information after auto AP is enabled, including AP name, model, serial ID, and IP address.
    Configure: Enable auto AP.
AP > AP Group
    Monitor: Display AP group information.
    Configure: Create and configure an AP group.

Wireless Service > Access Service > Access Service
    Monitor: Display an access service, including its security type, detailed information, service status, and binding status.
    Configure: Create and configure an access service, map an access service to an AP radio, and add a MAC authentication list.
Wireless Service > Access Service > Forwarding Policy
    Monitor: Display forwarding policies and rules.
    Configure: Configure forwarding policies and rules.
Wireless Service > Mesh Service
    Monitor: Display a mesh service, including its detailed information, status, and binding information.
    Configure: Create and configure a mesh service, including its security settings.

Mesh Service > Mesh Policy
    Monitor: Display mesh policies.
    Configure: Create and configure a mesh policy.
Mesh Service > Global Setup
    Monitor: Display the mesh global settings, including basic settings, mesh DFS, and the mesh portal service.
    Configure: Configure the mesh global settings, including basic settings, mesh DFS, and the mesh portal service.

Mesh Service > Mesh Channel Optimize
    Monitor: Display radio information and channel switch information in a mesh network.
    Configure: Configure mesh channel optimization.
Mesh Service > Mesh Link Info
    Monitor: Display mesh link status information.
    Monitor: Monitor mesh link status and refresh the mesh link status information.
Mesh Service > Mesh Link Test
    Monitor: Display mesh link test results.
    Configure: Test mesh links and refresh the mesh link test results.

Roam > Roam Group
    Monitor: Display a roaming group and its members.
    Configure: Configure a roaming group and add a group member.
Roam > Roam Client
    Monitor: Display client information, including MAC address, BSSID, VLAN ID, home AC, and roaming direction.

Radio > Radio
    Monitor: Display radio status, including radio mode and radio status.
    Configure: Configure radio parameters, including 802.11n settings.
Radio > Rate
    Monitor: Display rate settings.
    Configure: Configure rates, including the MCS index.
Radio > Channel Scan
    Monitor: Display channel scanning settings, including scanning mode, scanning type, and scanning interval.
    Configure: Configure channel scanning, including scanning mode and scanning type.

Radio Calibration > Operation
    Monitor: Display or refresh AP status, including channel status, neighbor information, and history information.
    Configure: Perform manual calibration.
Radio Calibration > Parameters
    Monitor: Display basic setup, channel setup, and power setup.
    Configure: Configure channel calibration parameters.
Radio Calibration > Radio Group
    Monitor: Display the radio group configuration.
    Configure: Configure a radio group.

Antenna Switch
    Configure: Configure the antenna of an AP.

Spectrum Analysis > 802.11a
    Monitor: Display the spectrum analysis configuration of a 5 GHz radio.
    Configure: Configure spectrum analysis on a 5 GHz radio.
Spectrum Analysis > 802.11bg
    Monitor: Display the spectrum analysis configuration of a 2.4 GHz radio.
    Configure: Configure spectrum analysis on a 2.4 GHz radio.

Spectrum Analysis > Radio
    Monitor: Display spectrum analysis status.
    Configure: Enable spectrum analysis.
Spectrum Analysis > Interfering Device
    Monitor: Display and refresh interfering device status.
Spectrum Analysis > Channel Quality
    Monitor: Display and refresh channel quality status.

Authentication > 802.1X
    Monitor: Display the global 802.1X information and the 802.1X information of a port.
    Configure: Configure the global 802.1X features and the 802.1X features of a port.
Authentication > Portal > Portal Server
    Monitor: Display the portal server configuration and the advanced parameters for portal authentication.
    Configure: Add and delete a portal server, and modify the advanced parameters for portal authentication.
Authentication > Portal > Free Rule
    Monitor: Display the portal-free rule configuration.
    Configure: Add and delete a portal-free rule.
Authentication > AAA > Domain Setup
    Monitor: Display ISP domain configuration information.
    Management: Add and remove ISP domains.
Authentication > AAA > Authentication
    Monitor: Display the authentication method configuration of an ISP domain.
    Management: Specify authentication methods for an ISP domain.
Authentication > AAA > Authorization
    Monitor: Display the authorization method configuration of an ISP domain.
    Management: Specify authorization methods for an ISP domain.
Authentication > AAA > Accounting
    Monitor: Display the accounting method configuration of an ISP domain.
    Management: Specify accounting methods for an ISP domain.
Authentication > RADIUS
    Management: Display, add, modify, and delete RADIUS schemes.
Authentication > Local EAP Server
    Monitor: Display the local EAP service configuration.
    Configure: Configure the local EAP service.
Authentication > Users > Local User
    Monitor: Display local user configuration information.
    Management: Add, modify, and remove local users.
Authentication > Users > User Group
    Monitor: Display user group configuration information.
    Management: Add, modify, and remove user groups.
Authentication > Users > Guest
    Monitor: Display guest user configuration information.
    Management: Add, modify, and remove guest users.

Authentication > User Profile
    Monitor: Display user profile configuration information.
    Configure: Add, modify, remove, enable, and disable user profiles.
Authentication > Certificate Management > Entity
    Monitor: Display information about PKI entities.
    Configure: Add, modify, and delete a PKI entity.
Authentication > Certificate Management > Domain
    Monitor: Display information about PKI domains.
    Configure: Add, modify, and delete a PKI domain.
Authentication > Certificate Management > Certificate
    Monitor: Display the certificate information of PKI domains and view the contents of a certificate.
    Configure: Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate.
Authentication > Certificate Management > CRL
    Monitor: Display the contents of the CRL.
    Configure: Retrieve the CRL of a domain.

Security > Rogue Detection > AP Monitor
    Monitor: Display the AP operating mode.
    Configure: Configure the AP operating mode.
Security > Rogue Detection > Rule List
    Monitor: Display the list types for rogue device detection and the detection rules.
    Configure: Configure the list types for rogue device detection and the rules.
Security > Rogue Detection > Monitor Record
    Monitor: Display the monitor record of rogue device detection.
    Configure: Clear the monitor record of rogue device detection, and add rogue devices to the blacklist.
Security > Rogue Detection > History Record
    Monitor: Display the rogue device detection history.
    Configure: Clear the rogue device detection history, and add rogue devices to the blacklist.
Security > WIDS > Setup
    Monitor: Display the IDS configuration.
    Configure: Configure IDS detection, including flood attack detection, spoofing attack detection, and weak IV detection.
Security > WIDS > History Record
    Monitor: Display the IDS attack detection history.
    Configure: Clear the IDS attack detection history, and add the detected attacking devices to the blacklist.
Security > WIDS > Statistics
    Monitor: Display IDS attack detection statistics.
    Configure: Clear the statistics.
Security > Filter > Blacklist
    Monitor: Display the dynamic and static blacklists.
    Configure: Clear the dynamic and static blacklists, enable the dynamic blacklist, and add entries to the static blacklist.

Security > Filter > White List
    Monitor: Display the white list.
    Configure: Clear the white list and add entries to it.
Security > Authorized IP > Summary
    Management: Display the authorized IP configuration, the associated IPv4 ACL rule list, and the associated IPv6 ACL rule list.
Security > Authorized IP > Setup
    Management: Configure authorized IP.
Security > User Isolation
    Management: Display, add, modify, and remove the user isolation configuration.
Security > Session Management > Session List
    Monitor: Display the session list on the device.
    Configure: Delete sessions from the session list on the device.
Security > Session Management > Basic Settings
    Monitor: Display the configuration of one-way flow detection, the long connection session rule, the session layer protocol aging time, and the application layer protocol aging time.

QoS > Time Range > Summary
    Monitor: Display time range configuration information.
QoS > Time Range > Add
    Configure: Create a time range.
QoS > Time Range > Remove
    Configure: Delete a time range.

QoS > ACL IPv4 > Summary
    Monitor: Display IPv4 ACL configuration information.
QoS > ACL IPv4 > Add
    Configure: Create an IPv4 ACL.
QoS > ACL IPv4 > Basic Setup
    Configure: Configure a rule for a basic IPv4 ACL.
QoS > ACL IPv4 > Advanced Setup
    Configure: Configure a rule for an advanced IPv4 ACL.
QoS > ACL IPv4 > Link Setup
    Configure: Create a rule for an Ethernet frame header ACL.
QoS > ACL IPv4 > Wireless Setup
    Configure: Configure a rule for a WLAN-AP ACL.
QoS > ACL IPv4 > Remove
    Configure: Delete an IPv4 ACL or its rules.

QoS > ACL IPv6 > Summary
    Monitor: Display IPv6 ACL configuration information.
QoS > ACL IPv6 > Add
    Configure: Create an IPv6 ACL.
QoS > ACL IPv6 > Basic Setup
    Configure: Configure a rule for a basic IPv6 ACL.
QoS > ACL IPv6 > Advanced Setup
    Configure: Configure a rule for an advanced IPv6 ACL.
QoS > ACL IPv6 > Remove
    Configure: Delete an IPv6 ACL or its rules.

QoS > Wireless QoS > Wireless QoS
    Monitor: Display wireless QoS settings, including SVP mapping, the CAC admission policy, radio EDCA, and client EDCA.
    Configure: Configure wireless QoS, including SVP mapping, the CAC admission policy, radio EDCA, and client EDCA.

QoS > Wireless QoS > Radio Statistics
    Monitor: Display radio statistics, including WMM status and detailed radio information.
    Configure: Display radio statistics, including WMM status and detailed radio information, and clear the radio statistics.
QoS > Wireless QoS > Client Statistics
    Monitor: Display client statistics, including WMM status and detailed client information.
    Configure: Display client statistics, including WMM status and detailed client information, and clear the client statistics.
QoS > Wireless QoS > Client Rate Limit
    Monitor: Display the configured client rate limit information.
    Configure: Configure and modify the client rate limiting mode, direction, and rate.
QoS > Wireless QoS > Bandwidth Guarantee
    Monitor: Display bandwidth settings for different radio types.
    Configure: Configure bandwidth guarantee settings.

QoS > Line Rate > Summary
    Monitor: Display line rate configuration information.
QoS > Line Rate > Setup
    Configure: Configure the line rate.

QoS > Port Priority
    Monitor: Display the priority and trust mode of a port.
    Configure: Modify the priority and trust mode of a port.
QoS > Trust Mode
    Management: Display the priority trust mode configuration.
    Management: Configure the priority trust mode.

QoS > Classifier > Summary
    Monitor: Display classifier configuration information.
QoS > Classifier > Add
    Configure: Create a class.
QoS > Classifier > Setup
    Configure: Configure the classification rules for a class.
QoS > Classifier > Remove
    Configure: Delete a class or its classification rules.

QoS > Behavior > Summary
    Monitor: Display traffic behavior configuration information.
QoS > Behavior > Add
    Configure: Create a traffic behavior.
QoS > Behavior > Setup
    Configure: Configure actions for a traffic behavior.
QoS > Behavior > Remove
    Configure: Delete a traffic behavior.

QoS > QoS Policy > Summary
    Monitor: Display QoS policy configuration information.
QoS > QoS Policy > Add
    Configure: Create a QoS policy.
QoS > QoS Policy > Setup
    Configure: Configure the classifier-behavior associations for a QoS policy.
QoS > QoS Policy > Remove
    Configure: Delete a QoS policy or its classifier-behavior associations.

QoS > Port Policy > Summary
    Monitor: Display the QoS policy applied to a port.
QoS > Port Policy > Setup
    Configure: Apply a QoS policy to a port.
QoS > Port Policy > Remove
    Configure: Remove the QoS policy from a port.

QoS > Service Policy
    Monitor: Display the QoS policy applied to a WLAN-ESS port.
    Configure: Configure the QoS policy applied to a WLAN-ESS port.

Advanced > Country/Region Code
    Monitor: Display the country/region code.
    Configure: Modify the country/region code.
Advanced > AC Backup > Setup
    Monitor: Display the address of the backup AC.
    Configure: Configure the address of the backup AC.
Advanced > AC Backup > Status
    Monitor: Display the status of the AC.
Advanced > Continuous Transmit
    Monitor: Display the continuous transmitting mode of an AP.
    Configure: Switch the continuous transmitting mode of an AP.
Advanced > Channel Busy Test
    Monitor: Display channel busy rate test results.
    Configure: Test the busy rate of channels and output the test results.
Advanced > Load Balancing > Load Balance
    Monitor: Display the load balancing mode and the current connection status.
    Configure: Configure the load balancing mode and refresh the current connection status.
Advanced > Load Balancing > Load Balance Group
    Monitor: Display the load balancing group configuration.
    Configure: Configure a load balancing group.
Advanced > AP > AP Module
    Monitor: Display the AP version, including the AP model and software version.
    Configure: Match and upgrade the software.
Advanced > AP > Switch to fat AP
    Monitor: Display the model and IP address of the AP.
    Configure: Switch the AP to fat AP mode.
Advanced > Wireless Location
    Monitor: Display wireless location settings.
    Configure: Configure, enable, and disable wireless location.
Advanced > Wireless Sniffer
    Monitor: Display the wireless sniffer configuration.
    Configure: Configure, enable, and disable wireless sniffer parameters.
Advanced > AP Provision
    Monitor: Display AP provision, non-AP provision, and global AP provision settings.
    Configure: Set AP provision, non-AP provision, and global AP provision.
Advanced > Band Navigation
    Monitor: Display band navigation settings.
    Configure: Set band navigation parameters.

Advanced > BAS AC
    Monitor: Display BAS AC settings.
    Configure: Configure the AC as a BAS AC and set BAS AC parameters.
Advanced > VLAN Pool
    Monitor: Display VLAN pool information, the number of online clients in each VLAN, and VLAN pool binding information.
    Configure: Create a VLAN pool and set VLAN pool parameters.
Advanced > Multicast Optimization
    Monitor: Display multicast optimization settings.
    Configure: Configure multicast optimization.
Advanced > Guest Access Tunnel
    Monitor: Display the guest access tunnel configuration and status.
    Configure: Set the AC type and guest access tunnel parameters.

High Reliability > Stateful Failover
    Monitor: Display stateful failover information.
    Configure: Modify the stateful failover configuration.

VPN > IKE > Global Setting
    Configure: Display and modify IKE global parameters.
VPN > IKE > DPD
    Monitor: Display IKE DPD information.
    Configure: Create, modify, or delete an IKE DPD.
VPN > IKE > Peer
    Monitor: Display IKE peer information.
    Configure: Create, modify, or delete an IKE peer.
VPN > IKE > Security Proposal
    Monitor: Display IKE security proposal information.
    Configure: Create, modify, or delete an IKE security proposal.
VPN > IKE > Security Association
    Monitor: Display IKE security association information.
    Configure: Delete an IKE security association.

VPN > IPsec > Application
    Monitor: Display the IPsec policy groups applied to interfaces of the device.
    Configure: Enable or disable IPsec policy groups on an interface of the device.
VPN > IPsec > Security Proposal
    Monitor: Display IPsec security proposal information.
    Configure: Create, modify, or delete an IPsec security proposal.
VPN > IPsec > Template Configuration
    Monitor: Display IPsec security policy template information.
    Configure: Create, modify, or delete an IPsec security policy template.
VPN > IPsec > Policy
    Monitor: Display IPsec security policy information.
    Configure: Create, modify, or delete an IPsec security policy.

VPN > IPsec > Security Association
    Monitor: Display IPsec security association information.
    Configure: Delete an IPsec security association.
VPN > IPsec > Packet Statistics
    Monitor: Display IPsec packet statistics.
    Configure: Clear IPsec packet statistics.

Common items on the Web pages

Buttons and icons
Table 3 Commonly used buttons and icons

Button and icon (the button images are not reproduced in this text) / Description
• Applies the configuration on the current page.
• Cancels the configuration on the current page, and returns to the corresponding list page or the Device Info page.
• Refreshes the current page.
• Clears all entries in a list or all statistics.
• Adds an item.
• Removes the selected items.
• Selects all the entries in a list, or selects all ports on the device panel.
• Clears all the entries in a list, or clears all ports on the device panel.
• Restores the values of all the entries on the current page to the default.
• Buffers the settings you made and proceeds to the next step without applying them. This button is typically present in a configuration wizard.
• Buffers the settings you made and returns to the previous step without applying them. This button is typically present in a configuration wizard.
• Applies all settings you made at each step and finishes the configuration task. This button is typically present in a configuration wizard.
• Accesses a configuration page to modify settings. This icon is typically present in the Operation column of a list.
• Deletes an entry. This icon is typically present in the Operation column of a list.

Page display
The Web interface can display contents by pages, as shown in Figure 5. You can set the number of
entries displayed per page, and view the contents on the first, previous, next, and last pages, or go to any
page that you want to check.

NOTE:
A list can contain a maximum of 20000 entries if displayed in pages.

Figure 5 Content display by pages

Search function
The Web interface provides you with the basic and advanced search functions to display only the entries
that match specific searching criteria.
• Basic search—As shown in Figure 5, input the keyword in the text box above the list, select a search
item from the list and click Search to display the entries that match the criteria. Figure 6 shows an
example of searching for entries with 00e0 included in the MAC address.
Figure 6 Basic search function example

• Advanced search—As shown in Figure 5, click the Advanced Search link to open the advanced search page shown in Figure 7. Specify the search criteria, and click Apply to display the entries that match all of the criteria.
Figure 7 Advanced search

Take the ARP table shown in Figure 5 as an example. To search for the ARP entries whose MAC address begins with 000f and whose IP address is in the range 192.168.100.130 to 192.168.100.140, follow these steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 8, and click Apply. The ARP entries whose MAC address begins with 000f are displayed.
Figure 8 Advanced search function example (1)

2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 9, and click Apply. The ARP entries whose MAC address begins with 000f and whose IP address is in the range 192.168.100.130 to 192.168.100.140 are displayed, as shown in Figure 10.

Figure 9 Advanced search function example (2)

Figure 10 Advanced search function example (3)
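The two searches above can also be reproduced offline, which is useful when the same filter has to run over an ARP table exported from the device rather than in the browser. The Python below is an added example and is not code from the HP guide or from the device; the ARP table it filters is constructed sample data, and the field names (ip, mac, vlan, port) are an assumption about the export format. It applies the basic search (substring in one column) and the advanced search (MAC prefix AND IPv4 range), normalising MAC notation and comparing addresses numerically rather than as strings.

```python
"""Offline equivalent of the Web interface's ARP table search.

Added example, not part of the HP guide or its software. It applies the
same two matching rules the page describes (basic: substring in one column;
advanced: MAC prefix AND IPv4 range) to a constructed ARP table.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

Entry = Dict[str, str]

# Constructed sample data in the Comware "xxxx-xxxx-xxxx" MAC notation.
ARP_TABLE: List[Entry] = [
    {"ip": "192.168.100.129", "mac": "000f-e200-0001", "vlan": "1", "port": "GE1/0/1"},
    {"ip": "192.168.100.130", "mac": "000f-e200-0002", "vlan": "1", "port": "GE1/0/1"},
    {"ip": "192.168.100.135", "mac": "00e0-fc00-0003", "vlan": "1", "port": "GE1/0/2"},
    {"ip": "192.168.100.140", "mac": "000f-e200-0004", "vlan": "2", "port": "GE1/0/3"},
    {"ip": "192.168.100.141", "mac": "000f-e200-0005", "vlan": "2", "port": "GE1/0/3"},
    {"ip": "192.168.100.136", "mac": "0012-00e0-0006", "vlan": "2", "port": "GE1/0/4"},
]

HEX = "0123456789abcdef"


def mac_digits(text: str) -> str:
    """Keep only hex digits, so 000f-e200-0001, 00:0F:E2:00:00:01 and
    000fe2000001 compare equal and a keyword like "00:e0" still matches."""
    return "".join(ch for ch in text.lower() if ch in HEX)


def normalize_mac(mac: str) -> str:
    digits = mac_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def basic_search(entries: Iterable[Entry], column: str, keyword: str) -> List[Entry]:
    """Basic search: rows whose selected column contains the keyword."""
    if column == "mac":
        key = mac_digits(keyword)
        return [e for e in entries if key in normalize_mac(e["mac"])]
    key = keyword.lower()
    return [e for e in entries if key in e[column].lower()]


def advanced_search(entries: Iterable[Entry], mac_prefix: Optional[str] = None,
                    ip_from: Optional[str] = None, ip_to: Optional[str] = None) -> List[Entry]:
    """Advanced search: every criterion given must match (logical AND).

    The IP range is compared numerically. Comparing dotted strings is the
    classic mistake: "192.168.100.9" sorts after "192.168.100.10" as text."""
    prefix = mac_digits(mac_prefix) if mac_prefix else ""
    lo = ipaddress.IPv4Address(ip_from) if ip_from else None
    hi = ipaddress.IPv4Address(ip_to) if ip_to else None
    if lo is not None and hi is not None and lo > hi:
        raise ValueError("ip_from must not be greater than ip_to")
    matches: List[Entry] = []
    for e in entries:
        if prefix and not normalize_mac(e["mac"]).startswith(prefix):
            continue
        addr = ipaddress.IPv4Address(e["ip"])
        if (lo is not None and addr < lo) or (hi is not None and addr > hi):
            continue
        matches.append(e)
    return matches


if __name__ == "__main__":
    # Same query as the worked example: MAC prefix 000f, IP .130 to .140.
    for e in advanced_search(ARP_TABLE, "000f", "192.168.100.130", "192.168.100.140"):
        print(e["ip"], e["mac"], e["vlan"], e["port"])
```

Run on the sample table, the advanced query returns only the .130 and .140 entries; the .135 entry is inside the IP range but fails the MAC prefix, and the .129 and .141 entries have the prefix but fall outside the range.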

Sort function
The Web interface provides a basic sort function to display entries in a chosen order.
On a list page, click the blue heading of a column to sort the entries by that column. After you click it, an arrow appears beside the heading, as shown in Figure 11. An upward arrow indicates ascending order, and a downward arrow indicates descending order.

Figure 11 Basic sorting function example (based on IP address in the descending order)

Logging in to the Web interface

You can log in to the Web interface of the switching engine through HTTP or, after you enable it on the device, through HTTPS.
Figure 12 Web-based network management environment

Restrictions and guidelines


To ensure a successful login, verify that your operating system and Web browser meet the requirements,
and follow the guidelines in this section.

Operating system requirements

• The device supports the following operating systems:
  - Linux
  - Mac OS
  - Windows 2000
  - Windows 7
  - Windows Server 2003 Enterprise Edition
  - Windows Server 2003 Standard Edition
  - Windows Vista
  - Windows XP
• If you are using a Windows operating system, turn off the Windows firewall. The Windows firewall limits the number of TCP connections, and when the limit is reached you cannot log in to the Web interface.

Web browser requirements

• The device supports the following Web browsers:
  - Google Chrome 2.0.174.0 or higher
  - Microsoft Internet Explorer 6.0 SP2 or higher. For Microsoft Internet Explorer 9.0 or higher, select Display all websites in Compatibility View.
  - Mozilla Firefox 3.0 or higher
• If you are using a Microsoft Internet Explorer browser, you must enable the security settings (see "Enabling security settings in a Microsoft Internet Explorer browser"), including Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
• If you are using a Mozilla Firefox browser, you must enable JavaScript (see "Enabling JavaScript in a Firefox browser").

Enabling security settings in a Microsoft Internet Explorer browser


1. Launch the Internet Explorer, and select Tools > Internet Options from the main menu.
2. Select the Security tab, and select the content zone where the target Website resides, as shown
in Figure 13.
Figure 13 Internet Explorer settings (1)

3. Click Custom Level.


4. In the Security Settings dialog box, enable Run ActiveX controls and plug-ins, Script ActiveX
controls marked safe for scripting, and Active scripting.

Figure 14 Internet Explorer settings (2)

5. Click OK to save your settings.

Enabling JavaScript in a Firefox browser


1. Launch the Firefox browser, and select Tools > Options.
2. In the Options dialog box, click the Content icon, and select Enable JavaScript.

Figure 15 Firefox browser settings

3. Click OK to save your settings.

Others
• Make sure the management PC and the device can reach each other.
• Do not use the Back, Forward, or Refresh buttons provided by the browser. Using these buttons might result in Web page display problems.
• To ensure correct display of Web page contents after a software upgrade or downgrade, clear the data cached by the browser before you log in.
• Up to 24 users can concurrently log in to the device through the Web interface.
• After logging in to the Web interface, you can select Device > Users from the navigation tree to create a new user, and select Wizard or Network > VLAN interface to configure the IP address of the VLAN interface acting as the management interface.
• You can also log in to the Web interface through HTTPS, but you must enable HTTPS on the device, and the address you enter in the address bar must start with https://. For more information, see "Configuring service management." Plain HTTP carries the login credentials and all configuration data in clear text, so use HTTPS whenever the management path crosses a network you do not fully control.
• If you have configured the auto authentication mode for HTTPS login users by using the web https-authorization mode command, the user is authenticated automatically by PKI certificate, without entering a username and password. For more information, see Fundamentals Configuration Guide.

Logging in to the Web interface
You can use the following default settings to log in to the Web interface through HTTP:
• Username—admin
• Password—admin
• IP address of VLAN-interface 1 of the device—192.168.0.100.
These defaults are the same on every unit. Change the admin password during the first login (the Admin Configuration page of the Quick Start wizard does this), and consider restricting management access with Security > Authorized IP.
To log in to the switching engine through HTTP:
1. Connect a GigabitEthernet interface of the device to a PC by using a crossover Ethernet cable.
By default, all interfaces belong to VLAN 1.
The PC in this procedure is used for configuring basic device settings, and it is not necessarily the PC you use for Web-based management.
2. Configure an IP address for the PC and make sure the PC and device can reach each other.
For example, assign the PC an address in 192.168.0.0/24 other than 192.168.0.100, such as 192.168.0.2.
3. Open the browser, and enter the login information.
a. In the address bar, type http://192.168.0.100, and press Enter.
The login page of the Web interface (see Figure 16) appears.
b. Enter the username admin and password admin, and click Login.
Figure 16 Logging in to the Web interface

c. Select a country/region code from the Country/Region list, and click Apply.

Figure 17 Selecting a country/region code

Logging out of the Web interface


CAUTION:
You cannot log out by directly closing the browser.

To log out of the Web interface:


1. Save the current configuration.
Because the system does not save the current configuration automatically, HP recommends that
you perform this step to avoid loss of configuration.
2. Click Logout in the upper-right corner of the Web interface, as shown in Figure 18.

Figure 18 Web-based configuration interface

(1) Navigation area (2) Body area (3) Title area

Quick Start

Quick Start wizard home page


From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard.
Figure 19 Home page of the Quick Start wizard

Basic configuration
1. On the home page of the Quick Start wizard, click Start.
The basic configuration page appears.

Figure 20 Basic configuration page

2. Configure the parameters as described in Table 4.


Table 4 Configuration items

Item / Description
System Name: Specify the name of the current device. By default, the system name of the device is HP.
Country/Region Code: Select the code of the country or region in which the device is located. This setting defines the radio frequency characteristics, such as the transmit power and the total number of channels available for frame transmission, so configure it correctly before configuring anything else. If the Country/Region Code field is grayed out, it cannot be modified.
Time Zone: Select a time zone for the system.
Time: Specify the current date and time.

Admin configuration
1. On the basic configuration page, click Next.
The Admin Configuration page appears.

Figure 21 Admin Configuration page

2. Configure the parameters as described in Table 5.


Table 5 Configuration items

Item / Description
Password: Specify the password that the user admin uses to log in to the device. The device stores it in cipher text, using the method selected under Password Encryption.
Confirm Password: Enter the password again to confirm it.
Password Encryption: Select the password encryption method:
• Reversible
• Irreversible
Prefer Irreversible. A reversibly encrypted password can be recovered by anyone who can read the configuration file, whereas an irreversibly encrypted (hashed) password cannot.

IP configuration
1. On the Admin Configuration page, click Next.
The IP Configuration page appears.

Figure 22 IP Configuration page

2. Configure the parameters as described in Table 6.


Table 6 Configuration items

Item / Description
IP Address: Specify the IP address of VLAN-interface 1. This IP address is used for logging in to the device. The default is 192.168.0.100.
Mask: Specify the IP address mask of VLAN-interface 1. By default, the mask is 24 bits long.
Default Gateway: Specify the IP address of the default gateway that connects the device to the network. By default, no default gateway is specified.

Wireless configuration
1. On the IP Configuration page, click Next.
The wireless configuration page appears.

Figure 23 Wireless configuration page

2. Configure the parameters as described in Table 7.


Table 7 Configuration items

Item / Description
Primary Service Authentication type: Select the authentication type for the wireless service:
• None—Performs no authentication.
• User authentication (802.1X)—Performs 802.1X authentication.
• Portal—Performs portal authentication.
Wireless Service: Specify the Service Set Identifier (SSID).
Encrypt: Select this box to go to the 7/13: Encryption Configuration step. By default, no encryption is performed. If this option is not selected, the 7/13: Encryption Configuration step is skipped.

RADIUS configuration
1. On the wireless configuration page, select User authentication (802.1X) or Portal for the Primary Service Authentication Type field.
2. Click Next.
The RADIUS Configuration page appears.
Figure 24 RADIUS Configuration page

3. Configure the parameters as described in Table 8.


Table 8 Configuration items

Item / Description
Service Type: Select the type of the RADIUS server:
• extended—Specifies an extended RADIUS server, which is usually an IMC server. The RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of a private RADIUS protocol.
• standard—Specifies a standard RADIUS server. The RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of the standard RADIUS protocols (RFC 2138 and RFC 2139, since obsoleted by RFC 2865 and RFC 2866, and their updates).
Authentication IP: Enter the IP address of the RADIUS authentication server.
Authentication UDP Port: Enter the UDP port number of the RADIUS authentication server.
Authentication Key: Enter the shared key of the RADIUS authentication server.
Accounting IP: Enter the IP address of the RADIUS accounting server.
Accounting UDP Port: Enter the UDP port number of the RADIUS accounting server.
Accounting Key: Enter the shared key of the RADIUS accounting server.
The shared key is never transmitted. It hides user passwords in Access-Request packets and authenticates every reply from the server, so use a long random value and make sure it matches exactly on the AC and on the server.
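The following Python, added here and not taken from the HP guide or its software, shows what the shared key entered on this page protects on the wire for a standard (RFC 2865) server. It builds an Access-Request whose User-Password is hidden with the MD5 stream seeded by the key and the Request Authenticator, then verifies the server's Response Authenticator and rejects a reply computed under a different key, which is the check that stops an on-path attacker from injecting an Access-Accept. The secret, user name, NAS address and other values are assumptions chosen for the example; the code only implements the message encoding and does not contact a server.

```python
"""RADIUS Access-Request building and reply verification per RFC 2865.

Added example, not part of the HP guide or its software. All values
(secret, user, NAS address) are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR block i with
    MD5(secret + previous block); the first "previous block" is the
    Request Authenticator, which is why it must be unpredictable."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, bytearray()
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password. Trailing NUL padding is removed,
    so a password that itself ends in NUL bytes cannot be represented."""
    prev, out = request_auth, bytearray()
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: bytes,
                         password: bytes, nas_ip: str,
                         request_auth: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server that knows the secret sends back for `request`."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Accept a reply only if it answers our request (same Identifier) and
    its authenticator was computed with our secret; anything else is
    dropped, so a forged Access-Accept from the path is not honoured."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"example-shared-key"            # assumption, not a real key
    req = build_access_request(7, secret, b"alice", b"s3cret!", "192.168.0.100")
    ok = build_response(ACCESS_ACCEPT, req, secret)
    print("genuine reply accepted:", verify_response(ok, req, secret))
    print("reply under wrong key accepted:", verify_response(ok, req, b"wrong-key"))
```

Two points worth noting from the code: the Request Authenticator must be fresh and unpredictable per request, because it is the only thing that prevents two requests carrying the same password from producing the same hidden value, and the Response Authenticator is only as strong as the shared key, which is the reason a long random key is recommended above.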

Portal configuration
1. On the wireless configuration page, select Portal for the Primary Service Authentication Type field.
2. Click Next.
The RADIUS Configuration page appears.
3. After you complete RADIUS configuration, click Next.
The Portal Configuration page appears.
Figure 25 Portal configuration page

4. Configure the parameters as described in Table 9.


Table 9 Configuration items

Item / Description
Server-name: Specify the name of the portal server.
Server-IP: Enter the IP address of the portal server.
Port: Enter the port number of the portal server.
Redirect-URL: Enter the URL of the portal authentication server to which unauthenticated users are redirected.
Method: Specify the portal authentication method to be used:
• Direct—Before authentication, a user manually configures an IP address or directly obtains a public IP address through DHCP, and can access only the portal server and the predefined free websites. After passing authentication, the user can access the network resources. The authentication process is simpler than that of re-DHCP authentication.
• Layer3—Layer 3 authentication is similar to direct authentication, but allows Layer 3 forwarding devices to be present between the authentication client and the access device.
• Redhcp—Before authentication, a user gets a private IP address through DHCP and can access only the portal server and the predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resources.


Encryption configuration
1. To use the encryption service, select the Encrypt option on the wireless configuration page
in Figure 23.
If you have selected portal or 802.1X authentication on that page, you enter the encryption
configuration page (see Figure 26) after completing the authentication configuration. If none of the
authentication methods is selected, you directly enter the encryption configuration page.
Figure 26 Encryption Configuration page

2. Configure the parameters as described in Table 10.

Table 10 Configuration items

Item Description
Provide Key Automatically Specify whether to use WEP keys provided automatically or use static WEP keys.
• Enable—Use WEP keys provided automatically.
• Disable—Use static WEP keys.
By default, static WEP keys are used.
After you select Enable, WEP104 is displayed for WEP.

IMPORTANT:
Automatically provided WEP keys must be used together with 802.1X authentication. Therefore, this option is available only after you select User authentication (802.1X) for Primary Service Authentication type on the wireless configuration page.

WEP Select the key type of the WEP encryption mechanism: WEP40, WEP104, or WEP128.

Key ID Select the WEP key index: 1, 2, 3, or 4. Each number represents one of the four static keys of WEP. The selected key index will be used for frame encryption and decryption.

IMPORTANT:
If you select the option to enable Provide Key Automatically, only 1, 2, and 3 are available for the Key ID option.

Key Length Select the key length.
• When the key type is WEP40, the key length can be five alphanumeric characters or 10 hexadecimal characters.
• When the key type is WEP104, the key length can be 13 alphanumeric characters or 26 hexadecimal characters.
• When the key type is WEP128, the key length can be 16 alphanumeric characters or 32 hexadecimal characters.

WEP Key Enter the WEP key.

AP configuration
1. On the guest service configuration page, click Next.
The AP Configuration page appears.
2. Configure an AP and click Add.
You can configure multiple APs on the page. The section at the bottom of the page displays all
existing APs.

Figure 27 AP Configuration page

3. Configure the parameters as described in Table 11.


Table 11 Configuration items

Item Description
AP Name Enter the name of the AP.

Model Select the model of the AP.

Serial ID Specify the serial ID of the AP.
• If the Auto box is not selected, you need to manually enter a serial ID.
• If the Auto box is selected, the AC automatically searches the serial ID of the AP. Use this option together with the auto AP function to implement automatic AP discovery so that the AP can connect with the AC automatically. If there are a large number of APs, the automatic AP discovery function can avoid repeated configuration of AP serial numbers. For information about configuring auto AP, see "Configuring APs."

Country/Region Code Select a country/region code for the AP.
By default, no country/region code is configured for the AP and the AP uses the global country/region code (which is configured on the AC). If the country/region code is specified on this page, the AP uses this configuration. For information about the country/region code configured on the AC, see "Configuring advanced settings."

Radio Radio unit of the AP. The radio unit varies depending on the AP model.

Mode Select the radio mode. The radio mode varies depending on the AP model.

Channel Select the working channel.
The channel list for the radio depends on the country/region code and radio mode, and it varies with device models.
Auto: Specifies the automatic channel mode. With Auto specified, the AC evaluates the quality of channels in the wireless network, and selects the best channel as the working channel.
After the channel is changed, the power list is refreshed.

Power Select the transmission power.
The maximum power of the radio depends on the country/region code, working channel, AP model, radio mode, and antenna type. If 802.11n is specified as the radio mode, the maximum power of the radio also depends on the bandwidth mode.

Configuration summary
1. On the AP Configuration page, click Next.
The configuration summary page appears, displaying all configurations you have made.
Figure 28 Configuration summary page

2. Click Finish to save your configurations.

Displaying information summary

Device information
You can view the following information on the Device Info menu:
• Device information
• System resource state
• Device interface information
• Recent system logs (five at most)
After logging in to the Web interface, you enter the Summary > Device Info page.
Figure 29 Device info page

Select the refresh mode from the Refresh Period list.


• If you select a specific refresh period (for example, 1 minute), the system periodically refreshes the
Device Info page according to the selected refresh period.
• If you select Manual, you need to click Refresh to refresh the page.

Device info
Table 12 Field description

Field Description
Device Name Display the device model.

Product Information Display the product information.

Device Location Display the location of the device. To configure the device location information, select Device > SNMP > Setup. For more information, see "Configuring SNMP."

Contact Information Display the contact information for device maintenance. To configure the contact information, select Device > SNMP > Setup. For more information, see "Configuring SNMP."

SerialNum Display the serial number of the device.

Software Version Display the software version of the device.

Hardware Version Display the hardware version of the device.

Bootrom Version Display the Boot ROM version of the device.

Running Time Display the running time after the latest boot of the device.

System resource state


Table 13 Field description

Field Description
CPU Usage Display the real-time CPU usage.

Memory Usage Display the real-time memory usage and the total memory size.

Temperature Display the temperature of the device.

Device interface information


Table 14 Field description

Field Description
Interface Display interface name and interface number.

IP Address/Mask Display the IP address and mask of an interface.

Status Display interface status, indicated by an icon:
• The interface is up and is connected.
• The interface is up, but not connected.
• The interface is down.

For more information about device interfaces, click More below the Device Interface Information area to
enter the Device > Interface page to view and operate the interfaces. For more information, see
"Managing interfaces."

Recent system logs
Table 15 Field description

Field Description
Time Display the time when the system logs are generated.

Level Display the level of the system logs.

Description Display the contents of the system logs.

For more information about system logs, click More below the Recent System Operation Logs area to
enter the Device > Syslog > Loglist page to view the logs. For more information, see "Managing logs."

Displaying WLAN service


1. Select Summary > Wireless Service from the navigation tree.
2. Click the specified WLAN service to view the detailed information, statistics, or connection history.

Displaying detailed information about WLAN service


Figure 30 shows the page that displays detailed information about clear-type WLAN services. Table 16
describes the fields on the page.
Figure 30 Displaying detailed information about the WLAN service (clear type)

Table 16 Field description

Field Description
Service Template Number Service template number.

SSID Service set identifier (SSID) for the ESS.

Description Description for the service template. If no description is configured, this field displays Not Configured.

Binding Interface Name of the interface bound with the service template.

Service Template Type Service template type.

Authentication Method Type of authentication used. WLAN service of the clear type only uses open system authentication.

Authentication Mode Authentication mode:
• Central—Uses AC central authentication.
• Local—Uses AP local authentication.
• Backup—Uses backup authentication.
Beacon-measurement Enable—Enables beacon measurement.

Beacon-measurement Interval Intervals (in seconds) at which beacon measurement requests are sent.

Beacon-measurement Type Beacon measurement type: Passive, Active, or Beacon-table.


SSID-hide
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.

Bridge Mode Forwarding mode:
• Local forwarding—Uses local forwarding in the service template.
• Remote forwarding—Uses AC remote forwarding in the service template.

PMF Status Status of management frame protection:
• Disable—Management frame protection is disabled.
• Optional—Management frame protection is enabled and all clients can associate with the AP.
• Mandatory—Management frame protection is enabled and only clients supporting management frame protection can associate with the AP.

Service Template Status Status of service template:
• Enable—WLAN service is enabled.
• Disable—WLAN service is disabled.
Maximum clients per BSS Maximum number of associated clients per BSS.

ip verify source Status of IPv4 source address verification:
• Enable—Verifies the source address of an IPv4 client.
• Disable—Does not verify the source address of an IPv4 client.

ipv6 verify source Status of IPv6 source address verification:
• Enable—Verifies the source address of an IPv6 client.
• Disable—Does not verify the source address of an IPv6 client.
Bonjour Policy Name of the Bonjour policy applied to the service template.

Figure 31 shows the page that displays detailed information about crypto-type WLAN services. Table 17
describes the fields on the page.

Figure 31 Displaying detailed information about the WLAN service (crypto type)

Table 17 Field description

Field Description
Service Template Number Service template number.

SSID SSID for the ESS.

Description Description for the service template. If no description is configured, this field displays Not Configured.

Binding Interface Name of the interface bound with the service template.

Service Template Type Service template type.

Security IE Security IE: WPA or WPA2 (RSN)

Authentication Method Authentication method: open system or shared key.

Authentication Mode Authentication mode:
• Central—Uses AC centralized authentication.
• Local—Uses AP local authentication.
• Backup—Uses backup authentication.
Beacon-measurement Enable—Enables beacon measurement.

Beacon-measurement Interval Intervals (in seconds) at which beacon measurement requests are sent.

Beacon-measurement Type Beacon measurement type: Passive, Active, or Beacon-table.

SSID-hide
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.
WEP Key Index WEP key index used for encrypting or decrypting frames.

WEP Key Mode WEP key mode:
• HEX—The WEP key is a hexadecimal number string.
• ASCII—The WEP key is a character string.
WEP Key WEP key.

Cipher Suite Cipher suite: AES-CCMP, TKIP, WEP40, WEP104, or WEP128.

TKIP Countermeasure Time(s) TKIP countermeasure time in seconds.

PTK Life Time(s) PTK lifetime in seconds.

GTK Rekey GTK rekey configured.

GTK Rekey Method GTK rekey method configured: packet based or time based.

GTK Rekey Time(s) Time for GTK rekey in seconds.
• If Time is selected, the GTK will be refreshed after a specified period of time.
• If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.

Bridge Mode Forwarding mode:
• Local forwarding—Uses local forwarding in the service template.
• Remote forwarding—Uses AC remote forwarding in the service template.

Service Template Status Status of service template:
• Enable—Enables WLAN service.
• Disable—Disables WLAN service.
Maximum clients per BSS Maximum number of associated clients per BSS.

ip verify source Status of IPv4 source address verification:
• Enable—Verifies the source address of an IPv4 client.
• Disable—Does not verify the source address of an IPv4 client.

ipv6 verify source Status of IPv6 source address verification:
• Enable—Verifies the source address of an IPv6 client.
• Disable—Does not verify the source address of an IPv6 client.
Bonjour Policy Name of the Bonjour policy applied to the service template.
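Reading Table 17 together with the WEP key lengths given under Encryption configuration (Table 10), the following Python, an added example and not code from the HP guide or the product, audits a service template's displayed fields for weak settings and checks a shown WEP key against its declared key mode. The `Field: Value` input layout, the checks and the severity labels are this example's own assumptions.

```python
"""Audit a WLAN service template from the fields shown on the
Summary > Wireless Service detail page (Table 17).

Added example, not part of the HP guide or product: field names and values
are the ones the page lists; the "Field: Value" input format, the checks
and the severity labels are this example's own choices."""
import re

# WEP key length rule from the Encryption Configuration table (Table 10):
# key type -> (ASCII character count, hexadecimal character count)
WEP_KEY_LENGTHS = {"WEP40": (5, 10), "WEP104": (13, 26), "WEP128": (16, 32)}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def wep_key_mode(key_type, key):
    """Return 'HEX' or 'ASCII' when key fits the length rule for key_type,
    otherwise None. A HEX key must also consist of hexadecimal digits."""
    if key_type not in WEP_KEY_LENGTHS:
        raise ValueError("unknown WEP key type: %r" % key_type)
    ascii_len, hex_len = WEP_KEY_LENGTHS[key_type]
    if len(key) == hex_len and re.fullmatch(r"[0-9A-Fa-f]+", key):
        return "HEX"
    if len(key) == ascii_len and key.isascii() and key.isprintable():
        return "ASCII"
    return None


def parse_detail(text):
    """Parse constructed 'Field: Value' lines into a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def audit_service_template(fields):
    """Return (severity, field, message) findings, most severe first."""
    findings = []
    ciphers = {c.strip() for c in fields.get("Cipher Suite", "").split(",") if c.strip()}
    wep_ciphers = sorted(ciphers & set(WEP_KEY_LENGTHS))

    if fields.get("Service Template Type", "").lower() == "clear":
        findings.append(("HIGH", "Service Template Type",
                         "clear type: client traffic is not encrypted"))
    if wep_ciphers:
        findings.append(("HIGH", "Cipher Suite",
                         "%s in use; WEP is broken, move to AES-CCMP" % "/".join(wep_ciphers)))
    if "TKIP" in ciphers:
        findings.append(("MEDIUM", "Cipher Suite", "TKIP is deprecated; allow AES-CCMP only"))
    if fields.get("Authentication Method", "").lower() == "shared key":
        findings.append(("HIGH", "Authentication Method",
                         "shared-key authentication exposes WEP key stream material"))
    if fields.get("Security IE") == "WPA":
        findings.append(("MEDIUM", "Security IE", "WPA negotiated; prefer WPA2 (RSN)"))
    if fields.get("PMF Status") == "Disable":
        findings.append(("LOW", "PMF Status", "management frame protection disabled"))
    for name in ("ip verify source", "ipv6 verify source"):
        if fields.get(name) == "Disable":
            findings.append(("LOW", name, "source address verification disabled"))
    # Cross-check the displayed WEP key against the declared mode and key type.
    if wep_ciphers and "WEP Key" in fields:
        mode = wep_key_mode(wep_ciphers[0], fields["WEP Key"])
        declared = fields.get("WEP Key Mode", "").upper()
        if mode is None:
            findings.append(("HIGH", "WEP Key", "key length does not fit %s" % wep_ciphers[0]))
        elif declared and mode != declared:
            findings.append(("MEDIUM", "WEP Key Mode",
                             "declared %s but key looks like %s" % (declared, mode)))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def max_severity(findings):
    """Worst severity label in findings, or 'OK' when there are none."""
    return findings[0][0] if findings else "OK"


# Constructed samples in the layout of Table 17 (not captured from a device).
SAMPLE_WEP = """\
SSID: guest-legacy
Service Template Type: crypto
Authentication Method: shared key
WEP Key Mode: ASCII
WEP Key: abcde
Cipher Suite: WEP40
ip verify source: Disable
"""

SAMPLE_RSN = """\
SSID: corp
Service Template Type: crypto
Security IE: WPA2 (RSN)
Authentication Method: open system
Cipher Suite: AES-CCMP
PMF Status: Mandatory
ip verify source: Enable
"""
```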

Displaying WLAN service statistics
Figure 32 Displaying WLAN service statistics

Displaying connection history information for the WLAN service
Figure 33 Displaying connection history information for the WLAN service

Displaying AP
Displaying WLAN service information for an AP
1. Select Summary > AP from the navigation tree.
2. Click the Wireless Service tab on the page.
3. Click the name of the specified AP to view the WLAN service information for the AP.

Figure 34 Displaying WLAN service information

Displaying AP connection history information


1. Select Summary > AP from the navigation tree.
2. Click the Connection History tab.
3. Click the name of the specified AP to view the connection history information for the AP.

Figure 35 Displaying AP connection history information

Displaying AP radio information


1. Select Summary > AP from the navigation tree.
2. Click the Radio tab.
3. Click the name of the specified AP to view the radio statistics about the AP.

Figure 36 Displaying AP radio information

The Noise Floor item in the table indicates various random electromagnetic waves that occur during the
wireless communication. For an environment with a high noise floor, you can improve the signal-to-noise
ratio (SNR) by increasing the transmit power or reducing the noise floor.
The Service Type item in the table has these options: None, Access, and Mesh.
Resource Usage represents the resource utilization of a radio within a certain period. For example, in a
period of 10 seconds, if a radio has occupied the channel for five seconds, the resource utilization of the
radio is 5 seconds divided by 10 seconds: 50%.
Table 18 Field description

Field Description
AP name Access point name.

Radio Id Radio ID.

Transmitted Frames Statistics Statistics of transmitted frames.

Total Frames Total number of frames (probe response frames and beacon frames) transmitted. Total Frames = Unicast Frames + Broadcast/Multicast Frames + Others.

Unicast Frames Number of unicast frames (excluding probe response frames) transmitted.

Broadcast/Multicast Frames Number of broadcast or multicast frames (excluding beacon frames) transmitted.

Others Total number of other type of frames transmitted.

Discard Frames Number of frames discarded.

Retry Count Number of transmission retries.

Multiple Retry Count Number of frames that have been retransmitted.

Authentication Frames Number of authentication responses transmitted.

Failed RTS Number of RTSs failed during transmission.

Successful RTS Number of RTSs transmitted successfully.

Failed ACK Number of transmitted frames for which no acknowledgement is received.

Association Frames Number of association responses transmitted.

Packet Count Statistics Based on Size Packet statistics classified by packet size.

Packet Count Statistics Based on Rate Packet statistics classified by rate.

Packet Count Statistics Based on 802.11n Rate Packet statistics classified by 802.11n rate. The field is not displayed if the device does not support 802.11n.

Received Frames Statistics Statistics of received frames.

Total Frames Number of frames received.

Unicast Frames Number of unicast frames received.

Broadcast/Multicast Frames Number of broadcast or multicast frames received.

Fragmented Frames Number of fragmented frames received.

FCS Failures Number of frames dropped due to FCS failure.

Authentication Frames Number of authentication requests received.

Duplicate Frames Number of duplicate frames received.

Decryption Errors Number of frames dropped due to decryption error.

Association Frames Number of association requests received.

Displaying tunnel latency information


1. Select Summary > AP from the navigation tree.
2. Click the Tunnel Latency tab.
3. Click the name of the specified AP to view the tunnel latency information for the AP.

Figure 37 Displaying tunnel latency information

Displaying AP detailed information


1. Select Summary > AP from the navigation tree.
2. Click the Detail tab on the page.
3. Click the name of the specified AP to view the detailed information about the AP.
Figure 38 Displaying AP detailed information

Table 19 Field description

Field Description
APID Access point identifier.

AP System Name Access point name.

Map Configuration Configuration file mapped to the AP.

State Current state of the AP:
• ImageDownload—The AP is downloading the version. If the ImageDownload state persists, check the following: 1) The version of the fit AP saved on the AC matches with the version that the AC requires; 2) The space of the flash is enough.
• Idle—The AP is idle. If the Idle state persists, check the following: 1) If the fields of Latest IP Address and Tunnel Down Reason are displayed as -NA-, it indicates that the AP has never connected to the AC successfully. You need to check the network cable, power supply of the fit AP, and the AP serial number if the serial number was manually entered. 2) If the fields of Latest IP Address and Tunnel Down Reason are displayed as other contents, it indicates that the AP has connected to the AC successfully. See the output of the Tunnel Down Reason field for the detailed reason.
• Run—The AP is operating. It indicates that the AP has connected to the AC successfully.
• Config—The AC is delivering a configuration file to the fit AP, and the fit AP is collecting radio information through the radio interface and reporting to the AC. This state is an instantaneous state.

Up Time(hh:mm:ss) Time duration for which the AP has been connected to the AC. NA indicates that the AP is not connected to the AC.

Model AP model name.

Serial-ID Serial ID of the AP.

IP Address IP address of the AP.

H/W Version Hardware version of the AP.

S/W Version Software version of the AP.

Boot-Rom version Boot ROM version of the AP.

Description Description of the AP.

Connection Type AP connection type: Master or Backup.

Peer AC MAC Address Peer AC MAC address in case of AC backup.

Priority Level AP connection priority.

Echo Interval(s) Interval for sending echo requests, in seconds.

Statistics report Interval(s) Interval for sending statistics messages, in seconds.

Cir (Kbps) Committed information rate in kbps.

Cbs (Bytes) Committed burst size in bytes.

Jumboframe Threshold Threshold value of jumbo frames.

Transmitted control packets Number of transmitted control packets.

Received control packets Number of received control packets.

Transmitted data packets Number of transmitted data packets.

Received data packets Number of received data packets.

Configuration Failure Count Count of configuration request message failures.

Last Failure Reason Last configuration request failure reason.

Last Reboot Reason Last reboot reason of the AP:
• Normal—The AP was powered off.
• Crash—The AP crashed, and the information is needed for analysis.
• Tunnel Initiated—The reset wlan ap command is executed on the AC (in this case, the Tunnel Down Reason is displayed as Reset AP).
• Tunnel Link Failure—The fit AP rebooted abnormally because an error occurred when the AP was establishing a connection with the AC.

Latest IP Address The latest IP address of the AP.

Tunnel Down Reason The tunnel between the AC and the AP is down when one of the following occurs:
• Neighbor Dead Timer Expire—The AC does not receive an Echo request from the AP within three times the handshake interval.
• Response Timer Expire—The AC sends a control packet to the AP but does not receive any response within the specified waiting time.
• Reset AP—The AP is rebooted by the execution of a command on the AC.
• AP Config Change—The corresponding configurations are modified on the AC.
• No Reason—Other reasons.

Connection Count Connection count between the AP and AC. This field is reset in one of the following situations:
• AC is rebooted.
• You re-configure an AP template after deleting the old one.
If you click Reboot on this page to reboot the AP, the connection count will not be reset.

Bonjour Policy Name of the Bonjour policy applied to the AP.

AP Mode Mode supported by the AP. Currently only the split MAC mode is supported.

AP operation mode Operation mode of AP. Currently Normal and Monitor modes are supported.

Portal Service Whether the portal service is enabled.

Device Detection Whether device detection is enabled.

Maximum Number of Radios Maximum number of radios supported by the AP.

Current Number of Radios Number of radios in use on the AP.

Client Keep-alive Interval Interval to detect clients segregated from the system due to various reasons (such as power failure or crash) and disconnect them from the AP.

Client Idle Interval(s) If the client is idle for more than the specified interval (if the AP does not receive any data from the client within the specified interval), the client will be removed from the network.

Broadcast-probe Reply Status Whether the AP is enabled to respond to broadcast probe requests.

Basic BSSID MAC address of the AP.

Current BSS Count Number of BSSs connected with the AP.

Running Clients Count Number of clients currently running.

Wireless Mode Wireless mode: 802.11a, 802.11b, 802.11g, 802.11an, or 802.11gn.


Client Dot11n-only
• Enabled—Only 802.11n clients can be associated with the AP.
• Disabled—802.11a/b/g/n clients can be associated with the AP.
Channel Band-width Channel bandwidth: 20 MHz or 40 MHz.

Secondary channel offset Secondary channel information for 802.11n radio mode:
• SCA (Second Channel Above)—The AP operates in 40 MHz bandwidth mode, and the secondary channel is above the primary channel.
• SCB (Second Channel Below)—The AP operates in 40 MHz bandwidth mode, and the secondary channel is below the primary channel.
• SCN—The AP operates in 20 MHz bandwidth mode.

HT protection mode 802.11n protection modes:
• no protection mode(0)—The clients associated with the AP, and the wireless devices within the coverage of the AP operate in 802.11n mode, and all the clients associated with the AP operate in either 40 MHz or 20 MHz mode.
• Non-member mode(1)—The clients associated with the AP operate in 802.11n mode, but non-802.11n wireless devices exist within the coverage of the AP.
• 20 MHz mode(2)—The radio mode of the AP is 40 MHz. The clients associated with the AP and the wireless devices within the coverage of the AP operate in 802.11n mode, and at least one 802.11n client operating in 20 MHz mode is associated with the radio of the AP.
• Non-HT mix mode(3)—All situations except the above three.
Short GI for 20MHz Whether the AP supports short GI when it operates in 20 MHz mode.

Short GI for 40MHz Whether the AP supports short GI when it operates in 40 MHz mode.

Mandatory MCS Set Mandatory MCS for the AP.

Supported MCS Set Supported MCS for the AP.

A-MSDU Status of the A-MSDU function: enable or disable.

A-MPDU Status of the A-MPDU function: enable or disable.

Configured Channel Operating channel:
• If the channel is manually configured, the configured channel number is displayed.
• If the channel is automatically selected, auto(channel) is displayed, where channel is the optimal channel automatically selected by the AC.
• If the AP operates in 802.11n radio mode and 40 MHz bandwidth mode, this field displays the primary channel.

Configured Power(dBm) Transmission power on the radio:
• If one-time (transmit power control) is adopted, the configured transmit power is displayed.
• If auto TPC is adopted, two values are displayed, with the first being the maximum power, and the second auto (number), where number in the brackets represents the actual power.

Interference (%) Interference observed on the operating channel, in percentage.

Channel Load (%) Load observed on the operating channel, in percentage.

Utilization (%) Utilization rate of the operating channel, in percentage.

Co-channel Neighbor Count Number of neighbors found on the operating channel.

Channel Health Status of the channel.

Preamble Type Type of preamble that the AP can support: short or long.

Radio Policy Radio policy used.

Service Template Service template number.

SSID SSID for the ESS.

Port WLAN-DBSS interface associated with the service template.

Mesh Policy Mesh policy adopted.

ANI Support ANI (Adaptive Noise Immunity) status: enable or disable.

11g Protection 802.11g protection status: enable or disable.

Admin State Administrative state of the radio.

Physical State Physical state of the radio.

Operational Rates (Mbps) Operational rates in Mbps.

Radar detected Channels Channels on which radar signals are detected.

Antenna Type Antenna type of the radio.

Resource Using Ratio Resource utilization of the radio.

Noise Floor Noise floor of the radio.

Displaying AP connection records


1. Select Summary > AP from the navigation tree.
2. Click the AP Connection Record tab to view the connection records.

Figure 39 Displaying AP connection records

Table 20 Field description

Field Description
Status Connection status:
• Discovery—The AC only receives discovery packets from the AP.
• Join—The AP fails to connect with the AC due to tunnel failure.
• Run—The AP has successfully connected with the AC, and the AP is running.
• Offline—The AP has successfully connected with the AC, but the AP is offline.

Time The meaning of this field varies with the connection status of the AP:
• Discovery—Last time the AC received a discovery request.
• Join—Last time the AC received a Join packet.
• Run—Time when the AP entered the Run state.
• Offline—Time when the AP went offline.

Displaying clients
Select Summary > Client from the navigation tree.
Figure 40 Displaying clients

Table 21 Field description

Field Description
Refresh Refresh the current page.

Add to Blacklist Add the selected client to the static blacklist, which you can display by selecting Security > Filter from the navigation tree.

Reset Statistic Clear statistics of the specified client.

Disconnect Log off the selected client.

Displaying client detailed information


1. Select Summary > Client from the navigation tree.
2. Click the Detail Information tab on the page.
3. Click the name of the specified client to view the detailed information about the client.
Figure 41 Displaying client detailed information

Table 22 Field description

Field Description
MAC address MAC address of the client.

AID Association ID of the client.

User Name Username of the client.
• The field is displayed as –NA– if the client adopts plain-text authentication or an authentication method that does not require a username.
• The field is irrelevant to the portal authentication method. If the client uses the portal authentication method, the field does not display the portal username of the client.

AP Name Name of the AP.

Radio Id Radio ID of the client.

Service Template Number Service template number of the client.

SSID SSID of the AP.

BSSID BSSID of the AP.

Port WLAN-DBSS interface associated with the client.

VLAN VLAN to which the client belongs.

State State of the client. Backup indicates a backup client.

Power Save Mode Client's power save mode: active or sleep.

Wireless Mode Wireless mode: 802.11a, 802.11b, 802.11g, 802.11an, or 802.11gn.

Channel Band-width Channel bandwidth: 20 MHz or 40 MHz.

SM Power Save Enable SM Power Save enables a client to have one antenna in active state, and others in sleep state to save power.
• Enabled—SM Power Save is supported.
• Disabled—SM Power Save is not supported.

Short GI for 20MHz Whether the client supports short GI when its channel bandwidth is 20 MHz:
• Not Supported.
• Supported.

Short GI for 40MHz Whether the client supports short GI when its channel bandwidth is 40 MHz:
• Not Supported.
• Supported.

Support MCS Set MCS supported by the client.

BLOCK ACK-TID 0 BLOCK ACK is negotiated based on QoS priority ID:
• OUT—Outbound direction.
• IN—Inbound direction.
• BOTH—Both directions.
QoS Mode Whether the AP supports the WMM function.

Listen Interval (Beacon Interval) Specifies how often the client wakes up to receive frames saved in the AP and is expressed in units of beacon intervals.

RSSI Received signal strength indication. This value indicates the client signal strength detected by the AP.

Rx/Tx Rate Represents the frame transmission/reception rate of the client, including data, management, and control frames. For the AC + fit AP mode, there is a delay because the Rx Rate is transmitted from AP to AC periodically depending on the statistics interval.

Client Type Client type: RSN, WPA, or Pre-RSN.

Authentication Method Authentication method: open system or shared key.

AKM Method AKM suite used: Dot1X or PSK.

Key Derivation Key derivation type:
• SHA1—Applies the HMAC-SHA1 hash algorithm.
• SHA256—Applies the HMAC-SHA256 hash algorithm.
• -NA—The authentication type that the client is using does not involve any key derivation algorithm.

4-Way Handshake State Displays the 4-way handshake states:
• IDLE—Displayed in initial state.
• PTKSTART—Displayed when the 4-way handshake is initialized.
• PTKNEGOTIATING—Displayed after valid message 3 was sent.
• PTKINITDONE—Displayed when the 4-way handshake is successful.

Group Key State Displays the group key states:
• IDLE—Displayed in initial state.
• REKEYNEGOTIATE—Displayed after the AC sends the initial message to the client.
• REKEYESTABLISHED—Displayed when re-keying is successful.
Encryption Cipher Encryption password: clear or crypto.

PMF Status Status of management frame protection:
• Active—Supports management frame protection.
• Inactive—Does not support management frame protection.
• -NA—The authentication type that the client is using does not involve management frame protection.

Roam Status Displays the roaming status: Normal or Fast Roaming.

Roam Count Roaming count of the client:
• For intra-AC roaming, this field is reset after the client is disassociated from the AP connected to the AC.
• For inter-AC roaming, this field is reset after the client leaves the mobility group to which the AC belongs.

Up Time Time for which the client has been associated with the AP.

Displaying client statistics


1. Select Summary > Client from the navigation tree.
2. Click the Statistic Information tab on the page.
3. Click the name of the specified client to view the statistics of the client.

Figure 42 Displaying client statistics

Table 23 Field description

Field Description
AP Name Name of the associated access point.

Radio Id Radio ID.

SSID SSID of the AP.

BSSID BSSID of the AP.

MAC Address MAC Address of the client.

RSSI Received signal strength indication. This value indicates the client signal strength detected by the AP.

Transmitted Frames Number of transmitted frames.

Back Ground(Frames/Bytes) Statistics of background traffic, in frames or in bytes.

Best Effort(Frames/Bytes) Statistics of best effort traffic, in frames or in bytes.

Video(Frames/Bytes) Statistics of video traffic, in frames or in bytes.

Voice(Frames/Bytes) Statistics of voice traffic, in frames or in bytes.

Received Frames Number of received frames.

Discarded Frames Number of discarded frames.

Priority queue statistics (Back Ground, Best Effort, Video, and Voice) are collected only for QoS clients. On a client where QoS is not enabled, all traffic, including SVP packets, is counted in the Best Effort queue, so the queues reported might differ from the queues the traffic was actually sent in. Priority queue statistics can be collected only from packets carrying Dot11E or WMM priority information; for other packets, statistics collection of priority queues on the receive end might fail.

Displaying client roaming information


1. Select Summary > Client from the navigation tree.
2. Click the Roam Information tab on the page.
3. Click the name of the specified client to view the roaming information about the client.
Figure 43 Displaying client roaming information

Table 24 Field description

Field Description
BSSID BSSID of the AP associated with the client.

Online-time Online time of the client.

AC-IP-address: The IP address of the AC connected with the client. When the configured roaming channel type is IPv6, the IPv6 address of the AC is displayed.

Displaying RF ping information


Radio Frequency Ping (RF Ping) is a ping function performed on wireless links. This function enables you
to obtain the connection information between the AP and its associated clients, such as signal strength,
packet re-transmission attempts, and round trip time (RTT).
1. Select Summary > Client from the navigation tree.

2. Click the Link Test Information tab on the page.
3. Click the name of the specified client to view the link test information about the client.
Figure 44 Displaying link test information

Table 25 Field description

Field Description
No./MCS:
• Rate number for a non-802.11n client.
• MCS value for an 802.11n client.
Rate(Mbps) Rate at which the radio interface sends wireless ping frames.

TxCnt Number of wireless ping frames that the radio interface sent.

RxCnt Number of wireless ping frames that the radio interface received from the client.

RSSI: Received signal strength indication. This value indicates the client signal strength detected by the AP.

Retries Total number of retransmitted ping frames.

RTT(ms) Round trip time.

Displaying beacon measurement reports


1. Select Summary > Client from the navigation tree.
2. Click the Beacon Measurement Report tab.
3. Click the name of the specified client to view the beacon measurement reports of the client.

Figure 45 Displaying beacon measurement reports

Table 26 Field description

Field Description
MAC Address MAC address of the client.

Total Number of Reports Number of beacon measurement reports.

Channel Channel number.

BSSID Basic service set identifier.

Regulatory Class: Regulatory class: 12 or 5. For more information, see the 802.11k protocols.

Antenna ID Antenna identifier.

SSID Service set identifier.

Managing licenses

Some features can be used only after you register them with an enhanced license. A license is purchased separately. It provides the key used to register the features and includes a description of the features.

Registering an enhanced license


IMPORTANT:
After registering an enhanced license, you must reboot the device to validate the newly added features.

To register an enhanced license:


1. Select Device > License from the navigation tree.
2. Click the Enhanced License tab.
The page in Figure 46 appears.
Figure 46 Enhanced license

3. Configure enhanced license information, as described in Table 27.


4. Click Add.
Table 27 Configuration items

Item Description
Feature Name: Select the name of the feature to be registered. The device supports only the AP feature.
AP—Increases the number of allowed APs.
License Key: Activation key of the license. The license key is in the format of XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX, where X represents a character, including case-sensitive letters, digits, plus sign (+), and slash (/).

Displaying registered enhanced licenses
1. Select Device > License from the navigation tree.
2. Click the Enhanced License tab.
The page in Figure 46 appears.
3. View the registered enhanced licenses at the lower part of the page.
Table 28 Field description

Field Description
Feature Name Name of the feature registered.

License Key: Activation key of the license. The license key is in the format of XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX, where X represents a character, including case-sensitive letters, digits, plus sign (+), and slash (/).
Available Time Left: Time left for the license. After the time elapses, the license expires. The value Forever means that the license is an official license.

AP Number Number of APs that the license supports.

Configuring basic device settings
The device basic information feature allows you to:
• Set the system name of the device. The configured system name will be displayed at the top of the
navigation bar.
• Set the idle timeout period for a logged-in user. The system logs an idle user off the Web for security
purposes after the configured period.

Configuring system name


1. Select Device > Basic from the navigation tree.
The page for configuring the system name appears.
Figure 47 Configuring the system name

2. Set the system name for the device.


3. Click Apply.

Configuring Web idle timeout


1. Select Device > Basic from the navigation tree.
2. Click the Web Idle Timeout tab.
The page for configuring Web idle timeout period appears.
Figure 48 Configuring Web idle timeout

3. Set the Web idle timeout for a logged-in user.
4. Click Apply.

Maintaining devices

Upgrading software
IMPORTANT:
During a software upgrade, avoid performing any operation on the Web interface. Otherwise, the
upgrade operation might be interrupted.

A boot file, also known as the system software or device software, is the application file the device boots from. Software upgrade lets you upload a target application file from the local host and set it as the boot file to be used at the next reboot. You can keep the original filename of the uploaded file. You can also choose whether to reboot the device immediately so that the upgraded software takes effect.
To upgrade software:
1. Select Device > Device Maintenance from the navigation tree.
The software upgrade configuration page appears.
Figure 49 Software upgrade configuration page

2. Configure the software upgrade parameters, as described in Table 29.


3. Click Apply.
Table 29 Configuration items

Item Description
File: Specify the path of the local application file, which must have the extension .app or .bin.

File Type: Specify the type of the boot file for the next boot:
• Main—Boots the device.
• Backup—Boots the device when the main boot file is unavailable.
If a file with the same name already exists, overwrite it without any prompt: Specify whether to overwrite an existing file that has the same name. If you do not select the option and you upload a file with the same name, the system prompts "The file has existed." and you cannot upgrade the software.
Reboot after the upgrade is finished: Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.

Rebooting the device


CAUTION:
Before rebooting the device, save the configuration. Otherwise, all unsaved configurations are lost after
device reboot.

1. Select Device > Device Maintenance from the navigation tree.


2. Click the Reboot tab.
The reboot tab page appears.
Figure 50 Device reboot page

3. Clear the box before "Check whether the current configuration is saved in the next startup
configuration file" or keep it selected.
4. Click Apply.
A confirmation dialog box appears.
5. Click OK.
If you select the box next to Check whether the current configuration is saved in the next startup
configuration file, the system checks the configuration before rebooting the device. If the check
succeeds, the system reboots the device. If the check fails, the system displays a dialog box to
inform you that the current configuration and the saved configuration are inconsistent, and does
not reboot the device. You must save the current configuration manually before you can reboot
the device.

If you do not select the box next to Check whether the current configuration is saved in the next
startup configuration file, the system reboots the device automatically.
6. Log in again in to the Web interface after the device reboots.

Generating the diagnostic information file


Each module has its own running information. Typically, you need to view the output information for each
individual module. You can generate the diagnostic information file to record as much information as
possible in one operation for routine maintenance or when system failure occurs. When you generate the
diagnostic information file, the system saves the running statistics of multiple modules to a file named
default.diag. You can use the file to locate problems.
To generate the diagnostic information file:
1. Select Device > Device Maintenance from the navigation tree.
2. Click the Diagnostic Information tab.
The diagnostic information tab page appears.
Figure 51 Diagnostic information

3. Click Create Diagnostic Information File.


The system begins to generate the diagnostic information file, and after the file is generated, the
page in Figure 52 appears.
Figure 52 The diagnostic information file is created

4. Click Click to Download.


The File Download dialog box appears. You can select to open this file or save this file to the local
host.

NOTE:
• During the generation of the diagnostic file, do not perform any operation on the Web interface.
• To view this file after the diagnostic file is generated successfully, select Device > File Management, or
download this file to the local host. For more information, see "Managing files."

Configuring the system time

Configure a correct system time so that the device can work with other devices correctly. System time
allows you to display and set the device system time, system time zone, and daylight saving time on the
Web interface.
You can set the system time by manual configuration or by automatic synchronization to an NTP server. Setting the clock manually on each device within a network is time-consuming and does not guarantee clock precision.
Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed
time servers and clients.
NTP keeps consistent timekeeping among all clock-dependent devices within the network so that the devices can provide diverse applications based on consistent time. A local system running NTP can synchronize, be synchronized by, or mutually synchronize with other clocks.

Configuration guidelines
• A device can act as a server to synchronize the clock of other devices only after its clock has been
synchronized. If a server's clock has a stratum level higher than or equal to that of a client's clock,
the client will not synchronize its clock to the server's clock.
• Because the synchronization process takes a period of time, the clock status may be displayed as
unsynchronized after your configuration. Refresh the page to update the clock status.
• All online Web users are logged out if both of the following conditions exist:
  The system time of the NTP server is ahead of the system time of the device.
  The difference between them exceeds the Web idle time specified on the device.

Displaying the system time


1. Select Device > System Time from the navigation tree.
The page for configuring system time appears.
Figure 53 Displaying the system time

2. View the current system time on the top of the page.

Configuring the system time
1. Select Device > System Time from the navigation tree.
The page in Figure 53 appears.
2. Click the System Time Configuration calendar button.
The calendar page appears.
Figure 54 Configuring the system time

3. Modify the system time either in the System Time Configuration field, or through the calendar
page.
You can perform the following operations on the calendar page:
a. Click Today to set the current date on the calendar to the current system date of the local host.
The time is not changed.
b. Set the year, month, date and time, and then click OK.
4. Click Apply in the system time configuration page to save your configuration.

Configuring the network time


1. Select Device > System Time from the navigation tree.
2. Click Net Time.
The network time page appears.

Figure 55 Configuring the network time

3. Configure system time parameters, as described in Table 30.


4. Click Apply.
Table 30 Configuration items

Item Description
Clock status Display the synchronization status of the system clock.

Local Reference Source: Set the IP address of the local clock source to 127.127.1.u, where u is in the range of 0 to 3, representing the NTP process ID.
• If the IP address of the local clock source is specified, the local clock is used as the reference clock, and can provide time for other devices.
• If the IP address of the local clock source is not specified, the local clock is not used as the reference clock.
Stratum: Set the stratum level of the local clock. The stratum level of the local clock determines the precision of the local clock. A higher value indicates a lower precision. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.
Source Interface: Set the source interface for NTP messages. To prevent the IP address of a specific interface on the local device from becoming the destination address of response messages, you can specify the source interface for NTP messages, so that the source IP address in the NTP messages becomes the primary IP address of this interface. If the specified source interface is down, the source IP address of the NTP messages sent is the primary IP address of the outbound interface.

Key 1, Key 2: Set the NTP authentication keys. Enable NTP authentication for a system running NTP in a network with high security demands. This feature enhances network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication. You can set two authentication keys, each of which is composed of a key ID and a key string:
• ID is the ID of the key.
• Key string is the character string used as the MD5 authentication key.
External Reference Source (NTP Server 1/Reference Key ID, NTP Server 2/Reference Key ID): Specify the IP address of an NTP server, and the ID of the authentication key used for the association with that NTP server. The device synchronizes its time to the NTP server only if the key provided by the server is the same as the specified key. You can configure two NTP servers; the client chooses the optimal reference source.
IMPORTANT:
The IP address of an NTP server is a unicast address. It cannot be a broadcast or multicast address, or the IP address of the local clock source.
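The client-server key authentication that Table 30 describes, together with the stratum guideline from "Configuration guidelines", as an added example that is not part of this manual and not the device's own implementation. It assumes the standard NTP symmetric-key scheme: the client appends a 4-byte key ID and MD5(key || packet) to a 48-byte NTP header, the server only answers a request whose MAC verifies under the same key, and the client likewise verifies the reply before deciding, from the stratum field, whether the server is usable. The key ID and key string are the ones from the manual's configuration example; the key tables and the exchange function are constructed for this example.

```python
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
UNSYNCHRONIZED_STRATUM = 16    # the manual: a stratum 16 clock is not synchronized

# Key tables on the two ends, constructed for this example. The key ID and
# string match the manual's configuration example (ID 24, aNiceKey).
AC_KEYS = {24: b"aNiceKey"}
SWITCH_KEYS = {24: b"aNiceKey"}


def build_ntp_header(mode, stratum, unix_time):
    """Build a 48-byte NTP header: LI=0, VN=3, the given mode (3 = client,
    4 = server) and stratum, with only the transmit timestamp filled in."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode
    tx_seconds = int(unix_time) + NTP_EPOCH_OFFSET
    # Layout: li/vn/mode, stratum, poll, precision, then eleven 32-bit words:
    # root delay, root dispersion, reference ID, reference/originate/receive
    # timestamps (left zero here) and the transmit timestamp (seconds, fraction).
    return struct.pack("!BBbb11I", li_vn_mode, stratum, 0, 0,
                       *([0] * 9), tx_seconds, 0)


def sign(header, key_id, keys):
    """Append the symmetric-key MAC: 4-byte key ID + MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys):
    """Return (ok, header). Rejects a wrong length, an unknown key ID, or a
    digest that does not match the key we hold for that ID."""
    if len(packet) != 48 + 4 + 16:
        return False, None
    header = packet[:48]
    key_id = struct.unpack("!I", packet[48:52])[0]
    key = keys.get(key_id)
    if key is None:
        return False, None
    expected = hashlib.md5(key + header).digest()
    # Constant-time compare so timing does not leak how much of the MAC matched.
    return hmac.compare_digest(expected, packet[52:]), header


def accept_server(client_stratum, server_stratum):
    """Guideline from the manual: a client does not synchronize to a server
    whose stratum is higher than or equal to its own, and an unsynchronized
    (stratum 16) server cannot serve time at all."""
    return server_stratum < UNSYNCHRONIZED_STRATUM and server_stratum < client_stratum


def exchange(client_keys, server_keys, key_id, client_stratum, server_stratum):
    """Run one authenticated request/reply and report how it ended."""
    now = time.time()
    request = sign(build_ntp_header(3, client_stratum, now), key_id, client_keys)
    ok, _ = verify(request, server_keys)
    if not ok:
        return "server rejected request"
    reply = sign(build_ntp_header(4, server_stratum, now), key_id, server_keys)
    ok, header = verify(reply, client_keys)
    if not ok:
        return "client rejected reply"
    if not accept_server(client_stratum, header[1]):   # byte 1 is the stratum
        return "server stratum not usable"
    return "synchronized"


if __name__ == "__main__":
    print(exchange(AC_KEYS, SWITCH_KEYS, 24, 16, 2))             # synchronized
    print(exchange({24: b"wrongKey"}, SWITCH_KEYS, 24, 16, 2))  # server rejected request
    print(exchange(AC_KEYS, SWITCH_KEYS, 24, 2, 2))             # server stratum not usable
```

The two failure paths are the ones the table and the guidelines call out: a key string or key ID that differs between the AC and the switch makes the association fail before any time is taken, and a server whose stratum is not lower than the client's is ignored even when its MAC is valid.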

Configuring the time zone and daylight saving time


1. Select Device > System Time from the navigation tree.
2. Click Time Zone.
The time zone page appears.
Figure 56 Configuring the time zone

3. Configure the time zone and daylight saving time, as described in Table 31.
4. Click Apply.
Table 31 Configuration items

Item Description
Time Zone Set the time zone for the system.

Adjust clock for daylight saving time changes: Adjust the system clock for daylight saving time changes, which means adding one hour to the current system time. Click Adjust clock for daylight saving time changes to expand the option, as shown in Figure 57. You can configure the daylight saving time changes in either of the following ways:
• Specify that the daylight saving time starts on a specific date and ends on a specific date. The time range must be greater than one day and smaller than one year. For example, configure the daylight saving time to start on August 1st, 2006 at 06:00:00 a.m., and end on September 1st, 2006 at 06:00:00 a.m.
• Specify that the daylight saving time starts and ends on the corresponding specified days every year. The time range must be greater than one day and smaller than one year. For example, configure the daylight saving time to start on the first Monday in August at 06:00:00 a.m., and end on the last Sunday in September at 06:00:00 a.m.

Figure 57 Configuring the daylight saving time
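The two daylight saving time forms in Table 31, as an added example that is not part of this manual and not the device's own code. It resolves a recurring rule such as "first Monday in August at 06:00:00" or "last Sunday in September at 06:00:00" to concrete dates for a given year, enforces the manual's constraint that the range must be greater than one day and smaller than one year, and applies the one-hour adjustment. The rule tuple layout, the 365-day reading of "one year", and the simplification that the boundaries are compared against standard local time are assumptions made for this example.

```python
import calendar
from datetime import datetime, timedelta

ORDINALS = {"first": 1, "second": 2, "third": 3, "fourth": 4, "last": -1}
WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}  # Monday = 0


def nth_weekday(year, month, weekday, n):
    """Date of the n-th occurrence of a weekday in a month (n = -1 for the last one)."""
    days_in_month = calendar.monthrange(year, month)[1]
    matches = [d for d in range(1, days_in_month + 1)
               if datetime(year, month, d).weekday() == weekday]
    return datetime(year, month, matches[n - 1] if n > 0 else matches[n])


def resolve_recurring_rule(year, rule):
    """rule = (ordinal, weekday name, month number, 'HH:MM:SS'); assumed layout,
    e.g. ('first', 'Monday', 8, '06:00:00') for the manual's example."""
    ordinal, weekday, month, hms = rule
    day = nth_weekday(year, month, WEEKDAYS[weekday], ORDINALS[ordinal])
    hour, minute, second = (int(x) for x in hms.split(":"))
    return day.replace(hour=hour, minute=minute, second=second)


def dst_range_is_valid(start, end):
    """The manual's constraint: greater than one day and smaller than one year.
    A year is taken as 365 days here (assumption for this example)."""
    return timedelta(days=1) < (end - start) < timedelta(days=365)


def local_time(utc, tz_offset_hours, dst_start, dst_end):
    """Apply the time zone offset, then add the one hour of daylight saving time
    when the standard local time falls inside [dst_start, dst_end). Comparing
    against standard local time is a simplification for this example."""
    standard = utc + timedelta(hours=tz_offset_hours)
    if dst_start <= standard < dst_end:
        return standard + timedelta(hours=1)
    return standard


if __name__ == "__main__":
    start = resolve_recurring_rule(2014, ("first", "Monday", 8, "06:00:00"))
    end = resolve_recurring_rule(2014, ("last", "Sunday", 9, "06:00:00"))
    print(start, end, dst_range_is_valid(start, end))
    print(local_time(datetime(2014, 8, 10, 0, 0, 0), 8, start, end))
```

Resolving the recurring rule for the year you are in is the check worth doing before you click Apply: it shows the exact timestamps the device will switch at, and whether the pair satisfies the one-day/one-year constraint.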

System time configuration example


Network requirements
• As shown in Figure 58, the local clock of the switch is set as the reference clock.
• The AC operates in client mode, and uses the switch as the NTP server.
• NTP authentication is configured on both the AC and switch.
Figure 58 Network diagram

Configuring the switch


Configure the local clock as the reference clock, with the stratum of 2, configure authentication, with the
key ID of 24, and trusted key as aNiceKey. (Details not shown.)

Configuring the AC
To configure the switch as the NTP server of the AC:
1. Select Device > System Time from the navigation tree.

2. Click the Net Time tab.
The Net Time tab page appears.
Figure 59 Configuring the switch as the NTP server of the AC

3. Enter 24 for the ID of key 1, and aNiceKey for the key string. Enter 1.0.1.12 in the NTP Server 1
box and 24 in the Reference Key ID box.
4. Click Apply.

Verifying the configuration


After you complete the configuration, the current system time displayed on the System Time page is the same on the AC and the switch.

Managing logs
System logs contain a large amount of network and device information, including running status and
configuration changes. System logs allow administrators to monitor network and device operation. With
system logs, administrators can take corresponding actions against network and security problems.
The system sends system logs to the following destinations:
• Console.
• Monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY
user interface.
• Log buffer.
• Loghost.
• Web interface.

Displaying syslog
The Web interface provides abundant search and sorting functions for viewing logs.
To display syslog:
1. Select Device > Syslog from the navigation tree.
The page for displaying syslog appears.
Figure 60 Displaying syslogs

TIP:
• You can click Reset to clear all system logs saved in the log buffer on the Web interface.
• You can click Refresh to manually refresh the page, or set the refresh interval on the Log Setup page
to enable the system to automatically refresh the page. For more information, see "Setting buffer
capacity and refresh interval."

2. View system logs.
Table 32 Field description

Field Description
Time/Date Display the time/date when system logs are generated.

Source Display the module that generates system logs.

Level: Display the system information level. The information is classified into eight levels depending on severity:
• Emergency—The system is unusable.
• Alert—Action must be taken immediately.
• Critical—Critical conditions.
• Error—Error conditions.
• Warning—Warning conditions.
• Notification—Normal but significant condition.
• Information—Informational messages.
• Debug—Debug-level messages.

Digest Display the brief description of system logs.

Description Display the contents of system logs.

Setting the log host


You can set the loghost on the Web interface to enable the system to output syslogs to the log host. You
can specify a maximum of four different log hosts.
To set the log host:
1. Select Device > Syslog from the navigation tree.
2. Click the Loghost tab.
The loghost configuration page appears.

Figure 61 Setting the loghost

3. Configure the log host, as described in Table 33.


4. Click Apply.
Table 33 Configuration items

Item Description
IPv4/Domain or IPv6, Loghost IP/Domain: Select the address type, and set the IPv4 address, domain name, or IPv6 address of the log host. You can specify up to four log hosts.
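What a log host does with the messages this page sends it, as an added example that is not part of this manual and not the device's own software: decode the syslog priority of each received line into the facility and the severity level (the eight levels of Table 32, in that order), discard lines that are not valid syslog, and pull out the messages at Warning or worse. It assumes the traditional syslog line layout `<PRI>Mmm dd hh:mm:ss HOST MESSAGE` with PRI = facility * 8 + severity; the sample lines are constructed for this example, not captured from a device.

```python
import re

# Severity names as Table 32 lists them, indexed by the standard syslog
# severity code (0 = Emergency ... 7 = Debug).
LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning",
          "Notification", "Information", "Debug"]

# <PRI>Mmm dd hh:mm:ss HOST MESSAGE  (assumed traditional syslog line layout)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")

# Constructed sample lines, not captured from a device. Facility local7 is 23,
# so PRI 184 + severity: 187 = Error, 188 = Warning, 189 = Notification,
# 190 = Information, 191 = Debug. The last two lines are deliberately invalid.
SAMPLE = """\
<189>Apr 18 10:15:02 AC SHELL/5/LOGIN: user admin logged in from 10.1.1.5
<190>Apr 18 10:15:10 AC CFM/6/SAVE: configuration saved
<188>Apr 18 10:16:33 AC SHELL/4/LOGINFAIL: login failed for user admin from 10.1.1.9
<187>Apr 18 10:16:35 AC NTP/3/AUTHFAIL: authentication failed for server 1.0.1.12
<191>Apr 18 10:16:40 AC NTP/7/DEBUG: poll interval 64
this line is not syslog at all
<999>Apr 18 10:17:00 AC bogus priority
"""


def parse_line(line):
    """Decode one line; return None for lines that are not valid syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facilities run 0..23, so the largest legal PRI is 23*8 + 7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "level": LEVELS[pri % 8],
        "time": m["ts"],
        "host": m["host"],
        "msg": m["msg"],
    }


def parse_all(text):
    """Parse a block of received lines, dropping the ones that do not decode."""
    entries = [parse_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def at_least(entries, level_name):
    """Entries at the named level or more severe (a lower code is more severe)."""
    threshold = LEVELS.index(level_name)
    return [e for e in entries if e["severity"] <= threshold]


def count_by_level(entries):
    """How many messages arrived at each level, for a quick sanity check."""
    counts = {}
    for e in entries:
        counts[e["level"]] = counts.get(e["level"], 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_all(SAMPLE)
    for e in at_least(entries, "Warning"):
        print(e["time"], e["host"], e["level"], e["msg"])
    print(count_by_level(entries))
```

Because the device sends the level inside the PRI value rather than as text, a log host that filters by severity has to decode PRI first; the Level names displayed on the Web interface are the same eight severities, so a filter written against Table 32 carries over to the log host unchanged.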

Setting buffer capacity and refresh interval


1. Select Device > Syslog from the navigation tree.
2. Click the Log Setup tab.
The syslog configuration page appears.

Figure 62 Syslog configuration page

3. Configure buffer capacity and refresh interval, as described in Table 34.


4. Click Apply.
Table 34 Configuration items

Item Description
Buffer Capacity Set the number of logs that can be stored in the log buffer of the Web interface.

Refresh Interval: Set the refresh period for the log information displayed on the Web interface. You can select manual refresh or automatic refresh:
• Manual—Click Refresh to refresh the Web interface when displaying log information.
• Automatic—You can select to refresh the Web interface every 1, 5, or 10 minutes.

Managing the configuration

Backing up the configuration


Configuration backup allows you to perform the following operations:
• Open and view the configuration file for the next startup.
• Back up the configuration file for the next startup to the host of the current user.
To back up the configuration:
1. Select Device > Configuration from the navigation tree.
The page for backing up configuration appears.
Figure 63 Backing up the configuration

2. Click the upper Backup button.


A file download dialog box appears. You can select to view the .cfg file or to save the file locally.

Restoring the configuration


IMPORTANT:
The restored configuration file takes effect at the next device reboot.

Configuration restore can upload the .cfg file on the host of the current user to the device for the next
startup.
To restore the configuration:
1. Select Device > Configuration from the navigation tree.
2. Click the Restore tab.
The page for restoring configuration appears.

Figure 64 Restoring the configuration

3. Click the upper Browse button.


The file upload dialog box appears. You can select the .cfg file to be uploaded.
4. Click Apply.

Saving the configuration


IMPORTANT:
• HP recommends that you do not perform any operation on the Web interface while the configuration is
being saved.
• The system does not support saving the configuration for two or more users at the same time. If one user's save is in progress, other users are prompted to try again.

The save configuration module provides the function to save the current configuration to the configuration
file (.cfg file) to be used at the next startup. You can save the configuration by using one of the following
ways: fast or common.

Fast
Click the Save button at the upper right of the auxiliary area, and you can save the configuration to the
configuration file.
Figure 65 Saving the configuration

Common
1. Select Device > Configuration from the navigation tree.
2. Click the Save tab.
The page in Figure 65 appears.
3. Click Save Current Settings to save the current configuration to the configuration file.

Initializing the configuration
This operation restores the system to factory defaults, deletes the current configuration file, and reboots the device.
To initialize the configuration:
1. Select Device > Configuration from the navigation tree.
2. Click the Initialize tab.
The initialize confirmation page appears.
Figure 66 Initializing the configuration

3. Click Restore Factory-Default Settings to restore the system to factory defaults.

88
Managing files

The device saves critical files, such as host software and configuration files, on its storage device, and provides file management for users to manage those files.
There are different types of storage media, such as flash and compact flash (CF). Different devices
support different types of storage devices. For more information, see "About the Web-based
configuration guide for HP unified wired-WLAN products."

Displaying file list


1. Select Device > File Management from the navigation tree.
The file management page appears.
Figure 67 File management

2. Select a disk from the Please select disk list on the top of the page.
3. View the used space, free space and capacity of the disk at the right of the list.
4. View all files saved in this disk (in the format of path + filename), file sizes, and the boot file types.
For example, Main or Backup is displayed if the file is an application file with the extension of .bin
or .app.

Downloading a file
1. Select Device > File Management from the navigation tree.
The page in Figure 67 appears.

2. Select a file from the list.
You can select one file at a time.
3. Click Download File.
The File Download dialog box appears. You can select to open the file or to save the file to a
specified path.

Uploading a file
IMPORTANT:
HP recommends that you do not perform any operation on the Web interface during the upgrade
procedure.

1. Select Device > File Management from the navigation tree.


The page in Figure 67 appears.
2. Select the disk to save the file in the Upload File box.
3. Click Browse to set the path and name of the file.
4. Click Apply.

Removing a file
1. Select Device > File Management from the navigation tree.
The page in Figure 67 appears.
2. Select one or multiple files from the file list.
3. Click Remove File.

NOTE:
You can also remove a file by clicking the icon.

Specifying the main boot file


1. Select Device > File Management from the navigation tree.
The page in Figure 67 appears.
2. Select the box to the left of an application file (with the extension of .bin or .app).
You can set one file at a time.
3. Click Set as Main Boot File to set the main boot file to be used at the next startup.

Managing interfaces

Interface management overview


An interface is the point of interaction for exchanging data between entities. There are two types of
interfaces: physical and logical. A physical interface refers to an interface that physically exists as a
hardware component, for example, Ethernet interfaces. A logical interface is an interface that can
implement data switching but does not exist physically, and must be created manually, for example,
VLAN interfaces.
You can use the interface management feature on the Web-based configuration interface to manage the
following types of interfaces:
• Layer 2 Ethernet interface—Physical interface operating on the data link layer for forwarding Layer
2 protocol packets.
• Management Ethernet interface—Physical interface operating on the network layer. You can
configure IP addresses for a management Ethernet interface. To manage the device, you can log in
to the device through a management Ethernet interface.
• Loopback interface—A loopback interface is a software-only virtual interface. The physical layer
state and link layer protocols of a loopback interface are always up unless the loopback interface
is manually shut down. You can enable routing protocols on a loopback interface, and a loopback
interface can send and receive routing protocol packets. When you assign an IPv4 address whose
mask is not 32-bit, the system automatically changes the mask into a 32-bit mask.
• Null interface—A null interface is a completely software-based logical interface, and is always up. However, you cannot use it to forward data packets, and you cannot configure an IP address or link layer protocol on it. With a null interface specified as the next hop of a static route to a specific network segment, any packets routed to that network segment are dropped. The null interface therefore provides a simpler way to filter packets than an ACL: you can discard uninteresting traffic by routing it to a null interface instead of applying an ACL.
• VLAN interface—Virtual Layer 3 interface used for Layer 3 communications between VLANs. A
VLAN interface corresponds to a VLAN. You can assign an IP address to a VLAN interface, and
then specify it as the gateway of the corresponding VLAN. In this way, the interface can forward
traffic destined for an IP network segment different from that of the VLAN.
• Virtual template (VT) interface—Template used for configuring virtual access (VA) interfaces.
• Bridge-Aggregation interface (BAGG)—Multiple Layer 2 Ethernet interfaces can be combined to
form a Layer 2 aggregation group. The logical interface created for the group is called an
aggregate interface.
With the interface management feature, you can view interface information, create/remove logical
interfaces, change interface status, and reset interface parameters.

Displaying interface information and statistics


1. Select Device > Interface from the navigation tree.
The interface management page appears. The page displays the interfaces' names, IP addresses,
masks, and status.

Figure 68 Displaying interface information

2. Click an interface name in the Name column to display the statistics of that interface.
The page for displaying interface statistics appears.
Figure 69 Displaying interface statistics

Creating an interface
1. Select Device > Interface from the navigation tree.
The page in Figure 68 appears.

2. Click Add.
The page for creating an interface appears.
Figure 70 Creating an interface

3. Configure the interface, as described in Table 35.


4. Click Apply.
Table 35 Configuration items

Item Description
Interface Name Set the type and number of a logical interface.

VID: If you are creating a Layer 3 Ethernet subinterface, set the VLANs associated with the subinterface. This parameter is available only for Layer 3 Ethernet subinterfaces.
IMPORTANT:
This configuration item is not configurable because the device does not support Layer 3 Ethernet subinterfaces.
MTU: Set the maximum transmission unit (MTU) that is allowed to pass the interface. The MTU value affects fragmentation and reassembly of IP packets. Support for this configuration item depends on the interface type. All Layer 3 interfaces support MTU.

TCP MSS: Set the maximum segment size (MSS) for TCP segments sent on the interface. Support for this configuration item depends on the interface type. All Layer 3 interfaces support TCP MSS.

IP Config: Set the way for the interface to obtain an IP address:
• None—Select this option if you do not want to assign an IP address to the interface.
• Static Address—Select this option to manually assign an IP address and mask to the interface. If this option is selected, you must set the IP Address and Mask fields.
• DHCP—Select this option for the interface to obtain an IP address through DHCP automatically.
• BOOTP—Select this option for the interface to obtain an IP address through BOOTP automatically.
• PPP Negotiate—Select this option for the interface to obtain an IP address through PPP negotiation.
• Unnumbered—Select this option to borrow the IP address of another interface on the same device for the interface. If this option is selected, you must select the interface whose IP address you want to borrow in the Unnumbered Interfaces list.
Support for the way of obtaining an IP address depends on the device model and the interface type.

IP Address/Mask, Secondary IP Address/Mask: After selecting the Static Address option for IP Config, you need to set the primary IP address and mask, and secondary IP addresses and masks for the interface.
IMPORTANT:
• The primary and secondary IP addresses cannot be 0.0.0.0.
• For a loopback interface, the mask is fixed to 32 bits and is not configurable.
• The number of secondary IP addresses supported by the device depends on the device model.

Unnumbered Interface: If the Unnumbered option is selected as the way for the interface to obtain an IP address, you must set the interface whose IP address is to be borrowed.

IPv6 Config: Set the way for the interface to obtain an IPv6 link-local address:
• None—Select this option if you do not want to assign an IPv6 link-local address to the interface.
• Auto—Select this option for the system to automatically assign an IPv6 link-local address to the interface.
• Manual—Select this option to manually assign an IPv6 link-local address to the interface. If this option is selected, you must set the IPv6 Link Local Address field.
IPv6 Link Local Address: If the Manual option is selected for the interface to obtain an IPv6 link-local address, you must set an IPv6 link-local address for the interface.

Modifying a Layer 2 interface


1. Select Device > Interface from the navigation tree.
The page in Figure 68 appears.
2. Click the icon corresponding to a Layer 2 interface.

The page for modifying a Layer 2 interface appears.
Figure 71 Modifying a Layer 2 physical interface

3. Modify the information about the Layer 2 physical interface, as described in Table 36.
4. Click Apply.
Table 36 Configuration items

Item Description

Port State
Enable or disable the interface.
In some cases, a modification to the interface parameters does not take effect immediately. Shut down and then bring up the interface to make the modification take effect.

Speed
Set the transmission rate of the interface. Available options include:
• 10—10 Mbps.
• 100—100 Mbps.
• 1000—1000 Mbps.
• Auto—Auto-negotiation.
• Auto 10—The auto-negotiation rate of the interface is 10 Mbps.
• Auto 100—The auto-negotiation rate of the interface is 100 Mbps.
• Auto 1000—The auto-negotiation rate of the interface is 1000 Mbps.
• Auto 10 100—The auto-negotiation rate of the interface is 10 Mbps or 100 Mbps.
• Auto 10 1000—The auto-negotiation rate of the interface is 10 Mbps or 1000 Mbps.
• Auto 100 1000—The auto-negotiation rate of the interface is 100 Mbps or 1000 Mbps.
• Auto 10 100 1000—The auto-negotiation rate of the interface is 10 Mbps, 100 Mbps, or 1000 Mbps.

Duplex
Set the duplex mode of the interface.
• Auto—Auto-negotiation.
• Full—Full duplex.
• Half—Half duplex.

Link Type
Set the link type of the interface, which can be access, hybrid, or trunk. For more information, see Table 37.
IMPORTANT:
To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to access.

PVID
Set the default VLAN ID of the hybrid or trunk port.
IMPORTANT:
The trunk ports at the two ends of a link must have the same PVID. Untagged frames cross the link in the PVID, so a mismatch silently moves traffic from one VLAN into another.

MDI
Set the Medium Dependent Interface (MDI) mode for the interface.
Two types of Ethernet cables can be used to connect Ethernet devices: crossover and straight-through. To accommodate these two types of cables, an Ethernet interface on the device can operate in one of the following MDI modes:
• Across mode.
• Normal mode.
• Auto mode.
An Ethernet interface is composed of eight pins. By default, each pin has its particular role. For example, pin 1 and pin 2 are used for transmitting signals, and pin 3 and pin 6 are used for receiving signals. The MDI mode determines the pin roles:
• In across mode, pin 1 and pin 2 are used for transmitting signals, and pin 3 and pin 6 are used for receiving signals.
• In normal mode, pin 1 and pin 2 are used for receiving signals, and pin 3 and pin 6 are used for transmitting signals.
• In auto mode, the pin roles are determined through auto-negotiation.
Configure the MDI mode depending on the cable type:
• Typically, auto mode is recommended. The other two modes are useful only when the device cannot determine the cable type.
• When straight-through cables are used, the local MDI mode must be different from the remote MDI mode.
• When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto.

Flow Control
Enable or disable flow control on the interface.
With flow control enabled on both ends, when traffic congestion occurs on the local device, the device notifies the peer to stop sending packets temporarily. The peer stops sending until the congestion clears, which avoids packet loss. The local device behaves the same way when it receives such a notification from the peer.
IMPORTANT:
Flow control works only when it is enabled on both ends.

Jumbo Frame Forwarding
Enable or disable the forwarding of jumbo frames.

Max MAC Count
Set the maximum number of MAC addresses the interface can learn. Available options include:
• User Defined—Select this option to set the limit manually.
• No Limit—Select this option to set no limit.

Broadcast Suppression
Set broadcast suppression. You can suppress broadcast traffic by percentage or by PPS:
• ratio—Sets the maximum percentage of broadcast traffic to the total transmission capability of an Ethernet interface. When this option is selected, enter a percentage in the box below this option.
• pps—Sets the maximum number of broadcast packets that can be forwarded on an Ethernet interface every second. When this option is selected, enter a number in the box below this option.

Multicast Suppression
Set multicast suppression. You can suppress multicast traffic by percentage or by PPS:
• ratio—Sets the maximum percentage of multicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, enter a percentage in the box below this option.
• pps—Sets the maximum number of multicast packets that can be forwarded on an Ethernet interface every second. When this option is selected, enter a number in the box below this option.

Unicast Suppression
Set unicast suppression. You can suppress unicast traffic by percentage or by PPS:
• ratio—Sets the maximum percentage of unicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, enter a percentage in the box below this option.
• pps—Sets the maximum number of unicast packets that can be forwarded on an Ethernet interface every second. When this option is selected, enter a number in the box below this option.

Table 37 Link type description

Link type Description

Access
An access port can belong to only one VLAN and is typically used to connect a user device.

Hybrid
A hybrid port can be assigned to multiple VLANs to receive and send packets for those VLANs. A hybrid port allows packets of multiple VLANs to pass through untagged. Hybrid ports can be used to connect network devices and user devices.

Trunk
A trunk port can be assigned to multiple VLANs to receive and send packets for those VLANs. A trunk port allows only packets of the default VLAN to pass through untagged. Trunk ports are typically used to connect network devices.
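As an added example that is not part of the HP guide or of any HP software, the following Python model applies the access, hybrid, and trunk rules from Table 36 and Table 37 to individual frames and shows what the PVID warning means in practice: when the trunk ports at the two ends of a link have different PVIDs, a frame that leaves one end untagged is filed under a different VLAN at the other end. The Port class, the function names, and the sample port settings are this example's own constructions.

```python
"""Added example, not from the HP guide: an IEEE 802.1Q port model that applies the
access/hybrid/trunk link-type rules and demonstrates the trunk PVID-mismatch hazard.
All names and sample port settings are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Port:
    name: str
    link_type: str                                     # "access", "hybrid" or "trunk"
    pvid: int                                          # VLAN assigned to untagged frames
    permitted: Set[int] = field(default_factory=set)   # VLANs allowed on the port
    untagged: Set[int] = field(default_factory=set)    # hybrid only: VLANs sent untagged

    def __post_init__(self) -> None:
        if self.link_type == "access":
            # An access port belongs to exactly one VLAN (its PVID) and never sends tags.
            self.permitted = {self.pvid}
            self.untagged = {self.pvid}
        elif self.link_type == "trunk":
            # A trunk sends only its default VLAN untagged; every other VLAN is tagged.
            self.untagged = {self.pvid}
        elif self.link_type != "hybrid":
            raise ValueError(f"unknown link type {self.link_type!r}")
        # The PVID and every untagged VLAN must also be permitted on the port.
        self.permitted = set(self.permitted) | self.untagged | {self.pvid}


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify a received frame. tag is None for an untagged frame.
    Returns the VLAN the frame joins, or None if the port drops it."""
    if tag is None:
        return port.pvid                      # untagged frames always take the PVID
    return tag if tag in port.permitted else None


def egress(port: Port, vlan: int) -> Tuple[bool, Optional[int]]:
    """Decide how a frame belonging to `vlan` leaves the port.
    Returns (forwarded, tag); tag is None when the frame leaves untagged."""
    if vlan not in port.permitted:
        return (False, None)
    if vlan in port.untagged:
        return (True, None)
    return (True, vlan)


def cross_link(tx: Port, rx: Port, vlan: int) -> Optional[int]:
    """Send a frame of `vlan` out of tx and into rx over a cable.
    Returns the VLAN rx assigns to it, or None if either side drops it."""
    forwarded, tag = egress(tx, vlan)
    if not forwarded:
        return None
    return ingress(rx, tag)


def pvid_mismatch_demo() -> Tuple[Optional[int], Optional[int]]:
    """Constructed scenario: the same trunk link, first with matching PVIDs, then not.
    Returns (vlan_seen_when_matched, vlan_seen_when_mismatched)."""
    a = Port("SwitchA GE1/0/1", "trunk", pvid=10, permitted={10, 20})
    b_ok = Port("SwitchB GE1/0/1", "trunk", pvid=10, permitted={10, 20})
    b_bad = Port("SwitchB GE1/0/1", "trunk", pvid=20, permitted={10, 20})
    # With matching PVIDs a VLAN 10 frame arrives in VLAN 10. With a mismatch it
    # leaves A untagged (10 is A's PVID) and B files it under B's PVID, VLAN 20:
    # the frame has crossed a VLAN boundary without any tag being rewritten.
    return cross_link(a, b_ok, 10), cross_link(a, b_bad, 10)


if __name__ == "__main__":
    print("matched/mismatched PVID result:", pvid_mismatch_demo())   # (10, 20)
```

The hybrid case is covered by the same functions: a hybrid port with VLANs 10 and 20 in its untagged set and VLAN 30 permitted only tagged sends 10 and 20 without a tag and 30 with one, which is exactly the Table 37 distinction between hybrid and trunk.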

Modifying a Layer 3 interface


1. Select Device > Interface from the navigation tree.
The page in Figure 68 appears.
2. Click the icon corresponding to a Layer 3 interface.

The page for modifying a Layer 3 interface appears.
Figure 72 Modifying a Layer 3 physical interface

3. Modify the information about the Layer 3 interface.


The configuration items of modifying the Layer 3 interface are similar to those for creating an
interface. Table 38 describes configuration items that apply to modifying a Layer 3 interface.
4. Click Apply.
Table 38 Configuration items

Item Description

Interface Type
Set the interface type, which can be Electrical port, Optical port, or None.

Interface Status
Display and set the interface status.
• Connected indicates that the current status of the interface is up and connected. You can click Disable to shut down the interface.
• Not connected indicates that the current status of the interface is up but not connected. You can click Disable to shut down the interface.
• Administratively Down indicates that the interface is shut down by the administrator. You can click Enable to bring up the interface.
After you click Enable or Disable, the page displaying interface information appears.
IMPORTANT:
For an interface whose status cannot be changed, the Enable or Disable button is not available.

Working Mode
Set the interface to work in bridge mode or router mode.

Interface management configuration example


Network requirements
Create VLAN-interface 100 and specify its IP address as 10.1.1.2.

Configuration procedure
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree.
The VLAN tab page appears.
b. Click Add.
The page for creating VLANs appears.
Figure 73 Creating VLAN 100

c. Enter VLAN ID 100.


d. Click Apply.
2. Create VLAN-interface 100 and assign an IP address for it:
a. Select Device > Interface from the navigation tree.
b. Click Add.
The page for creating an interface appears.

Figure 74 Creating VLAN-interface 100

c. Select Vlan-interface from the Interface Name list, and enter the interface ID 100.
d. Select the Static Address option for IP Config, enter the IP address 10.1.1.2, and select 24
(255.255.255.0) from the Mask list.
e. Click Apply.

Configuring port mirroring

Port mirroring includes local port mirroring and remote port mirroring. Unless otherwise specified, port
mirroring described in this chapter refers to local port mirroring.
Support for port mirroring depends on the device model. For more information, see "About the
Web-based configuration guide for HP unified wired-WLAN products."

Overview
Port mirroring is to copy the packets passing through one or multiple ports (called mirroring ports) to a
port (called the monitor port) on the local device. The monitor port is connected to a monitoring device.
By using the monitoring device to analyze the packets mirrored to the monitor port, you can monitor the
network and troubleshoot possible network problems.
Figure 75 A port mirroring implementation (figure labels: IP network, monitor port, mirroring port, data monitoring device, PC)
Port mirroring is implemented through mirroring groups. The mirroring ports and the monitor port belong to the same mirroring group. With port mirroring enabled, the device copies packets passing through the mirroring ports to the monitor port. The monitoring device therefore receives a copy of every frame on the mirroring ports, including any cleartext credentials they carry, so protect the monitor port and the monitoring device as carefully as the traffic itself.

Configuration guidelines
When you configure port mirroring, follow these guidelines:
• Depending on the device model, you can assign the following types of ports to a mirroring group as mirroring ports:
  Layer 2 Ethernet
  Layer 3 Ethernet
  POS
  CPOS
  Serial
  MP-group
• Depending on the device model, you can configure the following types of ports as the monitor port:
  Layer 2 Ethernet
  Layer 3 Ethernet
  Tunnel
• To ensure normal operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
• On some types of devices, you can configure a member port of a link aggregation as the monitor port.
• Other restrictions on the monitor port depend on the device model.
• You can configure multiple mirroring ports, but only one monitor port, for a mirroring group.
• A port can be assigned to only one mirroring group.

Port mirroring configuration task list


Task Remarks

Add a mirroring group
Required. Select the mirroring group type Local in the Type list. For more information, see "Adding a mirroring group."

Configure the mirroring ports
Required. During configuration, select the port type Mirror Port. For more information, see "Configuring ports for a mirroring group."

Configure the monitor port
Required. During configuration, select the port type Monitor Port. For more information, see "Configuring ports for a mirroring group."

Adding a mirroring group


1. Select Device > Port Mirroring from the navigation tree.
2. Click the Add tab.
The page for adding a mirroring group appears.

Figure 76 Adding a mirroring group

3. Configure the mirroring group, as described in Table 39.


4. Click Apply.
Table 39 Configuration items

Item Description

Mirroring Group ID
ID of the mirroring group.

Type
Specify the type of the mirroring group. Local means adding a local mirroring group.

Configuring ports for a mirroring group


1. Select Device > Port Mirroring from the navigation tree.
2. Click Modify Port.
The page for configuring ports for a mirroring group appears.

Figure 77 Configuring ports for a mirroring group

3. Configure port information for the mirroring group, as described in Table 40.
4. Click Apply and the progress bar appears.
5. Click Close when the progress bar prompts that the configuration is complete.
Table 40 Configuration items

Item Description

Mirroring Group ID
ID of the mirroring group to be configured.

Port Type
Set the type of the ports to be configured:
• Monitor Port—Configures the monitor port for the mirroring group.
• Mirror Port—Configures mirroring ports for the mirroring group.

Stream Orientation
Set the direction of the traffic mirrored by the mirroring ports of the mirroring group. This configuration item is available when Mirror Port is selected from the Port Type list:
• both—Mirrors both received and sent packets on the mirroring ports.
• inbound—Mirrors only packets received by the mirroring ports.
• outbound—Mirrors only packets sent by the mirroring ports.

interface name
Select the ports to be configured from the interface name list.

Port mirroring configuration example


Network requirements
As shown in Figure 78:

• Packets from the AP access the AC through GigabitEthernet 1/0/1.
• The server is connected to GigabitEthernet 1/0/2 of the AC.
Configure port mirroring to monitor the bidirectional traffic on GigabitEthernet 1/0/1 of the AC on the
server.
To meet the network requirements, perform the following tasks on the AC:
• Configure GigabitEthernet 1/0/1 of the AC as a mirroring port.
• Configure GigabitEthernet 1/0/2 of the AC as the monitor port.
Figure 78 Network diagram

Configuration procedure
1. Add a mirroring group:
a. Select Device > Port Mirroring from the navigation tree.
b. Click Add.
c. Enter 1 for Mirroring Group ID, and select Local from the Type list.
d. Click Apply.
Figure 79 Adding a mirroring group

2. Configure the mirroring port:

a. Click the Modify Port tab.
b. Select 1 – Local for Mirroring Group ID, Mirror Port for Port Type, both for Stream Orientation,
and GigabitEthernet 1/0/1 from the interface name list.
c. Click Apply.
The progress bar appears.
d. Click Close when the progress bar prompts that the configuration is complete.
Figure 80 Configuring a mirroring port

3. Configure the monitor port:


a. Click the Modify Port tab.
b. Select 1 – Local for Mirroring Group ID, Monitor Port for Port Type, and GigabitEthernet 1/0/2
from the interface name list.
c. Click Apply.
A progress bar appears.
d. Click Close when the progress bar prompts that the configuration is complete.

Figure 81 Configuring the monitor port

Managing users

In the user management part, you can perform the following configuration:
• Create a local user, and set the password, access level, and service type for the user.
• Set the super password for switching the current Web user level to the management level.
• Switch the current Web user access level to the management level.

Creating a user
1. Select Device > Users from the navigation tree.
2. Click the Create tab.
The page for creating local users appears.
Figure 82 Creating a user

3. Configure the user information, as described in Table 41.


4. Click Apply.
Table 41 Configuration items

Item Description

Username
Set the username for the user.

Access Level
Set the access level for the user. Users of different levels can perform different operations. The following Web user levels, from low to high, are available:
• Visitor—Users of this level can perform the ping and traceroute operations, but they cannot access the device data or configure the device.
• Monitor—Users of this level can only access the device data but cannot configure the device.
• Configure—Users of this level can access data on the device and configure the device. They cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
• Management—Users of this level can perform any operations on the device.

Password
Set the password for the user.

Confirm Password
Enter the same password again. Otherwise, the system prompts that the two passwords are not consistent when you apply the configuration.

Password Encryption
Set the method for storing the user's password:
• Reversible—The device stores the password by using reversible encryption. Anyone who obtains the saved configuration and the decryption key can recover the cleartext password.
• Irreversible—The device stores the password by using irreversible encryption, so the cleartext cannot be recovered from the stored form. Select this option unless a feature specifically requires the cleartext password.

Service Type
Set the service type, including Web, FTP, and Telnet services. You must select at least one service type. FTP and Telnet transmit the username and password in cleartext.

Setting the super password


Management level users can specify the password for a lower-level user to switch from the current access
level to the management level. If this password is not configured, the switchover will fail.
To set the super password:
1. Select Device > Users from the navigation tree.
2. Click the Super Password tab.
The super password configuration page appears.
Figure 83 Setting the super password

3. Set the super password, as described in Table 42.
4. Click Apply.
Table 42 Configuration items

Item Description

Create/Remove
Set the operation type:
• Create—Configure or modify the super password.
• Remove—Remove the current super password.

Password
Set the password for a user to switch to the management level.

Confirm Password
Enter the same password again. Otherwise, the system prompts that the two passwords are not consistent when you apply the configuration.

Password Encryption
Set the method for storing the super password:
• Reversible—The device stores the password by using reversible encryption.
• Irreversible—The device stores the password by using irreversible encryption.

Switching the user access level to the management level
This function is provided for a user to switch the current user level to the management level. Note the
following:
• Before switching, make sure that the super password is already configured. A user cannot switch to
the management level without a super password.
• The access level switchover of a user is valid for the current login only. The access level configured
for the user is not changed. When the user logs in again to the Web interface, the access level of
the user is still the original level.
To switch the user access level to the management level:
1. Select Device > Users from the navigation tree.
2. Click the Switch To Management tab.
The access level switching page appears.
Figure 84 Switching to the management level

3. Enter the super password.


4. Click Login.

Configuring SNMP

SNMP overview
Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used by a management station to access and manage the devices on a network. SNMP hides the physical differences between devices and allows products from different manufacturers to be managed uniformly.
An SNMP enabled network comprises the network management system (NMS) and agents.
The NMS manages agents by exchanging management information through SNMP. The NMS and the managed agents must use the same SNMP version to communicate with each other.
SNMP agents support SNMPv1, SNMPv2c, and SNMPv3.
• SNMPv1—Uses community names for authentication. Like a password, a community name restricts the communication between the NMS and the agent. To access an SNMP agent, an NMS must use the same community name as the one set on the agent. If the community name used by the NMS differs from the one set on the agent, the NMS cannot establish an SNMP session to access the agent, and it cannot receive traps or notifications from the agent. The community name is carried in cleartext in every SNMPv1 message, so anyone who can observe the traffic can read it.
• SNMPv2c—Uses community names for authentication in the same way as SNMPv1, with the same cleartext exposure. SNMPv2c is compatible with SNMPv1 and supports more operation modes, data types, and error codes.
• SNMPv3—Uses the user-based security model (USM) to secure SNMP communication. You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity, authenticity, and confidentiality.
For more information about SNMP, see Network Management and Monitoring Configuration Guide.
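To make the community-name point concrete, here is an added Python example that is not part of the HP guide or of any HP software. It builds SNMPv1 and SNMPv2c GetRequest datagrams with a minimal BER encoder and then parses the message header the way a sniffer attached to a monitor port would, recovering the community name from the raw bytes; an SNMPv3 message carries no such field. The packets are constructed inline, the SNMPv3 sample is deliberately truncated after its global header (which is all the parser inspects), and every function name is this example's own.

```python
"""Added example, not from the HP guide: encode SNMPv1/v2c GetRequests with a minimal
BER encoder and parse SNMP message headers to show that v1/v2c community names are
readable by anyone who can see the datagram. Sample packets are constructed inline."""
from typing import List, Optional, Tuple


def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]              # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                              # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_get_request(version: int, community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 (version 0) or SNMPv2c (version 1) GetRequest for a single OID."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # name, NULL value
    # GetRequest-PDU [0]: request-id, error-status, error-index, variable-bindings
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode("latin-1")) + pdu)


def build_v3_header() -> bytes:
    """Constructed SNMPv3 message truncated after msgGlobalData (msgID, msgMaxSize,
    msgFlags, msgSecurityModel=USM); enough for parse_header, not a complete message."""
    global_data = tlv(0x30, ber_int(1) + ber_int(65507) + tlv(0x04, b"\x04") + ber_int(3))
    return tlv(0x30, ber_int(3) + global_data)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet: bytes) -> Tuple[str, Optional[str]]:
    """Return (version name, community). community is None for SNMPv3, whose header
    carries msgGlobalData and USM security parameters instead of a shared secret."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return ("SNMPv3", None)
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community")
    names = {0: "SNMPv1", 1: "SNMPv2c"}
    return (names.get(version, f"unknown({version})"), community.decode("latin-1"))


def audit(datagrams: List[bytes]) -> List[Tuple[str, str]]:
    """Report every datagram whose authentication secret travels in cleartext."""
    return [(v, c) for v, c in map(parse_header, datagrams) if c is not None]


if __name__ == "__main__":
    # Constructed sample: what a sniffer attached to a monitor port would collect.
    captured = [
        build_get_request(0, "public", "1.3.6.1.2.1.1.1.0"),    # sysDescr.0 over SNMPv1
        build_get_request(1, "private", "1.3.6.1.2.1.1.5.0"),   # sysName.0 over SNMPv2c
        build_v3_header(),
    ]
    for version, community in audit(captured):
        print(f"{version}: community {community!r} exposed on the wire")
```

Run against a real capture, the same parser applied to UDP/161 and UDP/162 payloads lists every community name in use on the segment, which is a quick way to confirm that only the intended versions are enabled on the agent.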

SNMP configuration task list


SNMPv3 differs from SNMPv1 and SNMPv2c in configurations. The following describes their
configuration procedures separately.

SNMPv1 or SNMPv2c configuration task list


Perform the tasks in Table 43 to configure SNMPv1 or SNMPv2c.
Table 43 SNMPv1 or SNMPv2c configuration task list

Task Remarks

Enabling SNMP agent
Required. The SNMP agent function is disabled by default.
IMPORTANT:
If SNMP agent is disabled, all SNMP agent-related configurations are removed.

Configuring an SNMP view
Optional. After creating SNMP views, you can specify an SNMP view for an SNMP community to limit the MIB objects that the NMS can access with that community.

Configuring an SNMP community
Required.

Configuring SNMP trap function
Optional. Allows you to configure the agent to send SNMP traps to the NMS, and to configure the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics
Optional.

SNMPv3 configuration task list


Perform the tasks in Table 44 to configure SNMPv3.
Table 44 SNMPv3 configuration task list

Task Remarks

Enabling SNMP agent
Required. The SNMP agent function is disabled by default.
IMPORTANT:
If SNMP agent is disabled, all SNMP agent-related configurations are removed.

Configuring an SNMP view
Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.

Configuring an SNMP group
Required. After creating an SNMP group, you can add SNMP users to the group when creating the users, so that the users in the group are managed centrally through the group.

Configuring an SNMP user
Required. Before creating an SNMP user, you must create the SNMP group to which the user belongs.

Configuring SNMP trap function
Optional. Allows you to configure the agent to send SNMP traps to the NMS, and to configure the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics
Optional.

Enabling SNMP agent


1. Select Device > SNMP from the navigation tree.

The SNMP configuration page appears.
Figure 85 Configuring SNMP settings

2. Configure SNMP settings on the upper part of the page, as described in Table 45.
3. Click Apply.
Table 45 Configuration items

Item Description

SNMP
Specify whether to enable or disable SNMP agent.

Local Engine ID
Configure the local engine ID.
The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID at the time the user was created is not identical to the current engine ID, the user is invalid, because SNMPv3 authentication and privacy keys are localized with the engine ID.

Maximum Packet Size
Configure the maximum size of an SNMP packet that the agent can receive or send.

Contact
Set a character string that describes the contact information for system maintenance.

Location
Set a character string that describes the physical location of the device.

SNMP Version
Set the SNMP versions that the system runs. Enable only the versions your NMS requires; SNMPv1 and SNMPv2c carry the community name in cleartext.
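The Local Engine ID note above has a concrete cause. SNMPv3 USM keys are derived from the user's password and then localized with the agent's engine ID (RFC 3414, section A.2), so a key stored for a user under one engine ID no longer matches once the engine ID changes. The following added Python example, which is not part of the HP guide or of any HP software, implements that derivation with hashlib and checks it against the RFC's maplesyrup test vectors; the two engine ID values in the demo function are constructed for illustration.

```python
"""Added example, not from the HP guide: RFC 3414 password-to-key derivation and
engine ID localization, to show why changing the local engine ID invalidates
existing SNMPv3 users. Engine IDs in the demo are constructed values."""
import hashlib
import hmac

# RFC 3414 A.2: the password is repeated (and truncated) to exactly 1 MiB before hashing.
_EXPANSION = 1_048_576


def password_to_ku(password: bytes, algo: str = "md5") -> bytes:
    """Ku: the user's master key, independent of any particular engine."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(_EXPANSION, len(password))
    digest = hashlib.new(algo)
    digest.update(password * reps + password[:rem])
    return digest.digest()


def localize(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores and uses."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    return localize(password_to_ku(password, algo), engine_id, algo)


def agent_accepts(stored_kul: bytes, current_engine_id: bytes,
                  password: bytes, algo: str = "md5") -> bool:
    """Would an agent holding stored_kul accept this password under its current engine ID?
    The comparison is constant-time, as any key check should be."""
    candidate = localized_key(password, current_engine_id, algo)
    return hmac.compare_digest(stored_kul, candidate)


def engine_id_change_demo() -> tuple:
    """Constructed engine IDs: the user is created under old_engine, then the agent's
    engine ID is changed. Returns (accepted_before, accepted_after)."""
    password = b"authkey"
    old_engine = bytes.fromhex("800000000a010101")   # constructed value
    new_engine = bytes.fromhex("800000000a010102")   # constructed value
    stored = localized_key(password, old_engine, "sha1")   # what the agent saved at creation
    return (
        agent_accepts(stored, old_engine, password, "sha1"),
        agent_accepts(stored, new_engine, password, "sha1"),
    )


if __name__ == "__main__":
    rfc_engine = bytes.fromhex("000000000000000000000002")
    print("Kul(md5, maplesyrup):", localized_key(b"maplesyrup", rfc_engine).hex())
    print("accepted before/after engine ID change:", engine_id_change_demo())   # (True, False)
```

The same localization is why an NMS must learn the agent's engine ID (normally through discovery) before it can compute the keys for a user, and why copying a user definition between two agents with different engine IDs does not work without re-entering the password.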

Configuring an SNMP view


Creating an SNMP view
1. Select Device > SNMP from the navigation tree.
2. Click the View tab.
The view page appears.
Figure 86 View page

3. Click Add.
The Add View window appears.

Figure 87 Creating an SNMP view (1)

4. Enter the view name.


5. Click Apply.
The page in Figure 88 appears.
Figure 88 Creating an SNMP view (2)

6. Configure the parameters, as described in Table 46.


7. Click Add.
8. Repeat steps 6 and 7 to add more rules for the SNMP view.
9. Click Apply.
To cancel the view, click Cancel.
Table 46 Configuration items

Item Description

View Name
Set the SNMP view name.

Rule
Select whether to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.

MIB Subtree OID
Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system). A MIB subtree OID identifies the position of a node in the MIB tree and uniquely identifies a MIB subtree.

Subtree Mask
Set the subtree mask. If no subtree mask is specified, the default subtree mask (all Fs) is used for mask-OID matching.
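The include/exclude rules, subtree OID, and subtree mask in Table 46 follow the view-based access control model of RFC 3415. As an added Python example that is not part of the HP guide or of any HP software, the following code evaluates whether an OID falls inside a view the way that model specifies: a mask bit of 0 turns the corresponding subtree position into a wildcard, bits beyond the end of the mask count as 1 (so an empty mask means plain prefix matching, like the all-Fs default), and when several rules match, the one with the longest subtree decides. The view names, the rules, and the small name-to-OID table are this example's own constructions.

```python
"""Added example, not from the HP guide: RFC 3415 (VACM) view-tree matching with
include/exclude rules and hexadecimal subtree masks. View definitions are constructed."""
from typing import List, Optional, Tuple

# Subset of well-known names accepted in place of a dotted OID; constructed for this example.
_WELL_KNOWN = {
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
}

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    text = _WELL_KNOWN.get(text, text)
    return tuple(int(arc) for arc in text.split("."))


def mask_bits(mask_hex: str, count: int) -> List[int]:
    """Expand a hex mask (for example "FFA0") to `count` bits, most significant first.
    Positions beyond the end of the mask are treated as 1, so "" means exact prefix."""
    bits: List[int] = []
    for byte in bytes.fromhex(mask_hex.replace(":", "")):
        bits.extend((byte >> (7 - i)) & 1 for i in range(8))
    return [bits[i] if i < len(bits) else 1 for i in range(count)]


def family_matches(subtree: OID, mask_hex: str, oid: OID) -> bool:
    """An OID belongs to a view family when it is at least as long as the subtree and
    agrees with it at every position whose mask bit is 1."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or s == o for bit, s, o in zip(bits, subtree, oid))


class View:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Tuple[OID, str, bool]] = []

    def add_rule(self, subtree: str, included: bool = True, mask: str = "") -> "View":
        self.rules.append((parse_oid(subtree), mask, included))
        return self

    def allows(self, oid_text: str) -> bool:
        """The most specific matching rule decides: longest subtree first, then the
        lexicographically greatest subtree. No match means the object is outside the view."""
        oid = parse_oid(oid_text)
        best: Optional[Tuple[OID, bool]] = None
        for subtree, mask, included in self.rules:
            if family_matches(subtree, mask, oid):
                if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


def build_demo_views() -> Tuple[View, View]:
    """Constructed views: view1 exposes the interfaces group but hides the ifPhysAddress
    column; row3_only uses a mask to expose every column of ifEntry row 3 and nothing else."""
    view1 = (View("view1")
             .add_rule("interfaces", included=True)
             .add_rule("1.3.6.1.2.1.2.2.1.6", included=False))
    # Subtree 1.3.6.1.2.1.2.2.1.<column>.3 with mask FFA0: bits 1-9 and 11 set, bit 10 (the
    # column arc) cleared, so the column is a wildcard and the row index must equal 3.
    row3_only = View("row3_only").add_rule("1.3.6.1.2.1.2.2.1.0.3", included=True, mask="FFA0")
    return view1, row3_only


if __name__ == "__main__":
    view1, row3_only = build_demo_views()
    print("ifDescr.1 in view1       :", view1.allows("1.3.6.1.2.1.2.2.1.2.1"))      # True
    print("ifPhysAddress.1 in view1 :", view1.allows("1.3.6.1.2.1.2.2.1.6.1"))      # False
    print("sysDescr.0 in view1      :", view1.allows("1.3.6.1.2.1.1.1.0"))          # False
    print("ifSpeed.3 in row3_only   :", row3_only.allows("1.3.6.1.2.1.2.2.1.5.3"))  # True
    print("ifSpeed.4 in row3_only   :", row3_only.allows("1.3.6.1.2.1.2.2.1.5.4"))  # False
```

Because the longest matching subtree wins, an Excluded rule placed below an Included one carves a hole in the view without affecting its siblings, which is the pattern to use when a read-only community must see interface counters but not, for example, the hardware addresses.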

Adding rules to an SNMP view
1. Select Device > SNMP from the navigation tree.
2. Click the View tab.
The page in Figure 89 appears.

3. Click the icon of the target view.


The Add rule for the view ViewDefault window appears.
Figure 89 Adding rules to an SNMP view

4. Configure the parameters, as described in Table 46.


5. Click Apply.

NOTE:
You can modify the rules of a view in the page you enter by clicking the icon of that view.

Configuring an SNMP community


1. Select Device > SNMP from the navigation tree.
2. Click the Community tab.
The community tab page appears.
Figure 90 Configuring an SNMP community

3. Click Add.
The Add SNMP Community page appears.

Figure 91 Creating an SNMP Community

4. Configure SNMP community settings, as described in Table 47.


5. Click Apply.
Table 47 Configuration items

Item Description

Community Name
Set the SNMP community name.

Access Right
Configure the access rights:
• Read only—The NMS can perform only read operations on the MIB objects when it uses this community name to access the agent.
• Read and write—The NMS can perform both read and write operations on the MIB objects when it uses this community name to access the agent.

View
Specify the view associated with the community to limit the MIB objects that the NMS can access.

ACL
Associate the community with a basic ACL to allow or prohibit access to the agent from NMSs with the specified source IP addresses.

Configuring an SNMP group


1. Select Device > SNMP from the navigation tree.
2. Click the Group tab.
The group tab page appears.

Figure 92 SNMP group

3. Click Add.
The Add SNMP Group page appears.
Figure 93 Creating an SNMP group

4. Configure SNMP group settings, as described in Table 48.


5. Click Apply.
Table 48 Configuration items

Item Description

Group Name
Set the SNMP group name.

Security Level
Select the security level for the SNMP group:
• NoAuth/NoPriv—No authentication, no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.

Read View
Select the read view of the SNMP group.

Write View
Select the write view of the SNMP group. If no write view is configured, the NMS cannot perform write operations on any MIB objects on the device.

Notify View
Select the notify view of the SNMP group. The notify view determines the objects for which trap messages can be sent. If no notify view is configured, the agent does not send traps to the NMS.

ACL
Associate a basic ACL with the group to restrict the source IP address of SNMP packets. You can allow or prohibit SNMP packets with a specific source IP address to restrict the communication between the NMS and the agent.

Configuring an SNMP user


1. Select Device > SNMP from the navigation tree.
2. Click the User tab.
The user tab page appears.
Figure 94 SNMP user

3. Click Add.
The Add SNMP User page appears.

Figure 95 Creating an SNMP user

4. Configure SNMP user settings, as described in Table 49.


5. Click Apply.
Table 49 Configuration items

Item Description

User Name
Set the SNMP user name.

Security Level
Select the security level for the SNMP user:
• NoAuth/NoPriv—No authentication, no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.

Group Name
Select the SNMP group to which the user belongs.
• When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication and no privacy.
• When the security level is Auth/NoPriv, you can select an SNMP group with no authentication and no privacy, or with authentication but no privacy.
• When the security level is Auth/Priv, you can select an SNMP group of any security level.

Authentication Mode
Select an authentication mode (MD5 or SHA) when the security level is Auth/NoPriv or Auth/Priv. Prefer SHA when the NMS supports it.

Authentication Password
Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.

Confirm Authentication Password
The confirm authentication password must be the same as the authentication password.

Privacy Mode
Select a privacy mode (DES56, AES128, or 3DES) when the security level is Auth/Priv. Prefer AES128 when the NMS supports it; DES56 uses a 56-bit key and no longer provides adequate confidentiality.

Privacy Password
Set the privacy password when the security level is Auth/Priv.

Confirm Privacy Password
The confirm privacy password must be the same as the privacy password.

ACL
Associate a basic ACL with the user to restrict the source IP address of SNMP packets. You can allow or prohibit SNMP packets with a specific source IP address so that only the specified NMS can access the agent by using the name of the associated user.

Configuring SNMP trap function


1. Select Device > SNMP from the navigation tree.
2. Click the Trap tab.
The trap configuration page appears.
Figure 96 Traps configuration

3. Select Enable SNMP Trap.


4. Click Apply.
5. Click Add.
The page for adding a target host of SNMP traps appears.

Figure 97 Adding a target host of SNMP traps

6. Configure the settings for the target host, as described in Table 50.
7. Click Apply.
Table 50 Configuration items

Item Description

Destination IP Address
Set the destination IP address or domain name. Select the IP address type, IPv4/Domain or IPv6, and then enter the corresponding IP address or domain name in the field.

Security Name
Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.

UDP Port
Set the UDP port number.
IMPORTANT:
The default port number is 162, which is the SNMP-specified port for receiving traps on the NMS. Typically (for example, when using IMC or MIB Browser as the NMS), you can use the default port number. If you change this parameter, make sure the NMS is configured with the same port number.

Security Model
Select the security model, which is the SNMP version. The model must be the same as the one running on the NMS. Otherwise, the NMS cannot receive any trap.

Security Level
Set the authentication and privacy mode for SNMP traps when the security model is v3. The available security levels are no authentication no privacy, authentication but no privacy, and authentication and privacy.
Displaying SNMP packet statistics
1. Select Device > SNMP from the navigation tree.
The page for displaying SNMP packet statistics appears.
Figure 98 SNMP packet statistics

SNMPv1/SNMPv2c configuration example


Network requirements
As shown in Figure 99, the NMS (1.1.1.2/24) uses SNMPv1 or SNMPv2c to manage the AC (1.1.1.1/24),
and the AC automatically sends traps to report events to the NMS.
Figure 99 Network diagram (AC acting as the SNMP agent, Vlan-int2 at 1.1.1.1/24; NMS at 1.1.1.2/24)
Configuring the AC (SNMP agent)


1. Enable SNMP agent:
a. Select Device > SNMP from the navigation tree.
The page in Figure 100 appears.
b. Select the Enable option.

c. Select the v1 and v2c boxes, as shown in Figure 100.
d. Click Apply.
Figure 100 Enabling SNMP agent

2. Configure an SNMP read-only community:


a. Click the Community tab.
b. Click Add.
c. Enter public in the Community Name field and select Read only from the Access Right list, as
shown in Figure 101.
d. Click Apply.
Figure 101 Creating an SNMP read-only community

3. Configure an SNMP read/write community:


a. Click Add on the Community tab.
b. Enter private in the Community Name field and select Read and write from the Access Right list,
as shown in Figure 102.
c. Click Apply.

Figure 102 Creating an SNMP read/write community

4. Enable the agent to send SNMP traps:


a. Click the Trap tab.
b. Select the Enable SNMP Trap box.
c. Click Apply.
Figure 103 Enabling the agent to send SNMP traps

5. Configure an SNMP trap target host:


a. Click the Trap tab.
b. Click Add.
c. Select the IPv4/Domain option, enter the destination address 1.1.1.2, enter public in the
Security Name field, and select v1 from the Security Model list, as shown in Figure 104.
To make sure the NMS can receive traps, specify the same SNMP version as configured on the
NMS.
d. Click Apply.

Figure 104 Adding an SNMP trap target host

Configuring the NMS

IMPORTANT:
The configuration on the NMS must be consistent with the configuration on the agent. Otherwise, you
cannot perform corresponding operations.

To configure the NMS:


1. Specify the SNMPv1 or SNMPv2c version.
2. Create a read-only community named public.
3. Create a read/write community named private.
For more information about configuration procedure on the NMS, see the NMS user manual.

Verifying the configuration


Verify that the NMS can access and set some MIB variables on the AC.
Shut down and bring up an idle interface on the AC, and verify that the NMS can receive the link traps
from the AC.

SNMPv3 configuration example


Network requirements
As shown in Figure 105, the NMS (1.1.1.2/24) uses SNMPv3 to manage the AC (1.1.1.1/24), and the AC
automatically sends traps to report events to the NMS.
The NMS and the AC perform authentication when they set up an SNMP session. The authentication
algorithm is MD5 and the authentication key is authkey. The NMS and the agent also encrypt the SNMP
packets between them by using the DES56 algorithm and the privacy key prikey.

Figure 105 Network diagram (AC, Vlan-int2 1.1.1.1/24, acting as the SNMP agent; NMS 1.1.1.2/24)

Configuring the AC (SNMP agent)


1. Enable SNMP agent:
a. Select Device > SNMP from the navigation tree.
b. Select the Enable option to enable the SNMP agent, and select v3 for SNMP Version, as shown
in Figure 106.
c. Click Apply.
Figure 106 Enabling SNMP agent

2. Configure an SNMP view:


a. Click the View tab.
b. Click Add.
The page in Figure 107 appears.
c. Enter view1 in the field.
d. Click Apply.
The page in Figure 108 appears.
e. Select the Included radio box, enter the MIB subtree OID interfaces, and click Add.
f. Click Apply.
A configuration progress dialog box appears.
g. Click Close after the configuration process is complete.

Figure 107 Creating an SNMP view (1)

Figure 108 Creating an SNMP view (2)

3. Configure an SNMP group:


a. Click the Group tab.
b. Click Add.
The page in Figure 109 appears.
c. Enter group1 in the field of Group Name, select view1 from the Read View box, and select
view1 from the Write View box.
d. Click Apply.

Figure 109 Creating an SNMP group

4. Configure an SNMP user:


a. Click the User tab.
b. Click Add.
The page in Figure 110 appears.
c. Enter user1 in the User Name field.
d. Select Auth/Priv from the Security Level list.
e. Select group1 from the Group Name list.
f. Select MD5 from the Authentication Mode list.
g. Enter authkey in the Authentication Password and Confirm Authentication Password fields.
h. Select DES56 from the Privacy Mode list.
i. Enter prikey in the Privacy Password and Confirm Privacy Password fields.
j. Click Apply.

Figure 110 Creating an SNMP user

5. Enable the agent to send SNMP traps:


a. Click the Trap tab.
The page in Figure 111 appears.
b. Select the Enable SNMP Trap box.
c. Click Apply.
Figure 111 Enabling the agent to send SNMP traps

6. Add target hosts of SNMP traps:
a. Click Add on the Trap tab.
The page in Figure 112 appears.
b. Select the destination IP address type as IPv4/Domain, enter the destination address 1.1.1.2.
c. Enter the user name user1, select v3 from the Security Model list, and select Auth/Priv from the
Security Level list.
d. Click Apply.
Figure 112 Adding target hosts of SNMP traps

Configuring the NMS

IMPORTANT:
The configuration on the NMS must be consistent with the configuration on the agent. Otherwise, you
cannot perform corresponding operations.

To configure the NMS:


1. Specify the SNMPv3 version.
2. Set the username to user1, authentication algorithm to MD5, authentication key to authkey,
encryption algorithm to DES56, and privacy key to prikey.
For more information about configuring the NMS, see the NMS user manual.
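The NMS must be given exactly the same authentication and privacy passwords as user1 because SNMPv3 USM never transmits them: each side derives localized keys from the password and the agent's engine ID (RFC 3414), so a mismatch on either side simply produces different keys. The following Python block is an added example, not code from this guide or from HP; it shows the MD5 and DES56 derivation used by this configuration example, and the engine ID in it is a constructed placeholder.

```python
"""RFC 3414 USM key derivation for an MD5/DES56 user such as user1 (added example)."""
import hashlib

MIB_SIZE = 1_048_576  # RFC 3414 A.2: the password is expanded to 1 MiB before hashing


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: hash of the password repeated cyclically until 1 MiB is reached (RFC 3414 A.2.1)."""
    if not password:
        raise ValueError("empty password")
    reps = MIB_SIZE // len(password) + 1
    expanded = (password * reps)[:MIB_SIZE]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the same password yields a different key per agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes) -> dict:
    """Keys both the NMS and the agent compute for an authentication MD5 / privacy DES56 user."""
    auth_kul = localize_key(password_to_key(auth_password.encode()), engine_id)
    priv_kul = localize_key(password_to_key(priv_password.encode()), engine_id)
    return {
        "auth_key": auth_kul,      # 16 bytes, keys HMAC-MD5-96 over each message
        "des_key": priv_kul[:8],   # RFC 3414 8.1.1.1: first 8 octets are the DES key
        "pre_iv": priv_kul[8:],    # last 8 octets are the pre-IV, XORed with the salt
    }


# Constructed placeholder; a real AC reports its own engine ID during discovery.
ENGINE_ID = bytes.fromhex("800000000102030405")

if __name__ == "__main__":
    keys = usm_keys("authkey", "prikey", ENGINE_ID)
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
    # Same passwords against a different engine ID: different localized keys.
    other = usm_keys("authkey", "prikey", ENGINE_ID + b"\x01")
    print("keys differ across engine IDs:", other["auth_key"] != keys["auth_key"])
```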

Verifying the configuration


Verify that the NMS can access and set some MIB variables on the AC.
Shut down and bring up an idle interface on the AC, and verify that the NMS can receive the link traps
from the AC.

Configuring loopback

You can check whether an Ethernet port works correctly by performing the Ethernet port loopback test.
During the test the port cannot correctly forward data packets.
An Ethernet port loopback test can be an internal loopback test or an external loopback test.
• In an internal loopback test, a self-loop is established in the switching chip to check whether there is
a chip failure related to the functions of the port.
• In an external loopback test, a self-loop header is used on the port. Packets forwarded by the port
will be received by itself through the self-loop header. The external loopback test can be used to
check whether there is a hardware failure on the port.
Support of Ethernet ports for internal or external loopback test depends on the device model. For more
information, see "About the Web-based configuration guide for HP unified wired-WLAN products."

Configuration guidelines
When you perform a loopback test, follow these guidelines:
• You can perform an internal loopback test but not an external loopback test on a port that is
physically down. However, you can perform neither test on a port that is manually shut down.
• The system does not allow Rate, Duplex, Cable Type, and Port Status configuration on a port under
a loopback test.
• An Ethernet port operates in full duplex mode when the loopback test is performed, and restores its
original duplex mode after the loopback test.

Loopback operation
1. Select Device > Loopback from the navigation tree.
The loopback test configuration page appears.

Figure 113 Loopback test configuration page

2. Configure the loopback test parameters, as described in Table 51.


Table 51 Configuration items

Item Description
Testing type (External, Internal): Set the loopback test type to External or Internal. Support for the test type depends on the device model.

3. Click Test to start the loopback test.


After the test is completed, the test result appears in the Result box.

Figure 114 Loopback test result (for internal loopback test)

OAP management

Overview
An Open Application Platform (OAP) module can work in synergy with a device within OAA. For an
NMS that is based on SNMP UDP domain, the device and the OAP module are separate SNMP agents.
Physically, the two SNMP agents are at the same managed object. Logically, the two SNMP agents
belong to different systems and manage their own MIB objects independently. To manage the device and
the OAP module through the same interface, the NMS must first obtain their management IP addresses
and relationships between them. You can configure a management IP address for an OAP module
through the Web interface.
Support for OAP management depends on the device model. For more information, see "About the
Web-based configuration guide for HP unified wired-WLAN products."

Configuring a management IP address


IMPORTANT:
To manage an OAP module through the NMS, assign an IP address to the module, and configure the IP
address as the management IP address on the device.

1. Select Device > OAP Management from the navigation tree.


The OAP management configuration page appears.
Figure 115 OAP Management configuration page

2. Enter an IP address for the Management IP address field, as shown in Figure 115.
3. Click Apply.

Configuring MAC addresses

MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces.
This chapter provides information about the management of static and dynamic MAC address entries. It
does not provide information about multicast MAC address entries.

Overview
A device maintains a MAC address table for frame forwarding. Each entry in this table indicates the
MAC address of a connected device, to which interface this device is connected and to which VLAN the
interface belongs. A MAC address table consists of two types of entries: static and dynamic. Static
entries are manually configured and never age out. Dynamic entries can be manually configured or
dynamically learned and will age out.
When a frame arrives at a port, Port A for example, the device performs the following tasks:
1. Checks the frame for the source MAC address (MAC-SOURCE for example).
2. Looks up the MAC address in the MAC address table.
If an entry is found, updates the entry.
If no entry is found, adds an entry for the MAC address and the receiving port (Port A) to the
MAC address table.
When receiving a frame destined for MAC-SOURCE, the device looks up the MAC address in the MAC
address table and forwards the frame from port A.

NOTE:
Dynamically learned MAC addresses cannot overwrite static MAC address entries, but the static MAC
address entries can overwrite dynamically learned MAC addresses.

When forwarding a frame, the device uses the following forwarding modes based on the MAC address
table:
• Unicast mode—If an entry matching the destination MAC address exists, the device forwards the
frame directly from the outgoing port recorded in the entry.
• Broadcast mode—The device broadcasts the frame to all the ports except the receiving port if either
of the following conditions exist:
The device receives a frame with a destination address of all Fs.
No entry matches the destination MAC address.
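As an added illustration that is not code from this guide, the following Python model implements the learning, aging, and forwarding rules described above: a lookup updates or adds a dynamic entry, dynamic learning cannot overwrite a static entry, unicast mode is used when the destination is known, and broadcast mode otherwise or for a destination of all Fs. The blackhole type from Table 52 is modelled as a discard; the MAC labels and port names follow Figure 116, and MAC X is a constructed address.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff-ffff-ffff"   # destination address of all Fs, HP notation


@dataclass
class MacEntry:
    port: str
    kind: str             # "static", "dynamic", or "blackhole"
    updated: float = 0.0  # last learn/refresh time; only dynamic entries age


class MacTable:
    """MAC address table keyed by (VLAN, MAC) with the rules from the overview."""

    def __init__(self, ports: List[str], aging_time: Optional[float] = 300.0):
        self.ports = ports
        self.aging_time = aging_time          # None models the No-aging setting (Table 53)
        self.entries: Dict[Tuple[int, str], MacEntry] = {}

    def add_configured(self, mac: str, vlan: int, port: str, kind: str = "static") -> None:
        """Static and blackhole entries never age out and replace any dynamic entry."""
        if kind not in ("static", "blackhole"):
            raise ValueError(kind)
        self.entries[(vlan, mac)] = MacEntry(port, kind)

    def learn(self, mac: str, vlan: int, port: str, now: float) -> None:
        cur = self.entries.get((vlan, mac))
        if cur is not None and cur.kind != "dynamic":
            return                             # learning cannot overwrite a static entry
        if cur is not None:
            cur.port, cur.updated = port, now  # entry found: update it
        else:                                  # no entry: add MAC plus receiving port
            self.entries[(vlan, mac)] = MacEntry(port, "dynamic", now)

    def age(self, now: float) -> int:
        """Remove dynamic entries older than the aging time; returns how many went."""
        if self.aging_time is None:
            return 0
        stale = [k for k, e in self.entries.items()
                 if e.kind == "dynamic" and now - e.updated >= self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def forward(self, src: str, dst: str, vlan: int, in_port: str, now: float) -> List[str]:
        """Learn the source MAC, then return the egress port list for the frame."""
        self.learn(src, vlan, in_port, now)
        entry = self.entries.get((vlan, dst))
        if dst == BROADCAST or entry is None:
            # Broadcast mode: every port except the receiving port.
            return [p for p in self.ports if p != in_port]
        if entry.kind == "blackhole":
            return []                          # blackhole entries discard the frame
        return [entry.port]                    # unicast mode


if __name__ == "__main__":
    # Figure 116 layout: MAC A and MAC B behind Port 1, MAC C and MAC D behind Port 2.
    t = MacTable(["Port 1", "Port 2", "Port 3"])
    print(t.forward("MAC A", "MAC C", 1, "Port 1", 0.0))   # MAC C unknown: flooded
    t.learn("MAC C", 1, "Port 2", 0.0)
    print(t.forward("MAC A", "MAC C", 1, "Port 1", 1.0))   # now unicast to Port 2
    print(t.forward("MAC A", BROADCAST, 1, "Port 1", 1.0))
    t.add_configured("MAC C", 1, "Port 3")                  # static entry wins
    t.learn("MAC C", 1, "Port 2", 2.0)                      # ignored
    print(t.entries[(1, "MAC C")])
    print("aged:", t.age(400.0), "remaining:", sorted(t.entries))
```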

Figure 116 MAC address table of the device (MAC A and MAC B on Port 1; MAC C and MAC D on Port 2)

Configuring a MAC address entry


1. Select Network > MAC from the navigation tree. The system automatically displays the MAC tab,
which shows all the MAC address entries on the device.
Figure 117 The MAC tab

2. Click Add at the bottom to enter the page for creating MAC address entries.

Figure 118 Creating a MAC address entry

3. Configure the MAC address entry, as described in Table 52.


4. Click Apply.
Table 52 Configuration items

Item Description
MAC: Set the MAC address to be added.
Type: Set the type of the MAC address entry:
• static—Static MAC address entries that never age out.
• dynamic—Dynamic MAC address entries that will age out.
• blackhole—Blackhole MAC address entries that never age out.
The tab displays the following types of MAC address entries:
• Config static—Static MAC address entries manually configured by the users.
• Config dynamic—Dynamic MAC address entries manually configured by the users.
• Blackhole—Blackhole MAC address entries.
• Learned—Dynamic MAC address entries learned by the device.
• Other—Other types of MAC address entries.
VLAN ID: Set the ID of the VLAN to which the MAC address belongs.
Port: Set the port to which the MAC address belongs.

Setting the aging time of MAC address entries


1. Select Network > MAC from the navigation tree.
2. Click the Setup tab.
The page for setting the MAC address entry aging time appears.

Figure 119 Setting the aging time for MAC address entries

3. Set the aging time, as described in Table 53.


4. Click Apply.
Table 53 Configuration items

Item Description
No-aging Specify that the MAC address entry never ages out.

Aging Time Set the aging time for the MAC address entry.

MAC address configuration example


Network requirements
Use the MAC address table management function of the Web-based NMS. Create a static MAC address
00e0-fc35-dc71 for Ten-GigabitEthernet 1/0/1 in VLAN 1.

Configuration procedure
Create a static MAC address entry:
1. Select Network > MAC from the navigation tree to enter the MAC tab.
2. Click Add.
The page shown in Figure 120 appears.
3. Enter MAC address 00e0-fc35-dc71, select static from the Type list, select 1 from the VLAN list,
and select Ten-GigabitEthernet1/0/1 from the Port list.
4. Click Apply.

Figure 120 Creating a static MAC address entry

Configuring VLANs

Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect
(CSMA/CD) mechanism. The medium is shared, so collisions and excessive broadcasts are common on
an Ethernet. To address this issue, virtual LAN (VLAN) was introduced to break a LAN down into
separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all
broadcast traffic is contained within it, as shown in Figure 121.
Figure 121 A VLAN diagram

You can implement VLANs based on a variety of criteria. However, the Web interface is available only
for port-based VLANs, which group VLAN members by port. A port forwards traffic for a VLAN only after
it is assigned to the VLAN.
For more information about VLAN, see Layer 2 Configuration Guide.

Configuration guidelines
When you configure a VLAN, follow these guidelines:
• VLAN 1 is the default VLAN, which cannot be manually created or removed.
• Some VLANs are reserved for special purposes. You cannot manually create or remove them.
• Dynamic VLANs cannot be manually removed.
• By default, an access port is not a tagged member of a VLAN, and a hybrid or trunk port is a
tagged member of VLAN 2 to VLAN 4049.

Recommended configuration procedure
Step Remarks
1. Creating a VLAN: Required.
2. Modifying a VLAN, or 3. Modifying a port: Required. Select either task. Configure the untagged member ports and tagged member ports of the VLAN, or remove ports from the VLAN.

Creating a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab
and enters the page shown in Figure 122.
Figure 122 VLAN configuration page

TIP:
To easily configure a specific range of VLANs, enter a VLAN range in the VLAN Range field and click
Select, and all undesired VLANs will be filtered out. If you click Remove, all VLANs within this range
will be deleted.

2. Click Add to enter the page for creating a VLAN.


3. On the page that appears, enter the ID of the VLAN you want to create.
4. Click Apply.

Figure 123 Creating a VLAN

Modifying a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab
and enters the page shown in Figure 122.
2. Click the icon of the VLAN you want to modify to enter the page shown in Figure 124.
Figure 124 Modifying a VLAN

3. Configure the description and port members for the VLAN, as described in Table 54.
4. Click Apply.
Table 54 Configuration items

Item Description
ID: Display the ID of the VLAN to be modified.
Description: Set the description string of the VLAN. By default, the description string of a VLAN is its VLAN ID, such as VLAN 0001.
Port (Untagged Member, Tagged Member, Not a Member): Find the port to be modified and select the Untagged Member, Tagged Member, or Not a Member option for the port:
• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
• Tagged—Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
• Not a Member—Removes the port from the VLAN.
IMPORTANT:
When you configure an access port as a tagged member of a VLAN, the link type of the port is automatically changed into hybrid.

Modifying a port
1. Select Network > VLAN from the navigation tree.
2. Click the Port tab.
Figure 125 Port configuration page

3. Click the icon for the port to be modified.


Figure 126 Modifying a port

4. Configure the port, as described in Table 55.


5. Click Apply.

Table 55 Configuration items

Item Description
Port: Display the port to be modified.
Untagged Member: Display the VLAN(s) to which the port belongs as an untagged member.
Tagged Member: Display the VLAN(s) to which the port belongs as a tagged member.
Member Type (Untagged, Tagged, Not a Member): Select the Untagged, Tagged, or Not a Member option:
• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
• Tagged—Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
• Not a Member—Removes the port from the VLAN.
IMPORTANT:
• You cannot configure an access port as an untagged member of a nonexistent VLAN.
• The link type of the port is automatically changed into hybrid when either of the following conditions exist:
You configure an access port as a tagged member of a VLAN.
You configure a trunk port as an untagged member of multiple VLANs in bulk.
• You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing, static VLAN.
VLAN ID: Specify the VLAN to which the port belongs.

VLAN configuration example


Network requirements
As shown in Figure 127:
• The switch is installed with the HP 11900/10500/7500 20G Unified Wired-WLAN module to act
as the AC.
• GigabitEthernet 3/0/1 of the AC is connected to GigabitEthernet 1/0/1 of Switch.
• Ten-GigabitEthernet 1/0/1 is the access port with VLAN 1 as the default VLAN.
Configure Ten-GigabitEthernet 1/0/1 to permit packets of VLAN 2, VLAN 6 through VLAN 50, and
VLAN 100 to pass through.
Figure 127 Network diagram (GE3/0/1 of the AC connected to GE1/0/1 of Switch)

Configuring the AC
1. Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the VLAN tab.
b. Click Add.

c. Enter VLAN IDs 2,6-50,100.
d. Click Apply.
Figure 128 Creating a VLAN

2. Configure Ten-GigabitEthernet 1/0/1 as an untagged member of VLAN 100:


a. Enter 100 in the VLAN Range field.
b. Click Select to display only the information of VLAN 100.

Figure 129 Selecting a VLAN

c. Click the icon of VLAN 100.


d. On the page that appears, select the Untagged Member option for port Ten-GigabitEthernet
1/0/1.
e. Click Apply.

Figure 130 Modifying a VLAN

3. Configure Ten-GigabitEthernet 1/0/1 as a tagged member of VLAN 2, and VLAN 6 through VLAN 50:
a. Select Network > VLAN from the navigation tree and then select the Port tab.
b. Click the icon of port Ten-GigabitEthernet 1/0/1.
c. On the page that appears, select the Tagged option, and enter VLAN IDs 2, 6-50.
Figure 131 Modifying a port

d. Click Apply. A dialog box appears asking you to confirm the operation.
e. Click Apply in the dialog box.

Figure 132 Confirmation dialog box

Configuring the switch


The configuration on Switch is similar to the configuration on the AC.

Configuring ARP

Overview
Introduction to ARP
The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or
physical address).
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
For more information about ARP, see Layer 3 Configuration Guide.

Introduction to gratuitous ARP


Gratuitous ARP packets
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the
sending device. The sender MAC address is the MAC address of the sending device. The target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used,
the device will be informed of the conflict by an ARP reply.
• Inform other devices of the change of its MAC address.

Learning of gratuitous ARP packets


With this feature enabled, a device adds to its ARP table an ARP entry that contains the sender IP and MAC
addresses in the received gratuitous ARP packet. If the corresponding ARP entry exists, the device
updates the ARP entry.
With this feature disabled, the device uses the received gratuitous ARP packets to update existing ARP
entries, but not to create new ARP entries.

Displaying ARP entries


Select Network > ARP Management from the navigation tree. The ARP Table page appears, as shown
in Figure 133. All ARP entries are displayed on the page.

Figure 133 Displaying ARP entries

Creating a static ARP entry


1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page
shown in Figure 133.
2. Click Add.
The New Static ARP Entry page appears.
Figure 134 Adding a static ARP entry

3. Configure the static ARP entry, as described in Table 56.


4. Click Apply.
Table 56 Configuration items

Item Description
IP Address: Enter an IP address for the static ARP entry.
MAC Address: Enter a MAC address for the static ARP entry.
Advanced Options (VLAN ID, Port): Enter a VLAN ID and specify a port for the static ARP entry. The VLAN ID must be the ID of the VLAN that has already been created, and the port must belong to the VLAN. The corresponding VLAN interface must have been created.

Removing ARP entries


1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page
shown in Figure 133.
2. Remove ARP entries:
To remove specific ARP entries, select target ARP entries, and click Del Selected.
To remove all static and dynamic ARP entries, click Delete Static and Dynamic.
To remove all static ARP entries, click Delete Static.
To remove all dynamic ARP entries, click Delete Dynamic.

Configuring gratuitous ARP


1. Select Network > ARP Management from the navigation tree.
2. Click the Gratuitous ARP tab.
Figure 135 Configuring gratuitous ARP

3. Configure gratuitous ARP, as described in Table 57.


4. Click Apply.
Table 57 Configuration items

Item Description
Disable gratuitous ARP packets learning function: Disable learning of ARP entries according to gratuitous ARP packets. Enabled by default.
Send gratuitous ARP packets when receiving ARP requests from another network segment: Enable the device to send gratuitous ARP packets when it receives ARP requests from another network segment. Disabled by default.

Static ARP configuration example
Network requirements
As shown in Figure 136:
• The switch is installed with the HP 11900/10500/7500 20G Unified Wired-WLAN module to act
as the AC.
• GigabitEthernet 3/0/1 of the AC is connected to the router, and belongs to VLAN 100.
To enhance communication security between the AC and the router, configure a static ARP entry on the
AC.
Figure 136 Network diagram

Configuration procedure
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the default VLAN page.
b. Click Add.
c. Enter 100 for VLAN ID.
d. Click Apply.
Figure 137 Creating VLAN 100

2. Add Ten-GigabitEthernet 1/0/1 to VLAN 100:


a. On the VLAN page, click the icon of VLAN 100.
b. Select the Untagged Member option for Ten-GigabitEthernet1/0/1.
c. Click Apply.

Figure 138 Adding Ten-GigabitEthernet 1/0/1 to VLAN 100

3. Configure VLAN-interface 100 and its IP address:


a. Select Device > Interface from the navigation tree.
b. Click Add.
The configuration page appears.
c. Select Vlan-interface from the Interface Name list, and enter 100.
d. Select the Static Address option for IP Config, enter 192.168.1.2 for IP Address, and select 24
(255.255.255.0) for Mask.
e. Click Apply.

Figure 139 Configuring VLAN-interface 100

4. Create a static ARP entry:


a. Select Network > ARP Management from the navigation tree to enter the default ARP Table
page.
b. Click Add.
The page for creating a static ARP entry appears.
c. Enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, and select the
Advanced Options option.
d. Enter 100 for VLAN ID, and select Ten-GigabitEthernet1/0/1 from the Port list.
e. Click Apply.

Figure 140 Creating a static ARP entry

Configuring ARP attack protection

Overview
Although ARP is easy to implement, it does not provide any security mechanism and is prone to network
attacks and viruses, which threaten LAN security. This chapter describes features that a device can use to
detect and prevent attacks.

ARP detection
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to
prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
• User validity check—The device compares the sender IP and MAC addresses of a received ARP
packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security
entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.
• ARP packet validity check—The device does not check ARP packets received from an ARP trusted
port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet
based on source MAC address, destination MAC address, or source and destination IP addresses.
ARP packets that fail the check are discarded.
For more information about ARP detection, see Security Configuration Guide.

Source MAC address based ARP attack detection


This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If
the number of ARP packets from a MAC address exceeds the specified threshold within 5 seconds, the
device considers this an attack. Then, the device adds the MAC address to the attack detection table.
Before the attack detection entry is aged out, the device performs either of the following actions:
• In filter mode, the device generates a log message when it receives an ARP packet sourced from that
MAC address. Then, it filters out subsequent ARP packets from that MAC address.
• In monitor mode, the device generates a log message upon receiving an ARP packet sourced from
that MAC address.
A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from
being discarded, you can specify the MAC address of the gateway or server as a protected MAC
address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
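An added Python model of the source MAC address based detection described above (not the device's own implementation): a per-MAC packet count over the fixed 5-second window, the attack detection table with its aging time, filter versus monitor mode, and a protected MAC address that bypasses detection. The MAC addresses and timestamps are constructed sample input; the router MAC from the static ARP example is used as the protected address.

```python
from collections import defaultdict, deque

WINDOW = 5.0   # seconds; the detection window the guide describes is fixed at 5 s


class SourceMacArpDetector:
    """Rate-based ARP attack detection keyed on the source MAC address."""

    def __init__(self, threshold: int, aging_time: float, mode: str = "filter",
                 protected=()):
        if mode not in ("disable", "filter", "monitor"):
            raise ValueError(mode)
        self.threshold = threshold
        self.aging_time = aging_time          # lifetime of an attack detection entry
        self.mode = mode
        self.protected = {m.lower() for m in protected}
        self.recent = defaultdict(deque)      # mac -> arrival times inside the window
        self.attackers = {}                   # attack detection table: mac -> created_at

    def _age(self, now: float) -> None:
        expired = [m for m, t in self.attackers.items() if now - t >= self.aging_time]
        for m in expired:
            del self.attackers[m]

    def handle(self, src_mac: str, now: float):
        """Process one ARP packet delivered to the CPU.

        Returns (action, log): action is "forward" or "drop"; log is None or the
        message the device would generate.
        """
        m = src_mac.lower()
        if self.mode == "disable" or m in self.protected:
            return "forward", None            # protected MACs are never inspected
        self._age(now)
        if m in self.attackers:
            if self.mode == "filter":
                return "drop", None           # subsequent packets are filtered out
            return "forward", f"ARP attack: packet from {m} (monitor mode)"
        q = self.recent[m]
        q.append(now)
        while q and now - q[0] > WINDOW:      # keep only the last 5 seconds
            q.popleft()
        if len(q) > self.threshold:
            self.attackers[m] = now           # add to the attack detection table
            q.clear()
            return "forward", (f"ARP attack: {m} sent more than {self.threshold} "
                               f"ARP packets in {WINDOW:g} s ({self.mode} mode)")
        return "forward", None


if __name__ == "__main__":
    # Constructed sample: one host bursting ARP; the router MAC is protected.
    det = SourceMacArpDetector(threshold=3, aging_time=10.0, mode="filter",
                               protected=["00e0-fc01-0000"])
    for t in (0.0, 0.5, 1.0, 1.5, 2.0, 12.5):
        print(t, det.handle("00e0-fc35-dc71", t))
    print("protected:", det.handle("00e0-fc01-0000", 2.0))
```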

ARP active acknowledgement


The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP
packets.

ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid
generating any incorrect ARP entry. For more information about its working mechanism, see ARP Attack
Protection Technology White Paper.

ARP packet source MAC address consistency check


This feature enables a gateway device to filter out ARP packets with the source MAC address in the
Ethernet header different from the sender MAC address in the ARP message. The gateway device can
thus learn correct ARP entries.

Configuring ARP detection


IMPORTANT:
To check user validity, you must configure DHCP snooping entries, or 802.1X security entries. Otherwise,
all ARP packets received from an ARP untrusted port are discarded.

1. Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page
shown in Figure 141.
Figure 141 ARP Detection configuration page

2. Configure ARP detection, as described in Table 58.


3. Click Apply.
Table 58 Configuration items

Item Description
VLAN Settings: Select VLANs on which ARP detection is to be enabled.
To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the << button.
To remove VLANs from the Enabled VLANs list box, select one or multiple VLANs from the list box and click the >> button.
Trusted Ports: Select trusted ports and untrusted ports.
To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted Ports list box and click the << button.
To remove ports from the Trusted Ports list box, select one or multiple ports from the list box and click the >> button.
ARP Packet Validity Check: Select the ARP packet validity check mode:
• Discards the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header.
• Discards the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with the destination MAC address in the Ethernet header.
• Discards the ARP request whose source IP address is all 0s, all 1s, or a multicast address. Discards the ARP reply whose source and destination IP addresses are all 0s, all 1s, or multicast addresses.
ARP packet validity check takes precedence over user validity check. If none of the ARP packet validity check modes are selected, the system does not check the validity of ARP packets.
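The three validity check modes of Table 58, plus the gratuitous ARP definition from the ARP overview (sender IP equal to target IP), as an added Python example that is not the device's code. It parses raw Ethernet/ARP frames constructed inline from the addresses in the static ARP example; the target-MAC mode is applied to replies only, an assumption made here because a request carries an unknown (all-0s) target MAC by definition.

```python
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ZERO_MAC, BCAST_MAC = b"\x00" * 6, b"\xff" * 6
ZERO_IP, BCAST_IP = b"\x00" * 4, b"\xff" * 4
OP_REQUEST, OP_REPLY = 1, 2


def mac(hp: str) -> bytes:
    """HP notation 00e0-fc01-0000 -> 6 raw bytes."""
    return bytes.fromhex(hp.replace("-", ""))


def ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Constructed frame: Ethernet header + IPv4-over-Ethernet ARP body."""
    return ETH.pack(eth_dst, eth_src, 0x0806) + ARP.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def bad_ip(addr: bytes) -> bool:
    """All 0s, all 1s, or multicast (224.0.0.0/4), as listed in Table 58."""
    return addr in (ZERO_IP, BCAST_IP) or (addr[0] & 0xF0) == 0xE0


def parse_arp(frame: bytes):
    if len(frame) < ETH.size + ARP.size:
        return None
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame)
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def validity_check(frame: bytes, src_mac=True, dst_mac=True, ip_check=True):
    """Apply the selected Table 58 modes to a frame from an untrusted port.

    Returns ("drop", reason) or ("pass", "gratuitous" | "ok").
    """
    p = parse_arp(frame)
    if p is None:
        return "drop", "malformed or not an IPv4/Ethernet ARP packet"
    if src_mac and p["sha"] != p["eth_src"]:
        return "drop", "sender MAC differs from Ethernet source MAC"
    # Assumption: the target-MAC mode applies to replies; requests carry no target MAC.
    if dst_mac and p["op"] == OP_REPLY and (
            p["tha"] in (ZERO_MAC, BCAST_MAC) or p["tha"] != p["eth_dst"]):
        return "drop", "target MAC all 0s, all 1s, or differs from Ethernet destination"
    if ip_check:
        if p["op"] == OP_REQUEST and bad_ip(p["spa"]):
            return "drop", "request sender IP all 0s, all 1s, or multicast"
        if p["op"] == OP_REPLY and (bad_ip(p["spa"]) or bad_ip(p["tpa"])):
            return "drop", "reply sender/target IP all 0s, all 1s, or multicast"
    return "pass", "gratuitous" if p["spa"] == p["tpa"] else "ok"


# Constructed sample traffic: router and AC addresses from the static ARP example,
# the host MAC borrowed from the static MAC address example, one made-up third MAC.
ROUTER_MAC, ROUTER_IP = mac("00e0-fc01-0000"), ip("192.168.1.1")
HOST_MAC, HOST_IP = mac("00e0-fc35-dc71"), ip("192.168.1.2")
OTHER_MAC = mac("0011-2233-4455")

SAMPLES = {
    "request": build_arp(BCAST_MAC, ROUTER_MAC, OP_REQUEST, ROUTER_MAC, ROUTER_IP, ZERO_MAC, HOST_IP),
    "gratuitous": build_arp(BCAST_MAC, ROUTER_MAC, OP_REQUEST, ROUTER_MAC, ROUTER_IP, ZERO_MAC, ROUTER_IP),
    "reply": build_arp(HOST_MAC, ROUTER_MAC, OP_REPLY, ROUTER_MAC, ROUTER_IP, HOST_MAC, HOST_IP),
    # Ethernet source is OTHER_MAC while the ARP body claims to be the router.
    "spoofed_sender": build_arp(BCAST_MAC, OTHER_MAC, OP_REQUEST, ROUTER_MAC, ROUTER_IP, ZERO_MAC, HOST_IP),
    "reply_zero_target": build_arp(HOST_MAC, ROUTER_MAC, OP_REPLY, ROUTER_MAC, ROUTER_IP, ZERO_MAC, HOST_IP),
    "multicast_sender": build_arp(BCAST_MAC, OTHER_MAC, OP_REQUEST, OTHER_MAC, ip("224.0.0.1"), ZERO_MAC, HOST_IP),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:18s} -> {validity_check(frame)}")
```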

Configuring other ARP attack protection functions


Other ARP attack protection functions include source MAC address-based ARP attack detection, ARP
active acknowledgement, and ARP packet source address consistency check.
1. Select Network > ARP Anti-Attack from the navigation tree.
2. Click the Advanced Configuration tab.
Figure 142 Advanced Configuration page

3. Configure ARP attack protection parameters, as described in Table 59.


4. Click Apply.

Table 59 Configuration items

Item Description
Source MAC Address Attack Detection, Detection Mode: Select the detection mode for source MAC address based ARP attack detection:
• Disable—The source MAC address attack detection is disabled.
• Filter Mode—The device generates an alarm and filters out ARP packets sourced from a MAC address if the number of matching ARP packets exceeds the specified value within 5 seconds.
• Monitor Mode—The device only generates an alarm if the number of ARP packets sent from a MAC address exceeds the specified value within 5 seconds.
Source MAC Address Attack Detection, Aging Time: Enter the aging time of the source MAC address based ARP attack detection entries.
Source MAC Address Attack Detection, Threshold: Enter the threshold of source MAC address based ARP attack detection.
Protected MAC Configuration: To add a protected MAC address:
1. Expand Protected MAC Configuration to display information, as shown in Figure 143.
2. Enter a MAC address.
3. Click Add to add a protected MAC address.
A protected MAC address is excluded from ARP attack detection even if it is an attacker. You can specify certain MAC addresses as a protected MAC address, for example, a gateway or a specific server.
Enable ARP Packet Active Acknowledgement: Enable or disable ARP packet active acknowledgement.
Enable Source MAC Address Consistency Check: Enable or disable source MAC address consistency check.

Figure 143 Protected MAC configuration

Configuring IGMP snooping

Overview
IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast
forwarding efficiency. It creates Layer 2 multicast forwarding entries from IGMP packets that are
exchanged between the hosts and the router.
As shown in Figure 144, when IGMP snooping is not enabled, the Layer 2 switch floods multicast packets
to all hosts. When IGMP snooping is enabled, the Layer 2 switch forwards multicast packets of known
multicast groups to only the receivers.
Figure 144 Multicast forwarding before and after IGMP snooping runs

For more information about IGMP snooping, see IP Multicast Configuration Guide.

Recommended configuration procedure


Step Remarks
1. Enabling IGMP snooping globally: Required. By default, IGMP snooping is disabled.
2. Configuring IGMP snooping on a VLAN: Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature. By default, IGMP snooping is disabled in a VLAN.
IMPORTANT:
• IGMP snooping must be enabled globally before it can be enabled in a VLAN.
• After enabling IGMP snooping in a VLAN, do not enable IGMP or PIM on the corresponding VLAN interface, and vice versa.
• When you enable IGMP snooping in a VLAN, this function takes effect for ports in this VLAN only.
3. Configuring IGMP snooping on a port: Optional. Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN.
IMPORTANT:
• Multicast routing or IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port.
• IGMP snooping configured on a port takes effect only after IGMP snooping is enabled in the VLAN or IGMP is enabled on the VLAN interface.
4. Displaying IGMP snooping multicast entry information: Optional.

Enabling IGMP snooping globally


1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page,
as shown in Figure 145.
2. Select Enable, and click Apply.

Figure 145 Basic IGMP snooping configurations

Configuring IGMP snooping on a VLAN


1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 145.
2. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP
snooping in the VLAN, as shown in Figure 146.

Figure 146 Configuring IGMP snooping in the VLAN

3. Configure IGMP snooping, as described in Table 60.


4. Click Apply.
Table 60 Configuration items

Item Description
VLAN ID
  This field displays the ID of the VLAN to be configured.
IGMP snooping
  Enable or disable IGMP snooping in the VLAN.
  You can proceed with the subsequent configurations only if Enable is selected.
Version
  By configuring an IGMP snooping version, you configure the versions of IGMP messages that IGMP snooping can process.
  • IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages, but not IGMPv3 messages, which will be flooded in the VLAN.
  • IGMP snooping version 3 can process IGMPv1, IGMPv2, and IGMPv3 messages.
  IMPORTANT:
  If you change IGMPv3 snooping to IGMPv2 snooping, the system clears all IGMP snooping forwarding entries that are dynamically added.
Drop Unknown
  Enable or disable the function of dropping unknown multicast packets.
  Unknown multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table.
  • With the function of dropping unknown multicast data enabled, the device drops all the received unknown multicast data.
  • With the function of dropping unknown multicast data disabled, the device floods unknown multicast data in the VLAN to which the unknown multicast data belong.
Querier
  Enable or disable the IGMP snooping querier function.
  On an IP multicast network that runs IGMP, a Layer 3 device acts as an IGMP querier. It sends IGMP queries, and establishes and maintains multicast forwarding entries for correct multicast traffic forwarding at the network layer.
  On a network without Layer 3 multicast devices, no IGMP querier-related function can be implemented because a Layer 2 device does not support IGMP. To implement the IGMP querier-related function, you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at the data link layer.
Query interval
  Configure the IGMP query interval.
General Query Source IP
  Source IP address of IGMP general queries.
Special Query Source IP
  Source IP address of IGMP group-specific queries.

Configuring IGMP snooping on a port


1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the Advance tab.
Figure 147 Advanced configuration

3. Configure IGMP snooping on a port, as described in Table 61.


4. Click Apply.

Table 61 Configuration items

Item Description
Port
  Select the port on which advanced IGMP snooping features are to be configured.
  After a port is selected, advanced features configured on this port are displayed at the lower part of the page.
VLAN ID
  Specify a VLAN in which you can configure the fast leave function for the port or the maximum number of multicast groups allowed on the port.
Group Limit
  Configure the maximum number of multicast groups that the port can join.
  With this feature, you can regulate multicast traffic on the port.
  IMPORTANT:
  When the number of multicast groups a port has joined reaches the configured threshold, the system deletes all the forwarding entries persistent on that port from the IGMP snooping forwarding table. The hosts on the port must join the multicast groups again.
  Support for the group limit depends on the device model. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products."
Fast Leave
  Enable or disable the fast leave function for the port.
  With fast-leave enabled on a port, the device, when receiving an IGMP leave message on the port, immediately deletes that port from the outgoing port list of the corresponding forwarding entry. Then, when receiving IGMP group-specific queries for that multicast group, the device will not forward them to that port.
  You can enable IGMP snooping fast-leave processing on a port that has only one receiver host attached to save bandwidth and resources. You should not enable IGMP snooping fast-leave processing on a port if the following conditions exist:
  • The port has multiple hosts attached.
  • The function of dropping unknown multicast packets has been enabled on the switch or in the VLAN where the port resides.
  Otherwise, other hosts attached to this port in the same multicast group cannot receive the multicast data for the group.
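The behaviour that Table 60 (Drop Unknown) and Table 61 (Group Limit, Fast Leave) describe can be modelled as a small Layer 2 forwarding table driven by IGMP reports and leaves. The following Python model is an added example, not HP code: the port names, VLAN and group addresses are constructed, and the model assumes that a report arriving on a port that has already reached its group limit is itself not installed when the port's entries are cleared.

```python
"""Model of the IGMP snooping forwarding table behaviour in Tables 60 and 61
(added example, not HP code; ports and groups below are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PortConfig:
    fast_leave: bool = False           # Table 61 "Fast Leave"
    group_limit: Optional[int] = None  # Table 61 "Group Limit" (None = no limit)


@dataclass
class VlanConfig:
    drop_unknown: bool = False         # Table 60 "Drop Unknown"
    ports: Set[str] = field(default_factory=set)
    router_ports: Set[str] = field(default_factory=set)


class IgmpSnoopingSwitch:
    def __init__(self) -> None:
        self.vlans: Dict[int, VlanConfig] = {}
        self.ports: Dict[str, PortConfig] = {}
        # Layer 2 forwarding entries: (VLAN, group) -> member ports
        self.entries: Dict[Tuple[int, str], Set[str]] = {}
        self.events: List[str] = []

    def port_cfg(self, port: str) -> PortConfig:
        return self.ports.setdefault(port, PortConfig())

    def groups_on_port(self, vlan: int, port: str) -> Set[str]:
        return {g for (v, g), m in self.entries.items() if v == vlan and port in m}

    def _remove_member(self, vlan: int, group: str, port: str) -> None:
        members = self.entries.get((vlan, group), set())
        members.discard(port)
        if not members:
            self.entries.pop((vlan, group), None)

    def report(self, vlan: int, port: str, group: str) -> None:
        """IGMP membership report received on the port: add it to the entry."""
        joined = self.groups_on_port(vlan, port)
        if group in joined:
            return
        limit = self.port_cfg(port).group_limit
        if limit is not None and len(joined) >= limit:
            # Table 61: when the limit is reached, all entries on the port are
            # deleted and the hosts must join again. Modelling assumption: the
            # report that would exceed the limit is not installed either.
            for g in list(joined):
                self._remove_member(vlan, g, port)
            self.events.append(f"{port}: group limit {limit} reached, entries cleared")
            return
        self.entries.setdefault((vlan, group), set()).add(port)

    def leave(self, vlan: int, port: str, group: str) -> bool:
        """IGMP leave received. Returns True if the port was removed at once."""
        if port not in self.entries.get((vlan, group), set()):
            return False
        if self.port_cfg(port).fast_leave:
            self._remove_member(vlan, group, port)  # no group-specific query
            return True
        # Normal leave: a group-specific query is sent and the port stays in the
        # entry until no report arrives before the timeout (query_timeout()).
        self.events.append(f"{port}: group-specific query for {group}")
        return False

    def query_timeout(self, vlan: int, port: str, group: str, report_seen: bool) -> None:
        """Outcome of the group-specific query triggered by a normal leave."""
        if not report_seen:
            self._remove_member(vlan, group, port)

    def forward(self, vlan: int, group: str, ingress: str) -> Set[str]:
        """Ports out of which multicast data for `group` is sent."""
        cfg = self.vlans[vlan]
        members = self.entries.get((vlan, group))
        if members is None:  # unknown multicast data: drop or flood in the VLAN
            return set() if cfg.drop_unknown else cfg.ports - {ingress}
        return (members | cfg.router_ports) - {ingress}


def demo() -> dict:
    """Constructed scenario: VLAN 100 with three host ports and one router port."""
    sw = IgmpSnoopingSwitch()
    sw.vlans[100] = VlanConfig(ports={"p1", "p2", "p3", "uplink"}, router_ports={"uplink"})
    sw.port_cfg("p1").fast_leave = True
    sw.port_cfg("p3").group_limit = 2
    out = {}
    sw.report(100, "p1", "224.1.1.1")
    sw.report(100, "p2", "224.1.1.1")
    out["known"] = sw.forward(100, "224.1.1.1", "uplink")
    out["flooded"] = sw.forward(100, "224.2.2.2", "uplink")
    sw.vlans[100].drop_unknown = True
    out["dropped"] = sw.forward(100, "224.2.2.2", "uplink")
    out["fast"] = sw.leave(100, "p1", "224.1.1.1")
    out["slow"] = sw.leave(100, "p2", "224.1.1.1")
    out["still_member"] = sw.forward(100, "224.1.1.1", "uplink")
    sw.query_timeout(100, "p2", "224.1.1.1", report_seen=False)
    out["after_timeout"] = sw.forward(100, "224.1.1.1", "uplink")
    for g in ("224.3.3.1", "224.3.3.2", "224.3.3.3"):
        sw.report(100, "p3", g)
    out["p3_groups"] = sw.groups_on_port(100, "p3")
    return out
```

The `demo()` run shows the two trade-offs the tables warn about: with Drop Unknown enabled, a group whose last member has left (or whose port entries were cleared by the group limit) receives nothing until a host joins again, and a fast-leave port is cut off immediately even if other hosts on it still want the group.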

Displaying IGMP snooping multicast entry information

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 145.
2. Click the plus sign (+) in front of Show Entries to display IGMP snooping multicast entries, as shown
in Figure 148.

Figure 148 Displaying entry information

3. Click the icon corresponding to an entry to display the detailed information of the entry, as
shown in Figure 149.
Figure 149 Detailed information of an entry

Table 62 Field description

Field Description
VLAN ID ID of the VLAN to which the entry belongs.

Source Multicast source address, where 0.0.0.0 indicates all multicast sources.

Group Multicast group address.

Router port All router ports.

Member port All member ports.

IGMP snooping configuration example


Network requirements
As shown in Figure 150:
• The switch is installed with the HP 11900/10500/7500 20G Unified Wired-WLAN module to act
as the AC.
• The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast
group.
• IGMPv2 runs on Router A and IGMPv2 snooping runs on AC. Router A acts as the IGMP querier.
Perform the configuration so Host A can receive the multicast data addressed to the multicast group
224.1.1.1, and AC drops unknown multicast data instead of flooding it in the VLAN.

Figure 150 Network diagram

Configuring Router A
Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1.
(Details not shown.)

Configuring the AC
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the VLAN displaying page.
b. Click Add.
c. Enter the VLAN ID 100.
d. Click Apply.
Figure 151 Creating VLAN 100

2. Configure Ten-GigabitEthernet 1/0/1 as an untagged member of VLAN 100:


a. Click the icon of VLAN 100 to enter its configuration page.
b. Select the Untagged Member option for Ten-GigabitEthernet 1/0/1, as shown in Figure 152.
c. Click Apply.

Figure 152 Adding a port to the VLAN

3. Enable IGMP snooping globally:


a. Select Network > IGMP snooping from the navigation tree to enter the basic configuration
page.
b. Select the Enable option for IGMP Snooping.
c. Click Apply.
Figure 153 Enabling IGMP snooping globally

4. Enable IGMP snooping and the function for dropping unknown multicast data on VLAN 100:
a. Click the icon corresponding to VLAN 100.
b. On the page that appears, select the Enable option for IGMP Snooping, select the 2 option for
Version, and select the Enable option for Drop Unknown.
c. Click Apply.

Figure 154 Configuring the VLAN

Configuring the switch


Configure GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 as the untagged members of VLAN 100.
(Details not shown.)

Verifying the configuration


Display the IGMP snooping multicast entry information on AC.
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the plus sign (+) in front of Show Entries to view IGMP snooping multicast entries, as shown
in Figure 155.
Figure 155 IGMP snooping multicast entry information displaying page

3. Click the icon corresponding to the multicast entry to view information about this entry, as
shown in Figure 156.
The page shows that Ten-GigabitEthernet 1/0/2 of AC is added to multicast group 224.1.1.1.

Figure 156 Information about an IGMP snooping multicast entry

Configuring IPv4 and IPv6 routing

The term router in this document refers to routers, access controllers, unified switches, and access
controller modules.

Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it forwards the
packet to the destination host. Routing provides the path information that guides the forwarding of
packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
Static routes are manually configured. If a network's topology is simple, you only need to configure static
routes for the network to work correctly. Static routes cannot adapt to network topology changes. If a fault
or a topological change occurs in the network, the network administrator must modify the static routes
manually.
For more information about routing table and static routing, see Layer 3 Configuration Guide.

Configuration guidelines
When you configure a static route, follow these guidelines:
• If you do not specify the preference when you configure a static route, the default preference is used.
Reconfiguration of the default preference applies only to newly created static routes. The Web
interface does not support configuration of the default preference.
• Do not configure the next hop address of a static route as the IP address of a local interface, such
as an Ethernet interface or VLAN interface. Otherwise, the static route does not take effect.
• When specifying the output interface, follow these guidelines:
  ◦ If NULL 0 or a loopback interface is specified as the output interface, you do not need to configure the next hop address.
  ◦ If a point-to-point interface is specified as the output interface, you do not need to specify the next hop or change the configuration after the peer address has changed. For example, a PPP interface obtains the peer's IP address through PPP negotiation, and you only need to specify it as the output interface.
  ◦ A broadcast interface (such as an Ethernet interface, virtual template, or VLAN interface) might have multiple next hops. If you want to specify a broadcast interface as the output interface, you must specify the next hop at the same time.

Displaying the IPv4 active route table


Select Network > IPv4 Routing from the navigation tree to enter the page shown in Figure 157.

Figure 157 IPv4 active route table

Table 63 Field description

Field Description
Destination IP Address / Mask
  Destination IP address and subnet mask of the IPv4 route.
Protocol
  Protocol that discovered the IPv4 route.
Preference
  Preference value for the IPv4 route. The smaller the number, the higher the preference.
Next Hop
  Next hop IP address of the IPv4 route.
Interface
  Outgoing interface of the IPv4 route. Packets destined for the specified network segment will be sent out of the interface.

Creating an IPv4 static route


1. Select Network > IPv4 Routing from the navigation tree.
2. Click the Create tab.

Figure 158 Creating an IPv4 static route

3. Specify relevant information, as described in Table 64.


4. Click Apply.
Table 64 Configuration items

Item Description
Destination IP Address
  Enter the destination host or network IP address, in dotted decimal notation.
Mask
  Enter the mask of the destination IP address.
  You can enter a mask length or a mask in dotted decimal notation.
Preference
  Set a preference value for the static route. The smaller the number, the higher the preference.
  For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.
Next Hop
  Enter the next hop IP address in dotted decimal notation.
Interface
  Select the outgoing interface.
  You can select any available Layer 3 interface of the device, for example, a virtual interface. If you select NULL 0, the destination IP address is unreachable. If you select this option, leave the Next Hop field blank. Otherwise, your configuration does not take effect.
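The route selection that Table 64 and the configuration guidelines describe (longest prefix match, then lowest preference; equal preferences share load, a worse preference acts as backup; NULL 0 needs no next hop; a next hop must not be a local address) is shown in the following Python model. It is an added example, not HP code. The prefixes and next hops are taken from the IPv4 and IPv6 configuration examples later in this chapter; the default preference value, the interface names, Switch B's own addresses (inferred from the next hops that Switch A and the AC use) and the extra 1.1.5.7 hop are assumptions. The model handles both IPv4 and IPv6 prefixes, so it also covers Table 66.

```python
"""Static route selection from Tables 64 and 66: longest prefix match first,
then the lowest preference; equal preferences share load, a worse preference
is a backup. Added example, not HP code; see the lead-in for what is assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_PREFERENCE = 60  # assumed device default; the page does not give the value


@dataclass(frozen=True)
class StaticRoute:
    destination: str                  # "1.1.2.0/24", "0.0.0.0/0", "3::/64", "::/0"
    next_hop: Optional[str] = None
    interface: Optional[str] = None   # "NULL0", "LoopBack0", "Vlan-interface5", ...
    preference: int = DEFAULT_PREFERENCE

    def network(self):
        return ipaddress.ip_network(self.destination, strict=False)


class RoutingTable:
    def __init__(self, local_addresses=()):
        self.local = {ipaddress.ip_address(a) for a in local_addresses}
        self.routes: List[StaticRoute] = []

    def add(self, route: StaticRoute) -> None:
        """Enforce the configuration guidelines before installing a route."""
        iface = route.interface or ""
        no_hop_needed = iface == "NULL0" or iface.startswith("LoopBack")
        if iface == "NULL0" and route.next_hop is not None:
            raise ValueError("leave Next Hop blank for a NULL 0 route")
        if not no_hop_needed and route.next_hop is None:
            raise ValueError("a broadcast interface needs a next hop")
        if route.next_hop is not None and ipaddress.ip_address(route.next_hop) in self.local:
            raise ValueError("next hop must not be a local interface address")
        self.routes.append(route)

    def remove(self, route: StaticRoute) -> None:
        self.routes.remove(route)

    def active(self) -> Dict[str, List[StaticRoute]]:
        """Active route table: per destination, only the best-preference routes."""
        best: Dict[str, List[StaticRoute]] = {}
        for r in self.routes:
            key = str(r.network())
            cur = best.get(key)
            if cur is None or r.preference < cur[0].preference:
                best[key] = [r]            # first route, or a better preference, wins
            elif r.preference == cur[0].preference:
                cur.append(r)              # equal preference: load sharing
        return best

    def lookup(self, address: str) -> List[StaticRoute]:
        """Longest-prefix match among active routes of the same address family."""
        addr = ipaddress.ip_address(address)
        hits = [rs for rs in self.active().values()
                if rs[0].network().version == addr.version and addr in rs[0].network()]
        if not hits:
            return []
        return max(hits, key=lambda rs: rs[0].network().prefixlen)


def demo() -> dict:
    """Switch B and the AC from the chapter's examples; see lead-in for assumptions."""
    out = {}
    switch_b = RoutingTable(local_addresses=["1.1.4.2", "1.1.5.5"])
    to_a = StaticRoute("1.1.2.0/24", next_hop="1.1.4.1", interface="Vlan-interface4")
    to_ac = StaticRoute("1.1.3.0/24", next_hop="1.1.5.6", interface="Vlan-interface5")
    backup = StaticRoute("1.1.3.0/24", next_hop="1.1.4.1", interface="Vlan-interface4",
                         preference=100)  # constructed worse-preference backup
    for r in (to_a, to_ac, backup):
        switch_b.add(r)
    out["host_b_primary"] = [r.next_hop for r in switch_b.lookup("1.1.3.2")]
    switch_b.remove(to_ac)                 # primary path withdrawn: backup takes over
    out["host_b_backup"] = [r.next_hop for r in switch_b.lookup("1.1.3.2")]
    switch_b.add(to_ac)
    switch_b.add(StaticRoute("1.1.3.0/24", next_hop="1.1.5.7", interface="Vlan-interface5"))
    out["load_share"] = sorted(r.next_hop for r in switch_b.lookup("1.1.3.2"))
    ac = RoutingTable(local_addresses=["1.1.5.6", "5::1"])
    ac.add(StaticRoute("0.0.0.0/0", next_hop="1.1.5.5", interface="Vlan-interface5"))
    ac.add(StaticRoute("::/0", next_hop="5::2", interface="Vlan-interface5"))
    out["ac_v4"] = ac.lookup("1.1.2.1")[0].next_hop
    out["ac_v6"] = ac.lookup("1::1")[0].next_hop
    try:
        ac.add(StaticRoute("10.0.0.0/8", next_hop="1.1.5.6", interface="Vlan-interface5"))
        out["local_hop_rejected"] = False
    except ValueError:
        out["local_hop_rejected"] = True
    ac.add(StaticRoute("192.168.0.0/16", interface="NULL0"))   # unreachable, no next hop
    out["blackhole"] = ac.lookup("192.168.1.1")[0].interface
    return out
```

The NULL 0 route at the end is the usual way to make a prefix unreachable on purpose: it is more specific than the default route, so it wins the longest-prefix match and traffic for that prefix is discarded instead of following the default route.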

Displaying the IPv6 active route table


Select Network > IPv6 Routing from the navigation tree to enter the page shown in Figure 159.

Figure 159 Displaying the IPv6 active route table

Table 65 Field description

Field Description
Destination IP Address / Prefix Length
  Destination IP address and prefix length of the IPv6 route.
Protocol
  Protocol that discovered the IPv6 route.
Preference
  Preference value for the IPv6 route. The smaller the number, the higher the preference.
Next Hop
  Next hop IP address of the IPv6 route.
Interface
  Outgoing interface of the IPv6 route. Packets destined for the specified network segment will be sent out the interface.

Creating an IPv6 static route


1. Select Network > IPv6 Routing from the navigation tree.
2. Click the Create tab.

Figure 160 Creating an IPv6 static route

3. Specify relevant information, as described in Table 66.


4. Click Apply.
Table 66 Configuration items

Item Description
Destination IP Address
  Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:). Each part is represented by a 4-digit hexadecimal integer.
Prefix Length
  Enter the prefix length of the destination IPv6 address.
Preference
  Set a preference value for the static route. The smaller the number, the higher the preference.
  For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences for them enables route backup.
Next Hop
  Enter the next hop address, in the same format as the destination IP address.
Interface
  Select the outgoing interface.
  You can select any available Layer 3 interface of the device, for example, a virtual interface. If you select NULL 0, the destination IPv6 address is unreachable.

IPv4 and IPv6 static route configuration examples


IPv4 static route configuration example
Network requirements
The IP addresses of devices are shown in Figure 161. IPv4 static routes must be configured on Switch A,
Switch B and AC for Host A and Host B to communicate with each other.

Figure 161 Network diagram

Configuration outlines
1. On Switch A, configure a default route with Switch B as the next hop.
2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3. On AC, configure a default route with Switch B as the next hop.

Configuration procedure
1. Configure a default route with the next hop address 1.1.4.2 on Switch A.
2. Configure two static routes on Switch B: one with destination address 1.1.2.0/24 and next hop
address 1.1.4.1, and the other with destination address 1.1.3.0/24 and next hop address
1.1.5.6.
3. Configure a default route on AC:
a. Select Network > IPv4 Routing from the navigation tree.
b. Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 162.
c. Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.5.5 for Next Hop.
d. Click Apply.
Figure 162 Configuring a default route

Verifying the configuration
1. Display the route table:
Enter the IPv4 route page of Switch A, Switch B, and AC, respectively, to verify that the newly
configured static routes are displayed as active routes on the page.
2. Ping Host B from Host A (assuming both hosts run Windows XP):
C:\Documents and Settings\Administrator>ping 1.1.3.2

Pinging 1.1.3.2 with 32 bytes of data:

Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128

Ping statistics for 1.1.3.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

IPv6 static route configuration example


Network requirements
The IP addresses of devices are shown in Figure 163. IPv6 static routes must be configured on Switch A,
Switch B and AC for Host A and Host B to communicate with each other.
Figure 163 Network diagram

Configuration outlines
1. On Switch A, configure a default route with Switch B as the next hop.
2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3. On AC, configure a default route with Switch B as the next hop.

Configuration procedure
1. Configure a default route with the next hop address 4::2 on Switch A.
2. Configure two static routes on Switch B: one with destination address 1::/64 and next hop
address 4::1, and the other with destination address 3::/64 and next hop address 5::1.
3. Configure a default route on AC:

a. Select Network > IPv6 Routing from the navigation tree.
b. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 164.
c. Enter :: for Destination IP Address, select 0 for Prefix Length, and enter 5::2 for Next Hop.
d. Click Apply.
Figure 164 Configuring a default route

Verifying the configuration


1. Display the route table:
Enter the IPv6 route page of Switch A, Switch B, and AC, respectively, to verify that the newly
configured static routes are displayed as active routes on the page.
2. Ping Host B from Switch A:
<SwitchA> system-view
[SwitchA] ping ipv6 3::2
PING 3::2 : 56 data bytes, press CTRL_C to break
Reply from 3::2
bytes=56 Sequence=1 hop limit=254 time = 63 ms
Reply from 3::2
bytes=56 Sequence=2 hop limit=254 time = 62 ms
Reply from 3::2
bytes=56 Sequence=3 hop limit=254 time = 62 ms
Reply from 3::2
bytes=56 Sequence=4 hop limit=254 time = 63 ms
Reply from 3::2
bytes=56 Sequence=5 hop limit=254 time = 63 ms

--- 3::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms

Configuring DHCP

DHCP overview
After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and
other configuration parameters from the DHCP server. This facilitates configuration and centralized
management. For more information about the DHCP client configuration, see "Managing interfaces."
For more information about DHCP, see Layer 3 Configuration Guide.
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
DHCP uses the client/server model. Figure 165 shows a typical DHCP application.
Figure 165 A typical DHCP application

A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet through a DHCP relay agent.
Figure 166 DHCP relay agent application

DHCP snooping overview
IMPORTANT:
The DHCP snooping-enabled device must be between the DHCP client and relay agent, or between the
DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.

As a DHCP security feature, DHCP snooping can implement the following functionality:
• Records IP-to-MAC mappings of DHCP clients.
• Ensures that DHCP clients obtain IP addresses from authorized DHCP servers.

Recording IP-to-MAC mappings of DHCP clients


DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record
DHCP snooping entries. The entries contain the following information: MAC addresses of clients, IP
addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports
belong. ARP uses DHCP snooping entries to perform ARP detection (user validity check).
For more information about ARP detection, see "Configuring ARP attack protection."

Enabling DHCP clients to obtain IP addresses from authorized DHCP servers
If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and
network configuration parameters, and cannot correctly communicate with other network devices. With
DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients
obtain IP addresses from authorized DHCP servers.
• Trusted—A trusted port forwards DHCP messages correctly.
• Untrusted—An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from
any DHCP server.
Configure ports connected to a DHCP server or another DHCP snooping device as trusted ports and
configure other ports as untrusted ports.
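The two DHCP snooping functions described above (discarding server replies on untrusted ports, and building IP-to-MAC entries from DHCP-REQUEST/DHCP-ACK pairs that ARP detection then consults) can be expressed as a small filter. The following Python model is an added example, not HP code; the messages, port names and addresses are constructed, and `arp_is_valid()` is a simplified stand-in for the ARP detection check described in "Configuring ARP attack protection."

```python
"""DHCP snooping as described above: server replies are accepted only on trusted
ports, and DHCP-REQUEST/DHCP-ACK pairs build the IP-to-MAC binding table that ARP
detection consults. Added example, not HP code; messages, ports and addresses
are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class DhcpMessage:
    kind: str                       # DHCPDISCOVER, DHCPREQUEST, DHCPOFFER, DHCPACK, ...
    client_mac: str                 # chaddr
    yiaddr: Optional[str] = None    # address the server hands out (OFFER/ACK)
    server_ip: Optional[str] = None


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int


class DhcpSnooping:
    def __init__(self, trusted_ports) -> None:
        self.trusted = set(trusted_ports)
        self.bindings: Dict[str, Binding] = {}           # client MAC -> entry
        self.pending: Dict[str, Tuple[str, int]] = {}    # client MAC -> (port, VLAN)
        self.dropped: List[str] = []

    def receive(self, msg: DhcpMessage, port: str, vlan: int) -> bool:
        """Return True if the message is forwarded, False if it is discarded."""
        if msg.kind in SERVER_MESSAGES:
            if port not in self.trusted:
                # Untrusted port: OFFER/ACK/NAK are discarded, so a server sitting
                # behind a client port cannot assign addresses to clients.
                self.dropped.append(f"{msg.kind} from {msg.server_ip} on untrusted {port}")
                return False
            if msg.kind == "DHCPACK" and msg.yiaddr and msg.client_mac in self.pending:
                cport, cvlan = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = Binding(msg.client_mac, msg.yiaddr, cport, cvlan)
            return True
        if msg.kind == "DHCPREQUEST":
            # Remember the client's port and VLAN; the entry is completed by the
            # DHCPACK that arrives on a trusted port.
            self.pending[msg.client_mac] = (port, vlan)
        return True

    def arp_is_valid(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """ARP detection (user validity check) against the snooping entries."""
        b = self.bindings.get(sender_mac)
        return b is not None and (b.ip, b.port, b.vlan) == (sender_ip, port, vlan)


def demo() -> dict:
    """Constructed exchange: client on gi1, a second host on gi2, server via uplink."""
    snoop = DhcpSnooping(trusted_ports={"uplink"})
    mac = "00:00:5e:00:53:01"
    out = {}
    out["request_forwarded"] = snoop.receive(DhcpMessage("DHCPREQUEST", mac), "gi1", 10)
    stray = DhcpMessage("DHCPOFFER", mac, yiaddr="10.9.9.9", server_ip="10.9.9.1")
    out["untrusted_offer_forwarded"] = snoop.receive(stray, "gi2", 10)
    ack = DhcpMessage("DHCPACK", mac, yiaddr="10.1.1.20", server_ip="10.1.1.1")
    out["ack_forwarded"] = snoop.receive(ack, "uplink", 10)
    out["binding"] = snoop.bindings[mac]
    out["arp_ok"] = snoop.arp_is_valid("gi1", 10, mac, "10.1.1.20")
    out["arp_mismatch"] = snoop.arp_is_valid("gi1", 10, mac, "10.1.1.21")
    out["dropped"] = list(snoop.dropped)
    return out
```

Note the placement requirement from the IMPORTANT box above: the model only sees the ACK on its trusted uplink because the snooping device sits between the client and the server (or relay agent); between a relay agent and the server there is no client port to bind to.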

Recommended configuration procedure (for DHCP server)
Step Remarks
1. Enabling DHCP
  Required.
  Enable DHCP globally.
  By default, global DHCP is disabled.
2. Creating an address pool for the DHCP server
   Creating a static address pool for the DHCP server
   Creating a dynamic address pool for the DHCP server
  Required.
  Use at least one method.
  IMPORTANT:
  • If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the same network segment as the DHCP server-enabled interface. Otherwise, the clients will fail to obtain IP addresses.
  • If a DHCP client obtains an IP address via a DHCP relay agent, an IP address pool on the same network segment as the DHCP relay agent interface must be configured. Otherwise, the client will fail to obtain an IP address.
3. Enabling the DHCP server on an interface
  Optional.
  When receiving a client's request on an interface with the DHCP server enabled, the DHCP server will assign an IP address from its address pool to the DHCP client.
  With DHCP enabled, interfaces operate in DHCP server mode.
  IMPORTANT:
  • An interface cannot serve as both the DHCP server and the DHCP relay agent. The most recent configuration takes effect.
  • The DHCP server works only on interfaces with manually configured IP addresses.
4. Displaying information about assigned IP addresses
  Optional.

Enabling DHCP
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 167.
2. Select the Enable option on the upper part of the page to enable DHCP globally.

Figure 167 Enabling DHCP

Creating a static address pool for the DHCP server


1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 167.
2. Select the Static option in the Address Pool field to view all static address pools.
3. Click Add.

Figure 168 Creating a static address pool

4. Configure the static address pool, as described in Table 67.


5. Click Apply.
Table 67 Configuration items

Item Description
IP Pool Name
  Enter the name of a static address pool.
IP Address / Mask
  Enter an IP address and select a subnet mask for the static address pool.
  The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly.
  You can enter a mask length or a mask in dotted decimal notation.
Client MAC Address / Client ID
  Configure the client MAC address or the client ID for the static address pool.
  IMPORTANT:
  The client ID must be identical to the ID of the client to be bound. Otherwise, the client cannot obtain an IP address.
Client Domain Name
  Enter the domain name suffix for the client.
  With the suffix assigned, the client only needs to enter part of a domain name, and the system adds the domain name suffix for name resolution.
Gateway Address
  Enter the gateway addresses for the client.
  A DHCP client that wants to access an external host needs to send requests to a gateway. You can specify gateways in each address pool and the DHCP server will assign gateway addresses while assigning an IP address to the client.
  Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address
  Enter the DNS server addresses for the client.
  To allow the client to access a host on the Internet through DNS, you need to specify a DNS server address.
  Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address
  Enter the WINS server addresses for the client.
  If b-node is specified for the client, you do not need to specify any WINS server address.
  Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type
  Select the NetBIOS node type for the client.

Creating a dynamic address pool for the DHCP server


1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 167.
2. Select the Dynamic option in the Address Pool field to view all dynamic address pools.
3. Click Add.
Figure 169 Creating a dynamic address pool

4. Configure the dynamic address pool, as described in Table 68.


5. Click Apply.
Table 68 Configuration items

Item Description
IP Pool Name
  Enter the name of a dynamic address pool.
IP Address / Mask
  Enter an IP address segment for dynamic allocation.
  To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic allocation.
  You can enter a mask length or a mask in dotted decimal notation.
Lease Duration
  Configure the address lease duration for the address pool, either Unlimited or a duration in days/hours/minutes/seconds. Unlimited indicates the infinite duration.
Client Domain Name
  Enter the domain name suffix for the client.
  With the suffix assigned, the client only needs to enter part of a domain name, and the system will add the domain name suffix for name resolution.
Gateway Address
  Enter the gateway addresses for the client.
  DHCP clients that want to access hosts outside the local subnet request gateways to forward data. You can specify gateways in each address pool for clients and the DHCP server will assign gateway addresses while assigning an IP address to the client.
  Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address
  Enter the DNS server addresses for the client.
  To allow the client to access a host on the Internet via the host name, you need to specify DNS server addresses.
  Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address
  Enter the WINS server addresses for the client.
  If b-node is specified for the client, you do not need to specify any WINS server address.
  Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type
  Select the NetBIOS node type for the client.

Enabling the DHCP server on an interface


1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 167.
2. Click the icon next to a specific interface to enter the page shown in Figure 170.
3. Select the Enable option for DHCP Server.
4. Click Apply.

Figure 170 Configuring a DHCP server interface

Displaying information about assigned IP addresses


1. Select Network > DHCP > DHCP Server from the navigation tree to enter the page, as shown
in Figure 167.
2. Click Addresses in Use in the Address In Use field on the lowest part of the page to view
information about the IP address assigned from the address pool.
Figure 171 Displaying addresses in use

Table 69 Field description

Field Description
IP Address Assigned IP address.

Client MAC Address/Client ID Client MAC address or client ID bound to the IP address.

Pool Name Name of the DHCP address pool where the IP address belongs.

Lease Expiration Lease time of the IP address.

Recommended configuration procedure (for DHCP
relay agent)
Step Remarks
1. Enabling DHCP and configuring advanced parameters for the DHCP relay agent
  Required.
  Enable DHCP globally and configure advanced DHCP parameters.
  By default, global DHCP is disabled.
2. Creating a DHCP server group
  Required.
  To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives requesting messages from clients, the relay agent will forward them to all the DHCP servers of the group.
3. Enabling the DHCP relay agent on an interface
  Required.
  Enable the DHCP relay agent on an interface, and correlate the interface with a DHCP server group.
  With DHCP enabled, interfaces work in the DHCP server mode by default.
  IMPORTANT:
  • An interface cannot serve as both the DHCP server and the DHCP relay agent. The most recent configuration takes effect.
  • If the DHCP relay agent is enabled on an Ethernet subinterface, a packet received from a client on this interface must contain a VLAN tag. The VLAN tag must be the same as the VLAN ID of the subinterface. Otherwise, the packet is discarded.
  • The DHCP relay agent works only on interfaces with manually configured IP addresses.
  • If an Ethernet subinterface serves as a DHCP relay agent, it conveys IP addresses only to subinterfaces of DHCP clients. In this case, a PC cannot obtain an IP address as a DHCP client.
4. Configuring and displaying clients' IP-to-MAC bindings
  Optional.
  Create a static IP-to-MAC binding, and view static and dynamic bindings.
  The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings. You can manually configure IP-to-MAC bindings on the DHCP relay agent so that users can access external networks using fixed IP addresses.
  By default, no static binding is created.

Enabling DHCP and configuring advanced parameters for the
DHCP relay agent
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab.
Figure 172 DHCP relay agent configuration page

3. Select the Enable option for DHCP Service.


4. Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration
field, as shown in Figure 173.

Figure 173 Advanced DHCP relay agent configuration field

5. Configure the advanced DHCP relay agent parameters, as described in Table 70.
6. Click Apply. You must also click Apply for enabling the DHCP service.
Table 70 Configuration items

Unauthorized Server Detect: Enable or disable unauthorized DHCP server detection.
There are unauthorized DHCP servers on networks, which reply to DHCP clients with incorrect IP addresses.
When this feature is enabled, the DHCP relay agent records the following information:
• IP address of any DHCP server that assigned an IP address to the DHCP client.
• Interfaces through which the DHCP relay agent receives DHCP requests.
The administrator can use this information to monitor unauthorized DHCP servers and perform subsequent actions. The device creates a record once for each DHCP server so that the administrator can determine which DHCP servers are unauthorized. After the information of recorded DHCP servers is cleared, the relay agent records server information again.

Dynamic Bindings Refresh, Track Timer Interval: Enable or disable periodic refresh of dynamic client entries, and set the refresh interval.
Through the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server to relinquish its IP address. The DHCP relay agent conveys the message to the DHCP server, but does not remove the IP address from dynamic client entries. To solve this problem, use the periodic refresh of dynamic client entries feature.
When this feature is enabled, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay agent interface to periodically send a DHCP-REQUEST message to the DHCP server.
• If the server returns a DHCP-ACK message or does not return any message within a specified interval, which means that the IP address is assignable, the DHCP relay agent ages out the client entry.
• If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent does not age it out.
If the Auto option is selected, the refresh interval is calculated by the relay agent according to the number of client entries.
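The two relay agent features in Table 70 can be modelled offline. The following Python is an added example and not HP's code: part 1 mirrors Unauthorized Server Detect by recording each answering DHCP server once, together with the interface on which the client's request arrived, and comparing the records with an operator-kept list of authorized servers; part 2 mirrors Dynamic Bindings Refresh by re-sending a DHCP-REQUEST for each dynamic entry and ageing the entry out on DHCP-ACK or on no answer while keeping it on DHCP-NAK. The server addresses, interface names, MACs and message lists are constructed sample data.

```python
"""Added example (not HP's code): a model of Unauthorized Server Detect and
Dynamic Bindings Refresh on a DHCP relay agent.  All addresses, interface
names and messages below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class RelayedReply:
    """A DHCP-OFFER/ACK/NAK that the relay forwards back towards a client."""
    server_ip: str      # source address of the replying DHCP server
    ingress_if: str     # interface on which the client's request was received
    msg_type: str       # "OFFER", "ACK" or "NAK"


class ServerDetector:
    """Keeps one record per DHCP server until the records are cleared."""

    def __init__(self) -> None:
        self.records: Dict[str, str] = {}   # server IP -> first interface seen

    def observe(self, reply: RelayedReply) -> None:
        if reply.msg_type in ("OFFER", "ACK"):
            # setdefault: the device creates a record once for each server
            self.records.setdefault(reply.server_ip, reply.ingress_if)

    def unauthorized(self, authorized: Set[str]) -> List[str]:
        """Server IPs seen on the network that are not on the allow list."""
        return sorted(ip for ip in self.records if ip not in authorized)

    def clear(self) -> None:
        # After the records are cleared, the relay starts recording again.
        self.records.clear()


@dataclass
class Binding:
    client_ip: str
    client_mac: str
    dynamic: bool = True    # static bindings are never aged by the refresh


# Answer to the relay's probe DHCP-REQUEST: "ACK", "NAK" or None (no reply)
ProbeFn = Callable[[str], Optional[str]]


def refresh_bindings(bindings: List[Binding], probe: ProbeFn) -> List[Binding]:
    """Return the entries that survive one refresh cycle."""
    kept: List[Binding] = []
    for b in bindings:
        if not b.dynamic:
            kept.append(b)
            continue
        answer = probe(b.client_ip)
        if answer == "NAK":
            kept.append(b)      # server says the address is still in use
        # "ACK" or None: the address is assignable again, so the entry ages out
    return kept


# --- constructed sample data -------------------------------------------
AUTHORIZED_SERVERS = {"10.1.1.1"}           # server group from the relay example
SAMPLE_REPLIES = [
    RelayedReply("10.1.1.1", "Vlan-interface1", "OFFER"),
    RelayedReply("10.1.1.1", "Vlan-interface1", "ACK"),
    RelayedReply("10.10.1.200", "Vlan-interface1", "OFFER"),   # not on the allow list
]
SERVER_VIEW = {"10.10.1.10": "NAK", "10.10.1.11": "ACK"}      # 10.10.1.12 never answers
SAMPLE_BINDINGS = [
    Binding("10.10.1.10", "00-11-22-33-44-01"),
    Binding("10.10.1.11", "00-11-22-33-44-02"),
    Binding("10.10.1.12", "00-11-22-33-44-03"),
    Binding("10.10.1.20", "00-11-22-33-44-04", dynamic=False),
]


def sample_probe(client_ip: str) -> Optional[str]:
    return SERVER_VIEW.get(client_ip)


def demo() -> Dict[str, List[str]]:
    det = ServerDetector()
    for r in SAMPLE_REPLIES:
        det.observe(r)
    rogue = det.unauthorized(AUTHORIZED_SERVERS)
    survivors = [b.client_ip for b in refresh_bindings(SAMPLE_BINDINGS, sample_probe)]
    return {"unauthorized": rogue, "kept": survivors}


if __name__ == "__main__":
    print(demo())
```

Running the block reports 10.10.1.200 as the only server outside the allow list and keeps the entry the server answered with DHCP-NAK plus the static entry, which is the behaviour Table 70 describes.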

Creating a DHCP server group


1. Select Network > DHCP from the navigation tree.

2. Click the DHCP Relay tab to enter the page shown in Figure 172.
3. In the Server Group field, click Add to enter the page shown in Figure 174.
Figure 174 Creating a server group

4. Specify the DHCP server group information, as described in Table 71.


5. Click Apply.
Table 71 Configuration items

Server Group ID: Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.

IP Address: Enter the IP address of a server in the DHCP server group.
The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent. Otherwise, the client cannot obtain an IP address.

Enabling the DHCP relay agent on an interface


1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page shown in Figure 172.
3. In the Interface Config field, click the icon of a specific interface to enter the page shown
in Figure 175.
Figure 175 Configuring a DHCP relay agent interface

4. Configure the parameters, as described in Table 72.


5. Click Apply.

Table 72 Configuration items

Interface Name: This field displays the name of a specific interface.

DHCP Relay: Enable or disable the DHCP relay agent on the interface.
If the DHCP relay agent is disabled, the DHCP server is enabled on the interface.

Address Match Check: Enable or disable IP address check.
With this function enabled, the DHCP relay agent checks whether a requesting client's IP and MAC addresses match a binding (dynamic or static) on the DHCP relay agent. If not, the client cannot access outside networks via the DHCP relay agent. This prevents invalid IP address configuration.

Server Group ID: Correlate the interface with a DHCP server group.
A DHCP server group can be correlated with multiple interfaces.

Configuring and displaying clients' IP-to-MAC bindings


1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page shown in Figure 172.
3. In the User Information field, click User Information to view static and dynamic bindings.
Figure 176 Displaying clients' IP-to-MAC bindings

4. Click Add to enter the page shown in Figure 177.


Figure 177 Creating a static IP-to-MAC binding

5. Configure static IP-to-MAC binding, as described in Table 73.


6. Click Apply.

Table 73 Configuration items

IP Address: Enter the IP address of a DHCP client.

MAC Address: Enter the MAC address of the DHCP client.

Interface Name: Select the Layer 3 interface connected with the DHCP client.
IMPORTANT: The interface of a static binding entry must be configured as a DHCP relay agent. Otherwise, address entry conflicts may occur.

Recommended configuration procedure (for DHCP snooping)

1. Enabling DHCP snooping: Required. By default, DHCP snooping is disabled.

2. Configuring DHCP snooping functions on an interface: Required. Specify an interface as trusted and configure DHCP snooping to support Option 82. By default, an interface is untrusted and DHCP snooping does not support Option 82.
IMPORTANT: You need to specify the ports connected to the authorized DHCP servers as trusted to make sure DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.

3. Displaying clients' IP-to-MAC bindings: Optional. Display clients' IP-to-MAC bindings recorded by DHCP snooping.

Enabling DHCP snooping


1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab.
3. Select the Enable option for DHCP Snooping.

Figure 178 Enabling DHCP snooping

Configuring DHCP snooping functions on an interface


1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page shown in Figure 178.
3. In the Interface Config field, click the icon of a specific interface.
Figure 179 Configuring DHCP snooping functions on an interface

4. Configure the parameters, as described in Table 74.


5. Click Apply.
Table 74 Configuration items

Interface Name: This field displays the name of a specific interface.

Interface State: Configure the interface as trusted or untrusted.

Option 82 Support: Configure DHCP snooping to support Option 82 or not.

Option 82 Strategy: Select the handling strategy for DHCP requests containing Option 82. The strategies include:
• Drop—The message is discarded if it contains Option 82.
• Keep—The message is forwarded without its Option 82 being changed.
• Replace—The message is forwarded after its original Option 82 is replaced with the Option 82 padded in normal format.
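The trusted/untrusted rule, the three Option 82 strategies and the binding table can be seen working together on real DHCP wire format. The following Python is an added example, not HP's code: it builds RFC 2131 packets, accepts server replies only from a trusted interface, applies Drop/Keep/Replace to client requests that carry Option 82, and records an IP-to-MAC binding from each DHCP-ACK. The "normal format" Option 82 content it writes (VLAN ID and port index as the circuit ID, the device MAC as the remote ID) is an assumed encoding rather than HP's exact layout, and the MACs, addresses and interface names are constructed.

```python
"""Added example (not HP's code): DHCP snooping on trusted/untrusted ports with
the Option 82 Drop/Keep/Replace strategies and a binding table.  The 'normal
format' Option 82 layout is assumed; sample MACs/addresses are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"
SERVER_MSGS = {2, 5, 6}          # OFFER, ACK, NAK (DHCP message type, option 53)
Options = List[Tuple[int, bytes]]


def encode_options(options: Options) -> bytes:
    return b"".join(bytes([code, len(val)]) + val for code, val in options)


def build_dhcp(op: int, chaddr: bytes, yiaddr: str, options: Options) -> bytes:
    """Minimal BOOTP/DHCP packet: 236-byte fixed header, cookie, options, END."""
    head = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0,
                       b"\0" * 4, bytes(map(int, yiaddr.split("."))), b"\0" * 4,
                       b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return head + MAGIC + encode_options(options) + b"\xff"


def parse_options(pkt: bytes) -> Options:
    """TLV options after the cookie; skips PAD (0) and stops at END (255)."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = [], 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts.append((code, pkt[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def normal_format_option82(vlan: int, port_index: int, device_mac: bytes) -> bytes:
    """Assumed 'normal format': sub-option 1 = circuit ID, sub-option 2 = remote ID."""
    circuit = struct.pack("!HH", vlan, port_index)
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(device_mac)]) + device_mac


class DhcpSnooper:
    def __init__(self, trusted: List[str], option82_support: bool,
                 strategy: str, device_mac: bytes) -> None:
        self.trusted = set(trusted)
        self.option82_support = option82_support
        self.strategy = strategy                     # "drop", "keep" or "replace"
        self.device_mac = device_mac
        self.bindings: Dict[str, dict] = {}          # client MAC -> binding entry
        self._client_port: Dict[str, Tuple[str, int]] = {}

    def handle(self, pkt: bytes, port: str, vlan: int, port_index: int) -> Optional[bytes]:
        """Return the packet to forward, or None when snooping discards it."""
        opts = parse_options(pkt)
        msg_type = next(val[0] for code, val in opts if code == 53)
        mac = pkt[28:34].hex(":")
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return None     # server reply on an untrusted port: not an authorized server
            if msg_type == 5 and mac in self._client_port:      # DHCP-ACK: learn the binding
                lease = next((struct.unpack("!I", val)[0] for code, val in opts if code == 51), None)
                cport, cvlan = self._client_port[mac]
                self.bindings[mac] = {"ip": ".".join(map(str, pkt[16:20])), "port": cport,
                                      "vlan": cvlan, "type": "Dynamic", "lease": lease}
            return pkt
        # Client-originated message: remember where the client is, apply the strategy.
        self._client_port[mac] = (port, vlan)
        if self.option82_support and any(code == 82 for code, _ in opts):
            if self.strategy == "drop":
                return None
            if self.strategy == "replace":
                new82 = normal_format_option82(vlan, port_index, self.device_mac)
                opts = [(82, new82) if code == 82 else (code, val) for code, val in opts]
                return pkt[:240] + encode_options(opts) + b"\xff"
        return pkt


# --- constructed sample exchange ---------------------------------------
CLIENT_MAC = bytes.fromhex("001122334401")
AC_MAC = bytes.fromhex("00e0fc000001")
REQUEST = build_dhcp(1, CLIENT_MAC, "0.0.0.0",
                     [(53, b"\x03"), (82, b"\x01\x05bogus")])   # client-supplied Option 82
ACK = build_dhcp(2, CLIENT_MAC, "10.1.1.100", [(53, b"\x05"), (51, struct.pack("!I", 3600))])
OFFER = build_dhcp(2, CLIENT_MAC, "10.1.1.250", [(53, b"\x02")])


def run(strategy: str) -> dict:
    snoop = DhcpSnooper(trusted=["GE3/0/2"], option82_support=True,
                        strategy=strategy, device_mac=AC_MAC)
    fwd_req = snoop.handle(REQUEST, "GE3/0/1", 1, 1)     # from the AP-facing port
    fwd_ack = snoop.handle(ACK, "GE3/0/2", 1, 2)         # from the trusted server port
    rogue = snoop.handle(OFFER, "GE3/0/1", 1, 1)         # OFFER arriving on an untrusted port
    opt82 = None if fwd_req is None else dict(parse_options(fwd_req)).get(82)
    return {"request_forwarded": fwd_req is not None, "option82": opt82,
            "ack_forwarded": fwd_ack is not None, "rogue_offer_forwarded": rogue is not None,
            "bindings": snoop.bindings}


if __name__ == "__main__":
    print(run("replace"))
```

With the Replace strategy the forwarded request carries the device-generated Option 82 instead of the client's, the DHCP-ACK from the trusted port produces a Dynamic binding for 10.1.1.100, and the DHCP-OFFER arriving on the untrusted port is discarded, which is the protection the IMPORTANT note above relies on.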

Displaying clients' IP-to-MAC bindings


1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page shown in Figure 178.
3. Click User Information to enter the DHCP snooping user information page, as shown in Figure
180.
Figure 180 DHCP snooping user information

4. View clients' IP-to-MAC bindings recorded by DHCP snooping, as described in Table 75.
Table 75 Configuration items

IP Address: This field displays the IP address assigned by the DHCP server to the client.

MAC Address: This field displays the MAC address of the client.

Type: This field displays the client type, which can be:
• Dynamic—The IP-to-MAC binding is generated dynamically.
• Static—The IP-to-MAC binding is configured manually. Static bindings are not supported.

Interface Name: This field displays the device interface to which the client is connected.

VLAN: This field displays the VLAN to which the device belongs.

Remaining Lease Time: This field displays the remaining lease time of the IP address.

DHCP configuration examples
DHCP server configuration example
Network requirements
As shown in Figure 181, the DHCP client on subnet 10.1.1.0/24 obtains an IP address dynamically from
the DHCP server (AC). The IP address of VLAN-interface 2 of the AC is 10.1.1.1/24.
In subnet 10.1.1.0/24, the address lease duration is ten days and twelve hours and the gateway address
is 10.1.1.1.
Figure 181 Network diagram

Configuration procedure
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree to enter the default DHCP Server page.
b. Select the Enable option for DHCP Service.

Figure 182 Enabling DHCP

2. Enable the DHCP server on VLAN-interface 2: (This operation can be omitted because the DHCP
server is enabled on the interface by default.)
a. In the Interface Config field, click the icon of VLAN-interface 2.
b. Select the Enable option for DHCP Server.
c. Click Apply.
Figure 183 Enabling the DHCP server on VLAN-interface 2

3. Configure a dynamic address pool for the DHCP server:


a. Select the Dynamic option in the Address Pool field (default setting), and click Add.
The page for configuring a dynamic address pool appears.
b. Enter test for IP Pool Name, enter 10.1.1.0 for IP Address, and enter 255.255.255.0 for Mask.

c. Enter 10 days 12 hours 0 minutes 0 seconds for Lease Duration, and enter 10.1.1.1 for
Gateway Address.
d. Click Apply.
Figure 184 Configuring a dynamic address pool for the DHCP server

DHCP relay agent configuration example


Network requirements
As shown in Figure 185, VLAN-interface 1 on the DHCP relay agent (AC) connects to the network where
DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of
VLAN-interface 2 is 10.1.1.1/24. VLAN-interface 2 is connected to the DHCP server whose IP address is
10.1.1.1/24.
The AC forwards messages between DHCP clients and the DHCP server.
Figure 185 Network diagram

Configuration procedure
Because the DHCP relay agent and server are on different subnets, you must configure a static route or
dynamic routing protocol so they can communicate.
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Relay tab.
c. Select the Enable option for DHCP Service.

d. Click Apply.
Figure 186 Enabling DHCP

2. Configure a DHCP server group:


a. In the Server Group field, click Add.
b. Enter 1 for Server Group ID, and 10.1.1.1 for IP Address.
c. Click Apply.
Figure 187 Adding a DHCP server group

3. Enable the DHCP relay agent on VLAN-interface 1:


a. In the Interface Config field, click the icon of VLAN-interface 1.

b. Select the Enable option for DHCP Relay, and select 1 for Server Group ID.
c. Click Apply.
Figure 188 Enabling the DHCP relay agent on an interface and correlate it with a server group

DHCP snooping configuration example


Network requirements
As shown in Figure 189, a DHCP snooping device (the switch) is installed with the HP
11900/10500/7500 20G Unified Wired-WLAN module to act as the AC. The AC is connected to a
DHCP server through GigabitEthernet 3/0/2, and to an AP through GigabitEthernet 3/0/1.
• Enable DHCP snooping on the AC.
• Configure the AC to record clients' IP-to-MAC address bindings in DHCP-REQUEST messages and
DHCP-ACK messages received by the AC.
Figure 189 Network diagram

(Diagram labels: Host (DHCP client), AP (DHCP client), AC (DHCP snooping) with GE3/0/1 towards the AP and GE3/0/2 towards the DHCP server.)

Configuration procedure
1. Enable DHCP snooping:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Snooping tab.
c. Select the Enable option for DHCP Snooping.

Figure 190 Enabling DHCP snooping

2. Configure DHCP snooping functions on Ten-GigabitEthernet 1/0/1:


a. Click the icon of Ten-GigabitEthernet 1/0/1 on the interface list.
b. Select the Trust option for Interface State.
c. Click Apply.
Figure 191 Configuring DHCP snooping functions on Ten-GigabitEthernet 1/0/1

3. Display clients' IP-to-MAC bindings:


a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Snooping tab.
c. Click User Information to enter the DHCP snooping user information page, as shown in Figure
192.

Figure 192 Displaying clients' IP-to-MAC bindings

Configuring link aggregation and LACP

Overview
Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an
aggregation group.
It allows you to increase bandwidth by distributing traffic across the member ports in the aggregation
group. In addition, it provides reliable connectivity because these member ports can dynamically back
up each other.
Support for link aggregation depends on the device model. For more information, see "About the
Web-based configuration guide for HP unified wired-WLAN products."

Basic concepts of link aggregation


Aggregate interface
An aggregate interface is a logical interface.

Aggregation group
An aggregation group is a collection of Ethernet interfaces. When you create an aggregate interface, an
aggregation group numbered the same is automatically created.
The creation of a Layer 2 aggregate interface leads to the creation of a Layer 2 aggregation group. You
can assign only Layer 2 Ethernet interfaces to the group.

States of the member ports in an aggregation group


A member port in an aggregation group can be in one of the following states:
• Selected—A Selected port can forward user traffic.
• Unselected—An Unselected port cannot forward user traffic.
The rate of an aggregate interface is the sum of the selected member ports' rates. The duplex mode of
an aggregate interface is consistent with that of the selected member ports. All selected member ports
use the same duplex mode.
For information about how to determine the state of a member port, see "Static aggregation mode" and
"Dynamic aggregation mode."

LACP protocol
The Link Aggregation Control Protocol (LACP) is defined in IEEE 802.3ad. It uses LACPDUs for
information exchange between LACP-enabled devices.
LACP is automatically enabled on interfaces in a dynamic aggregation group. An LACP-enabled
interface sends LACPDUs to notify the remote system (the partner) of its system LACP priority, system MAC
address, LACP port priority, port number, and operational key. Upon receiving an LACPDU, the partner
compares the received information with the information received on other interfaces, and then
determines the interfaces that can operate as Selected interfaces. This allows the two systems to reach an
agreement on which link aggregation member ports should be placed in Selected state.

Operational key
An operational key is a configuration set that link aggregation control automatically assigns to each port
based on port attributes when aggregating ports. The configuration set contains the port rate, duplex
mode, and link state configuration.
In an aggregation group, all Selected ports are assigned the same operational key.

Class-two configurations
The contents of class-two configurations are listed in Table 76. In an aggregation group, if the class-two
configurations of a member port are different than those of the aggregate interface, the member port
cannot be a Selected port.
Table 76 Class-two configurations

Port isolation: Whether a port has joined an isolation group, and the isolation group to which the port belongs.

VLAN: Permitted VLAN IDs, default VLAN, link type (trunk, hybrid, or access), IP subnet-based VLAN configuration, protocol-based VLAN configuration, tag mode.

MAC address learning: MAC address learning capability, MAC address learning limit, forwarding of frames with unknown destination MAC addresses after the upper limit of the MAC address table is reached.

Some configurations are called class-one configurations. Such configurations, for example, MSTP, can
be configured on aggregate interfaces and member ports. However, these configurations are not
involved in operational key calculation.
Changing class-two configuration might affect the Select state of link aggregation member ports and the
ongoing service. To prevent unconsidered changes, the system displays a warning when you attempt to
change a class-two setting. You can decide whether to continue your change operation.

Link aggregation modes


Depending on the link aggregation procedure, link aggregation operates in one of the following modes:
• Static aggregation mode
• Dynamic aggregation mode

Static aggregation mode


LACP is disabled on member ports in a static aggregation group. In a static aggregation group, the
system sets a port to Selected or Unselected state by the following rules:
• The system uses a reference port-based method:
a. The system selects a port as the reference port from the ports that are in up state and that have
the same class-two configurations as the associated aggregate interface. These ports are
selected in the order of full duplex/high speed, full duplex/low speed, half duplex/high speed,
and half duplex/low speed. If two ports have the same duplex mode/speed pair, the one with
the lower port number wins.
b. The up ports that have the same port attributes and class-two configurations as the reference
port are set as the candidate selected ports. The system sets all other ports in Unselected state.

• Static aggregation limits the number of Selected ports in an aggregation group. When the upper
limit is not reached, all the candidate selected ports become Selected ports. When the upper limit
is exceeded, the system sets the candidate selected ports with larger port numbers to Unselected
state to keep the number of Selected ports in the correct range.
• If all member ports are down, the system sets their states to Unselected.
• The system sets the ports that cannot aggregate with the reference port due to hardware constraints
to the Unselected state. An example of hardware constraints is inter-board aggregation restriction.
When the number of Selected ports reaches the upper limit, a port joining the aggregation group will not
be placed in Selected state. This can prevent the ongoing traffic on the current Selected ports from being
interrupted. However, you should avoid the situation because this might cause the Selected/Unselected
state of a port to change after a reboot.

Dynamic aggregation mode


LACP is enabled on member ports in a dynamic aggregation group.
In a dynamic aggregation group, member ports process LACPDUs depending on their states:
• A Selected port can receive and transmit LACPDUs.
• An Unselected port can receive and send LACPDUs only when it is up and has the same
configurations as the aggregate interface.
In a dynamic aggregation group, the port state is set by the following rules:
• The local system (the actor) negotiates with the remote system (the partner) based on port IDs on the
end that has the preferred system ID to determine the port state:
a. The system compares the system ID (containing the system LACP priority and the system MAC
address) of the actor with that of the partner. The system with the lower LACP priority wins. If
they are the same, the system with the smaller MAC address wins.
b. The system compares the port IDs of the ports on the system with the smaller system ID. A port
ID contains a port LACP priority and a port number. The port with the lower LACP priority wins.
If two ports have the same LACP priority, the port with the smaller port number is selected as the
reference port.
c. A port is set as a candidate selected port when it meets the following conditions. Otherwise,
the system sets the port to the Unselected state.
− The port is up and has the same port attributes and class-two configuration as the reference
port.
− The peer port has the same port attributes and class-two configurations as the peer port of
the reference port.
• Dynamic aggregation limits the number of Selected ports in an aggregation group. When the
upper limit is not reached, all the candidate selected ports are set to Selected state. When the upper
limit is exceeded, the system sets the candidate selected ports with larger port numbers to
Unselected state to keep the number of Selected ports in the correct range. At the same time, the
peer device, being aware of the changes, also changes the state of its ports.
• The system sets the ports that cannot aggregate with the reference port due to hardware constraints
to the Unselected state. An example of hardware constraints is inter-board aggregation restriction.

Guidelines
The following guidelines apply to static and dynamic aggregation modes:
• The maximum number of Selected ports allowed in an aggregation group depends on the device
model.

• In an aggregation group, a candidate Selected port must have the same port attributes and
class-two configurations as the reference port. To keep these configurations consistent, you should
configure the port correctly.
• Changing port attributes or class-two configuration for a port might change the Select state of the
port and other member ports. This might affect services. HP recommends that you perform change
operations with caution.

Load sharing mode of an aggregation group


A link aggregation group operates in load sharing aggregation mode or non-load sharing mode.
The system sets the load sharing mode of an aggregation group by the following rules:
• When hardware resources are available, a link aggregation group that has at least two Selected
ports operates in load sharing mode.
• When the number of created aggregation groups reaches the upper threshold, all new link
aggregation groups operate in non-load sharing mode.
• A load-sharing aggregation group contains at least one Selected port, but a non-load-sharing
aggregation group can only have a maximum of one Selected port.
• When hardware resources are insufficient, all new link aggregation groups operate in non-load
sharing mode. They will not provide load sharing even after resources become sufficient again. To
provide load sharing, you can re-enable their associated aggregation interfaces by shutting down
and then bringing up the interfaces.

Configuration guidelines
When you configure a link aggregation group, follow these guidelines:
• In an aggregation group, a candidate Selected port must have the same port attributes and
class-two configurations as the reference port. To keep these configurations consistent, you should
configure the port correctly.
• For a reference port, it is selected from the up ports that have the same class-two configurations as
the associated aggregate interface. These ports are selected in the order of full duplex/high speed,
full duplex/low speed, half duplex/high speed, and half duplex/low speed. If two ports have the
same duplex mode/speed pair, the one with the lower port number wins.
• Port attributes contain port rate, duplex mode, and link state. For more information about class-two
configurations, see "Class-two configurations."
• To provide successful static aggregation, make sure the ports at the two ends of each aggregated
link have the same Selected/Unselected state. To provide successful dynamic aggregation, make
sure the local ports and peer ports are both aggregated. In dynamic aggregation, the two ends can
automatically negotiate the Select state of the ports.
• Removing a Layer 2 aggregate interface also removes the associated aggregation group.
Meanwhile, the member ports of the aggregation group, if any, are also removed from the
aggregation group.
• When a load-sharing aggregation group becomes a non-load-sharing aggregation group because
of insufficient load sharing resources, one of the following problems might have occurred:
− The number of Selected ports of the actor is inconsistent with that of the partner, which might
result in incorrect traffic forwarding.
− The peer port of a Selected port is an Unselected port, which might result in exceptions in
upper-layer protocol and traffic forwarding.

Recommended link aggregation and LACP configuration procedures

Recommended static aggregation group configuration procedure

Creating a link aggregation group: Required. Create a static aggregate interface and configure member ports for the static aggregation group automatically created by the system when you create the aggregate interface. By default, no link aggregation group exists.

Displaying aggregate interface information: Optional. Perform this task to view detailed information of an existing aggregation group.

Recommended dynamic aggregation group configuration procedure

Creating a link aggregation group: Required. Create a dynamic aggregate interface and configure member ports for the dynamic aggregation group automatically created by the system when you create the aggregate interface. LACP is enabled automatically on all member ports. By default, no link aggregation group exists.

Displaying aggregate interface information: Optional. Perform this task to view detailed information of an existing aggregation group.

Setting LACP priority: Optional. Perform this task to set LACP priority for the local system and link aggregation member ports. Changes of LACP priorities affect the Selected/Unselected state of link aggregation member ports. The default port LACP priority and system LACP priority are both 32768.

Displaying LACP-enabled port information: Optional. Perform this task to view detailed information of LACP-enabled ports and the corresponding remote (partner) ports.

Creating a link aggregation group


1. Select Network > Link Aggregation from the navigation tree.
2. Click Create.
Figure 193 Creating a link aggregation group

3. Configure a link aggregation group as described in Table 77.


4. Click Apply.
Table 77 Configuration items

Enter Link Aggregation Interface ID: Assign an ID to the link aggregation group to be created. You can view the result in the Summary area at the bottom of the page.

Specify Interface Type: Set the type of the link aggregation interface to be created:
• Static (LACP Disabled).
• Dynamic (LACP Enabled).

Select port(s) for the link aggregation interface: Select one or multiple ports to be assigned to the link aggregation group.

Displaying aggregate interface information


1. Select Network > Link Aggregation from the navigation tree.

The Summary tab is displayed by default. The list on the upper part of the page displays
information about all the aggregate interfaces.
2. Select an aggregate interface from the list.
The list on the lower part of the page displays detailed information about the member ports of the
associated link aggregation group.
Figure 194 Displaying aggregate interface information

Table 78 Field description

Aggregation interface: Type and ID of the aggregate interface. Bridge-Aggregation represents a Layer 2 aggregate interface.

Link Type: Type of the aggregate interface:
• Static.
• Dynamic.

Partner ID: ID of the remote device, containing its LACP priority and MAC address.

Selected Ports: Number of Selected ports in each link aggregation group. Only Selected ports can transmit and receive user data.

Standby Ports: Number of Unselected ports in each link aggregation group. Unselected ports cannot transmit or receive user data.

Member Port: Member ports of the aggregate interface.

State: Selected states of the member ports:
• Selected.
• Unselected.

Reason for being Unselected: Reason why the state of a member port is Unselected. For a Selected member port, this field displays a hyphen (-).

Setting LACP priority


1. Select Network > LACP from the navigation tree.
2. Click Setup.
Figure 195 Setup tab

3. In the Set LACP enabled port(s) parameters area, set the port priority, and select the desired ports.
4. Click Apply in the area.
Table 79 Configuration items

Port Priority: Set the LACP priority.

Select port(s) to apply Port Priority: Select the ports for which you want to set the LACP priority. You can set the LACP priority for both LACP-enabled ports and LACP-disabled ports.

5. In the Set global LACP parameters area, set the system priority.
6. Click Apply in the area.

Displaying LACP-enabled port information
1. Select Network > LACP from the navigation tree.
The Summary tab is displayed by default. The upper part of the page displays a list of all
LACP-enabled ports on the device and information about them. Table 80 describes the fields.
2. Select a port on the port list.
3. Click View Details.
Detailed information about the peer port appears on the lower part of the page. Table 81
describes the fields.
Figure 196 Displaying LACP-enabled port information

Table 80 Field description for local ports

Unit: Member device ID in an IRF.

Port: Port where LACP is enabled.

LACP State: State of LACP on the port.

Port Priority: LACP priority of the port.

State: Active state of the port. If a port is Selected, its state is active and the ID of the aggregation group it belongs to is displayed.

Inactive Reason: Reason code indicating why a port is inactive (or Unselected) for receiving/transmitting user data. For the meanings of the reason codes, see the bottom of the page shown in Figure 196.

Partner Port: Name of the peer port.

Partner Port State: State information of the peer port:
• A—Indicates that LACP is enabled.
• B—Indicates that LACP short timeout has occurred. If B does not appear, LACP long timeout has occurred.
• C—Indicates that the link is considered aggregatable by the sending system.
• D—Indicates that the link is considered as synchronized by the sending system.
• E—Indicates that the sending system considers that collection of incoming frames is enabled on the link.
• F—Indicates that the sending system considers that distribution of outgoing frames is enabled on the link.
• G—Indicates that the receive state machine of the sending system is using the default operational partner information.
• H—Indicates that the receive state machine of the sending system is in expired state.

Oper Key: Operational key of the local port.

Table 81 Field description for peer ports

Unit: Number of the partner system.

Port: Name of the peer port.

Partner ID: LACP priority and MAC address of the partner system.

Partner Port Priority: LACP priority of the peer port.

Partner Oper Key: Operational key of the peer port.

Link aggregation and LACP configuration example


Network requirements
As shown in Figure 197, aggregate the ports on each device to form a link aggregation group, balancing
incoming/outgoing traffic across the member ports.

Figure 197 Network diagram

Configuration procedure
You can create a static or dynamic link aggregation group to achieve load balancing.
Method 1: Create a static link aggregation group
1. Select Network > Link Aggregation from the navigation tree.
2. Click Create.
3. Configure static link aggregation group 1:
a. Enter link aggregation interface ID 1.
b. Select the Static (LACP Disabled) option for the aggregate interface type.
c. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.
4. Click Apply.
Figure 198 Creating static link aggregation group 1

Method 2: Create a dynamic link aggregation group


5. Select Network > Link Aggregation from the navigation tree.
6. Click Create.

7. Configure dynamic aggregation group 1:
a. Enter link aggregation interface ID 1.
b. Select the Dynamic (LACP Enabled) option for aggregate interface type.
c. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.
8. Click Apply.
Figure 199 Creating dynamic link aggregation group 1

Configuring DNS

Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use simple domain names in some
applications and the DNS server translates them into correct IP addresses.
There are two types of DNS services: static and dynamic. After a user specifies a name, the device checks
the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS
server for dynamic name resolution, which takes more time than static name resolution. Therefore, to
improve efficiency, frequently queried name-to-IP address mappings are stored in the local static name
resolution table.

Static domain name resolution


Static domain name resolution requires you to set up mappings between domain names and IP
addresses manually. IP addresses of the corresponding domain names can be found in the static domain
resolution table when you use applications such as telnet.

Dynamic domain name resolution


Dynamic domain name resolution is implemented by querying the DNS server.

DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy.
The DNS proxy forwards the request to the designated DNS server, and conveys the reply from the DNS
server to the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you only
need to change the configuration on the DNS proxy, instead of on each DNS client.
For more information about DNS, see Layer 3 Configuration Guide.
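The lookup order the overview describes (static table first, then dynamic resolution through the configured servers, with domain name suffixes tried) can be shown as a small resolver. The following Python is an added example, not HP's code: it keeps a static table in which the most recent mapping for a host name wins, a dynamic cache with TTL expiry that can be cleared, an ordered list of DNS server addresses, and a suffix list. The upstream query is a pluggable callable so that the example runs offline; the zone data, server addresses, host names and TTLs are constructed, and the suffix order used (name as typed first, then name plus each suffix) is an assumption rather than the device's documented behaviour.

```python
"""Added example (not HP's code): static-then-dynamic name resolution with
domain suffixes and a clearable dynamic cache.  The zone data, server
addresses and host names are constructed; the suffix order is assumed."""
from typing import Callable, Dict, List, Optional, Tuple

# query(server_ip, fqdn) -> (ip, ttl_seconds), or None when the server has no answer
QueryFn = Callable[[str, str], Optional[Tuple[str, int]]]


class StaticTable:
    """Host name -> IP mappings; one IP per name, the most recent configuration wins."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}

    def add(self, host: str, ip: str) -> None:
        self.entries[host.lower()] = ip

    def lookup(self, host: str) -> Optional[str]:
        return self.entries.get(host.lower())


class Resolver:
    def __init__(self, static: StaticTable, servers: List[str], suffixes: List[str],
                 query: QueryFn, now: Callable[[], float]) -> None:
        self.static, self.servers, self.suffixes = static, servers, suffixes
        self.query, self.now = query, now
        self.cache: Dict[str, Tuple[str, float]] = {}     # fqdn -> (ip, expiry time)

    def clear_dynamic_cache(self) -> None:
        self.cache.clear()

    def candidates(self, name: str) -> List[str]:
        # Assumed order: the name as typed, then the name with each configured suffix.
        return [name] + [f"{name}.{s}" for s in self.suffixes]

    def resolve(self, name: str) -> Optional[str]:
        ip = self.static.lookup(name)
        if ip:
            return ip                                    # static resolution: no server contacted
        for fqdn in self.candidates(name):
            fqdn = fqdn.lower()
            cached = self.cache.get(fqdn)
            if cached and cached[1] > self.now():
                return cached[0]                         # dynamic cache hit within TTL
            for server in self.servers:                  # dynamic resolution, servers in order
                answer = self.query(server, fqdn)
                if answer:
                    ip, ttl = answer
                    self.cache[fqdn] = (ip, self.now() + ttl)
                    return ip
        return None


# --- constructed sample data -------------------------------------------
SAMPLE_ZONE = {"www.example.com": ("192.0.2.10", 300),
               "intranet.corp.example": ("198.51.100.5", 60)}
DEAD_SERVER = "10.1.1.53"       # first configured server, never answers


def make_query(zone: Dict[str, Tuple[str, int]]) -> QueryFn:
    def query(server: str, fqdn: str) -> Optional[Tuple[str, int]]:
        return None if server == DEAD_SERVER else zone.get(fqdn)
    return query


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    zone = dict(SAMPLE_ZONE)
    clock = FakeClock()
    static = StaticTable()
    static.add("www.example.com", "203.0.113.1")    # first configuration
    static.add("www.example.com", "203.0.113.2")    # later configuration takes effect
    r = Resolver(static, [DEAD_SERVER, "10.1.1.54"], ["corp.example"], make_query(zone), clock)
    out = {"static": r.resolve("www.example.com"),   # static table beats the zone answer
           "suffix": r.resolve("intranet"),           # found as intranet.corp.example
           "missing": r.resolve("nosuchhost")}
    zone.pop("intranet.corp.example")                # server loses the record...
    out["cached"] = r.resolve("intranet")            # ...but the cached answer is still valid
    r.clear_dynamic_cache()                          # the "Clear Dynamic DNS cache" action
    out["after_clear"] = r.resolve("intranet")
    clock.t = 61.0                                   # (TTL expiry is handled the same way)
    return out


if __name__ == "__main__":
    print(demo())
```

The "static" result shows both points of Table 82 at once: the static table is consulted before any server, and the second mapping configured for www.example.com is the one in effect.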

Recommended configuration procedure
Configuring static name resolution table

Configuring static name resolution table: Required. By default, no host name-to-IP address mappings are configured in the static domain name resolution table.

Configuring dynamic domain name resolution

1. Configuring dynamic domain name resolution: Required. This function is disabled by default.

2. Adding a DNS server address: Required. Not configured by default.

3. Adding a domain name suffix: Optional. Not configured by default.

4. Clearing dynamic DNS cache: Optional.

Configuring DNS proxy

1. Configuring DNS proxy: Required. By default, the device is not a DNS proxy.

2. Adding a DNS server address: Required. Not configured by default.

Configuring static name resolution table


1. Select Network > DNS from the navigation tree to enter the default static domain name resolution
configuration page shown in Figure 200.

Figure 200 Static domain name resolution configuration page

2. Click Add.
Figure 201 Creating a static domain name resolution entry

3. Configure the parameters, as described in Table 82.


4. Click Apply.
Table 82 Configuration items

Item              Description
Host Name         Configure the mapping between a host name and an IP address in the static domain
Host IP Address   name table.
                  Each host name corresponds to only one IP address. If you configure multiple IP
                  addresses for a host name, the most recently configured IP address takes effect.

Configuring dynamic domain name resolution


1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab.
3. Select the Enable option for Dynamic DNS.
4. Click Apply.

Figure 202 Dynamic domain name resolution configuration page

Configuring DNS proxy


1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 202.
3. Select the Enable option for DNS Proxy.
4. Click Apply.

Adding a DNS server address


1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 202.
3. Click Add IP to enter the page shown in Figure 203.
4. Enter an IP address in the DNS Server IP Address field.
5. Click Apply.

Figure 203 Adding a DNS server address

Adding a domain name suffix


1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 202.
3. Click Add Suffix to enter the page shown in Figure 204.
4. Enter a DNS suffix in the DNS Domain Name Suffix field.
5. Click Apply.
Figure 204 Adding a domain name suffix

Clearing dynamic DNS cache


1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 202.
3. Select the Clear Dynamic DNS cache box.
4. Click Apply.

DNS configuration example
Network requirements
As shown in Figure 205:
• The IP address of the DNS server is 2.1.1.2/16. The DNS server has a com zone, which stores the
mapping between the host name host (host.com) and the IP address 3.1.1.1/16.
• The AC serves as a DNS client, and uses dynamic domain name resolution.
Configure the AC so that the AC can access the host by using a simple domain name rather than an IP
address.
Figure 205 Network diagram

NOTE:
• Before performing the following configuration, make sure the AC and the host are reachable to each
other, and the IP addresses of the interfaces are configured. See Figure 205.
• This configuration might vary with DNS servers. The following configuration is performed on a PC
running Windows Server 2000.

Configuring the DNS server


1. Create a zone named com:
a. Select Start > Programs > Administrative Tools > DNS.
b. As shown in Figure 206, right click Forward Lookup Zones and select New Zone.
c. Follow the instructions to create a new zone named com.

Figure 206 Creating a zone

2. Create a mapping between host name and IP address:


a. In Figure 207, right click zone com, and then select New Host.
Figure 207 Adding a host

b. In the dialog box shown in Figure 208, enter host name host and IP address 3.1.1.1.
c. Click Add Host.

Figure 208 Adding a mapping between domain name and IP address

Configuring the AC
1. Enable dynamic domain name resolution.
a. Select Network > DNS from the navigation tree.
b. Click the Dynamic tab
c. Select the Enable option for Dynamic DNS.
d. Click Apply.
Figure 209 Enabling dynamic domain name resolution

2. Configure the DNS server address:

a. Click Add IP in Figure 209 to enter the page for adding a DNS server IP address.
b. Enter 2.1.1.2 for DNS Server IP Address.
c. Click Apply.
Figure 210 Adding a DNS server address

3. Configure the domain name suffix:
a. Click Add Suffix in Figure 209.
b. Enter com for DNS Domain Name Suffix.
c. Click Apply.
Figure 211 Adding a DNS domain name suffix

Verifying the configuration


# Verify that the communication between the AC and the host is correct and verify that the corresponding
destination IP address is 3.1.1.1.
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Enter host in the Destination IP address or host name field.
3. Click Start to execute the ping command.
4. View the result in the Summary field.

Figure 212 Ping operation

Configuring DDNS

Support for DDNS depends on the device model. For more information, see "About the Web-based
configuration guide for HP unified wired-WLAN products."

Overview
DNS allows you to access nodes in networks using their domain names. However, it provides only the
static mappings between domain names and IP addresses. When you use a domain name to access a
node whose IP address has changed, your access fails because DNS leads you to the IP address where
the node no longer resides.
Dynamic Domain Name System (DDNS) dynamically updates the mappings between domain names
and IP addresses for DNS servers. Through DDNS, you can always access the latest IP address
corresponding to a domain name.
As shown in Figure 213, DDNS works on the client-server model.
• DDNS client—A device that needs the DNS server to update the mapping between the domain
name and IP address of the device dynamically. An Internet user typically uses a domain name to
access a server that provides application layer services, such as an HTTP server or an FTP server.
When the IP address of such a server changes, the server runs as a DDNS client. The DDNS client
sends a request to the DDNS server for updating the mapping between the domain name and the
IP address.
• DDNS server—Informs the DNS server of latest mappings. After receiving the mapping update
request from a DDNS client, the DDNS server tells the DNS server to re-map between the domain
name and the DDNS client's IP address. Therefore, the Internet users can use the same domain
name to access the DDNS client even if the IP address of the DDNS client has changed.
Figure 213 DDNS networking application

The DDNS update process does not have a unified standard and depends on the DDNS server that the
DDNS client contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn
(also known as the PeanutHull server), and www.dyndns.com.

With the DDNS client configured, a device can dynamically update the latest mapping between its
domain name and IP address on the DNS server through DDNS servers at www.3322.org or
www.oray.cn for example.

Configuration prerequisites
• Visit the website of a DDNS service provider, register an account, and apply for a domain name for
the DDNS client. When the DDNS client updates the mapping between the domain name and the
IP address through the DDNS server, the DDNS server checks the following information:
Whether the account information is correct.
Whether the domain name to be updated belongs to the account.
• Specify the primary IP address and security zone for the interface configured with DDNS and make
sure the DDNS server and the interface can reach each other.
• Configure static or dynamic domain name resolution to translate the domain name of the DDNS
server into an IP address.

Configuration procedure
1. Select Network > DNS > DDNS from the navigation tree.
The DDNS configuration page appears, as shown in Figure 214.
Figure 214 DDNS configuration page

2. Click Add.
The page for creating a DDNS entry appears, as shown in Figure 215.

Figure 215 Creating a DDNS entry

3. Configure DDNS, as described in Table 83.


4. Click Apply.
Table 83 Configuration items

Item                               Description
Domain Name                        Specify the DDNS entry name, which uniquely identifies the DDNS entry.
Server settings   Server Provider  Select the DDNS server provider, which can be 3322.org or PeanutHull.
                  Server Name      Specify the DDNS server's domain name.
                                   After a server provider is selected, its DDNS server domain name appears
                                   automatically:
                                   • If the server provider is 3322.org, the server domain name is
                                     members.3322.org. HP recommends that you do not change the server
                                     name.
                                   • If the server provider is PeanutHull, the server domain name is
                                     phservice2.oray.net. The server names provided by PeanutHull include
                                     phservice2.oray.net, phddns60.oray.net, client.oray.net, and
                                     ph031.oray.net. Change the server name as needed.
                  Interval         Specify the interval for sending DDNS update requests after DDNS update is
                                   enabled.
                                   IMPORTANT:
                                   • A DDNS update request is immediately initiated when the primary IP address
                                     of the interface changes or the link state of the interface changes from Down
                                     to Up, no matter whether the interval has expired.
                                   • If you specify the interval as 0 day-0 hour-0 minute, your device does not
                                     periodically initiate any DDNS update request, but still initiates a DDNS
                                     update request when the primary IP address of the interface changes or when
                                     the link state of the interface changes from Down to Up.
Account settings  Username         Specify the username used for logging in to the DDNS server.
                  Password         Specify the password used for logging in to the DDNS server.
Other settings    Associated       Select an interface to which the DDNS policy is applied.
                  Interface        The IP address in the host name-to-IP address mapping for update is the primary
                                   IP address of the interface.
                                   IMPORTANT:
                                   You can bind up to four DDNS entries to an interface.
                  FQDN             Specify the FQDN in the IP-to-FQDN mapping for update.
                                   The FQDN is the only identification of a node in the network. An FQDN consists
                                   of a local host name and a parent domain name and can be translated into an
                                   IP address.
                                   • If the DDNS service is provided by www.3322.org, the FQDN must be
                                     specified. Otherwise, DDNS update might fail.
                                   • If the DDNS server is a PeanutHull server and no FQDN is specified, the
                                     DDNS server updates all the corresponding domain names of the DDNS
                                     client account. If an FQDN is specified, the DDNS server updates only the
                                     specified IP-to-FQDN mapping.
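The Interval rules in Table 83 (update immediately on an address change or a Down-to-Up transition, periodically only when the interval is nonzero) and the update request itself are worth seeing as code. The following is an added example, not the device's DDNS client and not code from any provider: it assumes a DynDNS2-style GET /nic/update request with HTTP Basic authentication, which is one common shape for such services, but the exact path, query parameters and response strings are provider-specific assumptions, and the credentials, host names and addresses are constructed.

```python
"""DDNS client logic for the Interval/trigger rules in Table 83, plus a
DynDNS2-style update request. Added example, not the device's code; the
request path, response strings, credentials and addresses are assumptions or
constructed data. Check the provider's documentation for the real endpoint."""
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass
class DdnsEntry:
    fqdn: str
    server_name: str
    username: str
    password: str
    interval_s: int = 0              # 0 = no periodic updates, only on IP change / link up
    last_sent: Optional[float] = None
    last_ip: Optional[str] = None
    link_up: bool = False


def should_update(entry, now, current_ip, link_up):
    """Return (send, reason). A Down->Up transition or a changed primary IP
    always triggers a request; a nonzero interval adds periodic refreshes."""
    if not link_up:
        entry.link_up = False
        return False, "link down"
    if not entry.link_up:
        entry.link_up = True
        return True, "link up"
    if current_ip != entry.last_ip:
        return True, "ip changed"
    if entry.interval_s and entry.last_sent is not None and now - entry.last_sent >= entry.interval_s:
        return True, "interval expired"
    return False, "no change"


def build_update_request(entry, ip):
    """HTTP/1.1 request text in the DynDNS2 shape (assumed path /nic/update).
    Basic auth only base64-encodes the password; over plain HTTP anyone on the
    path can read it, so use the provider's HTTPS endpoint where it has one."""
    token = base64.b64encode(f"{entry.username}:{entry.password}".encode()).decode()
    return (
        f"GET /nic/update?hostname={entry.fqdn}&myip={ip} HTTP/1.1\r\n"
        f"Host: {entry.server_name}\r\n"
        f"Authorization: Basic {token}\r\n"
        "User-Agent: example-ddns-client/0.1\r\n"
        "\r\n"
    )


def parse_update_response(body):
    """Interpret a DynDNS2-style body: 'good <ip>' or 'nochg <ip>' mean success;
    'badauth', 'nohost', 'abuse' and similar codes mean failure. Returns (ok, detail)."""
    code, _, rest = body.strip().partition(" ")
    if code in ("good", "nochg"):
        return True, rest or code
    return False, code or "empty response"


def run_cycle(entry, now, current_ip, link_up, send):
    """One scheduler tick. `send(request_text)` must return the response body;
    a successful update records the time and address that were registered."""
    go, reason = should_update(entry, now, current_ip, link_up)
    if not go:
        return reason
    ok, detail = parse_update_response(send(build_update_request(entry, current_ip)))
    if ok:
        entry.last_sent, entry.last_ip = now, current_ip
    return f"{reason}: {'ok' if ok else 'failed'} ({detail})"
```

Run a few ticks with a stand-in `send` that always answers "good <ip>": the first tick with the link down sends nothing, the first tick with the link up sends an update, an unchanged address sends nothing, a changed address sends immediately, and a nonzero interval sends again once it has elapsed. Note that the request carries the account password in a reversible encoding; the guide's example uses account steven/nevets over members.3322.org, which is exactly the kind of credential an attacker on the path would harvest if the transport is plain HTTP.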

DDNS configuration example


Network requirements
The AC is a Web server with the domain name whatever.3322.org.
The AC acquires its IP address through DHCP. Through DDNS service provided by www.3322.org, the
AC informs the DNS server of the latest mapping between its domain name and IP address.
The IP address of the DNS server is 1.1.1.1. The AC uses the DNS server to translate www.3322.org into
the corresponding IP address.

Figure 216 Network diagram (the AC, acting as DDNS client, connects through interface Dialer 1 to the IP
network; the DNS server at 1.1.1.1 and the www.3322.org DDNS server are reached across that network)

Configuration prerequisite
Before configuring DDNS on the AC, complete the following tasks:
• Create an account at http://www.3322.org/ (account name: steven and password: nevets).
• Add the AC's host name-to-IP address mapping to the DNS server.
• Make sure the devices are reachable to each other.

Configuring the AC
1. Enable dynamic domain name resolution:
a. Select Network > DNS > Dynamic from the navigation tree.
b. Select the Enable option for Dynamic DNS, as shown in Figure 217.
c. Click Apply.
Figure 217 Enabling dynamic domain name resolution

2. Configure the DNS server IP address:
a. Select Network > DNS > Dynamic from the navigation tree.
The page for enabling dynamic domain name resolution appears, as shown in Figure 217.
b. Click Add IP.
c. Enter 1.1.1.1 for DNS Server IP Address, as shown in Figure 218.
d. Click Apply.
Figure 218 Configuring the DNS server IP address

3. Configure DDNS:
a. Select Network > DNS > DDNS from the navigation tree.
b. Click Add.
The page for configuring DDNS appears.
c. Enter 3322 for Domain Name, and select 3322.org from the Server Provider list.
d. Enter steven for Username, and enter nevets for Password.
e. Select Dialer 1 from the Associated Interface list, and enter whatever.3322.org for FQDN.
f. Click Apply.

Figure 219 Configuring DDNS

Verifying the configuration


# Verify that the AC notifies the DNS server of its new domain name-to-IP address mapping through the
DDNS server provided by www.3322.org whenever its IP address changes.
Therefore, the AC can always provide Web service at whatever.3322.org.

Configuring PPPoE

Support for PPPoE depends on the device model. For more information, see "About the Web-based
configuration guide for HP unified wired-WLAN products."

Overview
Point-to-Point Protocol over Ethernet (PPPoE) uses the client/server model. It establishes point-to-point links
over Ethernet, and encapsulates PPP packets in Ethernet frames.
APs configured as PPPoE clients can be connected to the Internet through a remote access device, and
access control and accounting can be implemented on a per-AP basis.
PPPoE undergoes two phases:
• Discovery phase—Where a PPPoE session is initiated. In this phase, the client obtains the MAC
address of the access concentrator, and the PPPoE session ID is assigned.
• PPP session phase—Where PPP packets are encapsulated in Ethernet frames before being sent to
the peer.
In the frame, the session ID must be the one determined in the discovery phase. The MAC address
must be that of the peer. The PPP packet section begins from the Protocol ID field. In the session
phase, either end of the link can terminate the session by sending a PPPoE Active Discovery
Terminate (PADT) packet.
For more information about PPPoE, see RFC 2516.
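The discovery phase is four frames (PADI, PADO, PADR, PADS) and a PADT to tear down, and the client states shown later in Table 86 (IDLE, PADI, PADR, PPPNEG, PPPUP) follow that exchange directly. The following is an added example that is not part of the guide and not the AC's implementation: it encodes and parses RFC 2516 discovery frames and runs the exchange between a minimal client and a minimal access concentrator in memory. The MAC addresses, the AC name and the service name are constructed; the AC-Cookie and Host-Uniq handling follows RFC 2516 but the exact checks are this example's own choices.

```python
"""PPPoE discovery-stage frames per RFC 2516 and the client state sequence
IDLE -> PADI -> PADR -> PPPNEG. Added example, not device code; all MAC
addresses, the AC name and the service name are constructed."""
import os
import struct

ETH_P_PPPOE_DISC = 0x8863          # discovery stage ethertype
BROADCAST = bytes.fromhex("ffffffffffff")

# PPPoE CODE values (RFC 2516 section 5)
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
# TAG_TYPE values (RFC 2516 appendix A)
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0103, 0x0104


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (VER=1, TYPE=1) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr + payload


def parse_frame(frame):
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    vt, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vt != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    body, tags, off = frame[20:20 + length], [], 0
    if len(body) != length:
        raise ValueError("truncated PPPoE payload")
    while off + 4 <= len(body):          # bounds-checked TLV walk
        t, l = struct.unpack("!HH", body[off:off + 4])
        tags.append((t, body[off + 4:off + 4 + l]))
        off += 4 + l
    return {"dst": dst, "src": src, "code": code, "session_id": session_id, "tags": tags}


def tag(tags, t):
    return next((v for tt, v in tags if tt == t), None)


class PppoeServer:
    """Minimal access concentrator: answers PADI with PADO, PADR with PADS."""
    def __init__(self, mac, ac_name=b"example-ac"):
        self.mac, self.ac_name, self.next_sid, self.cookies = mac, ac_name, 1, {}

    def handle(self, frame):
        f = parse_frame(frame)
        hu = tag(f["tags"], TAG_HOST_UNIQ) or b""
        svc = tag(f["tags"], TAG_SERVICE_NAME) or b""
        if f["code"] == PADI:
            cookie = os.urandom(8)          # AC-Cookie: lets the AC stay stateless-ish and resist PADR floods
            self.cookies[f["src"]] = cookie
            return build_frame(f["src"], self.mac, PADO, 0,
                [(TAG_SERVICE_NAME, svc), (TAG_AC_NAME, self.ac_name),
                 (TAG_AC_COOKIE, cookie), (TAG_HOST_UNIQ, hu)])
        if f["code"] == PADR:
            if tag(f["tags"], TAG_AC_COOKIE) != self.cookies.get(f["src"]):
                return None                 # PADR without our cookie: stale or forged, drop it
            sid, self.next_sid = self.next_sid, self.next_sid + 1
            return build_frame(f["src"], self.mac, PADS, sid, [(TAG_SERVICE_NAME, svc), (TAG_HOST_UNIQ, hu)])
        return None


class PppoeClient:
    def __init__(self, mac, service=b""):
        self.mac, self.service, self.state = mac, service, "IDLE"
        self.host_uniq = os.urandom(4)      # echoed back by the AC so replies can be matched to our request
        self.session_id, self.server_mac = 0, None

    def padi(self):
        self.state = "PADI"
        return build_frame(BROADCAST, self.mac, PADI, 0,
            [(TAG_SERVICE_NAME, self.service), (TAG_HOST_UNIQ, self.host_uniq)])

    def handle(self, frame):
        f = parse_frame(frame)
        if f["code"] == PADT:
            if self.session_id and f["session_id"] == self.session_id and f["src"] == self.server_mac:
                self.session_id, self.state = 0, "IDLE"
            return None
        if tag(f["tags"], TAG_HOST_UNIQ) != self.host_uniq:
            return None                     # not a reply to our request
        if f["code"] == PADO and self.state == "PADI":
            # Nothing in discovery authenticates the AC: any host on the segment may answer a
            # PADI. A careful client pins the expected AC-Name here instead of taking the first PADO.
            self.state, self.server_mac = "PADR", f["src"]
            return build_frame(f["src"], self.mac, PADR, 0,
                [(TAG_SERVICE_NAME, self.service), (TAG_HOST_UNIQ, self.host_uniq),
                 (TAG_AC_COOKIE, tag(f["tags"], TAG_AC_COOKIE) or b"")])
        if f["code"] == PADS and self.state == "PADR" and f["src"] == self.server_mac:
            self.session_id, self.state = f["session_id"], "PPPNEG"   # PPP LCP starts next
        return None


def discover(client, server):
    """Run PADI/PADO/PADR/PADS in memory; return the assigned session ID (0 on failure)."""
    pado = server.handle(client.padi())
    padr = client.handle(pado)
    pads = server.handle(padr)
    client.handle(pads)
    return client.session_id
```

After `discover()` the client holds a nonzero session ID and is in PPPNEG, which is where the device's Status column would show PPP negotiation starting. A PADR that does not carry the AC's cookie is dropped by the server, a PADO whose Host-Uniq does not match is ignored by the client, and a PADT from the server for the live session returns the client to IDLE.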
Figure 220 PPPoE application scenario

Configuration guidelines
The dialer interfaces that you create on the page by selecting Device > Interface Management can also
be displayed on the PPPoE client page. On this page, you can modify or remove these dialer interfaces
as well. However, you cannot establish PPPoE sessions for them.

Configuring a PPPoE client
1. Select Network > PPPoE from the navigation tree.
The system automatically enters the Client page.
Figure 221 PPPoE client information

2. Click Add to enter the page for creating a PPPoE client.


Figure 222 Creating a PPPoE client

3. Configure the parameters for the PPPoE client, as described in Table 84.
4. Click Apply.

Table 84 Configuration items

Task                  Remarks
Dialer Interface      Configure the number of the dialer interface.
Username              Configure the username and password used by the PPPoE client in authentication.
Password              The username and password must be configured together, or not configured at all.
IP Config             Configure the way the dialer interface obtains its IP address:
                      • None—Does not configure an IP address.
                      • Static Address—Statically configures an IP address and subnet mask for the
                        interface.
                      • PPP Negotiate—Obtains an IP address through PPP negotiation.
                      • Unnumbered—Borrows the IP address of another interface on the same device.
IP Address            Configure an IP address and subnet mask for the dialer interface.
Mask                  If you select Static Address for the dialer interface, you must configure both items.
Unnumbered Interface  Interface on the same device whose IP address is borrowed.
                      If you select Unnumbered for the dialer interface, you must configure this item.
Bundled Interface     Configure the interfaces bound to the PPPoE client.
Session Type          Set the session type of the PPPoE client:
                      • Always Online—When the physical link is up, the device immediately initiates a
                        PPPoE call to establish a PPPoE session. The PPPoE session continues to exist until
                        you delete it.
                      • Not Always Online—When the physical link is up, the device does not initiate a
                        PPPoE call unless there is data to be transmitted on the link. When the PPPoE link
                        stays idle longer than the timeout timer set by the user, the device terminates the
                        current PPPoE session automatically. When you select this non-permanent
                        connection mode, you must set an idle-timeout timer.
Idle Time             Set an idle-timeout timer for the PPPoE link.
                      This item is required when you set the session type to Not Always Online.

Displaying PPPoE client session statistic information


1. Select Network > PPPoE from the navigation tree.
2. Click the Session tab to enter the page for displaying the session information.
3. Select Statistic Information for Information Type, as shown in Figure 223.
4. Display PPPoE client session statistic information, as described in Table 85.

Figure 223 Statistics

Table 85 Field description

Field                       Description
Interface                   Ethernet interface where the PPPoE session belongs. This field is null when the
                            PPPoE session is bundled with a VLAN interface.
Session Number              PPPoE session ID.
Received Packets            Number of received packets in the PPPoE session.
Received Bytes              Number of received bytes in the PPPoE session.
Dropped Packets (Received)  Number of dropped packets which are received in the PPPoE session.
Sent Packets                Number of transmitted packets in the PPPoE session.
Sent Bytes                  Number of transmitted bytes in the PPPoE session.
Dropped Packets (Sent)      Number of dropped packets which are transmitted in the PPPoE session.

Displaying PPPoE client session information


1. Select Network > PPPoE from the navigation tree.
2. Click the Session tab to enter the page for displaying the session information.
3. Select Summary Information for Information Type, as shown in Figure 224.
4. Displaying PPPoE client session information, as described in Table 86.

Figure 224 Summary

Table 86 Field description

Field                     Description
Session Number            PPPoE session ID.
Dialer Interface Number   Number of the dialer interface corresponding to the PPPoE session.
Interface                 Ethernet interface where the PPPoE session belongs. This field is null when the
                          PPPoE session is bundled with a VLAN interface.
Client-MAC                MAC address of the PPPoE client.
Server-MAC                MAC address of the PPPoE server.
Status                    PPPoE session state:
                          • IDLE—PPPoE client negotiation is not performed.
                          • PADI—PADI packets have been sent. The interface is waiting for the PADO
                            response.
                          • PADR—PADR packets have been sent. The interface is waiting for the PADS
                            response.
                          • PPPNEG—PPP negotiation is started.
                          • PPPUP—PPP negotiation is completed.

PPPoE client configuration example


Network requirements
Configure PPPoE client on the AC and enable the PPPoE client to communicate with the PPPoE server, as
shown in Figure 225.
Figure 225 Network diagram

Configuring the PPPoE client
1. Configure the PPPoE client:
a. Select Network > PPPoE from the navigation tree. The system automatically enters the Client
page.
b. Click Add.
The page for creating a PPPoE client appears, as shown in Figure 226.
c. Enter 1 as the dialer interface name.
d. Enter user1 as the username.
e. Enter hello as the password.
f. Select PPP Negotiate for IP config.
g. Select Vlan-interface1 for Bundled Interface.
h. Select Always Online for Session Type.
i. Click Apply.
Figure 226 Creating a PPPoE client

2. Configure the PPPoE server:


a. Enable PPPoE on the PPPoE server. (Details not shown.)
b. Configure the PPPoE username and password that are the same as those configured on the
PPPoE client. (Details not shown.)
c. Assign an IP address to the peer end of the PPP connection. (Details not shown.)

Verifying the configuration


To display the summary information of the PPPoE session on an AC:

1. Select Network > PPPoE from the navigation tree of the AC, and click the Session tab.
2. Select Summary Information for Information Type.
Figure 227 shows that the PPP session is completed.
Figure 227 Displaying the summary information of PPPoE sessions

Managing services

Overview
The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP
and HTTPS. You can enable or disable the services as needed to enhance the performance and security
of the system, and achieve secure management of the device.
To limit the exposure of these services to unauthorized users, the service management module lets
you:
• Modify the HTTP and HTTPS port numbers.
• Associate the FTP, HTTP, or HTTPS service with an ACL, so that only clients permitted by the ACL
can reach the service.

FTP service
The File Transfer Protocol (FTP) is an application-layer protocol for sharing files between server and client
over a TCP/IP network.

Telnet service
The Telnet protocol is an application layer protocol that provides remote login and virtual terminal
functions on the network.

SSH service
Secure Shell (SSH) provides a way to log in to a remote device securely. By encrypting and authenticating
the session, it protects the device against attacks such as IP spoofing and interception of plaintext
passwords.

SFTP service
The SSH File Transfer Protocol (SFTP) is a feature of SSH 2.0. SFTP runs over the SSH connection to
provide secure data transfer. The device can serve as an SFTP server, allowing a remote user to log in to
it for secure file management and transfer. The device can also serve as an SFTP client, enabling a user
to log in from the device to a remote device for secure file transfer.

HTTP service
The Hypertext Transfer Protocol (HTTP) is used for transferring Web page information across the Internet.
It is an application-layer protocol in the TCP/IP protocol suite.
You can log in to the device using the HTTP protocol with HTTP service enabled, accessing and
controlling the device with Web-based network management.

HTTPS service
The Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over the Secure Sockets Layer (SSL)
protocol.
The SSL layer of HTTPS enhances the security of the device in the following ways:
• Authenticates clients, so that authorized clients get secure access to the device and unauthorized
clients are rejected.
• Encrypts the data exchanged between the HTTPS client and the device to protect its confidentiality
and integrity.
• Supports certificate attribute-based access control policies that restrict what an authenticated client
is allowed to do on the device, limiting what an unauthorized client can attempt.

Configuring service management


1. Select Network > Service from the navigation tree to enter the service management configuration
page.
Figure 228 Service management

2. Enable or disable various services on the page, as described in Table 87.


3. Click Apply.
Table 87 Configuration items

Item                          Description
FTP service    Enable FTP     Specify whether to enable the FTP service.
                              The FTP service is disabled by default.
               ACL            Associate the FTP service with an ACL. Only the clients that pass the ACL
                              filtering are permitted to use the FTP service.
                              You can view this configuration item by clicking the expanding button in
                              front of FTP.
Telnet service Enable Telnet  Specify whether to enable the Telnet service.
                              The Telnet service is enabled by default.
SSH service    Enable SSH     Specify whether to enable the SSH service.
                              The SSH service is disabled by default.
SFTP service   Enable SFTP    Specify whether to enable the SFTP service.
                              The SFTP service is disabled by default.
                              IMPORTANT:
                              When you enable the SFTP service, the SSH service must be enabled.
HTTP service   Enable HTTP    Specify whether to enable the HTTP service.
                              The HTTP service is enabled by default.
               Port Number    Set the port number for the HTTP service.
                              You can view this configuration item by clicking the expanding button in
                              front of HTTP.
                              IMPORTANT:
                              When you modify a port, make sure the port is not used by another service.
               ACL            Associate the HTTP service with an ACL. Only the clients that pass the ACL
                              filtering are permitted to use the HTTP service.
                              You can view this configuration item by clicking the expanding button in
                              front of HTTP.
HTTPS service  Enable HTTPS   Specify whether to enable the HTTPS service.
                              The HTTPS service is disabled by default.
               Certificate    Select a local certificate for the HTTPS service from the Certificate
                              dropdown list.
                              You can configure the certificates available in the dropdown list in
                              Authentication > Certificate Management. For more information, see
                              "Managing certificates."
                              IMPORTANT:
                              • The service management, portal authentication, and local EAP service
                                modules always reference the same PKI domain. Changing the
                                referenced PKI domain in any of the three modules also changes the PKI
                                domain referenced in the other two modules.
                              • If no certificate is specified, the HTTPS service generates its own
                                certificate.
               Port Number    Set the port number for the HTTPS service.
                              You can view this configuration item by clicking the expanding button in
                              front of HTTPS.
                              IMPORTANT:
                              When you modify a port, make sure the port is not used by another service.
               ACL            Associate the HTTPS service with an ACL. Only the clients that pass the ACL
                              filtering are permitted to use the HTTPS service.
                              You can view this configuration item by clicking the expanding button in
                              front of HTTPS.
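Table 87 describes two controls, whether a service is enabled and which clients an ACL lets through, plus the dependency of SFTP on SSH. The following is an added example, not the device's code, that models that admission decision and audits a configuration against the defaults in the table. It assumes Comware-style basic ACL rules (an action, an address and a wildcard mask, first match wins) and assumes that a client matching no rule is denied; the DEFAULTS and HARDENED configurations, the ACL and the client addresses are constructed for the example.

```python
"""Admission check for management services per Table 87 (service enabled,
optional ACL on FTP/HTTP/HTTPS, SFTP requires SSH) and an audit of a
configuration against the table's defaults. Added example, not device code;
the rule format, the default-deny for non-matching clients and all
configurations/addresses are assumptions or constructed data."""
import ipaddress


def wildcard_match(addr, rule_addr, wildcard):
    """Basic-ACL style match: wildcard bits set to 1 are 'don't care'."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (r & keep)


def acl_decision(rules, client_ip):
    """rules: [(action, address, wildcard)] in order; first match wins.
    No match -> deny (assumed here; check the platform's own default)."""
    for action, rule_addr, wildcard in rules:
        if wildcard_match(client_ip, rule_addr, wildcard):
            return action == "permit"
    return False


def service_allowed(services, name, client_ip):
    """services: {name: {"enabled": bool, "acl": rules or None, ...}}."""
    svc = services.get(name, {})
    if not svc.get("enabled"):
        return False
    if name == "sftp" and not services.get("ssh", {}).get("enabled"):
        return False                         # SFTP rides on SSH (Table 87)
    acl = svc.get("acl")
    return True if acl is None else acl_decision(acl, client_ip)


def audit(services):
    """Findings a reviewer would raise: cleartext protocols on, services exposed
    without an ACL, HTTPS falling back to a self-generated certificate."""
    findings = []
    for name in ("telnet", "http", "ftp"):
        if services.get(name, {}).get("enabled"):
            findings.append(f"{name}: cleartext management protocol enabled")
    for name in ("ftp", "http", "https"):
        s = services.get(name, {})
        if s.get("enabled") and s.get("acl") is None:
            findings.append(f"{name}: enabled without an ACL")
    https = services.get("https", {})
    if https.get("enabled") and not https.get("certificate"):
        findings.append("https: no local certificate selected; a self-generated certificate will be used")
    return findings


# Constructed configurations: first the defaults from Table 87 (Telnet and HTTP on,
# everything else off, no ACLs), then a hardened set restricted to one management subnet.
DEFAULTS = {
    "ftp": {"enabled": False}, "telnet": {"enabled": True}, "ssh": {"enabled": False},
    "sftp": {"enabled": False}, "http": {"enabled": True, "port": 80},
    "https": {"enabled": False, "port": 443},
}
MGMT_ACL = [("permit", "10.10.0.0", "0.0.255.255"), ("deny", "0.0.0.0", "255.255.255.255")]
HARDENED = {
    "ftp": {"enabled": False}, "telnet": {"enabled": False}, "ssh": {"enabled": True},
    "sftp": {"enabled": True}, "http": {"enabled": False, "port": 80},
    "https": {"enabled": True, "port": 443, "acl": MGMT_ACL, "certificate": "mgmt-cert"},
}
```

Against DEFAULTS the audit reports Telnet and HTTP enabled in cleartext and HTTP reachable from anywhere; against HARDENED it reports nothing, HTTPS answers only clients in 10.10.0.0/16, and SFTP is allowed because SSH is on. The ACL is a network-layer filter only: it limits who can reach the login prompt, it does not replace authentication on the service itself.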

Using diagnostic tools

Ping
You can use the ping function to check whether a device with a specified address is reachable, and to
examine network connectivity.
A successful execution of the ping command includes the following steps:
1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source
device after receiving the ICMP echo request.
3. The source device displays related statistics after receiving the reply.
The output of the ping operation depends on the result:
• The destination can be given as a host name or an IP address. If the host name cannot be resolved,
an error prompt is displayed.
• If the source device does not receive an ICMP echo reply before the timeout timer expires, it
displays a timeout prompt and the statistics for the ping operation. Otherwise, it displays the
number of bytes in the echo reply, the message sequence number, the Time to Live (TTL), the
response time, and the statistics for the ping operation. The statistics include the number of packets
sent, the number of echo replies received, the percentage of replies not received, and the minimum,
average, and maximum response time.

Trace route
By using the trace route command, you can display the Layer 3 devices involved in delivering a packet
from source to destination. In the event of network failure, this function can identify failed nodes.
The trace route command includes the following steps in its execution:
1. The source device sends a packet with a TTL value of 1 to the destination device.
2. The first hop (the Layer 3 device that first receives the packet) responds by sending a TTL-expired
ICMP message to the source, with its IP address encapsulated. In this way, the source device can
obtain the address of the first Layer 3 device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with a TTL-expired ICMP message, which gives the source device the
address of the second Layer 3 device.
5. This process continues until the ultimate destination device is reached. In this way, the source
device can trace the addresses of all the Layer 3 devices involved in reaching the destination
device.
The destination of the trace route operation can be given as a host name or an IP address. If the host
name cannot be resolved, an error prompt is displayed.

Ping operation
IPv4 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Click the expansion button before Advanced Setup to display the configurations of the advanced
parameters of IPv4 ping operation.
Figure 229 IPv4 ping configuration page

3. Enter the IPv4 address or host name of the destination device in the Destination IP address or host
name field.
4. Set the advanced parameters for the IPv4 ping operation.
5. Click Start to execute the ping command.
6. View the result in the Summary field.

Figure 230 IPv4 ping operation results

IPv6 ping operation


1. Select Diagnostic Tools > Ping from the navigation tree.
2. Click the IPv6 Ping tab to enter the IPv6 ping configuration page.
3. Expand Advanced Setup to display the configurations of the advanced parameters of IPv6 ping
operation.
Figure 231 IPv6 ping

4. Enter the IPv6 address or host name of the destination device in the Destination IP address or host
name field.
5. Set the advanced parameters for the IPv6 ping operation.
6. Click Start to execute the ping command.
7. View the result in the Summary field.
Figure 232 IPv6 ping operation results

Trace route operation


The Web interface does not support trace route on IPv6 addresses.
Before performing the trace route operations, complete the following tasks:
• Execute the ip ttl-expires enable command on the intermediate device to enable the sending of
ICMP timeout packets.
• Execute the ip unreachables enable command on the destination device to enable the sending of
ICMP destination unreachable packets.
To perform a traceroute operation:
1. Select Diagnostic Tools > Trace Route from the navigation tree.
2. Click the Trace Route tab to enter the Trace Route configuration page.

Figure 233 Trace Route configuration page

3. Enter the destination IP address or host name in the field.


4. Click Start to execute the trace route command.
5. View the result in the Summary field.
Figure 234 Trace route operation results

Configuring NAT

Overview
Network Address Translation (NAT) provides a way to translate an IP address in the IP packet header to
another IP address. NAT enables a large number of private users to access the Internet by using a small
number of public IP addresses. NAT effectively alleviates the depletion of IP addresses.
A private IP address is used only in an internal network, and a public or external IP address is used on
the Internet and is globally unique.
According to RFC 1918, three blocks of IP addresses are reserved for private networks:
• Class A—10.0.0.0 through 10.255.255.255.
• Class B—172.16.0.0 through 172.31.255.255.
• Class C—192.168.0.0 through 192.168.255.255.
Addresses in these three ranges are not routed on the public Internet. You can use them freely in an
enterprise network without requesting them from an ISP or a registry.
In addition to translating private addresses to public addresses, NAT also performs address translation
between any two networks. In this document, the two networks refer to an internal network and an
external network. Generally a private network is an internal network, and a public network is an external
network.
Figure 235 shows the NAT operation.
Figure 235 NAT operation (Host 192.168.1.3 on the intranet; NAT device with inside address 192.168.1.1 and
outside address 20.1.1.1; Server 1.1.1.2 on the Internet)

Direction   Before NAT                          After NAT
Outbound    Src: 192.168.1.3, Dst: 1.1.1.2      Src: 20.1.1.1, Dst: 1.1.1.2
Inbound     Src: 1.1.1.2, Dst: 20.1.1.1         Src: 1.1.1.2, Dst: 192.168.1.3

1. The internal host at 192.168.1.3 sends an IP packet to the external server at 1.1.1.2 through the
NAT device.
2. After receiving the packet, the NAT device checks the IP header. Finding that the packet is destined
to the external network, the NAT device translates the private source IP address 192.168.1.3 to
the globally unique IP address 20.1.1.1. Then, it forwards the packet to the external server.
Meanwhile, the NAT device records the mapping between the two addresses in its NAT table.
3. The external server responds to the internal host with an IP packet whose destination IP address is
20.1.1.1. After receiving the packet, the NAT device performs the following actions:
a. Checks the IP header.

b. Looks up its NAT table for the mapping.
c. Replaces the destination address with the private address of 192.168.1.3.
d. Sends the new packet to the internal host.
The NAT operation is transparent to the terminals involved. The external server believes that the IP
address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As a result, NAT
hides the private network from external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy,
NAT has the following disadvantages:
• Because NAT rewrites IP addresses, the IP headers cannot be encrypted. The same applies to
application-layer payloads that carry an IP address or port number that NAT must rewrite. For
example, an FTP control connection cannot be encrypted, because NAT could no longer rewrite the
address in its PORT command.
• Network debugging becomes more difficult. For example, when a host in a private network attacks
other networks, it is harder to pinpoint the attacking host because its internal IP address is hidden
behind the translated address.

NAT control
Typically, an enterprise allows some hosts in the internal network to access external networks and
prohibits others. The enterprise can achieve this through the NAT control mechanism. If a source IP
address is in the denied address list, the NAT device does not translate the address. In addition, the NAT
device only translates private addresses to specified public addresses.
You can achieve NAT control through an access control list (ACL) and an address pool.
• Only packets matching the ACL rules are served by NAT.
• An address pool is a collection of consecutive public IP addresses for address translation. You can
specify an address pool based on the number of available public IP addresses, the number of
internal hosts, and network requirements. The NAT device selects an address from the address pool
as the public address of an IP packet.

NAT implementation
Basic NAT
When an internal host accesses an external network, NAT uses an external or public IP address to
replace the original internal IP address. As shown in Figure 235, NAT uses the IP address of the outbound
interface on the NAT device. All internal hosts use the same external IP address to access external
networks and only one host can access external networks at a given time.
A NAT device can also hold multiple public IP addresses to support concurrent access requests.
Whenever a new external network access request comes from the internal network, NAT performs the
following actions:
1. Chooses an available public IP address (if any) to replace the source IP address.
2. Forwards the packet.
3. Records the mapping between the two addresses.
In this way, multiple internal hosts can access external networks simultaneously.

The number of public IP addresses that a NAT device needs is usually less than the number of internal
hosts because not all internal hosts access external networks simultaneously. The number of public IP
addresses is related to the number of internal hosts that might access external networks simultaneously
during peak hours.

NAPT
Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses
to be mapped to the same public IP address, which is called multiple-to-one NAT.
NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple
internal hosts are mapped to the same external IP address with different port numbers.
Figure 236 NAPT operation
[Figure: Host A 192.168.1.2 and Host B 192.168.1.3 on the intranet, NAT device (192.168.1.1 toward the intranet, 20.1.1.1 toward the Internet), and server 1.1.1.2 on the Internet.
Direction: Outbound. Before NAT: 192.168.1.2:1111. After NAT: 20.1.1.1:1001.
Direction: Outbound. Before NAT: 192.168.1.2:2222. After NAT: 20.1.1.1:1002.
Direction: Outbound. Before NAT: 192.168.1.3:1111. After NAT: 20.1.1.1:1003.
Packet 1: Src 192.168.1.2:1111 becomes Src 20.1.1.1:1001. Packet 2: Src 192.168.1.2:2222 becomes Src 20.1.1.1:1002. Packet 3: Src 192.168.1.3:1111 becomes Src 20.1.1.1:1003.]
As shown in Figure 236, three IP packets arrive at the NAT device. Packets 1 and 2 are from the same
internal address but have different source port numbers. Packets 1 and 3 are from different internal
addresses but have the same source port number. NAPT maps their source IP addresses to the same
external address but with different source port numbers. Therefore, the packets can still be discriminated.
When response packets arrive, the NAT device can forward them to corresponding hosts based on the
destination addresses and port numbers.
NAPT can better utilize IP address resources, enabling more internal hosts to access the external network
at the same time.
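The following Python simulation is an added example, not part of the HP documentation: it reproduces the operation of Figures 235 and 236, with NAT control by a basic ACL rule (source address plus wildcard, as entered in the Web UI), a No-PAT pool that hands one public address to each internal host, and NAPT that maps several internal address/port pairs to one public address with distinct ports. The class and function names, and the NAPT starting port of 1001 (chosen to reproduce the figure), are the example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class AclRule:
    """Basic ACL rule as entered in the Web UI: action, source IP, wildcard.
    A wildcard bit of 0 means that address bit must match (0.0.0.255 = /24)."""

    def __init__(self, action, source, wildcard):
        self.action = action
        self.source = int(IPv4Address(source))
        self.care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF

    def matches(self, ip):
        return (int(IPv4Address(ip)) & self.care) == (self.source & self.care)


class NatDevice:
    """pat=True is NAPT (one public IP, many ports); pat=False is No-PAT
    (one pool address per internal host). port_range is the NAPT port range."""

    def __init__(self, acl, pool, pat=True, port_range=(1001, 65535)):
        self.acl = acl
        self.pool = list(pool)
        self.pat = pat
        self.next_port, self.last_port = port_range
        self.outbound = {}   # internal key -> (public_ip, public_port)
        self.inbound = {}    # (public_ip, public_port) -> internal key
        self.in_use = set()  # public IPs held by No-PAT sessions

    def permitted(self, ip):
        """NAT control: the first matching ACL rule decides; no match = no NAT."""
        for rule in self.acl:
            if rule.matches(ip):
                return rule.action == "permit"
        return False

    def _allocate(self):
        if self.pat:
            if self.next_port > self.last_port:
                return None
            port, self.next_port = self.next_port, self.next_port + 1
            return (self.pool[0], port)
        for ip in self.pool:
            if ip not in self.in_use:
                self.in_use.add(ip)
                return (ip, None)
        return None  # every pool address is in use

    def translate_outbound(self, pkt):
        """Internal host -> external server. Returns the translated packet, the
        original packet if the ACL does not permit NAT, or None (dropped) when
        no public address or port is available."""
        if not self.permitted(pkt.src_ip):
            return pkt
        key = (pkt.src_ip, pkt.src_port if self.pat else None)
        if key not in self.outbound:
            mapping = self._allocate()
            if mapping is None:
                return None
            self.outbound[key] = mapping
            self.inbound[mapping] = key
        pub_ip, pub_port = self.outbound[key]
        return Packet(pub_ip, pub_port if self.pat else pkt.src_port,
                      pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Reply from the external server: look up the NAT table and restore the
        private destination. Packets without a mapping are dropped."""
        key = (pkt.dst_ip, pkt.dst_port if self.pat else None)
        if key not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[key]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip,
                      priv_port if self.pat else pkt.dst_port)

    def release(self, priv_ip, priv_port=None):
        """Session terminated: free the mapping (and the No-PAT address)."""
        key = (priv_ip, priv_port if self.pat else None)
        mapping = self.outbound.pop(key, None)
        if mapping is not None:
            del self.inbound[mapping]
            self.in_use.discard(mapping[0])


def napt_demo():
    """Figure 236: three packets share 20.1.1.1 with distinct ports, the reply
    to port 1003 returns to Host B, and a host the ACL denies is not translated."""
    acl = [AclRule("permit", "192.168.1.0", "0.0.0.255"),
           AclRule("deny", "0.0.0.0", "255.255.255.255")]
    nat = NatDevice(acl, ["20.1.1.1"])
    pkts = [Packet("192.168.1.2", 1111, "1.1.1.2", 80),
            Packet("192.168.1.2", 2222, "1.1.1.2", 80),
            Packet("192.168.1.3", 1111, "1.1.1.2", 80)]
    out = [nat.translate_outbound(p) for p in pkts]
    back = nat.translate_inbound(Packet("1.1.1.2", 80, "20.1.1.1", 1003))
    untouched = nat.translate_outbound(Packet("10.0.0.5", 1111, "1.1.1.2", 80))
    return ([(p.src_ip, p.src_port) for p in out],
            (back.dst_ip, back.dst_port), untouched.src_ip)


def basic_nat_demo():
    """No-PAT with a two-address pool: the third concurrent host is refused
    until a session ends and releases an address."""
    nat = NatDevice([AclRule("permit", "192.168.1.0", "0.0.0.255")],
                    ["20.1.1.1", "20.1.1.2"], pat=False)
    first = [nat.translate_outbound(Packet(h, 1111, "1.1.1.2", 80))
             for h in ("192.168.1.2", "192.168.1.3", "192.168.1.4")]
    nat.release("192.168.1.2")
    retry = nat.translate_outbound(Packet("192.168.1.4", 1111, "1.1.1.2", 80))
    return [p.src_ip if p else None for p in first], retry.src_ip
```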

Easy IP
Easy IP uses the public IP address of an interface on the device as the translated source address to save
IP address resources. It also uses ACLs to permit only certain internal IP addresses to be NATed.

Internal server
NAT hides the internal network structure and the identities of internal hosts. However, some internal hosts
such as an internal Web server or FTP server might need to be accessed by external hosts. NAT satisfies
this need by supporting internal servers.
You can configure an internal server on the NAT device by mapping a public IP address and port number
to the internal server's private IP address and port number. For example, you can configure an address
like 20.1.1.12:8080 as an internal Web server's external address and port number.

In Figure 237, when the NAT device receives a packet destined for the public IP address of the internal
server, it performs the following actions:
1. Looks up the NAT entries.
2. Translates the destination address and port number in the packet to the private IP address and port
number of the internal server.
When the NAT device receives a response packet from the internal server, it translates the source private
IP address and port number of the packet into the public IP address and port number of the internal
server.
Figure 237 Internal server operation
[Figure: Internal server 192.168.1.3 on the intranet, NAT device (192.168.1.1 toward the intranet, 20.1.1.1 toward the Internet), and host 1.1.1.2 on the Internet.
Direction: Inbound. Before NAT: 20.1.1.1:8080. After NAT: 192.168.1.3:8080.
Request from the host: Dst 20.1.1.1:8080 becomes Dst 192.168.1.3:8080.
Response from the server: Src 192.168.1.3:8080 becomes Src 20.1.1.1:8080.]
DNS mapping
Generally, the DNS server and the users that need to access internal servers reside on the public network.
You can specify an external IP address and a port number for an internal server on the public network
interface of a NAT device, so that external users can access the internal server using its domain name or
public IP address. As shown in Figure 238, an internal host wants to access an internal Web server by
using its domain name, and the DNS server is located on the public network. Typically, the DNS server
replies with the public address of the internal server to the host, so the host cannot access the
internal server. The DNS mapping feature solves this problem.
Figure 238 Diagram for NAT DNS mapping operation

A DNS mapping entry records the domain name, public address, public port number, and protocol type
of an internal server. After receiving a DNS reply, the NAT-enabled interface matches the domain name
in the message against the DNS mapping entries. If a match is found, the interface replaces the public
IP address in the reply with the private IP address of the internal server. Then, the host can use the private
address to access the internal server.
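An added Python example (not HP code) for the internal server and DNS mapping behaviour of Figures 237 and 238: an inbound request to the server's public address/port is rewritten to the private address/port, the server's response is rewritten back, and a DNS reply whose domain matches a DNS mapping entry has the public address replaced with the private one. The domain name www.example.com and the source port 40000 are constructed for the example, and looking up the private address through the matching internal server entry is this example's assumption about how the gateway derives it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class InternalServer:
    """Internal server entry: public address/port mapped to private address/port."""
    proto: str
    global_ip: str
    global_port: int
    internal_ip: str
    internal_port: int


@dataclass(frozen=True)
class DnsMapping:
    """DNS mapping entry: domain name, public address, public port, protocol."""
    domain: str
    global_ip: str
    global_port: int
    proto: str


class NatGateway:
    def __init__(self, servers, dns_maps):
        self.servers = servers
        self.dns_maps = dns_maps

    def find_server(self, proto, global_ip, global_port):
        for s in self.servers:
            if (s.proto, s.global_ip, s.global_port) == (proto, global_ip, global_port):
                return s
        return None

    def inbound(self, pkt):
        """Figure 237, request: external host -> public address of the server.
        The destination becomes the private address/port; without a matching
        entry the packet is not delivered to the inside (None)."""
        s = self.find_server(pkt.proto, pkt.dst_ip, pkt.dst_port)
        if s is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, s.internal_ip, s.internal_port, pkt.proto)

    def outbound_reply(self, pkt):
        """Figure 237, response: private source rewritten to the public source."""
        for s in self.servers:
            if (s.proto, s.internal_ip, s.internal_port) == (pkt.proto, pkt.src_ip, pkt.src_port):
                return Packet(s.global_ip, s.global_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        return pkt

    def rewrite_dns_reply(self, domain, answer_ip):
        """Figure 238: a DNS reply crossing the NAT-enabled interface toward an
        internal host. When the domain matches a DNS mapping entry and the answer
        is that entry's public address, the internal server's private address is
        returned instead (found via the internal server entry, an assumption)."""
        for m in self.dns_maps:
            if m.domain.lower() == domain.lower() and m.global_ip == answer_ip:
                s = self.find_server(m.proto, m.global_ip, m.global_port)
                if s is not None:
                    return s.internal_ip
        return answer_ip


def internal_server_demo():
    """Constructed walk-through with the Figure 237 addresses."""
    gw = NatGateway(
        servers=[InternalServer("tcp", "20.1.1.1", 8080, "192.168.1.3", 8080)],
        dns_maps=[DnsMapping("www.example.com", "20.1.1.1", 8080, "tcp")])
    request = gw.inbound(Packet("1.1.1.2", 40000, "20.1.1.1", 8080))
    response = gw.outbound_reply(Packet("192.168.1.3", 8080, "1.1.1.2", 40000))
    no_entry = gw.inbound(Packet("1.1.1.2", 40000, "20.1.1.1", 22))
    inside_answer = gw.rewrite_dns_reply("www.example.com", "20.1.1.1")
    other_answer = gw.rewrite_dns_reply("mail.example.com", "20.1.1.5")
    return request, response, no_entry, inside_answer, other_answer
```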

Low-priority address pool
An address pool is a set of consecutive public IP addresses used for dynamic NAT. A NAT gateway
selects addresses from the address pool and uses them as the translated source IP addresses.
To implement NAT for stateful failover (asymmetric-path), you must configure the same address pool on
both devices so that one device can take over when the other device fails. However, if the two devices
select the same IP address from their address pool and assign the same port number, reverse sessions on
the two devices are the same. As a result, they cannot back up session data.
To solve the problem, the low-priority address pool attribute is introduced to NAT. Configure a
non-low-priority address pool on a device and configure a low-priority address pool on the other device.
The two address pools have the same address range, but have different port number ranges so that the
devices can back up session data.
For more information about stateful failover, see "Configuring stateful failover."

Configuration guidelines
When you configure address pools, follow these guidelines:
• On certain types of devices, an address pool cannot include the following IP addresses:
  - IP addresses in other address pools.
  - IP addresses of interfaces with Easy IP enabled.
  - Public IP addresses of internal servers.
• Low-priority address pools cannot include IP addresses in non low-priority address pools, external
IP addresses for one-to-one NAT, and public IP addresses of internal servers.
• The address pool, dynamic NAT, static NAT, and internal server configurations can be modified
through Web pages. The modification you make takes effect after the former configuration is
removed by the system.

Recommended configuration procedure


Configuring address translation
A NAT device can be configured with or dynamically generate mapping entries to translate between
internal and external network addresses. Address translation can be classified into dynamic and static
NAT.

Dynamic NAT
A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by associating an ACL
with an address pool (or the address of an interface in the case of Easy IP). This association defines what
packets can use the addresses in the address pool (or the interface's address) to access the external
network. Dynamic NAT is applicable when a large number of internal users must access external
networks. An IP address is selected from the associated address pool to translate an outgoing packet.
After the session terminates, the selected IP address is released.

Table 88 Dynamic NAT configuration task list
Creating an address pool
  Required for configuring NAPT and many-to-many NAT.
Configuring dynamic NAT
  Required. Configure dynamic NAT on an interface.

Static NAT
Mappings between external and internal network addresses are manually configured. Static NAT can
meet fixed access requirements of a few users.
Table 89 Static NAT configuration task list
Creating a static address mapping
  Required. Static NAT supports two modes, one-to-one and net-to-net.
Enabling static NAT on an interface
  Required. Configure static NAT on an interface.

Configuring an internal server


Configuring an internal server
  Required. After you map the private IP address/port number of an internal server to a public IP
  address/port number, hosts in external networks can access the server located in the private network.
Configuring a DNS mapping
  Optional. The DNS mapping feature enables an internal host to use the domain name to access an
  internal server located on the same private network, while the DNS server resides on the public network.

Creating an address pool


1. Select Network > NAT from the navigation tree.
The Dynamic NAT page appears.

Figure 239 Dynamic NAT

TIP:
You can click the ID link of an ACL to view details about the ACL, and create and delete ACL rules. For
more information about ACL configuration, see "Configuring ACLs."

2. Click Add in the Address Pool area.


The Add NAT Address Pool page appears.
Figure 240 Adding a NAT address pool

3. Create an IP address pool, as described in Table 90.


4. Click Apply.
Table 90 Configuration items
Index
  Specify the index of an address pool.
Start IP Address
  Specify the start IP address of the address pool.
End IP Address
  Specify the end IP address of the address pool. The end IP address must be identical to or higher
  than the start IP address.
Low priority
  Configure the address pool as a low-priority or a non low-priority address pool.
  IMPORTANT: This configuration item is applicable for asymmetric-path stateful failover only. The low
  priority settings for the local and peer devices must be different.

Configuring dynamic NAT


1. Select Network > NAT from the navigation tree.
The Dynamic NAT page appears.
2. Click Add in the Dynamic NAT area to enter the Add Dynamic NAT page.
Figure 241 Adding dynamic NAT

3. Configure dynamic NAT on an interface, as described in Table 91.


4. Click Apply.
Table 91 Configuration items
Interface
  Specify an interface on which dynamic NAT is to be enabled.
ACL
  Specify an ACL for dynamic NAT. You cannot associate an ACL with multiple NAT address pools, or
  associate an ACL with both Easy IP and an address pool.
  IMPORTANT: On some devices, the rules of an ACL applied to an interface cannot conflict with one
  another. Rules with the same source IP address, destination IP address, and VPN instance are
  considered a conflict. In a basic ACL (numbered 2000 to 2999), rules with the same source IP address
  and VPN instance are considered a conflict.
Address Transfer
  Select an address translation mode:
  • PAT—Refers to NAPT. In this mode, associating an ACL with an address pool translates both IP
    addresses and port numbers.
  • No-PAT—Refers to many-to-many NAT. In this mode, associating an ACL with an address pool
    translates only IP addresses.
  • Easy IP—In this mode, the NAT gateway directly uses an interface's public IP address as the
    translated IP address, and uses an ACL to match IP packets.
  Only one mode can be selected for an address pool.
Address Pool Index
  Specify the index of a NAT address pool for dynamic NAT. The NAT address pool must have been
  configured through NAT address configuration. If Easy IP is selected for Address Transfer, you do not
  need to enter an address pool index.
Enable track to VRRP
  Configure whether to associate dynamic NAT on an interface with a VRRP group.
VRRP Group
  Specify the VRRP group to be associated if you associate dynamic NAT on an interface with a VRRP
  group. When two network devices implement both stateful failover and dynamic NAT, follow these
  guidelines:
  • Make sure each address pool on an interface is associated with only one VRRP group. Otherwise,
    the system associates the address pool with the VRRP group having the highest group ID.
  • To ensure normal switchovers between the two devices, you must add the devices to the same VRRP
    group, and associate dynamic NAT with the VRRP group.

Creating a static address mapping


1. Select Network > NAT from the navigation tree, and click Static NAT.
The Static NAT page appears.
Figure 242 Static NAT

2. Click Add in the Static Address Mapping area.
The Add Static Address Mapping page appears.
Figure 243 Adding static address mapping

3. Configure a static address mapping, as described in Table 92.


4. Click Apply.
Table 92 Configuration items
Internal IP Address
  Enter an internal IP address for the static address mapping.
Global IP Address
  Enter a public IP address for the static address mapping.
Mask
  Enter a mask for the IP address.
ACL
  Enter an ACL ID for the static address mapping.

Enabling static NAT on an interface


1. Select Network > NAT from the navigation tree, and click Static NAT.
The Static NAT page appears, as shown in Figure 242.
2. Click Add in the Interface Static Translation area to enter the page for enabling interface static
translation.
Figure 244 Enabling interface static translation

3. Enable static NAT on an interface, as described in Table 93.
4. Click Apply.
Table 93 Configuration items
Interface Name
  Select an interface to which static NAT is applied.
Enable track to VRRP
  Configure whether to associate static NAT on an interface with a VRRP group, and specify the VRRP
  group to be associated.
VRRP Group
  When two network devices implement both stateful failover and dynamic NAT, to ensure normal
  switchovers between the two devices, you need to add the devices to the same VRRP group, and
  associate dynamic NAT with the VRRP group.

Configuring an internal server


This section describes basic and advanced internal server settings. In the basic configuration page, you
can specify the service type without setting internal ports, which use the default ports of services. In the
advanced configuration page, you need to specify the protocol type and internal ports.

Configuring basic internal server settings


1. Select Network > NAT from the navigation tree.
2. Click the Internal Server tab.
The Internal Server page appears.
Figure 245 Internal server

3. Click Add in the Internal Server area.


The Add Internal Server page appears.

Figure 246 Adding an internal server

4. Configure the internal server, as described in Table 94.


5. Click Apply.

Configuring advanced internal server settings


1. Click Advanced in the page shown in Figure 247.
The Advanced Configuration page appears.
Figure 247 Internal server advanced configuration

2. Configure the internal server, as described in Table 94.

3. Click Apply.
Table 94 Configuration items
Interface
  Specify an interface to which the internal server policy is applied.
Protocol Type
  Select the protocol to be carried by IP (only available in advanced configuration). Select from the
  drop-down list.
  For advanced configuration, if the selected protocol type is neither 6(TCP) nor 17(UDP), you can only
  specify a mapping between an internal IP address and an external IP address. Configuration items for
  the internal and global ports are not available.
External IP Address
  Specify the public IP address for the internal server. You can enter an IP address, or use the IP
  address of an interface.
Global Port
  Specify the global port numbers for the internal server. This option is available when 6(TCP) or
  17(UDP) is selected as the protocol type. You can:
  • For basic configuration: Use the single box to specify a global port. The value of 0 represents the
    default port of the specified service type. If the selected service type is any(TCP) or any(UDP), the
    global port is any port. Use the double boxes to specify a range of global ports, which have a
    one-to-one correspondence with the specified range of internal IP addresses.
  • For advanced configuration: Set the global port only when the protocol type is 6(TCP) or 17(UDP).
    Use the single box to specify a fixed port; 0 represents the specified internal port. Use the double
    boxes to specify a range of global ports that have a one-to-one correspondence with the specified
    range of internal IP addresses.
Internal IP
  Specify the internal IP addresses for the internal server.
  • For basic configuration: Use the single box to specify a fixed internal IP address if you use the
    single box for Global Port to set a global port. Use the double boxes to specify a range of internal IP
    addresses if you use the double boxes for Global Port to set a range of global ports. The specified
    range of internal IP addresses has a one-to-one correspondence with the specified range of global
    ports. The number of internal IP addresses must be identical to the number of specified global ports.
  • For advanced configuration: When the protocol type is neither 6(TCP) nor 17(UDP), or you specify a
    fixed global port in the single box for Global Port, specify a fixed internal IP address in the single
    box. When the protocol type is 6(TCP) or 17(UDP), and you set a range of global ports in the double
    boxes for Global Port, specify a range of internal IP addresses in the double boxes. The specified
    range of internal IP addresses has a one-to-one correspondence with the specified range of global
    ports. The number of internal addresses must be identical to the number of specified global ports.
Internal Port
  Specify the internal port number of the internal server (only available in advanced configuration).
  This option is available when 6(TCP) or 17(UDP) is selected for the protocol type. If you enter 0 in
  the field, all types of services are provided. This configuration indicates a static connection between
  internal addresses and external addresses.
ACL
  Specify the ACL ID for the internal server.
Enable track to VRRP
  Configure whether to associate the internal server on an interface with a VRRP group, and specify the
  VRRP group to be associated.
VRRP Group
  When two network devices deliver both stateful failover and dynamic NAT, follow these guidelines:
  • Make sure the public address of an internal server on an interface is associated with only one VRRP
    group. Otherwise, the system associates the public address with the VRRP group having the highest
    group ID.
  • To ensure normal switchovers between the two devices, you need to add the devices to the same
    VRRP group, and associate dynamic NAT with the VRRP group.

Configuring a DNS mapping


1. Select Network > NAT from the navigation tree.
2. Click the Internal Server tab.
The Internal Server page appears, as shown in Figure 245.
3. Click Add in the DNS-MAP area.
The page for adding DNS-MAP appears.
Figure 248 Adding DNS-MAP

4. Configure a DNS mapping, as described in Table 95.


5. Click Apply.
Table 95 Configuration items
Protocol
  Select the protocol supported by an internal server.
Global IP
  Specify the external IP address of the internal server.
Global Port
  Specify the port number of the internal server.
Domain
  Specify the domain name of the internal server.

NAT configuration examples
Address translation configuration example
Network requirements
As shown in Figure 249, a company has three public IP addresses ranging from 202.38.1.1/24 to
202.38.1.3/24, and a private network segment of 10.110.0.0/16. Specifically, the company requires
that the internal users on subnet 10.110.10.0/24 can access the Internet through NAT.
Figure 249 Network diagram

Configuring the AC
1. Configure an ACL 2001 to permit internal users in subnet 10.110.10.0/24 to access the Internet:
a. Select QoS > ACL IPv4 from the navigation tree.
b. Click Add.
c. Enter 2001 for ACL Number, as shown in Figure 250.
d. Click Apply.
Figure 250 Defining ACL 2001

e. Click the Basic Setup tab.


The page for basic setup appears.
f. Select 2001 for ACL, and Permit for Action. Select the Source IP Address box and enter
10.110.10.0. Enter 0.0.0.255 for Source Wildcard.
g. Click Add.

Figure 251 Configuring ACL 2001 to permit users on network 10.110.10.0/24 to access the
Internet

To prohibit other users from accessing the Internet:
a. Select Deny for Action, as shown in Figure 252.
b. Click Add.
Figure 252 Configuring ACL 2001 to prohibit other users from accessing the Internet

2. Configure a NAT address pool 0, including public addresses of 202.38.1.2 and 202.38.1.3.
a. Select Network > NAT from the navigation tree.
The Dynamic NAT page appears.
b. Click Add in Address Pool.
The Add NAT Address Pool page appears, as shown in Figure 253.
c. Enter 0 for Index, enter 202.38.1.2 for Start IP Address, and enter 202.38.1.3 for End IP
Address.
d. Click Apply.

Figure 253 Configuring NAT address pool 0

3. Configure dynamic NAT:


a. Click Add in the Dynamic NAT area.
The Add Dynamic NAT page appears.
b. Select Vlan-interface2 for Interface and enter 2001 for ACL.
c. Select PAT for Address Transfer.
d. Enter 0 for Address Pool Index.
e. Click Apply.
Figure 254 Configuring dynamic NAT

Internal server configuration example


Network requirements
As illustrated in Figure 255, a company provides two Web servers and one FTP server for external users
to access. The internal network address is 10.110.0.0/16. The internal address for the FTP server is
10.110.10.3/16, for the Web server 1 is 10.110.10.1/16, and for the Web server 2 is 10.110.10.2/16. The
company has three public IP addresses from 202.38.1.1/24 through 202.38.1.3/24. Specifically, the
company has the following requirements:

• External hosts can access internal servers using public address 202.38.1.1/24.
• Port 8080 is used for Web server 2.
Figure 255 Network diagram

Configuring the internal server


1. Configure the FTP server:
a. Select Network > NAT from the navigation tree.
b. Click the Internal Server tab.
c. Click Add in the Internal Server area.
The Add Internal Server page appears.
d. Select Vlan-interface2 for Interface.
e. Select the Assign IP Address option, and enter 202.38.1.1.
f. Select the first option for Global Port and enter 21.
g. Enter 10.110.10.3 for Internal IP.
h. Select ftp for Service Type.
i. Click Apply.
Figure 256 Configuring an internal FTP server

2. Configure Web server 1:
a. Click Add in the Internal Server area.
The Add Internal Server page appears.
b. Select Vlan-interface2 for Interface.
c. Select the Assign IP Address option, and enter 202.38.1.1.
d. Select the first option for Global Port and enter 80.
e. Enter 10.110.10.1 for Internal IP.
f. Select www for Service Type.
g. Click Apply.
Figure 257 Configuring internal Web server 1

3. Configure Web server 2:


a. Click Add in the Internal Server area.
The Add Internal Server page appears.
b. Select Vlan-interface2 for Interface.
c. Select the Assign IP Address option, and enter 202.38.1.1.
d. Select the first option for Global Port and enter 8080.
e. Enter 10.110.10.2 for Internal IP.
f. Select www for Service Type.
g. Click Apply.

Figure 258 Configuring internal Web server 2

Configuring ALG

Application Level Gateway (ALG) processes the payload information of application layer packets to
make sure data connections can be established.
Usually, NAT translates only IP address and port information in packet headers and does not analyze
fields in application layer payloads. However, the packet payloads of some protocols may contain IP
address or port information, which might cause problems if not translated. For example, an FTP
application involves both data connection and control connection, and data connection establishment
dynamically depends on the payload information of the control connection.
ALG can work with NAT and ASPF to implement the following functions:
• Address translation—Resolves the source IP address, port, protocol type (TCP or UDP), and remote
IP address information in packet payloads.
• Data connection detection—Extracts the information required for data connection establishment and
establishes data connections for data exchange.
• Application layer status checking—Inspects the status of the application layer protocol in packets.
Packets with correct states have their status updated and are sent for further processing, whereas
packets with incorrect states are dropped.
Support for these functions depends on the application layer protocol.
ALG can process the following protocol packets:
• DNS
• FTP
• ILS
• MSN/QQ
• NBT
• PPTP
• RTSP
• SCCP
• SIP
• SQLNET, a language in Oracle
• TFTP

ALG process
The following example describes the FTP operation of an ALG-enabled device.
As shown in Figure 259, the host on the external network accesses the FTP server on the internal network
in passive mode through the ALG-enabled device.

Figure 259 ALG-enabled FTP application in passive mode
[Figure: FTP server on the inside network, NAT device with FTP-ALG enabled, host on the outside network. Message sequence:
1. Host to device: FTP_CMD("PASV"); device to server: FTP_CMD("PASV").
2. Server to device: FTP_EnterPassive("IP1, Port1").
3. ALG: IP1, Port1 translated to IP2, Port2.
4. Device to host: FTP_EnterPassive("IP2, Port2").
5. Host to device: FTP_Connect(IP2, Port2); device to server: FTP_Connect(IP1, Port1).]
The communication process includes the following steps:


1. Establishing a control connection.
The host sends a TCP connection request to the server. If a TCP connection is established, the server
and the host enter the user authentication stage.
2. Authenticating the user.
The host sends to the server an authentication request, which contains the FTP commands (user and
password) and the contents.
When the request passes through the ALG-enabled device, the commands in the payload of the
packet are resolved and used to check whether the protocol state transition is correctly proceeding.
If not, the request will be dropped. In this way, ALG protects the server against clients that send
packets with state errors or log in to the server with unauthorized user accounts.
An authentication request with the correct state is forwarded by the ALG-enabled device to the
server, which authenticates the host according to the information in the packet.
3. Establishing a data connection.
If the host passes the authentication, a data connection is established between the host and the
server. If the host is accessing the server in passive mode, the server sends to the host a PASV
response by using its private network address and port number (IP1, Port1). When the response
arrives at the ALG-enabled device, the device performs the following actions:
a. Resolves the packet.
b. Translates the server's private network address and port number into the server's public
network address and port number (IP2, Port2).
c. Uses the public network address and port number to establish a data connection with the host.
4. Exchanging data.
The host and the FTP server exchange data through the established data connection.
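An added Python example (not HP code) of the FTP ALG behaviour in Figure 259 and the four steps above: the ALG tracks the control-connection state and drops commands that arrive out of sequence (a PASV before login), parses the server's 227 passive-mode reply, rewrites the private (IP1, Port1) to the public (IP2, Port2), and records the expected data connection so the host's connect to (IP2, Port2) is forwarded to (IP1, Port1). The server addresses are those of the FTP ALG configuration example in this chapter (local 192.168.1.2, global 5.5.5.10); the public data port range, the regular expression and the state machine are this example's own simplifications, and the login credentials are constructed.

```python
import re

# 227 reply format from RFC 959: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (ip, port) carried in a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip, port):
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    """Tracks one FTP control connection from an outside host to the internal
    server at private_ip, published at public_ip (Figure 259: IP1 -> IP2)."""

    def __init__(self, private_ip, public_ip, port_range=(1024, 65535)):
        self.private_ip, self.public_ip = private_ip, public_ip
        self.next_port, self.last_port = port_range  # assumed public port range
        self.state = "NEW"   # NEW -> USER_SENT -> AUTHENTICATED
        self.pinholes = {}   # (IP2, Port2) -> (IP1, Port1)

    def client_command(self, line):
        """Host -> server. Returns the line to forward, or None when the
        command is dropped because it is out of sequence for the state."""
        cmd = line.split(None, 1)[0].upper() if line.strip() else ""
        ok = (self.state == "AUTHENTICATED"
              or (self.state == "NEW" and cmd == "USER")
              or (self.state == "USER_SENT" and cmd in ("USER", "PASS")))
        if not ok:
            return None
        if cmd == "USER":
            self.state = "USER_SENT"
        return line

    def server_reply(self, line):
        """Server -> host. 230 completes login, 530 resets the login state, and
        a 227 reply has its private (IP1, Port1) rewritten to (IP2, Port2)."""
        code = line[:3]
        if code == "230" and self.state == "USER_SENT":
            self.state = "AUTHENTICATED"
        elif code == "530":
            self.state = "NEW"
        elif code == "227" and self.state == "AUTHENTICATED":
            parsed = parse_pasv(line)
            if parsed is None or parsed[0] != self.private_ip:
                return line   # nothing to translate; forwarded unchanged
            if self.next_port > self.last_port:
                return None   # no public port left: reply dropped
            port2, self.next_port = self.next_port, self.next_port + 1
            self.pinholes[(self.public_ip, port2)] = parsed
            return format_pasv(self.public_ip, port2)
        return line

    def data_connect(self, dst_ip, dst_port):
        """Host opens the data connection to (IP2, Port2); returns the server's
        (IP1, Port1) it is forwarded to, or None if no pinhole exists."""
        return self.pinholes.get((dst_ip, dst_port))


def ftp_alg_demo():
    """Constructed exchange: a premature PASV is dropped, login succeeds, and
    the server's 227 reply (192.168.1.2 port 1234) is rewritten to 5.5.5.10."""
    alg = FtpAlg("192.168.1.2", "5.5.5.10")
    early = alg.client_command("PASV\r\n")          # before login: dropped
    alg.client_command("USER alice\r\n")
    alg.server_reply("331 Password required\r\n")
    alg.client_command("PASS secret\r\n")
    alg.server_reply("230 Login successful\r\n")
    alg.client_command("PASV\r\n")
    rewritten = alg.server_reply(
        "227 Entering Passive Mode (192,168,1,2,4,210)\r\n")  # 4*256+210 = 1234
    target = alg.data_connect("5.5.5.10", 1024)
    return early, rewritten, target
```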

Configuration procedure
By default, ALG is enabled for all protocols.
To enable ALG for protocols:
1. Select Network > ALG from the navigation tree.
The Application Layer Inspection page appears.
Figure 260 ALG configuration

2. Add target application protocols to the Selected Application Protocols list to enable ALG for them.
3. Click Apply.

ALG configuration examples


The following examples describe only ALG-related configurations, assuming that other required
configurations on the server and client have been done.

FTP ALG configuration example


Network requirements
As shown in Figure 261, a company uses the private network segment 192.168.1.0/24, and has four
public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11. The company wants to provide FTP
services to the outside.
Configure NAT and ALG on the AC so that hosts on the external network can access the FTP server on the
internal network.

Figure 261 Network diagram
[Figure: FTP server (Local: 192.168.1.2, Global: 5.5.5.10) connected to the AC's 192.168.1.1/24 interface; the AC's Vlan-int1 (5.5.5.1/24) connects to the Internet, where the host resides.]
Configuration procedure
1. Enable ALG for FTP. (By default, ALG is enabled for FTP, and this step can be skipped.)
a. Select Network > ALG from the navigation tree.
b. Add ftp to the Selected Application Protocols list, as shown in Figure 262.
c. Click Apply.
Figure 262 Enabling ALG for FTP

2. Configure ACL 2001:


a. Select QoS > ACL IPv4 from the navigation tree.
b. Click the Add tab.
c. Enter 2001 for ACL Number, as shown in Figure 263.
d. Click Apply.

Figure 263 Adding basic ACL

e. Click the Basic Setup tab.


f. Select 2001 for ACL.
g. Select Permit for Action, as shown in Figure 264.
h. Click Apply.
Figure 264 Configuring a rule for basic ACL

3. Configure the NAT address pool:


a. Select Network > NAT from the navigation tree.
The Dynamic NAT page appears.
b. Click Add in the Address Pool area.
The Add NAT Address Pool page appears.
c. Enter 1 for Index.
d. Enter 5.5.5.9 for Start IP Address.
e. Enter 5.5.5.11 for End IP Address.
f. Click Apply.

Figure 265 Adding a NAT address pool

4. Configure dynamic NAT:


a. Click Add in the Dynamic NAT area.
The Add Dynamic NAT page appears.
b. Select Vlan-interface1 for Interface.
c. Enter 2001 for ACL.
d. Select PAT for Address Transfer.
e. Enter 1 for Address Pool Index.
f. Click Apply.
Figure 266 Configuring dynamic NAT

5. Configure an internal FTP server


a. Select Network > NAT from the navigation tree.
b. Click the Internal Server tab.
c. Click Add in the Internal Server area.
The Add Internal Server page appears.
d. Select Vlan-interface1 for Interface.
e. Select the Assign IP Address option, and enter 5.5.5.10.
f. Select the first option for Global Port and enter 21.

g. Enter 192.168.1.2 for Internal IP.
h. Select ftp for Service Type.
i. Click Apply.
Figure 267 Adding an internal FTP server

SIP ALG configuration example


Network requirements
As shown in Figure 268, a company uses the private network segment 192.168.1.0/24, and has four
public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11. SIP UA 1 is on the internal network
and SIP UA 2 is on the outside network.
Configure NAT and ALG on the AC so that SIP UA 1 and SIP UA 2 can communicate by using their
aliases. SIP UA 1 selects an IP address from the range 5.5.5.9 to 5.5.5.11 when registering with the SIP
server on the external network.
Figure 268 Network diagram

Configuration procedure
1. Enable ALG for SIP. (By default, ALG is enabled for SIP, and this step can be skipped.)
a. Select Network > ALG from the navigation tree.
b. Add sip to the Selected Application Protocols list, as shown in Figure 269.

c. Click Apply.
Figure 269 Enabling ALG for SIP

2. Configure ACL 2001:


a. Select QoS > ACL IPv4 from the navigation tree.
b. Click the Add tab.
c. Enter 2001 for ACL Number, as shown in Figure 270.
d. Click Apply.
Figure 270 Adding basic ACL

e. Click the Basic Setup tab.


f. Select 2001 for ACL, and Permit for Action. Select the Source IP Address box and enter
192.168.1.0. Enter 0.0.0.255 for Source Wildcard, as shown in Figure 271.
g. Click Add.

Figure 271 Configuring an ACL rule to permit packets sourced from 192.168.1.0/24

To prohibit other users from accessing the Internet:


a. Select Deny for Action, as shown in Figure 272.
b. Click Add.
Figure 272 Configuring an ACL rule to deny packets

3. Configure the NAT address pool:


a. Select Network > NAT from the navigation tree.
The Dynamic NAT page appears.
b. Click Add in the Address Pool area.
The Add NAT Address Pool page appears.
c. Enter 1 for Index.
d. Enter 5.5.5.9 for Start IP Address.
e. Enter 5.5.5.11 for End IP Address.
f. Click Apply.

Figure 273 Adding a NAT address pool

4. Configure dynamic NAT:


a. Click Add in the Dynamic NAT area.
The Add Dynamic NAT page appears.
b. Select Vlan-interface2 for Interface.
c. Enter 2001 for ACL.
d. Select PAT for Address Transfer.
e. Enter 1 for Address Pool Index.
f. Click Apply.
Figure 274 Configuring dynamic NAT
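The NAT and ACL settings from the examples above, modelled as an added Python example that is not the AC's implementation: ACL 2001 is evaluated with its wildcard masks in rule order, hosts it permits are translated with PAT to an address from pool 1 (5.5.5.9 to 5.5.5.11), hosts it denies are dropped, and only the published internal FTP server (5.5.5.10 port 21 to 192.168.1.2) is reachable from outside. The round-robin pool selection and the global port counter are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the NAT settings configured in the examples above. It is not
# the AC's own implementation; it only shows what those settings do to traffic.


@dataclass(frozen=True)
class AclRule:
    action: str                     # "permit" or "deny"
    source: Optional[str] = None    # base address; None matches any source
    wildcard: Optional[str] = None  # wildcard mask: 0 bits must match, 1 bits are ignored

    def matches(self, src: str) -> bool:
        if self.source is None:
            return True
        s = int(ipaddress.IPv4Address(src))
        base = int(ipaddress.IPv4Address(self.source))
        # A wildcard is the inverse of a netmask: 0.0.0.255 means "compare the first 24 bits".
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (s & care) == (base & care)


# ACL 2001 as built in Figure 271 and Figure 272: permit 192.168.1.0/24, deny everything else.
ACL_2001 = [
    AclRule("permit", "192.168.1.0", "0.0.0.255"),
    AclRule("deny"),
]


def acl_action(rules, src: str) -> str:
    """Evaluate rules in order; the first matching rule decides. No match means no translation."""
    for rule in rules:
        if rule.matches(src):
            return rule.action
    return "deny"


@dataclass
class Nat:
    pool: list                 # address pool 1: 5.5.5.9 to 5.5.5.11
    internal_servers: dict     # (global ip, protocol, global port) -> (internal ip, internal port)
    next_port: int = 1024      # constructed PAT port counter, not the AC's allocation scheme
    sessions: dict = field(default_factory=dict)

    def outbound(self, src_ip: str, src_port: int, proto: str = "tcp"):
        """Return the (global ip, global port) a permitted internal host is translated to, or None."""
        if acl_action(ACL_2001, src_ip) != "permit":
            return None  # dropped: the deny rule keeps other subnets off the Internet
        key = (src_ip, src_port, proto)
        if key not in self.sessions:
            # PAT lets many hosts share one pool address; here the pool is walked round-robin.
            global_ip = self.pool[len(self.sessions) % len(self.pool)]
            self.sessions[key] = (global_ip, self.next_port)
            self.next_port += 1
        return self.sessions[key]

    def inbound(self, dst_ip: str, dst_port: int, proto: str = "tcp"):
        """Only explicitly published internal servers are reachable from the outside."""
        return self.internal_servers.get((dst_ip, proto, dst_port))


def example_nat() -> Nat:
    """NAT as configured above: pool 5.5.5.9-5.5.5.11 with PAT, FTP published on 5.5.5.10:21."""
    return Nat(
        pool=["5.5.5.9", "5.5.5.10", "5.5.5.11"],
        internal_servers={("5.5.5.10", "tcp", 21): ("192.168.1.2", 21)},
    )


if __name__ == "__main__":
    nat = example_nat()
    print(nat.outbound("192.168.1.5", 40000))  # permitted host gets a pool address and port
    print(nat.outbound("192.168.2.5", 40000))  # None: matched the deny rule
    print(nat.inbound("5.5.5.10", 21))         # the published FTP server
    print(nat.inbound("5.5.5.10", 22))         # None: not published
```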

NBT ALG configuration example


Network requirements
As shown in Figure 275, a company using the private network segment 192.168.1.0/24 wants to provide
NBT services to the outside.
Configure NAT and ALG on the AC to meet the following requirements:
• Host A uses 5.5.5.9 as its external IP address.

• The WINS server uses 5.5.5.10 as its external IP address.
• Host B can access the WINS server and Host A by using host names.
Figure 275 Network diagram

Configuration procedure
1. Enable ALG for NBT. (By default, ALG is enabled for NBT, and this step can be skipped.)
a. Select Network > ALG from the navigation tree.
b. Add nbt to the Selected Application Protocols list.
c. Click Apply.
Figure 276 Enabling ALG for NBT

2. Configure static NAT:


a. Select Network > NAT from the navigation tree.
b. Click the Static NAT tab.
The Static NAT page appears.
c. Click Add in the Static Address Mapping area.
The Add Static Address Mapping page appears.
d. Enter 192.168.1.3 for Internal IP Address.

e. Enter 5.5.5.9 for Global IP Address.
f. Click Apply.
Figure 277 Adding a static address mapping

3. Configure static NAT for an interface:


a. Click Add in the Interface Static Translation area.
b. Select Vlan-interface2 for Interface Name, as shown in Figure 278.
c. Click Apply.
Figure 278 Configuring static NAT for an interface

4. Configure an internal WINS server:


a. Select Network > NAT > Internal Server from the navigation tree.
b. Click the Internal Server tab.
c. Click Add in the Internal Server area.
d. Click Advanced Configuration.
e. Select Vlan-interface2 for Interface.
f. Select 17(UDP) for Protocol Type.
g. Enter 5.5.5.10 as the external IP address and 137 as the global port.
h. Enter 192.168.1.2 as the internal IP address and 137 as the internal port.
i. Click Apply.

Figure 279 Configuring an internal WINS server

j. Click Add in the Internal Server area. Configure another internal WINS server entry, similar to
the configuration shown in Figure 279.
k. Click Advanced Configuration.
l. Select Vlan-interface2 for Interface.
m. Select 17(UDP) as the protocol type.
n. Enter 5.5.5.10 as the external IP address and 138 as the global port.
o. Enter 192.168.1.2 as the internal IP address and 138 as the internal port.
p. Click Apply.
q. Click Add in the Internal Server area. Configure another internal WINS server entry, similar to
the configuration shown in Figure 279.
r. Click Advanced Configuration.
s. Select Vlan-interface2 for Interface.
t. Select 6(TCP) as the protocol type.
u. Enter 5.5.5.10 as the external IP address, and 139 as the global port.
v. Enter 192.168.1.2 as the internal IP address, and 138 as the internal port.
w. Click Apply.

Configuring APs

AC-AP tunnel
As shown in Figure 280, an AC and an AP establish a data tunnel to forward data packets and a control
tunnel to forward control packets used for AP configuration and management. The AC can automatically
configure and manage APs based on the information provided by the administrator.
Figure 280 Network diagram

Auto AP
The auto AP feature enables an AC to automatically associate with APs. It can greatly reduce your
workload when you deploy a wireless network with many APs.
You can enable auto AP in the following ways:
• Specify an auto-AP template and enable the auto-AP function.
After you create an auto-AP template on the AP > AP Setup page and enable the auto-AP function,
the AC automatically associates with the APs of the model specified in the template, names the APs
by using their MAC addresses, and assigns configurations in the template to APs. Clients can
associate with auto APs but the administrator cannot change the configuration of auto APs.
• Enable the auto-AP function.
After you enable the auto-AP function, the AC automatically associates with all APs and names the
APs by using their MAC addresses. Clients can associate with the auto APs but the administrator
cannot change the configuration of the auto APs.

AP group
Overview
AP group enables you to configure multiple APs at a time, which reduces your workload.
If you do not create any AP groups, the system takes the AP group named default_group as the default
AP group. All APs created belong to the default AP group by default. You can modify but not delete the
default AP group.
You can add APs with the same configurations or in the same subnet to the same AP group. The APs use
the configuration of the AP group. If you add an auto AP template into a non-default AP group, the auto
APs getting online through the template belong to the group. The auto APs use the configuration of the AP
group to which the auto AP template belongs.

When you delete an AP from an AP group (equal to adding the AP to the default AP group) or add an
AP to an AP group, the AP restarts, and clears its configuration except the serial number. After the AP is
added to the new AP group, the AP uses the configuration of the new AP group.
The following operations might fail on some member APs:
• Select 5 GHz wireless services.
• Select 2.4 GHz wireless services.
• Enable a 5 GHz radio.
• Enable a 2.4 GHz radio.
• Set a working mode.
• Set a country/region code.

Client access control


Some wireless service providers need to control the access positions of clients. For example, as shown
in Figure 281, to meet security needs, it is required to connect wireless clients 1 and 2 to the wired
network through AP 1 or AP 2, and connect client 3 through AP 3. To achieve this, you can configure the
AP groups that the clients can be associated with and then apply the AP groups in a user profile. For more
information about user profile, see "Configuring users."
Figure 281 Client access control

(Figure 281 shows a RADIUS server, the AC, the Internet, AP 1 to AP 3, and Client 1 to Client 3.)

Configuring an AP
Creating an AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add.

Figure 282 Adding an AP

3. Create the AP as described in Table 96.


4. Click Apply.
Table 96 Configuration items

AP Name
  Set the AP name.

Model
  AP model.

Serial ID
  Specify the serial ID:
  • Auto—Use the auto serial ID function together with the auto AP function. For more
  information about configuring auto AP, see "Configuring auto AP."
  • Manual—Enter an AP serial ID.
  By default, Auto is used.

Setting AP parameters
1. Select AP > AP Setup from the navigation tree.

2. Click the icon for the target AP.

Figure 283 AP setup

3. Configure the AP as described in Table 97.


4. Click Apply.
Table 97 Configuration items

AP Name
  Rename the AP.

Country/Region Code
  Select a country/region code.
  By default, no country/region code is configured for an AP, and the global
  country/region code applies. If both a country/region code and a global country/region
  code are configured, the AP uses its own country/region code. For how to configure
  the global country/region code, see "Configuring advanced settings."
  IMPORTANT:
  Some ACs and APs have fixed country/region codes. Which code is used is determined as
  follows:
  • An AC's fixed country/region code cannot be changed, and all managed APs
  whose country/region codes are not fixed must use the AC's fixed country/region
  code.
  • An AP's fixed country/region code cannot be changed, and the AP can only use that
  country/region code.
  If an AC and a managed AP use different fixed country/region codes, the AP uses its
  own fixed country/region code.

Radio Number
  Select the number of the radios on the AP. The value depends on the AP model.

Radio Type
  Select the radio type, which can be one of the following values:
  • 802.11a
  • 802.11b
  • 802.11g
  • 802.11n (2.4 GHz)
  • 802.11n (5 GHz)
  The value depends on the AP model and radio type.

Serial ID
  Specify the serial ID:
  • Auto—Use the auto serial ID function together with the auto AP function. For how to
  configure auto AP, see "Configuring auto AP."
  • Manual—Enter an AP serial ID.
  IMPORTANT:
  A serial ID uniquely identifies an AP. If the AP has connected to the AC, changing or
  deleting its serial ID brings the tunnel down, and the AP must discover the AC again to
  reconnect.

Description
  Description for the AP.

Configuring advanced settings


1. Select AP > AP Setup from the navigation tree.
2. Click the icon for the target AP.
3. On the page that appears, expand Advanced Setup.

Figure 284 Advanced setup

4. Configure advanced settings for the AP as described in Table 98.


5. Click Apply.
Table 98 Configuration items

AP Connection Priority
  Specify the AP connection priority on the AC. A greater value represents a higher priority.
  This option needs to be used together with the AC backup function. For more
  information about AC backup, see "Configuring advanced settings."

Broadcast Probe Reply
  • Enable—Enable the AP to respond to broadcast probe requests. The AP will respond
  to broadcast probe requests with the SSID null.
  • Disable—Disable the AP from responding to broadcast probe requests. The AP will
  respond to broadcast probe requests with the specified SSID.
  By default, this option is enabled.

Configuration File
  Specify a name for the configuration file (the file must exist in the storage medium of the
  AC) and map the specified configuration file to the AP. The configuration file takes effect
  when the tunnel is in Run state. When the configuration file takes effect, the AP uses the
  commands in the configuration file, but does not save the configuration.
  When local forwarding is enabled, you can use the configuration file to configure the
  AP. For example, when you configure a user profile while local forwarding is enabled,
  you must write the user profile, QoS policy, and ACL commands to the configuration
  file, and download the configuration file to the AP. For more information about local
  forwarding, see "Configuring access service."
  IMPORTANT:
  The commands in the configuration file must be in their complete form.

Jumbo Frame Size
  Allow the AP to send jumbo frames to the AC and set the maximum size of jumbo
  frames.
  When this function is enabled, the AP can send frames whose size does not exceed the
  maximum size to the AC. If this field is not specified, the AP cannot send jumbo frames
  to the AC.
  By default, the AP cannot send jumbo frames to the AC.

AP Echo Interval
  Set the interval for sending echo requests.
  There is a keep-alive mechanism between the AP and the AC to confirm whether the
  tunnel is working. An AP periodically sends echo requests to an AC. The AC responds
  to echo requests by sending echo responses. If the AC does not receive any echo
  requests within three echo intervals, or the AP does not receive any echo responses
  within three echo intervals, the AC or AP terminates the tunnel.

Client Alive Time
  Set the client keep-alive interval.
  The keep-alive mechanism is used to detect clients segregated from the system due to
  reasons such as power failure or crash, and disconnect them from the AP.
  By default, the client keep-alive function is disabled.
  HP recommends that you enable the client keep-alive function for the AP because
  information about clients that no longer exist occupies AC memory and decreases AC
  performance.

Client Free Time
  Maximum interval for which the link between the AP and a client can be idle. A
  connection that remains idle for the specified period of time is removed.

Backup AC IPv4 Address
  Set the IPv4 address of the backup AC for the AP.

Backup AC IPv6 Address
  Set the IPv6 address of the backup AC for the AP.
  • You can set both the IPv4 and IPv6 addresses of the backup AC for the AP.
  • If you configure the backup AC information both in Advanced Setup > AC Backup
  and in AP > AP Setup, the configuration in AP > AP Setup takes precedence. For more
  information about AC backup, see "Configuring advanced settings."

Remote AP
  Remote AP provides a wireless solution for remote branches and offices. It enables you
  to configure and control remote APs from the headquarters over the Internet without
  deploying an AC in each office or branch.
  As shown in the figure below, the AC manages the remote APs over the Internet. The AP
  automatically enables local forwarding (whether or not local forwarding is configured
  on the AC) to provide wireless access for logged-in clients when the tunnel between the
  AP and AC is terminated. However, it does not allow new clients. When a tunnel is
  established between the AP and AC again, the AP automatically switches to centralized
  forwarding mode and logs off all clients on the remote AP.
  • Enable—Enable the remote AP function.
  • Disable—Disable the remote AP function.
  By default, the remote AP function is disabled.
  IMPORTANT:
  • If an AP establishes tunnels with both the primary AC and a backup AC, it uses the
  backup tunnel to provide wireless access for logged-in clients when the primary
  tunnel fails. For more information about AC backup, see "Configuring advanced
  settings."
  • The remote AP and mesh functions cannot be used simultaneously.

Band Navigation
  • Enable—Enable band navigation.
  • Disable—Disable band navigation.
  By default, band navigation is disabled.

AP CAR
  Enable CAR for the AP to avoid frequent reboots caused by excessive traffic.
  Select this box to configure the CIR and CBS for the AP.
  By default, CAR is not enabled for an AP.

CIR
  Committed information rate, in kbps.

CBS
  Committed burst size, in bytes.
  When AP CAR is enabled, the CBS is the number of bytes transmitted in 500 ms at the
  rate of CIR. For example, if the CIR is 100, the CBS is 50000 bytes by default.

Version Upgrade
  Configure the AP version upgrade function.
  You can configure the AP version upgrade function on the Advanced Setup > AC Setup,
  AP > AP Group, or AP > AP Setup page. You can upgrade specified APs by configuring
  AP version upgrade functions on different pages. For more information, see
  "Configuring advanced settings."

Bonjour Gateway
  • Enable—Enable Bonjour gateway for the AP.
  • Disable—Disable Bonjour gateway for the AP.
  By default, Bonjour gateway is enabled for the AP.
  Bonjour gateway takes effect only after you enable it both globally and for an AP. You
  can enable Bonjour gateway for the AP on the AP > AP Setup or AP > AP Group page,
  and enable Bonjour gateway globally on the Advanced Setup > Bonjour Gateway
  page.

Bonjour Policy
  Apply the specified Bonjour policy. For more information, see "Configuring advanced
  settings."

Configuring auto AP
You can enable an AP to connect to an AC by configuring the serial ID of the AP, specifying an auto-AP
template, or enabling the auto AP function. The priorities of these configurations are in descending order.
For example, if you configure the serial ID of an AP and enable the auto AP function, the AP gets online
as a configured AP.

Enabling auto AP
You can enable auto AP in the following ways:
• Specify an auto-AP template and enable the auto-AP function.
a. On the page for adding an AP, select the AP model and select Auto from the Serial ID list.
Do not use the MAC address of an AP as the AP name because the AC names auto APs by
using their MAC addresses.
b. Enable the auto AP function.
• Enable the auto-AP function.
a. Select AP > Auto AP from the navigation tree.

Figure 285 Configuring auto AP

b. Enable auto AP as described in Table 99.


c. Click Apply.
Table 99 Configuration items

Auto AP
  • Enable—Enable the auto AP function. You must also select Auto
  from the Serial ID list on the AP setup page to use the auto AP
  function.
  • Disable—Disable the auto AP function.
  By default, the auto AP function is disabled.
  IMPORTANT:
  For network security, disable the auto-AP function when all APs have
  connected to the AC.

Clients can associate with the auto APs, but you cannot change the configuration of an auto AP.

Configuring auto-AP authentication


The auto-AP authentication function enables you to control and manage auto APs. It only takes effect for
auto APs. APs in this section refer to auto APs.

Configuring auto-AP authentication


Auto-AP authentication has two modes:

• Local auto-AP authentication
In local authentication mode, the AC directly authenticates APs by serial ID or by MAC address,
and uses the ACL option to specify the ACL rules for authenticating auto APs.
Assume you adopt local authentication by serial ID. When an auto AP connects to the AC, the AC
uses the serial ID of the AP to match ACL rules. If the serial ID matches a permit rule, the auto AP
passes the authentication and connects to the AC. If the serial ID matches a deny rule, the auto AP
fails the authentication and cannot connect to the AC. If the serial ID does not match any rule, the
AP is an unauthenticated AP. The ACL can be manually configured or imported from a file.
• Remote auto-AP authentication
In remote authentication mode, the AC contacts a remote authentication server to authenticate
auto APs. The AC uses the serial ID or MAC address of an auto AP as the username and password
and sends them to the authentication server. If the remote authentication succeeds, the AC accepts
the AP. If not, the AC denies the AP.
The "unauthenticated AP" status is only available for local authentication. For remote authentication, the
authentication result can only be "authentication failed" or "authentication succeeded."
To configure auto-AP authentication:
1. Select AP > Auto AP from the navigation tree.
Figure 286 Configuring auto-AP authentication

2. Configure auto-AP authentication as described in Table 100.


3. Click Apply.

Table 100 Configuration items

AP Authentication
  • Enable—Enable the auto-AP authentication function.
  • Disable—Disable the auto-AP authentication function.
  By default, auto APs are not authenticated.
  IMPORTANT:
  • Auto-AP authentication only takes effect on auto APs.
  • Auto-AP authentication does not take effect on online auto APs.

Authenticate Method
  • MAC Address—The AC authenticates APs by MAC address.
  • Serial ID—The AC authenticates APs by serial ID.
  By default, the AC authenticates APs by MAC address.

Allow Unauthenticated AP Connect
  • If you select this option, the AC accepts unauthenticated auto APs, but
  the auto APs cannot provide WLAN services.
  • If you do not select this option, the AC denies unauthenticated auto APs.
  By default, the AC accepts unauthenticated auto APs, but the auto APs
  cannot provide WLAN services.

Local Authentication: ACL
  Select an ACL number from the list for auto-AP authentication.
  Before you select an ACL number, create ACL rules on the QoS > ACL IPv4
  page. For more information about ACL, see "Configuring QoS."

Local Authentication: Import Authenticate File
  Import a file for auto-AP authentication, and the system then generates
  corresponding ACL rules.
  • In the file, the MAC addresses must be in the format of
  HH-HH-HH-HH-HH-HH, separated by commas. The serial IDs must be in
  the format of serial-id1, serial-id2, serial-id3, separated by commas.
  • Before you execute this command, use the wlan ap-authentication acl
  command to specify an ACL number. The ACL rules generated will be
  added to the specified ACL.
  • When generating ACL rules, the system automatically assigns a rule ID.
  This rule ID is the nearest higher multiple of the numbering step to the
  current highest rule ID, starting from 0. For example, if the rule
  numbering step is 5 and the current highest rule ID is 28, the rule is
  numbered 30. The value range for a WLAN-AP ACL rule number is 0 to
  65534. A number exceeding 65534 causes an error and operation
  failure.
  • The file must have an extension of .txt.

Remote Authentication: Authentication Domain
  Specify an authentication domain for auto-AP authentication.

To re-authenticate an online auto AP, click Reset on the page shown in Figure 288 to log off the auto AP.

Enabling unauthenticated auto APs to pass authentication and provide WLAN services
Whether an unauthenticated AP can connect to the AC is determined by the Allow Unauthenticated AP
Connect option. If you select this option, you can click Accept to enable the unauthenticated AP to pass
authentication and provide WLAN services, or click Reject to disable the unauthenticated AP from
passing authentication and providing WLAN services.

Figure 287 Enabling unauthenticated auto APs to pass authentication and provide WLAN services

• Click Accept to change the status of an auto AP to Permitted and add the MAC address or serial ID
of the auto AP to the specified ACL number. The system generates a permit rule.
• Click Reject to deny the access of an unauthenticated auto AP and add the MAC address or serial
ID of the auto AP to the specified ACL number. The system generates a deny rule.
You can only perform the Accept or Reject operation on unauthenticated auto APs.
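Local auto-AP authentication and the Accept and Reject operations described above, modelled as an added Python example that is not the AC's own code: it reads an import file in the comma-separated format given in Table 100, numbers the generated rules with the stated step rule and the 65534 cap, classifies a connecting AP's serial ID or MAC address as permitted, denied or unauthenticated, and applies the Allow Unauthenticated AP Connect option. It assumes that imported entries become permit rules and that the lowest-numbered matching rule wins; the serial IDs and MAC addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed model of local auto-AP authentication as described above; it is not the
# AC's own code. Rule numbering follows the step rule given in Table 100.

MAX_RULE_ID = 65534  # upper bound of a WLAN-AP ACL rule number (Table 100)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")  # HH-HH-HH-HH-HH-HH


@dataclass
class ApAuthAcl:
    step: int = 5                              # rule numbering step
    rules: dict = field(default_factory=dict)  # rule id -> (action, identifier)

    def next_rule_id(self) -> int:
        """Nearest multiple of the step above the highest rule ID; 0 for an empty ACL."""
        if not self.rules:
            return 0
        rule_id = (max(self.rules) // self.step + 1) * self.step  # e.g. 28 -> 30
        if rule_id > MAX_RULE_ID:
            raise ValueError("rule number %d exceeds %d" % (rule_id, MAX_RULE_ID))
        return rule_id

    def add(self, action: str, identifier: str) -> int:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        rule_id = self.next_rule_id()
        self.rules[rule_id] = (action, identifier)
        return rule_id

    def import_file(self, text: str, method: str = "Serial ID") -> list:
        """Comma-separated MAC addresses or serial IDs; each entry becomes a permit rule
        (assumption: an imported identifier is one the operator wants to allow)."""
        ids = []
        for entry in text.split(","):
            entry = entry.strip()
            if not entry:
                continue
            if method == "MAC Address" and not MAC_RE.match(entry):
                raise ValueError("not in HH-HH-HH-HH-HH-HH format: " + entry)
            ids.append(self.add("permit", entry))
        return ids

    def authenticate(self, identifier: str) -> str:
        """permitted / denied / unauthenticated, evaluating rules in ascending ID order."""
        for rule_id in sorted(self.rules):
            action, rule_identifier = self.rules[rule_id]
            if rule_identifier == identifier:
                return "permitted" if action == "permit" else "denied"
        return "unauthenticated"

    def accept(self, identifier: str) -> int:
        """Administrator clicks Accept: a permit rule for that AP is appended to the ACL."""
        return self.add("permit", identifier)

    def reject(self, identifier: str) -> int:
        """Administrator clicks Reject: a deny rule for that AP is appended to the ACL."""
        return self.add("deny", identifier)


def connection_decision(status: str, allow_unauthenticated: bool) -> tuple:
    """(may connect to the AC, may provide WLAN services) per the Allow Unauthenticated AP
    Connect option: an unauthenticated AP never serves clients, even when it may connect."""
    if status == "permitted":
        return (True, True)
    if status == "denied":
        return (False, False)
    return (allow_unauthenticated, False)


if __name__ == "__main__":
    acl = ApAuthAcl(step=5)
    acl.import_file("SN-0001, SN-0002")  # constructed serial IDs -> rules 0 and 5
    print(acl.authenticate("SN-0001"))   # permitted
    print(acl.authenticate("SN-0003"))   # unauthenticated
    acl.reject("SN-0003")                # rule 10: deny
    print(acl.authenticate("SN-0003"))   # denied
```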

Displaying auto AP status


Click Refresh and you can view the auto AP status on the page shown in Figure 288. This page displays
only unauthenticated and permitted auto APs.
Figure 288 Auto AP list

Converting auto APs to configured APs


You can convert unauthenticated and authenticated auto APs to configured APs through the following
ways. Configured APs are the same as APs that go online by serial ID and you can modify the
parameters of the APs on the AP > AP Setup page.

Renaming an AP
1. To modify the auto AP name, click the icon in the Operation column.

Figure 289 Renaming an AP

2. Select AP Rename, and enter a new AP name.


3. Click Apply.

Converting an auto AP to a configured AP


The configured APs are named by their MAC addresses.
To convert an auto AP to a configured AP:
1. Select the boxes for the target auto APs when auto APs appear on the Web interface of the AC.
2. Click Persistent.
Figure 290 Converting an auto AP to a configured AP

Enabling converting auto APs to configured APs


1. Select AP > Auto AP from the navigation tree.
2. Click Enable to the right of Auto Persistent.
3. Click Apply.
Figure 291 Enabling converting auto APs to configured APs

Table 101 Configuration items

Auto Persistent
  • Enable—Enable the function.
  • Disable—Disable the function.
  By default, this function is disabled.
  This option takes effect only for auto APs that go online. To convert APs that have been
  online to configured APs, you can only use the previous two methods.

Configuring an AP group
Creating an AP group
1. Select AP > AP Group from the navigation tree.
2. Click Add.
Figure 292 Creating an AP group

3. Enter an AP group name, which cannot be a, al, or all.


4. Click Apply.
Support for the number of AP groups depends on your device model. For more information, see "About
the Web-based configuration guide for HP unified wired-WLAN products."

Configuring IP address match criteria for an AP group
Perform this task to manage APs by matching IP addresses.

Configuration guidelines
• The IP address match criteria take effect when an AP requests to associate with the AC. Any change
of the criteria does not affect associated APs.
• An AP that associates with the AC by matching IP address does not support VRRP even if it
disassociates and then associates with the AC again. To enable the AP to support VRRP, manually
add it to another AP group where the members are not in the same subnet as the AP.
• An AP (configured or auto) that has been manually added to an AP group is always in the group
even if its IP address matches the subnet of another AP group.

• For an auto AP that is already in the default group default_group, if its IP address matches the
subnet of a non-default AP group, the AC adds it to this AP group.

Configuration procedure
1. Select AP > AP Group from the navigation tree.
2. Click the icon for the target AP group.
Figure 293 Configuring the IP address match criteria for an AP group

3. Configure the IP address match criteria as described in Table 102.


4. Click Apply.
Table 102 Configuration items

IPv4 Address/Mask Length
IPv6 Address/Prefix Length
  When an AP requests to associate with the AC, the AC matches the IP address
  of the AP against the subnets of the AP groups. If its IP address matches the
  subnet of a group, the AP is added into the group.
  IMPORTANT:
  The IP address ranges of different AP groups cannot overlap.

Adding an AP into an AP group


1. Select AP > AP Group from the navigation tree.
2. Click the icon for the target AP group.

Figure 294 Adding an AP into an AP group

3. Configure the AP group as described in Table 103.


4. Click Apply.
Table 103 Configuration items

AP Group Name
  Displays the name of the selected AP group.

Description
  Select this option to configure a description for the AP group.

Selected AP List
  Add an AP into an AP group.
  • To add APs to the Selected AP List, click the APs to be added to the AP
  group in the AP List area, and click the << button.
  • To delete the selected APs from the AP group, select the APs to be deleted
  in the Selected AP List, and click the >> button.
  Create the APs to be added to AP List by selecting AP > AP Setup first.
  IMPORTANT:
  • When you delete an AP from an AP group (equal to adding the AP to the
  default AP group) or add an AP to an AP group, the AP restarts, and
  clears its configuration except the serial number. After the AP is added to
  the new AP group, the AP uses the configuration of the new AP group.
  • By default, an auto AP connected to the AC by the auto AP function
  belongs to the same AP group as its AP template. An auto AP cannot
  be added into other AP groups before being converted to a configured AP.

Configuring an AP group
You can configure an AP on the AP > AP Setup page, or configure multiple APs on the AP > AP Group
page. New configurations override the existing ones.

The following operations might fail on some member APs:
• Select 5 GHz wireless services.
• Select 2.4 GHz wireless services.
• Enable a 5 GHz radio.
• Enable a 2.4 GHz radio.
• Set a working mode.
• Set a country/region code.

Configuring basic settings


1. Select AP > AP Group from the navigation tree.
2. Click the icon for the target AP group.

Figure 295 Configuring basic settings

3. Configure the AP group as described in Table 104.


4. Click Apply.
Table 104 Configuration items

AP Group Name
  Name of the specified AP group.

Description
  Select this option to configure a description for the AP group.

Selected 5GHz Wireless Service List
  Bind a wireless service to the 5 GHz radio.
  You can bind a wireless service to the radio of the AP on the AP > AP Group page and
  then on the Wireless Service > Access Service page. However, the total number of
  wireless services bound to the radio on the two pages cannot exceed the maximum
  number of wireless services allowed by the radio.

Selected 2.4GHz Wireless Service List
  Bind a wireless service to the 2.4 GHz radio.
  You can bind a wireless service to the radio of the AP on the AP > AP Group page and
  then on the Wireless Service > Access Service page. However, the total number of
  wireless services bound to the radio on the two pages cannot exceed the maximum
  number of wireless services allowed by the radio.

5GHz Radio
  • Enable—Enable the 5 GHz radio.
  • Disable—Disable the 5 GHz radio.
  By default, the 5 GHz radio is disabled.
  An AP examines the configuration before it uses the configuration of the AP group to
  which it belongs. An AP might fail to implement the configuration due to configuration
  conflicts such as a disconnected uplink with uplink detection enabled.

2.4GHz Radio
  • Enable—Enable the 2.4 GHz radio.
  • Disable—Disable the 2.4 GHz radio.
  By default, the 2.4 GHz radio is disabled.
  An AP examines the configuration before inheritance. An AP might fail to implement the
  configuration because of configuration conflicts such as a disconnected uplink with
  uplink detection enabled.

Configuring advanced settings
Figure 296 Configuring advanced settings

Table 105 Configuration items

For more information about the configuration items not listed in this table, see Table 97 and Table 98.
A member AP uses the country/region code of the AP group even if the AP does not support the code. In such
cases, the AP uses the global country/region code.

Work Mode
  Configure the work mode.
  • Normal—An AP operating in normal mode transmits but does not monitor user
  data.
  • Monitor—The AP operates as a monitoring AP, not an access AP. An AP in monitor
  mode disables all WLAN services, and monitors all 802.11 frames.
  • Hybrid—An AP in hybrid mode transmits and monitors user data.
  IMPORTANT:
  The number of APs that can operate in monitor mode varies with device models.
  The number of APs operating in monitor mode cannot exceed the upper limit for the AC.
  For example, if an AC supports 32 APs operating in monitor mode and 30 APs are
  already in monitor mode, only the first two APs in an AP group can be configured to
  operate in monitor mode.

Statistics Interval
  Configure the interval at which an AP sends statistics reports.
  The statistics report covers radio decryption errors, radio statistics, and so on.

Version Upgrade
  Configure the AP version upgrade function.
  You can configure the AP version upgrade function on the Advanced Setup > AC Setup,
  AP > AP Group, or AP > AP Setup page. You can upgrade specified APs by
  configuring AP version upgrade functions on different pages. For more information,
  see "Configuring advanced settings."

Configuring AP-based client access control


To configure client access control, you need to create an AP group and add APs into the group.

Configuring a user profile


1. Select Authentication > Users from the navigation tree.
2. Click User Profile.
3. Click Add.
Figure 297 Setting the user profile name

4. Specify a name for the user profile.


5. Click Apply.
The user profile configuration page appears.

Figure 298 Configuring a user profile

6. Configure the user profile as described in Table 106.
7. Click Apply.
For more information about user profile, see "Configuring users."
Table 106 Configuration item

AP Group list permitted
  Specify the AP groups permitted in the user profile.
  Select the AP groups in the AP group list and click the << button to add them to the
  Selected AP group list.
  The available AP groups are the AP groups you configured on the page you enter by
  selecting AP > AP Group. For more information, see "Configuring an AP group."

8. On the user profile management page, select the user profile to be enabled.
9. Click Enable.

AP configuration examples
Auto AP configuration example
Network requirement
To simplify AP configuration, configure the auto AP function to enable the AP with the model
MSM460-WW to automatically connect to the AC. Configure the AP to obtain an IP address through a
DHCP server and to provide clear-type wireless service with the SSID service1.
Figure 299 Network diagram

Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
the serial ID auto, and click Apply.

Figure 300 Creating an AP

2. Configure wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to service1, select the wireless service type
Clear, and click Apply.
Figure 301 Creating a wireless service

3. Enable the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Select the service1 box.
c. Click Enable.
Figure 302 Enabling the wireless service

4. Bind an AP to a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service service1 to enter the page for binding an AP.
c. Select the box before ap with radio mode 802.11n (2.4 GHz).
d. Click Bind.
Figure 303 Binding an AP

e. Select AP > AP Setup from the navigation tree. You can see that the AP is in IDLE state.
Figure 304 AP status before auto AP is enabled

5. Enable the 802.11gn radio:


a. Select Radio > Radio Setup from the navigation tree.
b. Select the box before the target AP.
c. Click Enable.

Figure 305 Enabling 802.11gn radio

6. Enable auto AP:
a. Select AP > Auto AP from the navigation tree.
b. Select Enable from the Auto AP list.
c. Click Apply.
Figure 306 Configuring auto AP

d. After enabling auto AP, click Refresh to view the auto AP.
Figure 307 Viewing the auto AP

Verifying the configuration


• Select AP > AP Setup from the navigation tree.
You can see that the AP is in run state.
• The client can successfully associate with the AP and access the WLAN network.
• You can view the online clients on the page you enter by selecting Summary > Client from the
navigation tree.

Figure 308 Viewing the online clients

Auto-AP authentication configuration example


Network requirements
As shown in Figure 309, enable the auto-AP function, and configure auto-AP authentication on the AC to
permit AP 1 and deny AP 2. Use the DHCP server to assign IP addresses to authenticated APs. Use the
RADIUS server to authenticate the unauthenticated AP (AP 3 in this example).
The serial IDs of AP 1, AP 2, and AP 3 are CN2AD330S7, CN2AD330S8, and CN2AD330S9,
respectively.
Figure 309 Network diagram

Configuring the AC
1. Create ACL 202:
a. Select QoS > ACL IPv4 from the navigation tree.
b. Click Add.
c. Type ACL ID 202.
d. Click Apply.

Figure 310 Creating ACL 202

2. Configure a permit rule to allow AP 1 with the serial ID CN2AD330S7 and a deny rule to deny AP 2 with the serial ID CN2AD330S8:
a. Select QoS > ACL IPv4 from the navigation tree.
b. Click the Wireless Setup tab.
c. Select 202 from the ACL list and add two ACL rules as shown in Figure 311.
d. Click Apply.
Figure 311 Configuring ACL rules

3. Configure the auto AP function:


a. Select AP > Auto AP from the navigation tree.
b. Select Enable for Auto AP.
c. Select Enable for Authenticate Feature, and Serial ID for Authenticate Method.
d. Select 202 from the ACL list.
e. Click Apply.

Figure 312 Configuring auto AP

4. Display the auto AP status:


To display auto AP status, click Refresh.
Figure 313 Displaying auto AP status

5. Enable the unauthenticated auto AP to pass authentication and provide WLAN services:
a. Select the box to the left of the target AP.
b. Click Accept.

Figure 314 Enabling the unauthenticated auto AP to pass authentication and provide WLAN services

Verifying the configuration


• AP 1 matches the permit rule, so it can connect to the AC.
• AP 2 matches the deny rule, so it cannot connect to the AC.
• AP 3 does not match any rule, so it is authenticated by the remote RADIUS server. If it passes the
authentication, it can connect to the AC to provide WLAN services.

Configuring access services

Wireless Local Area Networks (WLAN) provide the following services:


• Connectivity to the Internet
• Secured WLAN access with different authentication and encryption methods
• Seamless roaming of WLAN clients in a mobility domain

Access service overview


Terminology
• Wireless client—A handheld computer or laptop with a wireless Network Interface Card (NIC) or
a terminal supporting WiFi can be a WLAN client.
• Access point—An AP bridges frames between wireless and wired networks.
• Access controller—An AC can control and manage APs associated with it in a WLAN. The AC
communicates with an authentication server for WLAN client authentication.
• Service set identifier—An SSID identifies a wireless network. A client scans all networks at first, and
then selects a specific SSID to connect to a specific wireless network.

Client access
A client access process involves scanning (active or passive) for surrounding wireless services, authentication, and association, as shown in Figure 315.
Figure 315 Establishing a client access

Scanning
Wireless clients use active scanning and passive scanning to obtain information about surrounding
wireless networks.
1. Active scanning

A wireless client periodically sends probe request frames and obtains wireless network
information from received probe response frames. Active scanning includes the following modes:
Active scanning without an SSID—The client periodically sends a probe request frame without
an SSID on each of its supported channels. APs that receive the probe request send a probe
response, which includes the available wireless network information. The client associates with
the AP with the strongest signal. This mode enables the client to find the optimal wireless
network.
Figure 316 Active scanning without an SSID
(Diagram: the client sends a probe request with no SSID; AP 1, managed by AC 1, and AP 2, managed by AC 2, each reply with a probe response.)

Active scanning with an SSID—If the wireless client is configured to access a wireless network
or has associated with a wireless network, the client periodically sends a probe request that
carries the SSID of that wireless network. When the target AP receives the probe request, it
sends a probe response. This mode enables the client to access a specified wireless network.
Figure 317 Active scanning with an SSID

2. Passive scanning
A wireless client listens to the beacon frames periodically sent by APs to discover surrounding
wireless networks. Passive scanning is used when a client wants to save battery power. Typically,
VoIP clients adopt passive scanning.

Figure 318 Passive scanning

Authentication
To secure wireless links, APs perform authentication on wireless clients. A wireless client must pass
authentication before it can access a wireless network. 802.11 defines two authentication methods: open
system authentication and shared key authentication.
• Open system authentication
Open system authentication is the default authentication algorithm and is the simplest of the
available authentication algorithms. It is a null authentication algorithm. Any client that requests
authentication with this algorithm can become authenticated. Open system authentication is not
required to be successful, because an AP might decline to authenticate the client. Open system
authentication involves a two-step authentication process. In the first step, the wireless client sends
a request for authentication. In the second step, the AP returns the result to the client.
Figure 319 Open system authentication process
(Diagram: client, AP, and AC; the client sends an authentication request to the AP, and the AP returns an authentication response.)

• Shared key authentication


Figure 320 shows a shared key authentication process. The two parties have the same shared key
configured.
a. The client sends an authentication request to the AP.
b. The AP randomly generates a challenge and sends it to the client.
c. The client uses the shared key to encrypt the challenge and sends it to the AP.
d. The AP uses the shared key to decrypt the challenge and compares the result with the original challenge sent to the client. If they are identical, the client passes the authentication. If they are not, the authentication fails.

Figure 320 Shared key authentication process

Association
To access a wireless network through an AP, a client must associate with that AP. After the client passes
authentication on the AP, the client sends an association request to the AP. The AP verifies the capability
information in the association request to determine the capability supported by the wireless client. Then
it sends an association response to notify the client of the association result. A client can associate with
only one AP at a time, and an association process is always initiated by the client.

WLAN data security


Compared with wired networks, WLAN networks are more susceptible to attacks. All WLAN devices
share the same medium and every device can receive data from any other sending device. If no security
service is provided, plain-text data is transmitted over the WLAN.
To secure data transmission, 802.11 protocols provide encryption methods to make sure devices without
the right key cannot read encrypted data.
• Plain-text data.
It is a WLAN service without security protection. No data packets are encrypted.
• WEP encryption.
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized
users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream
encryption algorithm) for confidentiality. WEP encryption uses static and dynamic encryption
depending on how a WEP key is generated.
Static WEP encryption
With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers can read all encrypted data. In addition, periodic manual key updates increase the management workload.
Dynamic WEP encryption
Dynamic WEP encryption is an improvement over static WEP encryption. With dynamic WEP
encryption, WEP keys are negotiated between the client and server through the 802.1X
protocol so that each client is assigned a different WEP key. The WEP key can be updated
periodically to further improve unicast frame transmission security.
Although WEP encryption increases the difficulty of network interception and session hijacking, it has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.
• TKIP encryption.

Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP provides advantages over WEP and more secure protection for WLANs, as follows:
TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm and increases the length of IVs from 24 bits to 48 bits.
TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.
TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data might have been tampered with and the system might be under attack. If two packets fail the MIC within a specific period, the AP automatically takes countermeasures. While the countermeasures are in effect, the AP does not provide services, which prevents further attacks.
• AES-CCMP encryption.
CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM
combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the
integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The
AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP
contains a dynamic key negotiation and management method, so that each wireless client can
dynamically negotiate a key suite. The key suite can be updated periodically to further enhance
the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a
48-bit packet number (PN) to make sure each encrypted packet uses a different PN, which
improves security.
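The two receive-side protections described above, the CCMP 48-bit packet number that makes every frame unique and the TKIP rule that two MIC failures in a period trigger countermeasures, as an added Python illustration that is not from the HP guide; the 60-second window, the verdict names, and the sample frame sequence are assumptions, since the text says only "a specific period".

```python
"""Receive-side replay and integrity checks for protected WLAN frames.

Added illustration only, not HP code. The 60-second window and the verdict
names are assumptions; the page says only "a specific period".
"""
from dataclasses import dataclass, field
from typing import List

PN_MAX = (1 << 48) - 1          # CCMP packet number (PN) is a 48-bit counter
MIC_FAILURE_WINDOW = 60.0       # seconds; assumed value for "a specific period"
MIC_FAILURES_TO_TRIGGER = 2     # two MIC failures in the window start countermeasures


@dataclass
class Frame:
    """The fields of a received protected frame that the checks need."""
    pn: int          # packet number carried in the frame header
    mic_ok: bool     # result of the integrity check (MIC) after decryption
    ts: float        # receive time in seconds


@dataclass
class Receiver:
    """Per-sender state: last accepted PN plus recent MIC failure timestamps."""
    last_pn: int = -1
    mic_failures: List[float] = field(default_factory=list)
    countermeasures_until: float = 0.0

    def check(self, frame: Frame) -> str:
        # While countermeasures are active the AP provides no service at all.
        if frame.ts < self.countermeasures_until:
            return "countermeasures"
        # A PN outside 48 bits cannot have been produced by a conforming sender.
        if not 0 <= frame.pn <= PN_MAX:
            return "drop-invalid-pn"
        # Replay detection: every accepted frame must carry a PN larger than the
        # last one seen. The replay check runs before the MIC check, so a
        # replayed frame can never be counted as a MIC failure.
        if frame.pn <= self.last_pn:
            return "drop-replay"
        if not frame.mic_ok:
            # Keep only failures still inside the window, then add this one.
            self.mic_failures = [t for t in self.mic_failures
                                 if frame.ts - t < MIC_FAILURE_WINDOW]
            self.mic_failures.append(frame.ts)
            if len(self.mic_failures) >= MIC_FAILURES_TO_TRIGGER:
                self.countermeasures_until = frame.ts + MIC_FAILURE_WINDOW
                self.mic_failures.clear()
                return "countermeasures"
            return "drop-mic"
        # Only frames that pass both checks advance the replay counter.
        self.last_pn = frame.pn
        return "accept"


def run(frames: List[Frame]) -> List[str]:
    """Feed a frame sequence from one sender through the checks in order."""
    rx = Receiver()
    return [rx.check(f) for f in frames]


# Constructed sample sequence: a replayed frame, two frames whose MIC fails
# within the window, then traffic during and after the countermeasures.
SAMPLE = [
    Frame(pn=1, mic_ok=True, ts=0.0),
    Frame(pn=2, mic_ok=True, ts=0.5),
    Frame(pn=2, mic_ok=True, ts=1.0),          # replay of PN 2
    Frame(pn=3, mic_ok=False, ts=2.0),         # first MIC failure
    Frame(pn=4, mic_ok=False, ts=3.0),         # second failure inside the window
    Frame(pn=5, mic_ok=True, ts=10.0),         # service suspended
    Frame(pn=5, mic_ok=True, ts=70.0),         # window expired, service resumes
    Frame(pn=PN_MAX + 1, mic_ok=True, ts=71.0),  # PN does not fit in 48 bits
]

if __name__ == "__main__":
    for f, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"pn={f.pn:<16} t={f.ts:>5}  {verdict}")
```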

Client access authentication


• PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key
configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.
• 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at
the port level. A device connected to an 802.1X-enabled port of a WLAN access control device
can access the resources on the WLAN only after passing authentication.
The administrators of access devices can choose RADIUS or local authentication to work with 802.1X for authenticating users. For more information about remote/local 802.1X authentication, see "Configuring 802.1X."
• MAC authentication
MAC authentication provides a method to authenticate users based on ports and MAC addresses.
You can configure permitted MAC address lists to filter MAC addresses of clients. However, the
efficiency will be reduced when the number of clients increases. Therefore, MAC authentication is
applicable to environments without high security requirements, for example, SOHO and small
offices.
MAC authentication includes the following modes:
Local MAC authentication—When this authentication mode is used, you need to configure a
permitted MAC address list on the device. If the MAC address of a client is not in the list, its
access request will be denied.

Figure 321 Local MAC authentication
(Diagram: the AC holds a permitted MAC address list containing 0009-5bcf-cce3, 0011-9548-4007, and 000f-e200-00a2. Clients 0009-5bcf-cce3 and 0011-9548-4007 are in the list; client 001a-9228-2d3e is not. The AC connects to the AP through an L2 switch.)

Remote Authentication Dial-In User Service (RADIUS)-based MAC authentication—When RADIUS-based MAC authentication is used, if the device finds that the current client is an unknown client, it sends an unsolicited authentication request to the RADIUS server. After the client passes the authentication, the client can access the WLAN and is granted the corresponding authorization information.
Figure 322 Remote MAC authentication

When a RADIUS server is used for MAC authentication, you can specify a domain for each wireless
service, and send MAC authentication information of different SSIDs to different remote RADIUS servers.

802.11n
As the next generation wireless LAN technology, 802.11n supports both 2.4GHz and 5GHz bands. It
provides higher throughput to customers by using the following methods:
• Increasing bandwidth
802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During
data forwarding, the two 20-MHz channels can work separately with one acting as the primary

channel and the other acting as the secondary channel. They can also work together as a 40-MHz
channel, which provides a simple way to double the data rate.
• Improving channel utilization
802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MAC Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and improves network throughput.
Multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.
To improve physical layer performance, 802.11n introduces the short GI function, which
shortens the GI interval of 800 ns in 802.11a/g to 400 ns. This can increase the data rate by
10 percent.

Configuring access service


Recommended configuration procedure
Step Remarks
1. Creating a WLAN service: Required.
2. Configuring wireless service: Required. Use either method:
Configuring clear-type wireless service
Configuring crypto-type wireless service (complete the security settings as needed)
3. Configuring an authentication mode: Optional.
4. Enabling a wireless service: Required.
5. Binding an AP radio to a wireless service: Required.
6. Enabling a radio: Required.
7. Displaying detailed information about a wireless service: Optional.

Creating a WLAN service


1. Select Wireless Service > Access Service from the navigation tree.

Figure 323 Configuring access service

2. Click Add.
Figure 324 Creating a wireless service

3. Configure the wireless service as described in Table 107.


4. Click Apply.
Table 107 Configuration items

Item Description
Wireless Service Name: Set the SSID, a case-sensitive string of 1 to 32 characters, which can contain letters, digits, underscores, and spaces. Set an SSID as unique as possible. For security, the company name should not be contained in the SSID. Meanwhile, HP recommends that you not use a long random string as the SSID, because a long random string only adds payload to the header field and does not improve wireless security.
Wireless Service Type: Select the wireless service type:
• clear—The wireless service will not be encrypted.
• crypto—The wireless service will be encrypted.

Configuring clear-type wireless service


Configuring basic settings for a clear-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target clear-type wireless service.

Figure 325 Configuring clear-type wireless service

3. Configure basic settings for the clear-type wireless service as described in Table 108.
4. Click Apply.
Table 108 Configuration items

Item Description
WLAN ID: Display the selected WLAN ID.
Wireless Service: Display the selected SSID.
Service Description: Specify a description for the wireless service. By default, no description is specified for a wireless service. The same wireless service can be configured for different WLAN IDs. Specify a description to distinguish between different functions of the wireless service.
VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Default VLAN: Set the default VLAN of a port. By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Delete VLAN: Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
SSID Hide:
• Enable—Disable the advertisement of the SSID in beacon frames.
• Disable—Enable the advertisement of the SSID in beacon frames.
By default, the SSID is advertised in beacon frames.
IMPORTANT:
• If the advertisement of the SSID in beacon frames is disabled, the SSID must be configured for the clients to associate with the AP.
• Disabling the advertisement of the SSID in beacon frames does not improve wireless security.
• Enabling the advertisement of the SSID in beacon frames allows a client to discover an AP more easily.

Configuring advanced settings for the clear-type wireless service


1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target clear-type wireless service.

Figure 326 Configuring advanced settings for the clear-type wireless service

3. Configure advanced settings for the clear-type wireless service as described in Table 109.
4. Click Apply.

Table 109 Configuration items

Item Description
Forwarding Mode:
• Remote Forwarding—The AC performs data forwarding. Centralized forwarding includes 802.3 centralized forwarding and 802.11 centralized forwarding. With 802.3 centralized forwarding, APs change incoming 802.11 frames to 802.3 frames and tunnel the 802.3 frames to the AC. With 802.11 centralized forwarding, APs directly tunnel incoming 802.11 frames to the AC.
• Local Forwarding—APs directly forward data frames. The AC still performs authentication on clients. This forwarding mode reduces the workload of the AC and retains the security and management advantages of the AC/fit AP architecture.
• Forwarding Policy Based—Based on the forwarding policy that matches the packets from clients, the AC chooses centralized forwarding mode or local forwarding mode. This forwarding mode reduces the workload of the AC (see "Configuring policy-based forwarding").
By default, the centralized forwarding mode is adopted.
IMPORTANT:
Forwarding policies can only take effect on packets sent by clients.
Local Forwarding VLAN: Clients using the same SSID might belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.
Forwarding Policy: Enable the policy-based forwarding mode and apply the forwarding policy to the access service.
Packet Format:
• 802.11—Packets are encapsulated in 802.11 format and forwarded by the AC.
• 802.3—Packets are encapsulated in 802.3 format and forwarded by the AC.
This configuration only applies to a CAPWAP tunnel. For an LWAPP tunnel, data frames can only be encapsulated in 802.11 format.
Beacon Measurement:
• Enable—Enable the beacon measurement function.
• Disable—Disable the beacon measurement function.
By default, the beacon measurement function is disabled.
Beacon measurement, defined by 802.11k, provides a mechanism for APs and clients to measure the available radio resources. When this function is enabled, an AP periodically sends beacon requests to clients. Clients respond with beacon reports to inform the AP of the beacon measurement information they have collected.
Beacon-measurement Type:
• Active—The AP sends a beacon measurement request to the client. Upon receiving the request, the client broadcasts probe requests on all supported channels and sets a measurement duration timer. At the end of the measurement duration, the client compiles all received beacons and probe responses into a measurement report.
• Beacon-table—The AP sends a beacon measurement request to a client. Upon receiving the request, the client measures beacons and returns a report to the AP. The report contains all beacon information stored on the client. The client does not perform any additional measurements.
• Passive—The AP sends a beacon measurement request to a client. Upon receiving the request, the client sets a measurement duration timer and, at the end of the measurement duration, compiles all received beacons and probe responses into a measurement report.
Beacon-measurement Interval: The interval at which the AP sends beacon requests to clients.
Authentication Mode: See "Configuring an authentication mode."
Client Max Users: Maximum number of clients of an SSID to be associated with the same radio of the AP.
IMPORTANT:
When the number of clients of an SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
Bonjour Policy: Apply the specified Bonjour policy to the wireless service.
Management Right: Web interface management right of online clients.
• Disable—Disable the Web interface management right of online clients.
• Enable—Enable the Web interface management right of online clients.
MAC VLAN:
• Enable—Enable the MAC VLAN feature for the wireless service.
• Disable—Disable the MAC VLAN feature for the wireless service.
IMPORTANT:
Before binding an AP radio to a VLAN, enable the MAC VLAN feature first.
Fast Association:
• Enable—Enable fast association.
• Disable—Disable fast association.
By default, fast association is disabled. When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.
IP Verify Source: See "Configuring source IP address verification."
Unknown Client: Configure the AP to deauthenticate the clients or drop the packets when it receives packets from unknown clients.
• Deauthenticate—The AP sends deauthentication packets to unknown clients.
• Drop—The AP drops the packets sent by unknown clients.
Client Cache Aging-time: The client cache saves information such as the PMK list and access VLAN for clients. A value of 0 means the client cache information is cleared when a client goes offline. After the client cache information is cleared, the client cannot roam.

Configuring security settings for a clear-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target clear-type wireless service.
Figure 327 Configuring security settings for the clear-type wireless service

3. Configure security settings for the clear-type wireless service as described in Table 110.
4. Click Apply.
Table 110 Configuration items

Item Description
Authentication Type: For the clear-type wireless service, you can select Open-System only.
Port Mode:
• mac-authentication—Perform MAC address authentication on users.
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes. MAC authentication has a higher priority than the userlogin-secure mode. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. When it receives an 802.1X frame, the port performs MAC authentication first and performs 802.1X authentication if MAC authentication fails.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure—In this mode, MAC-based 802.1X authentication is performed for users. Multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes. 802.1X authentication has a higher priority than MAC authentication. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-ext—In this mode, a port performs 802.1X authentication on users in MAC-based mode and supports multiple 802.1X users.
TIP:
There are multiple security modes. The following rules explain the port security mode names:
• userLogin indicates port-based 802.1X authentication.
• mac indicates MAC address authentication.
• The authentication mode before Else is used preferentially. If the authentication fails, the authentication mode after Else might be used depending on the protocol type of the packets to be authenticated.
• The authentication modes before Or and after Or have the same priority. The device determines the authentication mode according to the protocol type of the packets to be authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
• userLogin together with Secure indicates MAC-based 802.1X authentication.
• A security mode with Ext allows multiple 802.1X users to pass the authentication. A security mode without Ext allows only one 802.1X user to pass the authentication.
Max User: Maximum number of users that can be connected to the network through a specific port.
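The naming rules in the TIP above, and the per-mode behaviour described for each Port Mode value, turned into a small decoder. This is an added Python example, not HP code; the method labels, the dictionary layout, and the function names are my own choices.

```python
"""Decoder for the port security mode names used in Table 110.

Added illustration only, not HP code. The rules it encodes are the ones in
the TIP above; the method labels and the dictionary layout are my own.
"""
from typing import Dict, List, Optional

MAC_AUTH = "MAC authentication"
DOT1X_PORT = "802.1X (port-based)"
DOT1X_MAC = "802.1X (MAC-based)"

# Name fragments and what they mean: userLogin = port-based 802.1X,
# userLogin + Secure = MAC-based 802.1X, mac = MAC address authentication.
_TOKENS = {
    "mac": MAC_AUTH,
    "mac-authentication": MAC_AUTH,
    "userlogin": DOT1X_PORT,
    "userlogin-secure": DOT1X_MAC,
}


def parse_port_security_mode(mode: str) -> Dict[str, object]:
    """Split a mode name into its methods, its combinator (else/or) and
    whether the -ext suffix allows multiple 802.1X users."""
    name = mode.strip().lower()
    ext = name.endswith("-ext")
    if ext:
        name = name[: -len("-ext")]
    combinator: Optional[str]
    if "-else-" in name:
        combinator, parts = "else", name.split("-else-", 1)
    elif "-or-" in name:
        combinator, parts = "or", name.split("-or-", 1)
    else:
        combinator, parts = None, [name]
    try:
        methods = [_TOKENS[p] for p in parts]
    except KeyError as exc:
        raise ValueError(f"unknown port security mode token: {exc.args[0]}") from None
    has_8021x = any(m.startswith("802.1X") for m in methods)
    return {
        "mode": mode,
        "methods": methods,
        "combinator": combinator,
        # Ext only concerns 802.1X users, so it is not applicable to plain
        # mac-authentication.
        "multiple_8021x_users": ext if has_8021x else None,
    }


def authentication_order(mode: str, frame_is_8021x: bool) -> List[str]:
    """Return the methods a port in this mode tries for a wireless client's
    frame, in the order Table 110 describes."""
    info = parse_port_security_mode(mode)
    methods = list(info["methods"])
    combinator = info["combinator"]
    if combinator is None:
        return methods
    if combinator == "else":
        first, second = methods
        # Else: the first method is preferred. A port in a mac-else-* mode
        # performs only MAC authentication on a non-802.1X frame; on an
        # 802.1X frame it falls back to 802.1X if MAC authentication fails.
        if first == MAC_AUTH and not frame_is_8021x:
            return [first]
        return [first, second]
    # Or: equal priority, but for wireless users 802.1X is tried first and
    # MAC authentication only if 802.1X fails.
    dot1x = [m for m in methods if m.startswith("802.1X")]
    others = [m for m in methods if not m.startswith("802.1X")]
    return dot1x + others


if __name__ == "__main__":
    for name in ("mac-authentication", "mac-else-userlogin-secure-ext",
                 "userlogin-secure", "userlogin-secure-or-mac"):
        print(name, "->", parse_port_security_mode(name))
```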

a. Configure mac-authentication:
Figure 328 Configuring mac-authentication port security

Table 111 Configuration items

Item Description
Port Mode: mac-authentication—MAC-based authentication is performed on access users. Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User: Control the maximum number of users allowed to access the network through the port.
MAC Authentication: Select MAC Authentication.
Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication and authorization.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

b. Configure userlogin-secure/userlogin-secure-ext:
Figure 329 Configuring userlogin-secure/userlogin-secure-ext port security (userlogin-secure is taken for example)

Table 112 Configuration items

Item Description
Port Mode:
• userlogin-secure—Perform MAC-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.
Max User: Control the maximum number of users allowed to access the network through the port.
Mandatory Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication and authorization.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
Authentication Method:
• EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It is not required to repackage the EAP packets into standard RADIUS packets for authentication.
• CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. This method is safer than the other two methods.
• PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.
Handshake:
• Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to identify whether the user is online. By default, the function is enabled.
• Disable—Disable the online user handshake function.
Multicast Trigger:
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages for initiating authentication periodically. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
Stateful Failover:
• Enable—Enable 802.1X support for the stateful failover function. You need to select High Availability > Stateful Failover and configure the stateful failover function. For more information, see "Configuring stateful failover."
• Disable—Disable 802.1X support for the stateful failover function.
Whether a device supports the stateful failover function varies with the device model. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products."

c. Configure the other four port security modes:

Figure 330 Configuring port security for the other four security modes (mac-else-userlogin-secure is taken for example)

Table 113 Configuration items

Port Mode
  • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes. MAC authentication has a higher priority than the userlogin-secure mode. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. When it receives an 802.1X frame, the port performs MAC authentication and, if MAC authentication fails, the port performs 802.1X authentication.
  • mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
  • userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
  • userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
  Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User
  Control the maximum number of users allowed to access the network through the port.
Mandatory Domain
  Select an existing domain from the list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication and authorization.
  The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
Authentication Method
  • EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It is not required to repackage the EAP packets into standard RADIUS packets for authentication.
  • CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in simple text and passwords in cipher text over the network. This method is safer than the other two methods.
  • PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.
Handshake
  • Enable—Enable the online user handshake function. With this function enabled, the device can periodically send handshake messages to a user to identify whether the user is online. By default, the function is enabled.
  • Disable—Disable the online user handshake function.
Multicast Trigger
  • Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically to initiate authentication. By default, the multicast trigger function is enabled.
  • Disable—Disable the 802.1X multicast trigger function.
  IMPORTANT:
  For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
Stateful Failover
  • Enable—Enable 802.1X support for the stateful failover function. You need to select High Availability > Stateful Failover and configure the stateful failover function (see "Configuring stateful failover").
  • Disable—Disable 802.1X support for the stateful failover function.
  Whether a device supports the stateful failover function varies with the device model. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products."
MAC Authentication
  Select MAC Authentication.
Domain
  Select an existing domain from the list.
  The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
  • The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication and authorization.
  • Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Configuring crypto-type wireless service

Configuring basic settings for a crypto-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target crypto-type wireless service.
Figure 331 Configuring crypto-type wireless service

3. Configure basic settings for the crypto-type wireless service as described in Table 108.
4. Click Apply.

Configuring advanced settings for a crypto-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target crypto-type wireless service.
Figure 332 Configuring advanced settings for the crypto-type wireless service

3. Configure advanced settings for the crypto-type wireless service as described in Table 114.
4. Click Apply.

Table 114 Configuration items

Forwarding Mode
  • Remote Forwarding—The AC performs data forwarding. Centralized forwarding comprises 802.3 centralized forwarding and 802.11 centralized forwarding. With 802.3 centralized forwarding, APs change incoming 802.11 frames to 802.3 frames and tunnel the 802.3 frames to the AC. With 802.11 centralized forwarding, APs directly tunnel incoming 802.11 frames to the AC.
  • Local Forwarding—APs directly forward data frames. The AC still performs authentication on clients. This forwarding mode reduces the workload of the AC and retains the security and management advantages of the AC/fit AP architecture.
  • Forwarding Policy Based—Based on the forwarding policy that matches the packets from clients, the AC chooses centralized forwarding mode or local forwarding mode. This forwarding mode reduces the workload of the AC. For more information, see "Configuring policy-based forwarding."
  By default, the centralized forwarding mode is adopted.
  IMPORTANT:
  Forwarding policies are only available to packets sent by clients.
Local Forwarding VLAN
  Clients using the same SSID might belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.
Forwarding Policy
  Enable the policy-based forwarding mode and apply the forwarding policy to the access service.
Packet Format
  • 802.11—Packets are encapsulated in 802.11 format in the data tunnel and forwarded by the AC.
  • 802.3—Packets are encapsulated in 802.3 format in the data tunnel and forwarded by the AC.
  This configuration only applies to a CAPWAP tunnel. For an LWAPP tunnel, data frames can only be encapsulated in 802.11 format.
Beacon Measurement
  • Enable—Enable the beacon measurement function.
  • Disable—Disable the beacon measurement function.
  By default, the beacon measurement function is disabled.
  Beacon measurement, defined by 802.11k, provides a mechanism for APs and clients to measure the available radio resources. When this function is enabled, an AP periodically sends beacon requests to clients. Clients respond with beacon reports to inform the AP of the beacon measurement information they have collected.
Beacon-measurement Type
  • Active—The AP sends a beacon measurement request to the client. Upon receiving the request, the client broadcasts probe requests on all supported channels and sets a measurement duration timer. At the end of the measurement duration, the client compiles all received beacons and probe responses into a measurement report.
  • Beacon-table—The AP sends a beacon measurement request to a client. Upon receiving the request, the client measures beacons and returns a report to the AP. The report contains all beacon information stored on the client. The client does not perform any additional measurements.
  • Passive—The AP sends a beacon measurement request to a client. Upon receiving the request, the client sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons and probe responses into a measurement report.
Beacon-measurement Interval
  The interval at which the AP sends beacon requests to clients.
Authentication Mode
  See "Configuring an authentication mode."
Client Max Users
  Maximum number of clients of an SSID to be associated with the same radio of the AP.
  IMPORTANT:
  When the number of clients of an SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
PTK Life Time
  Set the pairwise transient key (PTK) lifetime. A PTK is generated through a four-way handshake.
Bonjour Policy
  Apply the specified Bonjour policy to the wireless service.
TKIP CM Time
  Set the TKIP countermeasure time.
  By default, the TKIP countermeasure time is 0 seconds and the TKIP countermeasure policy is disabled.
  Message integrity check (MIC) is designed to prevent tampering by attackers. It uses the Michael algorithm and is very secure. When MIC failures occur, the data might have been tampered with, and the system might be under attack. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, the TKIP associations are disassociated and no new associations are allowed within the TKIP countermeasure time.
Management Right
  Web interface management right of online clients.
  • Disable—Disable the Web interface management right of online clients.
  • Enable—Enable the Web interface management right of online clients.
MAC VLAN
  • Enable—Enable the MAC VLAN feature for the wireless service.
  • Disable—Disable the MAC VLAN feature for the wireless service.
  IMPORTANT:
  Before you bind an AP radio to a VLAN, enable the MAC VLAN feature first.
Fast Association
  • Enable—Enable fast association.
  • Disable—Disable fast association.
  By default, fast association is disabled.
  When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.
IP Verify Source
  See "Configuring source IP address verification."
Unknown Client
  Configure the AP to deauthenticate the clients or drop the packets when it receives packets from unknown clients.
  • Deauthenticate—The AP sends deauthentication packets to unknown clients.
  • Drop—The AP drops the packets sent by unknown clients.
Client Cache Aging-time
  The client cache saves information such as the PMK list and access VLAN for clients.
  A value of 0 means the client cache information is cleared when a client goes offline. After the client cache information is cleared, the client cannot roam.
GTK Rekey Method
  An AC generates a group transient key (GTK). Through the group key handshake or the 4-way handshake, the AC sends the GTK to a client during the authentication process between an AP and the client. The client uses the GTK to decrypt broadcast and multicast packets.
  • If Time is selected, the GTK will be refreshed after a specified period of time.
  • If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.
  By default, the GTK rekeying method is time-based, and the interval is 86400 seconds.
GTK Rekey With Clients Offline
  Enable refreshing the GTK when a client goes offline.
  By default, the GTK is not refreshed when a client goes offline.

Configuring management frame protection for a crypto-type wireless service

Perform this task to enable an AP to protect management frames, including deauthentication frames, disassociation frames, and some robust action frames.
Management frame protection encrypts unicast management frames with the PTK to ensure their privacy, integrity, and replay protection.
For multicast and broadcast management frames, this feature uses the Broadcast Integrity Protocol (BIP) to ensure integrity and replay protection. BIP adds the Management MIC IE (MME) field to the end of the management frames to protect their privacy.
If management frame protection is enabled, the AC/AP uses SA Query to secure connections with clients.
SA Query includes active SA Query and passive SA Query.
• Active SA Query.
  If the AP receives spoofed association or reassociation requests, this mechanism can prevent the AP from responding to them.
  As shown in Figure 333, active SA Query operates as follows:
  a. The client sends an association or a reassociation request to the AP.
  b. Upon receiving the request, the AP sends a response to inform the client that the request is denied and the client can associate later. The response contains an association comeback time specified by the pmf association-comeback command.
  c. The AP sends an SA Query request to the client.
     − If the AP receives an SA Query response within the timeout time, it determines that the client is online.
     − If the AP receives no SA Query response within the timeout time, it resends the request. If the AP receives an SA Query response within the retransmission time, it determines that the client is online.
       If the client is online, the AP does not respond to any association or reassociation request from the client within the association comeback time.
     − If the AP receives no SA Query response within the retransmission time, it determines that the client is offline. The AP allows the client to reassociate.
Figure 333 Active SA Query

• Passive SA Query.
  If a client receives unencrypted disassociation or deauthentication frames with failure code 6 or 7, this mechanism can prevent the client from going offline abnormally.
  As shown in Figure 334, passive SA Query operates as follows:
  a. The client triggers the SA Query mechanism upon receiving an unencrypted disassociation or deauthentication frame.
  b. The client sends an SA Query request to the AP.
  c. The AP responds with an SA Query response.
  d. The client determines that the AP is online because it receives the SA Query response. The client does not go offline.

Figure 334 Passive SA Query

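The active SA Query procedure above, modelled from the AP's side as an added example (this is illustrative code, not HP's implementation): the SA Query Timeout, SA Query Retry and Association Comeback values are the three items configured in Table 115, and the scenarios show a client that answers the query and one that has really gone away.

```python
"""AP-side model of active SA Query as described above (added example, not
HP's code). A (re)association request for a client that is already
associated is denied with an association comeback time; an SA Query request
is sent and retransmitted after each SA Query Timeout; the client is declared
offline only when the SA Query Retry window passes with no response.
Times are integer milliseconds and all values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SaQueryConfig:
    timeout_ms: int   # SA Query Timeout: retransmit when it passes without a response
    retry_ms: int     # SA Query Retry: give up when it passes since the first request
    comeback_ms: int  # Association Comeback: ignore (re)association requests this long


@dataclass
class ClientState:
    associated: bool = False
    query_started: Optional[int] = None  # time of the first SA Query request, None if idle
    last_sent: int = 0                   # time of the latest SA Query (re)transmission
    comeback_until: int = 0              # (re)association requests are ignored before this


class ActiveSaQueryAp:
    def __init__(self, cfg: SaQueryConfig) -> None:
        self.cfg = cfg
        self.clients: Dict[str, ClientState] = {}
        self.events: List[Tuple[int, str, str]] = []  # (time, client MAC, event)

    def _state(self, mac: str) -> ClientState:
        return self.clients.setdefault(mac, ClientState())

    def on_assoc_request(self, now: int, mac: str) -> str:
        """Handle an association or reassociation request; return the AP's action."""
        st = self._state(mac)
        if not st.associated:
            st.associated = True
            return "accept"
        if now < st.comeback_until:
            return "ignore"  # within the comeback time the AP does not respond
        if st.query_started is None:
            # The client is already associated, so this request may be spoofed:
            # deny it with a comeback time and check the real client with SA Query.
            st.query_started = now
            st.last_sent = now
            self.events.append((now, mac, "sa-query-request"))
        st.comeback_until = now + self.cfg.comeback_ms
        return f"deny-comeback:{self.cfg.comeback_ms}"

    def on_sa_query_response(self, now: int, mac: str) -> None:
        st = self._state(mac)
        if st.query_started is None:
            return  # nothing outstanding for this client
        if now - st.query_started <= self.cfg.retry_ms:
            st.query_started = None  # the client is online; keep the association
            self.events.append((now, mac, "client-online"))

    def tick(self, now: int) -> None:
        """Advance timers: retransmit after the timeout, give up after the retry window."""
        for mac, st in self.clients.items():
            if st.query_started is None:
                continue
            if now - st.query_started > self.cfg.retry_ms:
                # No response within the retransmission window: client offline, may reassociate
                st.associated = False
                st.query_started = None
                st.comeback_until = 0
                self.events.append((now, mac, "client-offline"))
            elif now - st.last_sent >= self.cfg.timeout_ms:
                st.last_sent = now
                self.events.append((now, mac, "sa-query-retransmit"))


CFG = SaQueryConfig(timeout_ms=200, retry_ms=1000, comeback_ms=3000)


def scenario_client_still_online() -> Tuple[str, str, bool, List[str]]:
    """A repeated (re)association request arrives for an online client and the real
    client answers the SA Query: the association is kept, later requests are ignored."""
    ap = ActiveSaQueryAp(CFG)
    ap.on_assoc_request(0, "c1")
    first = ap.on_assoc_request(5000, "c1")
    ap.on_sa_query_response(5100, "c1")
    second = ap.on_assoc_request(6000, "c1")
    return first, second, ap.clients["c1"].associated, [e for _, _, e in ap.events]


def scenario_client_gone() -> Tuple[str, List[str]]:
    """The client never answers: the AP retransmits every timeout_ms until the retry
    window passes, declares the client offline, then accepts a fresh association."""
    ap = ActiveSaQueryAp(CFG)
    ap.on_assoc_request(0, "c1")
    ap.on_assoc_request(5000, "c1")
    for t in (5200, 5400, 5600, 5800, 6000, 6100):
        ap.tick(t)
    return ap.on_assoc_request(6500, "c1"), [e for _, _, e in ap.events]
```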
To configure management frame protection:
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target crypto-type wireless service.
Figure 335 Configuring management frame protection for a crypto-type wireless service

3. Configure management frame protection for a crypto-type wireless service as described in Table 115.
4. Click Apply.
Table 115 Configuration items

PMF
  Management frame protection status:
  • Disabled—All clients can associate with the AP. The AP does not protect management frames in communications.
  • Optional—All clients can associate with the AP. The AP protects management frames from clients supporting PMF.
  • Mandatory—Clients supporting PMF can associate with the AP. The AP protects management frames from these clients. Clients not supporting PMF cannot associate with the AP.
  By default, PMF is disabled.
  NOTE:
  You can only configure management frame protection on a service template whose:
  • Authentication type is PSK or 802.1X.
  • Cipher suite is AES-CCMP.
  • Security IE is RSN.
Association Comeback
  The AP does not respond to any association or reassociation request from the client within the association comeback time.
SA Query Timeout
  If the AP receives no SA Query response within the timeout time, it resends the request.
SA Query Retry
  The retransmission time for an AP to retransmit SA Query requests.

Configuring security settings for a crypto-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target crypto-type wireless service.
Figure 336 Configuring security settings for the crypto-type wireless service

3. Configure security settings for the crypto-type wireless service as described in Table 116.
4. Click Apply.

Table 116 Configuration items

Authentication Type
  • Open-System—No authentication. With this authentication mode enabled, all clients pass authentication.
  • Shared-Key—The two parties need to have the same shared key configured for this authentication mode. You can select this option only when the WEP encryption mode is used.
  • Open-System and Shared-Key—You can select both open-system and shared-key authentication.
  IMPORTANT:
  WEP encryption can be used together with open system and shared-key authentication.
  • Open system authentication—When this authentication mode is used, a WEP key is used for encryption only. If the two parties do not use the same key, a wireless link can still be established, but all data will be discarded.
  • Shared-key authentication—When this authentication mode is used, a WEP key is used for both authentication and encryption. If the two parties do not use the same key, the client cannot pass the authentication and cannot access the wireless network.
Cipher Suite
  Encryption mechanisms supported by the wireless service:
  • AES—Encryption mechanism based on the AES encryption algorithm.
  • TKIP—Encryption mechanism based on the RC4 algorithm and dynamic key management. When a client that uses TKIP wants to associate with an AP supporting 802.11n, the client cannot operate in 802.11n mode.
  • AES and TKIP—You can select both AES and TKIP encryption.
Security IE
  Wireless service type (IE information carried in the beacon or probe response frame):
  • WPA—Wi-Fi Protected Access.
  • RSN—An RSN is a security network that allows only the creation of robust security network associations (RSNAs). It provides greater protection than WEP and WPA.
  • WPA and RSN—You can select both WPA and RSN.
Key Derivation
  Specify the hash algorithm used to generate the PTK and GTK from the PMK.
  Key derivation type:
  • SHA1—Supports the HMAC-SHA1 hash algorithm.
  • SHA1 and SHA256—Supports the HMAC-SHA1 and HMAC-SHA256 hash algorithms.
  • SHA256—Supports the HMAC-SHA256 hash algorithm.
  By default, the key derivation type is SHA1.
  NOTE:
  PSK or 802.1X authentication takes effect only after the key derivation type is configured.
Encryption
Provide Key Automatically
  • Enable—A WEP key is dynamically assigned.
  • Disable—A static WEP key is used.
  By default, a static WEP key is used.
  When you enable this function, the WEP option is automatically set to wep104.
  IMPORTANT:
  • This function must be used together with 802.1X authentication.
  • When dynamic WEP encryption is configured, the WEP key used to encrypt unicast frames is negotiated between the client and server. If the WEP default key is configured, the WEP default key is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.
WEP
  • wep40—WEP40 key option.
  • wep104—WEP104 key option.
  • wep128—WEP128 key option.
Key ID
  • 1—Key index 1.
  • 2—Key index 2.
  • 3—Key index 3.
  • 4—Key index 4.
  There are four static keys in WEP. The key index can be 1, 2, 3, or 4. The key for the specified key index is used for encrypting and decrypting broadcast and multicast frames.
Key Length
  • For wep40, the key is a string of five alphanumeric characters or a 10-digit hexadecimal number.
  • For wep104, the key is a string of 13 alphanumeric characters or a 26-digit hexadecimal number.
  • For wep128, the key is a string of 16 alphanumeric characters or a 32-digit hexadecimal number.
WEP Key
  Configure the WEP key.
Port Security
  See Table 110. Parameters such as authentication type and encryption type determine the port mode. For more information, see Table 119.
  After you select the Cipher Suite option, the following port security modes are added:
  • mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the preconfigured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
  • psk—An access user must use the pre-shared key (PSK) that is preconfigured to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
  • userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

a. Configure mac and psk.

Figure 337 Configuring mac and psk port security

Table 117 Configuration items

Port Mode
  mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user is required to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
  Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User
  Control the maximum number of users allowed to access the network through the port.
MAC Authentication
  Select MAC Authentication.
Domain
  Select an existing domain from the list.
  • The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
  • The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication and authorization.
  • Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
Preshared Key
  • pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be displayed and consists of 8 to 63 characters.
  • raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.

b. Configure psk.

Figure 338 Configuring psk port security

Table 118 Configuration items

Port Mode
  psk: An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
Max User
  Control the maximum number of users allowed to access the network through the port.
Preshared Key
  • pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be displayed and consists of 8 to 63 characters.
  • raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.

c. Configure userlogin-secure-ext:
Perform the configurations shown in Table 112.

Security parameter dependencies

For a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are shown in Table 119.
Table 119 Security parameter dependencies

Service type: Clear
  Authentication mode: Open-System
  Encryption type: Unavailable
  Security IE: Unavailable
  WEP encryption/key ID: Unavailable
  Port mode: mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext

Service type: Crypto
  Authentication mode: Open-System
  Encryption type: Selected
  Security IE: Required
  WEP encryption/key ID: WEP encryption is available. The key ID can be 2, 3, or 4.
  Port mode: mac and psk, psk, userlogin-secure-ext

Service type: Crypto
  Authentication mode: Open-System
  Encryption type: Unselected
  Security IE: Unavailable
  WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
  Port mode: mac-authentication, userlogin-secure, userlogin-secure-ext

Service type: Crypto
  Authentication mode: Shared-Key
  Encryption type: Unavailable
  Security IE: Unavailable
  WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
  Port mode: mac-authentication

Service type: Crypto
  Authentication mode: Open-System and Shared-Key
  Encryption type: Selected
  Security IE: Required
  WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
  Port mode: mac and psk, psk, userlogin-secure-ext

Service type: Crypto
  Authentication mode: Open-System and Shared-Key
  Encryption type: Unselected
  Security IE: Unavailable
  WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
  Port mode: mac-authentication, userlogin-secure, userlogin-secure-ext
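Table 119 as a pre-deployment check, added here as an example (not HP's code): the six rows are encoded as data, and a function reports the port security modes a combination of service type, authentication mode, cipher suite, security IE, WEP and key ID allows, or why the combination is invalid. Option names are the ones in the table; the parameter names are this example's own.

```python
"""Added example, not HP's code: Table 119 encoded as data, with a checker
that reports which port security modes a service template's authentication
type, cipher suite, security IE, WEP setting and key ID allow, or why the
combination is invalid."""
from typing import List, Optional

CLEAR_MODES = ["mac-authentication", "mac-else-userlogin-secure",
               "mac-else-userlogin-secure-ext", "userlogin-secure",
               "userlogin-secure-ext", "userlogin-secure-or-mac",
               "userlogin-secure-or-mac-ext"]
PSK_MODES = ["mac and psk", "psk", "userlogin-secure-ext"]
WEP_MODES = ["mac-authentication", "userlogin-secure", "userlogin-secure-ext"]

# One entry per row of Table 119:
# (service type, authentication mode, cipher suite selected, security IE rule,
#  WEP rule, allowed key IDs when WEP is used, port modes)
TABLE_119 = [
    ("clear",  "open-system",                False, "unavailable", "unavailable", (),           CLEAR_MODES),
    ("crypto", "open-system",                True,  "required",    "available",   (2, 3, 4),    PSK_MODES),
    ("crypto", "open-system",                False, "unavailable", "required",    (1, 2, 3, 4), WEP_MODES),
    ("crypto", "shared-key",                 False, "unavailable", "required",    (1, 2, 3, 4), ["mac-authentication"]),
    ("crypto", "open-system and shared-key", True,  "required",    "required",    (1, 2, 3, 4), PSK_MODES),
    ("crypto", "open-system and shared-key", False, "unavailable", "required",    (1, 2, 3, 4), WEP_MODES),
]


class ConfigError(ValueError):
    """The combination is not allowed by Table 119."""


def allowed_port_modes(service_type: str, auth_mode: str, cipher_suite: bool,
                       security_ie: bool, wep: bool,
                       key_id: Optional[int] = None) -> List[str]:
    """Return the port modes the combination allows; raise ConfigError otherwise.

    cipher_suite: AES and/or TKIP selected.  security_ie: WPA and/or RSN selected.
    wep: WEP encryption configured.  key_id: static WEP key index when wep is True."""
    service_type, auth_mode = service_type.lower(), auth_mode.lower()
    if service_type == "clear" and cipher_suite:
        raise ConfigError("a clear-type service has no cipher suite")
    for svc, auth, cipher, ie_rule, wep_rule, key_ids, modes in TABLE_119:
        if (svc, auth, cipher) != (service_type, auth_mode, cipher_suite):
            continue
        if ie_rule == "required" and not security_ie:
            raise ConfigError("security IE (WPA/RSN) is required with a cipher suite")
        if ie_rule == "unavailable" and security_ie:
            raise ConfigError("security IE is unavailable without a cipher suite")
        if wep_rule == "unavailable" and wep:
            raise ConfigError("WEP encryption is unavailable for this service type")
        if wep_rule == "required" and not wep:
            raise ConfigError("WEP encryption is required for this combination")
        if wep and key_id not in key_ids:
            raise ConfigError(f"key ID must be one of {key_ids}, got {key_id}")
        return list(modes)
    raise ConfigError(f"no row in Table 119 matches {service_type}/{auth_mode}/"
                      f"cipher suite selected={cipher_suite}")


def validation_error(*args, **kwargs) -> Optional[str]:
    """Return the ConfigError message for a combination, or None when it is valid."""
    try:
        allowed_port_modes(*args, **kwargs)
    except ConfigError as exc:
        return str(exc)
    return None
```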

Configuring an authentication mode

WLAN access supports the following client authentication modes:
• Centralized—The AC authenticates clients. In centralized authentication mode, the data forwarding mode is determined by the forwarding mode settings (see "Configuring advanced settings for the clear-type wireless service"). If the connection between the AC and AP fails, whether to log off clients associated with the AP depends on the remote AP settings (see "Configuring APs").
• Local—The AP authenticates clients. Use this mode in simple networks. In this mode, the AP directly forwards data frames from clients. If the connection between the AP and AC fails, the AP does not log off locally authenticated clients and accepts new clients after they pass local authentication.
• Backup—When the AP-AC connection is up, the AC authenticates clients. When the connection fails, the AP authenticates clients and performs local forwarding. When the AP re-establishes a connection with the AC, the AP logs out all clients and the AC re-authenticates clients.

Configuration guidelines
• If clients are authenticated remotely, make sure the AP is still connected to the authentication server when the AC-AP connection fails. Otherwise, the existing clients go offline. You can deploy the authentication server at the AP side (see "Configuring clear-type wireless service").
• Portal authentication is not supported.
• Clients authenticated by the AP do not support roaming.
• Locally authenticated clients do not support roaming or client information backup. For more information about client information backup, see "Configuring advanced settings."
• You can click Disconnect on the Summary > Client page on the AC to log off locally authenticated clients.
• For the local authentication mode and backup authentication mode, if the AC-AP connection fails, do not modify the configuration on the AC before the connection recovers, because the AC verifies the configuration after the connection recovers. If the configuration is inconsistent, online clients might be logged off.

Networking mode
For the local authentication mode and backup authentication mode, you can use the following networking modes if an authentication server is needed. The networking mode shown in Figure 340 is recommended. In this mode, the authentication server is deployed at the AP side so that online clients are not logged off if the AC-AP connection fails.
Figure 339 Network diagram

Figure 340 Network diagram (the figure shows the Server, the Internet, the AC, the AP, and the Client)

Configuration prerequisites
1. Enable the remote AP function on the AP > AP Setup page before you configure the backup or local authentication mode.
2. If you configure the backup or local authentication mode and clients use 802.1X or MAC authentication, edit the configuration file of the AP on the AC and then download the file to the AP on the AP > AP Setup page. The configuration file of the AP must contain the following contents:
   − If clients use local 802.1X or local MAC authentication, the configuration file must contain port security, ISP domain, and local user configurations.
   − If clients use remote 802.1X or remote MAC authentication, the configuration file must contain port security, ISP domain, and RADIUS scheme configurations.

Configuring an authentication mode

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target wireless service in the list.
Figure 341 Configuring an authentication mode

3. Select Central, Local, or Backup from the Authentication Mode list.
4. Click Apply.

Configuring source IP address verification

Source IP address verification is intended to improve wireless network security by filtering and blocking illegal packets.
For a client using an IPv4 address, the AP can obtain the IP address assigned to the client from the DHCPv4 packets exchanged between the DHCP server and the client, and bind the IP address to the MAC address of the client.
For a client using an IPv6 address, the AP can generate binding entries in either of the following ways:
• DHCPv6—The AP obtains the complete IPv6 address assigned to the client from the DHCPv6 packets exchanged between the DHCP server and the client, and binds the IPv6 address to the MAC address of the client. If the AP obtains only the IPv6 address prefix assigned to the client, it cannot generate a proper binding entry.
• ND (Neighbor Discovery)—The AP obtains the broadcast IPv6 address prefix from the router advertisement packets exchanged between the router and the client, and binds the IPv6 address prefix to the MAC address of the client.
After source IP address verification is enabled, the AP looks up the binding entries for each received packet. If the source MAC address and the source IP address of a packet match a binding entry, the AP forwards the packet. Otherwise, the AP discards it. Figure 342 shows how source IP address verification works.
Figure 342 Source IP address verification process

NOTE:
• For more information about DHCP, see "DHCP overview."
• For more information about DHCPv6, see Layer 3 Configuration Guide.
• For more information about ND, see Layer 3 Configuration Guide.

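The binding lookup described above, as an added example that is not HP's code: a small IP-MAC binding table learned from constructed DHCPv4, DHCPv6 and ND observations, with exact matching for DHCP-assigned addresses, prefix matching for ND-learned prefixes, and no entry at all for a DHCPv6 prefix-only assignment, applied to a batch of sample packets. All MAC addresses and IP values are constructed.

```python
"""Added example, not HP's code: a model of the IP-MAC binding table that
source IP address verification consults. DHCPv4 and DHCPv6 leases create
exact-address bindings, ND router advertisements create prefix bindings, a
DHCPv6 prefix-only assignment creates nothing (as the guide notes), and a
packet is forwarded only when its source MAC and source IP match a binding.
All addresses below are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class BindingTable:
    exact: Dict[str, Set[IPAddr]] = field(default_factory=dict)      # MAC -> DHCP addresses
    prefixes: Dict[str, Set[ipaddress.IPv6Network]] = field(default_factory=dict)  # MAC -> RA prefixes

    @staticmethod
    def _mac(mac: str) -> str:
        return mac.lower().replace("-", ":")

    def learn_dhcpv4(self, mac: str, ip: str) -> bool:
        """Bind the IPv4 address seen in a DHCPv4 server-to-client exchange."""
        self.exact.setdefault(self._mac(mac), set()).add(ipaddress.IPv4Address(ip))
        return True

    def learn_dhcpv6(self, mac: str, assigned: str) -> bool:
        """Bind a complete IPv6 address from DHCPv6. A prefix-only assignment
        yields no usable binding entry, so it is rejected."""
        if "/" in assigned:
            return False
        self.exact.setdefault(self._mac(mac), set()).add(ipaddress.IPv6Address(assigned))
        return True

    def learn_nd_prefix(self, mac: str, prefix: str) -> bool:
        """Bind the prefix advertised to the client in a router advertisement."""
        net = ipaddress.IPv6Network(prefix, strict=True)
        self.prefixes.setdefault(self._mac(mac), set()).add(net)
        return True

    def verify(self, mac: str, src_ip: str) -> bool:
        """True when the (source MAC, source IP) pair matches an exact or prefix binding."""
        mac = self._mac(mac)
        ip = ipaddress.ip_address(src_ip)
        if ip in self.exact.get(mac, set()):
            return True
        if ip.version == 6:
            return any(ip in net for net in self.prefixes.get(mac, set()))
        return False


def filter_packets(table: BindingTable, packets: List[Tuple[str, str]]) -> List[str]:
    """Apply the AP's forward-or-discard decision to each (source MAC, source IP) pair."""
    return ["forward" if table.verify(mac, ip) else "drop" for mac, ip in packets]


# Constructed observations the AP would have learned from DHCP and ND traffic.
LEASES = [
    ("dhcpv4", "00:11:22:33:44:55", "10.1.1.20"),
    ("dhcpv6", "00:11:22:33:44:66", "2001:db8:1::20"),
    ("dhcpv6", "00:11:22:33:44:77", "2001:db8:2::/64"),  # prefix only: no entry
    ("nd",     "00:11:22:33:44:88", "2001:db8:3::/64"),
]

# Constructed client packets: legitimate sources mixed with spoofed ones.
PACKETS = [
    ("00:11:22:33:44:55", "10.1.1.20"),         # matches the DHCPv4 binding
    ("00:11:22:33:44:55", "10.1.1.99"),         # spoofed IPv4 source
    ("00:11:22:33:44:66", "2001:db8:1::20"),    # matches the DHCPv6 binding
    ("00:11:22:33:44:77", "2001:db8:2::7"),     # no binding could be built
    ("00:11:22:33:44:88", "2001:db8:3::abcd"),  # inside the ND prefix
    ("00:11:22:33:44:88", "2001:db8:4::1"),     # outside the ND prefix
    ("00:11:22:33:44:99", "10.1.1.20"),         # right IP, wrong MAC
]


def build_table(leases=LEASES) -> Tuple[BindingTable, List[bool]]:
    """Learn every observation; the second value records which ones produced a binding."""
    table = BindingTable()
    learned = []
    for kind, mac, value in leases:
        fn = {"dhcpv4": table.learn_dhcpv4, "dhcpv6": table.learn_dhcpv6,
              "nd": table.learn_nd_prefix}[kind]
        learned.append(fn(mac, value))
    return table, learned


def run_sample() -> List[str]:
    table, _ = build_table()
    return filter_packets(table, PACKETS)
```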
Configuring source IP address verification

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target wireless service in the list.
Figure 343 Configuring source IP address verification

3. Select IPv4 or IPv6 for IP Verify Source. By default, the source IP address verification function is disabled.
4. Click Apply.

NOTE:
• For a client using an SSID configured with source IP address verification, if it accesses the network through AP local authentication, the source IP address verification feature is effective, but the IP-MAC binding entry for the client cannot be displayed on the AC. For more information about local authentication, see "Configuring an authentication mode."
• If the client needs to roam to an AP of another AC in the roaming group, the AC to which the client roams must be configured with source IP address verification for the specified SSID. Otherwise, the client connection is lost. For more information about AP local authentication and WLAN roaming, see "Configuring WLAN roaming."

Enabling a wireless service

1. Select Wireless Service > Access Service from the navigation tree.
Figure 344 Enabling a wireless service

2. Select the wireless service to be enabled.
3. Click Enable.

Binding an AP radio to a wireless service

Binding an AP radio to a wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target wireless service.
Figure 345 Binding an AP radio to a wireless service

3. Select the radio to be bound.
4. Click Bind.

Binding an AP radio to a VLAN


Traffic of different services is identified by SSIDs. Locations are identified by APs. Users at different
locations access different services. For a user roaming between different APs, you can provide services
for the user based on its access AP. The detailed requirements are as follows:
• Users with the same SSID but accessing through different APs can be assigned to different VLANs
based on their configurations.
• A roaming user always belongs to the same VLAN.
• For a user roaming between ACs, if the local AC does not have a VLAN-interface, the user is
required to use an HA in the AC group for forwarding packets to avoid packet loss.

348
Figure 346 Schematic diagram for WLAN support for AP-based access VLAN recognition
RADIUS server

AC 1 AC 2
HA IACTP tunnel FA

VLAN 3 VLAN 2

VLAN 3 VLAN 3
Intra AC roaming Inter AC roaming
AP 1 AP 2 AP 3 AP 4

Client 1 Client 1 Client 1 Client 2

As shown in Figure 346, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1
roams within an AC or between ACs, Client 1 always belongs to VLAN 3. When Client 1 roams between
ACs, if FA, that is, AC 2, has VLAN-interface 3, AC 2 forwards packets from Client 1. Otherwise, packets
from Client 1 are sent to HA (AC 1) through the data tunnel and then HA forwards these packets.
Client 2 goes online through AP 4 and belongs to VLAN 2. A client going online through a different AP
is assigned to a different VLAN.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target wireless service to enter the AP radio setup page, as shown
in Figure 345.
3. Select the box for the AP radio mode to be bound.
4. Select Binding VLAN and enter the VLAN to be bound in the Binding VLAN field.
5. Click Bind.
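The VLAN behaviour described above, as an added illustration that is not code from the product or this guide: a client's access VLAN is taken from the binding of the AP radio it came online through, is kept while it roams, and is forwarded by the FA only if the FA has a VLAN-interface for that VLAN; otherwise traffic goes back to the HA over the tunnel. The class names, the AcGroup model and the topology are constructed to mirror Figure 346.

```python
from dataclasses import dataclass, field


@dataclass
class AccessController:
    name: str
    vlan_interfaces: set                      # VLAN IDs this AC has a VLAN-interface for
    aps: set = field(default_factory=set)     # APs managed by this AC
    radio_vlan_bindings: dict = field(default_factory=dict)   # (AP, SSID) -> bound VLAN


@dataclass
class ClientSession:
    client: str
    ssid: str
    home_ac: AccessController    # HA: the AC the client first came online through
    vlan: int                    # assigned at login and kept while roaming
    current_ap: str


class AcGroup:
    """ACs joined by IACTP tunnels; the HA/FA roles follow the client's session."""

    def __init__(self, acs):
        self.ac_of_ap = {ap: ac for ac in acs for ap in ac.aps}

    def client_online(self, client, ssid, ap):
        ac = self.ac_of_ap[ap]
        # The VLAN comes from the binding of the AP radio the client associates
        # through, so the same SSID can land in different VLANs at different APs.
        vlan = ac.radio_vlan_bindings[(ap, ssid)]
        return ClientSession(client, ssid, ac, vlan, ap)

    def roam(self, session, new_ap):
        """Move the session to new_ap; return (VLAN, forwarding AC, via HA tunnel)."""
        fa = self.ac_of_ap[new_ap]
        session.current_ap = new_ap
        # A roaming client always keeps the VLAN it was assigned at login.
        if fa is session.home_ac:
            return session.vlan, fa.name, False        # intra-AC roaming
        if session.vlan in fa.vlan_interfaces:
            return session.vlan, fa.name, False        # FA has the VLAN-interface
        # FA lacks the VLAN-interface: traffic is tunnelled back to the HA.
        return session.vlan, session.home_ac.name, True


def build_example():
    """Constructed topology mirroring Figure 346."""
    ac1 = AccessController("AC 1", {3}, aps={"AP 1", "AP 2"})
    ac2 = AccessController("AC 2", {2, 3}, aps={"AP 3", "AP 4"})
    ac1.radio_vlan_bindings = {("AP 1", "service1"): 3, ("AP 2", "service1"): 3}
    ac2.radio_vlan_bindings = {("AP 3", "service1"): 3, ("AP 4", "service1"): 2}
    return ac1, ac2, AcGroup([ac1, ac2])


def run_scenario():
    """Replay the figure: Client 1 roams AP 1 -> AP 2 -> AP 3 -> AP 4; Client 2 joins at AP 4."""
    ac1, ac2, group = build_example()
    c1 = group.client_online("Client 1", "service1", "AP 1")
    results = {
        "online_vlan": c1.vlan,                                   # 3
        "intra_ac": group.roam(c1, "AP 2"),                       # (3, "AC 1", False)
        "inter_ac_fa_has_vlan": group.roam(c1, "AP 3"),           # (3, "AC 2", False)
    }
    ac2.vlan_interfaces.discard(3)        # now AC 2 has no VLAN-interface 3
    results["inter_ac_fa_lacks_vlan"] = group.roam(c1, "AP 4")   # (3, "AC 1", True)
    results["client2_vlan"] = group.client_online("Client 2", "service1", "AP 4").vlan  # 2
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```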

Binding a service template to a VLAN pool


For more information about VLAN pool, see "Configuring advanced settings."
To bind a service template to a VLAN pool:
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target wireless service, as shown in Figure 345.
3. Select the AP radio mode to be bound.
4. Select Binding VLAN pool and select the target VLAN pool from the Binding VLAN pool list.
5. Click Bind.

Enabling a radio
1. Select Radio > Radio from the navigation tree.
Figure 347 Enabling 802.11n radio

2. Select the box of the target radio.


3. Click Enable.

Displaying detailed information about a wireless service


Displaying detailed information about a clear-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the specified clear-type wireless service to see its detailed information.

Figure 348 Displaying detailed information about a clear-type wireless service

Table 120 Field description

Service Template Number: Current service template number.
SSID: Service set identifier.
Description: Description for the service template. Not Configured means no description is configured.
Binding Interface: Name of the WLAN-ESS interface bound with the service template.
Service Template Type: Service template type.
Authentication Method: Type of authentication used. A clear-type wireless service can use only Open System authentication.
Beacon-measurement: Enable means that the beacon measurement function is enabled.
Beacon-measurement Interval: The interval at which the AP sends beacon requests to clients.
Beacon-measurement Type:
• Passive.
• Active.
• Beacon-table.
Authentication Mode: Authentication mode of the service template:
• Central.
• Local.
• Backup.
SSID-hide:
• Disable—SSID advertisement is enabled.
• Enable—SSID advertisement is disabled, and the AP does not advertise the SSID in the beacon frames.
Bridge Mode: Forwarding mode:
• Local Forwarding—The AP forwards the data.
• Remote Forwarding—The AC forwards the data.
Service Template Status: Service template status, which can be:
• Enable—The wireless service is enabled.
• Disable—The wireless service is disabled.
Maximum clients per BSS: Maximum number of associated clients per BSS.
ip verify source: Status of source IPv4 address verification:
• Enable—Verify the source IPv4 address.
• Disable—Do not verify the source IPv4 address.
ipv6 verify source: Status of source IPv6 address verification:
• Enable—Verify the source IPv6 address.
• Disable—Do not verify the source IPv6 address.
Bonjour Policy: Name of the Bonjour policy applied to the service template.

Displaying detailed information about a crypto-type wireless service


1. Select Wireless Service > Access Service from the navigation tree.
2. Click a crypto-type wireless service to see its detailed information.

Figure 349 Displaying detailed information about a crypto-type wireless service

Table 121 Field description

Service Template Number: Current service template number.
SSID: Service set identifier.
Description: Description for the service template. Not Configured means no description is configured.
Binding Interface: Name of the WLAN-ESS interface bound with the service template.
Service Template Type: Service template type.
Security IE: WPA or WPA2(RSN).
Authentication Method: Type of authentication used: Open System or Shared Key.
Beacon-measurement: Enable means that the beacon measurement function is enabled.
Beacon-measurement Interval: The interval at which the AP sends beacon requests to clients.
Beacon-measurement Type:
• Passive.
• Active.
• Beacon-table.
Authentication Mode: Authentication mode of the service template:
• Central.
• Local.
• Backup.
SSID-hide:
• Disable—SSID advertisement is enabled.
• Enable—SSID advertisement is disabled, and the AP does not advertise the SSID in the beacon frames.
Cipher Suite: AES-CCMP, TKIP, or WEP40/WEP104/WEP128.
WEP Key Index: WEP key index used to encrypt or decrypt frames.
WEP Key Mode: WEP key mode:
• HEX—WEP key in hexadecimal format.
• ASCII—WEP key in the format of a string.
WEP Key: WEP key.
TKIP Countermeasure Time(s): TKIP MIC failure holdtime, in seconds.
PTK Life Time(s): PTK lifetime in seconds.
GTK Rekey: GTK rekey configured.
GTK Rekey Method: GTK rekey method configured:
• Time-based, which displays the GTK rekey time in seconds.
• Packet-based, which displays the number of packets.
GTK Rekey Time(s): Time for GTK rekey in seconds.
Bridge Mode: Forwarding mode:
• Local Forwarding—The AP forwards the data.
• Remote Forwarding—The AC forwards the data.
PMF Status: Management frame protection status:
• Disabled—PMF is disabled. All clients can associate with the AP. The AP does not protect management frames in communications.
• Optional—PMF is enabled. All clients can associate with the AP. The AP protects management frames from clients supporting PMF.
• Mandatory—PMF is enabled. Clients supporting PMF can associate with the AP. The AP protects management frames from these clients. Clients not supporting PMF cannot associate with the AP.
Service Template Status: Service template status:
• Enable—The wireless service is enabled.
• Disable—The wireless service is disabled.
Maximum clients per BSS: Maximum number of associated clients per BSS.
ip verify source: Status of source IPv4 address verification:
• Enable—Verify the source IPv4 address.
• Disable—Do not verify the source IPv4 address.
ipv6 verify source: Status of source IPv6 address verification:
• Enable—Verify the source IPv6 address.
• Disable—Do not verify the source IPv6 address.
Bonjour Policy: Name of the Bonjour policy applied to the service template.

Configuring policy-based forwarding
If the AC adopts the local authentication mode, it also uses the local forwarding mode, and any
policy-based forwarding configuration is invalid. For more information about authentication modes, see
"Configuring an authentication mode."
Before you can apply a forwarding policy, create a forwarding policy and specify forwarding rules. The
ACL sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with
a higher ID. If a match is found, the AC forwards the packet according to this rule. If no match is found,
or no rule is configured, the AC adopts the centralized forwarding mode by default.
The forwarding modes can be applied to a user profile or service template:
• User profile—If a client passes the 802.1X authentication, the authentication server sends the user
profile name used by the client to the AP. Then the AP obtains the forwarding mode applied to the
user profile. You need to create and enable the user profile on the AC first. If you configure a QoS
policy in the user profile at the same time, and the packets match both the QoS policy and the
forwarding mode, the QoS policy enjoys a higher priority.
• Service template—Clients associated with the AP adopt the forwarding mode in the service
template.
If you configure different forwarding modes in the user profile and the service template, the forwarding
mode in the user profile has a higher priority.
The forwarding mode takes effect only when applied to the AP, so you need to download the
configuration file from the AC to the AP. The configuration files must contain ACL numbers and ACL rules.
To apply the forwarding mode to the user profile, you must include user profile configurations in the
configuration file. For more information about the configuration file, see "Configuring APs."

Creating a forwarding policy


1. Select Wireless Service > Access Service from the navigation tree.
2. Click the Forwarding Policy tab.
3. Click Add.

Figure 350 Creating a forwarding policy

4. Create a forwarding policy as described in Table 122.


5. Click Add.
6. Click Apply.
Table 122 Configuration items

Policy Name: Create a forwarding policy. You can create 1000 forwarding policies at most.
ACL Type: Choose IPv4 or IPv6.
ACL Number: Specify the ACL number.
Forwarding Policy Rule: Behavior parameters of the AC:
• Remote—Use the centralized forwarding mode to forward packets.
• Local—Use the local forwarding mode to forward packets.
When the AC matches packets against the ACL specified in a forwarding rule, it does not distinguish between permit and deny rules.

Table 123 Supported ACL category

IPv4 basic ACL: Source IPv4 addresses.
IPv6 basic ACL: Source IPv6 addresses.
IPv4 advanced ACL and IPv6 advanced ACL:
• IP: Source and destination IP addresses.
• TCP and UDP: Source and destination port numbers.
• ICMP: Message type and message code of specified ICMP packets.
Ethernet frame header ACL: Source and destination MAC addresses.
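The forwarding decision described in "Configuring policy-based forwarding" and in Table 122, as an added model that is not code from the product or this guide: ACL rules are tried in ascending rule-ID order, the first hit selects the rule's Remote or Local behavior regardless of whether that ACL rule is permit or deny, no match means centralized forwarding, and a mode applied through the user profile overrides the service template. The AclRule and ForwardingRule structures, the sample addresses and the policy names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

REMOTE = "Remote"   # centralized forwarding: the AC forwards the packet
LOCAL = "Local"     # local forwarding: the AP forwards the packet itself


@dataclass
class AclRule:
    rule_id: int
    action: str                  # "permit" or "deny": ignored by the forwarding decision
    src: str = "0.0.0.0/0"       # basic ACL criterion (source address)
    dst: Optional[str] = None    # advanced ACL criteria; None means "any"
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


@dataclass
class ForwardingRule:
    acl: List[AclRule]     # the ACL the rule references by ACL number
    behavior: str          # REMOTE or LOCAL


def forwarding_mode_for_packet(policy: List[ForwardingRule], pkt: dict) -> str:
    """Return the forwarding mode a client packet gets under a forwarding policy."""
    for frule in policy:
        # ACL rules are tried in ascending order of rule ID; the first hit decides,
        # and a "deny" rule selects the behavior exactly like a "permit" rule does.
        for acl_rule in sorted(frule.acl, key=lambda r: r.rule_id):
            if acl_rule.matches(pkt):
                return frule.behavior
    # No match, or no rule configured: centralized forwarding by default.
    return REMOTE


def effective_mode(pkt, service_template_policy, user_profile_policy=None) -> str:
    """A forwarding mode applied through the user profile overrides the service template's."""
    if user_profile_policy is not None:
        return forwarding_mode_for_packet(user_profile_policy, pkt)
    return forwarding_mode_for_packet(service_template_policy, pkt)


# Constructed sample: keep branch-local server traffic on the AP and send everything
# else back to the AC, where it can be inspected centrally. Rule 10 is a deny rule,
# but it still selects local forwarding for 10.1.2.0/24 (a common surprise).
BRANCH_SERVERS_ACL = [
    AclRule(5, "permit", dst="10.1.1.0/24"),
    AclRule(10, "deny", dst="10.1.2.0/24"),
    AclRule(15, "permit", dst="10.1.3.10/32", protocol="tcp", dst_port=445),
]
SERVICE_TEMPLATE_POLICY = [ForwardingRule(BRANCH_SERVERS_ACL, LOCAL)]

# Constructed guest user profile: every packet is forwarded centrally by the AC.
GUEST_PROFILE_POLICY = [ForwardingRule([AclRule(1, "permit")], REMOTE)]

if __name__ == "__main__":
    for pkt in ({"src": "192.168.10.5", "dst": "10.1.1.20"},
                {"src": "192.168.10.5", "dst": "10.1.2.7"},
                {"src": "192.168.10.5", "dst": "8.8.8.8"}):
        print(pkt["dst"], "->", effective_mode(pkt, SERVICE_TEMPLATE_POLICY),
              "| guest profile:", effective_mode(pkt, SERVICE_TEMPLATE_POLICY, GUEST_PROFILE_POLICY))
```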

Applying a forwarding policy to an access service


1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target wireless service.

Figure 351 Applying a forwarding policy to an access service

3. Apply the forwarding policy to the access service as described in Table 124.
4. Click Apply.

Table 124 Configuration items

Forwarding Mode: Select Forwarding Policy Based from the list to enable the policy-based forwarding mode.
IMPORTANT: Forwarding policies apply only to packets sent by clients.
Forwarding Policy: Forwarding policy name.
IMPORTANT: This field can be null when you apply a forwarding policy to the user profile.

Applying a forwarding policy to a user profile


1. Enable the policy-based forwarding mode (see "Applying a forwarding policy to an access
service").
2. Configure the user profile.
a. On the AC, create and activate the user profile that will be applied to the AP.
Make sure the user profile on the AC, user scheme in the configuration files and user profile
sent by the authentication server have the same name.
b. Select Authentication > User from the navigation tree.
c. Click the User Profile tab.
d. Click Add.
Figure 352 Specify the name of the user profile

e. Enter a name of the user profile.


f. Click Apply.
g. Select User Profile, and click Enable.

Wireless service configuration example


Network requirements
As shown in Figure 353, enable the client to access the internal network resources at any time. The
manually entered serial ID of the AP is CN2AD330S8. The AP adopts 802.11n (2.4 GHz) and provides
plain-text wireless access service with SSID service1.

Figure 353 Network diagram

Configuration guidelines
Select a correct district code.

Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
Manual from the Serial ID list, and enter the serial ID of the AP.
d. Click Apply.
Figure 354 Creating an AP

2. Configure a wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to service1 and select the wireless service type
clear.
d. Click Apply.
Figure 355 Creating a wireless service

3. Enable the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.

b. On the page that appears, select service1 and click Enable.
Figure 356 Enabling wireless service

4. Bind an AP radio to a wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service service1.
c. On the page that appears, select the box to the left of the radio type 802.11n(2.4GHz).
d. Click Bind.
Figure 357 Binding an AP radio

5. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the box to the left of the radio mode 802.11n(2.4GHz).
c. Click Enable.
Figure 358 Enabling 802.11n(2.4GHz) radio

Verifying the configuration


• The client can successfully associate with the AP and access the WLAN network.
• You can view the online clients on the page that you enter by selecting Summary > Client from the
navigation tree.
Figure 359 Viewing the online clients

WPA-PSK authentication configuration example


Network requirements
As shown in Figure 360, connect the client to the wireless network through WPA-PSK authentication. The
client and the AC have the same PSK 12345678.

Figure 360 Network diagram

Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
Manual from the Serial ID list, enter the AP serial ID, and click Apply.
Figure 361 Creating an AP

2. Create a wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to psk, select the wireless service type crypto,
and click Apply.
Figure 362 Creating a wireless service

3. Configure wireless service:


After you create a wireless service, you will enter the wireless service configuration page.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select Cipher Suite, select TKIP (select an encryption type as needed), and then select WPA
from the Security IE list.
c. Select Port Set, and select psk from the Port Mode list.
d. Select pass-phrase from the Pre-shared Key list, and enter the key ID 12345678.

e. Click Apply.
Figure 363 Configuring security settings

4. Enable wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Select psk.
c. Click Enable.
Figure 364 Enabling wireless service

5. Bind an AP radio to a wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service psk.
c. On the page that appears, select the box to the left of the radio mode 802.11n(2.4GHz) and
click Bind.

Figure 365 Binding an AP radio

6. Enable 802.11n(2.4GHz) radio:


a. Select Radio > Radio from the navigation tree.
b. Select the ap box to the left of 802.11n(2.4GHz).
c. Click Enable.
Figure 366 Enabling 802.11n(2.4GHz) radio

Configuring the client


1. Launch the client, and refresh the network list.
2. Select the configured service in Choose a wireless network (PSK in this example).

3. Click Connect.
4. In the popup dialog box, enter the key (12345678 in this example), and then click Connect.
Figure 367 Configuring the client

The client has the same pre-shared key (PSK) as the AP, so the client can associate with the AP.
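WPA-PSK works because the client and the AC each derive the same pairwise master key (PMK) from the passphrase and the SSID. The following added example, not code from the product or this guide, derives it with the standard PBKDF2-HMAC-SHA1 construction for the passphrase 12345678 and SSID psk used in this example, and shows that a different passphrase or SSID on the client gives a different key, so the 4-way handshake fails. The function names are constructed.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 printable ASCII characters")
    # The SSID is the salt, so the same passphrase yields a different key per SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def association_succeeds(client_passphrase: str, ac_passphrase: str, ssid: str) -> bool:
    """Both sides derive their PMK independently. Only equal PMKs produce matching
    PTKs and therefore a valid MIC in the 4-way handshake, so the client associates
    only when the passphrases (and the SSID they are salted with) agree."""
    client_pmk = derive_pmk(client_passphrase, ssid)
    ac_pmk = derive_pmk(ac_passphrase, ssid)
    return hmac.compare_digest(client_pmk, ac_pmk)


if __name__ == "__main__":
    # Values from this configuration example: SSID "psk", pre-shared key "12345678".
    print("PMK for SSID psk:", derive_pmk("12345678", "psk").hex())
    print("same key on both sides:", association_succeeds("12345678", "12345678", "psk"))
    print("typo on the client:", association_succeeds("12345678", "12345679", "psk"))
```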

Figure 368 The client is associated with the AP

Verifying the configuration


• The client can successfully associate with the AP and access the WLAN network.
• You can view the online clients on the page you enter by selecting Summary > Client from the
navigation tree.

Local MAC authentication configuration example


Network requirements
The AC is connected to the AP through a Layer 2 switch, and they are on the same network. Perform MAC
authentication on the client.
Figure 369 Network diagram

Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.

b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
Manual from the Serial ID list, enter the AP serial ID, and click Apply.
Figure 370 Creating an AP

2. Create a wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to mac-auth, select the wireless service type
clear, and click Apply.
Figure 371 Creating a wireless service

3. Configure the wireless service:


After you have created a wireless service, you enter the wireless service configuration page.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Port Set box, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication box, and select system from the Domain list.
To create a domain, select Authentication > AAA from the navigation tree, click the Domain
Setup tab, and enter a domain name in the Domain Name field.
d. Click Apply.

Figure 372 Configuring security settings

4. Enable wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Select the mac-auth box.
c. Click Enable.
Figure 373 Enabling wireless service

5. Configure a MAC authentication list:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click MAC Authentication List.

c. On the page that appears, add a local user in the MAC Address field. 0014-6c8a-43ff is used
in this example.
d. Click Add.
Figure 374 Adding a MAC authentication list

6. Bind an AP radio to a wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service mac-auth.
c. On the page that appears, select the box to the left of the radio mode 802.11n(2.4GHz) and
click Bind.
Figure 375 Binding an AP radio

7. Enable 802.11n (2.4GHz) radio:


a. Select Radio > Radio from the navigation tree.
b. Select the 802.11n(2.4GHz) box of the target AP.
c. Click Enable.

Figure 376 Enabling 802.11n(2.4GHz) radio

Configuring the client


1. Launch the client, and refresh the network list.
2. Select the configured service in Choose a wireless network (mac-auth in this example).
3. Click Connect.
Figure 377 Configuring the client

Verifying the configuration


• The client can successfully associate with the AP and access the WLAN.

• You can view the online clients on the page you enter by selecting Summary > Client.

Remote MAC authentication configuration example


Network requirements
As shown in Figure 378, perform remote MAC authentication on the client.
• Use the intelligent management center (IMC) as the RADIUS server for authentication and
authorization. On the RADIUS server, configure the client's username and password as the MAC
address of the client and the shared key as expert. The IP address of the RADIUS server is
10.18.1.88.
• The IP address of the AC is 10.18.1.1. On the AC, configure the shared key for communication with
the RADIUS server as expert, and configure the AC to remove the domain name of a username
before sending it to the RADIUS server.
Figure 378 Network diagram

Configuring the AC
1. Assign an IP address to the AC:
a. Select Network > VLAN to create a VLAN on the AC.
b. Select Device > Interface Management to assign an IP address to the VLAN interface.
2. Configure a RADIUS scheme:
a. Select Authentication > RADIUS from the navigation tree.
b. Click Add.
c. On the page that appears, add two servers in the RADIUS Server Configuration area as shown
in Figure 379, and specify the key expert.
d. Enter mac-auth in the Scheme Name field.
e. Select Extended as the server type.
f. Select Without domain name from the Username Format List.
g. Click Apply.

Figure 379 Configuring RADIUS

3. Configure AAA:
a. From the navigation tree, select Authentication > AAA.
b. Optional: On the Domain Setup tab, create a new ISP domain.
This example uses the default domain system.
c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box,
select the authentication mode RADIUS, select the authentication scheme mac-auth from the
Name list, and click Apply.
Figure 380 Configuring the AAA authentication method for the ISP domain

d. On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box,
select the authorization mode RADIUS, select the authorization scheme mac-auth from the
Name list, and click Apply.
e. Click Close after the configuration process is complete.

Figure 381 Configuring the AAA authorization method for the ISP domain

f. Click Apply.
4. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
Manual from the Serial ID list, enter the AP serial ID, and click Apply.
Figure 382 Configuring an AP

5. Configure wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the wireless service name to mac-auth, select the wireless
service type clear, and click Apply.

Figure 383 Creating a wireless service

6. Configure MAC authentication:


After you create a wireless service, the wireless service configuration page appears.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Port Set box, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication box, and select system from the Domain list.
d. Click Apply.
Figure 384 Configuring security settings

7. Enable the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the mac-auth box.
c. Click Enable.

Figure 385 Enabling the wireless service

8. Bind an AP radio to the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service mac-auth.
c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
d. Click Bind.
Figure 386 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:


a. Select Radio > Radio from the navigation tree.
b. Select the ap 802.11n(2.4GHz) box of the target AP.
c. Click Enable.

Figure 387 Enabling 802.11n(2.4GHz) radio

Configuring the RADIUS server


The following example uses IMC (IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301)) to illustrate
the basic configuration of the RADIUS server.
To configure the RADIUS server:
1. Add an access device:
a. Click the Service tab in the IMC platform.
b. Select User Access Manager > Access Device Management from the navigation tree.
c. Click Add.
d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for
other parameters, and select or manually add the access device with the IP address 10.18.1.1,
and click Apply.
Figure 388 Adding an access device

2. Add a service:
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c. Click Add.

d. On the page that appears, set the service name to mac, keep the default values for other
parameters, and click Apply.
Figure 389 Adding a service

3. Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c. Click Add.
d. On the page that appears, enter username 00146c8a43ff, set the account name and
password both to 00146c8a43ff, select the service mac, and click Apply.
Figure 390 Adding an account

Verifying the configuration


• During the authentication, the user does not need to enter the username or password. After passing
MAC authentication, the client can associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client.

Remote 802.1X authentication configuration example

Network requirements
Perform remote 802.1X authentication on the client.

• Use IMC as a RADIUS server for authentication and authorization. On the RADIUS server, configure
the client's username as user, password as dot1x, and shared key as expert. The IP address of the
RADIUS server is 10.18.1.88.
• On the AC, configure the shared key as expert, and configure the AC to remove the domain name
of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
Figure 391 Network diagram

Configuring the AC
1. Assign an IP address to the AC:
a. Select Network > VLAN to create a VLAN on the AC.
b. Select Device > Interface Management to assign an IP address to the VLAN interface.
2. Configure a RADIUS scheme:
a. Select Authentication > RADIUS from the navigation tree.
b. Click Add.
c. On the page that appears, add two servers in the RADIUS Server Configuration, and specify
the key expert.
d. Enter 802.1x in the Scheme Name field.
e. Select the server type Extended, and select Without domain name from the Username Format
list.
f. Click Apply.

Figure 392 Configuring RADIUS

3. Configure AAA:
a. Select Authentication > AAA from the navigation tree.
b. (Optional.) On the Domain Setup tab, create a new ISP domain.
This example uses the default domain system.
c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box,
select the authentication mode RADIUS, select the authentication scheme 802.1x from the
Name list, and click Apply.
Figure 393 Configuring the AAA authentication method for the ISP domain

d. On the Authorization tab, select the domain name system, select the LAN-access AuthZ box,
select the authorization mode RADIUS, select the authorization scheme 802.1x from the Name
list, and click Apply.
Figure 394 Configuring the AAA authorization method for the ISP domain

4. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
Manual from the Serial ID list, enter the AP serial ID, and click Apply.
Figure 395 Configuring an AP

5. Configure wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to dot1x, select the wireless service type crypto,
and click Apply.

Figure 396 Creating a wireless service

6. Configure 802.1X authentication:


After you create a wireless service, the wireless service configuration page appears.
a. In the Security Setup area, select Open-System from the Authentication Type list, select the
Cipher Suite box, select AES from the Cipher Suite list, and select WPA2 from the Security IE list.
b. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
c. Select system from the Mandatory Domain list.
d. Select EAP from the Authentication Method list.
e. Disable Handshake and Multicast Trigger (recommended).
f. Click Apply.
Figure 397 Configuring security settings

7. Enable the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the dot1x box and click Enable.

Figure 398 Enabling the wireless service

8. Bind an AP radio to the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service dot1x.
c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
d. Click Bind.
Figure 399 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the box of the AP with the radio mode 802.11n(2.4GHz).
c. Click Enable.
Figure 400 Enabling 802.11n(2.4GHz) radio

Configuring the RADIUS server


The following example uses IMC (IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301)) to illustrate
the basic configuration of the RADIUS server. Make sure a certificate has been installed on the RADIUS
server.
To configure the RADIUS server:
1. Add an access device:
a. Click the Service tab in the IMC platform.
b. Select User Access Manager > Access Device Management from the navigation tree.
c. Click Add.
d. On the page that appears, enter 12345678 as the Shared Key for authentication, keep the
default values for other parameters, and select or manually add the access device with the IP
address 10.18.1.1, and click OK.
Figure 401 Adding access device

2. Add a service:
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to dot1x, and set the Certificate Type to
EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.
Figure 402 Adding a service

3. Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c. Click Add.
d. On the page that appears, enter username user, set the account name to user and password
to dot1x, and select the service dot1x, and click Apply.
Figure 403 Adding account

Configuring the wireless client

1. Double-click the icon at the bottom right corner of your desktop.
The Wireless Network Connection Status window appears.
2. Click Properties in the General tab.
The Wireless Network Connection Properties window appears.
3. In the Wireless Networks tab, select wireless network with the SSID dot1x, and then click
Properties.
The dot1x Properties window appears.
4. In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
5. In the popup window, clear Validate server certificate, and click Configure.
6. In the popup dialog box, clear Automatically use my Windows logon name and password (and
domain if any).

Figure 404 Configuring the wireless client (1)

Figure 405 Configuring the wireless client (2)

Figure 406 Configuring the wireless client (3)

Verifying the configuration


• After the user enters username user and password dot1x in the popup dialog box, the client can
associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client.

Dynamic WEP encryption-802.1X authentication configuration example

Network requirements
Perform dynamic WEP encryption-802.1X authentication on the client.
• Use IMC as a RADIUS server for authentication and authorization. On the RADIUS server, configure
the client's username as user, password as dot1x, and shared key as expert. The IP address of the
RADIUS server is 10.18.1.88.
• On the AC, configure the shared key as expert, and configure the AC to remove the domain name
of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.

Figure 407 Network diagram

Configuration procedure
1. Assign an IP address for the AC:
See "Assign an IP address to the AC."
2. Configure a RADIUS scheme:
See "Configure a RADIUS scheme."
3. Configure AAA:
See "Configure AAA."
4. Configure the AP:
See "Create an AP."
5. Create a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to dot1x, select the wireless service type crypto,
and click Apply.
Figure 408 Creating a wireless service

6. Configure 802.1X authentication:


After you create a wireless service, the wireless service configuration page appears.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select Encryption, and select Enable from the Provide Key Automatically list.
c. Select the Cipher Suite box, select CCMP from the Cipher Suite list, and select WPA2 from the
Security IE list.
d. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
e. Select system from the Mandatory Domain list.
f. Select EAP from the Authentication Method list.

g. Disable Handshake and Multicast Trigger (recommended).
h. Click Apply.
Figure 409 Configuring security settings

7. Enable the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the dot1x box and click Enable.
Figure 410 Enabling the wireless service

8. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service dot1x.
c. On the page that appears, select the box of 802.11n(2.4GHz) and click Bind.
Figure 411 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:


See "Enable 802.11n(2.4GHz) radio."
10. Configure the RADIUS server:
See "Configuring the RADIUS server."

Configuring the wireless client

1. Double-click the wireless network icon at the bottom right corner of your desktop.
2. In the Wireless Network Connection Status window that appears, click Properties.
3. In the Wireless Network window that appears, click Add.
4. Click the Association tab, and enter dot1x in the Network name (SSID) field. Make sure The key is
provided for me automatically is selected.
5. Click OK.

Figure 412 Configuring the wireless client (1)

6. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
7. In the popup window, clear Validate server certificate, and click Configure.
8. In the popup dialog box, clear Automatically use my Windows logon name and password (and
domain if any), and then click OK.

Figure 413 Configuring the wireless client (2)

Figure 414 Configuring the wireless client (3)

Verifying the configuration


• After the user enters username user and password dot1x in the popup dialog box, the client can
associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client.
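The following Python script is an added illustration and is not part of this guide or of the AC software. It builds the RADIUS Access-Request that the AC sends to the RADIUS server for an EAP client: the User-Name is sent without its domain (the behavior configured on the AC in this example), and the Message-Authenticator attribute (RFC 3579) is an HMAC-MD5 over the packet computed with the shared key expert, which is why the key must be identical on the AC and the server. The EAP Response/Identity, the fixed Request Authenticator used when checking, and the function names are constructed for the example; no packet is sent to the IMC server.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Values taken from the example above: AC (NAS) address and shared key
NAS_IP = "10.18.1.1"
SHARED_KEY = "expert"


def strip_domain(username):
    """Drop '@domain' as the AC does when configured to remove the domain name."""
    return username.split("@", 1)[0]


def _attr(atype, value):
    """Encode one type-length-value RADIUS attribute (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """Constructed EAP Response(2)/Identity(1) carrying the client's identity."""
    body = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(body), 1) + body


def build_access_request(identifier, secret, username, eap, request_authenticator=None):
    """Build an Access-Request relaying an EAP message, with a valid Message-Authenticator."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, strip_domain(username).encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + _attr(ATTR_EAP_MESSAGE, eap))
    # HMAC-MD5 is computed over the whole packet with the Message-Authenticator value zeroed.
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret.encode(), header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def _attributes(packet):
    """Yield (offset, type, value) for each attribute; raise on malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC as the server does; False for a wrong key, tampering, or a missing attribute."""
    try:
        found = [(off, val) for off, t, val in _attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, received = found[0]
    zeroed = bytearray(packet)
    zeroed[off + 2:off + 18] = bytes(16)
    expected = hmac.new(secret.encode(), bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def user_name(packet):
    """Return the User-Name the server will look up (domain already removed)."""
    for _, t, val in _attributes(packet):
        if t == ATTR_USER_NAME:
            return val.decode()
    raise ValueError("no User-Name attribute")


if __name__ == "__main__":
    pkt = build_access_request(7, SHARED_KEY, "user@system", eap_response_identity(1, "user"))
    print(user_name(pkt), verify_message_authenticator(pkt, SHARED_KEY),
          verify_message_authenticator(pkt, "wrong-key"))
```

A server configured with a different key rejects the request silently (RADIUS does not return an error for a bad Message-Authenticator), which is the usual symptom when the shared key on the AC and on IMC differ.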

Backup client authentication configuration example


Network requirements
Configure backup client authentication on the AC to achieve the following purposes:
• When the AC-AP connection is normal, the AC authenticates clients in the branch.
• When the connection fails, the AP authenticates clients and does not log off online clients.
Figure 415 Network diagram

Adding commands to the configuration file of the AP
port-security enable

domain branch.net
authentication lan-access local
authorization lan-access local
accounting lan-access local

local-user 00-14-6c-8a-43-ff
password simple 00-14-6c-8a-43-ff
service-type lan-access

mac-authentication user-name-format mac-address with-hyphen lowercase

Then save the configuration file with the name map.cfg, and upload it to the storage media of the AC.

Configuring the AC
Before configuring the AC in the Web interface, execute the mac-authentication user-name-format
mac-address with-hyphen lowercase command at the CLI so that MAC authentication users are looked up
by MAC-based accounts whose usernames are hyphenated, lowercase MAC addresses. This format must
match the local-user entries in the AP configuration file, or authentication on the AP fails.
To configure the AC:
1. Configure an ISP domain branch.net:
a. Select Authentication > AAA from the navigation tree.
You are placed on the Domain Setup tab.
b. Enter the domain name in the Domain Name field.
c. Click Apply.

Figure 416 Configuring an ISP domain

2. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
Manual from the Serial ID list, enter the serial ID of the AP, and click Apply.
Figure 417 Creating an AP

3. Configure wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to mac-auth, select the wireless service type
clear, and click Apply.

Figure 418 Creating a wireless service

4. Configure backup client authentication:


After you create a wireless service, you will enter the wireless service configuration page. Select
Backup from the Authentication Mode list and then configure local MAC authentication on the
page.

Figure 419 Configuring backup client authentication

5. Configure local MAC authentication:


a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Port Set box, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication box, and select branch.net from the Domain list. Make sure the
mandatory authentication domain and the ISP domain in the configuration file are the same.
d. Click Apply.

Figure 420 Configuring local MAC authentication

6. Enable wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Select the mac-auth box.
c. Click Enable.
Figure 421 Enabling wireless service

7. Configure a MAC authentication list:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click MAC Authentication List.
c. Enter the MAC address of a local user in the MAC Address field. 00-14-6c-8a-43-ff is used in this
example.
d. Click Add.
Figure 422 Adding a MAC authentication list

8. Enable remote AP and download the configuration file to the AP:


a. Select AP > AP Setup from the navigation tree.
b. Click the icon for the target AP in the list.
The page for configuring an AP appears.
c. Expand Advanced Setup, set the configuration file to map.cfg, and select Enable from the
Remote AP list.
d. Click Apply.
Figure 423 Enabling remote AP

9. Bind an AP radio to a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service mac-auth.
c. Select the box to the left of ap with the radio mode 802.11n(2.4GHz).
d. Click Bind.
Figure 424 Binding an AP radio

10. Enable 802.11n(2.4GHz) radio:


a. Select Radio > Radio Setup from the navigation tree.
b. Select the box to the left of ap with the radio mode 802.11n(2.4GHz).
c. Click Enable.
Figure 425 Enabling 802.11n(2.4GHz) radio

11. Verify the configuration:
When the connection between the AP and the AC is up, clients associated with the AP can access the
network after passing centralized authentication. Select Summary > Client from the navigation tree
to view detailed client information. The Authentication Mode field displays Central, which shows
that the AC authenticates the clients.
When the connection between the AC and the AP fails, clients associated with the AP are not logged
off, and the AP authenticates new clients.
When the connection between the AC and the AP recovers, the AP logs off all associated clients. The
clients can associate with the AP again after being authenticated by the AC. Select Summary > Client
from the navigation tree to view detailed client information. The Authentication Mode field again
displays Central.
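The following Python script is an added illustration and is not part of this guide or of HP's software. It renders the AP configuration file used above from a list of client MAC addresses in the hyphenated lowercase form that the mac-authentication user-name-format command selects, and checks an existing map.cfg for the two mistakes that make backup authentication fail on the AP: a local-user name or password that is not in that form, and an ISP domain that differs from the one selected in the Web interface. The file layout is taken from the snippet above; the function names and the example input MAC addresses are constructed for the example.

```python
import re

# Username format selected by:
#   mac-authentication user-name-format mac-address with-hyphen lowercase
MAC_WITH_HYPHEN_LOWER = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$")
USER_NAME_FORMAT_LINE = "mac-authentication user-name-format mac-address with-hyphen lowercase"


def normalize_mac(mac):
    """Accept 00146c8a43ff, 00:14:6C:8A:43:FF or 0014-6c8a-43ff; return 00-14-6c-8a-43-ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def render_map_cfg(domain, macs):
    """Produce the AP configuration file for backup client authentication (layout as in the example)."""
    lines = ["port-security enable", "",
             "domain " + domain,
             "authentication lan-access local",
             "authorization lan-access local",
             "accounting lan-access local", ""]
    for mac in sorted({normalize_mac(m) for m in macs}):
        # Username and password are both the MAC address, in the format the AP derives from the client.
        lines += ["local-user " + mac, "password simple " + mac, "service-type lan-access", ""]
    lines.append(USER_NAME_FORMAT_LINE)
    return "\n".join(lines) + "\n"


def check_map_cfg(cfg, web_domain):
    """Return a list of problems; an empty list means the file matches the Web interface settings."""
    problems = []
    domains = re.findall(r"^domain\s+(\S+)", cfg, re.M)
    if web_domain not in domains:
        problems.append("domain %s selected in the Web interface is not defined in the file" % web_domain)
    if USER_NAME_FORMAT_LINE not in cfg.splitlines():
        problems.append("user-name-format line missing: the AP will not build MAC-based usernames")
    user = None
    for line in cfg.splitlines():
        m = re.match(r"^local-user\s+(\S+)", line)
        if m:
            user = m.group(1)
            if not MAC_WITH_HYPHEN_LOWER.match(user):
                problems.append("local-user %s is not a hyphenated lowercase MAC address" % user)
            continue
        m = re.match(r"^password simple\s+(\S+)", line)
        if m and user and m.group(1) != user:
            problems.append("password for local-user %s must equal the MAC address" % user)
    return problems


if __name__ == "__main__":
    cfg = render_map_cfg("branch.net", ["00:14:6C:8A:43:FF"])
    print(cfg)
    print(check_map_cfg(cfg, "branch.net"))
```

Run the check against the domain you selected on the wireless service page (branch.net in this example) before uploading map.cfg to the AC; a mismatch is not reported by the Web interface.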

Local client authentication configuration example


Network requirements
Configure local client authentication on the AC so that the AP performs 802.1X authentication on
clients through the RADIUS server regardless of whether the AC-AP connection is up.
Deploy the RADIUS server at the AP side so that associated 802.1X clients are not logged off when the
connection between the branch and headquarters fails.
Figure 426 Network diagram

Adding commands to the configuration file of the AP


port-security enable

dot1x authentication-method eap

radius scheme rad


primary authentication 192.168.100.254
primary accounting 192.168.100.254
key authentication simple 123456
key accounting simple 123456
user-name-format without-domain

domain cams
authentication default radius-scheme rad
authorization default radius-scheme rad
accounting default radius-scheme rad

Then save the file with the name map.cfg, and upload it to the storage media on the AC.

Configuring the AC
1. Configure the AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
Manual from the Serial ID list, enter the serial ID of the AP, and click Apply.
Figure 427 Configuring the AP

2. Configure wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to dot1x, select the wireless service type crypto,
and click Apply.
Figure 428 Configuring a wireless service

3. Configure local authentication:


After you create a wireless service, you enter the wireless service configuration page. Select
Local from the Authentication Mode list and then configure 802.1X authentication on the page.

Figure 429 Configuring local client authentication

4. Configure 802.1X authentication:


On the wireless service configuration page:
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Cipher Suite box, select AES from the Cipher Suite list, and select WPA2 from the
Security IE list.
c. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
d. Select cams from the Mandatory Domain list. Make sure the mandatory authentication domain
and the ISP domain in the configuration file are the same.

e. Select EAP from the Authentication Method list.
f. Disable Handshake and Multicast Trigger (recommended).
g. Click Apply.
Figure 430 Security setup

5. Enable the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Select the dot1x box.
c. Click Enable.
Figure 431 Enabling the wireless service

6. Enable remote AP and download the configuration file to the AP:


a. Select AP > AP Setup from the navigation tree.
b. Click the icon for the target AP in the list.
The page for configuring an AP appears.
c. Expand Advanced Setup, set the configuration file to map.cfg, and select Enable from the
Remote AP list.
d. Click Apply.
Figure 432 Enabling remote AP

7. Bind an AP radio to the wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service dot1x.
c. Select the box for the AP with the radio mode 802.11n(2.4GHz).
d. Click Bind.

Figure 433 Binding an AP radio to a wireless service

8. Enable 802.11n(2.4GHz) radio:


a. Select Radio > Radio from the navigation tree.
b. Select the box for the AP with the radio mode 802.11n(2.4GHz).
c. Click Enable.
Figure 434 Enabling 802.11n(2.4GHz) radio

9. Verify the configuration:


The AP performs 802.1X authentication on clients through the RADIUS server regardless of whether the
AC-AP connection is up. When the connection is up, select Summary > Client from the navigation tree
on the AC to view detailed client information. The Authentication Mode field displays Local, which
shows that the AP authenticates the clients.

Policy-based forwarding configuration example
Network requirements
Configure policy-based forwarding so that both the centralized forwarding mode and the local
forwarding mode can be achieved for one SSID.
Figure 435 Network diagram

Adding commands to the configuration file of the AP


acl number 3000
rule 0 permit icmp icmp-type echo
acl ipv6 number 3001
rule 0 permit icmpv6 icmp6-type echo-request

undo user-profile aaa enable


user-profile aaa
wlan forwarding-policy us
user-profile aaa enable

Configuring the authentication server


Configure the shared key 12345678, add the username and password of the client, and make sure the
user profile name authorized for the client is aaa. (Details not shown.)

Configuring the AC
1. Configure forwarding policy st:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the Forwarding Policy tab.
c. Click Add.
d. On the page that appears, create a forwarding policy st as described in Figure 436.
e. Click Apply.

Figure 436 Creating a forwarding policy (1)

2. Configure forwarding policy us:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click the Forwarding Policy tab.
c. Click Add.
d. On the page that appears, create forwarding policy us as described in Figure 437.
e. Click Apply.

Figure 437 Creating a forwarding policy (2)

3. Configure 802.1X authentication method:


See "Remote 802.1X authentication configuration example."
4. Download the configuration file to the AP:
a. Select AP > AP Setup from the navigation tree, click the icon for the target AP.
b. Click Advanced Setup, and specify the configuration file as ACL.cfg.
c. Click Apply.

Figure 438 Downloading the configuration file to the AP

5. Apply the forwarding policy to the access service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the target wireless service.
c. Select the forwarding mode Forwarding Policy Based, specify the forwarding policy as st,
select the packets format 802.3, and click Apply.

Figure 439 Applying the forwarding policy to the access service

6. Apply the forwarding policy to the user profile:


a. Select Authentication > User from the navigation tree.
b. Click the User Profile tab.
c. Click Add.
d. On the page that appears, enter the user profile name aaa, and click Apply.
e. On the page that appears, select the box of the user profile, and click Enable.

Figure 440 Specifying the user profile name

Verifying the configuration


The forwarding policy applied to the user profile takes precedence over the one applied to the access
service, so forwarding policy us takes effect.
• Use an IPv4 client to ping the IP address of the interface that connects the AP to the AC. The ICMP
echo packet matches ACL 3000 and is forwarded by the AC. Before CAPWAP encapsulation, the AP
converts the 802.11 frame to an 802.3 frame, as selected by the 802.3 packet format.
• Use an IPv6 client to ping the same address. The ICMPv6 echo request matches ACL 3001 and is
forwarded locally by the AP.
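The following Python script is an added illustration of the forwarding decision above and is not part of this guide or of HP's software. The two ACL rules are the ones from the AP configuration file. Figures 436 and 437 are not reproduced, so the mapping of each ACL to a forwarding mode inside policies st and us is assumed: us is given the mapping that reproduces the verification result (ACL 3000 to centralized forwarding by the AC, ACL 3001 to local forwarding by the AP), st is given the opposite mapping so that the precedence rule is visible, and unmatched traffic is assumed to be forwarded centrally. Packet and policy representations are constructed for the example.

```python
from dataclasses import dataclass

ICMP_ECHO = 8              # ICMPv4 echo request (matches "rule 0 permit icmp icmp-type echo")
ICMPV6_ECHO_REQUEST = 128  # matches "rule 0 permit icmpv6 icmp6-type echo-request"


@dataclass(frozen=True)
class Packet:
    version: int        # 4 or 6
    proto: str          # "icmp", "icmpv6", "tcp", "udp", ...
    icmp_type: int = -1


@dataclass(frozen=True)
class AclRule:
    proto: str
    icmp_type: int = -1  # -1 matches any type

    def matches(self, pkt):
        return pkt.proto == self.proto and self.icmp_type in (-1, pkt.icmp_type)


# ACLs from the AP configuration file: 3000 is an IPv4 ACL, 3001 an IPv6 ACL
ACLS = {
    3000: (4, [AclRule("icmp", ICMP_ECHO)]),
    3001: (6, [AclRule("icmpv6", ICMPV6_ECHO_REQUEST)]),
}


def acl_permits(acl_number, pkt):
    """An ACL only matches packets of its own address family."""
    version, rules = ACLS[acl_number]
    return pkt.version == version and any(r.matches(pkt) for r in rules)


# Forwarding policy: ordered (acl, mode) pairs; "central" = AC forwards, "local" = AP forwards.
# The contents of st and us are assumptions (see lead-in); us reproduces the verification result.
POLICIES = {
    "st": [(3000, "local"), (3001, "central")],
    "us": [(3000, "central"), (3001, "local")],
}
DEFAULT_MODE = "central"  # assumption: traffic matching no ACL goes through the AC


def effective_policy(service_policy, user_profile_policy=None):
    """The policy authorized through the user profile overrides the one on the access service."""
    return user_profile_policy or service_policy


def forwarding_mode(policy_name, pkt):
    for acl, mode in POLICIES[policy_name]:
        if acl_permits(acl, pkt):
            return mode
    return DEFAULT_MODE


def decide(pkt, service_policy="st", user_profile_policy="us"):
    """Forwarding mode for one packet of a client authorized with the given user profile policy."""
    return forwarding_mode(effective_policy(service_policy, user_profile_policy), pkt)


if __name__ == "__main__":
    print(decide(Packet(4, "icmp", ICMP_ECHO)))              # central
    print(decide(Packet(6, "icmpv6", ICMPV6_ECHO_REQUEST)))  # local
```

Removing the user profile policy (for example, a client whose RADIUS authorization does not carry user profile aaa) makes the service policy st decide, which is the case to test when a client's traffic is not taking the path you expect.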

Configuring mesh services

A WLAN mesh network allows for wireless connections between APs, making the WLAN more mobile
and flexible. Also, you can establish multi-hop wireless links between APs. In these ways, a WLAN mesh
network differs from a traditional WLAN. However, from the perspective of end users, a WLAN mesh
network is no different from a traditional WLAN.

Mesh overview
Basic concepts in WLAN mesh
Concept Description
Access controller (AC) Device that controls and manages all the APs in the WLAN.

Mesh point (MP) Wireless AP that connects to a mesh portal point (MPP) through a wireless connection
but cannot have any client attached.

Mesh access point (MAP) AP providing the mesh service and the access service concurrently.

Mesh portal point (MPP) Wireless AP that connects to an AC through a wired connection.

Mesh link Wireless link between MPs.

Advantages of WLAN mesh


The WLAN mesh technology allows operators to easily deploy wireless networks anywhere and anytime.
WLAN mesh offers the following advantages:
• High performance/price ratio—In a mesh network, only the MPPs need to connect to a wired
network. In this way, the dependency on the wired network is reduced to the minimum extent, and
the investment in wired devices, cabling, and installation is also reduced.
• Excellent scalability—In a mesh network, the APs can automatically discover each other and initiate
wireless link setup. To add new APs to the mesh network, you need to install these new APs and
perform the related configurations.
• Fast deployment—Only the MPPs need to connect to a wired network, so WLAN mesh reduces the
network deployment time.
• Various application scenarios—The mesh network is applicable to enterprise, office, and campus
networks, which are common application scenarios of traditional WLANs. It is also applicable to
large-sized warehouse, port, MAN, railway transportation, and crisis communication networks.
• High reliability—In a traditional WLAN, when the wired upstream link of an AP fails, all clients
associated with the AP cannot access the WLAN. Comparatively, in a mesh network, all APs are
fully meshed. There are multiple available wireless links for a mesh AP to reach a portal node in the
wired network to effectively avoid single point failure.

Deployment scenarios
One-hop mesh link backhaul deployment
As shown in Figure 441, the MAP is a dual-radio AP, with one radio for WLAN access and the other for
mesh link backhaul. You can configure the MAC address of the MPP connected to the MAP to establish
a mesh link between them.
Figure 441 One-hop mesh link backhaul

HP supports up to 4 MAPs on a single MPP as shown in Figure 442.


Figure 442 MAP to MPP configuration


Two-hop mesh link backhaul deployment


As shown in Figure 443 and Figure 444, the MAP and the MP are both dual-radio APs. One radio of the
MAP is for WLAN access and the other for mesh link backhaul, and both MP radios are for mesh link
backhaul. You can configure peer-MAC addresses to establish a mesh link between the MAP and the
MPP to expand the wireless coverage.

Figure 443 Two-hop mesh backhaul deployment (1)

HP supports up to 4 MPs on a single MPP and up to 4 MAPs on a single MP as shown in Figure 444.
Figure 444 Two-hop mesh backhaul deployment (2)
(Figure not reproduced. It shows the AC, the MPP, MP 1 through MP 4 connected to the MPP by mesh
links, MAP 1 through MAP 16 connected to the MPs by mesh links, and clients PC1 and PC2.)

Configuring mesh service
Creating a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.

Figure 445 Configuring mesh service

3. Click Add.
Figure 446 Creating a mesh service

4. Configure the mesh service as described in Table 125.


5. Click Apply.
Table 125 Configuration items

Item Description
Mesh Service Name Name of the created mesh service.

Configuring a mesh service


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.
3. Click the icon for the target mesh service.

Figure 447 Configuring mesh service

4. Configure the mesh service as described in Table 126.


5. Click Apply.
Table 126 Configuration items

Item Description
Mesh Service Displays the selected mesh service name.

VLAN (Tagged) Enter the ID of the VLAN whose packets are to be sent tagged. The port sends the
traffic of this VLAN without removing the VLAN tag.

VLAN (Untagged) Enter the ID of the VLAN whose packets are to be sent untagged. The port sends the
traffic of this VLAN with the VLAN tag removed.

Default VLAN Set the default VLAN. By default, the default VLAN of all ports is VLAN 1. Traffic of the
default VLAN is sent untagged.

Exclude VLAN Remove VLAN IDs from the tagged and untagged VLAN lists.

Mesh Route Enable or disable the mesh route selection algorithm:
• Disable—Disable the mesh route selection algorithm.
• Enable—Enable the mesh route selection algorithm.
By default, the mesh route selection algorithm is enabled.

Link Keep Alive Interval Configure the mesh link keep-alive interval.

Link Backhaul Rate Configure the backhaul radio rate.

Security Configuration

Pass Phrase Enter a pre-shared key in the format of character string.

Raw Key Enter a pre-shared key in the format of hexadecimal digits.

Preshared Key Pre-shared key, which takes one of the following forms:
• Pass Phrase—A string of 8 to 63 characters.
• Raw Key—64 hexadecimal digits (a 256-bit key).

Binding an AP radio to a mesh service


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon for the target mesh service.
3. Select the radio to be bound.
4. Click Bind.
Figure 448 Binding an AP radio to a mesh service

Enabling a mesh service


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.
Figure 449 Enabling a mesh service

3. Select the mesh service to be enabled.


4. Click Enable.

Displaying detailed information about a mesh service


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.

3. Click a mesh service to see its detailed information.
Figure 450 Displaying detailed mesh service information

Table 127 Field description

Field Description
Mesh Profile Number Mesh service number.

Mesh ID Mesh ID of the mesh service.

Binding Interface Mesh interface bound to the mesh service.

MKD Service MKD service status:
• Enable—The MKD service is enabled.
• Disable—The MKD service is disabled.
Link Keep Alive Interval Interval to send keep-alive packets.

Link Backhaul Rate Link backhaul rate.

Mesh Profile Status Mesh service status:
• Enable—The mesh service is enabled.
• Disable—The mesh service is disabled.

Configuring a mesh policy


Creating a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.

Figure 451 Mesh policy configuration page

3. Click Add.
Figure 452 Creating a mesh policy

4. Configure the mesh policy as described in Table 128.


5. Click Apply.
Table 128 Configuration items

Item Description
Mesh Policy Name Name of the created mesh policy. A newly created mesh policy starts with the
contents of the default mesh policy default_mp_plcy.

Configuring a mesh policy


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the icon for the target mesh policy.

Figure 453 Configuring a mesh policy

4. Configure the mesh policy as described in Table 129.


5. Click Apply.
Table 129 Configuration items

Item Description
Mesh Policy Display the name of the created mesh policy.

Link establishment By default, link initiation is enabled.

Minimum time to hold a link Set the link hold time. An active link remains up within the link hold
time, even if the link switch margin is reached. This mechanism is used to avoid frequent link
switches.

Maximum number of links Set the maximum number of links that an MP can form in a mesh network.
IMPORTANT:
If more than two mesh links are configured on an AP, set the maximum number of links that the MP can
form accordingly.

Minimum rssi to hold a link Set the link formation/link hold RSSI (received signal strength
indicator). This is the minimum RSSI at which a link can be formed and held. The RSSI must stay above
this value at every hop of the mesh path; otherwise, the error rate can be very high.

Minimum margin rssi Set the link switch margin. If the RSSI of a new link exceeds that of the current
active link by the link switch margin, the active link is switched. This mechanism is used to avoid
frequent link switches.

Maximum rssi to hold a link Set the link saturation RSSI. This is the upper limit of RSSI on the
active link. If the value is reached, the chipset is saturated and a link switch occurs.

Interval between probe requests Set the probe request interval.

Role as authenticator By default, whether a device plays the role of an authenticator is based on
negotiation results.

ratemode Set the link rate mode:
• fixed—This is the default mode. The rate adopted is a fixed value, the maximum rate of the current
radio.
• realtime—The rate adopted changes with the link quality, that is, with the RSSI of the current
radio.
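The parameters in Table 129 act together, and the following Python script is an added illustration (not HP code) of the decisions an MP makes with them: whether a detected neighbor may become a link at all (link hold RSSI, maximum number of links), whether a weakened link is dropped, and whether an active link is replaced by a better one (link hold time, link switch margin, link saturation RSSI). The numeric values are placeholders chosen for the example, not the product defaults, and the order in which the checks are applied is a reading of the table, not a description of the product's implementation.

```python
from dataclasses import dataclass


@dataclass
class MeshPolicy:
    # Placeholder values for the example; the product defaults are not listed in this guide.
    link_hold_rssi: int = 15        # minimum RSSI to form or hold a link
    link_hold_time_ms: int = 5000   # an active link is kept at least this long
    link_switch_margin: int = 5     # a candidate must beat the active link by more than this
    link_saturation_rssi: int = 95  # at or above this the chipset is saturated; switch away
    max_links: int = 2              # maximum number of links an MP may form


@dataclass
class Link:
    peer: str           # peer MAC address or AP name
    rssi: int
    up_since_ms: int = 0


def can_form_link(policy, active_links, candidate):
    """A neighbor becomes a link only above the hold RSSI and within the link budget."""
    return candidate.rssi >= policy.link_hold_rssi and len(active_links) < policy.max_links


def should_drop(policy, link):
    """A link whose RSSI falls below the hold RSSI cannot be held."""
    return link.rssi < policy.link_hold_rssi


def should_switch(policy, active, candidate, now_ms):
    """Decide whether 'candidate' replaces the active link at time now_ms."""
    if candidate.rssi < policy.link_hold_rssi:
        return False  # the candidate could not be held anyway
    if now_ms - active.up_since_ms < policy.link_hold_time_ms:
        return False  # link hold time: damp flapping even if the margin is reached
    if active.rssi >= policy.link_saturation_rssi:
        return True   # saturated chipset: move off this link
    return candidate.rssi - active.rssi > policy.link_switch_margin


def select_links(policy, neighbours):
    """Pick up to max_links neighbors, strongest first, that pass the hold RSSI."""
    usable = sorted((n for n in neighbours if n.rssi >= policy.link_hold_rssi),
                    key=lambda n: -n.rssi)
    return usable[:policy.max_links]


if __name__ == "__main__":
    policy = MeshPolicy()
    active = Link("mpp", rssi=40, up_since_ms=0)
    print(should_switch(policy, active, Link("mp2", 44), now_ms=10000))  # False: within margin
    print(should_switch(policy, active, Link("mp2", 46), now_ms=10000))  # True: beats margin
    print(should_switch(policy, active, Link("mp2", 60), now_ms=1000))   # False: hold time
```

When an AP has more than two mesh links configured, the max_links check is the one that silently prevents the extra links from forming, which is the situation the IMPORTANT note in the table refers to.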

Binding an AP radio to a mesh policy


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the button for the target mesh policy.
4. Select the AP radio to be bound.
5. Click Bind.

Displaying detailed information about a mesh policy


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click a mesh policy to see its detailed information.

Figure 454 Displaying detailed mesh policy information

Table 130 Field description

Field Description
MP Policy Name Name of the mesh policy.

Mesh Link Initiation Whether link initiation is enabled or not.

Authenticator Role Authenticator role status:
• Enable—The authenticator role is enabled.
• Disable—The authenticator role is disabled.

Max Links Maximum number of links on a device using this mesh policy.

Probe Request Interval (ms) Interval between probe requests sent by a device using this mesh
policy.

Link Hold RSSI Link hold RSSI.

Link Hold Time (ms) Link hold time.

Link Switch Margin Link switch margin.

Link saturation RSSI Link saturation RSSI.

Link rate-mode Method of calculating the link cost:
• Fixed—The mesh interface rate is fixed.
• real-time—The mesh interface rate changes with the RSSI in real time.

Mesh global setup
Mesh basic setup
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab.
Figure 455 Configuring basic mesh settings

3. Configure the basic mesh settings as described in Table 131.


4. Click Apply.
Table 131 Configuration items

Item Description
MKD-ID Make sure the MAC address configured is unused and has the correct vendor-specific part.
The MAC address of an AC should not be configured as the MKD-ID.

Dynamic Channel Select Select the dynamic channel selection (DFS) mode:
• Manual—Select one-time DFS and click Apply to enable it. In manual mode, if no mesh network is
specified when the next calibration interval is reached, the AC refreshes the radio information of
all mesh networks that it manages and displays it on the Radio Info tab of the Mesh Channel Optimize
page. You can view the radio information and select the mesh networks for which one-time DFS is to
be performed on the Mesh Channel Optimize tab. After that, if you want the AC to perform DFS for the
mesh network again, you have to make this configuration again.
• Auto—Select auto-DFS and click Apply to enable it. Auto-DFS applies to all mesh networks in which
the working channels of the radios are selected automatically. With auto-DFS enabled, the AC makes
DFS decisions at the calibration interval automatically.
• Close—Close DFS. At the next calibration interval, the radio information and channel switching
information on the Mesh Channel Optimize page are cleared.
By default, DFS for a mesh network is disabled.

IMPORTANT:
Before enabling auto or one-time DFS for a mesh network, make sure auto
mode is selected for the working channel of radios in the mesh network. For
the related configuration, see "Configuring radios."

Enabling mesh portal service


1. Select Wireless Service > Mesh Service from the navigation tree.

2. Click the Global Setup tab.
Figure 456 Enabling mesh portal service

3. Select the AP for which mesh portal service is to be enabled.


4. Click Enable.

Configuring a working channel


You can configure a working channel by using one of the following methods.
Regardless of the method used, when an AP detects radar signals on its working channel, the AP and
every AP that has established a mesh link with it switch to another available working channel.
In some countries, most available channels on the 802.11a band are radar channels. HP recommends
that you use the auto mode to establish mesh links on the 802.11a band.

Manual

1. Select Radio > Radio from the navigation tree, and click the icon for the target AP.

Figure 457 Configuring a radio

2. On the page that appears, select a specified channel from the Channel list.
3. Click Apply.

NOTE:
Specify a working channel for the radios of the MAP and MPP. Specify the same working channel for the
radio of the MAP and the radio of the MPP.

Auto
Set the working channel mode on the MPP and MAP to auto so that the working channel is automatically
negotiated when a WDS link is established between the MPP and MAP.

NOTE:
If you configure the working channel mode of the radios of the MPP and MAP as auto, the automatically
selected working channel is a non-radar channel.

Enabling radio
1. Select Radio > Radio from the navigation tree.

Figure 458 Enabling a radio

2. Select the radio mode to be enabled.


3. Click Enable.

Configuring a peer MAC address


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon for the target mesh service.
3. Select the AP radio to be bound, and click the icon.
Figure 459 Configuring a peer MAC address

4. Configure the peer MAC address as described in Table 132.


5. Click Apply.
Table 132 Configuration items

Item Description
Peer MAC Address MAC address of the peer AP radio. The mesh feature supports two topologies, and
in both it is implemented through configuration of peer MAC addresses on each AP.

Cost Sets the STP cost of the mesh link to the peer. If not configured, the STP cost is
automatically calculated by STP. You can view the cost of the mesh link on the page shown in
Figure 459.

Configuring mesh DFS
Displaying radio information
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab.
3. Click the specified mesh network, and click the Radio Info tab.
Figure 460 Displaying radio information

Displaying channel switch information


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab.
3. Click the mesh network, and then select the Channel Switch Info tab to view the channel switching
information.
Figure 461 Displaying mesh channel switching information

NOTE:
• If you select Auto or Close for dynamic channel selection on the Global Setup tab, when you enter the
Mesh Channel Optimize page, the Channel Optimize button is grayed out, and you cannot perform
the operation.
• If you select manual DFS on the Global Setup tab, select mesh networks where DFS will be performed,
and then click Channel Optimize to complete DFS. In auto mode, DFS is performed at the calibration
interval. In manual mode, DFS is performed one time.

Table 133 Field description

Field Description
AP AP name in the mesh network.

Radio Radio of the AP.

Chl(After/Before) Channels before and after channel optimization.

Date(yyyy-mm-dd) Date, in the format of yyyy-mm-dd.

Time(hh:mm:ss) Time, in the format of hh:mm:ss.

Displaying the mesh link status


Mesh link monitoring
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Info tab.
Figure 462 Displaying the mesh link monitoring information

You can monitor the mesh link status in real-time on the mesh link monitoring page.

Mesh link test


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Test tab.

Figure 463 Displaying mesh link test information

3. Select the box of the target AP.


4. Click Begin.

WLAN mesh configuration example


Network requirements
As shown in Figure 464, establish a mesh link between the MAP and the MPP on the 5 GHz radio, and
configure 802.11n (2.4GHz) access on the MAP so that the client can access the network.
1. Establish a mesh link between the MPP and the MAP by following these steps:
Configure the MAP and MPP—Select AP > AP Setup from the navigation tree, and click Add to
configure the MAP and MPP. For more information, see "Create an MAP and MPP."
Configure a mesh service—After creating a mesh service and configuring a pre-shared key, bind
the mesh service to the AP radios and enable the mesh service. For more information, see "Create
a mesh service."
Configure a mesh policy—A mesh policy exists by default. You can create a mesh policy and bind
it to an AP. For more information, see "(Optional) Configure a mesh policy."
Mesh global setup—Configure an MKD-ID (one exists by default), and enable mesh portal service
for the MPP. For more information, see "Configure mesh service globally."
Configure the same working channel on the MAP and MPP, and enable the radios. For more
information, see "Configure the same working channel and enable the radio on the MAP and MPP."
2. Configure 802.11n (2.4GHz) service on the MAP to enable the client to access the WLAN. For more
information, see "Wireless service configuration example."
Figure 464 Network diagram

Configuring the AC
1. Create an MAP and MPP:

a. Select AP> AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to map, select the AP model MSM460-WW, select
Manual from the Serial ID list, enter the AP serial ID, and click Apply.
Figure 465 Configuring an AP

d. Create the MPP by following the same steps.


2. Create a mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Mesh Service tab.
c. Click Add.
d. On the page that appears, set the mesh service name to outdoor and click Apply.
After completing mesh service configuration, you enter the page shown in Figure 467.
Figure 466 Creating a mesh service

Figure 467 Configuring a pre-shared key

e. Select Pass Phrase, and set the pre-shared key to 12345678.


f. Click Apply.
3. Bind a radio to the mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.

b. Click the icon for the mesh service outdoor.
c. Select the AP radios to be bound.
d. Click Bind.
Figure 468 Binding an AP radio to a mesh service

4. Enable the mesh service:


a. Select Wireless Service > Mesh Service from the navigation tree.
Figure 469 Enabling the mesh service

b. Select the mesh service to be enabled.


c. Click Enable.
5. (Optional) Configure a mesh policy.

NOTE:
By default, the default mesh policy default_mp_plcy already exists. You can create a mesh policy and
bind the mesh policy to an AP as needed. By default, the default_mp_plcy mesh policy is mapped to
an AP.

6. Configure mesh service globally:


a. (Optional) Select Wireless Service > Mesh Service from the navigation tree, and click the
Global Setup tab to enter the mesh global setup page and set the MKD-ID. (By default, the
MKD-ID exists.)
b. Select the MPP that has wired connectivity with the AC to enable mesh portal service.
c. Click Enable.

Figure 470 Configuring mesh portal service

7. Configure the same working channel and enable the radio on the MAP and MPP:
a. Select Radio > Radio from the navigation tree.
b. Click the icon for the target MAP.
Figure 471 Configuring the working channel

c. Select the channel 153 to be used from the Channel list.


d. Click Apply.

You can follow this step to configure the working channel for the MPP. The working channel of
the radio on the MPP must be the same as the working channel of the radio on the MAP.
8. Enable radio:
a. Select Radio > Radio from the navigation tree.
b. Select the radio modes to be enabled for the MAP and MPP.
c. Click Enable.
Figure 472 Enabling radio

Verifying the configuration


• The mesh link between the MAP and the MPP has been established, and they can ping each other.
• After 802.11n(2.4GHz) is configured on the MAP, the client can access the network through the
mesh link.

Mesh point-to-multipoint configuration example


Network requirements
AP 1 operates as an MPP, and establishes a mesh link with AP 2, AP 3, AP 4, and AP 5.
The mesh configuration is the same as the normal WLAN mesh configuration.

Figure 473 Network diagram

Configuration guidelines
• Configure a peer MAC address for each radio interface. Configure the MAC addresses of AP 2
through AP 5 on AP 1, and configure the MAC address of only AP 1 on AP 2 through AP 5.
• Set the value of maximum links that an MP can form in a mesh network (The default value is 2. It
must be set to 4 in this example.). For more information, see "Configuring a mesh policy."

Configuring mesh point-to-multipoint


Mesh configuration in this example is the same as normal WLAN mesh configuration. For more
information, see "Configuring the AC."

Mesh DFS configuration example


Network requirements
• As shown in Figure 474, establish an 802.11n(5GHz) mesh link between the MAP and MPP. The
working channel is automatically selected.
• Enable one-time DFS. After that, the AC performs DFS for the radios when certain trigger conditions
are met on the channel.
Figure 474 Network diagram (AC, MPP, and MAP, with an 802.11n(5GHz) mesh link between the MPP and the MAP)

Configuration guidelines
The mesh configuration in this example is similar to a common wireless mesh configuration. Follow these
guidelines when you configure mesh DFS:
• Configure the working channel mode of the radios that provide mesh services as auto.
• Do not configure any wireless service on radios that provide mesh services.

Configuration procedure
The mesh configuration is the same as the normal WLAN mesh configuration. For configuration
procedures, see "WLAN mesh configuration example." Perform the following operations after
completing mesh configuration:
1. (Optional) Set a calibration interval:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. On the page that appears, enter the calibration interval 3 and click OK.

Figure 475 Setting mesh calibration interval

2. Configure mesh DFS:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Global Setup tab.
c. On the page that appears, select the Manual box for Dynamic Channel Select.
d. Click Apply.
Figure 476 Configuring mesh DFS

3. Enable one-time DFS for the mesh network:


a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Mesh Channel Optimize tab.
c. Select the outdoor mesh network.
d. Click Channel Optimize.
Figure 477 Configuring one-time mesh DFS

Verifying the configuration


After the next calibration interval, you can view the channel switching information:
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab.
3. Click the Channel Switch Info tab.
4. Select the target mesh network to display the radio information.

Figure 478 Displaying mesh channel switching information

Configuring an IACTP tunnel and WLAN roaming

IACTP tunnel
The Inter AC Tunneling Protocol (IACTP) provides a generic packet encapsulation and transport
mechanism for ACs to securely communicate with each other.
IACTP provides a control tunnel to exchange control messages, and a data tunnel to transmit data
packets between ACs. IACTP supports both IPv4 and IPv6.
WLAN roaming, AC backup, and AC-BAS collaboration all rely on IACTP for inter-AC
communication.

WLAN roaming overview


WLAN roaming enables clients to roam between ACs in a mobility group or within an AC. ACs in a
mobility group communicate with each other through IACTP tunnels.
When a client supporting fast roaming associates with one of the ACs in a mobility group for the first time,
the AC (called the HA) performs 802.1X authentication and 802.11 key exchange for the client. The client
information is synchronized across ACs in the mobility group. When this client roams to another AC in
the mobility group (called the FA), the FA uses the stored client information to fast authenticate the client:
it skips 802.1X authentication, performs only the 802.11 key exchange, and associates with the
client.

Configuring an IACTP tunnel


IMPORTANT:
Roaming group configuration is available only for inter-AC roaming. For the configuration example of
inter-AC roaming, see "Inter-AC roaming configuration example."

1. Select Roam > Roam Group from the navigation tree.

Figure 479 Configuring an IACTP tunnel

2. Configure an IACTP tunnel as described in Table 134.


3. Click Apply.
Table 134 Configuration items

IACTP Tunnel:
• Enable—Enable IACTP service.
• Disable—Disable IACTP service.

IP Type: Select IPv4 or IPv6.

Source Address: Source address of the IACTP protocol.

Auth Mode: Optional. MD5: Select the MD5 authentication mode.
The control message integrity can be verified when the MD5 authentication mode is
selected. The sender (an AC) calculates a digest based on the content of a control
message. On receiving such a message, the receiver (another AC in the roaming group)
calculates the digest again and compares it against the digest present in the message
to verify the integrity of the packet received. If the digests are the same, the packet has not been
tampered with.

Auth Key: MD5 authentication key.
If you select the MD5 authentication mode, you must enter an authentication key.
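As an added example (not the product's code), the following Python sketch shows the integrity check described for Auth Mode: the sending AC appends a digest computed with the shared Auth Key, and the receiving AC recomputes it and rejects the message on any mismatch. The page does not specify the exact digest construction or wire format, so the HMAC-MD5 keyed digest and the simple type/length framing used here are assumptions, as are the function names and the sample Auth Key and payload.

```python
import hmac
import hashlib
import struct

# Hypothetical control message framing for this example (constructed for
# illustration; not the product's wire format):
#   2-byte big-endian message type, 2-byte payload length, payload,
#   then a 16-byte keyed MD5 digest computed over everything before it.
DIGEST_LEN = 16


def build_control_message(auth_key: bytes, msg_type: int, payload: bytes) -> bytes:
    """Sender side (an AC): frame the message and append the digest."""
    header = struct.pack("!HH", msg_type, len(payload))
    body = header + payload
    # Assumption: HMAC-MD5 over the framed body, keyed with the configured Auth Key.
    digest = hmac.new(auth_key, body, hashlib.md5).digest()
    return body + digest


def verify_control_message(auth_key: bytes, message: bytes):
    """Receiver side (another AC in the roaming group).

    Returns (ok, msg_type, payload). ok is False when the digest does not
    match, i.e. the message was altered in transit or was produced with a
    different Auth Key than the one configured on this AC."""
    if len(message) < 4 + DIGEST_LEN:
        return False, None, None
    body, received = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
    msg_type, length = struct.unpack("!HH", body[:4])
    if length != len(body) - 4:
        # Truncated or padded message: never trust the length field alone.
        return False, None, None
    expected = hmac.new(auth_key, body, hashlib.md5).digest()
    # compare_digest avoids leaking which byte differed through timing.
    if not hmac.compare_digest(expected, received):
        return False, None, None
    return True, msg_type, body[4:]


def demo():
    """Constructed scenario: a valid message, a tampered copy, and a peer with
    a different Auth Key. Returns the three verification results."""
    key = b"roam-group-secret"  # constructed Auth Key shared by the roaming group
    msg = build_control_message(key, 0x0001,
                                b"client=00:11:22:33:44:55;ha=192.168.1.100")
    ok_good, _, _ = verify_control_message(key, msg)
    # Simulated in-transit modification of one payload byte.
    tampered = bytearray(msg)
    tampered[10] ^= 0x01
    ok_tampered, _, _ = verify_control_message(key, bytes(tampered))
    # Peer AC configured with a different Auth Key (misconfigured roaming group).
    ok_wrong_key, _, _ = verify_control_message(b"other-key", msg)
    return ok_good, ok_tampered, ok_wrong_key
```

Both the altered message and the wrong-key case fail verification, so on the receiving AC a key mismatch between two members of the roaming group looks the same as tampering.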

Adding a member to the IACTP tunnel


1. Select Roam > Roam Group from the navigation tree.

Figure 480 Adding a member to the IACTP tunnel

2. Add a member to the IACTP tunnel as described in Table 135.


3. Click Add.
4. Click Apply.
Table 135 Configuration items

IP Address: Add the IP address of an AC to a roaming group.
IMPORTANT:
When you configure a roaming group, the roaming group name configured
for the ACs in the same roaming group must be the same.

VLAN: Configure the VLAN to which the roaming group member belongs.
This configuration item is optional.
If multiple ACs exist in a roaming group, make sure no loop occurs on the
IACTP tunnels between ACs in the group when you configure this option.

NOTE:
• The user profile configurations of the ACs in a roaming group must be the same. For more information,
see "Configuring users."

Configuring WLAN roaming
Configuring WLAN roaming
1. Select Roam > Roam Group from the navigation tree.
Figure 481 Configuring WLAN roaming

2. Select Enable to the right of Client Roaming.


By default, WLAN roaming is enabled.
3. Click Apply.

Displaying client information


1. Select Roam > Roam Client from the navigation tree.
Figure 482 Displaying client information

2. View the detailed information and roaming information of the client by clicking a target client. For
more information, see "Displaying information summary."

WLAN roaming configuration examples
Intra-AC roaming configuration example
Network requirements
As shown in Figure 483, an AC has two APs associated and all of them are in VLAN 1. A client is
associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when
roaming to AP 2.
Figure 483 Network diagram

Configuration guidelines
When you configure intra-AC roaming, the SSIDs of the two APs must be the same. The same wireless
service must be bound to the radios of the two APs (see "Bind AP radios to the wireless service").

Configuring the AC
If remote authentication is required in the authentication mode you select, configure the RADIUS server.
For information about how to configure the RADIUS server, see "Configuring AAA."
1. Create two APs:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap1, select the AP model MSM460-WW, select
Manual from the Serial ID list, enter the serial ID of the AP, and click Apply.
d. Follow the same steps to create the other AP.
2. Configure wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.

c. On the page that appears, set the service name to Roam, and click Apply.

NOTE:
For information about how to configure the authentication mode, see "Configuring access services."
Fast roaming can be implemented only when the RSN+802.1X authentication mode is adopted.

3. Enable wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Select the Roam box.
c. Click Enable.
4. Bind AP radios to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon to the right of the wireless service Roam.
c. Select the box before ap1 with radio type 802.11n(2.4GHz), and the box to the left of ap2 with
radio type 802.11n(2.4GHz).
d. Click Bind.
Figure 484 Binding AP radios

5. Enable dot11g radio:


a. Select Radio > Radio Setup from the navigation tree.
b. On the page that appears, select the box to the left of ap1 with the radio mode
802.11n(2.4GHz), and select the box to the left of ap2 with the radio mode 802.11n(2.4GHz).
c. Click Enable.

Figure 485 Enabling radio

Verifying the configuration


1. Display the roaming information of the client:
a. Select Summary > Client from the navigation tree.
b. Click the Roam Information tab.
c. Click the desired client to view the roaming information of the client.
From the roaming information, you can see that the client accesses the WLAN through AP 1,
and the BSSID of AP 1 is 000f-e27b-3d90 (see Figure 486).
Figure 486 Client status before intra-AC roaming

d. Click Refresh.
On the Roam Information page that appears, you can see that the client is connected to the
WLAN through AP 2, and the BSSID of AP 2 is 000f-e233-5500.

Figure 487 Client status after intra-AC roaming

2. View the Roam Status field:


a. Select Summary > Client from the navigation tree.
You are placed in the Detail Information tab.
b. Click the desired client.
Intra-AC roam association appears in the Roam Status field.
Figure 488 Verifying intra-AC roaming

Inter-AC roaming configuration example


Network requirements
As shown in Figure 489, two ACs, each connected to an AP, are connected through a Layer 2
switch. Both ACs are in the same network. The IP address of AC 1 is 192.168.1.100 and that of AC 2 is
192.168.1.101. A client associates with AP 1.
Configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.

Figure 489 Network diagram

Configuration guidelines
Follow these guidelines when you configure inter-AC roaming:
• The SSIDs and the authentication and encryption modes of two APs should be the same.
• An IACTP tunnel must be configured on both of the two ACs.

Configuring AC 1 and AC 2
If remote authentication is required in the authentication mode you select, configure the RADIUS server.
For information about how to configure the RADIUS server, see "Configuring RADIUS."
1. Establish AC-AP connections:
Configure AC 1 and AC 2 to establish a connection between AP 1 and AC 1, and between AP 2
and AC 2. You see that the two APs are in the running status only after you establish the
connections. To view the AP status, select Summary > AP or AP > AP Setup.
For the related configuration, see "Configuring access services."

NOTE:
For the configuration of authentication mode, see "Configuring access services." Fast roaming
supporting key caching can be implemented only when RSN+802.1X authentication is adopted.

2. Configure an IACTP tunnel:


a. Select Roam > Roam Group from the navigation tree.
b. On the page that appears, select Enable from the IACTP Tunnel list, select IPv4 from the IP Type
list, enter 192.168.1.100 for Source address, the IP address of AC 1, enter the IP address of
AC 2 in the member list, and click Add.
c. Click Apply.

Figure 490 Configuring an IACTP tunnel on AC 1

d. Configure the IACTP tunnel on AC 2.


The source address is the IP address of AC 2, and the member address is the IP address of AC
1. (Details not shown.)

Verifying the configuration


1. Verify the status of the IACTP tunnel:
a. On AC 1, select Roam > Roam Group from the navigation tree.
You can see that the group member 192.168.1.101 is in Run state.
Figure 491 Verifying the IACTP tunnel state (1)

b. On AC 2, select Roam > Roam Group from the navigation tree.


You can see that the group member 192.168.1.100 is in Run state.

Figure 492 Verifying the IACTP tunnel state (2)

2. Display the client information:


a. After the client roams from AP 1 to AP 2, select Roam > Roam Client on AC 1.
You can see that the client roams out of 192.168.1.100.
Figure 493 Viewing client information

b. Select Roam > Roam Client on AC 2.


You can see that the client roams in to 192.168.1.101.
3. View connection information about the client that is associated with the AP, and the Roam Status
field in the client detailed information:
a. Before roaming, select Summary > Client from the navigation tree on AC 1.
You can see that the client is associated with AP 1.
b. After roaming: Select Summary > Client from the navigation tree on AC 1.
The client has roamed from AP 1 to AP 2, so no client information is displayed on the page.
c. Select Summary > Client from the navigation tree on AC 2.
You can view the client information.
d. Select the Detail Information tab, and then click the desired client.
Inter-AC roam association appears in the Roam Status field. This indicates that the client has
roamed to AP 2.

Figure 494 Verifying inter-AC roaming

4. View the BSSID field:


a. Before roaming, select Summary > Client from the navigation tree on AC 1, select the Detail
Information tab, and click the desired client to view the roaming information of the client.
The roaming information in Figure 495 shows that the client connects to the WLAN through AP
1, and the BSSID of AP 1 is 000f-e27b-3d90.
Figure 495 Client status before inter-AC roaming

b. Select Summary > Client, from the navigation tree on AC 2, select the Detail Information tab,
and click the desired client to view the roaming information of the client.
The roaming information in Figure 496 shows that the client connects to the WLAN through AP
2, and the BSSID of AP 2 is 000f-e233-5500.

Figure 496 Client status after inter-AC roaming

Configuring WLAN RRM

Radio overview
Radio frequency (RF) refers to electrical signals that can travel long distances through space.
802.11b/g in the IEEE 802.11 standards operates at the 2.4 GHz band, 802.11a operates at the 5 GHz
band, and 802.11n operates at both the 2.4 GHz and 5 GHz bands. Radio frequency is allocated in
bands, each of which corresponds to a range of frequencies.

WLAN RRM overview


WLAN radio resource management (RRM) is a scalable radio resource management solution. APs
collect radio environment information in real time. The AC analyzes the collected information. The AC
makes radio resource adjustment configurations according to analysis results. APs implement the
configurations made by the AC for radio resource optimization. Therefore, through information collection,
information analysis, decision-making, and implementation, WLAN RRM delivers a real-time, intelligent,
and integrated radio resource management solution. This enables a WLAN network to quickly adapt to
radio environment changes and remain in a healthy state.

Dynamic frequency selection


A WLAN has limited working channels. Channel overlapping can easily occur. In addition, other radio
sources such as radar and micro-wave ovens might interfere with the operation of APs. Dynamic
frequency selection (DFS) can solve these problems.
With DFS, the AC selects an optimal channel for each AP in real time to avoid co-channel interference
and interference from other radio sources.
The following conditions determine DFS:
• Error rate—Physical layer errors and CRC errors.
• Interference—Influence of 802.11 and non-802.11 wireless signals on wireless services.
• Retransmission—APs retransmit data if they do not receive ACK messages from the AC.
• Radar signal detected on a working channel—The AC immediately notifies the AP to change its
working channel.
If the first three conditions are met, the AC calculates the channel quality. The AP does not use the new
channel until the channel quality difference between the new and old channels exceeds the tolerance
level.

Figure 497 Dynamic channel adjustment

Transmit power control


Traditionally, an AP uses the maximum power to cover an area as large as possible. However, this
method affects the operation of surrounding wireless devices. Transmit power control (TPC) is used to
select a proper transmission power for each AP to satisfy both coverage and usage requirements.
Whether the transmission power of an AP is increased or decreased is determined by these factors: the
maximum number of neighbors (detected neighbors that are managed by the same AC), the neighbor
AP that performs power detection, and the power adjustment threshold. The latter two cannot be
configured on the Web interface.
As shown in Figure 498, APs 1, 2, and 3 cover an area. When AP 4 joins, the default maximum neighbor
number 3 (configurable) is reached. Among all the neighbors AP 2, AP 3, and AP 4 of AP 1, the signal
strength of AP 4 is the third, so AP 4 becomes the AP that performs power detection. If AP 4 detects that
the power of AP 1 is –75 dBm, which is lower than the default power adjustment threshold –65 dBm
(configurable), AP 1 will increase its transmission power. If AP 4 detects that the power of AP 1 is –55
dBm, which is higher than the power adjustment threshold –65 dBm, AP 1 will decrease its transmission
power.

Figure 498 Power reduction

As shown in Figure 499, when AP 3 fails or goes offline, the other APs increase their transmission power
to cover the signal blackhole.
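The decision logic described above, written out as an added Python example (not HP code): it selects the power-detecting neighbor and applies the threshold with the page's default values (maximum neighbor number 3, power adjustment threshold -65 dBm). The rule that the detector is the neighbor ranked at the maximum neighbor number by signal strength, and that an AP with fewer online neighbors than the maximum raises its power, is inferred from the page's worked example and Figure 499; the signal readings, AP names and function names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_NEIGHBORS = 3            # default maximum neighbor number (configurable)
ADJUST_THRESHOLD_DBM = -65   # default power adjustment threshold (configurable)


@dataclass
class Ap:
    name: str
    # Signal strength (dBm) at which this AP hears each neighbor, keyed by name.
    # Constructed sample readings; on the product they come from AP reports.
    heard: Dict[str, int] = field(default_factory=dict)
    online: bool = True


def detecting_neighbor(ap: Ap, aps: Dict[str, Ap],
                       max_neighbors: int = MAX_NEIGHBORS) -> Optional[str]:
    """Return the neighbor that performs power detection for `ap`, or None.

    Assumption (inferred from the page's example): once the maximum number of
    online neighbors is reached, the neighbor ranked `max_neighbors`-th by
    signal strength (the weakest of the counted set) is the detector."""
    online = [(n, rssi) for n, rssi in ap.heard.items() if aps[n].online]
    if len(online) < max_neighbors:
        return None
    ranked = sorted(online, key=lambda item: item[1], reverse=True)
    return ranked[max_neighbors - 1][0]


def tpc_decision(ap: Ap, aps: Dict[str, Ap],
                 max_neighbors: int = MAX_NEIGHBORS,
                 threshold: int = ADJUST_THRESHOLD_DBM) -> str:
    """Decide 'increase', 'decrease' or 'keep' for `ap`'s transmit power."""
    detector = detecting_neighbor(ap, aps, max_neighbors)
    if detector is None:
        # Fewer neighbors than the maximum: a coverage hole may exist
        # (e.g. a neighbor went offline), so raise power (assumption from Figure 499).
        return "increase"
    observed = aps[detector].heard[ap.name]   # how strongly the detector hears `ap`
    if observed < threshold:
        return "increase"
    if observed > threshold:
        return "decrease"
    return "keep"


def build_topology(ap1_seen_by_ap4: int) -> Dict[str, Ap]:
    """Constructed four-AP topology matching the page's worked example:
    AP 1's neighbors are AP 2, AP 3 and AP 4, with AP 4 the third strongest."""
    return {
        "AP1": Ap("AP1", {"AP2": -50, "AP3": -58, "AP4": -70}),
        "AP2": Ap("AP2", {"AP1": -50, "AP3": -60, "AP4": -66}),
        "AP3": Ap("AP3", {"AP1": -58, "AP2": -60, "AP4": -64}),
        "AP4": Ap("AP4", {"AP1": ap1_seen_by_ap4, "AP2": -66, "AP3": -64}),
    }


def demo():
    """Run the three cases from the text: -75 dBm, -55 dBm, and AP 3 offline."""
    weak = build_topology(-75)     # AP 4 hears AP 1 at -75 dBm: below threshold
    strong = build_topology(-55)   # AP 4 hears AP 1 at -55 dBm: above threshold
    hole = build_topology(-55)
    hole["AP3"].online = False     # AP 3 fails, as in Figure 499
    return (detecting_neighbor(weak["AP1"], weak),
            tpc_decision(weak["AP1"], weak),
            tpc_decision(strong["AP1"], strong),
            tpc_decision(hole["AP1"], hole))
```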

Figure 499 Power increasing

Spectrum analysis
WLAN systems operate on shared bands. Many devices, such as microwave ovens, cordless phones,
and Bluetooth devices also operate on these bands and can negatively affect the WLAN systems.
The spectrum analysis feature is designed to solve this problem. Spectrum analysis delivers the following
functions:
• Identifies five types of interferences and provides interference device reports.
• Calculates the number of interferences on each channel and average and worst channel quality,
and provides channel quality reports.
• The AP collects Fast Fourier Transform (FFT) data, including frequency, FFT power, maximum power,
and FFT duty cycle, and sends the data to the NMS through the AC.

• With RRM collaboration enabled, if the detected channel quality is lower than the threshold, the AC
automatically adjusts the working channel upon detecting a channel with a higher quality.
Administrators can view the interference information on the AC, or view real-time spectrum analysis data
on the NMS to locate and remove the interferences.
For more information about WIDS, see "Configuring WLAN security."

Configuring radios
Configuring radio parameters
1. Select Radio > Radio from the navigation tree.
2. Click the icon for the desired AP.
Figure 500 802.11a/b/g/n radio setup

Figure 501 802.11ac radio setup

3. Configure the radio as described in Table 136.


Table 136 Configuration items

AP Name: Displays the selected AP.

Radio Unit: Displays the selected AP's radios.

Radio Mode: Displays the selected AP's radio mode.

Transmit Power: Maximum radio transmission power, which varies with country/region
codes, channels, AP models, radio modes, and antenna types. If you
adopt the 802.11n mode, the maximum transmit power of the radio also
depends on the bandwidth mode.

Channel: Specify the working channel of the radio, which varies with radio types
and country/region codes. The working channel list varies with device
models.
auto: The working channel is automatically selected. If you select this
mode, the AP checks the channel quality in the WLAN network, and
selects the channel of the best quality as its working channel.
If you modify the working channel configuration, the transmit power is
automatically adjusted.

Antenna Gain: Configure the gain for the third-party antenna.

802.11n: The following options are available only when the AP supports 802.11n and the radio
mode is 802.11n.

bandwidth mode: 802.11n can bond two adjacent 20-MHz channels together to form a
40-MHz channel. During data forwarding, the two 20-MHz channels can
work separately, with one acting as the primary channel and the other
acting as the secondary channel. This provides a simple way of doubling
the data rate.
By default, the channel bandwidth of the 802.11n radio (5 GHz) is 40
MHz, and that of the 802.11n radio (2.4 GHz) is 20 MHz.
802.11ac bonds four adjacent 20-MHz channels together to form an
80-MHz channel, which increases the bandwidth and throughput. Like
802.11n, 802.11ac also ensures the throughput by increasing the
channel usage rate. 802.11ac supports only 5 GHz.
By default, the channel bandwidth of 802.11ac radios is 80 MHz.
IMPORTANT:
• If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz
channel is used as the working channel. If no 40 MHz channel is
available, a 20 MHz channel is used. For the specifications, see IEEE
P802.11n D2.00.
• If the channel bandwidth of the radio is set to 80 MHz, an 80 MHz
channel is used as the working channel when the corresponding center
frequency is found. If no corresponding center frequency is found, the
device attempts to use a 40 MHz channel. The 40 MHz channel is
used if a channel that can be bound is found. If the device cannot find
a channel that can be bound, it uses a 20 MHz channel. For the
specifications, see IEEE P802.11acTM/D5.0.
• If you modify the bandwidth mode configuration, the transmit power is
automatically adjusted.

Auto-switch: Select this option to allow automatic bandwidth switch. If the channel
bandwidth of an 802.11gn radio is 40 MHz, the automatic bandwidth
switch function is not enabled by default.
NOTE:
For 802.11gn radios, only radios operating at 40 MHz support this option.
802.11an radios do not support this option.

MIMO: Configure the MIMO mode for a radio:
• default—No MIMO mode is set.
• 1x1—Enable a radio to transmit and receive 1 spatial stream at a time.
• 2x2—Enable a radio to transmit and receive 2 spatial streams at a time.
• 3x3—Enable a radio to transmit and receive 3 spatial streams at a time.

Green Energy Management: Select this option to enable energy saving. By default, this function is
disabled.
NOTE:
• Only 802.11n radios support this option.
• When this function is enabled, an AP automatically changes the
MIMO mode of its radio to 1x1 if no clients are associated with the
radio.

client dot11n-only: If you select the client dot11n-only option, only 802.11n clients are
allowed to access the wireless network. To provide access for all
802.11a/b/g clients, you must disable this function.

A-MSDU: Select the A-MSDU option to enable A-MSDU.
Multiple MSDUs can be aggregated into a single A-MSDU. This reduces
the MAC header overhead and improves MAC layer forwarding
efficiency.
At present, only A-MSDUs can be received.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, make sure they have
the same A-MSDU configuration.

A-MPDU: Select the A-MPDU option to enable A-MPDU.
802.11n introduces the Aggregated MAC Protocol Data Unit (A-MPDU)
frame format. By using only one PHY header, each A-MPDU can
accommodate multiple MPDUs which have their PHY headers removed.
This reduces the overhead in transmission and the number of ACK frames
to be used, and improves network throughput.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, make sure they have
the same A-MSDU configuration.

short GI: Select the short GI option to enable short GI.
Delays might occur during transmission of radio signals due to factors like
multi-path reception. A subsequently sent frame might interfere with a
previously sent frame. The GI function is used to avoid such interference.
The 802.11a/g GI is 800 ns. You can configure a short GI, 400 ns, for
802.11n. The short GI increases the throughput by 10 percent.

802.11ac: The following option is available only when the AP supports 802.11ac and the
radio mode is 802.11ac.

Access Type: Select the client type that is allowed to associate with the radio.
• all type—The radio allows 802.11a/an clients to associate with it.
• 802.11n—The radio allows 802.11an clients to associate with it.
By default, an 802.11ac radio allows 802.11a/11an/ac clients to
associate with it.

4. Expand Advanced Setup.

Figure 502 Radio setup (advanced setup)

5. Configure the radio as described in Table 137, and click Apply.


Table 137 Configuration items

Preamble: Preamble is a pattern of bits at the beginning of a frame so that the receiver
can sync up and be ready for the real data.
• Short preamble—Short preamble improves network performance.
Therefore, this option is always selected.
• Long preamble—Long preamble ensures compatibility between the access
point and some legacy client devices. Select this option to support legacy
client devices that cannot use short preamble.
802.11a/802.11n (5 GHz) does not support this configuration.

ANI: Adaptive Noise Immunity (ANI). After the ANI function is enabled, the
device automatically adjusts the noise immunity level according to the
surrounding signal environment to eliminate RF interference.
• Enable—Enable ANI.
• Disable—Disable ANI.

Transmit Distance: Maximum coverage of a radio.

Client Max Count: Maximum number of clients that can be associated with one radio.

Fragment Threshold: Specify the maximum length of frames that can be transmitted without
fragmentation. When the length of a frame exceeds the specified fragment
threshold value, it is fragmented.
• In a wireless network where the error rate is high, you can decrease the
fragment threshold by a rational value. In this way, when a fragment of
a frame is not received, only this fragment rather than the whole frame
needs to be retransmitted, and the throughput of the wireless network is
improved.
• In a wireless network where no collision occurs, you can increase the
fragment threshold by a rational value to decrease acknowledgement
packets, and increase network throughput.

Beacon Interval: Interval for sending beacon frames. Beacon frames are transmitted at a
regular interval to allow mobile clients to join the network. Beacon frames
are used for a client to identify nearby APs or network control devices.

RTS (CTS): There are two data collision avoidance mechanisms, RTS/CTS and
CTS-to-Self.
• RTS/CTS—In this mode, an AP sends an RTS packet before sending
data to a client. After receiving the RTS packet, all the devices within the
coverage of the AP will not send data within the specified time. Upon
receiving the RTS packet, the client sends a CTS packet, ensuring that all
the devices within the coverage of the client will not send data within
the specified time. The RTS/CTS mechanism requires two frames to
implement data collision avoidance, and has a higher cost.
• CTS-to-Self—In this mode, an AP uses its IP address to send a CTS
packet before sending data to a client, ensuring that all the devices
within the coverage of the AP will not send data within the specified
time. The CTS-to-Self mechanism uses only one frame to avoid data
collision. However, if another device is in the coverage of the client, but
not in the coverage of the AP, data collision still might occur.
Compared with RTS/CTS, CTS-to-Self reduces the number of control
frames. However, data collisions still occur when some clients are hidden
and cannot receive the CTS frames sent by the AP. Therefore, the RTS/CTS
mechanism can solve the data collision problem in a larger coverage than
CTS-to-Self.

RTS (CTS) Threshold: If a frame is larger than the RTS (CTS) threshold, the data collision
avoidance mechanism is used.
A smaller RTS/CTS threshold causes RTS/CTS packets to be sent more
often, consuming more bandwidth. However, the more often RTS/CTS
packets are sent, the quicker the system can recover from collisions.
In a high-density WLAN, you can decrease the RTS threshold to reduce
collisions in the network.
IMPORTANT:
The data collision avoidance mechanism occupies bandwidth. Therefore,
this mechanism applies only to data frames larger than the RTS/CTS
threshold.

DTIM Period: Number of beacon intervals between delivery traffic indication message
(DTIM) transmissions. The AP sends buffered broadcast/multicast frames
when the DTIM counter reaches 0.

Long Retry Threshold: Number of retransmission attempts for unicast frames larger than the
RTS/CTS threshold.

Short Retry Threshold: Number of retransmission attempts for unicast frames smaller than the
RTS/CTS threshold if no acknowledgment is received for it.

Max Receive Duration: Interval for which a frame received by an AP can stay in the buffer
memory.

STBC:
• On—Enable STBC.
• Off—Disable STBC.
By default, space-time block coding (STBC) is enabled.
With STBC enabled, the SNR of the receiver is increased and the reliability
of data transmission is enhanced.
STBC is applicable to WLAN access and mesh links. To reach the best
performance, enable STBC on both the sending and receiving devices.
STBC takes effect only when the number of antennas on the AP is greater
than the number of spatial streams corresponding to the radio rate. For example, if
the MCS index is set to 8 and the number of corresponding spatial streams
is 2, STBC takes effect only when at least 3 antennas exist on the AP.

LDPC:
• On—Enable LDPC.
• Off—Disable LDPC.
By default, Low Density Parity Check Code (LDPC) is disabled.

Smart Antenna:
• On—Enable smart antenna.
• Off—Disable smart antenna.
Smart antenna can ensure high and stable bandwidths for clients within
the coverage area, and decrease the interference between the AP and
clients, avoiding interference caused by non-wireless devices.
By default, smart antenna is enabled.
Smart antenna takes effect only when the radio uses an internal antenna.
You can select an internal antenna for the radio on the Radio > Antenna
Switch page.

Smart Antenna Policy:
• Auto—Adopt the auto policy, with the high reliability policy for voice and
video packets, and the high throughput policy for other packets.
• High Reliability—Adopt the high reliability policy.
• High Throughput—Adopt the high throughput policy.
By default, Auto is selected.

Enabling a radio
1. Select Radio > Radio from the navigation tree.

Figure 503 Enabling radio

2. Select the box of the target radio.


3. Click Enable.

Locking the channel
1. Select Radio > Radio from the navigation tree.
Figure 504 Locking a channel

2. Select the box of the target radio.


3. Click Lock Channel.
Channel locking takes effect only when the AC adopts the auto mode. For more information
about automatic channel adjustment, see "Configuring radio parameters."
If you enable channel locking and then enable the radio, the AC automatically selects an
optimal channel, and then locks the channel.
When the AC detects any radar signals, it immediately selects another channel even if the
current channel is locked, and then locks the new channel.
If you lock the current channel first, and then enable channel adjustment, channel adjustment
does not work because the current channel is locked. Therefore, before enabling channel
adjustment, make sure the current channel is not locked. If you enable channel adjustment and
then lock the current channel, the last selected channel is locked. For information about channel
adjustment, see "Dynamic frequency selection." For more information about channel adjustment
configuration, see "Setting parameters."

Locking the power
1. Select Radio > Radio from the navigation tree.
Figure 505 Locking the current power

2. Select the box of the target radio.


3. Click Lock Power.
After you lock the power, the AC automatically sets the transmission power to the adjusted
power value so that the AP can use the adjusted power when the AC is rebooted. For
transmission power configuration, see "Configuring radio parameters."
If you lock the current power first, and then enable power adjustment, power adjustment does
not work because the power is locked. Therefore, before enabling power adjustment, make sure
the current power is not locked. If you enable power adjustment, and then lock the current power,
the last selected power is locked. For information about power adjustment, see "Transmit power
control." For information about how to configure power adjustment, see "Setting parameters."
After you lock the power, if the operating channel is adjusted, and the locked power is greater
than the maximum power supported by the adjusted operating channel, the AC changes the
power to the maximum power supported by the channel.

Configuring data transmit rates

Configuring 802.11a/802.11b/802.11g rates
1. Select Radio > Rate from the navigation tree.
Figure 506 Setting 802.11a/802.11b/802.11g rates

2. Configure 802.11a/802.11b/802.11g rates as described in Table 138, and click Apply.
Table 138 Configuration items

Item       Description
802.11a    Configure rates (in Mbps) for 802.11a.
           By default:
           • Mandatory rates—6, 12, and 24.
           • Supported rates—9, 18, 36, 48, and 54.
           • Multicast rate—Automatically selected from the mandatory rates. The transmission
             rate of multicasts in a BSS is selected from the mandatory rates supported by all the
             clients.
802.11b    Configure rates (in Mbps) for 802.11b.
           By default:
           • Mandatory rates—1 and 2.
           • Supported rates—5.5 and 11.
           • Multicast rate—Automatically selected from the mandatory rates. The transmission
             rate of multicasts in a BSS is selected from the mandatory rates supported by all the
             clients.
802.11g    Configure rates (in Mbps) for 802.11g.
           By default:
           • Mandatory rates—2, 5.5, and 11.
           • Supported rates—6, 9, 12, 18, 24, 36, 48, and 54.
           • Multicast rate—Automatically selected from the mandatory rates. The transmission
             rate of multicasts in a BSS is selected from the mandatory rates supported by all the
             clients.

Configuring 802.11n MCS

Introduction to MCS
Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum
Modulation and Coding Scheme (MCS) index. The MCS data rate table shows relations between data
rates, MCS indexes, and parameters that affect data rates. Sample MCS data rate tables for 20 MHz
and 40 MHz are shown in Table 139 and Table 140, respectively. For the entire table, see IEEE P802.11n
D2.00.
Table 139 and Table 140 indicate that MCS 0 through 7 are for one single spatial stream, and when the
MCS is 7, the data rate is the highest. MCS 8 through 15 are for two spatial streams, and when the MCS
is 15, the data rate is the highest. For the whole table, see IEEE 802.11n-2009.
Support for MCS indexes depends on the device model.
Table 139 MCS index table (20 MHz)

MCS index   Number of spatial streams   Modulation   Data rate (Mbps), 800 ns GI   Data rate (Mbps), 400 ns GI
0           1                           BPSK         6.5                           7.2
1           1                           QPSK         13.0                          14.4
2           1                           QPSK         19.5                          21.7
3           1                           16-QAM       26.0                          28.9
4           1                           16-QAM       39.0                          43.3
5           1                           64-QAM       52.0                          57.8
6           1                           64-QAM       58.5                          65.0
7           1                           64-QAM       65.0                          72.2
8           2                           BPSK         13.0                          14.4
9           2                           QPSK         26.0                          28.9
10          2                           QPSK         39.0                          43.3
11          2                           16-QAM       52.0                          57.8
12          2                           16-QAM       78.0                          86.7
13          2                           64-QAM       104.0                         115.6
14          2                           64-QAM       117.0                         130.0
15          2                           64-QAM       130.0                         144.4

Table 140 MCS index table (40 MHz)

MCS index   Number of spatial streams   Modulation   Data rate (Mbps), 800 ns GI   Data rate (Mbps), 400 ns GI
0           1                           BPSK         13.5                          15.0
1           1                           QPSK         27.0                          30.0
2           1                           QPSK         40.5                          45.0
3           1                           16-QAM       54.0                          60.0
4           1                           16-QAM       81.0                          90.0
5           1                           64-QAM       108.0                         120.0
6           1                           64-QAM       121.5                         135.0
7           1                           64-QAM       135.0                         150.0
8           2                           BPSK         27.0                          30.0
9           2                           QPSK         54.0                          60.0
10          2                           QPSK         81.0                          90.0
11          2                           16-QAM       108.0                         120.0
12          2                           16-QAM       162.0                         180.0
13          2                           64-QAM       216.0                         240.0
14          2                           64-QAM       243.0                         270.0
15          2                           64-QAM       270.0                         300.0

For example, if you specify the maximum MCS index as 5 for mandatory rates, rates corresponding to
MCS indexes 0 through 5 are configured as 802.11n mandatory rates.

• Mandatory rates must be supported by the AP and the clients that want to associate with the AP.
• Supported rates allow some clients that support both mandatory and supported rates to choose
higher rates when communicating with the AP.
• Multicast MCS: Specifies 802.11n multicast data rates.

Configuring 802.11n rates
1. Select Radio > Rate from the navigation tree.
Figure 507 Setting 802.11n rate

2. Configure the 802.11n rate as described in Table 141, and click Apply.
Table 141 Configuration items

Item                     Description
Mandatory Maximum MCS    Set the maximum MCS index for 802.11n mandatory rates.
                         IMPORTANT:
                         If you select the client dot11n-only option, you must configure the
                         mandatory maximum MCS.
Multicast MCS            Set the multicast MCS for 802.11n.
                         The multicast MCS is adopted only when all the clients use 802.11n. If a
                         non-802.11n client exists, multicast traffic is transmitted at a mandatory
                         MCS data rate.
                         IMPORTANT:
                         • If you configure a multicast MCS index greater than the maximum MCS
                           index supported by the radio, the maximum MCS index is adopted.
                         • When the multicast MCS takes effect, the corresponding data rates
                           defined for 20 MHz are adopted no matter whether the 802.11n radio
                           operates in 40 MHz mode or in 20 MHz mode.
Supported Maximum MCS    Set the maximum MCS index for 802.11n supported rates.

NOTE:
When 802.11n radios are used in a mesh WLAN, make sure they have the same MCS configuration.

Configuring 802.11ac NSS

Introduction to MCS
Configuration of the 802.11ac radio rate is achieved by specifying the number of spatial streams (NSS).
802.11ac uses the very high throughput modulation and coding scheme (VHT-MCS) to indicate WLAN data
rates. A VHT-MCS data rate table shows relations between data rates, VHT-MCS indexes, and
parameters that affect data rates. In 802.11ac, the physical transmission rate for a given set of parameters
corresponding to the VHT-MCS index is determined by the VHT-MCS data rate table and the NSS. Sample
VHT-MCS data rate tables for 20 MHz, 40 MHz, and 80 MHz are shown in Table 142, Table 143,
and Table 144, respectively. For the entire table, see IEEE Draft P802.11ac_D5.0.
The value range for NSS is 1 to 8, and the value range for the VHT-MCS index in each NSS is 0 to 9.

NOTE:
Support for NSS depends on the device model.

Table 142 VHT-MCS data rate table (20 MHz, NSS = 1)

VHT-MCS index   Modulation   Data rate (Mbps), 800 ns GI   Data rate (Mbps), 400 ns GI
0               BPSK         6.5                           7.2
1               QPSK         13.0                          14.4
2               QPSK         19.5                          21.7
3               16-QAM       26.0                          28.9
4               16-QAM       39.0                          43.3
5               64-QAM       52.0                          57.8
6               64-QAM       58.5                          65.0
7               64-QAM       65.0                          72.2
8               256-QAM      78.0                          86.7
9               not valid

Table 143 VHT-MCS data rate table (40 MHz, NSS = 1)

VHT-MCS index   Modulation   Data rate (Mbps), 800 ns GI   Data rate (Mbps), 400 ns GI
0               BPSK         13.5                          15.0
1               QPSK         27.0                          30.0
2               QPSK         40.5                          45.0
3               16-QAM       54.0                          60.0
4               16-QAM       81.0                          90.0
5               64-QAM       108.0                         120.0
6               64-QAM       121.5                         135.0
7               64-QAM       135.0                         150.0
8               256-QAM      162.0                         180.0
9               256-QAM      180.0                         200.0

Table 144 VHT-MCS data rate table (80 MHz, NSS = 1)

VHT-MCS index   Modulation   Data rate (Mbps), 800 ns GI   Data rate (Mbps), 400 ns GI
0               BPSK         29.3                          32.5
1               QPSK         58.5                          65.0
2               QPSK         87.8                          97.5
3               16-QAM       117.0                         130.0
4               16-QAM       175.5                         195.0
5               64-QAM       234.0                         260.0
6               64-QAM       263.3                         292.5
7               64-QAM       292.5                         325.0
8               256-QAM      351.0                         390.0
9               256-QAM      390.0                         433.3

NSS is divided into the following types:
• Mandatory NSS—Mandatory NSS must be supported by the AP and the clients that want to
associate with the AP.
• Supported NSS—Supported NSS allows some clients that support both mandatory NSS and
supported NSS to choose higher rates when communicating with the AP.
• Multicast NSS—Multicast NSS allows some clients that support both mandatory NSS and multicast
NSS to transmit multicast data with configured multicast NSS.
The NSS value refers to a value range, starting from 0 and ending with the configured value. For example,
if you enter 5, the value range for NSS is 0 to 5.
When configuring multicast rate for 802.11ac radios, specify the multicast NSS and multicast VHT-MCS.
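The data rates in Tables 139 through 144 follow directly from the modulation, coding rate, number of spatial streams, channel width, and guard interval. The following Python script is added here as a worked example; it is not part of the HP guide or HP's software. It computes the rates from those parameters using the IEEE 802.11 OFDM PHY constants (52, 108, and 234 data subcarriers for 20, 40, and 80 MHz; a 4.0 µs symbol with the 800 ns guard interval and 3.6 µs with the 400 ns guard interval). It generalizes beyond the tables above to any number of spatial streams, and it shows why VHT-MCS 9 is listed as "not valid" at 20 MHz with one stream: that combination does not yield a whole number of data bits per OFDM symbol. It also builds the mandatory rate set that results from a given Mandatory Maximum MCS, as the paragraph after Table 140 describes. The further validity constraints that apply to some multi-stream VHT combinations are not modelled.

```python
"""Derive 802.11n (HT) and 802.11ac (VHT) PHY data rates from MCS parameters.

Added example, not code from the HP guide. Rates are computed as
N_DBPS / T_SYM, where N_DBPS is the number of data bits carried by one
OFDM symbol and T_SYM is the symbol duration including the guard interval.
"""
from fractions import Fraction
from math import floor
from typing import List, Optional

# (modulation, coded bits per subcarrier per stream, coding rate) for each
# MCS index within one stream group. HT uses 0-7; VHT adds 8 and 9 (256-QAM).
_MCS_PARAMS = [
    ("BPSK", 1, Fraction(1, 2)), ("QPSK", 2, Fraction(1, 2)), ("QPSK", 2, Fraction(3, 4)),
    ("16-QAM", 4, Fraction(1, 2)), ("16-QAM", 4, Fraction(3, 4)), ("64-QAM", 6, Fraction(2, 3)),
    ("64-QAM", 6, Fraction(3, 4)), ("64-QAM", 6, Fraction(5, 6)),
    ("256-QAM", 8, Fraction(3, 4)), ("256-QAM", 8, Fraction(5, 6)),
]
_DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234}         # N_SD per channel width (MHz)
_SYMBOL_US = {800: Fraction(4), 400: Fraction(18, 5)}   # T_SYM in µs per guard interval (ns)


def _round_half_up(x: Fraction) -> float:
    """Round to one decimal the way the guide's tables do (29.25 -> 29.3, not 29.2)."""
    return floor(x * 10 + Fraction(1, 2)) / 10


def _data_bits_per_symbol(mcs_in_group: int, nss: int, width_mhz: int) -> Fraction:
    if width_mhz not in _DATA_SUBCARRIERS:
        raise ValueError("channel width must be 20, 40 or 80 MHz")
    _, bpscs, coding = _MCS_PARAMS[mcs_in_group]
    return bpscs * _DATA_SUBCARRIERS[width_mhz] * nss * coding


def vht_rate(mcs: int, nss: int, width_mhz: int, gi_ns: int = 800) -> Optional[float]:
    """802.11ac data rate in Mbps, or None where the combination is 'not valid'."""
    if not 0 <= mcs <= 9 or not 1 <= nss <= 8:
        raise ValueError("VHT-MCS index is 0-9 and NSS is 1-8")
    n_dbps = _data_bits_per_symbol(mcs, nss, width_mhz)
    # A combination is only defined when N_DBPS is a whole number of bits.
    # VHT-MCS 9 at 20 MHz with one stream gives 8 * 52 * 5/6 = 346.67, hence
    # the "not valid" entry in Table 142. (Some multi-stream cases have extra
    # constraints that this simplified check does not model.)
    if n_dbps.denominator != 1:
        return None
    return _round_half_up(n_dbps / _SYMBOL_US[gi_ns])


def ht_rate(mcs: int, width_mhz: int, gi_ns: int = 800) -> float:
    """802.11n equal-modulation MCS 0-31: each block of 8 indexes adds one spatial stream."""
    if not 0 <= mcs <= 31 or width_mhz not in (20, 40):
        raise ValueError("HT MCS index is 0-31 at 20 or 40 MHz")
    extra_streams, base = divmod(mcs, 8)   # MCS 8-15 -> 2 streams, and so on
    n_dbps = _data_bits_per_symbol(base, extra_streams + 1, width_mhz)
    return _round_half_up(n_dbps / _SYMBOL_US[gi_ns])


def ht_mandatory_rates(max_mcs: int, width_mhz: int = 20, gi_ns: int = 800) -> List[float]:
    """Rates that become 802.11n mandatory rates for a given Mandatory Maximum MCS:
    every index from 0 through max_mcs, as the guide describes."""
    return [ht_rate(i, width_mhz, gi_ns) for i in range(max_mcs + 1)]


if __name__ == "__main__":
    # Reproduce Table 139 (20 MHz, MCS 0-15) and the 80 MHz single-stream VHT column.
    for i in range(16):
        print(f"HT MCS {i:2d} 20 MHz: {ht_rate(i, 20):6.1f} / {ht_rate(i, 20, 400):6.1f} Mbps")
    for i in range(10):
        print(f"VHT-MCS {i} 80 MHz NSS=1: {vht_rate(i, 1, 80)} / {vht_rate(i, 1, 80, 400)} Mbps")
    print("Mandatory rates for max MCS 5:", ht_mandatory_rates(5))
```

Running the script prints the rows of Table 139 and Table 144 exactly as the guide lists them, which is a quick way to sanity-check a rate configuration before applying it: a Mandatory Maximum MCS that a client population cannot decode simply excludes those clients from the BSS.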

Configuring 802.11ac rates
1. Select Radio > Rate from the navigation tree.
Figure 508 Configuring 802.11ac rates

2. Configure the 802.11ac rate as described in Table 145, and click Apply.

Table 145 Configuration items

Item                     Description
Mandatory Maximum NSS    Select Mandatory Maximum NSS and set the maximum 802.11ac
                         mandatory NSS.
                         IMPORTANT:
                         If you select the 802.11n and 802.11ac or 802.11ac option, you must
                         configure the mandatory maximum NSS.
Multicast NSS            Set the multicast NSS for 802.11ac.
                         The multicast NSS is adopted only when all the clients use 802.11ac. If a
                         non-802.11ac client exists, multicast traffic is transmitted at a rate
                         determined by the client type.
                         IMPORTANT:
                         • If you configure a multicast NSS greater than the maximum NSS
                           supported by the radio, the maximum supported NSS is adopted.
                         • When the multicast NSS takes effect, the corresponding data rates
                           defined for 20 MHz are adopted no matter whether the 802.11ac
                           radio operates in 20 MHz mode, 40 MHz mode, or 80 MHz mode.
Supported Maximum NSS    Set the maximum NSS for 802.11ac supported rates. The supported
                         maximum NSS must be equal to or larger than the mandatory
                         maximum NSS.
Multicast VHT-MCS        Set the multicast VHT-MCS index value for 802.11ac radios.
                         When configuring the multicast rate for 802.11ac radios, specify the
                         multicast NSS and multicast VHT-MCS index.

Configuring channel scanning

For more information about active and passive scanning, see "Configuring access services."
To configure channel scanning:
1. Select Radio > Channel Scan from the navigation tree.
Figure 509 Setting channel scanning

2. Configure channel scanning as described in Table 146, and click Apply.
Table 146 Configuration items

Item                         Description
Scan Mode                    Set the scan mode.
                             • Auto—Legal channels with the scanning mode under the country/region
                               code are scanned.
                             • All—All the channels of the radio band are scanned.
                             By default, the scan mode is auto, that is, all channels of the
                             country/region code being set are scanned.
Scan Non-802.11h Channel     Some 802.11h channels, also called radar channels, overlap some
                             802.11a channels. If the device operates on an overlapping channel, the
                             service quality of the WLAN might be affected. With this function
                             enabled, the device selects a working channel from non-802.11h
                             channels belonging to the configured country/region code to avoid
                             channel collision.
                             Selecting the Scan Non-802.11h Channel option enables the function of
                             scanning non-802.11h channels.
Scan Type                    Set the scan type.
                             • Active—Active scanning requires a client to send a probe request. This
                               scanning mode enables a client to discover APs more easily.
                             • Passive—Passive scanning is used by a client when it wants to save
                               battery power. Typically, VoIP clients adopt the passive scanning
                               mode.
                             For an AP that has the monitoring function:
                             • Active—The AP simulates a client to send probe requests during the
                               scanning process.
                             • Passive—The AP does not send probe requests during the scanning
                               process.
                             If you set active scanning for the AP, it is more likely to discover devices in
                             the WLAN.
Scan Interval                Set the scan report interval.
                             • A longer scan interval enables an AP to discover more devices in the
                               WLAN.
                             • A shorter scan interval enables an AP to send scanning reports to an
                               AC more frequently.
                             If an AP has the monitoring function, the scan report interval affects
                             whether the scanning results can be processed in time and the frequency
                             of message exchanges. Therefore, set the interval according to the
                             actual network conditions.
5GHz Excluded Channel/       To avoid selecting improper channels, you can exclude specific channels
2.4GHz Excluded Channel      from automatic channel selection. The excluded channels are not
                             available for initial channel selection, DFS, and mesh DFS. This feature
                             does not affect rogue detection and WIDS.
                             Select a channel and add it to the 5GHz Excluded Channel or 2.4GHz
                             Excluded Channel list.
                             By default, no channels exist in the 5GHz Excluded Channel or 2.4GHz
                             Excluded Channel list.
                             IMPORTANT:
                             • The channel exclusion list is not restricted by the country/region code.
                               You can add channels not supported by the country/region code to
                               the list, and changing the country/region code does not change the
                               channel list. The device selects an available channel from the
                               channels supported by the country/region code and not in the
                               channel exclusion list. When you configure this feature, do not add all
                               channels supported by the country/region code to the channel
                               exclusion list.
                             • This feature takes effect only for initial channel selection, DFS, and
                               mesh DFS.
                             • If you add an automatically selected channel to the channel
                               exclusion list, the AC disables the radio, enables the radio, and then
                               selects an available channel from the channels supported by the
                               country/region code and not in the channel exclusion list.
                             • If you add an automatically selected primary channel to the channel
                               exclusion list, the AC selects another available primary channel. If you
                               add a secondary channel to the channel exclusion list in this case,
                               the AC selects another secondary channel. If the AP cannot find an
                               available secondary channel, no channels are available for the
                               wireless, mesh, and WDS services.

Configuring calibration
Executing channel persistence
Configuration guidelines
• Channel persistence is applicable to radios used for wireless access, and the radios must have
channels.
• Channel persistence is not applicable to auto APs, nor APs operating in monitor mode.
• The device switches to a new channel if radar signals are detected on the channel, regardless of
whether it is a persistent channel or not.
• If a radio is configured to automatically select its channel mode, the channel persistence operation
does not take effect if no channel is selected.
• If a radio is configured to automatically select its channel mode and channel persistence is
executed after a channel is selected, the device automatically saves the channel value through the
Channel option on the Radio page. After the AC reboots, the AP continues to use the persistent channel.
• If channel persistence is executed on a locked channel, the channel is unlocked. The device
automatically saves the channel value through the Channel option on the Radio page. After the AC
reboots, the AP continues to use the persistent channel.

Configuration procedure
1. Select Radio > Calibration from the navigation tree.
2. Click the Operation tab.
3. Select the box of the target AP.
4. Click Channel Persistent.
Figure 510 Executing channel persistence

The device executes channel persistence on automatically selected or adjusted channels. After the AC
reboots, the AP continues to use the persistent channel.

Configuring power persistence

Configuration guidelines
• Power persistence is applicable to radios used for wireless access.
• Power persistence is not applicable to auto APs, nor APs operating in monitor mode.

Configuration procedure
1. Select Radio > Calibration from the navigation tree.
2. Click the Operation tab.
3. Select the box of the target AP.
4. Click Power Persistent.
Figure 511 Configuring power persistence

The device executes power persistence on the adjusted power. If the adjusted power value is not the
default value set through the Transmit Power option on the Radio page, the device automatically saves
the power value. After the AC reboots, the AP continues to use the adjusted power.

Setting parameters
1. Select Radio > Calibration from the navigation tree.
2. Click the Parameters tab.

Figure 512 Setting channel calibration

3. Configure channel calibration as described in Table 147, and click Apply.
Table 147 Configuration items

Item                      Description
Basic Setup
802.11g Protection Mode   • RTS/CTS—Use RTS/CTS mode to implement 802.11g protection.
                            Before sending data to a client, an AP sends an RTS packet to the
                            client, ensuring that all the devices within the coverage of the AP do
                            not send data in the specified time after receiving the RTS packet.
                            Upon receiving the RTS packet, the client sends a CTS packet,
                            ensuring that all the devices within the coverage of the client
                            do not send data in the specified time.
                          • CTS-to-Self—Use CTS-to-Self mode to implement 802.11g protection.
                            When an AP sends packets to a client, it uses its IP address to send
                            a CTS packet to inform the client that it will send a packet, ensuring
                            that all the devices within the coverage of the AP do not send data in
                            the specified time.
                          • 802.11b devices and 802.11g devices use different modulation
                            modes, so 802.11g protection needs to be enabled for an 802.11g
                            device to send RTS/CTS or CTS-to-self packets to 802.11b devices,
                            which then defer access to the medium.
802.11g Protection        • Enable—Enable 802.11g protection.
                          • Close—Disable 802.11g protection.
                          An AP running 802.11g uses the 802.11g protection function in the
                          following two cases:
                          • An 802.11b client is associated with it.
                          • It detects APs or clients running 802.11b on the same channel.
                          IMPORTANT:
                          • Enabling 802.11g protection reduces network performance.
                          • Enabling 802.11g protection applies to the second case only,
                            because 802.11g protection is always enabled for the first case.
802.11n Protection Mode   Both RTS/CTS and CTS-to-Self modes can be adopted. The
                          implementation of the two modes is the same as for 802.11g.
802.11n Protection        • Enable—Enable 802.11n protection. When non-802.11n wireless
                            devices or non-802.11n clients exist within the coverage of the AP,
                            you need to enable 802.11n protection.
                          • Close—Disable 802.11n protection.
Calibration Interval      Channel and power calibration interval. A calibration interval takes
                          effect on both mesh network channel calibration and channel and
                          power calibration of wireless services.
Channel Setup             Follow these guidelines when configuring channel adjustment:
                          • Before configuring channel adjustment, make sure the AC adopts the
                            auto channel adjustment mode (for more information, see
                            "Configuring radio parameters"). Otherwise, channel adjustment
                            does not work.
                          • If you lock the channel first, and then enable channel adjustment (by
                            selecting Dynamic Channel Select), channel adjustment does not
                            work because the channel is locked. Before enabling channel
                            adjustment, make sure the channel is not locked.
                          • If you enable channel adjustment and then lock the channel, the last
                            selected channel is locked.
                          For information about how to lock the channel, see "Locking the channel."
Dynamic Channel Select    • Close—Disable the DFS function.
                          • Auto—With auto DFS enabled, an AC performs DFS for a radio
                            when certain trigger conditions are met on the channel, and returns
                            the result to the AP after a calibration interval (the default calibration
                            interval is 8 minutes, which can be set through the Calibration
                            Interval option). After that, the AC makes DFS decisions at the
                            calibration interval automatically.
                          • Manual—With one-time DFS configured for a radio, an AC performs
                            DFS for the radio when certain trigger conditions are met on the
                            channel, and returns the result to the AP after a calibration interval.
                            After that, if you want the AC to perform DFS for the radio, you have
                            to make this configuration again.
                          IMPORTANT:
                          If you select the manual mode, click Calibration on the Calibration page
                          every time you perform channel calibration.
CRC Error Threshold       Set the CRC error threshold value, in percentage.
Channel Interference      Set the channel interference threshold value, in percentage.
Threshold
Tolerance Factor          A new channel is selected when either the configured CRC error
                          threshold or interference threshold is exceeded on the current channel.
                          However, the new channel is not applied until the quality of the current
                          channel is worse than that of the new channel by the tolerance
                          threshold.
Spectrum Management       • Enable—Enable spectrum management.
                          • Close—Disable spectrum management.
                          When spectrum management is enabled, the AP notifies clients of its
                          power capability and power constraint.
Power Setup               Follow these guidelines when configuring power adjustment:
                          • If you lock the power first, and then enable power adjustment (by
                            selecting Dynamic Channel Select), power adjustment does not work
                            because the power is locked. Therefore, before enabling power
                            adjustment, make sure the power is not locked.
                          • If you enable power adjustment and then lock the power, the last
                            selected power is locked.
                          For information about how to lock the power, see "Locking the power."
Dynamic Power Select      • Close—Disable transmit power control (TPC).
                          • Auto—With auto TPC enabled, the AC performs TPC for an AP upon
                            certain interference and returns the result to the AP after a calibration
                            interval (the default calibration interval is 8 minutes, which can be
                            set through the Calibration Interval option). After that, the AC makes
                            TPC decisions at the calibration interval automatically.
                          • Manual—With one-time TPC configured, an AC performs TPC for
                            the AP upon certain interference, and returns the result to the AP after
                            a calibration interval (the default calibration interval is 8 minutes,
                            which can be set through the Calibration Interval option). After that,
                            if you want the AC to perform TPC for the AP, you have to make this
                            configuration again.
                          IMPORTANT:
                          If you select the manual mode, click Calibration on the Calibration page
                          every time you perform channel calibration.
Adjacency Factor          Specify the neighbor APs that trigger automatic power adjustment. The
                          neighbor APs are managed by the same AC.
Power Constraint          Enable the AC to notify all 802.11a clients to reduce their transmit
                          power by a specified value. For example, if the power constraint is set
                          to 5, the AC notifies 802.11a clients to decrease their power by 5 dBm.
                          By default, the transmit power for 802.11a radios is not restricted.
                          IMPORTANT:
                          Enable spectrum management before configuring the power constraint;
                          otherwise, the configuration does not take effect.

Channel switching results in temporary service interruption, so use the channel calibration function with
caution.

Configuring a radio group

With DFS or TPC configured for a radio, the AC calculates the channel quality or power of the radio at
the calibration interval. When the result meets a trigger condition, the AC selects a new channel or
power for the radio. In an environment where interference is serious, frequent channel or power
adjustments might affect user access to the WLAN network. In this case, you can configure a radio group
to keep the channel or power of radios in the group unchanged within a specified time. The channel and
power of radios not in the radio group are adjusted as usual.
After a channel or power adjustment (auto or initial DFS or TPC), the channel or power of any radio in
the radio group remains unchanged within the specified holddown time. When the holddown time expires,
the AC calculates the channel or power again. If the result meets a trigger condition, the channel or
power is changed, and the new channel or power remains unchanged within the specified holddown time.
This mechanism continues.
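The decision rules for automatic channel selection are spread over several tables on this page: Table 147 (CRC error and interference thresholds, tolerance factor), Table 146 (the channel exclusion list), "Locking the channel" (a locked channel is not adjusted, except when radar is detected), and the radio group holddown described above (radar also resets the holddown timer). The following Python model is an added example that ties those rules together; it is not HP's implementation and makes no claim about the AC's internal algorithm. The guide does not define the channel quality metric, so quality() here (100 minus the worse of the two impairment percentages) is an assumption, as are the sample measurements in the __main__ block.

```python
"""Illustrative model of the channel-calibration decision described in this guide.

Added example; not HP code. Quality metric and sample values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Iterable, Set, Tuple


@dataclass
class ChannelStats:
    """One channel's measurements, as shown on the Channel Status tab (constructed values)."""
    channel: int
    crc_error_pct: float      # corresponds to "Packet Error Rate (%)"
    interference_pct: float   # corresponds to "Interference (%)"
    radar_detected: bool = False

    def quality(self) -> float:
        # Assumption: 100 minus the worse of the two impairments. The guide does not
        # publish the AC's quality formula; any monotonic score would do for this model.
        return 100.0 - max(self.crc_error_pct, self.interference_pct)


@dataclass
class CalibrationConfig:
    crc_error_threshold: float      # "CRC Error Threshold" (%)
    interference_threshold: float   # "Channel Interference Threshold" (%)
    tolerance_factor: float         # "Tolerance Factor": required quality margin
    excluded_channels: Set[int] = field(default_factory=set)   # 5GHz/2.4GHz Excluded Channel
    holddown_interval: int = 0      # "Channel Holddown Interval" (s); 0 = radio not in a group


@dataclass
class RadioState:
    channel: int
    locked: bool = False        # "Lock Channel" applied
    holddown_until: int = 0     # epoch seconds until which the channel stays put


def evaluate(current: ChannelStats, candidates: Iterable[ChannelStats],
             cfg: CalibrationConfig, state: RadioState, now: int) -> Tuple[int, str]:
    """Decide the channel for one calibration interval; returns (channel, reason).

    Mutates `state` when a switch happens, so repeated calls model successive intervals."""
    usable = [c for c in candidates
              if c.channel not in cfg.excluded_channels and not c.radar_detected]
    best = max(usable, key=ChannelStats.quality, default=None)

    # Radar on the operating channel forces an immediate switch, even if the channel is
    # locked (the lock then applies to the new channel), and restarts the holddown timer.
    if current.radar_detected:
        if best is None:
            return state.channel, "radar, no available channel"
        state.channel = best.channel
        state.holddown_until = now + cfg.holddown_interval
        return state.channel, "radar"

    if state.locked:
        return state.channel, "locked"
    if now < state.holddown_until:
        return state.channel, "holddown"

    # Trigger: either threshold exceeded on the current channel.
    triggered = (current.crc_error_pct > cfg.crc_error_threshold
                 or current.interference_pct > cfg.interference_threshold)
    if not triggered:
        return state.channel, "thresholds not exceeded"

    # Apply the new channel only if it beats the current one by the tolerance factor.
    if best is None or best.quality() - current.quality() < cfg.tolerance_factor:
        return state.channel, "candidate not better by tolerance factor"

    state.channel = best.channel
    state.holddown_until = now + cfg.holddown_interval
    return state.channel, "threshold exceeded"


if __name__ == "__main__":
    cfg = CalibrationConfig(crc_error_threshold=20, interference_threshold=30,
                            tolerance_factor=10, excluded_channels={11}, holddown_interval=600)
    state = RadioState(channel=1)
    # Constructed measurements: channel 1 is noisy, 6 is clean, 11 is clean but excluded.
    cur = ChannelStats(1, crc_error_pct=25, interference_pct=10)
    cands = [ChannelStats(6, 5, 5), ChannelStats(11, 0, 0)]
    print(evaluate(cur, cands, cfg, state, now=1000))   # switches to 6, not to excluded 11
```

Walking a few intervals through this model makes the interplay visible: a threshold breach alone does not move the radio during a holddown or on a locked channel, whereas a radar hit moves it regardless. That is also what an operator should expect to see in the History Info tab (Table 151), where the Reason column distinguishes interference-driven changes from radar-driven ones.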

NOTE:
Before entering the Radio Group page, configure channel or power adjustment on the Parameters tab.

1. Select Radio > Calibration from the navigation tree.
2. Click Radio Group.
3. Click Add.
The Radio Group page appears.
Figure 513 Configuring a radio group

4. Configure the radio group as described in Table 148, and click Apply.
Table 148 Configuration items

Item                        Description
Group ID                    ID of the radio group.
Description                 Description of the radio group.
                            By default, a radio group has no description.
Channel Holddown Interval   Specify that the current channel remains unchanged within the specified time
                            after a channel adjustment (automatic or initial channel selection).
                            IMPORTANT:
                            The AC immediately selects another channel when it detects any radar signals
                            on the current channel, and then resets the channel holddown timer.
Power Holddown Interval     Specify that the current power remains unchanged within the specified time
                            after a power adjustment (automatic power adjustment).
Radio List                  • Select the target radios from the Radios Available area, and then click <<
                              to add them to the Radios Selected area.
                            • Select the radios to be removed from the Radios Selected area, and then
                              click >> to remove them from the radio group.

Calibration operations
If RRM is not enabled, or the radio to be displayed works on a fixed channel, you can only view the work
channel and the power of the radio on the Operations tab in the Radio > Calibration page. Other
information such as interference observed and the number of neighbors is displayed when RRM is
enabled, that is, dynamic power selection or automatic dynamic frequency selection is enabled. For the
configuration of RRM parameters, see "Setting parameters."

Displaying channel status
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click the Channel Status tab.
3. Click the desired radio to enter the page for displaying channel status.
Figure 514 Channel status

Table 149 Configuration items

Item Description
Channel NO Running channel.

Neighbor Num Number of neighbors on a channel.

Load (%) Load detected on a channel.

Utilization (%) Channel utilization.

Interference (%) Duration of all invalid packets detected on a channel.

Packet Error Rate (%) Error rate for packets on a channel.

Retransmission Rate (%) Retransmission rate on a channel.

Radar Detect Radar detection status.

Displaying neighbor information
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click the Neighbor Info tab.
3. Click the desired radio to enter the page for displaying neighbor information.

Figure 515 Neighbor information

Table 150 Field description

Field Description
AP MAC Address MAC address of a neighbor AP.

Channel No Running channel.

Interference (%) Duration of all invalid packets detected on a channel.

RSSI (dBm) Received signal strength indication (RSSI) of the AP, in dBm.

AP Type AP type, managed or unmanaged.

Displaying history information
History information is available only if channel switching or power adjustment occurs after RRM is
enabled.
To display history information:
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click History Info.
3. Click the desired radio to enter the page for displaying neighbor information.

Figure 516 History information

Table 151 Field description

Field         Description
Radio         Radio ID of the AP.
Basic BSSID   MAC address of the AP.
Chl           Channel on which the radio operates in case of the change of channel or power.
Power         Power of the radio in case of the change of channel or power.
Load          Load observed on the radio in percentage in case of the change of channel or power.
Util          Utilization of the radio in percentage in case of the change of channel or power.
Intf          Interference observed on the radio in percentage in case of the change of channel or
              power.
PER           Packet error rate observed on a channel, in percentage.
Retry         Percentage of retransmissions that occurred on the radio before/after the change of
              channel or power.
Reason        Reason for the change of channel or power, such as interference, packets discarded,
              retransmission, radar, or coverage.
Date          Date when the channel or power change occurred.
Time          Time when the channel or power change occurred.

Selecting an antenna
1. Select Radio > Antenna Switch to select an appropriate antenna for the corresponding radio.
2. Select the antenna type for a specific radio from the Antenna list.
3. Click Apply.

Figure 517 Antenna switch

Configuring spectrum analysis
IMPORTANT:
Support for this feature depends on the device model.

Configuring the operating mode for an AP
The channels that an AP can detect depend on the operating mode of the AP:
• When operating in normal mode, an AP can only detect interference devices and channel quality,
and collect FFT data for its working channel.
• When operating in monitor or hybrid mode, the channels that an AP can detect depend on the scan
channel command. If you configure the scan channel auto command, the AP detects interference
devices and channel quality, and collects FFT data for the channels supported by the
country/region code. If you configure the scan channel all command, the AP detects interference
devices and channel quality, and collects FFT data for all channels.
For information about how to configure the operating mode for an AP, see "Configuring WLAN IDS."

NOTE:
HP recommends that you enable spectrum analysis for APs operating in monitor or hybrid mode.

Configuring spectrum analysis
This section configures spectrum analysis on 2.4 GHz radios.
Select Radio > Spectrum Analysis from the navigation tree, and click 802.11bg.

Figure 518 Spectrum analysis

Enabling spectrum analysis
The AP begins to detect interferences and channel quality, and collects FFT data when spectrum analysis
is enabled.
Table 152 Configuration items

Item                     Description
Spectrum Analysis        • Enable—Enable spectrum analysis.
                         • Disable—Disable spectrum analysis.
                         By default, spectrum analysis is disabled.
                         IMPORTANT:
                         Spectrum analysis takes effect only when enabled both globally and on a
                         radio.
Enable spectrum          See "Enabling spectrum analysis on a radio."
analysis on a radio
Device Types to Detect   Specify the device types to detect.
                         • To add a device type to the Device Types area, select a device type in
                           the Device Types to Detect area, and click <<.
                         • To remove a device type from the Device Types area, select a device
                           type in this area, and click >>.
                         By default, all device types in the Device Types to Detect area are
                         detected.

Configuring event-driven RRM
This function enables the AC to start calculating the channel quality, and switch to a new channel with a
higher quality when the channel quality is lower than the sensitivity level.
Table 153 Configuration items

Item                    Description
Event Driven RRM        • Enable—Enable event-driven RRM.
                        • Disable—Disable event-driven RRM.
                        By default, spectrum analysis does not trigger channel adjustment.
Sensitivity Threshold   • High—Specify the high sensitivity threshold.
                        • Low—Specify the low sensitivity threshold.
                        • Medium—Specify the medium sensitivity threshold.
                        By default, the sensitivity threshold is medium.

Enabling SNMP traps
This function enables the AC to send SNMP traps to the NMS when it detects an interference device or
when it detects that the channel quality is lower than the alarm threshold.
Table 154 Configuration items

Configure channel quality trap

Channel Quality Trap
  • Enable—The AC sends SNMP traps to the NMS when the channel quality is lower than the threshold.
  • Disable—The AC does not send SNMP traps to the NMS when the channel quality is lower than the
    threshold.
  By default, the AC sends SNMP traps to the NMS when the channel quality is lower than the threshold.

Trap Threshold
  Channel quality trap threshold.

Configure interference device trap

Interference Trap
  • Enable—The AC sends SNMP traps to the NMS when an interference device is detected.
  • Disable—The AC does not send SNMP traps to the NMS when an interference device is detected.
  By default, the AC sends SNMP traps to the NMS when an interference device is detected.

Trap on Device Types
  Configure the AC to send SNMP traps to the NMS when a specified interference device is detected.
  • To add a device type to the Device Types area, select a device type in the Trap on Device Types
    area, and click <<.
  • To remove a device type from the Device Types area, select a device type in this area, and click >>.
  By default, all device types in the Trap on Device Types area are detected.

IMPORTANT:
Before using this function, you must select the target devices in the Device Types to Detect area.
Otherwise, the interference device trap does not take effect.

Enabling spectrum analysis on a radio
1. Select Radio > Spectrum Analysis from the navigation tree.
2. Click Radio.
Figure 519 Enabling spectrum analysis

3. Select the radio for which spectrum analysis is to be enabled.
4. Click Enable.

Displaying interference device state
1. Select Radio > Spectrum Analysis from the navigation tree.
2. Click Interference Info.
You can view the non-802.11 interference devices detected by the AP.
Figure 520 Displaying interference device state

Table 155 Field description

Severity Index
  Interference severity level in the range of 1 to 100. A greater value indicates a stronger
  interference.

Duty Cycle(%)
  Percentage of time for which the interference device was active.

Signal Strength
  Signal strength of the detected interference device.

Displaying channel quality information
1. Select Radio > Spectrum Analysis from the navigation tree.
2. Click Channel Quality Info.
Figure 521 Displaying channel quality information

Manual channel adjustment configuration example
Network requirements
As shown in Figure 522, configure manual channel adjustment on the AC so that the AC can perform
manual channel adjustment when the channel of AP 1 is unavailable.
Figure 522 Network diagram

Configuration guidelines
If you select manual channel adjustment, click Channel Optimize on the Operation tab every time you
perform manual channel adjustment.

Configuration procedure
1. Before you configure manual channel adjustment, configure AP 1 on the AC to establish a
connection between them.
For the related configuration, see "Configuring access services."
2. Configure manual channel adjustment:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. Select Manual from the Dynamic Channel Select list.
d. Click Apply.

Figure 523 Configuring manual channel adjustment

3. Perform manual channel adjustment:
a. Select Radio > Calibration from the navigation tree.
b. On the Operation tab, select the box of the target radio.
c. Click Channel Optimize.
Figure 524 Performing manual channel adjustment

Verifying the configuration
• You can view the channel status on the Operation tab you enter by selecting Radio > Calibration
from the navigation tree.
• After you perform manual channel calibration, the AC notifies the AP of the adjusted channel after
a calibration interval.
• You can view the detailed information, such as the specific reason for channel adjustment, on the
History Info tab you enter by selecting Radio > Calibration from the navigation tree, clicking
Operation, and then clicking History Info.

Automatic power adjustment configuration example
Network requirements
As shown in Figure 525, AP 1 through AP 3 are connected to the AC. Configure automatic power
adjustment and specify the adjacency factor as 3 on the AC. In this way, when AP 4 joins, the AC
performs automatic power adjustment to avoid interference.

Figure 525 Network diagram

Configuration procedure
1. Before you configure automatic power adjustment, configure AP 1 through AP 4 on the AC to
establish a connection between the AC and each AP.
For the related configuration, see "Configuring access services."
2. Configure automatic power adjustment:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. Select Auto from the Dynamic Power Select list.
d. Click Apply.

Figure 526 Configuring automatic power adjustment

Verifying the configuration
• You can view the power of each AP on the Operation tab you enter by selecting Radio > Calibration
from the navigation tree.
• When AP 4 joins (the adjacency number becomes 3), the maximum number of neighbors reaches
the upper limit (3 by default), and the AC performs power adjustment after the calibration interval.
You can view the detailed information, such as decrease of the Tx power value, on the History Info
tab you enter by selecting Radio > Calibration from the navigation tree, selecting the Operation tab,
and then selecting History Info.

Radio group configuration example
Network requirements
As shown in Figure 527, AP 1 through AP 3 are connected to the AC.
• Configure automatic channel adjustment so that the AC can automatically switch the channel when
the signal quality on a channel is degraded to a certain level.
• Configure automatic power adjustment so that the AC can automatically adjust the power when the
third neighbor is discovered (or in other words, when AP 4 joins) to avoid interference.
• Add radio 2 of AP 1 and radio 2 of AP 2 to a radio group to prevent frequent channel or power
adjustments for the radios.
Figure 527 Network diagram

Configuration procedure
1. Before you configure a radio group, configure AP 1 through AP 4 on the AC to establish a
connection between the AC and each AP.
For the related configuration, see "Configuring access services."
2. Configure automatic channel and power adjustment:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. Select Auto from the Dynamic Channel Select list, select Auto from the Dynamic Power Select list,
and click Apply.

Figure 528 Configuring automatic channel and power adjustment

3. Configure a radio group:
a. Select Radio > Calibration from the navigation tree.
b. Click Radio Group.
c. Click Add.
d. On the page that appears, enter the channel holddown interval 20 and enter the power
holddown interval 30.
e. In the Radios Available area, select the target radios and click << to add them into the Radios
Selected area.
f. Click Apply.
Figure 529 Configuring the radio group

Verifying the configuration
• The working channel of radio 2 of AP 1 and the working channel of radio 2 of AP 2 do not change
within 20 minutes after each automatic channel adjustment.
• The power of radio 2 of AP 1 and the power of radio 2 of AP 2 do not change within 30 minutes
after each automatic power adjustment.

Spectrum analysis configuration example
Network requirements
As shown in Figure 530, AP 1 is operating in normal mode to provide WLAN access services. AP 2 is
operating in monitor mode to detect interferences, channel quality, and FFT data. If AP 2 detects a
microwave oven or Bluetooth device, AP 2 notifies the AC, which sends alarms to the NMS.

Figure 530 Network diagram

Configuration procedure
1. Configure AP 1 to operate in normal mode. For more information, see "Configuring WLAN
access."
2. Configure AP 2 to operate in monitor mode. For more information, see "Configuring WLAN
security."
3. Enable spectrum analysis on a specified radio:
a. Select Radio > Spectrum Analysis from the navigation tree.
b. Click Radio.
Figure 531 Configuring radio

c. Select the radio with the radio mode 802.11n(2.4 GHz).
d. Click Enable.
4. Enable spectrum analysis globally on 2.4 GHz radios:
a. Select Radio > Spectrum Analysis from the navigation tree.
b. Click 802.11bg.

c. Enable spectrum analysis, disable channel quality trap (enabled by default), and keep
Microwave oven and Bluetooth in the Trap on Device Types area (remove other devices from
the area by selecting them and clicking >>).
d. Click OK.
Figure 532 Configuring spectrum analysis

Verifying the configuration
• Select Radio > Spectrum Analysis from the navigation tree, and click Interference Info to display
information about the non-802.11 interferences detected by AP 2.
• Select Radio > Spectrum Analysis from the navigation tree, and click Channel Quality Info to
display channel quality information detected by AP 2.

Configuring 802.1X

802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN
committee for the security of wireless LANs (WLANs). It has been widely used on Ethernet networks for
access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
You can also configure the port security feature to perform 802.1X. Port security combines and extends
802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different
authentication methods for different users on a port. For more information about port security, see HP
Unified Wired-WLAN Products Security Configuration Guide.

Overview
802.1X architecture
802.1X operates in the client/server model. It has three entities: the client (supplicant), the network
access device (authenticator), and the authentication server, as shown in Figure 533.
Figure 533 802.1X architecture (entities shown: Client, Device, Authentication server)

• Client—A user terminal seeking access to the LAN. It must have 802.1X software to authenticate to
the network access device.
• Network access device—Authenticates the client to control access to the LAN. In a typical 802.1X
environment, the network access device uses an authentication server to perform authentication.
• Authentication server—Provides authentication services for the network access device. The
authentication server authenticates 802.1X clients by using the data sent from the network access
device, and returns the authentication results for the network access device to make access
decisions. The authentication server typically is a RADIUS server. In a small LAN, you can also use
the network access device as the authentication server.
For more information about the 802.1X protocol, see HP Unified Wired-WLAN Products Security
Configuration Guide.

Access control methods
H3C implements port-based access control as defined in the 802.1X protocol, and extends the protocol
to support MAC-based access control.
• Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent
user can access the network through the port without authentication. When the authenticated user
logs off, all other users are logged off.
• MAC-based access control—Each user is authenticated separately on a port. When a user logs off,
no other online users are affected.
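The security consequence of the two methods is easiest to see in a small model. The following Python example is added here and is not the switch's own code: AuthPort is a hypothetical model of the authenticator's per-port state, and the MAC addresses are constructed sample values. It runs the same sequence of events (user A authenticates, user B sends data before authenticating, user B authenticates, user A logs off) through both methods and reports whether an unauthenticated station was forwarded and whether the other user survived the logoff.

```python
"""Port-based versus MAC-based 802.1X access control.

Added illustration, not the switch's own code: AuthPort is a hypothetical
model of the authenticator's per-port state, and the MAC addresses below
are constructed sample values.
"""
from dataclasses import dataclass, field

PORT_BASED = "port-based"
MAC_BASED = "mac-based"


@dataclass
class AuthPort:
    """Authenticator state for one 802.1X-enabled port."""
    method: str
    # MACs whose 802.1X authentication succeeded on this port.
    authenticated: set = field(default_factory=set)

    def on_auth_success(self, mac: str) -> None:
        self.authenticated.add(mac.lower())

    def on_logoff(self, mac: str) -> None:
        mac = mac.lower()
        if mac not in self.authenticated:
            return
        if self.method == PORT_BASED:
            # The port returns to the unauthorized state, so every user
            # that was riding on it is logged off as well.
            self.authenticated.clear()
        else:
            # MAC-based: only this user's session ends.
            self.authenticated.discard(mac)

    def allows(self, mac: str) -> bool:
        """Would a data frame with this source MAC be forwarded?"""
        if self.method == PORT_BASED:
            # Once any user has authenticated, the whole port is authorized.
            return bool(self.authenticated)
        return mac.lower() in self.authenticated


def compare_methods() -> dict:
    """Run one event sequence through both methods and report the difference.

    Sequence: user A authenticates; user B sends data before authenticating;
    user B authenticates; user A logs off; is user B still online?
    """
    results = {}
    for method in (PORT_BASED, MAC_BASED):
        port = AuthPort(method)
        port.on_auth_success("00:11:22:33:44:55")        # user A (constructed MAC)
        piggyback = port.allows("66:77:88:99:aa:bb")     # user B, not yet authenticated
        port.on_auth_success("66:77:88:99:aa:bb")        # user B authenticates
        port.on_logoff("00:11:22:33:44:55")              # user A logs off
        results[method] = {
            "unauthenticated_user_forwarded": piggyback,
            "other_user_online_after_logoff": port.allows("66:77:88:99:aa:bb"),
        }
    return results


if __name__ == "__main__":
    for method, outcome in compare_methods().items():
        print(method, outcome)
```

With port-based control the unauthenticated station is forwarded and user B is cut off when A logs off; with MAC-based control neither happens, which is why MAC-based control is the one to choose for a shared medium such as a WLAN.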

802.1X timers
This section describes the timers used on an 802.1X device to guarantee that the client, the device, and
the RADIUS server can interact with each other correctly.
• Username request timeout timer—Starts when the device sends an EAP-Request/Identity packet to
a client in response to an authentication request. If the device receives no response before this timer
expires, it retransmits the request. The timer also sets the interval at which the network device sends
multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
• Client timeout timer—Starts when the access device sends an EAP-Request/MD5 Challenge packet
to a client. If no response is received when this timer expires, the access device retransmits the
request to the client.
• Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the
authentication server. If no response is received when this timer expires, the access device
retransmits the request to the server.
• Handshake timer—Sets the interval at which the access device sends client handshake requests to
check the online status of a client that has passed authentication. If the device receives no response
after sending the maximum number of handshake requests, it considers that the client has logged
off. For information about how to enable the online user handshake function, see "Configuring
802.1X on a port."
• Quiet timer—Starts when a client fails 802.1X authentication. The access device does not process
any authentication request from that client until this timer expires. For information about enabling
the quiet timer and setting its value, see "Configuring 802.1X globally."
• Periodic online user re-authentication timer—Sets the interval at which the network device
periodically re-authenticates online 802.1X users. For information about how to enable periodic
online user re-authentication on a port, see "Configuring 802.1X on a port."

Configuration prerequisites
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For
more information, see "Configuring AAA" and "Configuring RADIUS."
• If you use local authentication, create user accounts on the device and assign the LAN access
service to the users. For more information, see "Configuring users."
• If you use RADIUS authentication, create user accounts on the RADIUS server.
• Configure a special local EAP server on the device to use EAP relay if the RADIUS server does not
support any EAP authentication method or when local authentication is used. For more information,
see "Configuring the local EAP service."

Configuration procedure
1. Configuring 802.1X globally
  Required.
  Enable 802.1X authentication globally and configure the authentication method and advanced
  parameters.
  By default, 802.1X authentication is disabled globally.

2. Configuring 802.1X on a port
  Required.
  Enable 802.1X authentication on specified ports and configure 802.1X parameters for the ports.
  By default, 802.1X authentication is disabled on a port.


Configuring 802.1X globally
1. From the navigation tree, select Authentication > 802.1X.
Figure 534 802.1X global configuration

2. In the 802.1X Configuration area, select the Enable 802.1X option.
3. Select an authentication method for 802.1X users. Options include CHAP, PAP, and EAP.
• CHAP—Sets the access device to perform EAP termination and use CHAP to communicate with the
RADIUS server.
• PAP—Sets the access device to perform EAP termination and use PAP to communicate with the
RADIUS server.
• EAP—Sets the access device to relay EAP packets, and supports any of the EAP authentication
methods to communicate with the RADIUS server.
When you configure EAP relay or EAP termination, consider the following factors:
• Whether the RADIUS server supports EAP packets.
• The authentication methods supported by the 802.1X client and the RADIUS server.
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP
authentication initiated by an H3C iNode 802.1X client, you can use both EAP termination and EAP relay.
To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay.
4. Click Advanced to expand the advanced 802.1X configuration area.
Figure 535 Advanced configuration

5. Configure advanced 802.1X settings as described in Table 156.
6. Click Apply.
Table 156 Configuration items

Quiet
  Specify whether to enable the quiet timer.
  The quiet timer enables the network access device to wait a period of time before it can process any
  authentication request from a client that has failed an 802.1X authentication.

Quiet Period
  Set the value of the quiet timer.

Retry Times
  Set the maximum number of authentication request attempts.
  The network access device retransmits an authentication request if it receives no response to the
  request it has sent to the client within a period of time (specified by using the TX Period option or
  the Supplicant Timeout Time option). The network access device stops retransmitting the request if it
  has made the maximum number of request transmission attempts but still received no response.

TX-Period
  Set the username request timeout timer.

Handshake Period
  Set the handshake timer.

Re-Authentication Period
  Set the periodic online user re-authentication timer.

Supplicant Timeout Time
Server Timeout Time
  Set the client and server timeout timers.
  TIP: You can set the client timeout timer to a high value in a low-performance network, and adjust the
  server timeout timer to adapt to the performance of different authentication servers. In most cases,
  the default settings are sufficient.

For more information about 802.1X timers, see "802.1X timers."

IMPORTANT:
Do not change the timer parameters of global 802.1X from their default values unless you have
determined that the changes would better the interaction process.
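To make the difference between EAP relay and EAP termination concrete, the following Python example is added here; it is not the product's code. It builds the RADIUS Access-Request an authenticator sends in each mode and the checks a RADIUS server applies to it: with EAP relay the client's EAP packet is carried unchanged in EAP-Message attributes and the request is integrity-protected with Message-Authenticator (RFC 3579); with EAP termination the device completes the MD5-Challenge exchange itself and forwards only CHAP-Password and CHAP-Challenge (RFC 2865), which is why the server must hold the cleartext password and why only MD5-Challenge works in that mode. The shared secret, username, password, challenge and EAP payload are constructed sample values.

```python
"""RADIUS Access-Request as an 802.1X authenticator builds it in the two modes
above: EAP relay (the client's EAP packet is carried unchanged in EAP-Message
attributes and the request is protected by Message-Authenticator, RFC 3579)
and EAP termination with CHAP (the device completes EAP-MD5 itself and sends
the result as CHAP-Password/CHAP-Challenge, RFC 2865).

Added example, not the product's code. The shared secret, username, password,
challenge and EAP payload used with it are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60      # RFC 2865 attribute types
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80              # RFC 3579 attribute types


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(pkt: bytes):
    """Yield (type, value, offset of value) for each attribute, with length checks."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, pkt[pos + 2:pos + alen], pos + 2
        pos += alen


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity (code 2, type 1) as the client sends it inside EAPOL."""
    body = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def eap_relay_request(secret: bytes, ident: int, username: str, eap_packet: bytes) -> bytes:
    """EAP relay: forward the EAP packet untouched so the RADIUS server can run
    any EAP method. Message-Authenticator is mandatory when EAP-Message is present."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username.encode())
    for off in range(0, len(eap_packet), 253):      # long EAP packets span several attributes
        attrs += attr(EAP_MESSAGE, eap_packet[off:off + 253])
    # HMAC-MD5 keyed with the shared secret over the packet with the value zeroed.
    unsigned = radius_packet(ACCESS_REQUEST, ident, request_auth,
                             attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return radius_packet(ACCESS_REQUEST, ident, request_auth,
                         attrs + attr(MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side check; a request carrying EAP-Message without it must be rejected."""
    for atype, value, off in parse_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def eap_md5_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """What the client computes for EAP-MD5 (identical to CHAP): MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_termination_request(ident: int, username: str, chap_id: int,
                             challenge: bytes, client_response: bytes) -> bytes:
    """EAP termination: the device issued the challenge itself and converts the
    client's EAP-MD5 answer into CHAP attributes. The server needs the cleartext
    password to check it, which is why only MD5-Challenge works in this mode."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(CHAP_PASSWORD, bytes([chap_id]) + client_response)
             + attr(CHAP_CHALLENGE, challenge))
    return radius_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)


def chap_verify(pkt: bytes, password: bytes) -> bool:
    """Server-side CHAP check against the user's stored cleartext password."""
    found = {t: v for t, v, _ in parse_attrs(pkt)}
    if CHAP_PASSWORD not in found or CHAP_CHALLENGE not in found:
        return False
    chap_id, response = found[CHAP_PASSWORD][0], found[CHAP_PASSWORD][1:]
    expected = eap_md5_response(chap_id, password, found[CHAP_CHALLENGE])
    return hmac.compare_digest(expected, response)
```

In relay mode the device never sees the credential, only opaque EAP payloads, so any method the server and client agree on works; flipping a single byte of User-Name, or using a different shared secret, makes verify_message_authenticator() return False, which is the protection the Message-Authenticator attribute gives the relayed request. In termination mode chap_verify() succeeds only when the server holds the same cleartext password the client used.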

Configuring 802.1X on a port
1. From the navigation tree, select Authentication > 802.1X to enter the page, as shown in Figure
534.
The Ports With 802.1X Enabled area shows the 802.1X configuration on ports.
2. Click Add.
Figure 536 802.1X configuration on a port

3. Configure 802.1X features on a port, as described in Table 157.
4. Click Apply.
Table 157 Configuration items

Port
  Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports are available.
  802.1X configuration takes effect on ports only when 802.1X is enabled both globally and on the ports.
  NOTE: 802.1X is mutually exclusive with the link aggregation group or service loopback group
  configuration on a port.

Port Control
  Set the access control method for the port: MAC Based or Port Based.
  NOTE: To use both 802.1X and portal authentication on a port, you must select MAC Based.

Port Authorization
  Select the port authorization state for 802.1X. Options include:
  • Auto—Places the port initially in unauthorized state to allow only EAPOL packets to pass, and
    after a user passes authentication, sets the port in authorized state to allow access to the
    network. You can use this option in most scenarios.
  • Force-Authorized—Places the port in authorized state, enabling users on the port to access the
    network without authentication.
  • Force-Unauthorized—Places the port in unauthorized state, denying any access requests from
    users on the port.

Max Number of Users
  Set the maximum number of concurrent 802.1X users on the port.

Enable Handshake
  Specify whether to enable the online user handshake function.
  The online user handshake function checks the connectivity status of online 802.1X users. The
  network access device sends handshake messages to online users at the interval specified by the
  Handshake Period setting. If no response is received from an online user after the maximum number
  of handshake attempts (set by the Retry Times setting) has been made, the network access device
  sets the user in offline state. For information about the timers, see "802.1X timers."
  NOTE: If the network has 802.1X clients that cannot exchange handshake packets with the network
  access device, disable the online user handshake function to prevent their connections from being
  inappropriately torn down.

Enable Re-Authentication
  Specify whether to enable periodic online user re-authentication on the port.
  Periodic online user re-authentication tracks the connection status of online users and updates the
  authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication
  interval is specified by the Re-Authentication Period setting in Table 156.
  NOTE:
  • The periodic online user re-authentication timer can also be set by the authentication server in
    the session-timeout attribute. The server-assigned timer overrides the timer setting on the
    access device, and enables periodic online user re-authentication, even if the function is not
    configured. Support for the server assignment of re-authentication timer and the
    re-authentication timer configuration on the server vary with servers.
  • The VLAN assignment status must be consistent before and after re-authentication. If the
    authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at
    re-authentication. If the authentication server has assigned no VLAN before re-authentication, it
    must not assign one at re-authentication. Violation of either rule can cause the user to be logged
    off. The VLANs assigned to an online user before and after re-authentication can be the same or
    different.

Guest VLAN
  Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an 802.1X guest
  VLAN."

Enable MAC VLAN
  Select the option to enable MAC-based VLAN.
  NOTE: Only hybrid ports support the feature.

Auth-Fail VLAN
  Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X
  authentication. For more information, see "Configuring an Auth-Fail VLAN."

Configuring an 802.1X guest VLAN
Configuration guidelines
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different
ports can be different.
• Assign different IDs to the default VLAN and 802.1X guest VLAN on a port, so the port can correctly
process incoming VLAN tagged traffic.
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member.
After the assignment, do not re-configure the port as a tagged member in the VLAN.
• Use Table 158 when you configure multiple security features on a port.
Table 158 Relationships of the 802.1X guest VLAN and other security features

MAC authentication guest VLAN on a port that performs MAC-based access control
  Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to
  the MAC authentication guest VLAN.

802.1X Auth-Fail VLAN on a port that performs MAC-based access control
  The 802.1X Auth-Fail VLAN has a higher priority.

Port intrusion protection on a port that performs MAC-based access control
  The 802.1X guest VLAN function has higher priority than the block MAC action, but lower priority
  than the shutdown port action of the port intrusion protection feature.

Configuration prerequisites
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger at
the CLI. (802.1X multicast trigger is enabled by default.)
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an
untagged member.

Configuring an Auth-Fail VLAN
Configuration guidelines
• You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on
different ports can be different.
• Assign different IDs to the default VLAN and 802.1X Auth-Fail VLAN on a port, so the port can
correctly process VLAN tagged incoming traffic.
• Use Table 159 when you configure multiple security features on a port.
Table 159 Relationships of the 802.1X Auth-Fail VLAN with other features

MAC authentication guest VLAN on a port that performs MAC-based access control
  The 802.1X Auth-Fail VLAN has a high priority.

Port intrusion protection on a port that performs MAC-based access control
  The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action, but lower priority
  than the shutdown port action of the port intrusion protection feature.

Configuration prerequisites
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.
(802.1X multicast trigger is enabled by default.)
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged
member.

Configuring portal authentication

Overview
Portal authentication helps control access to the Internet. It is also called Web authentication. A website
implementing portal authentication is called a portal website.
With portal authentication, an access device redirects all users to the portal authentication page. All
users can access the free services provided on the portal website. However, to access the Internet, a user
must pass portal authentication.
A user can access a known portal website and enter username and password for authentication. This
authentication mode is called active authentication. There is also another authentication mode, forced
authentication, in which the access device forces a user who is trying to access the Internet through HTTP
to log on to a portal website for authentication.
The portal feature provides the flexibility for ISPs to manage services. A portal website can, for example,
present advertisements and deliver community and personalized services. In this way, broadband
network providers, equipment vendors, and content service providers form an industrial ecological
system.
A typical portal system comprises these basic components: authentication client, access device, portal
server, authentication/accounting server, and security policy server.
Figure 537 Portal system components (shown: authentication clients, access device, portal server,
authentication/accounting server, and security policy server)

The components of a portal system interact in the following procedure:
1. When an unauthenticated user enters a website address in the browser's address bar to access the
Internet, an HTTP request is created and sent to the access device. The access device then redirects
the HTTP request to the portal server's Web authentication homepage. For extended portal
functions, authentication clients must run the portal client software.
2. On the authentication homepage/authentication dialog box, the user enters and submits the
authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the
authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security
policy for the user. If not, it allows the user to access the Internet. Otherwise, the client
communicates with the access device and the security policy server for security check. If the client
passes security check, the security policy server authorizes the user to access the Internet
resources.

NOTE:
The Web interface of the device supports configuring portal authentication only on Layer 3 interfaces. For
more information about portal authentication, see HP Unified Wired-WLAN Products Security
Configuration Guide.

Configuration prerequisites
Although the portal feature provides a solution for user identity authentication and security checking, the
portal feature cannot implement this solution by itself. RADIUS authentication needs to be configured on
the access device to cooperate with the portal feature to complete user authentication.
The prerequisites for portal authentication configuration are as follows:
• The portal server and the RADIUS server have been installed and configured correctly. Local portal
authentication requires no independent portal server.
• With re-DHCP authentication, the IP address check function of DHCP relay is enabled on the access
device, and the DHCP server is installed and configured correctly.
• The portal client, access device, and servers can reach each other.
• With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS
server, and the RADIUS client configurations are performed on the access device. For information
about RADIUS client configuration, see "Configuring RADIUS."
• To implement extended portal functions, install and configure IMC EAD. Make sure the ACLs
configured on the access device correspond to those specified for the resources in the quarantined
area and for the restricted resources on the security policy server. For information about security
policy server configuration on the access device, see "Configuring RADIUS."

Configuration procedure
1. Configuring the portal service
  Required.
  Configure a portal server, apply the portal server to a Layer 3 interface, and configure the portal
  authentication parameters.
  By default, no portal server is configured.

2. Configuring advanced parameters for portal authentication
  Optional.
  Specify an auto redirection URL, set the time that the device must wait before redirecting an
  authenticated user to the auto redirection URL, and add Web proxy server port numbers.

3. Configuring a portal-free rule
  Optional.
  Configure a portal-free rule, specifying the source and destination information for packet filtering.
  A portal-free rule allows specified users to access specified external websites without portal
  authentication. Packets matching a portal-free rule will not trigger portal authentication and the
  users can directly access the specified external websites.
  By default, no portal-free policy is configured.

Configuring the portal service
1. From the navigation tree, select Authentication > Portal.
The portal server configuration page appears.
The portal service on a Layer 3 interface can be in either of the following states:
• Running—Portal authentication has taken effect on the interface.
• Enabled—Portal authentication is enabled on the interface, but it does not take effect.
Figure 538 Portal server configuration

2. Click Add to enter the portal service application page.
Figure 539 Portal service application

3. Configure the portal application settings as described in Table 160.
4. Click Apply.

Table 160 Configuration items

Interface
  Specify the Layer 3 interface to be enabled with portal authentication.

Portal Server
  Specify the portal server to be applied on the specified interface. Options include:
  • Select Server—Select an existing portal server from the Portal Server list.
  • New Server—If you select Add under this option from the list, the portal server
    configuration area, as shown in Figure 540, is displayed at the lower part of the
    page. You can add a remote portal server and apply it to the interface. For detailed
    configuration, see Table 161.
  • Enable Local Server—If you select this option from the list, the local portal service
    configuration area, as shown in Figure 541, is displayed at the lower part of the
    page. You can configure the parameters for the local portal service. For detailed
    configuration, see Table 162.

Method
  Specify the portal authentication mode:
  • Direct—Direct portal authentication.
  • Layer3—Cross-subnet portal authentication.
  • Re DHCP—Re-DHCP portal authentication.
  IMPORTANT:
  • In cross-subnet portal authentication mode, Layer 3 forwarding devices are not
    required between the authentication client and the access device. However, if
    Layer 3 forwarding devices are present, you must select the cross-subnet mode.
  • In re-DHCP portal authentication mode, a client is allowed to send out packets using
    a public IP address before it passes portal authentication. However, responses to
    those packets are restricted.
  • If the local portal server is used, you can configure the re-DHCP mode, but it does
    not take effect.

Auth Network IP
Network Mask
  Specify the IP address and mask of the authentication subnet. This field is configurable
  when you select the Layer3 mode (cross-subnet portal authentication).
  By configuring an authentication subnet, you specify that only HTTP packets from users on
  the authentication subnet can trigger portal authentication. If an unauthenticated user is
  not on any authentication subnet, the access device discards all the user's HTTP packets
  that do not match any portal-free rule.
  IMPORTANT:
  The authentication subnet in direct mode is any source IP address, and that in re-DHCP
  mode is the private subnet to which the interface's private IP address belongs.

Authentication Domain
  Specify the authentication domain for Layer 3 portal users.
  After you specify an authentication domain on a Layer 3 interface, the device uses that
  domain for authentication, authorization, and accounting (AAA) of the portal users on the
  interface, ignoring the domain names carried in the usernames. You can specify different
  authentication domains for different interfaces as needed.
  The available authentication domains are those specified on the page you enter by
  selecting Authentication > AAA from the navigation tree. For more information, see
  "Configuring AAA."

Figure 540 Adding a portal server

Table 161 Configuration items

Server Name
  Enter a name for the remote portal server.

IP
  Enter the IP address of the remote portal server.

Key
  Enter the shared key to be used for communication between the device and the remote
  portal server.

Port
  Enter the port number of the remote portal server.

URL
  Specify the URL for HTTP packet redirection, in the format http://ip-address. By default,
  the IP address of the portal server is used in the URL.
  IMPORTANT:
  The redirection URL supports domain name resolution. However, you must configure a
  portal-free rule and add the DNS server address into the portal-free address range.

Figure 541 Local portal service configuration

Table 162 Configuration items

Server Name
  Specify the local portal server name.

IP
  Specify the IP address of the local portal server. You must specify the IP address of
  the interface where the local portal server is applied.

URL
  Specify the URL for HTTP packet redirection, in the format
  http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm
  (depending on the protocol type).
  By default, the IP address of the local portal server is used in the URL.
  IMPORTANT:
  • To use the local portal server for stateful failover in a wireless environment, you must
    specify the redirection URL, and the IP address in the URL must be the virtual IP
    address of the VRRP group where the VRRP downlink resides.
  • URL redirection supports domain name resolution, but you must configure a
    portal-free rule and add the DNS server address into the portal-free address range.

Protocol
  Specify the protocol to be used for authentication information exchange between the
  local portal server and the client. It can be HTTP or HTTPS.

PKI Domain
  Specify the PKI domain for HTTPS. This field is configurable when you select HTTPS.
  The available PKI domains are those specified on the page you enter by selecting
  Authentication > Certificate Management from the navigation tree. For more
  information, see "Managing certificates."
  IMPORTANT:
  The service management, local portal authentication, and local EAP service modules
  always reference the same PKI domain. Changing the referenced PKI domain in any of the
  three modules also changes the PKI domain referenced by the other two modules.

Page Customization
SSID
Page File
  Specify the authentication page files to be bound with SSIDs as required.
  After you bind SSIDs with authentication page files, when a user accesses the portal
  page, the local portal server pushes the authentication pages according to the SSID of
  the user login interface and the bound authentication page file.
  By default, an SSID is not bound with any authentication page file. In this case, the
  system pushes the default authentication pages.
  You can edit an authentication page file as required and save it in the root directory or
  the portal directory under the root directory of the access device. For the rules on
  customizing authentication pages, see "Customizing authentication pages."

Configuring advanced parameters for portal authentication

1. From the navigation tree, select Authentication > Portal.
2. Expand the Advanced area to show the advanced parameters for portal authentication.

Figure 542 Advanced configuration

3. Configure the advanced parameters as described in Table 163.


4. Click Apply.
Table 163 Advanced portal parameters

Web Proxy Server Ports
  Add the Web proxy server ports to allow HTTP requests proxied by the specified proxy
  servers to trigger portal authentication. By default, only HTTP requests that are not
  proxied can trigger portal authentication.
  Because different clients may have different Web proxy configurations, additional
  configuration is needed to make sure that clients using a Web proxy can trigger portal
  authentication. When the IMC portal server is used, complete the following
  configurations first:
  • If the client does not specify the portal server's IP address as a proxy exception, ensure
    IP connectivity between the portal server and the Web proxy server and perform
    the following configurations on the IMC portal server:
    − Select NAT as the type of the IP group associated with the portal device.
    − Specify the proxy server's IP address as the IP address after NAT.
    − Configure the port group to support NAT.
  • If the client specifies the portal server's IP address as an exception of the Web proxy
    server, configure the IP group and port group to not support NAT.
  IMPORTANT:
  • If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover
    Web proxy servers, add the port numbers of the Web proxy servers on the device, and
    configure portal-free rules to allow user packets destined for the IP address of the
    WPAD server to pass without authentication.
  • If the Web proxy server port 80 is added on the device, clients that do not use a proxy
    server can trigger portal authentication only when they access a reachable host
    enabled with the HTTP service.
  • Authorized ACLs to be assigned to users who have passed portal authentication must
    contain a rule that permits the Web proxy server's IP address. Otherwise, the user
    cannot receive heartbeat packets from the remote portal server.

Redirection URL
  Specify the auto redirection URL to which users are automatically redirected after they
  pass portal authentication.
  To access the network, an unauthenticated user either goes to or is automatically forced
  to the portal authentication page for authentication. If the user passes portal
  authentication and the access device is configured with an auto redirection URL, the
  access device redirects the user to the URL after a specified period of time.

Wait-Time
  Period of time that the device must wait before redirecting an authenticated portal user to
  the auto redirection URL.

Configuring a portal-free rule


1. From the navigation tree, select Authentication > Portal.
2. Click the Free Rule tab.
Figure 543 Portal-free rule configuration

3. Click Add.
The page for adding a new portal-free rule appears.
Figure 544 Adding a portal-free rule

4. Configure the portal-free rule as described in Table 164.


5. Click Apply.

Table 164 Configuration items

Number
  Specify the sequence number of the portal-free rule.

Source-interface
  Specify the source interface of the portal-free rule.
  The SSIDs in the list are the corresponding SSIDs of the wireless ESS interfaces.

Source IP address
Mask
  Specify the source IP address and mask of the portal-free rule.

Source MAC
  Specify the source MAC address of the portal-free rule.
  IMPORTANT:
  If you configure both the source IP address and the source MAC address, make sure
  that the mask of the specified source IP address is 255.255.255.255. Otherwise, the
  specified source MAC address does not take effect.

Source-VLAN
  Specify the source VLAN of the portal-free rule.
  IMPORTANT:
  If you configure both a source interface and a source VLAN for a portal-free rule, make
  sure that the source interface is in the source VLAN. Otherwise, the portal-free rule does
  not take effect.

Destination IP Address
Mask
  Specify the destination IP address and mask of the portal-free rule.
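The following Python script is an added example, not HP code and not the device's actual forwarding logic. It models how the access device treats a packet from a client that has not yet passed portal authentication, combining the authentication subnet from Table 160, the Web proxy ports from Table 163, and the portal-free rule fields and their two caveats from Table 164. The class and function names, the interface-to-VLAN map and the rule set (apart from the Bridge-Aggregation1 rule and the portal URL taken from the configuration example later in this chapter) are constructed for this example; treating an "HTTP packet" as TCP to port 80 or to a configured proxy port, modelling re-DHCP like Layer3, and dropping all other unauthenticated traffic are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Optional, Set

# Added example, not device code. Class and function names are this example's own.

@dataclass(frozen=True)
class PortalFreeRule:
    number: int
    src_interface: Optional[str] = None
    src_vlan: Optional[int] = None
    src_net: Optional[IPv4Network] = None    # source IP address + mask
    src_mac: Optional[str] = None
    dst_net: Optional[IPv4Network] = None    # destination IP address + mask

@dataclass(frozen=True)
class Packet:
    src_ip: IPv4Address
    dst_ip: IPv4Address
    src_mac: str
    in_interface: str
    vlan: int
    dst_port: int                            # TCP destination port

def rule_matches(rule: PortalFreeRule, pkt: Packet, interface_vlans: Dict[str, Set[int]]) -> bool:
    """True if the packet hits the rule, applying the two IMPORTANT notes from Table 164."""
    # Interface and VLAN both set: the rule only takes effect if the interface is in that VLAN.
    if rule.src_interface is not None and rule.src_vlan is not None:
        if rule.src_vlan not in interface_vlans.get(rule.src_interface, set()):
            return False
    if rule.src_interface is not None and pkt.in_interface != rule.src_interface:
        return False
    if rule.src_vlan is not None and pkt.vlan != rule.src_vlan:
        return False
    if rule.src_net is not None and pkt.src_ip not in rule.src_net:
        return False
    # The source MAC is honoured only when the source IP mask is 255.255.255.255 (/32),
    # or when no source IP is configured at all; otherwise it is silently ignored.
    mac_effective = rule.src_mac is not None and (rule.src_net is None or rule.src_net.prefixlen == 32)
    if mac_effective and pkt.src_mac.lower() != rule.src_mac.lower():
        return False
    if rule.dst_net is not None and pkt.dst_ip not in rule.dst_net:
        return False
    return True

def decide(pkt: Packet, rules: Iterable[PortalFreeRule], interface_vlans: Dict[str, Set[int]],
           mode: str = "direct", auth_nets: Iterable[str] = (),
           proxy_ports: Iterable[int] = (), portal_url: str = "") -> str:
    """Decision for an unauthenticated client's packet: 'pass', 'drop' or 'redirect <url>'."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt, interface_vlans):
            return "pass"                    # portal-free: forwarded without authentication
    # Authentication subnet (Table 160): any source address in direct mode; only the
    # configured subnets (CIDR strings) in Layer3 mode. Assumption: re-DHCP is modelled
    # like Layer3, with the interface's private subnet passed in auth_nets.
    if mode != "direct" and not any(pkt.src_ip in IPv4Network(n) for n in auth_nets):
        return "drop"
    # Assumption: an "HTTP packet" is TCP to port 80 or to a configured Web proxy port
    # (Table 163); only those trigger redirection to the portal page.
    if pkt.dst_port == 80 or pkt.dst_port in set(proxy_ports):
        return "redirect " + portal_url
    return "drop"                            # everything else waits for authentication

# Constructed sample configuration (only the Bridge-Aggregation1 rule and the portal URL
# come from the chapter's configuration example).
PORTAL_URL = "https://192.168.1.1/portal/logon.htm"
INTERFACE_VLANS = {"Vlan-interface2": {2}, "Bridge-Aggregation1": {3, 4}}
RULES = [
    PortalFreeRule(0, src_interface="Bridge-Aggregation1"),
    PortalFreeRule(1, dst_net=IPv4Network("192.168.1.53/32")),              # DNS server
    PortalFreeRule(2, src_net=IPv4Network("192.168.1.0/24"),               # MAC ignored: mask is /24
                   src_mac="00:11:22:33:44:55", dst_net=IPv4Network("10.0.0.0/8")),
    PortalFreeRule(3, src_net=IPv4Network("192.168.1.20/32"),              # MAC honoured: mask is /32
                   src_mac="00:11:22:33:44:55", dst_net=IPv4Network("172.16.0.0/16")),
    PortalFreeRule(4, src_interface="Vlan-interface2", src_vlan=3),        # never effective: not in VLAN 3
]

def client_packet(src: str, dst: str, port: int, mac: str = "aa:bb:cc:dd:ee:ff",
                  iface: str = "Vlan-interface2", vlan: int = 2) -> Packet:
    return Packet(IPv4Address(src), IPv4Address(dst), mac, iface, vlan, port)

def check(pkt: Packet, **kw) -> str:
    """Evaluate one packet against the sample configuration."""
    return decide(pkt, RULES, INTERFACE_VLANS, portal_url=PORTAL_URL, **kw)
```

The rule numbered 2 is the case to watch when auditing a portal configuration: because its source mask is /24, the configured MAC address is ignored and every host on 192.168.1.0/24 is exempted towards 10.0.0.0/8, not just the intended device. Rule 3 shows the same intent written correctly with a /32 mask, and rule 4 shows a rule that looks valid in the table but never matches because its interface is not in the VLAN it names.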

Customizing authentication pages


When the local portal server is used for portal authentication, the local portal server pushes
authentication pages. You can define the authentication pages for users. Otherwise, the local portal
server pushes the default authentication pages.
Customized authentication pages exist in the form of HTML files. You can compress them, and then save
them in the storage medium of the access device.
A set of authentication pages includes six main pages and their page elements.
The six main pages are the logon page, the logon success page, the logon failure page, the online page,
the system busy page, and the logoff success page.
The page elements are the files that the authentication pages reference. For example, back.jpg is for
page Logon.htm. Each main authentication page can reference multiple page elements. If you define
only some of the main pages, the local portal server pushes the default authentication pages for the
undefined ones.
For the local portal server to operate normally and stably, follow the rules in this section when
customizing authentication pages.

File name rules


The names of the main authentication page files cannot be changed. You can define the names of the
files other than the main authentication page files. File names and directory names are case-insensitive.

Table 165 Main authentication page file names

Main authentication page            File name
Logon page                          logon.htm
Logon success page                  logonSuccess.htm
Logon failure page                  logonFail.htm
Online page                         online.htm
  Pushed after the user gets online for online notification.
System busy page                    busy.htm
  Pushed when the system is busy or the user is in the logon process.
Logoff success page                 logoffSuccess.htm

Page request rules


The local portal server supports only Post and Get requests.
• Get requests—Used to get the static files in the authentication pages, and allow no recursion. For
example, if file logon.htm includes contents that perform Get action on file ca.htm, file ca.htm
cannot include any reference to file logon.htm.
• Post requests—Used when users submit usernames and passwords, log on to the system, and log off
the system.

Post request attribute rules

1. Observe the following requirements when editing a form of an authentication page:
   − An authentication page can have multiple forms, but there must be one and only one form
     whose action is logon.cgi. Otherwise, user information cannot be sent to the local portal server.
   − The username attribute is fixed as PtUser. The password attribute is fixed as PtPwd.
   − Attribute PtButton is required to indicate the action that the user requests, either Logon or Logoff.
   − A logon Post request must contain the PtUser, PtPwd, and PtButton attributes.
   − A logoff Post request must contain the PtButton attribute.
2. Authentication pages logon.htm and logonFail.htm must contain the logon Post request.
   The following example shows part of the script in page logon.htm:
   <form action=logon.cgi method = post >
   <p>User name:<input type="text" name = "PtUser" style="width:160px;height:22px"
   maxlength=64>
   <p>Password :<input type="password" name = "PtPwd" style="width:160px;height:22px"
   maxlength=32>
   <p><input type=SUBMIT value="Logon" name = "PtButton" style="width:60px;"
   onclick="form.action=form.action+location.search;">
   </form>
3. Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request.
   The following example shows part of the script in page online.htm:
   <form action=logon.cgi method = post >
   <p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;">
   </form>

Page file compression and saving rules


• A set of authentication page files must be compressed into a standard .zip file. The name of a .zip
file can contain only letters, numbers, and underscores. The .zip file of the default authentication
pages must be saved with name defaultfile.zip.
• The set of authentication pages must be located in the root directory of the .zip file.
• Zip files can be transferred to the device through FTP or TFTP. The default authentication pages file
must be saved in the root directory of the device, and other authentication files can be saved in the
root directory or in the portal directory under the root directory of the device.

File size and content rules


The following size and content requirements for authentication pages allow the system to push
customized authentication pages smoothly:
• The size of the zip file of each set of authentication pages, including the main authentication pages
and the page elements, must be no more than 500 KB.
• The size of an uncompressed page, including the main authentication page and its page elements,
must be no more than 50 KB.
• Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
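The following Python script is an added example, not HP code and not the local portal server's own checker. It applies the page request rules, the Post request attribute rules, the compression and saving rules, and the size and content rules above to a page set before it is uploaded to the device, and builds two small page sets in memory to exercise them. The list of extensions accepted as static content, the use of src= and href= attributes to find the Get references of a page, and both sample page sets are constructed for this example.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Added example, not the portal server's checker. Names are this example's own.
MAIN_PAGES = {"logon.htm", "logonsuccess.htm", "logonfail.htm", "online.htm", "busy.htm", "logoffsuccess.htm"}
LOGON_PAGES, LOGOFF_PAGES = {"logon.htm", "logonfail.htm"}, {"logonsuccess.htm", "online.htm"}
STATIC_EXT = (".htm", ".html", ".js", ".css", ".jpg", ".jpeg", ".png", ".gif", ".bmp")  # assumption
MAX_ZIP, MAX_PAGE = 500 * 1024, 50 * 1024
REF_RE = re.compile(r'(?:src|href)\s*=\s*["\']?([^"\'\s>]+)', re.I)   # assumption: Get references

class _FormScanner(HTMLParser):
    """Records every form's action and method and the names of the inputs inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "method": a.get("method", "").lower(), "inputs": set()}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].add(a.get("name", ""))
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def check_form(html: str, needed: set) -> list:
    """Exactly one form must post to logon.cgi and carry the needed Pt* attributes."""
    s = _FormScanner()
    s.feed(html)
    forms = [f for f in s.forms if f["action"].lower() == "logon.cgi"]
    if len(forms) != 1:
        return [f"expected exactly one form with action logon.cgi, found {len(forms)}"]
    errs = [] if forms[0]["method"] == "post" else ["logon.cgi form must use method post"]
    missing = needed - forms[0]["inputs"]
    return errs + ([f"logon.cgi form lacks {', '.join(sorted(missing))}"] if missing else [])

def validate_page_set(zip_name: str, data: bytes) -> list:
    """Returns the rule violations found; an empty list means the set passes every check."""
    errors = []
    if not re.fullmatch(r"[A-Za-z0-9_]+\.zip", zip_name):
        errors.append(f"{zip_name}: zip name may contain only letters, numbers and underscores")
    if len(data) > MAX_ZIP:
        errors.append(f"zip is {len(data)} bytes, limit is {MAX_ZIP}")
    files = {}                                   # lower-case name -> bytes (names are case-insensitive)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if "/" in info.filename:
                errors.append(f"{info.filename}: pages must sit in the zip root")
            elif not info.filename.lower().endswith(STATIC_EXT):
                errors.append(f"{info.filename}: only static content (HTML, JS, CSS, pictures) is allowed")
            else:
                files[info.filename.lower()] = zf.read(info)
    pages = {n: files[n].decode("utf-8", "replace") for n in files if n.endswith((".htm", ".html"))}
    refs = {n: {r.lower() for r in REF_RE.findall(t)} for n, t in pages.items()}
    for name in sorted(MAIN_PAGES & set(pages)):  # absent main pages are fine: defaults are pushed
        total = len(files[name]) + sum(len(files[r]) for r in refs[name] if r in files)
        if total > MAX_PAGE:
            errors.append(f"{name}: page plus its elements is {total} bytes, limit is {MAX_PAGE}")
        if name in LOGON_PAGES:
            errors += [f"{name}: {e}" for e in check_form(pages[name], {"PtUser", "PtPwd", "PtButton"})]
        if name in LOGOFF_PAGES:
            errors += [f"{name}: {e}" for e in check_form(pages[name], {"PtButton"})]
    def reaches(start, target, seen):            # Get requests allow no recursion
        for r in refs.get(start, ()):
            if r == target or (r in refs and r not in seen and reaches(r, target, seen | {r})):
                return True
        return False
    errors += [f"{n}: recursive Get reference" for n in sorted(refs) if reaches(n, n, {n})]
    return errors

# Constructed sample page sets (not the device's defaults): one compliant, one breaking rules.
LOGON_FORM = ('<form action=logon.cgi method = post >'
              '<p>User name:<input type="text" name = "PtUser" maxlength=64>'
              '{pwd}<p><input type=SUBMIT value="Logon" name = "PtButton" '
              'onclick="form.action=form.action+location.search;"></form>')
PWD_INPUT = '<p>Password :<input type="password" name = "PtPwd" maxlength=32>'

def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_zip(compliant: bool = True) -> bytes:
    if compliant:
        return build_zip({
            "logon.htm": "<html><body>" + LOGON_FORM.format(pwd=PWD_INPUT) + '<img src="back.jpg"></body></html>',
            "online.htm": '<html><body><form action=logon.cgi method = post >'
                          '<input type=SUBMIT value="Logoff" name="PtButton"></form></body></html>',
            "back.jpg": b"\xff\xd8\xff" * 64,
        })
    return build_zip({
        "logon.htm": "<html><body>" + LOGON_FORM.format(pwd="") + '<a href="ca.htm">CA</a></body></html>',
        "ca.htm": '<html><body><a href="logon.htm">back</a></body></html>',   # refers back: recursion
        "logonSuccess.htm": '<form action=logon.cgi method=post><input type=SUBMIT name="Go"></form>',
        "img/back.jpg": b"\xff\xd8\xff",                                      # not in the zip root
        "setup.exe": b"MZ",                                                   # not static content
    })
```

Run validate_page_set("ssid1.zip", sample_zip(True)) for a clean result and validate_page_set("ssid-1.zip", sample_zip(False)) to see every rule fire at once. Checking the set offline is worthwhile because the device falls back to its default pages for any main page it cannot use, so a broken custom logon page is easy to miss until users see the wrong branding.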

Logging off a user who closes the logon success or online page
After a user passes authentication, the system pushes the logon success page named logonSuccess.htm.
If the user initiates another authentication through the logon page, the system pushes the online page
named online.htm. You can configure the device to forcibly log off the user when the user closes either
of these two pages. To do so, add the following contents in logonSuccess.htm and online.htm:
1. Reference to file pt_private.js.
2. Function pt_unload(), which is for triggering page unloading.
3. Function pt_submit(), the event handler function for Form.
4. Function pt_init(), which is for triggering page loading.
The following script example shows the added contents: the reference to pt_private.js and the onload, onbeforeunload, and onsubmit handlers:
<html>
<head>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
<form action=logon.cgi method = post onsubmit="pt_submit()">
... ...
</body>
</html>

If a user refreshes the logon success or online page, or jumps to another website from either of the pages,
the device also logs off the user.
Google Chrome browsers do not support this function.
Make sure that the browser of an authentication client permits pop-ups, or at least permits pop-ups from the
access device. Otherwise, the user cannot log off by closing the logon success or online page, and can
only click Cancel to return to the logon success or online page.

Redirecting authenticated users to a specific webpage


To make the device automatically redirect authenticated users to a specified webpage, do the following
in logon.htm and logonSuccess.htm:
1. In logon.htm, set the target attribute of Form to blank:
<form method=post action=logon.cgi target="blank">
2. Add the page-loading function pt_init() to logonSuccess.htm. The reference to pt_private.js
and the handlers on the body tag are the added contents:
<html>
<head>
<title>LogonSuccessed</title>
<script type="text/javascript" language="javascript"
src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
</body>
</html>

H3C recommends using browser IE 6.0 or later on the authentication clients.

Portal authentication configuration example


Network requirements
As shown in Figure 545, the wireless client belongs to VLAN 2 and accesses the network through the AP,
which belongs to VLAN 3. The model and serial ID of the AP are MSM460-WW and CN2AD330S8,
respectively.
AC supports the local portal server, which runs HTTPS. The local portal server can push the
corresponding customized pages according to the SSID of the user logon interface.
A RADIUS server runs on IMC to provide authentication and accounting services.
The client must pass direct portal authentication to access Internet resources. Before authentication, the
client can access only the local portal server.

Figure 545 Network diagram

Addressing shown in the figure:
• Client: SSID abc, gateway 192.168.1.1/24, in VLAN 2.
• AC Vlan-int2: 192.168.1.1/24 (client side).
• AC Vlan-int3: 3.3.3.3/24 (AP side, VLAN 3).
• AC Vlan-int4: 1.1.1.1/24, towards the IP network and the RADIUS server 1.1.1.2/24.

Configuration prerequisites
Complete the following tasks before you perform the portal configuration:
• Configure IP addresses for the devices, as shown in Figure 545, and make sure they can reach each
other.
• Configure PKI domain test, and make sure that a local certificate and a CA certificate are obtained
successfully. For more information, see "Managing certificates."
• Complete the editing of the authentication page files to be bound with the client SSID.
• Configure the RADIUS server correctly to provide authentication and accounting functions for users.

Configuring the AC
1. Configure the RADIUS scheme system:
a. From the navigation tree, select Authentication > RADIUS.
b. Click Add.
c. On the page that appears, enter the scheme name system, select the server type Extended, and
select Without domain name for Username Format.
d. In the RADIUS Server Configuration area, click Add.
e. On the page that appears, select Primary Authentication as the server type, enter the IP
address 1.1.1.2, the port number 1812, and the key expert, enter expert again in the Confirm
Key field, and click Apply.
The RADIUS server configuration page closes, and the RADIUS Server Configuration area on
the RADIUS scheme configuration page displays the authentication server you have just
configured.
f. In the RADIUS Server Configuration area, click Add.
g. On the page that appears, select Primary Accounting as the server type, enter the IP address
1.1.1.2, the port number 1813, and the key expert, enter expert again in the Confirm Key field,
and click Apply.
The RADIUS server configuration page closes, and the RADIUS Server Configuration area on
the RADIUS scheme configuration page displays the accounting server you have just
configured.
h. Click Apply.

Figure 546 Configuring the RADIUS scheme

2. Configure ISP domain test as the default domain:


a. From the navigation tree, select Authentication > AAA.
The Domain Setup tab appears.
b. Enter the domain name test, and select Enable from the Default Domain list.
c. Click Apply.

Figure 547 Creating an ISP domain

3. Configure an authentication method for the ISP domain:


a. Click the Authentication tab.
b. Select the domain name test.
c. Select the Default AuthN option, and then select RADIUS as the authentication mode.
d. From the Name list, select system to use it as the authentication scheme.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.

Figure 548 Configuring the authentication method for the ISP domain

4. Configure an authorization method for the ISP domain:


a. Click the Authorization tab.
b. Select the Default AuthZ option, and then select RADIUS as the authorization mode.
c. From the Name list, select system to use it as the authorization scheme.
d. Click Apply.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 549 Configuring the authorization method for the ISP domain

5. Configure an accounting method for the ISP domain:


a. Click the Accounting tab.
b. Select the domain name test.
c. Select the Accounting Optional option, and then select Enable from the list.
d. Select the Default Accounting option, and then select RADIUS as the accounting mode.
e. From the Name list, select system to use it as the accounting scheme.
f. Click Apply.

A configuration progress dialog box appears.
g. After the configuration process is complete, click Close.
Figure 550 Configuring the accounting method for the ISP domain

6. Create an AP:
a. From the navigation tree, select AP > AP Setup.
b. Click Create.
c. Enter the AP name ap1.
d. Select model MSM460-WW.
e. Select the manual mode for serial ID, and then enter the serial ID CN2AD330S8.
f. Click Apply.
Figure 551 Creating an AP

7. Create a wireless service:


a. From the navigation tree, select Wireless Service > Access Service.
b. Click New.
c. On the page as shown in Figure 552, enter the wireless service name abc, select clear as the
wireless service type, and click Apply.
The wireless service configuration page appears.

Figure 552 Creating a wireless service

d. On the page as shown in Figure 553, enter 2 in the VLAN (Untagged) field, enter 2 in the
Default VLAN field, and click Apply.
A configuration progress dialog box appears.
Figure 553 Configuring parameters for the wireless service

e. After the configuration process is complete, click Close.


8. Enable the wireless service:
a. On wireless service list as shown in Figure 554, select the wireless service abc.
b. Click Enable.
A configuration progress dialog box appears.
c. After the configuration process is complete, click Close.

Figure 554 Enabling the wireless service

9. Bind an AP radio with the wireless service:


a. On the wireless service list, click the icon in the Operation column of wireless service abc.
b. On the page that appears, select ap1 with the radio mode of 802.11n(2.4GHz).
c. Click Bind.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

Figure 555 Binding an AP radio

10. Enable radio:


a. From the navigation tree, select Radio > Radio.
b. Select ap1 with the radio mode of 802.11n(2.4GHz).
c. Click Enable.

Figure 556 Enabling 802.11n(2.4GHz) radio

11. Configure portal authentication:


a. From the navigation tree, select Authentication > Portal.
b. Click Add.
c. Configure a local portal server:
− Select interface Vlan-interface2.
− Select Enable Local Server for Portal Server.
− Select Direct as the authentication method.
− Select the authentication domain test.
− Enter 192.168.1.1 as the server IP address.
− Select HTTPS as the protocol type.
− Select test as the PKI domain.
− Select Page Customization.
− Select the authentication page file ssid1.zip for SSID abc.
d. Click Apply.

Figure 557 Portal service application

12. Configure a portal-free rule for Bridge-Aggregation 1:


a. Click the Free Rule tab.
b. Click Add.
c. On the page that appears, enter the rule number 0, and select the source interface
Bridge-Aggregation1.
d. Click Apply.

Figure 558 Configuring a portal-free rule for Bridge-Aggregation 1

Verifying the configuration


When a user accesses subnet 1.1.1.0/24 by using a Web browser, the user is redirected to page
https://192.168.1.1/portal/logon.htm. After entering the correct username and password on the
webpage, the user passes the authentication.

Configuring AAA

Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants user rights and controls user access to resources and services. For example,
a user who has successfully logged in to the device can be granted read and print permissions to
the files on the device.
• Accounting—Records all network service usage information, including the service type, start time,
and traffic. The accounting function provides information required for charging and allows for
network security surveillance.
AAA can be implemented through multiple protocols. The device supports RADIUS. For more information,
see "Configuring RADIUS."
AAA typically uses a client/server model. The client runs on the network access server (NAS) and the
server maintains user information centrally. In an AAA network, the NAS is a server for users, but a client
for AAA servers.
Figure 559 AAA application scenario

AAA manages users based on their ISP domains and access types.
On a NAS, each user belongs to one ISP domain. Typically, a NAS determines the ISP domain a user
belongs to by the username entered by the user at login.

Figure 560 Determining the ISP domain for a user by the username

You can configure different authentication, authorization, and accounting methods for users in an ISP
domain. Or you can configure a set of default methods for an ISP domain. These default methods are
used for users for whom no specific AAA methods are configured.
AAA manages users in the same ISP domain based on their access types. The device supports the
following user access types:
• LAN users—Users on a LAN who must pass 802.1X or MAC address authentication to access the
network.
• Login users—Users who want to log in to the device, including SSH users, Telnet users, FTP users,
and terminal users.
• Portal users—Users who must pass portal authentication to access the network.
• PPP users—Users who access through PPP.
To improve device security, AAA provides command authorization for login users. Command
authorization enables the NAS to defer to the authorization server to determine whether a command
entered by a login user is permitted for the user, and allows login users to execute only authorized
commands.
For more information about AAA and ISP, see HP Unified Wired-WLAN Products Security Configuration
Guide.

Configuration prerequisites
• To deploy local authentication, first configure local users on the access device. See "Configuring
users."
• To perform RADIUS authentication, first create the RADIUS schemes. See "Configuring RADIUS."

Configuration procedure

1. Configuring an ISP domain
   Optional. Create ISP domains and specify one of them as the default ISP domain.
   By default, there is an ISP domain named system, which is the default ISP domain.
2. Configuring authentication methods for the ISP domain
   Optional. Configure authentication methods for various types of users.
   By default, all types of users use local authentication.
3. Configuring authorization methods for the ISP domain
   Optional. Specify the authorization methods for various types of users.
   By default, all types of users use local authorization.
4. Configuring accounting methods for the ISP domain
   Required. Specify the accounting methods for various types of users.
   By default, all types of users use local accounting.

Configuring an ISP domain


1. From the navigation tree, select Authentication > AAA.
The Domain Setup page appears.
Figure 561 Domain Setup page

2. Configure an ISP domain as described in Table 166.


3. Click Apply.

Table 166 Configuration items

Domain Name
  Enter an ISP domain name for uniquely identifying the domain.
  You can enter a new domain name to create a domain, or specify an existing domain
  to change its status (whether it is the default domain).

Default Domain
  Specify whether to use the ISP domain as the default domain. Options include:
  • Enable—Uses the domain as the default domain.
  • Disable—Uses the domain as a non-default domain.
  There can be only one default domain at a time. If you specify a second domain as
  the default domain, the original default domain becomes a non-default domain.

Configuring authentication methods for the ISP domain

1. From the navigation tree, select Authentication > AAA.
2. Click the Authentication tab to enter the authentication method configuration page.
Figure 562 Authentication method configuration page

3. Configure authentication methods for different types of users in the domain, as described in Table
167.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.
Table 167 Configuration items

Select an ISP domain
  Select the ISP domain for which you want to specify authentication methods.

Default AuthN
Name
Secondary Method
  Configure the default authentication method and secondary authentication method for all
  types of users.
  Options include:
  • HWTACACS—HWTACACS authentication. You must specify the HWTACACS scheme
    to be used.
  • Local—Local authentication.
  • None—No authentication. This method trusts all users and is not for general use.
  • RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used.
  • Not Set—The device uses the default authentication setting, which is local
    authentication.
  IMPORTANT:
  Use the default authentication method if the AC performs authentication on the connecting
  APs.

LAN-access AuthN
Name
Secondary Method
  Configure the authentication method and secondary authentication method for LAN
  users.
  Options include:
  • Local—Local authentication.
  • None—No authentication. This method trusts all users and is not for general use.
  • RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used.
  • Not Set—The device uses the settings in the Default AuthN area for LAN users.

Login AuthN
Name
Secondary Method
  Configure the authentication method and secondary authentication method for login
  users.
  Options include:
  • HWTACACS—HWTACACS authentication. You must specify the HWTACACS scheme
    to be used.
  • Local—Local authentication.
  • None—No authentication. This method trusts all users and is not for general use.
  • RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used.
  • Not Set—The device uses the settings in the Default AuthN area for login users.

PPP AuthN
Name
Secondary Method
  Configure the authentication method and secondary authentication method for PPP users.
  Options include:
  • HWTACACS—HWTACACS authentication. You must specify the HWTACACS scheme
    to be used.
  • Local—Local authentication.
  • None—No authentication. This method trusts all users and is not for general use.
  • RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used.
  • Not Set—The device uses the settings in the Default AuthN area for PPP users.

Portal AuthN
Name
Secondary Method
  Configure the authentication method and secondary authentication method for portal
  users.
  Options include:
  • Local—Local authentication.
  • None—No authentication. This method trusts all users and is not for general use.
  • RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used.
  • Not Set—The device uses the settings in the Default AuthN area for portal users.
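The following Python script is an added example, not HP code, that models two decisions described in this chapter: which ISP domain the NAS selects for a user (the domain bound to the portal interface in Table 160 first, then the domain carried in the username, then the default domain) and which authentication method then applies under the Not Set fallback rules of Table 167, including the Username Format of the RADIUS scheme from the configuration example. The class and function names, the treatment of the last "@" as the domain separator, the reporting of an unconfigured domain, and the sample domain guest are this example's assumptions; domain test and scheme system mirror the chapter's portal configuration example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example, not device code. Class and function names are this example's own.

DEFAULT_DOMAIN = "system"          # the built-in default ISP domain named on the page

@dataclass(frozen=True)
class MethodSetting:
    method: str = "not-set"        # local | none | radius | hwtacacs | not-set
    scheme: Optional[str] = None   # RADIUS/HWTACACS scheme name when the method needs one
    secondary: Optional[str] = None

@dataclass
class IspDomain:
    name: str
    default_authn: MethodSetting = field(default_factory=MethodSetting)
    authn: Dict[str, MethodSetting] = field(default_factory=dict)  # "lan-access"|"login"|"ppp"|"portal"

def split_username(username: str):
    """'user@domain' -> ('user', 'domain'). Assumption: the last '@' is the separator."""
    if "@" not in username:
        return username, None
    user, _, domain = username.rpartition("@")
    return user, domain

def select_domain_name(username: str, interface_domain: Optional[str] = None,
                       default_domain: str = DEFAULT_DOMAIN) -> str:
    """A domain bound to the portal interface (Table 160) wins and the name carried in the
    username is ignored; otherwise the carried domain; otherwise the default domain."""
    if interface_domain is not None:
        return interface_domain
    carried = split_username(username)[1]
    return carried if carried is not None else default_domain

def resolve_authn(domain: IspDomain, user_type: str) -> MethodSetting:
    """Table 167: a per-type Not Set falls back to the Default AuthN area, and a Default
    AuthN of Not Set means local authentication."""
    setting = domain.authn.get(user_type, MethodSetting())
    if setting.method == "not-set":
        setting = domain.default_authn
    return MethodSetting("local") if setting.method == "not-set" else setting

def radius_username(username: str, with_domain: bool) -> str:
    """Username Format of the RADIUS scheme: 'With domain name' or 'Without domain name'."""
    return username if with_domain else split_username(username)[0]

def plan_authentication(username: str, user_type: str, domains: Dict[str, IspDomain],
                        radius_formats: Dict[str, bool], interface_domain: Optional[str] = None,
                        default_domain: str = DEFAULT_DOMAIN) -> dict:
    """What the NAS would do for one user: the domain, method, scheme and username it sends."""
    name = select_domain_name(username, interface_domain, default_domain)
    domain = domains.get(name)
    if domain is None:
        # The page does not define the behaviour for an unconfigured domain; just report it.
        return {"domain": name, "error": "ISP domain not configured"}
    setting = resolve_authn(domain, user_type)
    sent = username
    if setting.method == "radius":
        sent = radius_username(username, radius_formats[setting.scheme])
    return {"domain": name, "method": setting.method, "scheme": setting.scheme,
            "secondary": setting.secondary, "username_sent": sent}

# Constructed sample configuration. Domain test mirrors the page's example (RADIUS scheme
# system with Username Format "Without domain name"); domain guest is invented for contrast.
RADIUS_FORMATS = {"system": False}                    # scheme name -> sends the domain name?
DOMAINS = {
    "system": IspDomain("system"),                    # built-in default; everything Not Set
    "test": IspDomain("test", default_authn=MethodSetting("radius", "system")),
    "guest": IspDomain("guest", authn={
        "portal": MethodSetting("none"),
        "login": MethodSetting("hwtacacs", "tac1", secondary="local"),
    }),
}
```

Two results are worth checking against a real configuration: a portal interface bound to domain test sends a user who typed alice@guest to the RADIUS server as alice in domain test, because the carried domain name is ignored; and a user type left at Not Set in a domain whose Default AuthN is also Not Set is authenticated locally, which on a freshly created domain is easy to overlook.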

Configuring authorization methods for the ISP domain
1. From the navigation tree, select Authentication > AAA.
2. Click the Authorization tab to enter the authorization method configuration page.
Figure 563 Authorization method configuration page

3. Configure authorization methods for different types of users in the domain, as described in Table
168.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.
Table 168 Configuration items

Item: Select an ISP domain
Description: Select the ISP domain for which you want to specify authorization methods.

Item: Default AuthZ Name / Secondary Method
Description: Configure the default authorization method and secondary authorization method for all types of users. Options include:
• HWTACACS—HWTACACS authorization. You must specify the HWTACACS scheme to be used.
• Local—Local authorization.
• None—This method trusts all users and assigns default rights to them.
• RADIUS—RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the default authorization setting, which is local authorization.

Item: LAN-access AuthZ Name / Secondary Method
Description: Configure the authorization method and secondary authorization method for LAN users. Options include:
• Local—Local authorization.
• None—This method trusts all users and assigns default rights to them.
• RADIUS—RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default AuthZ area for LAN users.

Item: Login AuthZ Name / Secondary Method
Description: Configure the authorization method and secondary authorization method for login users. Options include:
• HWTACACS—HWTACACS authorization. You must specify the HWTACACS scheme to be used.
• Local—Local authorization.
• None—This method trusts all users and assigns default rights to them.
• RADIUS—RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default AuthZ area for login users.

Item: PPP AuthZ Name / Secondary Method
Description: Configure the authorization method and secondary authorization method for PPP users. Options include:
• HWTACACS—HWTACACS authorization. You must specify the HWTACACS scheme to be used.
• Local—Local authorization.
• None—This method trusts all users and assigns default rights to them.
• RADIUS—RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default AuthZ area for PPP users.

Item: Portal AuthZ Name / Secondary Method
Description: Configure the authorization method and secondary authorization method for portal users. Options include:
• Local—Local authorization.
• None—This method trusts all users and assigns default rights to them.
• RADIUS—RADIUS authorization. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default AuthZ area for portal users.

Item: Command AuthZ Name
Description: Configure the command authorization method. Options include:
• HWTACACS—HWTACACS authorization. You must specify the HWTACACS scheme to be used.
• Not Set—The device uses the settings in the Default AuthZ area for command users.

Configuring accounting methods for the ISP domain

1. From the navigation tree, select Authentication > AAA.
2. Click the Accounting tab to enter the accounting method configuration page.
Figure 564 Accounting method configuration page

3. Configure accounting methods for different types of users in the domain, as described in Table 169.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.
Table 169 Configuration items

Item: Select an ISP domain
Description: Select the ISP domain for which you want to specify accounting methods.

Item: Accounting Optional
Description: Specify whether to enable the accounting optional feature.
With the feature enabled, a user that would otherwise be disconnected can still use network resources when no accounting server is available or communication with the current accounting server fails.
If accounting for such a user fails, the device no longer sends real-time accounting updates for the user.

Item: Default Accounting Name / Secondary Method
Description: Configure the default accounting method and secondary accounting method for all types of users. Options include:
• HWTACACS—HWTACACS accounting. You must specify the HWTACACS scheme to be used.
• Local—Local accounting.
• None—No accounting.
• RADIUS—RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the default accounting setting, which is local accounting.

Item: LAN-access Accounting Name / Secondary Method
Description: Configure the accounting method and secondary accounting method for LAN users. Options include:
• Local—Local accounting.
• None—No accounting.
• RADIUS—RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default Accounting area for LAN users.

Item: Login Accounting Name / Secondary Method
Description: Configure the accounting method and secondary accounting method for login users. Options include:
• HWTACACS—HWTACACS accounting. You must specify the HWTACACS scheme to be used.
• Local—Local accounting.
• None—No accounting.
• RADIUS—RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default Accounting area for login users.

Item: PPP Accounting Name / Secondary Method
Description: Configure the accounting method and secondary accounting method for PPP users. Options include:
• HWTACACS—HWTACACS accounting. You must specify the HWTACACS scheme to be used.
• Local—Local accounting.
• None—No accounting.
• RADIUS—RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default Accounting area for PPP users.

Item: Portal Accounting Name / Secondary Method
Description: Configure the accounting method and secondary accounting method for portal users. Options include:
• Local—Local accounting.
• None—No accounting.
• RADIUS—RADIUS accounting. You must specify the RADIUS scheme to be used.
• Not Set—The device uses the settings in the Default Accounting area for portal users.

AAA configuration example


Network requirements
As shown in Figure 565, configure the AC to perform local authentication, authorization, and accounting
for Telnet users.
Figure 565 Network diagram

Configuration procedure
1. Configure a local user:
a. From the navigation tree, select Authentication > Users.
The local user management page appears.

b. Click Add.
c. Enter telnet as the username.
d. Enter abcd as the password.
e. Enter abcd again to confirm the password.
f. Select Reversible as the password encryption method.
g. Select Common User as the user type.
h. Select Configure as the level.
i. Select Telnet as the service type.
j. Click Apply.
Figure 566 Configuring the local user

2. Configure ISP domain test:


a. From the navigation tree, select Authentication > AAA.
The Domain Setup page appears, as shown in Figure 567.
b. Enter test as the domain name.
c. Click Apply.

Figure 567 Configuring ISP domain test

3. Configure the ISP domain to use local authentication for login users:
a. From the navigation tree, select Authentication > AAA.
b. Click the Authentication tab.
c. Select the domain test.
d. Select the Login AuthN option, and then select the authentication method Local.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.

Figure 568 Configuring the ISP domain to use local authentication for login users

4. Configure the ISP domain to use local authorization for login users:
a. From the navigation tree, select Authentication > AAA.
b. Click the Authorization tab.
c. Select the domain test.
d. Select the Login AuthZ option, and then select the authorization method Local.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 569 Configuring the ISP domain to use local authorization for login users

5. At the CLI, enable the Telnet service and configure the AC to use AAA for Telnet users.
<AC> system-view
[AC] telnet server enable
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit

Verifying the configuration
Telnet to the AC and enter the username telnet@test and password abcd. You are served as a user in domain test.

Configuring RADIUS

The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication,
Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks
against unauthorized access, and is often used in network environments where both high security and
remote user access are required. RADIUS defines the packet format and message transfer mechanism,
and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access and has since been extended to support additional access methods, for example, Ethernet and ADSL.
RADIUS provides access authentication and authorization services. Its accounting function collects and
records network resource usage information.
For more information about AAA and RADIUS, see HP Unified Wired-WLAN Products Security
Configuration Guide.

Configuration guidelines
The status of RADIUS servers (blocked or active) determines which servers the device communicates with, or turns to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the device chooses servers based on these rules:
• When the primary server is in active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the device changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires or an authentication response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the current authentication process. If no server is found reachable during one search process, the device considers the authentication attempt a failure.
• If you remove an authentication server in use, the communication of the device with the server soon times out, and the device looks for a server in active state from scratch: it checks the primary server (if any) first and then the secondary servers in the order they are configured.
• When the primary server and all secondary servers are in blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.
• If one server is in active state but all the others are in blocked state, the device only tries to communicate with the server in active state, even if the server is unavailable.
• After receiving an authentication response from a server, the device changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.
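The server selection rules above, together with the Quiet Time setting of a RADIUS scheme (quiet time 0 leaves an unreachable server in active state), as an added Python simulation that is not HP code. The server addresses, reachability flags and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RadiusServer:
    address: str
    primary: bool = False
    reachable: bool = True       # constructed: whether the server answers at all
    blocked_until: float = 0.0   # quiet-timer expiry; the server is active while <= now

    def is_active(self, now: float) -> bool:
        return self.blocked_until <= now


@dataclass
class RadiusScheme:
    servers: List[RadiusServer]   # configuration order decides secondary priority
    quiet_time: float = 300.0     # seconds; 0 means never mark a server blocked

    def _by_priority(self) -> List[RadiusServer]:
        # Primary server first, then secondary servers in configuration order.
        return ([s for s in self.servers if s.primary] +
                [s for s in self.servers if not s.primary])

    def select(self, now: float) -> Optional[RadiusServer]:
        """Run one search for an available server.

        Returns the server that answered, or None when the search fails,
        in which case the device treats the authentication attempt as failed."""
        ordered = self._by_priority()
        active = [s for s in ordered if s.is_active(now)]
        if not active:
            # All servers blocked: the device talks to the primary server only;
            # if it answers, its status becomes active again.
            primary = next((s for s in ordered if s.primary), None)
            if primary is not None and primary.reachable:
                primary.blocked_until = 0.0
                return primary
            return None
        # The list of active servers is taken once per search: a server whose
        # quiet timer expires during the search is not rechecked in it.
        for server in active:
            if server.reachable:
                return server
            if self.quiet_time > 0:
                # Unreachable: mark it blocked and start its quiet timer.
                server.blocked_until = now + self.quiet_time
            # With quiet_time == 0 the status is left unchanged and the next
            # active server is tried; the same server is tried again next time.
        return None

    def on_response(self, address: str) -> None:
        """A response from a blocked server (identified by its source IP)
        moves that server back to active."""
        for server in self.servers:
            if server.address == address:
                server.blocked_until = 0.0


def demo() -> List[Optional[str]]:
    """Constructed scenario: primary 10.1.1.1 is down, both secondaries answer."""
    scheme = RadiusScheme([
        RadiusServer("10.1.1.1", primary=True, reachable=False),
        RadiusServer("10.1.1.2"),
        RadiusServer("10.1.1.3"),
    ], quiet_time=300.0)
    picks = []
    # At t=0 the primary is tried and blocked; at t=10 it is skipped while
    # its quiet timer runs; at t=301 the timer has expired and it is retried.
    for now in (0.0, 10.0, 301.0):
        chosen = scheme.select(now)
        picks.append(chosen.address if chosen else None)
    return picks


if __name__ == "__main__":
    print(demo())
```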

Configuring a RADIUS scheme
A RADIUS scheme defines a set of parameters that the device uses to exchange information with the
RADIUS servers. There might be authentication servers and accounting servers, or primary servers and
secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and
the RADIUS server type. By default, no RADIUS scheme exists.
To configure a RADIUS scheme:
1. From the navigation tree, select Authentication > RADIUS.
Figure 570 RADIUS scheme list

2. Click Add.
Figure 571 RADIUS scheme configuration page

3. Enter a scheme name.


4. Select a server type and a username format.

Table 170 Configuration items

Item: Server Type
Description: Select the type of the RADIUS servers supported by the device:
• Standard—Standard RADIUS servers. The RADIUS client and server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
• Extended—Extended RADIUS servers, usually running on IMC. The RADIUS client and server communicate by using the proprietary RADIUS protocol and packet format.

Item: Username Format
Description: Select the format of usernames to be sent to the RADIUS server.
Typically, a username is in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server does not accept a username that contains an ISP domain name, configure the device to remove the domain name from a username before sending it to the RADIUS server.
• Original format—Configure the device to send the username of a user on an "as is" basis.
• With domain name—Configure the device to include the domain name in a username.
• Without domain name—Configure the device to remove the domain name from a username.

5. In the Common Configuration area, expand the Advanced area.

Figure 572 Advanced configuration area

6. Configure the advanced parameters.

Table 171 Configuration items

Item: Authentication Key / Confirm Authentication Key / Accounting Key / Confirm Accounting Key
Description: Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets.
The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets. They verify the validity of packets through the specified shared key. The client and the server can receive and respond to packets from each other only when they use the same shared key.
IMPORTANT:
• The shared keys configured on the device must be consistent with those configured on the RADIUS servers.
• The shared keys configured in the Common Configuration area are used only when no corresponding shared keys are configured in the RADIUS server configuration area.

Item: Quiet Time
Description: Set the time the device keeps an unreachable RADIUS server in blocked state.
If you set the quiet time to 0, when the device needs to send an authentication or accounting request but finds that the current server is unreachable, it does not change the server status that it maintains. It simply sends the request to the next server in active state. As a result, when the device needs to send a request of the same type for another user, it still tries to send the request to the server because the server is in active state.
You can use this parameter to control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable only because the device's port for connecting to the server is temporarily out of service or the server is busy, you can set the time to 0 so that the device uses the primary server as much as possible.

Item: Server Response Timeout Time / Request Transmission Attempts
Description: Set the RADIUS server response timeout time and the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure.
IMPORTANT:
The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75.

Item: Realtime Accounting Interval
Description: Set the interval for sending real-time accounting information. The interval must be a multiple of 3.
To implement real-time accounting, the device must periodically send real-time accounting packets to the accounting server for online users. Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when 1000 or more users exist. For information about the recommended real-time accounting intervals, see "Configuration guidelines."

Item: Realtime Accounting Attempts
Description: Set the maximum number of attempts for sending a real-time accounting request.

Item: Unit for Data Flows
Description: Specify the unit for data flows sent to the RADIUS server:
• Byte.
• Kilo-byte.
• Mega-byte.
• Giga-byte.
The traffic measurement units on the device must be the same as the units configured on the RADIUS servers.

Item: Unit for Packets
Description: Specify the unit for data packets sent to the RADIUS server:
• One-packet.
• Kilo-packet.
• Mega-packet.
• Giga-packet.
The traffic measurement units on the device must be the same as the units configured on the RADIUS servers.

Item: Enable EAP offload
Description: Enable or disable the EAP offload function.
RADIUS servers that do not support EAP authentication cannot process EAP packets. To cooperate with these servers, the device must process the EAP packets it receives from EAP clients before forwarding them to the servers. After receiving an EAP packet from an EAP client, the device operates as a local EAP authentication server to interact with the client, encapsulates the authentication information of the client into the RADIUS MS-CHAPv2 attribute, and sends the attribute in a RADIUS authentication request to the RADIUS server. When the RADIUS server receives the request, it resolves the authentication information in the request, performs authentication, and then encapsulates and sends the authentication result in a RADIUS packet to the local EAP authentication server.

Item: Security Policy Server
Description: Specify the IP address of the security policy server.

Item: RADIUS Packet Source IP
Description: Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server.
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet.
The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the NAS that communicates with the RADIUS server. However, in some situations, you must change the source IP address. For example, if the NAS is configured with VRRP for stateful failover, the source IP address of outgoing RADIUS packets can be the virtual IP address of the uplink VRRP group.
IMPORTANT:
• If you do not specify this parameter, the IP address of the outbound interface is used.
• Make sure this source address has the same IP version as the RADIUS server address specified in the scheme. Otherwise, the configuration does not take effect.

Item: RADIUS Packet Backup Source IP
Description: Specify the backup source IP address for the device to use in RADIUS packets sent to the RADIUS server.
In a stateful failover environment, the backup source IP address must be the source IP address that the remote device uses in RADIUS packets sent to the RADIUS server.
Configuring the backup source IP address in a stateful failover environment makes sure that the backup device can receive the RADIUS packets sent from the RADIUS server when the master device fails.

Item: Buffer stop-accounting packets
Description: Enable or disable buffering of stop-accounting requests for which no responses are received.

Item: Stop-Accounting Attempts
Description: Set the maximum number of stop-accounting attempts.
How the NAS retries stop-accounting for a user depends on the maximum number of stop-accounting attempts and related parameters. For example, suppose the RADIUS server response timeout period is 3 seconds, the maximum number of transmission attempts is five, and the maximum number of stop-accounting attempts is 20. For each stop-accounting request, if the device receives no response within 3 seconds, it retransmits the request. If it receives no response after retransmitting the request five times, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. If 20 consecutive attempts fail, the device discards the request.

Item: Send accounting-on packets
Description: Enable or disable the accounting-on feature.
The accounting-on feature enables a device to send accounting-on packets to RADIUS servers after it reboots, so that the servers forcibly log out users who logged in through the device before the reboot.
IMPORTANT:
When enabling the accounting-on feature on a device for the first time, you must save the configuration so that the feature takes effect after the device reboots.

Item: Accounting-On Interval
Description: Set the interval for sending accounting-on packets. This field is configurable only when the Send accounting-on packets option is selected.

Item: Accounting-On Attempts
Description: Set the maximum number of accounting-on packet transmission attempts. This field is configurable only when the Send accounting-on packets option is selected.

Item: Attribute Interpretation
Description: Enable or disable interpretation of the RADIUS Class attribute as CAR parameters.

7. In the RADIUS Server Configuration area, click Add.


Figure 573 RADIUS server configuration page

8. Configure a RADIUS server for the RADIUS scheme.


Table 172 Configuration items

Item: Server Type
Description: Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.

Item: IP Address
Description: Specify the IPv4 or IPv6 address of the RADIUS server.
You cannot specify the same server to serve as both the primary and the secondary authentication server in the scheme. The same rule applies to the primary and secondary accounting servers.
Make sure all RADIUS server addresses in the scheme use the same IP version.

Item: Port
Description: Specify the UDP port of the RADIUS server.

Item: Key / Confirm Key
Description: Specify the shared key for communication with the RADIUS server. If no shared key is specified here, the shared key specified in the Common Configuration area is used.

9. Click Apply to add the server to the RADIUS scheme.


10. Repeat step 7 through step 9 to add more RADIUS servers to the RADIUS scheme.
11. On the RADIUS scheme configuration page, click Apply.
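The shared-key checks described under Authentication Key in Table 171 and the Username Format options of Table 170, as an added Python implementation of the RFC 2865 packet rules (not HP code). The key expert, the user hello@bbb and the fixed Request Authenticator are constructed test values, and the with-domain behaviour for a bare user ID is an assumption.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def format_username(username: str, fmt: str, isp_domain: str) -> str:
    """Apply the Username Format option of a RADIUS scheme (Table 170)."""
    userid, at, _domain = username.rpartition("@")
    if fmt == "original":
        return username
    if fmt == "without-domain":
        return userid if at else username
    if fmt == "with-domain":
        # Assumption: a bare user ID is qualified with the user's ISP domain.
        return username if at else f"{username}@{isp_domain}"
    raise ValueError(f"unknown username format: {fmt}")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-octet blocks and
    XOR each block with MD5(secret + previous block), chained from the Request
    Authenticator. Only a peer holding the same shared key can undo it."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side reversal of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body: bytes) -> Dict[int, bytes]:
    """Parse the attribute list; a bad Length octet raises instead of over-reading."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return attrs


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """NAS side: Access-Request carrying a fresh 16-octet Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_auth + body, request_auth


def build_response(code: int, identifier: int, request_auth: bytes,
                   attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with the configured key.
    A key mismatch between NAS and server (the IMPORTANT note in Table 171)
    yields False, and the NAS discards the packet rather than admit the user."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # Constructed exchange: the NAS strips the domain and sends hello with key "expert".
    key = b"expert"
    name = format_username("hello@bbb", "without-domain", "bbb")
    req, ra = build_access_request(1, name, "abc", key)
    got = parse_attrs(req[20:])
    ok = unhide_password(got[ATTR_USER_PASSWORD], key, ra) == b"abc"
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, req[1], ra, [], key)
    print("accepted" if verify_response(reply, ra, key) and reply[0] == ACCESS_ACCEPT else "rejected")
```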

RADIUS configuration example
Network requirements
As shown in Figure 574, a RADIUS server running on IMC uses UDP port 1812 to provide authentication
and authorization service.
Configure the AC to do the following:
• Use the RADIUS server for Telnet user authentication and authorization.
• Remove domain names from the usernames sent to the server.
On the RADIUS server, configure a Telnet user account with the username hello@bbb and the password
abc, and set the EXEC privilege level to 3 for the user.
Set the shared keys for packet exchange between the AC and the RADIUS server to expert.
Figure 574 Network diagram

Configuration procedure
1. Configure RADIUS scheme system:
a. From the navigation tree, select Authentication > RADIUS.
b. Click Add.
c. Enter the scheme name system, select the server type Extended, and select the username format
Without domain name.
d. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration
page.
e. Select the server type Primary Authentication, enter 10.1.1.1 as the IP address of the primary
authentication server, 1812 as the port number, and expert as the key, and click Apply to add
the primary authentication server to the scheme.
Figure 575 RADIUS authentication server configuration page

The RADIUS scheme configuration page refreshes and the added server appears in the server
list, as shown in Figure 576.
f. Click Apply.
Figure 576 RADIUS scheme configuration

2. Create an ISP domain named bbb:


a. From the navigation tree, select Authentication > AAA.
The domain setup page appears.
b. Enter bbb in the Domain Name field.
c. Click Apply.

Figure 577 Creating an ISP domain

3. Configure an authentication method for the ISP domain:


a. Click the Authentication tab.
b. Select the domain name bbb.
c. Select the Default AuthN option, and then select the authentication mode RADIUS.
d. From the Name list, select the RADIUS scheme system to use it as the authentication scheme.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.

Figure 578 Configuring an authentication method for the ISP domain

4. Configure an authorization method for the ISP domain:


a. Click the Authorization tab.
b. Select the domain name bbb.
c. Select the Default AuthZ option, and then select the authorization mode RADIUS.
d. From the Name list, select the RADIUS scheme system to use it as the authorization scheme.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 579 Configuring an authorization method for the ISP domain

5. Enable the Telnet service:


a. From the navigation tree, select Network > Service.
b. Select Enable Telnet service.
c. Click Apply.

Figure 580 Enabling the Telnet service

6. At the CLI, configure the VTY user interfaces to use AAA for user access control.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit

Verifying the configuration


Telnet to the AC and enter the username hello@bbb and password abc. You can log in and access
commands of level 0 through level 3.

Configuring the local EAP service

In some simple application environments, you may want to use a NAS to authenticate users locally instead of deploying AAA servers for user authentication. When the Extensible Authentication Protocol (EAP) is used for user authentication, configure the local EAP authentication server to cooperate with the local authentication method of AAA for local EAP authentication. For more information about AAA, see "Configuring AAA."

Configuration procedure
1. From the navigation tree, select Authentication > Local EAP Server.
The local EAP service configuration page appears.
Figure 581 Local EAP service configuration page

2. Configure the local EAP service as described in Table 173.


3. Click Apply.
Table 173 Configuration items

Item: Status
Description: Enable or disable the EAP server. If the EAP server is enabled, the EAP authentication method and PKI domain configurations are required.

Item: Method
Description: Specify the EAP authentication methods:
• MD5—Uses Message Digest 5 (MD5) for authentication.
• TLS—Uses the Transport Layer Security (TLS) protocol for authentication.
• PEAP-MSCHAPV2—Uses the Protected Extensible Authentication Protocol (PEAP) for authentication and uses the Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) for authentication in the established TLS tunnel.
• PEAP-GTC—Uses the Protected Extensible Authentication Protocol (PEAP) for authentication and uses the Microsoft Generic Token Card (GTC) for authentication in the established TLS tunnel.
• TTLS—Uses the Tunneled Transport Layer Security (TTLS) protocol for authentication.
When an EAP client and the local server communicate for EAP authentication, they first negotiate the EAP authentication method to be used. During negotiation, the local server prefers the authentication method with the highest priority in the EAP authentication method list. If the client supports the authentication method, the negotiation succeeds and they proceed with the authentication process. Otherwise, the local server tries the method with the next highest priority until a supported one is found. If the client supports none of the authentication methods, the local server sends an EAP-Failure packet to the client to notify it of the authentication failure.
IMPORTANT:
• You can select more than one authentication method. An authentication method selected earlier has a higher priority.
• PEAP-MSCHAPv2 and PEAP-GTC methods are mutually exclusive.

Item: PKI domain
Description: Specify the PKI domain for EAP authentication.
The available PKI domains are those configured on the page you enter by selecting Authentication > Certificate Management. For more information, see "Managing certificates."
IMPORTANT:
The service management, local portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the PKI domain referenced in the other two modules.

Local EAP service configuration example


Network requirements
As shown in Figure 582, configure the AC to perform local EAP authentication and authorization for
802.1X users by using the authentication method EAP-TLS.
Figure 582 Network diagram

Configuration guidelines
To implement local EAP authentication and authorization for 802.1X users, make sure port security is
enabled and 802.1X authentication uses the EAP authentication mode.

To use the authentication method of EAP-TLS, configure the network properties of the connection and the
client certificate correctly on the client.
For information about configuring PKI domain test, requesting a local certificate, and retrieving a CA
certificate, see "Managing certificates."

Configuration procedure
1. Configure local user usera:
a. From the navigation tree, select Authentication > Users.
b. Click Add.
c. Enter the username usera and password 1234, and select the service type LAN-access.
d. Click Apply.
Figure 583 Local user configuration page

2. Configure the default ISP domain named system to use local authentication and local
authorization.
The ISP domain system uses local authentication and local authorization by default. For the
configuration procedure, see "Configuring AAA."
3. Enable the EAP server, configure the authentication method as TLS, and the PKI domain as test:
a. From the navigation tree, select Authentication > Local EAP Server.
b. Select Enabled for Status.
c. Select TLS from the Available methods list and click << to add TLS to the Selected methods list.
d. Select test from the PKI domain list.
e. Click Apply.

Figure 584 Configuring a local EAP server

4. Configure the AP:


a. From the navigation tree, select AP > AP Setup.
b. Click Add.
c. Enter the AP name ap1.
d. Select the device model MSM460-WW.
e. Select Manual and enter the serial number in the field below the list.
f. Click Apply.
Figure 585 Configuring the AP

5. Create the wireless service:


a. From the navigation tree, select Wireless Service > Access Service.
b. Click Add.
c. Enter the wireless service name 802.1x-auth.
d. Select the service type crypto.
e. Click Apply.
The wireless service configuration page appears.

Figure 586 Creating a wireless service

6. Configure the wireless service:


a. Expand the Security Setup area.
b. Select the authentication type Open-System.
c. Select the Cipher Suite option, and then select a cipher suite from the list as needed. This
example uses AES and TKIP.
d. Select WPA and WPA2 as the security IE.
e. Expand the Port Security area.
f. Select the Port Set option, and then select the port mode userlogin-secure-ext.
g. Select the Mandatory Domain option, and then select system from the list.
h. Select the authentication method EAP.
i. Disable the handshake, multicast trigger, and stateful failover functions.
j. Click Apply.
A configuration progress dialog box appears.
k. Click OK in the confirmation dialog box to enable the EAP service.
l. After the configuration process is complete, click Close.

Figure 587 Wireless service configuration page

7. Enable the wireless service:


a. On the access service list page, select the wireless service named 802.1x-auth.
b. Click Enable.
A progress dialog box appears.
c. After the configuration process is complete, click Close.
Figure 588 Enabling the wireless service

8. Bind the AP's radio mode with the wireless service:
a. In the wireless service list, click the icon for wireless service 802.1x-auth.
b. Select the AP named ap1 with the radio mode 802.11n(2.4GHz).
c. Click Bind.
A progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 589 Binding the radio mode with the wireless service

9. Enable 802.11n (2.4GHz):


a. From the navigation tree, select Radio > Radio.
b. Select the AP named ap1 with the radio mode 802.11n(2.4GHz).
c. Click Enable.
Figure 590 Enabling 802.11n(2.4GHz)

Verifying the configuration
When a client passes EAP authentication to access the wireless network, you can successfully ping the
client from the AC.

Configuring users

Overview
This module allows you to configure local users, user groups, guests, and user profiles.

Local user
A local user represents a set of user attributes configured on a device (such as the user password, user
type, service type, and authorization attribute). It is uniquely identified by the username. For a user
requesting a network service to pass local authentication, you must add an entry as required in the local
user database of the device. For more information about local authentication, see "Configuring AAA."

User group
A user group consists of a group of local users and has a set of local user attributes. You can configure
local user attributes for a user group to implement centralized management of user attributes for the local
users in the group. All local users in a user group inherit the user attributes of the group, but if you
configure user attributes for a local user, the settings of the local user take precedence over the settings
for the user group.
By default, every newly added local user belongs to a user group named system, which is automatically
created by the system.

Guest
A guest is a local user for specific applications. You can create a guest account for portal and LAN users
to temporarily access the network.

User profile
A user profile is a configuration template for saving predefined configurations. You can configure
different items such as Quality of Service (QoS) policy, rate limit, wireless service, and AP group for
different user profiles to accommodate different application scenarios.
During the authentication process for a user, the authentication server sends the user profile name to the
device, which then enables the configurations in the user profile. After the user passes the authentication
and accesses the device, the device restricts the user's access based on the configurations in the user
profile. When the user logs out, the device automatically disables the configurations in the user profile,
removing the restrictions on the user as a result. As the mechanism indicates, user profiles are for
restricting online users' access. If no user is online (no user is accessing the network, no user has passed
authentication, or all users have logged out), user profiles do not take effect.
With user profiles, you can:
• Make use of system resources more granularly. For example, you can apply a QoS policy on a
per-user basis.
• Restrict users' access rate more flexibly. For example, you can deploy traffic policing on a per-user
basis by defining a rate limit in user profiles.
• Restrict users' access more specifically. For example, you can deploy user access control on a
per-wireless service basis by defining an SSID in user profiles. Or you can deploy user access
control on a per-AP basis by defining APs in the user profiles.

Configuring a local user
1. From the navigation tree, select Authentication > Users.
The local user management page appears, displaying information about all local users including
common users, guest administrator, and guests.

NOTE:
On the Local User tab, you can modify a guest user, but the user type changes to another one after
your modification.

Figure 591 Local user list

2. Click Add.
The local user configuration page appears. On this page, you can create a local user of any type
except guest.

Figure 592 Local user configuration page

3. Configure a local user as described in Table 174.


4. Click Apply.
Table 174 Configuration items

User-name: Specify a name for the local user.

Password, Confirm: Enter and confirm the password of the local user.
IMPORTANT:
Make sure the password does not include leading spaces, because they will be ignored.

Password Encryption: Select a password encryption method: Reversible or Irreversible.

Group: Select a user group for the local user.
For information about user group configuration, see "Configuring a user group."

User-Type: Specify the user type for the local user: Common User or Guest Admin.
A guest administrator manages guest accounts through the Authentication > User > Guest page.

Level: Select an authorization level for the local user: Visitor, Monitor, Configure, or Management, in ascending order of priority. A local user has the rights of the specified level and all levels lower than the specified level (if any).
• Visitor—A user of this level can perform ping and trace route operations but cannot read any data from the device or configure the device.
• Monitor—A user of this level can read data from the device but cannot configure the device.
• Configure—A user of this level can read data from the device and configure the device, but it cannot upgrade the device software, configure users, or back up or restore configuration files.
• Management—A user of this level can perform all operations.
IMPORTANT:
This option is effective only for Web, FTP, Telnet, and SSH users of the Common User type.

Service-Type: Select the service types for the local user to use: Web, FTP, Telnet, PPP, Portal, LAN-access (accessing through the Ethernet, such as 802.1X users), SSH, or Terminal.
IMPORTANT:
• If you do not specify any service type for a local user who uses local authentication, the user cannot pass authentication and cannot log in.
• Guest administrators can use the Web service.
• Guests can use portal and LAN access services.

Expire-time: Specify an expiration time for the local user.
When authenticating a local user with the expiration time configured, the access device checks whether the expiration time has elapsed. If not, the device permits the user to log in.

VLAN: Specify the VLAN to be authorized to the local user after the user passes authentication.
IMPORTANT:
This option is effective only on portal and LAN users of the Common User type.

ACL: Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication.
IMPORTANT:
This option is effective only on PPP, portal, and LAN users of the Common User type.

User-profile: Specify the user profile for the local user.
IMPORTANT:
This option is effective only on PPP, portal, and LAN users of the Common User type.

Configuring a user group


1. From the navigation tree, select Authentication > Users.
2. Click the User Group tab to display the existing user groups.

Figure 593 User group list

3. Click Add to enter the user group configuration page.


Figure 594 User group configuration page

4. Add a user group as described in Table 175.


5. Click Apply.
Table 175 Configuration items

Group-name: Specify a name for the user group.

Level: Select an authorization level for the user group: Visitor, Monitor, Configure, or Management, in ascending order of priority.

VLAN: Specify the VLAN to be authorized to a user in the user group after the user passes authentication.

ACL: Specify the ACL to be used by the access device to restrict the access of a user in the user group after the user passes authentication.

User-profile: Specify the user profile for the user group.

Allow Guest Accounts: Specify whether to allow a guest to join the user group.
IMPORTANT:
By default, the system provides a group named system for guest accounts. The group cannot be modified.

Configuring a guest
Two categories of administrators can configure guests: guest administrators and administrators of the
management level. A guest administrator manages guests through the Web interface. For information
about the user type and authorization level, see Table 174.

Configuring a guest by a management level administrator


1. From the navigation tree, select Authentication > Users.
2. Click the Guest tab to display the guest information.
Figure 595 Guest list

3. Click Add to enter the guest configuration page.

Figure 596 Guest configuration page

4. Configure a single guest or a batch of guests as described in Table 176.


5. Click Apply.
Table 176 Configuration items

Create Users in a Batch: Specify whether to create guests in a batch.

Username: Specify a name for the guest when users are not created in a batch.

User-name(prefix): Specify the username prefix and number for guests to be created in a batch.
For example, if you specify the username prefix as abc and number as 50, 50 guests will be created, with the usernames abc0 through abc49.

Password, Confirm: Enter and confirm the password of the guest.
IMPORTANT:
Leading spaces in the password are ignored.

Same as the Username: Select this option if you want to set the password the same as the guest account name instead of configuring a password in the Password and Confirm fields.

Password Encryption: Select a password encryption method: Reversible or Irreversible.

Group: Select a user group for the guest.
For information about user group configuration, see "Configuring a user group."

ValidTime: Specify a valid time range for the guest, including the start time and end time.
When authenticating a local user with the valid time configured, the access device checks whether the valid time has elapsed. If it has not, the device permits the user to log in.

Configuring a guest by a guest administrator
1. Log in to the AC as a guest administrator, and then select Authentication > User from the
navigation tree.
The guest management page appears.
Figure 597 Guest management page

2. Click Add to enter the guest configuration page.


Figure 598 Guest configuration page

3. Configure the guest as described in Table 176.


4. Click Apply.

NOTE:
The guest accounts are also displayed in the local user list. You can click the icon of a guest in the list
to edit the guest information and authorization attributes.

Configuring a user profile


Configuration guidelines
When you configure a user profile, use the following configuration guidelines:
• By default, a newly added user profile is disabled.
• A user profile takes effect and the authentication server notifies users of authentication results only
after the user profile is enabled. Therefore, if you do not enable the user profile, users using the user
profile will not be able to get online.
• Only enabled user profiles can be referenced by users. Disabling a user profile logs out all users
using the user profile.
• Enabled user profiles cannot be modified or removed. To modify or remove an enabled user profile,
you must disable it first.

Configuration procedure
1. From the navigation tree, select Authentication > Users.
2. Click the User Profile tab to display the existing user profiles.
Figure 599 User profile list

3. Click Add to enter the user profile name configuration page.

Figure 600 User profile name configuration item

4. Enter profile as the user profile name.


5. Click Apply.
The user profile configuration page appears.

Figure 601 User profile configuration page

6. Configure the profile as described in Table 177.

7. Click Apply.
8. From the page displaying the existing user profiles, select the user profile to be enabled.
9. Click Enable.
Table 177 Configuration items

Userprofile name: This field displays the user profile name.

Qos-out policy: Select a QoS policy in the outbound direction.

Qos-in policy: Select a QoS policy in the inbound direction.

limited-out rate: Specify the rate limit in the outbound direction.

limited-in rate: Specify the rate limit in the inbound direction.

Services permitted: Specify the wireless services permitted in the user profile:
Select services in the Services list and click << to add them to the Selected services list.
The available wireless services are those configured on the page you enter by selecting Wireless Service > Access Service. For more information, see "Configuring access services."

AP Group permitted: Specify the AP group permitted in the user profile:
Select the AP group in the AP group list and click << to add it to the Selected AP Group list.
The available APs are those you configured on the page you enter by selecting AP > AP Group. For more information, see "Configuring APs."
Managing certificates

Overview
The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security
through public key technologies. It is the most widely applied encryption mechanism currently. H3C's PKI
system provides certificate management for IP Security (IPsec), and Secure Sockets Layer (SSL).
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair
consists of a private key and a public key. The private key must be kept secret, but the public key needs
to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate
mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners,
helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Here are some application examples:
• VPN—A virtual private network (VPN) provides private data communication on public
communication infrastructure. For security and privacy purposes, it is typically protected by network
layer security protocols such as IPsec and employs PKI encryption and digital signature
technologies.
• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. The secure email protocol that is currently developing rapidly is
Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for
transfer of encrypted mails with signature.
• Web security—For Web security, two peers can establish a Secure Sockets Layer (SSL) connection
first for transparent and secure communications at the application layer. With PKI, SSL enables
encrypted communications between a browser and a server. Both the communication parties can
verify the identity of each other through digital certificates.
For more information about PKI, see HP Unified Wired-WLAN Products Security Configuration Guide.

Configuration guidelines
When you configure PKI, use the following guidelines:
• Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of
certificates will be abnormal.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not
respond to the certificate request.
• The SCEP plug-in is required when you use the Windows Server as the CA. In this case, you need
to specify RA as the authority for certificate request when you configure the PKI domain.

• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you
need to specify CA as the authority for certificate request when you configure the PKI domain.

Configuration procedures
The system supports the following PKI certificate request modes:
• Manual—In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and
submit a local certificate request for an entity.
• Auto—In auto mode, an entity automatically requests a certificate through the Simple Certification
Enrollment Protocol (SCEP) when it has no local certificate or the existing certificate is about to
expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.

Configuration procedure for manual request


1. Creating a PKI entity
Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA uniquely identifies a certificate applicant by entity DN.
The parameter settings of an entity DN, optional or required, must be compliant to the CA certificate issue policy. Otherwise, the certificate request might be rejected.

2. Creating a PKI domain
Required.
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

3. Generating an RSA key pair
Required.
Generate a local RSA key pair.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
IMPORTANT:
If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the consistency between the key pair and the local certificate.

4. Retrieving the CA certificate
Required.
Certificate retrieval serves the following purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
• Prepare for certificate verification.
IMPORTANT:
If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This will avoid possible mismatch between certificates and registration information resulting from relevant changes. To retrieve the CA certificate, you must remove the CA certificate and local certificate first.

5. Requesting a local certificate
Required.
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate.
A certificate request can be submitted to a CA in online mode or offline mode.
• In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
• In offline mode, you must retrieve the local certificate by an out-of-band means.
IMPORTANT:
If a local certificate already exists, you cannot perform the local certificate retrieval operation. This will avoid possible mismatch between the local certificate and registration information resulting from relevant changes. To retrieve a new local certificate, you must remove the CA certificate and local certificate first.

6. Destroying the RSA key pair
Optional.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved.
Destroying the existing RSA key pair also destroys the corresponding local certificate.

7. Retrieving and displaying a certificate
Required if you request a certificate in offline mode.
Retrieve an existing certificate and display its contents.
IMPORTANT:
• If you request a certificate in offline mode, you must retrieve the CA certificate and local certificate by an out-of-band means.
• Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

8. Retrieving and displaying a CRL
Optional.
Retrieve a CRL and display its contents.

Configuration procedure for automatic request
1. Creating a PKI entity
Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA uniquely identifies a certificate applicant by entity DN.
The parameter settings of an entity DN, optional or required, must be compliant to the CA certificate issue policy. Otherwise, the certificate request might be rejected.

2. Creating a PKI domain
Required.
Create a PKI domain, setting the certificate request mode to Auto.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

3. Destroying the RSA key pair
Optional.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved.
Destroying the existing RSA key pair also destroys the corresponding local certificate.

4. Retrieving and displaying a certificate
Optional.
Retrieve an existing certificate and display its contents.
IMPORTANT:
• Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
• If a CA certificate already exists, you cannot retrieve another CA certificate. This restriction avoids inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, remove the existing CA certificate and local certificate first.

5. Retrieving and displaying a CRL
Optional.
Retrieve a CRL and display its contents.


Creating a PKI entity


1. From the navigation tree, select Authentication > Certificate Management.
The PKI entity list page is displayed by default.

Figure 602 PKI entity list

2. Click Add to enter the PKI entity configuration page.


Figure 603 PKI entity configuration page

3. Configure the parameters as described in Table 178.


4. Click Apply.
Table 178 Configuration items

Entity Name: Enter the name for the PKI entity.

Common Name: Enter the common name for the entity.

IP Address: Enter the IP address of the entity.

FQDN: Enter the fully qualified domain name (FQDN) for the entity.
An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the host name and whatever.com the domain name.

Country/Region Code: Enter the country or region code for the entity.

State: Enter the state or province for the entity.

Locality: Enter the locality for the entity.

Organization: Enter the organization name for the entity.

Organization Unit: Enter the unit name for the entity.


Creating a PKI domain


1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Domain tab.
Figure 604 PKI domain list

3. Click Add to enter the PKI domain configuration page.


Figure 605 PKI domain configuration page

4. Configure the parameters as described in Table 179.
5. Click Apply.
Table 179 Configuration items

Domain Name: Enter the name for the PKI domain. By default, the device contains a PKI domain named local_domain.

CA Identifier: Enter the identifier of the trusted CA.
An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query.
In offline mode, this item is optional. In other modes, this item is required.

Entity Name: Select the local PKI entity.
When submitting a certificate request to a CA, an entity needs to show its identity information.
Available PKI entities are those that have been configured.

Institution: Select the authority for certificate request:
• CA—The entity requests a certificate from a CA.
• RA—The entity requests a certificate from an RA.
RA is recommended.

Requesting URL: Enter the URL of the RA.
The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority.
In offline mode, this item is optional. In other modes, this item is required.
IMPORTANT:
This item does not support domain name resolution.

LDAP IP, Port, Version: Enter the IP address, port number, and version of the LDAP server.
In a PKI system, the storage of certificates and CRLs is a crucial problem, which is usually addressed by deploying an LDAP server.

Request Mode: Select the online certificate request mode: Auto or Manual.

Password, Confirm Password: Enter and confirm the password for certificate revocation.
These parameters appear when the certificate request mode is set to Auto.

Fingerprint Hash, Fingerprint: Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
• If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a string of 32 characters in hexadecimal notation.
• If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The fingerprint must be a string of 40 characters in hexadecimal notation.
• If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will not verify the CA root certificate, and you yourself must make sure that the CA server is trusted.
IMPORTANT:
The fingerprint must be configured if you specify the certificate request mode as Auto. If you specify the certificate request mode as Manual, you can leave the fingerprint settings null. If you do not configure the fingerprint, the entity will not verify the CA root certificate and you yourself must make sure that the CA server is trusted.

Polling Count, Polling Interval: Set the polling interval and attempt limit for querying the certificate request status.
After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.

Enable CRL Checking: Select this option to enable CRL checking for certificate verification. By default, CRL checking is disabled in the default PKI domain local_domain.

CRL Update Period: Enter the interval at which the PKI entity downloads the latest CRLs for CRL checking.
By default, the CRL update period depends on the next update field in the CRL file.

CRL URL: Enter the URL of the CRL distribution point by an IP address or domain name for CRL checking.
When the URL of the CRL distribution point is not set, first obtain the CA certificate and a local certificate, and then obtain a CRL through SCEP.

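The root-certificate fingerprint check that the Fingerprint Hash and Fingerprint items describe, written out as an added example in Python. This is not code from the HP guide or from the device software: it accepts the fingerprint forms CA tools usually print (colon-separated, upper case), enforces the 32- and 40-character hexadecimal lengths the table requires for MD5 and SHA1, hashes the DER-encoded root certificate, and compares the result in constant time. The byte string ROOT_CERT_DER is a constructed stand-in rather than a real certificate, and all function names are the example's own.

```python
"""Pinned-fingerprint check for a CA root certificate (added example, not HP code)."""
import hashlib
import hmac

# Hash algorithms the PKI domain configuration offers for the fingerprint and the
# number of hexadecimal characters each one produces (32 for MD5, 40 for SHA1).
FINGERPRINT_HEX_LEN = {"md5": 32, "sha1": 40}

# Constructed stand-in for a DER-encoded root certificate. It is NOT a real
# certificate; any byte string serves to demonstrate the hashing and the check.
ROOT_CERT_DER = bytes.fromhex(
    "308201a23082010b020900abcdef0123456789300d06092a864886f70d01010b0500"
)


def normalize_fingerprint(fingerprint: str) -> str:
    """Reduce 'AB:CD:...' / upper-case / spaced forms to lower-case hex without separators."""
    return "".join(fingerprint.split()).replace(":", "").lower()


def validate_configured_fingerprint(algorithm: str, fingerprint: str) -> str:
    """Check that the operator-supplied fingerprint has the length and alphabet the
    selected hash requires, and return its normalized form."""
    algorithm = algorithm.lower()
    if algorithm not in FINGERPRINT_HEX_LEN:
        raise ValueError(f"unsupported fingerprint hash: {algorithm}")
    normalized = normalize_fingerprint(fingerprint)
    expected_len = FINGERPRINT_HEX_LEN[algorithm]
    if len(normalized) != expected_len:
        raise ValueError(
            f"{algorithm} fingerprint must be {expected_len} hexadecimal characters, "
            f"got {len(normalized)}"
        )
    try:
        int(normalized, 16)
    except ValueError:
        raise ValueError("fingerprint contains non-hexadecimal characters") from None
    return normalized


def certificate_fingerprint(cert_der: bytes, algorithm: str) -> str:
    """The fingerprint is the hash of the whole DER-encoded certificate, as lower-case hex."""
    algorithm = algorithm.lower()
    if algorithm not in FINGERPRINT_HEX_LEN:
        raise ValueError(f"unsupported fingerprint hash: {algorithm}")
    return hashlib.new(algorithm, cert_der).hexdigest()


def verify_root_certificate(cert_der: bytes, algorithm, configured_fingerprint) -> str:
    """Decide whether to accept a received CA root certificate.

    Returns "verified" when the computed fingerprint equals the pinned one,
    "rejected" when it does not, and "unverified" when no fingerprint hash is
    configured, which is the Manual-mode case in which the root certificate is
    accepted without any check and trust in the CA server rests on the operator.
    """
    if not algorithm or not configured_fingerprint:
        return "unverified"
    expected = validate_configured_fingerprint(algorithm, configured_fingerprint)
    actual = certificate_fingerprint(cert_der, algorithm)
    # Constant-time comparison avoids leaking how many leading characters matched.
    return "verified" if hmac.compare_digest(actual, expected) else "rejected"


if __name__ == "__main__":
    pinned = certificate_fingerprint(ROOT_CERT_DER, "sha1")
    tampered = pinned[:-1] + ("0" if pinned[-1] != "0" else "1")
    print("SHA1 fingerprint of the sample bytes:", pinned)
    print("matching fingerprint ->", verify_root_certificate(ROOT_CERT_DER, "sha1", pinned))
    print("tampered fingerprint ->", verify_root_certificate(ROOT_CERT_DER, "sha1", tampered))
    print("no fingerprint configured ->", verify_root_certificate(ROOT_CERT_DER, None, ""))
```

Of the two hashes the domain configuration offers, SHA1 is the stronger choice. The "unverified" outcome is the situation the IMPORTANT note above warns about, so an operator's tooling should record it as a distinct event rather than fold it into success.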
Generating an RSA key pair


1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.

Figure 606 Certificate configuration page

3. Click Create Key to enter the RSA key pair parameter configuration page.
Figure 607 Key pair parameter configuration page

4. Set the key length.


5. Click Apply.

Destroying the RSA key pair


1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Destroy Key to enter the RSA key pair destruction page.
4. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.

Figure 608 Key pair destruction page

Retrieving and displaying a certificate


You can download an existing CA certificate or local certificate from the CA server, and save it locally.
To do so, you can use offline mode or online mode. In offline mode, you can retrieve a certificate by an
out-of-band means like FTP, disk, or email, and then import it into the local PKI system.
The retrieved CA certificate and local certificate are saved as files named domain-name_ca.cer and
domain-name_local.cer in the root directory, respectively.
To retrieve a certificate:
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Retrieve Cert to enter the PKI certificate retrieval page.
Figure 609 PKI certificate retrieval page

4. Configure the parameters as described in Table 180.


5. Click Apply.
Table 180 Configuration items

Domain Name: Select the PKI domain for the certificate. By default, the list displays the default PKI domain local_domain.

Certificate Type: Select the type of the certificate to be retrieved: CA or Local.

Enable Offline Mode: Select this option to retrieve a certificate by an out-of-band means like FTP, disk, or email, and then import the certificate into the local PKI system.

Get File From Device, Get File From PC: Specify the path and name of the certificate file if you retrieve the certificate in offline mode.
• If the certificate file is saved on the device, select Get File From Device, and then specify the path of the file on the device. If you do not specify the file path, the system uses the CA certificate file named domain-name_ca.cer or local certificate file named domain-name_local.cer in the root directory of the device.
• If the certificate file is saved on a local PC, select Get File From PC and then specify the path to the file and select the partition of the device for saving the file.

Password: Enter the password for protecting the private key if you retrieve the certificate in offline mode. The password was specified when the certificate was exported.


6. After you retrieve a certificate, click View Cert corresponding to the certificate from the PKI
certificates list to display the contents of the certificate.
Figure 610 Certificate information

Requesting a local certificate
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Request Cert to enter the local certificate request page.
Figure 611 Local certificate request page

4. Configure the parameters as described in Table 181.


Table 181 Configuration items

Domain Name: Select the PKI domain for the certificate. By default, the list displays the default PKI domain local_domain.

Password: Enter the password for certificate revocation.

Enable Offline Mode: Select this option to request a certificate by an out-of-band means like FTP, disk, or email.


5. Click Apply.
If you request the certificate in online mode, the system displays Certificate request has been
submitted. Click OK. If you request the certificate in offline mode, the system displays the offline
certificate request information. You can submit the information to the CA by an out-of-band means.
Figure 612 Offline certificate request information page

Retrieving and displaying a CRL
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the CRL tab.
Figure 613 CRL page

3. Click Retrieve CRL to retrieve the CRL of a domain.


4. Click View CRL for the domain to display the contents of the CRL.
Figure 614 CRL information

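As an added example that is not HP's code, the following Python models the decisions implied by Enable CRL Checking, CRL Update Period, and the CRL's own next update field when a certificate is verified, including the two failure modes the configuration guidelines point at: a CRL that has outlived its next update, and a CRL whose this update lies in the future because the entity's clock is not synchronous with the CA. The Crl class and its field names, the helper functions, the sample serial numbers, and the CN=myca issuer value are all constructed for this example.

```python
"""CRL-checking decision logic (added example, not the device's implementation)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Crl:
    """Only the CRL fields the check below depends on (constructed model)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[str]  # serial numbers as lower-case hex strings


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC timestamp; CRL times are UTC, so the model is too."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days(n: int) -> timedelta:
    return timedelta(days=n)


def crl_refresh_due(crl: Crl, now: datetime, update_period: Optional[timedelta] = None) -> bool:
    """A configured CRL Update Period drives the next download; with none configured
    (the guide's default) the CRL's next update field does."""
    if update_period is None:
        return now >= crl.next_update
    return now >= crl.this_update + update_period


def check_certificate(serial: str, issuer: str, crl: Optional[Crl], now: datetime,
                      crl_checking_enabled: bool = True) -> str:
    """Classify a peer certificate against the cached CRL."""
    if not crl_checking_enabled:
        return "accepted-unchecked"       # local_domain default: CRL checking disabled
    if crl is None:
        return "rejected-no-crl"          # checking enabled but no CRL retrieved yet
    if crl.issuer != issuer:
        return "rejected-wrong-issuer"    # a CRL only speaks for its own issuer
    if now < crl.this_update:
        return "rejected-crl-from-future" # typical symptom of entity/CA clock skew
    if now > crl.next_update:
        return "rejected-stale-crl"       # CRL outlived its next update field
    if serial.lower() in crl.revoked_serials:
        return "revoked"
    return "good"


# Constructed sample CRL; the issuer name reuses the page's CA name myca.
SAMPLE_CRL = Crl(
    issuer="CN=myca",
    this_update=utc(2014, 4, 1),
    next_update=utc(2014, 4, 8),
    revoked_serials=frozenset({"1a2b3c", "00ff01"}),
)

if __name__ == "__main__":
    now = utc(2014, 4, 5)
    for serial in ("1A2B3C", "77"):
        print(serial, "->", check_certificate(serial, "CN=myca", SAMPLE_CRL, now))
    print("after next update ->", check_certificate("77", "CN=myca", SAMPLE_CRL, utc(2014, 4, 9)))
    print("refresh due (default schedule):", crl_refresh_due(SAMPLE_CRL, now))
    print("refresh due (3-day period):", crl_refresh_due(SAMPLE_CRL, now, days(3)))
```

The stale and from-the-future outcomes are the ones to watch for when authentication suddenly fails after a CRL-checking change: both point at the clock or at the CRL download schedule rather than at the peer's certificate.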
Certificate management configuration example


Network requirements
As shown in Figure 615, configure the AC as the PKI entity, so that:
• The AC submits a local certificate request to the CA server, which runs the RSA Keon software.

• The AC acquires CRLs for certificate verification.
Figure 615 Network diagram

Configuring the CA server


1. Create a CA server named myca.
In this example, you must first configure the basic attributes of Nickname and Subject DN on the
CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of
the CA, including the common name (CN), organization unit (OU), organization (O), and country
(C). Leave the default values of the other attributes.
2. Configure extended attributes.
After you configure the basic attributes, perform configuration on the Jurisdiction Configuration
page of the CA server. This includes selecting the correct extension profiles, enabling the SCEP
autovetting function, and adding the IP address list for SCEP autovetting.
3. Configure the CRL publishing behavior.
After you complete the previous configuration, perform the CRL related configuration.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After this configuration, make sure the system clock of the AC is synchronized with that of the CA, so
that the AC can correctly request certificates and retrieve CRLs.

Configuring the AC
1. Create a PKI entity.
a. From the navigation tree, select Authentication > Certificate Management.
The PKI entity list page is displayed by default.
b. Click Add.
c. Enter aaa as the PKI entity name.
d. Enter ac as the common name.
e. Click Apply.

Figure 616 Configuring a PKI entity

2. Create a PKI domain.


a. Click the Domain tab.
b. Click Add.
c. Enter torsa as the PKI domain name.
d. Enter myca as the CA identifier.
e. Select aaa as the local entity.
f. Select CA as the authority for certificate request.
g. Enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for
certificate request.
The URL must be in the format of http://host:port/Issuing Jurisdiction ID, where Issuing
Jurisdiction ID is the hexadecimal string generated on the CA.
h. Select Manual as the certificate request mode.
i. Expand the Advanced Configuration area.
j. Select Enable CRL Checking.
k. Enter http://4.4.4.133:447/myca.crl as the CRL URL.
l. Click Apply.
The system displays the following message: Fingerprint of the root certificate not specified. No
root certificate validation will occur. Continue?
m. Click OK.

Figure 617 Configuring a PKI domain

3. Generate an RSA key pair.


a. Click the Certificate tab.
b. Click Create Key to enter the page.
c. Enter 1024 for the key length.
d. Click Apply to generate an RSA key pair.

Figure 618 Generating an RSA key pair

4. Retrieve the CA certificate.


a. Click the Certificate tab.
b. Click Retrieve Cert.
c. Select torsa as the PKI domain.
d. Select CA as the certificate type.
e. Click Apply.
Figure 619 Retrieving the CA certificate

5. Request a local certificate.


a. Click the Certificate tab.
b. Click Request Cert.
c. Select torsa for the PKI domain.
d. Select Password, and then enter challenge-word as the password.
e. Click Apply.
The system displays Certificate request has been submitted.
f. Click OK.

Figure 620 Requesting a local certificate

6. Retrieve the CRL.


a. Click the CRL tab.
b. Click Retrieve CRL for the PKI domain torsa.
Figure 621 Retrieving the CRL

Verifying the configuration


After the configuration, you can select Certificate Management > Certificate from the navigation tree to
view detailed information about the retrieved CA certificate and local certificate, or select Certificate
Management > CRL from the navigation tree to view detailed information about the retrieved CRL.

Configuring WLAN security

WLAN security overview


802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients,
ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise
security. To ensure security, the wireless intrusion detection system (WIDS) is introduced. WIDS provides
early detection of malicious attacks and intrusions on a wireless network without affecting network
performance, and provides real-time countermeasures.
WLAN security provides these features:
• Rogue detection
• WIDS attack detection
• Blacklist and whitelist

Terminology
• Rogue AP—An unauthorized or malicious access point on the network, such as an AP set up by an
employee, a misconfigured AP, a neighbor's AP, or an AP operated by an attacker. Because it is not
authorized, any vulnerability in the AP gives an attacker a chance to compromise your network security.
• Rogue client—An unauthorized or malicious client on the network.
• Rogue wireless bridge—Unauthorized wireless bridge on the network.
• Monitor AP—An AP that scans or listens to 802.11 frames to detect rogue devices in the network.
• Ad hoc mode—A wireless client in ad-hoc mode can communicate directly with other stations
without support from any other device.

Detecting rogue devices


Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a
WLAN network based on the pre-configured rules.
Rogue detection can detect different types of devices in a WLAN network, for example, rogue APs, rogue
clients, rogue wireless bridges, and ad-hoc terminals. An AP can work in either of the following modes
for rogue detection:
• Monitor mode—An AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services.
As shown in Figure 622, AP 1 works as an access AP, and AP 2 works as a monitor AP to listen to
all 802.11g frames. AP 2 cannot provide wireless access services.

Figure 622 Monitor AP for rogue detection

• Hybrid mode—An AP can both scan devices in the WLAN and provide WLAN data services.
Figure 623 Hybrid AP for rogue detection

Taking countermeasures against rogue device attacks


You can enable the countermeasures on a monitor AP. The monitor AP downloads an attack list from the
AC according to the countermeasure mode, and takes countermeasures against detected rogue devices.
The processing methods vary with rogue devices:
• If the rogue device is a rogue client, it is logged out.
• If the rogue device is a rogue AP, legal clients will not use the rogue AP to access the WLAN.
• If the rogue device is an ad-hoc client, it is denied, and ad-hoc clients cannot communicate with
each other.

Figure 624 Taking countermeasures against rogue devices

WIDS attack detection


The WIDS attack detection function detects intrusions or attacks on a WLAN network, and informs the
network administrator of the attacks by recording information or sending logs. WIDS detection supports
detection of the following attacks:
• Flood attack
• Spoofing attack
• Weak IV attack

Flood attack detection


A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind
within a short span of time. When this occurs, the WLAN devices get overwhelmed, and are unable to
service normal clients.
WIDS attack detection counters flood attacks by constantly keeping track of the density of a specific
kind of packets. When the traffic density of a device exceeds the limit, the device is considered to be
flooding the network. If the dynamic blacklist feature is enabled, the device is added to the blacklist
and is forbidden to access the WLAN.
WIDS inspects the following types of frames:
• Authentication requests and de-authentication requests
• Association requests, disassociation requests and reassociation requests
• Probe requests
• 802.11 null data frames
• 802.11 action frames.
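The density tracking described above, as an added example that is not part of this guide or of HP's implementation: a sliding-window counter per source MAC address and frame kind, written in Python. The guide does not give the device's own limit, so the threshold (50 frames in a 1 s window), the frame-kind names and the sample frames are all constructed for the demonstration.

```python
"""Flood attack detection over 802.11 management and null-data frames.

Added example, not the AC's own code. Per (source MAC, frame kind) it keeps
the timestamps seen inside a sliding window and flags the sender once the
count exceeds a threshold. Threshold, window and sample traffic are constructed."""
from collections import defaultdict, deque

# Frame kinds the guide lists as inspected by flood detection (names are ours).
FLOOD_FRAME_KINDS = {
    "auth", "deauth",                    # authentication / de-authentication
    "assoc", "disassoc", "reassoc",      # association family
    "probe_req",                         # probe requests
    "null_data",                         # 802.11 null data frames
    "action",                            # 802.11 action frames
}


class FloodDetector:
    def __init__(self, threshold=50, window_ms=1000):
        self.threshold = threshold          # frames tolerated per window
        self.window_ms = window_ms          # sliding window length in ms
        self.history = defaultdict(deque)   # (mac, kind) -> timestamps in window
        self.flagged = {}                   # (mac, kind) -> time first flagged

    def observe(self, ts_ms, src_mac, kind):
        """Record one frame; return True if this frame tips the sender over the limit."""
        if kind not in FLOOD_FRAME_KINDS:
            return False                    # data frames etc. are not counted
        key = (src_mac.lower(), kind)
        recent = self.history[key]
        recent.append(ts_ms)
        # Discard timestamps that have slid out of the window.
        while recent and ts_ms - recent[0] > self.window_ms:
            recent.popleft()
        if len(recent) > self.threshold:
            self.flagged.setdefault(key, ts_ms)   # remember the first detection time
            return True
        return False


def run_sample():
    """Constructed traffic: one client bursts probe requests, one behaves."""
    det = FloodDetector(threshold=50, window_ms=1000)
    # 120 probe requests from 000f-e220-405e, 4 ms apart (all inside one second).
    for i in range(120):
        det.observe(i * 4, "000f-e220-405e", "probe_req")
    # 5 authentication requests from 000f-e215-1515 spread over one second.
    for i in range(5):
        det.observe(i * 200, "000f-e215-1515", "auth")
    # 300 data frames from the same client: not a kind the detector counts.
    for i in range(300):
        det.observe(i, "000f-e215-1515", "data")
    return det.flagged


if __name__ == "__main__":
    for (mac, kind), ts in run_sample().items():
        print(f"flood: {mac} {kind} flagged at t={ts} ms")
```

The first detection time is kept rather than the last so that a log entry points at when the burst began; feeding the flagged key into a dynamic blacklist with a lifetime is what the "Blacklist and whitelist" section below describes.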

Spoofing attack detection


In this kind of attack, a potential attacker sends frames on the air on behalf of another device. For
instance, a client in a WLAN has been associated with an AP and works normally. A spoofed
de-authentication frame can cause the client to be de-authenticated from the network and can
affect the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast
de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it
is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection
Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. The system uses
an IV and a key to generate a key stream, so encryptions using the same key have different results. Also,
when a WEP frame is sent, the IV used in encrypting the frame is sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all
frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is
compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.
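The check described in this section, as an added example that is not part of the guide or of HP's implementation. The guide does not say which IVs the device treats as weak, so this Python code flags two conditions: the classic FMS weak class (first IV byte between 3 and 15 and second byte 0xFF), and an IV reused by the same transmitter, which is what the "fixed IV for all frames" case looks like on the air. The frames are constructed as (transmitter MAC, frame body) pairs, where the body is what follows the 802.11 MAC header: a 3-byte IV, the key-ID byte and then ciphertext.

```python
"""Weak IV detection on WEP-protected frames.

Added example, not the AC's own code. Two findings are produced:
'fms-weak-iv' for IVs in the classic FMS weak class, and 'iv-reuse' when a
transmitter sends the same IV again. Sample frames are constructed."""
from collections import defaultdict


def parse_wep_iv(body):
    """Return (iv_bytes, key_id) from a WEP frame body, or None if it is too short."""
    if len(body) < 4:
        return None
    iv = bytes(body[:3])
    key_id = body[3] >> 6          # key index is the top two bits of the 4th byte
    return iv, key_id


def is_fms_weak(iv):
    """Classic FMS weak IV class (A+3, 0xFF, X) for key byte index A = 0..12."""
    return 3 <= iv[0] <= 15 and iv[1] == 0xFF


class WeakIVDetector:
    def __init__(self):
        self.seen = defaultdict(set)   # transmitter -> IVs already used by it
        self.findings = []             # (transmitter, iv hex, reason) in detection order

    def observe(self, transmitter, body):
        """Inspect one WEP frame body; return the list of reasons it was flagged."""
        parsed = parse_wep_iv(body)
        if parsed is None:
            return []
        iv, _key_id = parsed
        tx = transmitter.lower()
        reasons = []
        if is_fms_weak(iv):
            reasons.append("fms-weak-iv")
        if iv in self.seen[tx]:
            reasons.append("iv-reuse")
        self.seen[tx].add(iv)
        for reason in reasons:
            self.findings.append((tx, iv.hex(), reason))
        return reasons


def run_sample():
    """Constructed frames: one weak IV, one reused IV, one ordinary, one truncated."""
    det = WeakIVDetector()
    det.observe("000f-e215-1515", bytes([0x05, 0xFF, 0x3A, 0x00]) + b"\x11" * 20)  # FMS weak
    det.observe("000f-e215-1530", bytes([0x10, 0x20, 0x30, 0x40]) + b"\x22" * 20)  # fine
    det.observe("000f-e215-1530", bytes([0x10, 0x20, 0x30, 0x40]) + b"\x33" * 20)  # same IV again
    det.observe("000f-e213-1235", bytes([0xA1, 0xB2, 0xC3, 0x80]) + b"\x44" * 20)  # fine
    det.observe("000f-e213-1235", b"\x01")                                         # too short
    return det.findings


if __name__ == "__main__":
    for tx, iv, reason in run_sample():
        print(f"weak IV: transmitter={tx} iv={iv} reason={reason}")
```

Each finding corresponds to the log entry the guide says is written immediately; keeping the per-transmitter IV set bounded (for example by discarding it when the transmitter's association ends) is left to the reader.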

Blacklist and whitelist


You can configure the blacklist and whitelist functions to filter frames from WLAN clients and thereby
implement client access control.
WLAN client access control is accomplished through the following three types of lists.
• Whitelist—Contains the MAC addresses of all clients allowed to access the WLAN. If the whitelist
is used, only permitted clients can access the WLAN, and all frames from other clients are
discarded.
• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is
configured manually.
• Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client
is added to the list dynamically when it is detected sending attack frames, and the entry is removed
when its timer expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection
detects any attacks, the MAC addresses of attackers are added to the dynamic blacklist. For more
information about ARP detection, see "Configuring ARP attack defense."
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the
frame as follows:
1. If the source MAC address does not match any entry in the whitelist, the frame is dropped. If there
is a match, the frame is considered valid, and is processed further.
2. If no whitelist entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in any of the two lists, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid, and is processed
further.
A static blacklist or whitelist configured on an AC applies to all APs connected to the AC, while a
dynamic blacklist applies to APs that receive attack frames.

Figure 625 Network diagram for WLAN client access control

• In the topology above, three APs are connected to an AC. Configure whitelist and static blacklist
entries on the AC, which will send all the entries to the APs. If the MAC address of a station, Client
1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present
in the whitelist, it can access any of the APs, and other clients cannot access any of the APs.
• Enable the dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a
dynamic blacklist entry is generated in the blacklist. Client 1 cannot associate with AP 1, but can
associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic
blacklist entry is generated in the blacklist.
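The four-step frame processing order above and the Figure 625 scenario, as an added example in Python that is not part of the guide or of HP's implementation. The whitelist and static blacklist are kept AC-wide, while dynamic entries are kept per AP because only the AP that received the attack frames applies them; the lifetime value and all MAC addresses are constructed.

```python
"""Whitelist / static blacklist / dynamic blacklist filtering of 802.11 frames.

Added example, not the AC's own code. Decision order follows the guide:
1) if a whitelist exists, only its members pass; 2-3) otherwise the static
and dynamic blacklists are searched and a match drops the frame; 4) otherwise
the frame is valid. Dynamic entries are per AP and age out after `lifetime`."""


class ClientAccessControl:
    def __init__(self, whitelist=(), static_blacklist=(), dynamic_lifetime=300):
        self.whitelist = {m.lower() for m in whitelist}              # AC-wide
        self.static_blacklist = {m.lower() for m in static_blacklist}  # AC-wide
        self.dynamic = {}                    # ap_name -> {mac: expiry time}
        self.lifetime = dynamic_lifetime     # seconds a dynamic entry lives

    def report_attack(self, ap, src_mac, now):
        """Called when attack frames received by `ap` are attributed to src_mac."""
        self.dynamic.setdefault(ap, {})[src_mac.lower()] = now + self.lifetime

    def _expire(self, ap, now):
        entries = self.dynamic.get(ap, {})
        for mac in [m for m, expiry in entries.items() if expiry <= now]:
            del entries[mac]

    def filter_frame(self, ap, src_mac, now):
        """Return 'permit' or 'drop' for a frame received by `ap` from src_mac."""
        mac = src_mac.lower()
        # Step 1: with a whitelist present, membership alone decides.
        if self.whitelist:
            return "permit" if mac in self.whitelist else "drop"
        # Steps 2-3: no whitelist, so consult both blacklists (after aging).
        self._expire(ap, now)
        if mac in self.static_blacklist or mac in self.dynamic.get(ap, {}):
            return "drop"
        # Step 4: no match anywhere, the frame is valid.
        return "permit"


def run_sample():
    """Figure 625 scenario: three APs, Client 1 sends attack frames to AP 1 only."""
    client1, client2 = "000f-e2aa-0001", "000f-e2aa-0002"     # constructed MACs
    acl = ClientAccessControl(dynamic_lifetime=300)
    results = {}
    results["before"] = acl.filter_frame("AP1", client1, now=0)
    acl.report_attack("AP1", client1, now=10)                # AP 1 saw attack frames
    results["ap1_blocked"] = acl.filter_frame("AP1", client1, now=20)
    results["ap2_still_ok"] = acl.filter_frame("AP2", client1, now=20)
    results["ap1_after_aging"] = acl.filter_frame("AP1", client1, now=400)
    acl.static_blacklist.add(client2)                        # static entry: every AP
    results["static_everywhere"] = (acl.filter_frame("AP1", client2, 400),
                                    acl.filter_frame("AP3", client2, 400))
    return results


if __name__ == "__main__":
    for step, verdict in run_sample().items():
        print(f"{step}: {verdict}")
```

Note that step 1 makes a whitelist entry override a blacklist entry for the same address, which is exactly the behaviour the guide describes, so a whitelist should be populated deliberately rather than copied from the connected-clients table without review.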

Configuring rogue device detection


Recommended configuration procedure
Step | Remarks
1. Configuring AP operating mode | Required. By default, the AP operates in normal mode and only provides WLAN data services.
2. Configuring detection rule lists | Required.
3. Enabling countermeasures and configuring aging time for detected rogue devices | Optional.

Configuring AP operating mode


1. Select Security > Rogue Detection from the navigation tree.

Figure 626 AP monitor configuration

2. On the AP Monitor tab, select the AP to be configured and click the icon.
Figure 627 AP operating mode configuration

3. Configure the AP operating mode as described in Table 182.


An AP operating in hybrid mode can provide WLAN data services as well as scanning devices in
the WLAN, so WLAN service configurations are needed.
An AP operating in monitor mode cannot provide WLAN data services, so WLAN service
configurations are not needed.
Table 182 Configuration items

Item | Description
Work mode | Configure the AP operating mode:
  • In normal mode, an AP provides WLAN data services but does not perform scanning.
  • In monitor mode, an AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services.
  • In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services.
  IMPORTANT:
  • When an AP has its operating mode changed from normal to monitor, it does not restart.
  • When an AP has its operating mode changed from monitor to normal, it restarts.

4. Click Apply.

Configuring detection rules


Detection rules are the rogue device classification rules. An AC classifies devices as rogues or
friends based on the configured classification rules.
• Identify whether an AP is a rogue.
Figure 628 Identifying whether an AP is a rogue

• Identify whether a client is a rogue.

Figure 629 Identifying whether a client is a rogue

(Flowchart of Figure 629.) The client is first checked against the static attack list; a match makes
it an illegal client (rogue). If there is no match or the list is not configured, the client is checked
against the permitted MAC address list; a match makes it a legal client (friend). If there is no match
or that list is not configured either, the AP (BSSID) the client is associated with is checked: if
that AP is legal, the client is a legal client (friend); otherwise it is an illegal client (rogue).

• Identify whether an ad hoc network or a wireless bridge is a rogue.


Figure 630 Identifying whether an ad hoc network or a wireless bridge is a rogue
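The client decision order of Figure 629, as an added Python example that is not part of the guide or of HP's implementation. The AP decision of Figure 628 is not reproduced; instead the set of APs already judged legal is passed in. The MAC addresses of Clients 1 to 4 are taken from the configuration example later in this chapter; the BSSIDs and the remaining client addresses are constructed.

```python
"""Rogue-vs-friend classification of a wireless client.

Added example, not the AC's own code. Order of checks, as in Figure 629:
static attack list -> permitted MAC list -> legality of the associated AP."""


def norm_mac(mac):
    """Accept 'xxxx-xxxx-xxxx', 'xx:xx:xx:xx:xx:xx' or 'xx-xx-...' forms; return 12 hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


class ClientClassifier:
    def __init__(self, attacker_macs=(), permitted_macs=(), legal_bssids=()):
        self.attacker = {norm_mac(m) for m in attacker_macs}     # "Attacker" rule list
        self.permitted = {norm_mac(m) for m in permitted_macs}   # "MAC" rule list
        self.legal_bssids = {norm_mac(b) for b in legal_bssids}  # APs already judged friends

    def classify(self, client_mac, bssid):
        """Return ('rogue' | 'friend', reason) for a client associated with bssid."""
        mac = norm_mac(client_mac)
        if mac in self.attacker:                        # static attack list wins
            return "rogue", "in static attack list"
        if mac in self.permitted:                       # explicitly permitted client
            return "friend", "in permitted MAC list"
        if norm_mac(bssid) in self.legal_bssids:        # otherwise inherit the AP's verdict
            return "friend", "associated with a legal AP"
        return "rogue", "associated with an illegal AP"


def run_sample():
    """Rule lists from the rogue detection configuration example in this chapter."""
    clf = ClientClassifier(
        attacker_macs=["000f-e220-405e"],                                   # Client 4
        permitted_macs=["000f-e215-1515", "000f-e215-1530", "000f-e213-1235"],  # Clients 1-3
        legal_bssids=["0011-2233-4401"],                                    # constructed BSSID of AP 1
    )
    return {
        "client1": clf.classify("000f-e215-1515", "0011-2233-4401")[0],
        "client4_on_legal_ap": clf.classify("000f-e220-405e", "0011-2233-4401")[0],
        "unknown_on_legal_ap": clf.classify("00:1c:aa:bb:cc:dd", "0011-2233-4401")[0],
        "unknown_on_unknown_ap": clf.classify("00:1c:aa:bb:cc:ee", "0011-2233-44ff")[0],
    }


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name}: {verdict}")
```

The attacker list is checked before the permitted list, so an address that appears in both is still a rogue; the reason string returned alongside the verdict is what you would want in the monitor record when reviewing why a device was classified.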

Configuring detection rule lists
1. Select Security > Rogue Detection from the navigation tree.
2. Click the Rule List tab.
Figure 631 Configuring a rule list

3. Configure the rule list as described in Table 183.


Table 183 Configuration items

Item | Description
List Type | • MAC—Add MAC addresses to be permitted after selecting this option.
  • Wireless Service—Add SSIDs to be permitted after selecting this option.
  • Vendor—Specify vendors to be permitted after selecting this option.
  • Attacker—Add the MAC address of a device to configure the device as a rogue.

4. Select MAC from the list and click Add.

Figure 632 Configuring a MAC address list

5. Configure the MAC address list as described in Table 184.


Table 184 Configuration items

Item | Description
MAC | Enter the permitted MAC address in the box.
Select the existent devices | If you select this option, the MAC address table displays MAC addresses of the current devices. Select the MAC addresses to be permitted.

6. Click Apply.
The operation to add other types of lists is similar to the add operation of a MAC address list, so the
description is omitted.

Enabling countermeasures and configuring aging time for detected rogue devices
1. Select Security > Rogue Detection from the navigation tree.
2. On the AP Monitor tab, click Common Set.

Figure 633 Common configuration

3. Perform common configuration as described in Table 185.


Table 185 Configuration items

Item | Description
Countermeasures Setting | Configure the AP to take countermeasures against rogue devices while providing wireless services.
  • Interval—The interval at which the AP takes countermeasures.
  • Max Device Number—The maximum number of rogue devices that the AP can take countermeasures against.
Countermeasures Mode | • Rogue Device—Allows you to take countermeasures against rogue devices (including illegal APs and illegal clients).
  • Rogue Adhoc Device—Allows you to take countermeasures against ad hoc devices.
  • Static Rogue Device—Allows you to take countermeasures against rogue devices configured in the detection rule list.
Device Aging-Duration | Configure the aging time of entries in the device list. Once a rogue device is detected, an entry for it is added to the monitor record and the aging time starts. The aging time restarts if the device is detected again during the time. When the aging time is reached, the entry is deleted from the monitor record and added to the history record.

4. Click Apply.

Displaying monitor record


1. Select Security > Rogue Detection from the navigation tree.
2. Click the Monitor Record tab to enter the monitor record page.

Figure 634 Monitor record

Table 186 Field description

Field | Description
Type | Device type, shown as a combination of the following letters:
  • r—Rogue device.
  • p—Permitted device.
  • a—Ad hoc device.
  • w—AP.
  • b—Wireless bridge.
  • c—Client.
  For example, pw represents a permitted AP while rb represents a rogue wireless bridge. The device considers all ad hoc devices and wireless bridges as rogue devices.

Displaying history record


1. Select Security > Rogue Detection from the navigation tree.
2. Click the History Record tab.

Figure 635 History record page

Configuring WIDS
Configuring WIDS
1. Select Security > WIDS from the navigation tree.
Figure 636 Configuring WIDS

2. On the WIDS Setup tab, configure WIDS as described in Table 187.


Table 187 Configuration items

Item | Description
Flood Attack Detect | If you select the option, flood attack detection is enabled. It is disabled by default.
Spoofing Attack Detect | If you select the option, spoofing attack detection is enabled. It is disabled by default.
Weak IV Attack Detect | If you select the option, Weak IV attack detection is enabled. It is disabled by default.

3. Click Apply.

Displaying history record


1. Select Security > WIDS from the navigation tree.
2. Click the History Record tab.

Figure 637 Displaying history information

Displaying statistics information


1. Select Security > WIDS from the navigation tree.
2. Click the Statistics tab.
Figure 638 Displaying statistics

Configuring the blacklist and whitelist functions
A static blacklist or whitelist configured on an AC applies to all APs connected to the AC, while a
dynamic blacklist applies to APs that receive attack frames. For more information, see "Blacklist and
whitelist."

Configuring dynamic blacklist


1. Select Security > Filter from the navigation tree.
Figure 639 Configuring a dynamic blacklist

2. On the Blacklist tab, configure the dynamic blacklist as described in Table 188.
Table 188 Configuration items

Item | Description
Dynamic Blacklist | • Enable—Enable dynamic blacklist.
  • Disable—Disable dynamic blacklist.
Lifetime | Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.

3. Click Apply.

NOTE:
These attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood,
ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood, and Null data-Flood.

Configuring static blacklist


1. Select Security > Filter from the navigation tree.

2. On the Blacklist tab, click Static.
Figure 640 Configuring a static blacklist

3. Click Add Static.


Figure 641 Adding static blacklist

4. Add a static blacklist as described in Table 189.


Table 189 Configuration items

Item | Description
MAC Address | Select MAC Address, and then add a MAC address to the static blacklist.
Select from Connected Clients | If you select the option, the table below lists the current existing clients. Select the options of the clients to add their MAC addresses to the static blacklist.

5. Click Apply.

Configuring whitelist
1. Select Security > Filter from the navigation tree.
2. Click the Whitelist tab.
Figure 642 Configuring a whitelist

3. Click Add.
Figure 643 Adding a whitelist

4. Add a whitelist as described in Table 190.


Table 190 Configuration items

Item | Description
MAC Address | Select MAC Address, and then add a MAC address to the whitelist.
Select from Connected Clients | If you select the option, the table below this option lists the current existing clients. Select the options of the clients to add their MAC addresses to the whitelist.

5. Click Apply.

Rogue detection configuration example


Network requirements
As shown in Figure 644, a monitor AP (AP 2 with serial ID SZ001) and AP 1 (serial ID SZ002) are
connected to an AC through a Layer 2 switch.
• AP 1 operates in normal mode and provides WLAN data services only.
• AP 2 operates in monitor mode, and scans all 802.11g frames in the WLAN.
• Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3
(MAC address 000f-e213-1235) are connected to AP 1. They are configured as friends.
• Client 4 (MAC address 000f-e220-405e) is connected to AP 2. It is configured as a rogue device.
Figure 644 Network diagram

Configuration guidelines
• The radio must be disabled so that the AP operation mode can be changed.
• If you configure more than one detection rule, you need to specify the rogue device types (AP, client,
bridge, and ad hoc) and the rule matching order. For more information, see "Configuring user
isolation."
• The wireless service configuration is needed for an AP operating in hybrid mode, and not needed
for an AP in monitor mode.

Configuration procedure
1. Configure AP 1 to operate in normal mode:
In normal mode, AP 1 provides WLAN data services only. For information about how to configure
WLAN services, see "Configuring access services."
2. Configure AP 2 to operate in monitor mode:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.

c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
Manual, and enter the serial ID of AP 2.
d. Click Apply.
Figure 645 AP configuration

e. Select Security > Rogue Detection from the navigation tree.


f. On the AP Monitor tab, click the icon for the target AP.
g. Select the operating mode Monitor.
h. Click Apply.
Figure 646 AP operating mode configuration

3. Enable the 802.11n(2.4GHz) radio mode:


a. Select Radio > Radio from the navigation tree.
b. Select the AP with the radio mode 802.11n(2.4GHz).
c. Click Enable.

Figure 647 Radio configuration

4. Configure rogue detection rules:


a. Select Security > Rogue Detection from the navigation tree.
b. Click the Rule List tab and click Add.
c. On the page that appears, enter 000f-e215-1515, 000f-e215-1530, and 000f-e213-1235 in
the MAC Address field, and then click Apply.
Figure 648 Adding MAC addresses to the rogue detection rule list

d. Select Attacker, and click Add. Enter 000f-e220-405e in the MAC Address field and click
Apply.
Figure 649 Adding MAC addresses to the attacker list

5. Enable countermeasures against the static rogue device:


a. Select Security > Rogue Detection from the navigation tree.
b. Click the AP Monitor tab, and click Common Set.
c. Select Static Rogue Device, because the MAC address of Client 4 was added manually to the
attacker list.
d. Click Apply.

Figure 650 Common configuration

Configuring user isolation

User isolation overview


Without user isolation, all the devices in the same VLAN can access each other directly. This causes
security problems. User isolation can solve this problem.
• When an AC configured with user isolation receives unicast packets, broadcast packets or multicast
packets from a wireless client to another wireless client in the same VLAN, the AC determines
whether to isolate the two devices according to the configured list of permitted MAC addresses.
• When an AC configured with user isolation receives unicast packets (broadcast and multicast
packets in a VLAN are not isolated) from a wireless client to a wired client or from a wired client to
another wired client in the same VLAN, the AC determines whether to isolate the two devices
according to the configured list of permitted MAC addresses.
• When an AC configured with user isolation receives unicast packets from a wired client to a
wireless client, the AC determines whether to isolate the two devices according to the configured list
of permitted MAC addresses. Whether to isolate broadcast or multicast packets varies with the
configuration of command user-isolation permit broadcast (see "Configuring stateful failover").
To avoid user isolation from affecting communications between users and the gateway, you can add the
MAC address of the gateway to the list of permitted MAC addresses.
User isolation provides network services for users while keeping them from communicating with one
another at Layer 2, thereby ensuring service security.

Before user isolation is enabled


As shown in Figure 651, before user isolation is enabled in VLAN 2 on the AC, the wireless terminal
Client, the server and the wired terminal Host in the VLAN can communicate with each other and access
the Internet.

Figure 651 User communication

After user isolation is enabled


As shown in Figure 651, user isolation is enabled on the AC. The client, the server and the host in VLAN
2 access the Internet through the gateway.
• If you add the MAC address of the gateway to the permitted MAC address list, the client, the server
and the host in the same VLAN are isolated, but they can access the Internet.
• If you add the MAC address of a user (the client, for example) to the permitted MAC address list,
the client and the server, and the client and the host can access each other directly, but the server
and the host cannot.
To enable all the users in the VLAN to access one another and the Internet, you need to add the MAC
address of the gateway and the MAC addresses of the users to the permitted MAC address list.
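The three isolation rules listed under "User isolation overview" and the permitted MAC list behaviour described just above, as an added Python example that is not part of the guide or of HP's implementation. Two stations are isolated unless either one is on the permitted MAC list; broadcast and multicast from a wireless client towards the wired side are never isolated; and broadcast and multicast from the wired side towards wireless clients follow a permit_broadcast flag that stands in for the user-isolation permit broadcast command. The gateway MAC address is the one from the configuration example; the other stations' addresses are constructed.

```python
"""User isolation decision for two stations in the same VLAN.

Added example, not the AC's own code. `isolate()` answers whether a packet
of the given kind from src must be withheld from dst. Station MACs other than
the gateway are constructed; `permit_broadcast` stands in for the
user-isolation permit broadcast command (assumption: when set, wired-to-wireless
broadcast/multicast is not isolated)."""
from collections import namedtuple

Station = namedtuple("Station", "name mac wireless")


class VlanIsolation:
    def __init__(self, vlan_id, permitted_macs=(), enabled=True, permit_broadcast=False):
        self.vlan_id = vlan_id
        self.permitted = {m.lower() for m in permitted_macs}   # up to 16 per VLAN on the AC
        self.enabled = enabled
        self.permit_broadcast = permit_broadcast

    def isolate(self, src, dst, kind="unicast"):
        """True if a `kind` ('unicast' | 'broadcast' | 'multicast') packet is isolated."""
        if not self.enabled:
            return False
        if src.mac.lower() in self.permitted or dst.mac.lower() in self.permitted:
            return False                      # a permitted MAC on either end: never isolated
        if src.wireless and dst.wireless:
            return True                       # wireless to wireless: every packet kind
        if not dst.wireless:                  # wireless to wired, or wired to wired
            return kind == "unicast"          # broadcast/multicast not isolated
        if kind == "unicast":                 # wired to wireless
            return True
        return not self.permit_broadcast      # depends on the permit broadcast setting


def run_sample():
    """Figure 654 scenario: Client A, Client B and Host A in VLAN 2, gateway permitted."""
    gateway = Station("gateway", "000f-e212-7788", wireless=False)   # MAC from the example
    client_a = Station("Client A", "000f-e2aa-00a1", wireless=True)   # constructed
    client_b = Station("Client B", "000f-e2aa-00b2", wireless=True)   # constructed
    host_a = Station("Host A", "000f-e2aa-00c3", wireless=False)      # constructed
    vlan2 = VlanIsolation(2, permitted_macs=[gateway.mac])
    return {
        "a_to_b": vlan2.isolate(client_a, client_b),
        "a_to_gateway": vlan2.isolate(client_a, gateway),
        "gateway_to_b": vlan2.isolate(gateway, client_b),
        "host_to_a_unicast": vlan2.isolate(host_a, client_a),
        "a_to_host_unicast": vlan2.isolate(client_a, host_a),
        "a_to_host_broadcast": vlan2.isolate(client_a, host_a, "broadcast"),
        "host_to_a_broadcast": vlan2.isolate(host_a, client_a, "broadcast"),
    }


if __name__ == "__main__":
    for flow, isolated in run_sample().items():
        print(f"{flow}: {'isolated' if isolated else 'allowed'}")
```

Running the sample shows why the guide tells you to add the gateway first: with an empty permitted list every client-to-gateway unicast would come back as isolated, which is the network disruption the configuration section warns about.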

Configuring user isolation


Configuring user isolation
1. Select Security > User Isolation from the navigation tree.
2. Click Add.
The page for configuring user isolation appears.

Figure 652 Configuring user isolation

3. Configure user isolation as described in Table 191.


Table 191 Configuration items

Item | Description
VLAN ID | Specify the VLAN in which user isolation is enabled.
AccessMAC | Specify the MAC addresses to be permitted by the AC. For more information, see "After user isolation is enabled."
  • Enter a MAC address in the field next to the Add button.
  • Click Add to add the MAC address to the permitted MAC list.
  • To delete a MAC address from the list, select an entry and click Delete.
  IMPORTANT:
  • Broadcast or multicast MAC addresses cannot be specified as permitted MAC addresses.
  • Up to 16 permitted MAC addresses can be configured for one VLAN.

4. Click Apply.
To avoid network disruption caused by user isolation, add the MAC address of the gateway to the
permitted MAC address list, and then enable user isolation.
If you configure user isolation for a super VLAN, the configuration does not take effect on the sub-VLANs
in the super VLAN, and you must configure user isolation on the sub-VLANs if needed.

Displaying user isolation information


Select Security > User Isolation from the navigation tree to enter the page displaying user isolation
configuration summary.

Figure 653 Displaying user isolation summary

User isolation configuration example


Network requirements
As shown in Figure 654, isolate Client A, Client B, and Host A in VLAN 2 from one another while
allowing them to access the Internet. The MAC address of the gateway is 000f-e212-7788.
Figure 654 Network diagram

Configuration procedure
1. Configure wireless service:
For information about how to configure wireless service, see "Configuring access services."

2. Configure user isolation:
a. Select Security > User Isolation from the navigation tree.
b. Click Add.
c. On the page that appears, enter the VLAN ID 2, add MAC address 000f-e212-7788 to the
permitted MAC address list, and click Apply.
Figure 655 Configuring user isolation

Configuring authorized IP

The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients.
Only clients that pass the ACL filtering can access the device.
Before configuring authorized IP, you must create and configure the ACL. For ACL configuration, see
"Configuring QoS."
1. Select Security > Authorized IP from the navigation tree.
2. Click the Setup tab.
Figure 656 Configuring authorized IP

3. Configure authorized IP as described in Table 192.


Table 192 Configuration items

Item | Description
Telnet, IPv4 ACL | Select the IPv4 ACL to be associated with the Telnet service. Available IPv4 ACLs are what you configure on the page you enter by selecting QoS > ACL IPv4.
Telnet, IPv6 ACL | Select the IPv6 ACL to be associated with the Telnet service. Available IPv6 ACLs are what you configure on the page you enter by selecting QoS > ACL IPv6.
Web (HTTP), IPv4 ACL | Select the IPv4 ACL to be associated with the HTTP service. Available IPv4 ACLs are what you configure on the page you enter by selecting QoS > ACL IPv4.

4. Click Apply.

Configuring session management

This function is used to verify packets through transport layer protocols. The session management feature
tracks the status of connections by inspecting the transport layer protocol (TCP or UDP) information, and
performs unified status maintenance and management for all connections.
Basic session management settings include:
• Configuring whether to enable unidirectional traffic detection.
• Configuring a persistent session rule which is available only for TCP sessions in ESTABLISHED state.
• Setting aging times for the sessions in different protocol states, which are effective only for the
sessions that are being established.
• Setting aging times for the sessions of different application layer protocols, which are effective only
for the sessions in READY or ESTABLISHED state.

NOTE:
If too many sessions exist, for example, more than 800 thousand sessions, do not set small values for the
aging times of the sessions in different protocol states and of different application layer protocols.
Otherwise, the console will respond very slowly.

To configure the basic session management settings:


1. Select Security > Session table from the navigation tree, and click the Configuration tab.
The basic configuration page appears.

Figure 657 Session configuration

2. Configure basic settings as described in Table 193.

Table 193 Configuration items

Item | Description
Enable unidirectional traffic detection | Enable or disable unidirectional traffic detection.
  • When unidirectional traffic detection is enabled, the session management feature processes both the unidirectional and bidirectional traffic.
  • When unidirectional traffic detection is disabled, the session management feature processes only the bidirectional traffic.
ACL | Configure the persistent session rule according to the ID of an ACL. Only one ACL can be referenced as the persistent session rule, and the last referenced ACL takes effect. If no ACL is specified, persistent sessions are not allowed.
Session Aging Time | Set the aging time of persistent sessions. The value of 0 means that the persistent sessions will not be aged.
TCP Protocol, SYN_SENT State and SYN_RCV State Aging Time | Specify the SYN_SENT state and SYN_RCV state aging time for TCP.
TCP Protocol, FIN_WAIT State Aging Time | Specify the FIN_WAIT state aging time for TCP.
TCP Protocol, ESTABLISHED State Aging Time | Specify the ESTABLISHED state aging time for TCP.
UDP Protocol, OPEN State Aging Time | Specify the OPEN state aging time for UDP.
UDP Protocol, READY State Aging Time | Specify the READY state aging time for UDP.
ICMP Protocol, OPEN State Aging Time | Specify the OPEN state aging time for ICMP.
ICMP Protocol, CLOSED State Aging Time | Specify the CLOSED state aging time for ICMP.
Accelerate Queue, Accelerate Queue Aging Time | Specify the accelerate queue aging time.
RAWIP Protocol, OPEN State Aging Time | Specify the OPEN state aging time for RAW IP.
RAWIP Protocol, READY State Aging Time | Specify the READY state aging time for RAW IP.
DNS Session Aging Time | Specify the DNS session aging time.
FTP Session Aging Time | Specify the FTP session aging time.
MSN Session Aging Time | Specify the MSN session aging time.
QQ Session Aging Time | Specify the QQ session aging time.
SIP Session Aging Time | Specify the SIP session aging time.

Displaying session table information
1. Select Security > Session Table from the navigation tree, and click the Session Summary tab.
The session table appears.
Figure 658 Session table

Table 194 Field description

Field Description
Init Src IP Source IP address and port number of packets from the session initiator.
Init Dest IP Destination IP address and port number of packets from the session initiator.
Init VPN/VLAN/INLINE VPN to which the packets (from the initiator to responder) belong and the VLAN and INLINE to which the packets belong during Layer 2 forwarding.
Resp Src IP Source IP address and port number of packets from the session responder.
Resp Dest IP Destination IP address and port number of packets from the session responder.
Resp VPN/VLAN/INLINE VPN instance to which the packets (from the responder to initiator) belong and the VLAN and INLINE to which the packets belong during Layer 2 forwarding.
Protocol Transport layer protocol type or number.
Session Status Session status, including Accelerate, SYN, TCP-EST, FIN, UDP-OPEN, UDP-READY, ICMP-OPEN, ICMP-CLOSED, RAWIP-OPEN, and RAWIP-READY.
Lifetime(s) Remaining lifetime of the session.

2. Click the icon for the target session to display detailed information about the session.
Figure 659 Detailed information about a session

Table 195 Field description

Field Description
Protocol Transport layer protocol, which can be TCP, UDP, ICMP, or RAWIP.
State Session status:
• Accelerate.
• SYN.
• TCP-EST.
• FIN.
• UDP-OPEN.
• UDP-READY.
• ICMP-OPEN.
• ICMP-CLOSED.
• RAWIP-OPEN.
• RAWIP-READY.
TTL Remaining lifetime of the session.
Initiator: VD / ZONE / VPN / IP / PORT Initiator's virtual device/security zone/VPN instance/IP address/port number.
Responder: VD / ZONE / VPN / IP / PORT Responder's virtual device/security zone/VPN instance/IP address/port number.
----------> Session direction—From the initiator to responder.
<--------- Session direction—From the responder to initiator.
Packets Number of packets in the direction.
Bytes Number of bytes in the direction.

Configuring ACL and QoS

ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. You can also use ACLs in QoS, security, and other feature
modules to identify traffic. Whether matching packets are dropped or forwarded depends on the module
that uses the ACL.
ACLs include the following categories.

Category ACL number IP version Match criteria
WLAN ACLs 100 to 199 IPv4 and IPv6 SSID of a WLAN.
WLAN-AP ACLs 200 to 299 IPv4 and IPv6 MAC address and serial ID of a WLAN AP.
Basic ACLs 2000 to 2999 IPv4 Source IPv4 address.
Basic ACLs 2000 to 2999 IPv6 Source IPv6 address.
Advanced ACLs 3000 to 3999 IPv4 Source/destination IPv4 address, packet priority, protocols over IPv4, and other Layer 3 and Layer 4 header fields.
Advanced ACLs 3000 to 3999 IPv6 Source/destination IPv6 address, packet priority, protocols over IPv6, and other Layer 3 and Layer 4 header fields.
Ethernet frame header ACLs 4000 to 4999 IPv4 and IPv6 Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type.

For more information about ACL, see ACL and QoS Configuration Guide.

QoS overview
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to
meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving
services under certain conditions.
In the Internet, QoS refers to the ability of the network to forward packets. The QoS of a network can
be evaluated from different aspects because the network might provide various services.
Generally, QoS refers to the ability to provide improved service by solving the core issues such as delay,
jitter, and packet loss ratio in the packet forwarding process.

Traditional packet forwarding services


On traditional IP networks, devices treat all packets equally and handle them using the first in first out
(FIFO) policy. All packets share the resources of the network and devices. The amount of resources the
packets can obtain completely depends on the time they arrive. This service is called "best-effort." It

delivers packets to their destinations as best it can, without any guarantee for such issues as delay, jitter,
packet loss ratio, and reliability.
This service policy is only suitable for applications insensitive to bandwidth and delay, such as WWW,
file transfer and email.

New requirements from new applications


The Internet has been growing along with the fast development of networking technologies. More and
more users take the Internet as their data transmission platform to implement various applications.
Besides traditional applications such as WWW, email and FTP, network users are implementing new
services, such as tele-education, telemedicine, video telephone, videoconference and Video-on-Demand
(VoD). The enterprise users expect to connect their regional branches together through VPN technologies
to carry out operational applications (for example, to access the database of the company or to monitor
remote devices through Telnet).
These new applications have one thing in common: they all have special requirements for
bandwidth, delay, and jitter. For instance, videoconference and VoD need large bandwidth, low delay,
and low jitter. Mission-critical applications, such as transactions and Telnet, may not require large
bandwidth but require low delay and preferential service during congestion.
The new emerging applications require higher service performance of IP networks. Required network
services during packet forwarding include providing dedicated bandwidth, reducing packet loss ratio,
managing and avoiding congestion, regulating network traffic, and setting the precedence of packets.
To meet these requirements, networks must provide improved services.
For more information about QoS, see ACL and QoS Configuration Guide.

Configuration guidelines
When you configure an ACL and QoS, follow these guidelines:
• You cannot add an ACL rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you can choose to change just some of the settings, in which case
the other settings remain the same.
• When you configure rate limit and traffic policing for a behavior, make sure the ratio of CBS to CIR
is more than 100:16. Otherwise, the handling for bursty traffic might be affected.
• If an ACL is referenced by a QoS policy for defining traffic classification rules, the operation of the
QoS policy varies by interface (the definition of software/hardware interface varies with device
models). The specific process is as follows:
  ◦ If the QoS policy is applied to a software interface and the referenced ACL rule is a deny clause, the ACL rule does not take effect and packets go to the next classification rule.
  ◦ If the QoS policy is applied to a hardware interface, packets matching the referenced ACL rule are organized as a class and the behavior defined in the QoS policy applies to the class regardless of whether the referenced ACL rule is a deny or permit clause.
• If a QoS policy is applied in the outbound direction of a port, the QoS policy cannot influence local
packets. Local packets refer to the important protocol packets that maintain the normal operation of
the device. QoS must not process such packets to avoid packet drop. Commonly used local packets
include link maintenance packets, ISIS packets, OSPF packets, RIP packets, BGP packets, LDP packets,
RSVP packets, and SSH packets.

• When you configure queuing for a traffic behavior:
  ◦ In a policy, the total bandwidth assigned to the AF and EF classes cannot be greater than the available bandwidth of the interface to which the policy applies. The total bandwidth percentage assigned to the AF and EF classes cannot be greater than 100%.
  ◦ In the same policy, the same bandwidth unit must be used to configure bandwidth for AF classes and EF classes, either absolute bandwidth value or percent.

Configuring an ACL
Recommended ACL configuration procedures
Recommended IPv4 basic ACL configuration procedure
IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:

Step Remarks
1. Adding a time range Optional. A rule referencing a time range takes effect only during the specified time range.
2. Add an IPv4 basic ACL Required. For more information, see "Adding an ACL."
3. Configuring a rule for an IPv4 basic ACL Required.

Recommended IPv4 advanced ACL configuration procedure


IPv4 advanced ACLs match packets based on source IP addresses, destination IP addresses, packet
priorities, protocols over IP, and other protocol header information, such as TCP/UDP source and
destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
IPv4 advanced ACLs allow more flexible and accurate filtering than IPv4 basic ACLs.
To configure an IPv4 advanced ACL:

Step Remarks
1. Adding a time range Optional. A rule referencing a time range takes effect only during the specified time range.
2. Add an IPv4 advanced ACL Required. For more information, see "Adding an ACL."
3. Configuring a rule for an IPv4 advanced ACL Required.

Recommended Ethernet frame header ACL configuration procedure
Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol
header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),
and link layer protocol type.
To configure an Ethernet frame header ACL:

Step Remarks
1. Adding a time range Optional. A rule referencing a time range takes effect only during the specified time range.
2. Add an Ethernet frame header ACL Required. For more information, see "Adding an ACL."
3. Configuring a rule for an Ethernet frame header ACL Required.

Recommended WLAN-AP ACL configuration procedure


WLAN-AP ACLs match APs based on MAC addresses or serial IDs of APs.
To configure a WLAN-AP ACL:

Step Remarks
1. Adding a time range Optional. A rule referencing a time range takes effect only during the specified time range.
2. Add a WLAN-AP ACL Required. For more information, see "Adding an ACL."
3. Configuring a rule for a WLAN-AP ACL Required.

Recommended IPv6 basic ACL configuration procedure


IPv6 basic ACLs match packets based only on source IP addresses.
To configure an IPv6 basic ACL:

Step Remarks
1. Adding a time range Optional. A rule referencing a time range takes effect only during the specified time range.
2. Add an IPv6 basic ACL Required. For more information, see "Adding an IPv6 ACL."
3. Configuring a rule for an IPv6 basic ACL Required.

Recommended IPv6 advanced ACL configuration procedure
IPv6 advanced ACLs match packets based on the source IPv6 addresses, destination IPv6 addresses,
packet priorities, protocols carried over IPv6, and other protocol header fields such as the TCP/UDP
source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message
code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:

Step Remarks
1. Adding a time range Optional. A rule referencing a time range takes effect only during the specified time range.
2. Add an IPv6 advanced ACL Required. For more information, see "Adding an IPv6 ACL."
3. Configuring a rule for an IPv6 advanced ACL Required.

Adding a time range


You can implement ACL rules based on the time of day by applying a time range to them. A time-based
ACL rule only takes effect in any time periods specified by the time range.
To add a time range:
1. Select QoS > Time Range from the navigation tree.
2. Click the Add tab to enter the time range adding page.

Figure 660 Adding a time range

3. Configure the time range information, as described in Table 196.


4. Click Apply.
Table 196 Configuration items

Item Description
Time Range Name Set the name for the time range.
Periodic Time Range
• Start Time—Set the start time of the periodic time range.
• End Time—Set the end time of the periodic time range. The end time must be later than the start time.
• Sun, Mon, Tue, Wed, Thu, Fri, and Sat—Select the day or days of the week on which the periodic time range is valid. You can select any combination of the days of the week.
NOTE: These items are available after you select the Periodic Time Range option.
Absolute Time Range
• From—Set the start time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format.
• To—Set the end time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format. The end time must be later than the start time.
NOTE: These items are available after you select the Absolute Time Range option.

Adding an ACL
1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Add tab to enter the ACL adding page, as shown in Figure 661.
Figure 661 Adding an ACL

3. Configure the ACL information, as described in Table 197.


4. Click Apply.
Table 197 Configuration items

Item Description
ACL Number Set the number of the ACL.
• WLAN-AP ACL—200 to 299.
• IPv4 basic ACL—2000 to 2999.
• IPv4 advanced ACL—3000 to 3999.
• Ethernet frame header ACL—4000 to 4999.
For an IPv4 basic or advanced ACL, its ACL number and name must be unique in IPv4.
Match Order Set the match order of the ACL:
• Config—Packets are compared against ACL rules in the order that the rules are configured.
• Auto—Packets are compared against ACL rules in the depth-first match order.
Description Set the description for the ACL.

Configuring a rule for an IPv4 basic ACL
1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Basic Setup tab.
Figure 662 Configuring an IPv4 basic ACL

3. Configure an IPv4 basic ACL, as described in Table 198.


4. Click Add.
Table 198 Configuration items

Item Description
ACL Select the IPv4 basic ACL for which you want to configure rules. Available ACLs are IPv4 basic ACLs.
Rule ID Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
IMPORTANT: If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Action Select the action to be performed for IPv4 packets matching the rule:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Check Fragment Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
NOTE: Do not select this option for an AC, because an AC does not support fragmentation.
Check Logging Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
NOTE: Do not select this option for an AC, because an AC does not support logging.
Source IP Address, Source Wildcard Select the Source IP Address option, and enter a source IPv4 address and source wildcard, in dotted decimal notation.
Time Range Select the time range during which the rule takes effect.
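The time range, match order and basic ACL rule settings described in the three preceding tables can be exercised together in code. The following is an added example, not code from the HP guide or from the device: it models an IPv4 basic ACL with source/wildcard matching, periodic and absolute time ranges, config versus auto (depth-first) match order, and the rule ID reuse and duplicate statement behavior stated in the guidelines above. Assumptions, all the example's own: config order is represented by ascending rule ID, depth-first order places the rule with the most fixed (zero) wildcard bits first, a time range is active only when all of its configured parts hold, and every class and function name here is invented for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class TimeRange:
    """Periodic part: days of the week (Mon=0 .. Sun=6) plus a start/end time of day.
    Absolute part: a from/to window. Either part may be absent. Assumption (not on
    the page): the range is active only when every configured part holds."""
    days: FrozenSet[int] = frozenset()
    start: Optional[time] = None
    end: Optional[time] = None
    frm: Optional[datetime] = None
    to: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        if self.frm is not None and now < self.frm:
            return False
        if self.to is not None and now > self.to:
            return False
        if self.start is not None:
            if self.end is None or self.end <= self.start:
                raise ValueError("end time must be later than start time")
            if now.weekday() not in self.days:
                return False
            if not (self.start <= now.time() < self.end):
                return False
        return True


@dataclass(frozen=True)
class BasicRule:
    rule_id: int
    action: str                   # "permit" or "deny"
    src: str                      # source IPv4 address, dotted decimal
    wildcard: str                 # source wildcard; a 1 bit means "don't care"
    time_range: Optional[TimeRange] = None

    def statement(self) -> Tuple:
        # The permit/deny statement without its rule ID (for the duplicate check).
        return (self.action, self.src, self.wildcard, self.time_range)

    def fixed_bits(self) -> int:
        # Number of 0 bits in the wildcard, i.e. how specific the rule is.
        return 32 - bin(int(IPv4Address(self.wildcard))).count("1")

    def matches(self, src_ip: str, now: datetime) -> bool:
        # A rule whose time range is inactive does not take effect.
        if self.time_range is not None and not self.time_range.active(now):
            return False
        care = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(IPv4Address(src_ip)) & care) == (int(IPv4Address(self.src)) & care)


@dataclass
class BasicAcl:
    number: int                    # IPv4 basic ACLs are numbered 2000 to 2999
    match_order: str = "config"    # "config" or "auto"
    rules: List[BasicRule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 2000 <= self.number <= 2999:
            raise ValueError("IPv4 basic ACL number must be 2000 to 2999")

    def add_rule(self, rule: BasicRule) -> None:
        # Guideline: a rule may not repeat the statement of another rule in the ACL.
        for other in self.rules:
            if other.rule_id != rule.rule_id and other.statement() == rule.statement():
                raise ValueError(f"rule {other.rule_id} already has this statement")
        # Reusing an existing rule ID modifies that rule instead of adding a new one.
        self.rules = [r for r in self.rules if r.rule_id != rule.rule_id] + [rule]

    def ordered_rules(self) -> List[BasicRule]:
        if self.match_order == "config":
            # Config order, represented here by ascending rule ID (assumption).
            return sorted(self.rules, key=lambda r: r.rule_id)
        # Auto (depth-first): most specific rule first, then rule ID (assumption).
        return sorted(self.rules, key=lambda r: (-r.fixed_bits(), r.rule_id))

    def lookup(self, src_ip: str, now: datetime) -> Optional[Tuple[int, str]]:
        """Return (rule ID, action) of the first rule that matches, or None."""
        for rule in self.ordered_rules():
            if rule.matches(src_ip, now):
                return (rule.rule_id, rule.action)
        return None


# Constructed sample: office hours Monday to Friday, 09:00 to 18:00.
WORK_HOURS = TimeRange(days=frozenset(range(5)), start=time(9, 0), end=time(18, 0))
WEDNESDAY_10AM = datetime(2014, 4, 16, 10, 0)   # inside WORK_HOURS
SUNDAY_10AM = datetime(2014, 4, 20, 10, 0)      # outside WORK_HOURS


def build_acl(match_order: str) -> BasicAcl:
    """ACL 2001 with three constructed rules; only the match order varies."""
    acl = BasicAcl(2001, match_order)
    acl.add_rule(BasicRule(0, "permit", "10.1.0.0", "0.0.255.255"))
    acl.add_rule(BasicRule(5, "deny", "10.1.2.0", "0.0.0.255", WORK_HOURS))
    acl.add_rule(BasicRule(10, "deny", "0.0.0.0", "255.255.255.255"))
    return acl
```

With config order, a packet from 10.1.2.7 hits the broad permit in rule 0 first; with auto order, the more specific rule 5 is compared first and denies it during work hours only.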

Configuring a rule for an IPv4 advanced ACL


1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Advanced Setup tab.

Figure 663 Configuring an IPv4 advanced ACL

3. Configure an IPv4 advanced ACL rule, as described in Table 199.


4. Click Add.

Table 199 Configuration items

Item Description
ACL Select the IPv4 advanced ACL for which you want to configure rules. Available ACLs are IPv4 advanced ACLs.
Rule ID Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
IMPORTANT: If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Action Select the action to be performed for IPv4 packets matching the rule:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Non-First Fragments Only Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
NOTE: Do not select this option for an AC, because an AC does not support fragmentation.
Logging Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
NOTE: Do not select this option for an AC, because an AC does not support logging.
IP Address Filter
• Source IP Address, Source Wildcard: Select the Source IP Address option, and enter a source IPv4 address and source wildcard, in dotted decimal notation.
• Destination IP Address, Destination Wildcard: Select the Destination IP Address option, and enter a destination IP address and destination wildcard, in dotted decimal notation.
Protocol Select the protocol to be carried by IP. If you select 1 ICMP, you can configure the ICMP message type and code; if you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.
ICMP Type
• ICMP Message, ICMP Type, ICMP Code: Specify the ICMP message type and code. These items are available only when you select 1 ICMP from the Protocol list. If you select Other from the ICMP Message list, you must enter values in the ICMP Type and ICMP Code fields. Otherwise, the two fields will take the default values, which cannot be changed.
TCP Connection Established Select this option to make the rule match packets used for establishing and maintaining TCP connections. This item is available only when you select 6 TCP from the Protocol list.
TCP/UDP Port
• Source Port (Operation, Port - Port) and Destination Port (Operation, Port - Port): Select the operations, and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list. Different operations have different configuration requirements for the port number fields:
  ◦ Not Check—The following port number fields cannot be configured.
  ◦ Range—The following port number fields must be configured to define a port range.
  ◦ Other values—The first port number field must be configured and the second port number field must not.
Precedence Filter
• DSCP: Specify the DSCP value.
• TOS: Specify the ToS preference.
• Precedence: Specify the IP precedence.
Time Range Select the time range during which the rule takes effect.

Configuring a rule for an Ethernet frame header ACL


1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Link Setup tab.

Figure 664 Configuring a rule for an Ethernet frame header ACL

3. Configure an Ethernet frame header ACL rule, as described in Table 200.


4. Click Add.
Table 200 Configuration items

Item Description
ACL Select the Ethernet frame header ACL for which you want to configure rules. Available ACLs are Ethernet frame header ACLs.
Rule ID Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
IMPORTANT: If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Action Select the action to be performed for Layer 2 frames matching the rule:
• Permit—Allows matched frames to pass.
• Deny—Drops matched frames.
MAC Address Filter
• Source MAC Address, Source Mask: Select the Source MAC Address option and enter a source MAC address and wildcard.
• Destination MAC Address, Destination Mask: Select the Destination MAC Address option and enter a destination MAC address and wildcard.
COS(802.1p priority) Specify the 802.1p priority for the rule.
Type Filter
• LSAP Type, LSAP Mask: Select the LSAP Type option and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items:
  ◦ LSAP Type—Frame encapsulation format.
  ◦ LSAP Mask—LSAP wildcard.
• Protocol Type, Protocol Mask: Select the Protocol Type option and specify the link layer protocol type by configuring the following items:
  ◦ Protocol Type—Frame type. It corresponds to the type-code field of Ethernet_II and Ethernet_SNAP frames.
  ◦ Protocol Mask—Wildcard.
TIP: The AC does not support the LSAP Type or Protocol Type option. They do not take effect after being configured.
Time Range Select the time range during which the rule takes effect.

Configuring a rule for a WLAN-AP ACL


1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Wlan Setup tab.
Figure 665 Configuring a WLAN-AP ACL

3. Configure a WLAN-AP ACL rule as described in Table 201.

4. Click Add.
Table 201 Configuration items

Item Description
ACL Select the WLAN-AP ACL for which you want to configure rules.
Rule ID Specify an ID for the rule. If you do not specify the rule ID, the system will assign one automatically. If the rule ID you specify already exists, the following operations modify the configuration of the rule.
Action Select the action to be performed for APs matching the rule:
• Permit—Allows matched APs.
• Deny—Drops matched APs.
MAC address, MAC Mask Set the MAC address range of APs.
Serial ID Set the serial ID of an AP.

Adding an IPv6 ACL


1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Add tab.
Figure 666 Adding an IPv6 ACL

3. Configure the IPv6 ACL information, as described in Table 202.


4. Click Apply.

Table 202 Configuration items

Item Description
ACL Number Enter a number for the IPv6 ACL.
• IPv6 basic ACL—2000 to 2999.
• IPv6 advanced ACL—3000 to 3999.
For an IPv6 basic or advanced ACL, its ACL number and name must be unique in IPv6.
Match Order Select a match order for the ACL:
• Config—Packets are compared against ACL rules in the order the rules are configured.
• Auto—Packets are compared against ACL rules in the depth-first match order.
Description Set the description for the ACL.

Configuring a rule for an IPv6 basic ACL


1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Basic Setup tab.
Figure 667 Configuring a rule for an IPv6 basic ACL

3. Configure the IPv6 basic ACL rule information, as described in Table 203.
4. Click Add.

Table 203 Configuration items

Item Description
Select Access Control List (ACL) Select the IPv6 basic ACL for which you want to configure rules. Available ACLs are IPv6 basic ACLs.
Rule ID Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
IMPORTANT: If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Operation Select the operation to be performed for IPv6 packets matching the rule:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Check Fragment Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
NOTE: Do not select this option for an AC, because an AC does not support fragmentation.
Check Logging Select this option to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
NOTE: Do not select this option for an AC, because an AC does not support logging.
Source IP Address, Source Prefix Select the Source IP Address option, and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by a colon (:).
Time Range Select the time range during which the rule takes effect.

Configuring a rule for an IPv6 advanced ACL


1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Advanced Setup tab.

Figure 668 Configuring a rule for an IPv6 advanced ACL

3. Configure the IPv6 advanced ACL rule information, as described in Table 204.
4. Click Add.
Table 204 Configuration items

Item Description
Select Access Control List (ACL) Select the IPv6 advanced ACL for which you want to configure rules. Available ACLs are IPv6 advanced ACLs.
Rule ID Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
IMPORTANT: If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Operation Select the operation to be performed for IPv6 packets matching the rule:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Check Fragment Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
NOTE: Do not select this option for an AC, because an AC does not support fragmentation.
Check Logging Select this option to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
NOTE: Do not select this option for an AC, because an AC does not support logging.
IP Address Filter
• Source IP Address, Source Prefix: Select the Source IP Address option, and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by a colon (:).
• Destination IP Address, Destination Prefix: Select the Destination IP Address option, and enter a destination IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by a colon (:).
Protocol Select the protocol to be carried by IP. If you select 58 ICMPv6, you can configure the ICMPv6 message type and code. If you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.
ICMPv6 Type
• Named ICMPv6 Type, ICMPv6 Type, ICMPv6 Code: Specify the ICMPv6 message type and code. These items are available only when you select 58 ICMPv6 from the Protocol list. If you select Other from the Named ICMPv6 Type list, you must enter values in the ICMPv6 Type and ICMPv6 Code fields. Otherwise, the two fields will take the default values, which cannot be changed.
TCP/UDP Port
• Source Port (Operator, Port, To Port) and Destination Port (Operator, Port, To Port): Select the operators, and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list. Different operators have different configuration requirements for the port number fields:
  ◦ Not Check—The following port number fields cannot be configured.
  ◦ Range—The following port number fields must be configured to define a port range.
  ◦ Other values—The first port number field must be configured and the second must not.
Time Range Select the time range during which the rule takes effect.

Configuring rate limit


Rate limit uses token buckets to control traffic. The rate limit of a physical interface specifies the maximum
rate for forwarding packets (including critical packets). Rate limit can limit all the packets passing a
physical interface.
To configure rate limit:
1. Select QoS > Line rate from the navigation tree.
2. Click the Setup tab.

Figure 669 Configuring rate limit on a port

3. Configure rate limit, as described in Table 205.


4. Click Apply.
Table 205 Configuration items

Item Description
Please select an interface type Select the types of interfaces to be configured with rate limit. The interface types available for selection depend on your device model.
Rate Limit Select Enable or Disable to enable or disable rate limit on the specified port.
Direction Select a direction to which the rate limit is to be applied:
• Inbound—Limits the rate of packets received by the specified port.
• Outbound—Limits the rate of packets sent by the specified port.
CIR Set the committed information rate (CIR), the average traffic rate.
CBS Set the committed burst size (CBS), the number of bits that can be sent in each interval.
EBS Set the excess burst size (EBS). This configuration item is not supported.
Please select port(s) Specify the ports to be configured with rate limit. Click the ports to be configured with rate limit in the port list. You can select one or more ports.
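The token bucket behind rate limit, as an added example that is not code from the HP guide or the device: tokens accrue at CIR up to a depth of CBS, and a packet is forwarded only when the bucket holds enough tokens for it, which is why the same average rate passes when paced but loses most of a burst when CBS is small. The cbs_ratio_ok check encodes the 100:16 guideline from the configuration guidelines above and assumes it compares the CIR and CBS values as entered; the class and function names and the sample traffic are the example's own.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RateLimiter:
    """Single token bucket as used by interface rate limit: tokens are added at CIR
    and accumulate up to CBS; a packet is forwarded only if the bucket holds enough
    tokens for its size, otherwise it is dropped."""
    cir_kbps: int                       # CIR: average rate, in kbps
    cbs_bits: int                       # CBS: bucket depth, in bits
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs_bits)      # the bucket starts full

    def forward(self, now: float, size_bytes: int) -> bool:
        """Return True if the packet conforms and is forwarded, False if dropped."""
        # Refill for the time elapsed since the previous packet, capped at CBS.
        refill = (now - self.last_time) * self.cir_kbps * 1000
        self.tokens = min(float(self.cbs_bits), self.tokens + refill)
        self.last_time = now
        needed = size_bytes * 8
        if self.tokens >= needed:
            self.tokens -= needed
            return True
        return False


def cbs_ratio_ok(cir: int, cbs: int) -> bool:
    """Guideline from this guide: the ratio of CBS to CIR should be more than
    100:16, otherwise the handling of bursty traffic might be affected.
    Assumption: the guideline compares the configured values as entered."""
    return cbs * 16 > cir * 100


def count_forwarded(limiter: RateLimiter, packets: List[Tuple[float, int]]) -> int:
    """Run (arrival time in seconds, size in bytes) pairs through the limiter."""
    return sum(1 for arrival, size in packets if limiter.forward(arrival, size))


# Constructed traffic: ten 1500-byte packets (12000 bits each) at 1000 kbps CIR.
BURST = [(0.0, 1500)] * 10                       # all arrive at the same instant
PACED = [(i * 0.02, 1500) for i in range(10)]    # 600 kbps average, below CIR

if __name__ == "__main__":
    print(count_forwarded(RateLimiter(1000, 20000), BURST))    # small CBS: 1 forwarded
    print(count_forwarded(RateLimiter(1000, 200000), BURST))   # larger CBS: 10 forwarded
    print(count_forwarded(RateLimiter(1000, 20000), PACED))    # paced traffic: 10 forwarded
```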

Configuring the priority trust mode of a port
Priority mapping overview
When a packet enters a device, the device assigns a set of QoS priority parameters to the packet based
on a certain priority field carried in the packet and sometimes might modify its priority, according to
certain rules depending on device status. This process is called "priority mapping". The set of QoS
priority parameters decides the scheduling priority and forwarding priority of the packet.
The device provides various types of priority mapping tables, or rather, priority mappings. By looking up
a priority mapping table, the device decides which priority value is to assign to a packet for subsequent
packet processing.
You can configure priority mapping by configuring trusting packet priority or trusting port priority.
• If packet priority is trusted, the device uses the specified priority field of the incoming packet to look
up the priority mapping tables for the set of QoS priority parameters to assign to the packet. Note
that, if a received packet does not carry the specified priority field, the device uses the port priority
to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet.
• If port priority is trusted, the device uses the port priority rather than packet priority to look up the
priority mapping tables for the set of QoS priority parameters to assign to the packet.

Configuring priority mapping


Two methods are available for you to configure the priority trust mode on a port for priority mapping:
• By using the first method, you can configure a port to use the 802.1p or 802.11e priority carried in
received packets for priority mapping. This method is supported for the WLAN-ESS interface in
addition to other types of interface.
• By using the second method, more options are available. In addition, you can change port priority
(local precedence) of a port for priority mapping. This method is not supported on the WLAN-ESS
interface.

Configuring the trust mode


1. Select QoS > Trust Mode from the navigation tree.

Figure 670 Configuring priority trust mode

2. Configure the priority trust mode of the interfaces, as described in Table 206.
3. Click Apply.
Table 206 Configuration items

Item Description
Please select the interface type Select the type of the ports to be configured. The interface types available for selection depend on your device model.
IMPORTANT: If a WLAN-ESS interface in use has WLAN-DBSS interfaces created on it, its priority cannot be modified. To modify the priority of the WLAN-ESS interface, you must stop the service the interface provides (make the current users on the interface offline).
Trust Mode Select the priority trust mode:
• Dot1p—Uses the 802.1p priority of received packets for mapping.
• Dscp—Uses the DSCP value of received packets for mapping.
• Dot11e—Uses the 802.11e priority of received packets for mapping. This option is applicable to only WLAN-ESS interfaces.
IMPORTANT: Support for priority trust modes depends on the interface type. The supported priority trust modes are shown in the Trust Mode list.
(Select the ports) Specify the ports to be configured. Click the ports to be configured in the port list. You can select one or more ports.

Configuring the port priority


1. Select QoS > Port Priority from the navigation tree.
Figure 671 Port priority

2. Click the icon for a port to enter the page for configuring the priority and priority trust mode of
the port.
Figure 672 Modifying the port priority

3. Set the port priority, as described in Table 207.


4. Click Apply.
Table 207 Configuration items

Interface Name
  Name of the interface to be configured.

Priority
  Set the local precedence value for the port.
  Local precedence is allocated by the device and has only local significance. A local
  precedence value corresponds to an output queue. A packet with higher local
  precedence is assigned to a higher priority output queue to be preferentially
  scheduled.

Trust Mode
  Set the priority trust mode of the port:
  • Untrust—Uses the port priority rather than a packet priority value for priority
    mapping.
  • Dot1p—Uses the 802.1p priority of received packets for priority mapping.
  • DSCP—Uses the DSCP value of received packets for priority mapping.
  IMPORTANT: Support for priority trust modes depends on the interface type.
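As an added illustration (not code from this guide or from the device software), the following Python model applies the trust-mode rules of Tables 206 and 207 to a received packet: a trusted packet field is used when it is present, the port priority is used when that field is absent or the mode is Untrust, and the result is looked up to obtain a local precedence. The mapping tables and the Packet fields are constructed assumptions; the device's own mapping tables are not shown on this page.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed mapping tables (assumptions for this example, not the device's defaults).
# Local precedence is 0..7; each value selects one output queue.
DOT1P_TO_LP = {p: p for p in range(8)}        # 802.1p priority 0..7
DOT11E_TO_LP = {p: p for p in range(8)}       # 802.11e user priority 0..7
DSCP_TO_LP = {d: d // 8 for d in range(64)}   # DSCP 0..63 collapsed to its class selector

@dataclass
class Packet:
    """Priority fields a received frame may or may not carry (constructed)."""
    dot1p: Optional[int] = None     # absent on untagged Ethernet frames
    dscp: Optional[int] = None      # absent for non-IP traffic
    dot11e: Optional[int] = None    # absent for non-WMM 802.11 frames

def mapping_key(trust_mode: str, pkt: Packet, port_priority: int) -> Tuple[str, int]:
    """Pick the (table, value) the device looks up for this packet.

    "untrust" always uses the port priority; "dot1p", "dscp" and "dot11e" use the
    matching packet field and fall back to the port priority when the field is absent.
    """
    mode = trust_mode.lower()
    if mode == "untrust":
        return ("port", port_priority)
    fields = {"dot1p": pkt.dot1p, "dscp": pkt.dscp, "dot11e": pkt.dot11e}
    if mode not in fields:
        raise ValueError(f"unknown trust mode {trust_mode!r}")
    value = fields[mode]
    if value is None:
        return ("port", port_priority)       # trusted field missing: port priority instead
    return (mode, value)

def local_precedence(trust_mode: str, pkt: Packet, port_priority: int) -> int:
    """Resolve the local precedence (output queue) assigned to a received packet."""
    if not 0 <= port_priority <= 7:
        raise ValueError("port priority must be 0..7")
    table, key = mapping_key(trust_mode, pkt, port_priority)
    if table == "port":
        return port_priority                 # port priority is itself a local precedence
    lookup = {"dot1p": DOT1P_TO_LP, "dscp": DSCP_TO_LP, "dot11e": DOT11E_TO_LP}[table]
    if key not in lookup:
        raise ValueError(f"{table} value {key} is out of range")
    return lookup[key]

if __name__ == "__main__":
    voice = Packet(dot1p=5, dscp=46)   # constructed: tagged, EF-marked voice frame
    untagged = Packet(dscp=46)         # constructed: same DSCP, no 802.1Q tag
    print(local_precedence("dot1p", voice, port_priority=0))     # 5
    print(local_precedence("dot1p", untagged, port_priority=0))  # 0: no tag, so port priority
    print(local_precedence("dscp", untagged, port_priority=0))   # 5: DSCP 46 // 8
    print(local_precedence("untrust", voice, port_priority=2))   # 2: packet marking ignored
```

Trusting 802.1p or DSCP on a client-facing port lets the sender choose its own output queue; Untrust pins all traffic on that port to the configured port priority.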

Configuring a QoS policy


A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic
shaping or traffic policing. Before configuring a QoS policy, be familiar with these concepts: class, traffic
behavior, and policy.

Class
Classes identify traffic.
A class is identified by a class name and contains some match criteria for identifying traffic. The
relationship between the criteria can be:
• AND—A packet is considered belonging to a class only when the packet matches all the criteria in
the class.
• OR—A packet is considered belonging to a class if it matches any of the criteria in the class.

Traffic behavior
A traffic behavior, identified by a name, defines a set of QoS actions for packets.

Policy
A policy associates a class with a traffic behavior to define what actions to take on which class of traffic.
You can define multiple class-traffic behavior associations in a policy.
You can apply a policy to a port to regulate traffic sent or received on the port. A QoS policy can be
applied to multiple ports, but in one direction (inbound or outbound) of a port, only one QoS policy can
be applied.

QoS policy configuration procedure

1. Adding a class
   Required. Add a class and specify the operation of the class.

2. Configuring traffic classification rules
   Required. Configure match criteria for the class.

3. Adding a traffic behavior
   Required. Add a traffic behavior.

4. Configuring actions for a traffic behavior
   Use either method. Configure various actions for the traffic behavior.

5. Adding a policy
   Required. Add a policy.

6. Configuring classifier-behavior associations for the policy
   Required. Associate a traffic behavior with a class in the QoS policy.
   You can associate a class with only one traffic behavior in a QoS policy. If a class
   is associated with multiple traffic behaviors, the last associated one takes effect.

7. Apply the policy:
   • Applying a policy to a port
   • Applying a QoS policy to a WLAN service
   Use either method. Apply the QoS policy to a port or a WLAN service.

Adding a class
1. Select QoS > Classifier from the navigation tree.
2. Click the Add tab.

Figure 673 Adding a class

3. Configure the class information, as described in Table 208.


4. Click Add.
Table 208 Configuration items

Classifier Name
  Specify a name for the classifier to be added.

Operation
  Specify the logical relationship between rules of the classifier:
  • And—Specifies the relationship between the rules in a class as logic AND. The
    device considers a packet belongs to a class only when the packet matches all the
    rules in the class.
  • Or—Specifies the relationship between the rules in a class as logic OR. The device
    considers a packet belongs to a class as long as the packet matches one of the
    rules in the class.

Configuring traffic classification rules


1. Select QoS > Classifier from the navigation tree.
2. Click the Setup tab.

Figure 674 Configuring classification rules

3. Configure classification rules, as described in Table 209.


4. Click Apply.
A progress dialog box appears.
5. Click Close when the progress dialog box prompts that the configuration succeeds.

Table 209 Configuration items

Please select a classifier
  Select an existing classifier in the list.

Any
  Define a rule to match all packets.
  Select the option to match all packets.

DSCP
  Define a rule to match DSCP values.
  If multiple rules are configured for a class, the new configuration does not
  overwrite the previous.
  You can configure up to eight DSCP values at a time. If multiple identical DSCP
  values are specified, the system considers them as a single value. The
  relationship between different DSCP values is OR. After configuration, all the
  DSCP values are arranged in ascending order automatically.

IP Precedence
  Define a rule to match IP precedence values.
  If multiple rules are configured for a class, the new configuration does not
  overwrite the previous.
  You can configure up to eight IP precedence values at a time. If multiple
  identical IP precedence values are specified, the system considers them as a
  single value. The relationship between different IP precedence values is OR.
  After configuration, all the IP precedence values are arranged in ascending
  order automatically.

Classifier
  Define a rule to match a QoS class.
  TIP: This configuration item is not supported.

Inbound Interface
  Define a rule to match inbound interfaces.
  TIP: This configuration item is not supported.

RTP Port
  Define a rule to match a range of RTP ports.
  Specify the start port in the from field and the end port in the to field.
  TIP: This configuration item is not supported.

Dot1p / Service 802.1p
  Define a rule to match the service 802.1p precedence values.
  If multiple rules are configured for a class, the new configuration does not
  overwrite the previous.
  You can configure up to eight Dot1p values at a time. If multiple identical Dot1p
  values are specified, the system considers them as a single value. The
  relationship between different Dot1p values is OR. After configuration, all the
  Dot1p values are arranged in ascending order automatically.
  TIP: This configuration item is not supported.

Dot1p / Customer 802.1p
  Define a rule to match the customer 802.1p precedence values.
  If multiple rules are configured for a class, the new configuration does not
  overwrite the previous.
  You can configure up to eight Dot1p values at a time. If multiple identical Dot1p
  values are specified, the system considers them as a single value. The
  relationship between different Dot1p values is OR. After configuration, all the
  Dot1p values are arranged in ascending order automatically.

MAC / Source MAC
  Define a rule to match a source MAC address.
  If multiple rules are configured for a class, the new configuration does not
  overwrite the previous.
  A rule to match a source MAC address is significant only to Ethernet interfaces.

MAC / Destination MAC
  Define a rule to match a destination MAC address.
  If multiple rules are configured for a class, the new configuration does not
  overwrite the previous.
  A rule to match a destination MAC address is significant only to Ethernet
  interfaces.

VLAN / Service VLAN
  Define a rule to match service VLAN IDs.
  If multiple rules are configured for a class, the new configuration does not
  overwrite the previous.
  You can configure multiple VLAN IDs at a time. If the same VLAN ID is specified
  multiple times, the system considers them as a single value. The relationship
  between different VLAN IDs is logical OR. You can specify VLAN IDs by using
  one of the following methods:
  • Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the
    range is not limited.
  • Specify a combination of individual VLAN IDs and VLAN ID ranges, such as
    3, 5-7, 10. You can specify up to eight VLAN IDs.
  TIP: This configuration item is not supported.

VLAN / Customer VLAN
  Define a rule to match customer VLAN IDs.
  If multiple rules are configured for a class, the new configuration does not
  overwrite the previous.
  You can configure multiple VLAN IDs at a time. If the same VLAN ID is specified
  multiple times, the system considers them as a single value. The relationship
  between different VLAN IDs is logical OR. You can specify VLAN IDs in two
  ways:
  • Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the
    range is not limited.
  • Specify a combination of individual VLAN IDs and VLAN ID ranges, such as
    3, 5-7, 10. You can specify up to eight VLAN IDs in this way.

ACL / ACL IPv4
  Define an IPv4 ACL-based rule.

ACL / ACL IPv6
  Define an IPv6 ACL-based rule.

Adding a traffic behavior
1. Select QoS > Behavior from the navigation tree.
2. Click the Add tab.
3. Set the traffic behavior name.
4. Click Add.
Figure 675 Adding a traffic behavior

Configuring actions for a traffic behavior


1. Select QoS > Behavior from the navigation tree.
2. Click the Setup tab.

Figure 676 Setting a traffic behavior

3. Configure the traffic behavior actions, as described in Table 210.


4. Click Apply.
A progress dialog box appears.
5. Click Close when the progress dialog box prompts that the configuration succeeds.
Table 210 Configuration items

Please select a behavior
  Select an existing behavior in the list.

CAR / Enable/Disable
  Enable or disable CAR.

CAR / CIR
  Set the committed information rate (CIR), the average traffic rate.

CAR / CBS
  Set the committed burst size (CBS), number of bits that can be sent
  in each interval.

CAR / Red
  Set the action to perform for exceeding packets.
  After selecting the Red option, you can select one of the following
  options:
  • Discard—Drops the exceeding packet.
  • Pass—Permits the exceeding packet to pass through.
  • Remark DSCP Pass—Resets the DSCP value for the exceeding
    packet and then sends it.

Remark / IP Precedence
  Configure the action of marking IP precedence for packets.
  Select the IP Precedence option and then select the IP precedence
  value to be marked for packets in the following list. Select Not Set to
  cancel the action of marking IP precedence.
  TIP: This configuration item is not supported.

Remark / Dot1p
  Configure the action of marking 802.1p precedence for packets.
  Select the Dot1p option and then select the 802.1p precedence
  value to be marked for packets in the following list. Select Not Set to
  cancel the action of marking 802.1p precedence.

Remark / Local Precedence
  Configure the action of marking local precedence for packets.
  Select the Local Precedence option and then select the local
  precedence value to be marked for packets in the following list.
  Select Not Set to cancel the action of marking local precedence.

Remark / DSCP
  Configure the action of marking DSCP values for packets.
  Select the DSCP option and then select the DSCP value to be marked
  for packets in the following list. Select Not Set to cancel the action of
  marking DSCP values.
  TIP: This configuration item is not supported.

Queue / EF / Max Bandwidth
  Configure the maximum bandwidth for Expedited Forwarding (EF).

Queue / EF / CBS
  Configure the CBS for EF.

Queue / EF / Percent
  Configure the percent of available bandwidth for EF.

Queue / EF / CBS-Ratio
  Configure the ratio of CBS to CIR for EF.

Queue / AF / Min Bandwidth
  Configure the minimum guaranteed bandwidth for Assured Forwarding (AF).

Queue / AF / Percent
  Configure the percent of available bandwidth for AF.

Queue / WFQ
  Configure WFQ for the default class by entering the total number of fair queues, which
  must be the power of two.

  TIP: These Queue configuration items are not supported.

Filter
  Configure the packet filtering action.
  After selecting the Filter option, select one item in the following list:
  • Permit—Forwards the packet.
  • Deny—Drops the packet.
  • Not Set—Cancels the packet filtering action.

Accounting
  Configure the traffic accounting action.
  Select the Accounting option and select Enable or Disable in the
  following list to enable/disable the traffic accounting action.
  TIP: This configuration item is not supported.

Adding a policy
1. Select QoS > QoS Policy from the navigation tree.
2. Click the Add tab.
3. Set the policy name.
4. Click Add.
Figure 677 Adding a policy

Configuring classifier-behavior associations for the policy


1. Select QoS > QoS Policy from the navigation tree.
2. Click the Setup tab.

Figure 678 Setting a policy

3. Configure classifier-behavior associations, as described in Table 211.


4. Click Apply.
Table 211 Configuration items

Please select a policy
  Select an existing policy in the list.

Classifier Name
  Select an existing classifier in the list.

Behavior Name
  Select an existing behavior in the list.

Applying a policy to a port


1. Select QoS > Port Policy from the navigation tree.
2. Click the Setup tab.

Figure 679 Applying a policy to a port

3. Select a policy and apply the policy to the specified ports, as described in Table 212.
4. Click Apply.
Table 212 Configuration items

Please select a policy
  Select an existing policy in the list.

Direction
  Set the direction in which you want to apply the policy:
  • Inbound—Applies the policy to the incoming packets of the specified ports.
  • Outbound—Applies the policy to the outgoing packets of the specified ports.

Please select port(s)
  Click the ports to which the QoS policy is to be applied in the port list. You can select
  one or more ports.

Applying a QoS policy to a WLAN service


1. Select QoS > Service Policy from the navigation tree.

Figure 680 Service policy

2. Click the icon for a wireless service.


Figure 681 Service policy setup

3. Apply the policy to the wireless service, as described in Table 213.


4. Click Apply.
Table 213 Configuration items

WLAN ID
  Display the selected WLAN ID.

WLAN Service
  Display the specified WLAN service to which you want to apply a QoS policy.

Inbound Policy
  Apply the QoS policy to the packets received by the wireless service.

Outbound Policy
  Apply the QoS policy to the packets sent by the wireless service.

Trust Mode
  Set the priority trust mode:
  • Untrust—Trusts the port priority.
  • Dscp—Uses the DSCP values of received packets for mapping.
  • 802.11e—Uses the 802.11e priority of received 802.11 packets for mapping.

QoS Priority
  Set the local precedence value.

ACL and QoS configuration example


Network requirements
As shown in Figure 682, in the WLAN, the FTP server (10.1.1.1/24) is connected to the AC (SSID:
service1), and the wireless clients are connected to the AC through APs and a Layer 2 switch and access
the network resources.
Configure an ACL and a QoS policy on the AC to prohibit the wireless clients from accessing the FTP
server from 8:00 to 18:00 every day:
1. Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
2. Configure a QoS policy to drop the packets matching the ACL.
3. Apply the QoS policy in the inbound direction of the wireless service named service1.
Figure 682 Network diagram
(Diagram: wireless clients associate with AP 1 and AP 2, both providing SSID service1; the APs connect
through an L2 Switch to the AC, and the FTP server 10.1.1.1/24 is attached to the AC.)
Configuration procedure
Before performing the following configurations, make sure the AC has been configured with wireless
service service1. For more information about the wireless service configuration, see "Configuring access
services."
1. Define a time range to cover the time range from 8:00 to 18:00 every day:

a. Select QoS > Time Range from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 683, enter the time range name test-time, select the Periodic
Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and select the
options Sun through Sat.
d. Click Apply.
Figure 683 Defining a time range covering 8:00 to 18:00 every day

2. Add an IPv4 advanced ACL:


a. Select QoS > ACL IPv4 from the navigation tree.
b. Click the Add tab.
c. Enter the ACL number 3000.
d. Click Apply.

Figure 684 Adding an IPv4 advanced ACL

3. Define an ACL rule for traffic to the FTP server:


a. Click the Advanced Setup tab.
b. On the page as shown in Figure 685, select 3000 in the ACL list, select the Rule ID option, and
enter rule ID 2.
c. Select Permit in the Action list.
d. Select the Destination IP Address option, and enter IP address 10.1.1.1 and destination
wildcard 0.0.0.0.
e. Select test-time in the Time Range list.
f. Click Add.

Figure 685 Defining an ACL rule for traffic to the FTP server

4. Add a class:
a. Select QoS > Classifier from the navigation tree.
b. Click the Add tab.

c. On the page as shown in Figure 686, enter the class name class1.
d. Click Add.
Figure 686 Adding a class

5. Define classification rules:


a. Click the Setup tab.
b. On the page as shown in Figure 687, select the class name class1 in the list, select the ACL IPv4
option, and select ACL 3000 in the following list.
c. Click Apply.
A progress dialog box appears.
d. Click Close when the progress dialog box prompts that the configuration succeeds.

Figure 687 Defining classification rules

6. Add a traffic behavior:


a. Select QoS > Behavior from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 688, enter the behavior name behavior1.
d. Click Add.

Figure 688 Adding a traffic behavior

7. Configure actions for the traffic behavior:


a. Click the Setup tab.
b. On the page as shown in Figure 689, select behavior1 in the list, select the Filter option, and
then select Deny in the following list.
c. Click Apply.
A progress dialog box appears.
d. Click Close when the progress dialog box prompts that the configuration succeeds.

Figure 689 Configuring actions for the behavior

8. Add a policy:
a. Select QoS > QoS Policy from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 690, enter the policy name policy1.
d. Click Add.

Figure 690 Adding a policy

9. Configure classifier-behavior associations for the policy:


a. Click the Setup tab.
b. On the page as shown in Figure 691, select policy1, select class1 in the Classifier Name list,
and select behavior1 in the Behavior Name list.
c. Click Apply.
Figure 691 Configuring classifier-behavior associations for the policy

10. Apply the QoS policy in the inbound direction of the wireless service named service1:
a. Select QoS > Service Policy from the navigation tree.
b. Click the icon for wireless service service1.
c. On the page as shown in Figure 692, select the Inbound Policy option, and select policy1 from
the following list.
d. Click Apply.

Figure 692 Applying the QoS policy in the inbound direction of WLAN service service1

Verifying the configuration


After you complete these configurations, the QoS policy is successfully applied to the wireless service
named service1. The wireless clients cannot access the FTP server at IP address 10.1.1.1/24 from 8:00 to
18:00 every day, but they can do that at any other time.
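The complete example above, modelled in Python as an added illustration (not the guide's or the device's code): the periodic time range, ACL 3000 rule 2, class1, behavior1 and policy1 are reproduced and evaluated against constructed client packets. Note that the ACL rule's action is Permit: inside a QoS class the ACL only selects the traffic, and the drop comes from behavior1's Filter Deny. Whether the 18:00 end time is inclusive on the device is not stated on this page, so the model treats it as exclusive.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, List, Optional

@dataclass
class PeriodicTimeRange:
    """QoS > Time Range, periodic: active on the given weekdays between start and end."""
    name: str
    start: time
    end: time
    days: frozenset                      # Python weekday numbers, Monday=0 .. Sunday=6

    def active(self, at: datetime) -> bool:
        # Assumption: the end time is exclusive (18:00 itself is outside the range).
        return at.weekday() in self.days and self.start <= at.time() < self.end

@dataclass
class AclRule:
    """One IPv4 advanced ACL rule: destination/wildcard pair plus an optional time range."""
    rule_id: int
    action: str                          # "permit" or "deny"
    dst_ip: str
    dst_wildcard: str                    # 0 bits must match, 1 bits are ignored
    time_range: Optional[PeriodicTimeRange] = None

    def matches(self, dst: str, at: datetime) -> bool:
        if self.time_range and not self.time_range.active(at):
            return False                 # the rule is inactive outside its time range
        mask = ~int(ipaddress.IPv4Address(self.dst_wildcard)) & 0xFFFFFFFF
        want = int(ipaddress.IPv4Address(self.dst_ip)) & mask
        return (int(ipaddress.IPv4Address(dst)) & mask) == want

@dataclass
class Acl:
    number: int
    rules: List[AclRule] = field(default_factory=list)

    def permits(self, dst: str, at: datetime) -> bool:
        """For classification, a packet matches the ACL only when a permit rule matches it."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(dst, at):
                return rule.action == "permit"
        return False

@dataclass
class Classifier:
    name: str
    operation: str                       # "and" or "or", as in Table 208
    criteria: List[Callable[[str, datetime], bool]]

    def matches(self, dst: str, at: datetime) -> bool:
        results = [check(dst, at) for check in self.criteria]
        return all(results) if self.operation == "and" else any(results)

@dataclass
class Behavior:
    name: str
    filter_action: Optional[str] = None  # "permit", "deny" or None for Not Set

@dataclass
class QosPolicy:
    name: str
    bindings: Dict[str, Behavior] = field(default_factory=dict)

    def bind(self, cls: Classifier, beh: Behavior) -> None:
        # A class has one behavior in a policy; binding it again replaces the earlier one.
        self.bindings[cls.name] = beh

def inbound_decision(policy: QosPolicy, classes: Dict[str, Classifier],
                     dst: str, at: datetime) -> str:
    """Return "drop" or "forward" for a client packet entering the WLAN service."""
    for cls_name, beh in policy.bindings.items():
        if classes[cls_name].matches(dst, at) and beh.filter_action == "deny":
            return "drop"
    return "forward"

def build_example():
    """Recreate the guide's configuration: test-time, ACL 3000 rule 2, class1, behavior1, policy1."""
    test_time = PeriodicTimeRange("test-time", time(8, 0), time(18, 0), frozenset(range(7)))
    acl3000 = Acl(3000, [AclRule(2, "permit", "10.1.1.1", "0.0.0.0", test_time)])
    class1 = Classifier("class1", "and", [acl3000.permits])
    behavior1 = Behavior("behavior1", filter_action="deny")
    policy1 = QosPolicy("policy1")
    policy1.bind(class1, behavior1)
    return policy1, {"class1": class1}

def demo(dst: str, when: str) -> str:
    """Decision for one constructed client packet; `when` is "YYYY-MM-DD HH:MM"."""
    policy1, classes = build_example()
    return inbound_decision(policy1, classes, dst, datetime.strptime(when, "%Y-%m-%d %H:%M"))

if __name__ == "__main__":
    print(demo("10.1.1.1", "2014-04-16 12:00"))   # drop: FTP server, inside 8:00-18:00
    print(demo("10.1.1.1", "2014-04-16 19:30"))   # forward: time range inactive
    print(demo("10.1.1.2", "2014-04-16 12:00"))   # forward: other host, ACL does not match
```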

Configuring wireless QoS

Overview
An 802.11 network offers wireless access based on the carrier sense multiple access with collision
avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel
contention opportunities. All applications carried on the WLAN use the same channel contention
parameters. A live WLAN, however, is required to provide differentiated access services to address
diversified requirements of applications for bandwidth, delay, and jitter.
When IEEE 802.11e was being standardized, the Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM)
standard so that QoS-capable devices from different vendors could interoperate. WMM makes a WLAN
capable of providing QoS services.

Terminology
WMM
WMM is a wireless QoS protocol designed to preferentially transmit packets with high priority, and
guarantees better QoS services for voice and video applications in a wireless network.

EDCA
Enhanced distributed channel access (EDCA) is a channel contention mechanism designed by WMM to
preferentially transmit packets with high priority and allocate more bandwidth to such packets.

AC
WMM uses access categories (ACs) for handling channel contentions. WMM assigns WLAN data to
four access categories: AC-VO (voice), AC-VI (video), AC-BE (best-effort), and AC-BK (background), in
the descending order of priority. Each access category uses an independent priority queue for
transmitting data. When contention occurs, WMM guarantees that a high-priority access category
preempts a low-priority access category.

CAC
Connection admission control (CAC) limits the number of clients that are using high-priority access
categories (AC-VO and AC-VI) to guarantee sufficient bandwidth for existing high-priority traffic.

U-APSD
Unscheduled automatic power-save delivery (U-APSD) is a new power saving mechanism defined by
WMM to enhance the power saving capability of clients.

SVP
SpectraLink voice priority (SVP) is a voice priority protocol designed by the Spectralink company to
guarantee QoS for voice traffic.

WMM protocol overview
The distributed coordination function (DCF) in 802.11 stipulates that access points (APs) and clients use
the CSMA/CA access mechanism. APs or clients listen to the channel before they hold the channel for
data transmission. When the specified idle duration of the channel times out, APs or clients randomly
select a backoff slot within the contention window to perform backoff. The device that finishes backoff first
gets the channel. With 802.11, all devices have the same idle duration and contention window. They are
equal when contending for a channel. In WMM, this fair contention mechanism is changed.

EDCA parameters
WMM assigns data packets to four access categories. By allowing a high-priority access category to
have more channel contention opportunities than a low-priority access category, WMM offers different
service levels to access categories.
WMM defines a set of EDCA parameters for each access category, covering the following:
• Arbitration inter-frame spacing number (AIFSN)—Different from the 802.11 protocol where the idle
duration (set using DIFS) is a constant value, WMM can define an idle duration per access category.
The idle duration increases as the AIFSN value increases (see Figure 693 for the AIFS durations).
• Exponent of CWmin (ECWmin) and exponent of CWmax (ECWmax)—Determine the average number of
backoff slots, which increases as the two values increase (see Figure 693 for the backoff slots).
• Transmission opportunity limit (TXOPLimit)—Indicates the maximum time for which a user can hold
a channel after a successful contention. The greater the TXOPLimit, the longer the user can hold the
channel. The value 0 indicates that the user can send only one packet each time it holds the
channel.
Figure 693 Per-AC channel contention parameters in WMM

CAC admission policies


CAC requires that a client obtain permission of the AP before it can use a high-priority access category
for transmission, and guarantees bandwidth to the clients that have gained access. CAC controls
real-time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic).

To use a high-priority access category, a client must send a request to the AP. The AP returns a positive
or negative response based on either of the following admission control policies:
• Channel utilization-based admission policy—The AP calculates the total time that the existing
high-priority access categories occupy the channel in one second, and then calculates the time that
the requesting traffic will occupy the channel in one second. If the sum of the two values is smaller
than or equal to the maximum hold time of the channel, the client can use the requested access
category. Otherwise, the request is rejected.
• Users-based admission policy—If the number of clients using high-priority access categories plus
the requesting clients is smaller than or equal to the maximum number of high-priority access
category clients, the request is accepted. Otherwise, the request is rejected. During calculation, a
client is counted once even if it is using both AC-VO and AC-VI.

U-APSD power-save mechanism


U-APSD improves the 802.11 APSD power saving mechanism. When associating clients with access
categories, specify some access categories as trigger-enabled, some access categories as
delivery-enabled, and the maximum number of data packets that can be delivered after receiving a
trigger packet. You can modify both the trigger attribute and the delivery attribute when flows are
established using CAC. When a client sleeps, the delivery-enabled AC packets destined for the client are
buffered. The client needs to send a trigger-enabled AC packet to get the buffered packets. After the AP
receives the trigger packet, packets in the transmit queue are sent. The number of sent packets depends
on the agreement made when the client was admitted. Access categories without the delivery attribute
store and transmit packets as defined in the 802.11 protocol.

SVP service
SVP service implements differentiated treatment of SVP packets by mapping each SVP packet (IP protocol
number 119) to an access category, which corresponds to a transmit queue with certain priority.

ACK policy
WMM defines the following ACK policies:
• No ACK—When the no acknowledgement (No ACK) policy is used, the recipient does not
acknowledge received packets during wireless packet exchange. This policy can improve
transmission efficiency in the environment where communication quality is good and interference is
weak. However, in the environment where communication quality is poor, it can cause increased
packet loss and deteriorated communication quality.
• Normal ACK—When the Normal ACK policy is used, the recipient acknowledges each received
unicast packet.

Enabling wireless QoS


1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed, as shown in Figure 694.

Figure 694 Wireless QoS

2. Select the option in front of the radio unit to be configured.


3. Click Enable.
By default, wireless QoS is enabled.

NOTE:
The WMM protocol is the foundation of the 802.11n protocol. When the radio operates in 802.11n (5
GHz) or 802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n
clients might fail to communicate.

Setting the SVP service


1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed, as shown in Figure 695.
Figure 695 Mapping SVP service to an access category

2. Click the icon in the Operation column for the desired AP to enter the page for mapping SVP
service to an access category, as shown in Figure 696.

Figure 696 Mapping SVP service to an access category

3. Configure SVP mapping, as described in Table 214.


4. Click Apply.
Table 214 Configuration items

AP Name
  Displays the selected AP.

Radio
  Displays the selected AP's radio.

SVP Mapping
  Select the option before SVP Mapping, and then select an access category for SVP
  service:
  • AC-VO.
  • AC-VI.
  • AC-BE.
  • AC-BK.

NOTE:
SVP mapping is applicable only to non-WMM clients.

Setting CAC admission policy


1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP to enter the page for setting CAC
admission policy, as shown in Figure 697.

Figure 697 Setting CAC admission policy

3. Configure the CAC admission policy, as described in Table 215.


4. Click Apply.
Table 215 Configuration items

Client Number
  Users-based admission policy, or the maximum number of clients allowed to be
  connected. A client is counted only once, even if it is using both AC-VO and AC-VI.
  By default, the users-based admission policy applies, with the maximum number of
  users being 20.

Channel Utilization
  Channel utilization-based admission policy, or the ratio of the medium time of the
  accepted AC-VO and AC-VI traffic to the valid time during the unit time. The valid
  time is the total time during which data is transmitted.
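Added Python model (not the guide's or the device's code) of the two CAC admission policies described above: the users-based policy with the default limit of 20 clients, counting a client once even when it holds both AC-VO and AC-VI, and the channel utilization-based policy comparing requested plus already accepted medium time per second against a maximum hold time. The hold-time limit and the client MAC addresses are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

HIGH_PRIORITY_ACS = ("AC-VO", "AC-VI")   # CAC governs only these access categories

@dataclass
class CacAdmission:
    """The AP-side admission decision for AC-VO/AC-VI requests.

    policy: "users" (the default, max_clients 20) or "channel".
    max_clients: users-based limit on distinct clients holding AC-VO or AC-VI.
    max_hold_us: channel utilization-based limit on high-priority medium time per second.
    """
    policy: str = "users"
    max_clients: int = 20
    max_hold_us: int = 600_000          # constructed: 60% of a second, not a device default
    admitted: Dict[str, Set[str]] = field(default_factory=dict)          # MAC -> ACs in use
    medium_time_us: Dict[str, Dict[str, int]] = field(default_factory=dict)  # MAC -> AC -> us/s

    def request(self, mac: str, ac: str, medium_time_us: int) -> bool:
        """Return True if the client may use `ac` with `medium_time_us` of channel time per second."""
        if ac not in HIGH_PRIORITY_ACS:
            return True            # AC-BE/AC-BK traffic is never subject to CAC
        if medium_time_us <= 0:
            return False           # invalid medium time (a rejection counter in radio statistics)
        if self.policy == "users":
            ok = self._users_policy(mac)
        elif self.policy == "channel":
            ok = self._channel_policy(medium_time_us)
        else:
            raise ValueError(f"unknown CAC policy {self.policy!r}")
        if ok:
            self.admitted.setdefault(mac, set()).add(ac)
            self.medium_time_us.setdefault(mac, {})[ac] = medium_time_us
        return ok

    def _users_policy(self, mac: str) -> bool:
        # A client already admitted is counted once even when it adds the other AC.
        prospective = set(self.admitted) | {mac}
        return len(prospective) <= self.max_clients

    def _channel_policy(self, requested_us: int) -> bool:
        in_use = sum(t for per_ac in self.medium_time_us.values() for t in per_ac.values())
        return in_use + requested_us <= self.max_hold_us

    def release(self, mac: str) -> None:
        """The client left or ended its high-priority flows: free its admission."""
        self.admitted.pop(mac, None)
        self.medium_time_us.pop(mac, None)

def demo_users_policy() -> tuple:
    """Fill the default users-based limit and show the 'counted once' rule."""
    cac = CacAdmission()                                    # users-based, max 20
    macs = [f"00-11-22-33-44-{i:02x}" for i in range(20)]   # constructed client MACs
    first_twenty = all(cac.request(m, "AC-VO", 1000) for m in macs)
    same_client_vi = cac.request(macs[0], "AC-VI", 1000)    # already counted, so accepted
    twenty_first = cac.request("00-11-22-33-44-ff", "AC-VO", 1000)
    return first_twenty, same_client_vi, twenty_first, len(cac.admitted)

def demo_channel_policy() -> tuple:
    """Admit flows until the per-second hold time is exhausted, then free capacity."""
    cac = CacAdmission(policy="channel", max_hold_us=100_000)   # constructed limit
    a = cac.request("aa", "AC-VO", 60_000)
    b = cac.request("bb", "AC-VI", 40_000)   # exactly fills the budget, accepted
    c = cac.request("cc", "AC-VO", 1)        # would exceed it, rejected
    cac.release("aa")
    d = cac.request("cc", "AC-VO", 1)        # capacity freed, accepted
    return a, b, c, d

if __name__ == "__main__":
    print(demo_users_policy())     # (True, True, False, 20)
    print(demo_channel_policy())   # (True, True, False, True)
```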

Setting radio EDCA parameters for APs


1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP to enter the page for configuring
wireless QoS.
3. On the radio EDCA list, click the icon in the Operation column for the desired priority type
(AC_BK, for example) to enter the page for setting radio EDCA parameters.
Figure 698 Setting radio EDCA parameters

4. Configure the radio EDCA parameters, as described in Table 216.

5. Click Apply.
Table 216 Configuration items

AP Name
  Displays the selected AP.

Radio
  Displays the selected AP's radio.

Priority type
  Displays the priority type.

AIFSN
  Arbitration inter-frame spacing number used by the AP.

TXOP Limit
  Transmission opportunity limit used by the AP.

ECWmin
  Exponent of CWmin used by the AP.

ECWmax
  Exponent of CWmax used by the AP.

No ACK
  If you select the option before No ACK, the No ACK policy is used by the AP.
  By default, the normal ACK policy is used by the AP.

Table 217 Default radio EDCA parameters

Access category  TXOP Limit  AIFSN  ECWmin  ECWmax
AC-BK            0           7      4       10
AC-BE            0           3      4       6
AC-VI            94          1      3       4
AC-VO            47          1      2       3

NOTE:
• ECWmin cannot be greater than ECWmax.
• On an AP operating in 802.11b radio mode, HP recommends that you set the TXOP-Limit to 0, 0, 188,
and 102 for AC-BK, AC-BE, AC-VI, and AC-VO.

Setting EDCA parameters for wireless clients


Configuration restrictions and guidelines
Follow these restrictions and guidelines when you set EDCA parameters for wireless clients:
• ECWmin cannot be greater than ECWmax.
• If all clients operate in 802.11b radio mode, set TXOPLimit to 188 and 102 for AC-VI and AC-VO.
• If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in
the network, HP recommends the TXOPLimit parameters in Table 219.
• Once you enable CAC for an access category, it is enabled automatically for all higher priority
access categories. For example, if you enable CAC for AC-VI, CAC is also enabled for AC-VO.
However, enabling CAC for AC-VO does not enable CAC for AC-VI.

Configuration procedure
1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP.
3. On the client EDCA list, click the icon in the Operation column for the desired priority type
(AC_BK, for example).
Figure 699 Setting client EDCA parameters

4. Configure the client EDCA parameters, as described in Table 218.


5. Click Apply.
Table 218 Configuration items

AP Name
  Displays the selected AP.

Radio
  Displays the selected AP's radio.

Priority type
  Displays the priority type.

AIFSN
  Arbitration inter-frame spacing number used by clients.

TXOP Limit
  Transmission opportunity limit used by clients.

ECWmin
  Exponent of CWmin used by clients.

ECWmax
  Exponent of CWmax used by clients.

CAC
  Enable CAC:
  • Enable—Enable CAC.
  • Disable—Disable CAC.
  AC-VO and AC-VI support CAC, which is disabled by default. This item is not
  available for AC-BE or AC-BK, because they do not support CAC.

Table 219 Default EDCA parameters for clients

Access category  TXOP Limit  AIFSN  ECWmin  ECWmax
AC-BK            0           7      4       10
AC-BE            0           3      4       10
AC-VI            94          2      3       4
AC-VO            47          2      2       3
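Added Python example (not from the guide or the device software) that turns the EDCA values of Tables 217 and 219 into the quantities the EDCA overview describes, AIFS, contention window and TXOP hold time, enforces the ECWmin/ECWmax and 802.11b TXOP Limit guidelines given above, and applies the CAC cascading rule for AC-VI and AC-VO. The slot time (9 us), SIFS (16 us) and the 32 us TXOP Limit unit are assumed 802.11 OFDM-PHY values, not figures from this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed 802.11 OFDM-PHY timing (802.11a/g/n), not values from this guide.
SLOT_US = 9
SIFS_US = 16
TXOP_UNIT_US = 32   # TXOP Limit is carried in 32-microsecond units (802.11 encoding, assumed)

AC_ORDER = ["AC-VO", "AC-VI", "AC-BE", "AC-BK"]   # highest priority first

@dataclass(frozen=True)
class Edca:
    txop_limit: int
    aifsn: int
    ecwmin: int
    ecwmax: int

    def __post_init__(self) -> None:
        if self.ecwmin > self.ecwmax:
            raise ValueError("ECWmin cannot be greater than ECWmax")
        if self.aifsn < 1:
            raise ValueError("AIFSN must be at least 1")

    def aifs_us(self) -> int:
        """Idle time this AC observes before contending: AIFS = AIFSN * slot + SIFS."""
        return self.aifsn * SLOT_US + SIFS_US

    def cwmin(self) -> int:
        return 2 ** self.ecwmin - 1

    def cwmax(self) -> int:
        return 2 ** self.ecwmax - 1

    def mean_first_backoff_us(self) -> float:
        """Average first-attempt backoff: uniform over 0..CWmin slots."""
        return self.cwmin() / 2 * SLOT_US

    def txop_us(self) -> int:
        """0 means a single frame per channel access; otherwise the hold time in microseconds."""
        return self.txop_limit * TXOP_UNIT_US

# Table 217: default radio (AP) EDCA parameters.
AP_DEFAULTS: Dict[str, Edca] = {
    "AC-BK": Edca(0, 7, 4, 10),
    "AC-BE": Edca(0, 3, 4, 6),
    "AC-VI": Edca(94, 1, 3, 4),
    "AC-VO": Edca(47, 1, 2, 3),
}

# Table 219: default client EDCA parameters.
CLIENT_DEFAULTS: Dict[str, Edca] = {
    "AC-BK": Edca(0, 7, 4, 10),
    "AC-BE": Edca(0, 3, 4, 10),
    "AC-VI": Edca(94, 2, 3, 4),
    "AC-VO": Edca(47, 2, 2, 3),
}

def expected_wait_us(p: Edca) -> float:
    """AIFS plus mean first backoff; the AC with the smaller value tends to win contention."""
    return p.aifs_us() + p.mean_first_backoff_us()

def check_11b_txop(params: Dict[str, Edca], all_clients_11b: bool) -> List[str]:
    """List TXOP Limit values that differ from the guide's 802.11b recommendation (0, 0, 188, 102)."""
    if not all_clients_11b:
        return []
    recommended = {"AC-BK": 0, "AC-BE": 0, "AC-VI": 188, "AC-VO": 102}
    return [f"{ac}: TXOP Limit {params[ac].txop_limit}, recommended {want}"
            for ac, want in recommended.items() if params[ac].txop_limit != want]

def effective_cac(enabled: Set[str]) -> Set[str]:
    """Enabling CAC for an AC also enables it for every higher-priority AC; only AC-VO/AC-VI support it."""
    result: Set[str] = set()
    for ac in enabled:
        if ac not in ("AC-VO", "AC-VI"):
            raise ValueError(f"{ac} does not support CAC")
        result.update(AC_ORDER[: AC_ORDER.index(ac) + 1])
    return result

if __name__ == "__main__":
    for ac in AC_ORDER:
        p = AP_DEFAULTS[ac]
        print(f"{ac}: AIFS={p.aifs_us()}us CW={p.cwmin()}..{p.cwmax()} "
              f"expected wait={expected_wait_us(p):.1f}us TXOP={p.txop_us()}us")
    print(check_11b_txop(AP_DEFAULTS, all_clients_11b=True))
    print(sorted(effective_cac({"AC-VI"})))   # ['AC-VI', 'AC-VO']
```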

Displaying radio statistics


1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Radio Statistics tab.
3. Click an AP to see its details.
Figure 700 Displaying the radio statistics

Table 220 Field description

Field Description
AP ID AP ID.

AP Name AP name.

Radio Radio ID.

Client EDCA update count Number of client EDCA parameter updates.

QoS mode QoS mode:
• WMM—The client is a QoS client.
• None—The client is a non-QoS client.

Radio chip QoS mode Radio chip's support for the QoS mode.

Radio chip max AIFSN Maximum AIFSN allowed by the radio chip.

Radio chip max ECWmin Maximum ECWmin allowed by the radio chip.

Radio chip max TXOPLimit Maximum TXOPLimit allowed by the radio chip.

Radio chip max ECWmax Maximum ECWmax allowed by the radio chip.

Client accepted Number of clients that have been admitted to access the radio, including the
number of clients that have been admitted to access the AC-VO and the AC-VI
queues.

Total request mediumtime(us) Total requested medium time, including that of the AC-VO and the AC-VI
queues.

Calls rejected due to insufficient resource Number of requests rejected due to insufficient resources.

Calls rejected due to invalid parameters Number of requests rejected due to invalid parameters.

Calls rejected due to invalid mediumtime Number of requests rejected due to invalid medium time.

Calls rejected due to invalid delaybound Number of requests rejected due to invalid delay bound.

Displaying client statistics


1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Client Statistics tab.
3. Click a client name to see its details.
Figure 701 Displaying the client statistics

Table 221 Field description

Field Description
MAC address MAC address of the client.

SSID Service set ID (SSID).

QoS Mode QoS mode:
• WMM—QoS mode is enabled.
• None—QoS mode is not enabled.

Max SP length Maximum service period.

AC Access category.

State APSD attribute of an access category:
• T—The access category is trigger-enabled.
• D—The access category is delivery-enabled.
• T | D—The access category is both trigger-enabled and delivery-enabled.
• L—The access category is of legacy attributes.

Assoc State APSD attribute of the four access categories when a client accesses the AP.

Uplink CAC packets Number of uplink CAC packets.

Uplink CAC bytes Number of uplink CAC bytes.

Downlink CAC packets Number of downlink CAC packets.

Downlink CAC bytes Number of downlink CAC bytes.

Downgrade packets Number of downgraded packets.

Downgrade bytes Number of downgraded bytes.

Discard packets Number of dropped packets.

Discard bytes Number of dropped bytes.

Setting rate limiting


The WLAN provides limited bandwidth for each AP. Because the bandwidth is shared by wireless clients
attached to the AP, aggressive use of bandwidth by a client will affect other clients. To ensure fair use of
bandwidth, rate limit traffic of clients in either of the following methods:
• Configure the total bandwidth shared by all clients in the same BSS. This is called "dynamic mode".
The rate limit of a client is the configured total rate divided by the number of online clients. For
example, if the configured total rate is 10 Mbps and five clients are online, the rate limit of each
client is 2 Mbps.
• Configure the maximum bandwidth that can be used by each client in the BSS. This is called "static
mode". For example, if the configured rate is 1 Mbps, the rate limit of each online client is 1 Mbps.
When the configured rate limit multiplied by the number of access clients exceeds the available
bandwidth provided by the AP, no client can get the guaranteed bandwidth.

Setting wireless service-based client rate limiting


You can configure the access controller to limit client rates for a service within a BSS.
To set wireless service-based client rate limiting:
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Client Rate Limit tab.
3. Click for the target wireless service.

Figure 702 Setting wireless service-based client rate limiting

4. Configure service-based client rate limiting, as described in Table 222.


5. Click Apply.
Table 222 Configuration items

Item Description
WLAN ID Displays the selected WLAN ID.

Wireless Service Select an existing wireless service.

Direction Set the traffic direction:
• Inbound—Traffic from client to AP.
• Outbound—Traffic from AP to client.

Mode Set a rate limiting mode:
• Static—Limits the rate of each client to a fixed value.
• Dynamic—Limits the rate of a client to the configured total rate/the number of
online clients.

Rate Set the rate of the clients:
• If you select the static mode, Per-Client Rate is displayed, and the rate is the rate
of each client.
• If you select the dynamic mode, Total Rate is displayed, and the rate is the total
rate of all clients.

Setting radio-based client rate limiting


You can configure the access controller to limit client rates for a radio.
To set radio-based client rate limiting:
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Client Rate Limit tab.
3. Click Add in the Radio-Based Configuration area.

Figure 703 Setting radio-based client rate limiting

4. Configure radio-based client rate limiting, as described in Table 223.


5. Click Apply.
Table 223 Configuration items

Item Description
Radio List List of radios available. You can create the rate limiting rules for one or multiple
radios.

Direction Traffic direction:
• Inbound—Traffic from clients to the AP.
• Outbound—Traffic from the AP to clients.
• Both—Both inbound and outbound traffic.

Mode Rate limiting mode:
• Static—Limits the rate of each client to a fixed value.
• Dynamic—Limits the rate of a client to the configured total rate/the number of
online clients.

Rate Set the rate of the clients:
• If you select the static mode, Per-Client Rate is displayed, and the rate is the rate
of each client.
• If you select the dynamic mode, Total Rate is displayed, and the rate is the total
rate of all clients.

Configuring the bandwidth guarantee function


When traffic is heavy, a BSS without any rate limitation might aggressively occupy the available
bandwidth for other BSSs. If you limit the rate of the BSS, it cannot use the idle bandwidth of other BSSs.
To improve bandwidth use efficiency when ensuring bandwidth use fairness among wireless services, use
the bandwidth guarantee function. Bandwidth guarantee makes sure all traffic from each BSS can pass
through when the network is not congested, and each BSS can get the guaranteed bandwidth when the
network is congested. For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and
50% of the bandwidth. When the network is not congested, SSID1 can use all idle bandwidth in addition
to its guaranteed bandwidth. When the network is congested, SSID1 can use at least its guaranteed
bandwidth, 25% of the bandwidth.

NOTE:
Bandwidth guarantees apply only to the traffic from AP to client.

Setting the reference radio bandwidth


1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Bandwidth Guarantee tab.
Figure 704 Setting the reference radio bandwidth

3. Set the reference radio bandwidth, as described in Table 224.


4. Click Apply.
Table 224 Configuration items

Item Description
802.11a Mode, 802.11b Mode, 802.11g Mode, 802.11n Mode Set the reference radio bandwidth for the radio mode.
IMPORTANT:
Set the reference radio bandwidth slightly lower than the maximum available bandwidth.

NOTE:
After you set the reference radio bandwidth values, the new settings do not take effect for the radios with
bandwidth guarantee enabled. To make the new settings take effect, you must disable and then enable the
radios.

Setting guaranteed bandwidth percents
1. Select QoS > Wireless QoS from the navigation tree.
2. Select a radio from the bandwidth guarantee setup list, and click the icon for the radio in the
Operation column.
Figure 705 Setting guaranteed bandwidth

3. Set the guaranteed bandwidth, as described in Table 225.


4. Click Apply.
Table 225 Configuration items

Item Description
Guaranteed Bandwidth Percent (%) Allocate a percentage of the total radio bandwidth to each wireless service as the
guaranteed bandwidth. The total guaranteed bandwidth cannot exceed 100% of
the radio bandwidth.

Enabling bandwidth guaranteeing


After the configurations above, the bandwidth guarantee tab appears.
To validate the bandwidth guarantee settings for a radio unit, enable its bandwidth guarantee function.
To enable the bandwidth guarantee function:
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Bandwidth Guarantee tab.
3. Select the AP and the corresponding radio mode for which you want to enable bandwidth
guarantee on the list under the Bandwidth Guarantee title bar.
4. Click Enable.

Figure 706 Enabling the bandwidth guarantee function

Displaying guaranteed bandwidth settings


1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click Bandwidth Guarantee.
3. Click the specified radio unit of the AP on the list under the Bandwidth Guarantee title bar.
Figure 707 Displaying guaranteed bandwidth settings

CAC service configuration example


Network requirements
As shown in Figure 708, a WMM-enabled AP accesses the Ethernet.
Enable CAC for AC-VO and AC-VI on the AP. To guarantee high priority clients (AC-VO and AC-VI clients)
sufficient bandwidth, use the user number-based admission policy to limit the number of access users to
10.

Figure 708 Network diagram

Configuring the wireless service


1. Configure the AP, and establish a connection between the AC and the AP.
For related configurations, see "Configuring access services." Follow the steps in the related
configuration example to establish a connection between the AC and the AP.

Configuring CAC
1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
2. Make sure WMM is enabled.
Figure 709 Wireless QoS configuration page

3. As shown in Figure 709, select the AP to be configured on the list, and click the icon for the AP
in the Operation column.
4. On the Client EDCA list, select the priority type (AC_VO, for example) to be modified, and click the
icon for the priority type in the Operation column.
5. Select Enable from the CAC list.
6. Click Apply.
Figure 710 Enabling CAC

7. Enable CAC for AC_VI in the same way. (Details not shown.)
8. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
9. Click the icon in the Operation column for the desired AP.
10. Select the Client Number option, and then enter 10.
11. Click Apply.
Figure 711 Setting CAC client number

Verifying the configuration


If the number of existing clients in the high-priority access categories plus the number of clients requesting
for high-priority access categories is smaller than or equal to the user-defined maximum number of users
allowed in high-priority access categories (10 in this example) the request is allowed. Otherwise, the
request is rejected.

Wireless service-based static rate limiting configuration example
Network requirements
As shown in Figure 712, two wireless clients access the WLAN through an SSID named service1.
Limit the maximum bandwidth per wireless client to 1024 kbps for traffic from the wireless clients to the
AP.
Figure 712 Network diagram

Configuring the wireless service
For the configuration procedure, see "Configuring access services."

Configuring static rate limiting


1. Select QoS > Wireless QoS from the navigation tree.
2. Click Client Rate Limit.
3. Select Inbound from the Direction list, and click .
4. Configure static rate limiting:
a. Select Static from the Mode list.
b. Enter 1024 in the Per-Client Rate field.
5. Click Apply.
Figure 713 Configuring static rate limiting

Verifying the configuration


1. Client 1 and Client 2 access the WLAN through the SSID named service1.
2. Verify that traffic from Client 1 is rate limited to around 1024 kbps, and so is traffic from Client 2.

Wireless service-based dynamic rate limiting configuration example
Network requirements
As shown in Figure 714, wireless clients access the WLAN through an SSID named service2.
Configure all wireless clients to share 8000 kbps of bandwidth in any direction.

Figure 714 Network diagram

Configuring the wireless service


For the configuration procedure, see "Configuring access services."

Configuring dynamic rate limiting


1. Select QoS > Wireless QoS from the navigation tree.
2. Click Client Rate Limit.
3. Select service2 from the Wireless Service list, select Inbound from the Direction list, and click .
4. Configure dynamic rate limiting:
a. Select Dynamic from the Mode list.
b. Enter 8000 in the Total Rate field.
5. Click Apply.
Figure 715 Configuring dynamic rate limiting

Verifying the configuration


Verify that:
1. When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a
rate as high as 8000 kbps.
2. When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can
each pass through at a rate as high as 4000 kbps.

Bandwidth guarantee configuration example
Network requirements
As shown in Figure 716, three wireless clients use wireless services research, office, and entertain to
access the wireless network.
To make sure the enterprise network works properly, guarantee the office service 20% of the bandwidth,
the research service 80%, and the entertain service none.
Figure 716 Network diagram

Configuring the wireless services


For the configuration procedure, see "Configuring access services." Follow the related configuration
example to configure the wireless services.

Configuring bandwidth guaranteeing


1. Select QoS > Wireless QoS from the navigation tree.
2. Click Bandwidth Guarantee.
3. Use the default reference radio bandwidth for 802.11a.
4. Click Apply.
Figure 717 Setting the reference radio bandwidth

5. Click the icon in the Operation column for 802.11a to enter the page for setting guaranteed
bandwidth, as shown in Figure 718.
6. Set the guaranteed bandwidth:
a. Set the guaranteed bandwidth percent to 80 for wireless service research.
b. Set the guaranteed bandwidth percent to 20 for wireless service office.
c. Set the guaranteed bandwidth percent to 0 for wireless service entertain.
7. Click Apply.
After you apply the guaranteed bandwidth settings, the page for enabling bandwidth guarantee
appears, as shown in Figure 719.
Figure 718 Setting guaranteed bandwidth

8. Select the option specific to 802.11a.


9. Click Enable.
Figure 719 Enabling bandwidth guarantee

Verifying the configuration
• Send traffic from the AP to the three wireless clients at a rate lower than 30000 kbps. The rate of
traffic from the AP to the three wireless clients is not limited.
• Send traffic at a rate higher than 6000 kbps from the AP to Client 1 and at a rate higher than
24000 kbps from the AP to Client 2. The total rate of traffic from the AP to the two wireless
clients exceeds 30000 kbps. Because you have enabled bandwidth guarantee for wireless services
research and office, the AP forwards traffic to Client 1 and Client 2 at 6000 kbps and 24000 kbps,
respectively, and limits the traffic to Client 3.

NOTE:
• Guaranteed bandwidth in kbps = reference radio bandwidth × guaranteed bandwidth percent.
• Set the reference radio bandwidth slightly lower than the available maximum bandwidth.
• The guaranteed bandwidth configuration applies to only the traffic from the AP to clients.
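The allocation checked in the verification above, worked through as an added model written for this example (it is not HP's implementation). The guide only states that idle bandwidth may be used by other BSSs, so the way idle bandwidth is shared among BSSs that still have demand (guaranteed BSSs first, weighted by percent, then BSSs with 0%) is an assumption.

```python
"""Added example (not from the HP guide): a model of the bandwidth guarantee
computation for one radio.

Assumptions (not stated by the guide): when the radio is not congested every
BSS gets its full demand; when it is congested each BSS first receives
min(demand, guarantee), and bandwidth still idle is handed to BSSs with unmet
demand, guaranteed BSSs first (weighted by percent), then BSSs with 0%.
All rates are in kbps and apply to AP-to-client traffic only.
"""


def guaranteed_kbps(reference_kbps, percents):
    """Guaranteed bandwidth in kbps = reference radio bandwidth x percent."""
    if sum(percents.values()) > 100:
        raise ValueError("total guaranteed bandwidth cannot exceed 100%")
    return {ssid: reference_kbps * pct // 100 for ssid, pct in percents.items()}


def allocate(reference_kbps, percents, demand_kbps):
    """Return the per-SSID downlink rate the radio forwards for each BSS."""
    guarantee = guaranteed_kbps(reference_kbps, percents)
    if sum(demand_kbps.values()) <= reference_kbps:
        # Not congested: all traffic from every BSS passes, nothing is limited.
        return dict(demand_kbps)

    # Congested: every BSS is first served up to its guaranteed bandwidth.
    alloc = {s: min(demand_kbps.get(s, 0), guarantee[s]) for s in percents}
    idle = reference_kbps - sum(alloc.values())

    # Assumed sharing policy for idle bandwidth (see module docstring).
    for group in ([s for s in percents if percents[s] > 0],
                  [s for s in percents if percents[s] == 0]):
        while idle > 0:
            hungry = [s for s in group if demand_kbps.get(s, 0) > alloc[s]]
            if not hungry:
                break
            weights = {s: (percents[s] or 1) for s in hungry}
            wsum = sum(weights.values())
            handed = 0
            for s in hungry:
                share = min(idle * weights[s] // wsum, demand_kbps[s] - alloc[s])
                alloc[s] += share
                handed += share
            if handed == 0:
                break  # integer rounding left nothing more to hand out
            idle -= handed
    return alloc


if __name__ == "__main__":
    # Constructed input mirroring the guide's example: 30000 kbps reference
    # bandwidth, research 80%, office 20%, entertain 0%.
    percents = {"research": 80, "office": 20, "entertain": 0}
    print(allocate(30000, percents, {"research": 26000, "office": 8000, "entertain": 2000}))
```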

Configuring advanced settings

Advanced settings overview


Country/Region code
Radio frequencies for countries and regions vary based on country regulations. A country/region code
determines characteristics such as frequency range, channel, and transmit power level. Configure the
valid country/region code for a WLAN device to meet the specific country regulations.

1+1 AC backup
Support for the 1+1 backup feature might vary depending on your device model. For more information,
see "About the Web-based configuration guide for HP unified wired-WLAN products."

Dual-link backup
• Dual links:
Dual links allow for AC backup. An AP establishes links with two different ACs. The active AC
provides services for APs in the network, and the standby AC provides backup service for the
active AC. If the active AC fails, the standby AC takes over to provide services for the APs.
Figure 720 Dual link topology

AC 1 is operating in active mode and providing services to AP 1, AP 2, AP 3, and AP 4. AC 2 is
operating in standby mode. APs are connected to AC 2 through backup links. When AC 1 is down,
AC 2 switches to active mode and stays active even after AC 1 is up again, in which case AC 1
operates in standby mode. However, this is not so if an AC is configured as the primary AC. For more
information about the primary AC, see "Primary AC recovery."
• Using fast link fault detection, you can configure 1+1 fast backup (see "1+1 fast backup") to
provide uninterrupted services.

• Primary AC recovery:
Primary AC provides a mechanism to make sure the primary AC is chosen in precedence by APs
as an active AC. When the primary AC goes down, the APs switch to connect to the standby AC.
As soon as the active AC recovers, the APs automatically connect to the primary AC again.
Figure 721 Primary AC recovery

AC 1 is the primary AC with the connection priority of 7, and it establishes a connection with the
AP. AC 2 acts as the secondary AC. If AC 1 goes down, AC 2 takes over to provide services to
AP until AC 1 recovers. Once the primary AC is reachable again, the AP automatically establishes
a connection with the primary AC. For more information about priority configuration, see
"Configuring an AP connection priority."

1+1 fast backup


Fast link fault detection allows two ACs in 1+1 backup to detect the failure of each other. To achieve this,
a heartbeat detection mechanism is used. When the active AC goes down, the standby AC can quickly
detect the faults and become the new active AC.

NOTE:
• 1+1 fast backup supports only tunnel backup between AC and AP to make sure when the main AC goes down,
the standby AC can quickly connect to the AP. 1+1 fast backup does not back up client information.
• Support for the 1+1 fast backup feature might vary depending on your device model. For more information, see
"About the Web-based configuration guide for HP unified wired-WLAN products."

1+N AC backup
1+N AC backup allows an AC to operate as a backup for multiple ACs. The active ACs independently
provide services for APs that connect to them, and only one standby AC provides backup service for the
active ACs. If an active AC goes down, the APs connecting to it can detect the failure quickly and make
connections to the standby AC. As soon as the active AC recovers, the APs automatically connect to the
original active AC again. This makes sure the standby AC operates as a dedicated backup for the active
ACs. 1+N AC backup delivers high reliability and saves network construction cost.

Client information backup
In a network environment as shown in Figure 722, to prevent clients from going offline due to unexpected
primary/backup AC switchover, the ACs must support the stateful failover function. This feature enables
the primary AC to send client information in real time to the backup AC through an IACTP tunnel,
ensuring consistency of client information on the two ACs. When a switchover occurs, the backup AC
immediately takes over services for online clients to ensure service continuity.
To make the stateful failover function operate correctly, you need to configure client information backup
on both the primary and backup ACs so that the client information on both ACs are identical.
This feature supports backing up information for clients that use 802.1X authentication and clients that
use clear-type wireless services.
Figure 722 Network diagram

As shown in Figure 722, AC 1 and AC 2 back up each other. AC 1 is the primary AC of AP 1, AC 2 is
the primary AC of AP 1, and the two ACs are in the same IACTP tunnel. When clients go online and
offline or roam between the ACs, the two ACs synchronize client information in real time to ensure
consistent client information.
If an anomaly occurs, for example, AC 1 fails, the tunnel between AC 1 and AP 1 is terminated, or AC
2 detects that the tunnel to AC 1 is terminated, AC 2 becomes the primary AC of AP 1. During the switch,
clients connected with AP 1 are not logged off. When the network recovers, AC 2 sends all client
information to AC 1 to ensure consistent client information.

NOTE:
If a primary/backup AC switchover occurs during the client information backup process, clients will be
logged out and associated with the AC again because the backup AC does not have complete online client
information.

To verify that client information is consistent on the two ACs, use either of the following methods:
• To view detailed client information on the primary and backup ACs, select Summary > Client from
the navigation tree, click the Detailed Information tab, and select the target client. In the command
output, if the client information, except the state (Running for the primary AC, Running(Backup) for
the backup AC), is consistent on the two ACs, the basic client information has been synchronized.
• To view roam-track information of the clients on the primary and backup ACs, select Summary >
Client from the navigation tree, click the Roam Information tab, and select the target client. In the
command output, if the client information is consistent on the two ACs, the basic client information
has been synchronized.

Continuous transmitting mode


The continuous transmitting mode is used for testing only. Do not use the function unless necessary.

Channel busy test


The channel busy test is a tool to test how busy a channel is. It tests channels supported by the
country/region code individually, and provides a busy rate for each channel. This avoids the situation in
which some channels are heavily loaded and some are idle.
During a channel busy test, APs do not provide any WLAN services. All the connected clients are
disconnected, and WLAN packets are discarded.

WLAN load balancing


WLAN load balancing dynamically adjusts loads among APs to ensure adequate bandwidth for clients.
It is mainly used in high-density WLAN networks.

Requirement of WLAN load-balancing implementation


As shown in Figure 723, Client 6 wants to associate with AP 3. AP 3 has reached its maximum load, so
it rejects the association request. Then, Client 6 tries to associate with AP 1 or AP 2, but it cannot receive
signals from these two APs, so it has to resend an association request to AP 3.
To implement load-balancing, the APs must be managed by the same AC, and the clients can find the
APs.

Figure 723 Requirement of WLAN load-balancing implementation

Load-balancing modes
The AC supports two load balancing modes: session mode and traffic mode.
• Session mode load-balancing:
Session-mode load balancing is based on the number of clients associated with the AP/radio.
As shown in Figure 724, Client 1 is associated with AP 1, and Client 2 through Client 6 are
associated with AP 2. The AC has session-mode load balancing configured: the maximum number
of sessions is 5, and the maximum session gap is 4. Then, Client 7 sends an association request
to AP 2. The maximum session threshold and session gap have been reached on AP 2, so AP 2
rejects the request. Finally, Client 7 associates with AP 1.
Figure 724 Network diagram for session-mode load balancing

• Traffic mode load-balancing:
Traffic-mode load balancing is based on a snapshot of the traffic on the AP/radio.
As shown in Figure 725, Client 1 and Client 2 that run 802.11g are associated with AP 1. The AC
has traffic-mode load balancing configured: the maximum traffic threshold is 10%, and the
maximum traffic gap is 20%. Then, Client 3 wants to access the WLAN through AP 1. The
maximum traffic threshold and traffic gap (between AP 1 and AP 2) have been reached on AP 1,
so AP 1 rejects the request. Finally, Client 3 associates with AP 2.
Figure 725 Network diagram for traffic-mode load balancing

Load-balancing methods
The AC supports AP-based load balancing and group-based load balancing.
1. AP-based load balancing
AP-based load balancing can be implemented either among APs or among the radios of an AP.
• AP-based load balancing—APs can carry out either session-mode or traffic-mode load
balancing. An AP starts load balancing when the maximum threshold and gap are reached,
and it does not accept any association requests unless the load decreases below the maximum
threshold or the gap is less than the maximum gap. However, if a client has been denied more
than the specified maximum times, the AP considers that the client is unable to associate with
any other AP, and it accepts the association request from the client.
• Radio-based load balancing—The radios of a balanced AP can carry out either session-mode
or traffic-mode load balancing. A radio starts load balancing when the maximum threshold and
gap are reached, and it rejects any association requests unless the load decreases below the
maximum threshold or the gap is less than the maximum gap. However, if a client has been
denied more than the specified maximum times, the AP considers that the client is unable to
associate with any other AP, and it accepts the association request from the client.
2. Group-based load balancing
To balance loads among the radios of different APs, you can add them to the same load balancing
group.
The radios in a load balancing group can carry out either session-mode or traffic-mode load
balancing. The radios that are not added to any load balancing group do not carry out load
balancing. A radio in a load balancing group starts load balancing when the maximum threshold
and gap are reached on it, and it does not accept any association requests unless the load
decreases below the maximum threshold or the gap is less than the maximum gap. However, if a
client has been denied more than the specified maximum times, the AP considers that the client is
unable to associate with any other AP, and it accepts the association request from the client.
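The session-mode admission rule described in "Load-balancing modes" and "Load-balancing methods", replayed on the Figure 724 scenario as an added illustrative model (this is not the AC's own code). The gap definition (a radio's load minus the lowest load among the radios it is balanced against), the per-client deny counter, and the radio names are assumptions.

```python
"""Added example (not from the HP guide): a model of session-mode load
balancing. The same rule serves AP-based, radio-based and group-based
balancing; only the set of radios compared against each other differs.

Assumptions: load is the number of associated clients; the gap is this
radio's load minus the lowest load among the radios it is balanced against;
denials are counted per client MAC address.
"""
from collections import defaultdict


class SessionLoadBalancer:
    def __init__(self, max_sessions, max_gap, max_denials):
        self.max_sessions = max_sessions  # maximum session threshold
        self.max_gap = max_gap            # maximum session gap
        self.max_denials = max_denials    # denials tolerated before accepting anyway
        self.sessions = {}                # radio name -> associated clients
        self.denials = defaultdict(int)   # client MAC -> times denied so far

    def add_radio(self, name, clients=0):
        self.sessions[name] = clients

    def gap(self, radio):
        """Difference between this radio's load and the least-loaded radio."""
        return self.sessions[radio] - min(self.sessions.values())

    def is_balancing(self, radio):
        """A radio starts load balancing only when both the maximum session
        threshold and the maximum gap have been reached."""
        return (self.sessions[radio] >= self.max_sessions
                and self.gap(radio) >= self.max_gap)

    def associate(self, radio, client_mac):
        """Return True if the radio accepts the association request."""
        if self.is_balancing(radio):
            if self.denials[client_mac] <= self.max_denials:
                # Still within the tolerated number of denials: reject so the
                # client tries another radio.
                self.denials[client_mac] += 1
                return False
            # Denied more than max_denials times: the client is assumed to be
            # unable to reach any other radio, so it is accepted despite the load.
        self.sessions[radio] += 1
        self.denials.pop(client_mac, None)
        return True


def figure_724_scenario():
    """Replay the guide's scenario: AP 1 has 1 client, AP 2 has 5, maximum
    sessions 5, maximum gap 4; Client 7 asks AP 2 first and then AP 1.
    Returns the two decisions (expected: AP 2 rejects, AP 1 accepts)."""
    lb = SessionLoadBalancer(max_sessions=5, max_gap=4, max_denials=2)
    lb.add_radio("AP 1", clients=1)
    lb.add_radio("AP 2", clients=5)
    return (lb.associate("AP 2", "client7"), lb.associate("AP 1", "client7"))


if __name__ == "__main__":
    print(figure_724_scenario())
```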

Configuring the AC to accept APs with a different software version
An AP is a zero-configuration device. It can automatically discover an AC after it is powered on. To make
sure an AP can associate with an AC, their software versions must be consistent by default, which
complicates maintenance. This task allows the AC to accept APs with a different software version.

Upgrading APs
An improper AP version can cause network problems when you upgrade versions for a large amount of
APs at one time. To avoid the problem, you can upgrade a single AP, a group of APs, and all APs as
needed.
You can configure the version upgrade function on the Advanced > AP Setting, AP > AP Group, and AP >
AP Setting pages. The configuration priorities on these pages are in ascending order. If this function is
not configured on one of the pages, configuration with a lower priority is used. For example, if this
function is not configured on the AP > AP Setting page, the AP uses the configuration on the AP > AP
Group page. If this function is not configured on the AP > AP Group page either, the AP uses the
configuration on the Advanced > AP Setting page.
If the version upgrade function is disabled, the AP and the AC establish a tunnel with each other without
checking their versions.
If the version upgrade function is enabled, the AC checks the AP's version before establishing a tunnel.
If their versions are different, the AP downloads a new version from the AC and restarts.

NOTE:
If you enable the version upgrade function on the AC after an AC-AP tunnel has been established, restart
the AP manually so that the AP can automatically download a new version from the AC.

Switching to fat AP
You can switch the working mode of an AP between the fit mode and the fat mode.

Wireless location
Wireless location is a technology to locate, track and monitor specified devices by using WiFi-based
Radio Frequency Identification (RFID) and sensors. With this function enabled, APs send Tag or MU
messages to a location server, which performs location calculation and then sends the data to the
graphics software. You can get the location information of the assets by maps, forms, or reports.
Meanwhile, the graphics software provides the search, alert and query functions to facilitate your
operations.
Wireless location can be applied to medical monitoring, asset management, and logistics, helping users
effectively manage and monitor assets.

Architecture of the wireless location system
A wireless location system is composed of three parts: devices or sources to be located, location
information receivers, and location systems.
• Devices or sources to be located include Tags (small, portable RFID devices from a location server
vendor, which are usually placed on or glued to the assets to be located) and MUs (Mobile Units,
which are wireless terminals or devices running 802.11). Tags and MUs send wireless messages
periodically.
• Location information receivers include 802.11 APs.
• Location systems include the location server, calculation software of a location server company, and
different types of graphics software.

Wireless location method


Before locating wireless devices, configure a wireless location method in either of the following methods
so that the AP can get an IP address of the location server:
• Dynamic wireless location—The AP gets an IP address of the location server from packets sent from
the location server. Only location servers of AeroScout support this method.
• Static wireless location—An IP address of the location server is manually configured on the AC.

Wireless locating process


A wireless location system can locate wireless clients, APs, rogue APs, rogue clients, Tags and other
devices supporting WLAN protocols. All wireless devices except Tags will be identified as MUs by the
wireless location system.
1. Send Tag and MU messages:
A Tag message is a message sent by an RFID. A Tag message contains the channel number so that
an AP can filter Tag messages whose channel numbers are not consistent with the AP's operating
channel. To make sure more Tags can be detected by the AP, a Tag sends messages on different
channels. A Tag periodically sends messages on one or multiple pre-configured channels, and
then periodically sends location messages on channels 1, 6, and 11, in turn.
MU messages are sent by standard wireless devices. An MU message does not contain the
channel number, so an AP cannot filter MU messages whose channel numbers are not consistent
with the AP's operating channel or illegal packets. The filtering is done by the location server,
according to a certain algorithm and certain rules.
2. Collect Tag and MU messages:
The working mode of an AP determines how it collects Tag and MU messages.
When the AP operates in normal mode and is bound to an enabled wireless service, it can
locate wireless clients associated or not associated with it or other wireless devices, including
Tags. The wireless location system considers wireless clients associated with the AP as wireless
clients, and considers wireless clients or other wireless devices not associated with the AP as
unknown devices.
When the AP operates in normal mode and is not bound to any wireless service or the wireless
service is disabled, it can only locate wireless clients not associated with it or other wireless
devices.
When the AP operates in monitor mode or hybrid mode, it can locate wireless clients or other
wireless devices that are not associated with it. HP does not recommend this mode because
frequent channel change might affect Tag locating performance.

NOTE:
• For more information about monitor mode and hybrid mode, see "Configuring WLAN security."
• An AP operates in normal mode when it functions as a WLAN access point. For more information,
see "Configuring access services."

After these processes complete, the AP begins to collect Tag and MU messages.


Upon receiving Tag messages (assume that the Tags mode has been configured on the AC, and
the location server has notified the AP to report Tag messages), the AP checks the Tag messages,
encapsulates those passing the check, and reports them to the location server. The AP
encapsulates Tag messages by copying all the information (including the message header and
payload) except the multicast address, and adding the BSSID, channel, timestamp, data rate,
RSSI, SNR, and radio mode of the radio on which the relevant Tag messages were received.
Upon receiving MU messages (assume that the MUs mode has been configured on the AC, and
the location server has notified the AP to report MU messages), the AP checks the messages,
encapsulates those that pass the check, and reports the messages to the location server. The AP
encapsulates an MU message by copying its source address, Frame Control field, and
Sequence Control field, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and
radio mode of the radio on which the relevant MU messages were received.
3. Calculate the locations of Tags or MUs:
After receiving Tag and MU messages from APs, the location server uses an algorithm to calculate
the locations of the Tag and MU devices according to the RSSI, SNR, radio mode, and data rate
carried in the messages, and displays the locations on the imported map. Typically, a location
server can calculate the locations if more than 3 APs report Tag or MU messages.

Wireless location protocols


An AP supports the following wireless location protocols:
• AeroScout protocol—A protocol made by AeroScout for communications between location servers
and APs. It supports both dynamic and static wireless location methods.
• General wireless location protocol—A protocol made by HP for communications between location
servers and APs. It supports only the static wireless location method.

Wireless sniffer
In a wireless network, it is difficult to locate signal interference or packet collision by debugging
information or terminal display information of WLAN devices. To facilitate the troubleshooting, configure
an AP as a packet sniffer to listen to, capture, and record wireless packets. The sniffed packets are
recorded in the .dmp file for troubleshooting.
As shown in Figure 726, enable wireless sniffer on the Capture AP. The Capture AP is able to listen to the
wireless packets in the network. Administrators can download the .dmp file to the PC and make further
analysis.
The device supports the following wireless sniffer methods:
• Radio-based—If you enable WLAN sniffer on a radio of the AP, the radio can capture control,
management, and data packets that it can monitor on its working channel.
• Client-based—You can use this method to capture management, control, and data packets sent or
received by specified clients. The packets contain client connection or status update information.
Figure 726 Network diagram

AP provision
AP provision enables you to configure network settings for fit APs on the AC. The AC automatically
assigns these settings to the fit APs in run state over tunnel connections. The settings are stored in the
proprietary configuration file on each AP and take effect after the AP restarts. This feature avoids
configuring network settings for APs one by one from a terminal, reducing the work load in large WLAN
networks.

Band navigation
The 2.4 GHz band is often congested. Band navigation enables APs to accept dual-band (2.4 GHz and
5 GHz) clients on their 5 GHz radio, increasing overall network performance.
When band navigation is enabled, the AP directs clients to its 2.4 GHz or 5 GHz radio by following
these principles:
• For a 2.4 GHz client, the AP associates with the client after rejecting it several times.
• For a dual-band client, the AP directs the client to its 5 GHz radio.
• For a 5 GHz client, the AP associates with the client on its 5 GHz radio.
The AP verifies the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is
lower than the specified value, the AP does not direct the client to the 5 GHz band.
If the number of clients on the 5 GHz radio reaches the upper limit, and the gap between the number of
clients on the 5 GHz radio and that on the 2.4 GHz radio reaches the upper limit, the AP denies the
client’s association to the 5 GHz radio and allows new clients to associate with the 2.4 GHz radio. If a
client has been denied more than the maximum number of times on the 5 GHz radio, the AP considers
that the client is unable to associate with any other AP, and it allows the 5 GHz radio to accept the client.
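The following Python model, added here as an illustration and not taken from the HP guide or from the product software, walks through the band navigation rules above for the three client types. The guide names the settings (RSSI check, client upper limit on the 5 GHz radio, client-count gap, maximum denial count) but not their values, so the numbers and client MAC addresses below are constructed placeholders.

```python
"""Model of the band navigation decision described above.

Added example, not code from the HP guide. The threshold values are
constructed placeholders; the guide does not state the real limits.
"""
from dataclasses import dataclass, field


@dataclass
class BandNavigationAP:
    rssi_threshold: int = -75   # dBm (constructed): weaker dual-band clients stay on 2.4 GHz
    max_5g_clients: int = 20    # constructed upper limit of clients on the 5 GHz radio
    max_gap: int = 8            # constructed upper limit of (5 GHz clients - 2.4 GHz clients)
    max_denial: int = 3         # constructed maximum denial count
    clients_5g: int = 0
    clients_2g: int = 0
    denials: dict = field(default_factory=dict)   # client MAC -> times denied on 5 GHz

    def five_ghz_overloaded(self) -> bool:
        """Both conditions from the text must hold: client limit and gap limit reached."""
        gap = self.clients_5g - self.clients_2g
        return self.clients_5g >= self.max_5g_clients and gap >= self.max_gap

    def associate(self, mac: str, capability: str, rssi: int) -> str:
        """Return the band the AP accepts the client on ('2.4' or '5') or 'deny'.

        capability is '2.4' (2.4 GHz only), '5' (5 GHz only) or 'dual'.
        """
        if capability == "2.4":
            # A 2.4 GHz-only client ends up on 2.4 GHz. The guide says the AP
            # first rejects it several times; that delay is not modelled here.
            self.clients_2g += 1
            return "2.4"
        if capability == "dual" and rssi < self.rssi_threshold:
            # Dual-band client too weak for a good 5 GHz link: do not steer it.
            self.clients_2g += 1
            return "2.4"
        if self.five_ghz_overloaded():
            count = self.denials.get(mac, 0) + 1
            self.denials[mac] = count
            if count <= self.max_denial:
                if capability == "dual":
                    self.clients_2g += 1      # steered to the 2.4 GHz radio instead
                    return "2.4"
                return "deny"                 # 5 GHz-only client: denied this time
            # Denied more than max_denial times: the AP assumes no other AP can
            # serve the client and lets the 5 GHz radio accept it anyway.
        self.clients_5g += 1
        self.denials.pop(mac, None)
        return "5"
```

Feeding a few association attempts into `BandNavigationAP.associate()` shows the two escape hatches in the rule set: a weak dual-band client is never steered, and a client that keeps being denied on 5 GHz is eventually accepted there.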

VLAN pool
A VLAN pool comprises a group of VLANs. It can assign VLAN IDs only to wireless clients.
Multicast optimization
WLAN selects the lowest transmit rate for multicast packets and provides no multicast retransmission
mechanism. Therefore, WLAN cannot meet the requirements of some multicast applications that are not
delay-sensitive but are data-integrity sensitive, such as HD VoD. The multicast optimization feature can
solve these problems by enabling APs to convert multicast packets to unicast packets, so WLAN can
provide retransmission service and higher transmit rates for the converted unicast packets.
Unless otherwise specified, the unicast packets in this chapter refer to the wireless unicast packets that
have the priority of video.
Figure 727 Multicast data transmission when multicast optimization is enabled
[Diagram: Source, AC, Switch, AP, Client 1, Client 2, Client 3; legend: multicast stream, unicast stream]
With multicast optimization enabled, the AP listens to the IGMP reports and leave messages sent by
clients. When the AP receives an IGMP report, it adds or updates a multicast optimization entry and
updates the multicast source addresses allowed by the client (for IGMPv3 and MLDv2 packets). When
the AP receives an IGMP leave message or when a multicast optimization entry ages out, the AP removes
the entry. When the AP is disconnected from the AC, or when multicast optimization is disabled, all
multicast optimization entries are removed.
After creating multicast entries, the AP listens to non-IGMP and non-MLD multicast packets sent from the
multicast source to clients, and matches the multicast address of the packets to the multicast optimization
entries. If a match is found, the AP converts the multicast packets to unicast packets and sends the unicast
packets to all the clients in the multicast entries. If no match is found, the AP directly sends the multicast
packets.
To avoid performance degradation, you can configure the maximum number of clients that multicast
optimization can support. When the maximum number is reached, the AC takes either of the following
actions, depending on which one is configured:
• Halt—A new client can join a multicast group and receive multicast packets, and a multicast
optimization entry can be created for the client. However, the multicast optimization function for all
clients in the multicast group becomes invalid. When the number of clients drops below the upper
limit, the multicast optimization function takes effect again.
• Reject-client—A new client can join a multicast group, but no new multicast optimization entries can
be created. If multicast optimization entries have been created for other clients in the multicast group,
the client cannot receive multicast packets. Otherwise, the client can receive multicast packets.

NOTE:
If you configure Halt first, and then configure Reject-client, the existing multicast optimization entries still
take effect.
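The following Python model, added here as an illustration and not taken from the HP guide or from the product software, tracks multicast optimization entries the way the text describes: entries are created from IGMP reports, removed on IGMP leave or ageing, cleared when the AC connection drops, and used to decide whether a group packet goes out as unicast copies or as one multicast frame. The Halt and Reject-client behaviours at the client limit are both implemented. Group addresses, client names and the limit are constructed sample values.

```python
"""Model of the multicast optimization entry handling described above.

Added example, not code from the HP guide. Group addresses, client
names and the client limit are constructed sample values.
"""
from __future__ import annotations

from collections import defaultdict


class MulticastOptimizer:
    """Multicast optimization entries on one AP.

    overflow is 'halt' or 'reject-client', the two behaviours the guide
    describes for when the configured maximum number of clients is reached.
    """

    def __init__(self, max_clients: int, overflow: str = "halt"):
        if overflow not in ("halt", "reject-client"):
            raise ValueError("overflow must be 'halt' or 'reject-client'")
        self.max_clients = max_clients
        self.overflow = overflow
        self.entries = defaultdict(set)   # group address -> clients with an entry
        self.halted = set()               # groups whose optimization is suspended (Halt)

    def client_count(self) -> int:
        """Distinct clients that currently have an optimization entry."""
        return len(set().union(*self.entries.values()))

    def igmp_report(self, client: str, group: str) -> str:
        """Process an IGMP report (join); returns what happened to the entry."""
        if client in self.entries.get(group, set()):
            return "updated"
        if self.client_count() >= self.max_clients:
            if self.overflow == "reject-client":
                return "no-entry"        # client joins, but no entry is created
            # Halt: the entry is created, but optimization for the whole group
            # is suspended until the client count drops below the limit again.
            self.halted.add(group)
        self.entries[group].add(client)
        return "created"

    def igmp_leave(self, client: str, group: str) -> None:
        """Process an IGMP leave (or entry ageing): remove the entry."""
        self.entries[group].discard(client)
        if not self.entries[group]:
            del self.entries[group]
        if self.client_count() < self.max_clients:
            self.halted.clear()          # optimization takes effect again

    def clear(self) -> None:
        """AC connection lost or optimization disabled: drop all entries."""
        self.entries.clear()
        self.halted.clear()

    def forward(self, group: str) -> list[tuple[str, str]]:
        """Decide how a data packet addressed to `group` is sent over the air.

        Returns one ('unicast', client) per client with an entry when the
        group address matches an active entry, else a single ('multicast', group).
        """
        clients = self.entries.get(group)
        if clients and group not in self.halted:
            return [("unicast", c) for c in sorted(clients)]
        return [("multicast", group)]
```

The test sequence drives a two-client limit through both modes: in Halt mode the third join suspends unicast conversion for the group until enough clients leave, while in Reject-client mode the extra client simply gets no entry and therefore no copy of the stream.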
Guest access tunnel
A guest access tunnel redirects guest traffic to the external network of a company, providing WLAN
access for guests and ensuring data security in the external network at the same time.
The guest access tunnel function is realized through an aggregation AC and an edge AC. The edge AC
is deployed in the internal network to provide access and authentication services to internal users. The
aggregation AC is deployed in the external network to process guest traffic. After a guest access tunnel
is established between the edge AC and aggregation AC, guests get online through the specified guest
VLAN, and guest traffic is forwarded to the aggregation AC.
Guest access tunnels support NAT traversal. If a NAT device is deployed between the edge AC and the
aggregation AC, a guest access tunnel can still be established.
Figure 728 Network diagram

Bonjour gateway
Bonjour is a set of zero configuration network protocols developed by Apple Inc. based on Multicast DNS
(mDNS) services. Bonjour is designed to make network configuration easier for users. It enables Apple
devices to automatically advertise service information and enables clients to automatically discover
Apple devices without obtaining information about the devices.
However, Bonjour supports only link-local multicast addresses. To address this issue, the AC can act as
a Bonjour gateway to manage clients and devices providing services and forward mDNS packets across
VLANs, enabling Bonjour to be applied in large scale networks.

Benefits
Bonjour gateway provides the following benefits:
• mDNS traffic control.
• User-defined Bonjour policies to restrict services that can be used by clients.
• Inter-VLAN forwarding of mDNS packets, enhancing network availability.
• Bonjour policy application in views of multiple levels.
Working mechanism

IMPORTANT:
• The Bonjour gateway discards queries received from the wired network.
• The Bonjour gateway filters queries and responses according to user-defined Bonjour policy. For more
information, see "Configuring a Bonjour policy."

• Bonjour service advertisement snooping


The service devices send Bonjour responses to advertise their supporting services. Upon receiving
the Bonjour responses, the AC creates a service-device mapping table to store service information
about the service devices. When a client queries for a service, the Bonjour gateway searches the
service-device mapping table and sends a response to the client.
As shown in Figure 729, Bonjour service advertisement snooping operates as follows:
a. Apple TV and Print send Bonjour responses to advertise their supporting services.
b. Upon receiving the Bonjour responses, the AC creates a service-device mapping table to store
service information about Apple TV and Print.
c. iPad queries for the service of Apple TV or Print and the AC sends a response to iPad.
Figure 729 Bonjour service advertisement snooping

• Bonjour query snooping and response


When a client queries for a service that is not in the service-device mapping table, the Bonjour
gateway forwards the query. After receiving a response, the Bonjour gateway adds the service
information to the service-device mapping table and forwards the response to the client.
As shown in Figure 730, Bonjour query snooping and response operates as follows:
a. iPad queries for the printing service, and the AP sends the query to the AC through the
CAPWAP tunnel.
b. The AC forwards the query to the configured VLANs because it does not find any printing
service entry in the service-device mapping table.
c. Upon receiving the query, the print service sends a response to the AC.
d. The AC adds the service information to the service-device mapping table and forwards the
response to iPad.
Next time when a client queries the printing service, the AC can respond by searching the
service-device mapping table.
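The following Python model, added here as an illustration and not taken from the HP guide or from the product software, reproduces the service-device mapping table behaviour of the two mechanisms above: responses are snooped into the table, queries from the wired network are discarded, queries are filtered against a policy, a cache hit is answered from the table, and a miss is forwarded to the configured VLANs. The service names, device names and VLAN IDs are constructed sample values, and the allow-list stands in for the guide's user-defined Bonjour policy.

```python
"""Model of the Bonjour gateway service-device mapping table described above.

Added example, not code from the HP guide. Service names, device names and
VLAN IDs are constructed; the allow-list is a stand-in for a Bonjour policy.
"""
from dataclasses import dataclass, field


@dataclass
class ServiceEntry:
    service: str   # mDNS service type, e.g. "_ipp._tcp.local" (constructed)
    device: str    # advertising device
    vlan: int      # VLAN the advertisement was received on


@dataclass
class BonjourGateway:
    forward_vlans: list      # VLANs to which unresolved queries are forwarded
    allowed_services: set    # services clients may use (simplified Bonjour policy)
    table: dict = field(default_factory=dict)   # service -> [ServiceEntry]

    def snoop_response(self, service: str, device: str, vlan: int) -> bool:
        """Learn a service from a Bonjour advertisement or response.

        Returns True when a new service-device mapping was stored.
        """
        if service not in self.allowed_services:
            return False                          # response filtered by policy
        entries = self.table.setdefault(service, [])
        if any(e.device == device and e.vlan == vlan for e in entries):
            return False                          # already known
        entries.append(ServiceEntry(service, device, vlan))
        return True

    def handle_query(self, service: str, from_wired: bool = False) -> tuple:
        """Process a client query.

        Returns ('drop', reason), ('answer', [ServiceEntry, ...]) when the
        table already holds the service, or ('forward', [vlan, ...]) when
        the query must be forwarded to the configured VLANs.
        """
        if from_wired:
            return ("drop", "wired query")        # queries from the wired side are discarded
        if service not in self.allowed_services:
            return ("drop", "denied by policy")
        entries = self.table.get(service)
        if entries:
            return ("answer", list(entries))
        return ("forward", list(self.forward_vlans))
```

The test follows Figure 730: the first printing query misses and is forwarded, the printer's response is snooped into the table, and the next query for the same service is answered directly from the mapping table.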
Figure 730 Bonjour query snooping and response

Configuring WLAN advanced settings


Setting a country/region code
1. Select Advanced > Country/Region Code from the navigation tree.
Figure 731 Setting a country/region code

2. Configure a country/region code as described in Table 226.


3. Click Apply.
Table 226 Configuration items

Item Description
Country/Region Code: Select a country/region code. Configure the valid country/region code for a WLAN device to meet the country regulations. If the list is grayed out, the setting is preconfigured to meet the requirements of the target market and is locked. It cannot be changed.

If you do not specify a country/region code for an AP, the AP uses the global country/region code
configured on this page. If an AP is configured with a country/region code, the AP uses its own country
code. For information about how to specify the country/region code for an AP, see "Configuring APs."
Some ACs and APs have fixed country/region codes. The codes to be used are determined as follows:
• An AC's fixed country/region code cannot be changed, and all managed fit APs whose
country/region codes are not fixed must use the AC's fixed country/region code.
• A fit AP's fixed country/region code cannot be changed, and the fit AP can only use the
country/region code.
• If an AC and a managed fit AP use different fixed country/region codes, the fit AP uses its own fixed
country/region code.

Configuring 1+1 AC backup


Configuring an AP connection priority
1. Select AP > AP Setup from the navigation tree.
2. Click the icon for the target AP.
3. Expand the Advanced Setup area.
Figure 732 Configuring an AP connection priority

4. Configure an AP connection priority as described in Table 227.


5. Click Apply.
Table 227 Configuration items

Item Description
AP Connection Priority Set the priority for the AP connection to the AC.

Configuring 1+1 AC backup


1. Select Advanced > AC Backup from the navigation tree.
Figure 733 Configuring AC backup

2. Configure an IP address for the backup AC as described in Table 228.


3. Click Apply.
Table 228 Configuration items

Item Description
IPv4: Enter the IPv4 address of the backup AC.
IPv6: Enter the IPv6 address of the backup AC.
For both IPv4 and IPv6:
• If the backup AC is configured on the page you enter by selecting AP > AP Setup, the configuration on this page is used first. For more information, see "Configuring APs."
• The access mode configuration on the two ACs must be the same.
• Specify the IP address of one AC on the other AC in an AC backup.
• Support for AC backup varies with the device model. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products."
Switch Delay: Delay time for the AP to switch from the backup AC to the primary AC.
Configuring 1+1 fast backup
1. Select Advanced > AC Backup from the navigation tree to enter the page shown in Figure 733.
2. Configure fast backup as described in Table 229.
3. Click Apply.
Table 229 Configuration items

Item Description
Fast Backup Mode:
• disable—Disable fast backup.
• enable—Enable fast backup.
By default, fast backup is disabled.
Hello Interval: Heartbeat interval for an AC connection. If no heartbeat is received during three consecutive intervals, the device considers the peer down. The value range varies with devices. For more information, see "About the Web-based configuration guide for HP unified wired-WLAN products."
VLAN ID: ID of the VLAN to which the port where the backup is performed belongs.
Backup Domain ID: ID of the domain to which the AC belongs.

NOTE:
• Support for 1+1 fast backup varies with the device model. For more information, see "About the
Web-based configuration guide for HP unified wired-WLAN products."
• For the 11900/10500/7500 20G unified wired-WLAN module, if the heartbeat interval is less than
1000 milliseconds and the two Ten-GigabitEthernet interfaces are aggregate interfaces, do not
shut down either of the two interfaces.

Displaying status information for 1+1 fast backup


1. Select Advanced > AC Backup from the navigation tree.
2. Click the Status tab.
Figure 734 Status information

Table 230 Field description

Field Description
AP Name: Display the AP connecting to the AC.
Status: Current status of the AC.
Vlan ID: ID of the VLAN to which the port belongs.
Domain ID: Domain to which the AC belongs.
Link State: Link status of the AC connection:
• Close—No connection is established.
• Init—The connection is being set up.
• Connect—The connection has been established.
Peer Board MAC: MAC address of the peer AC.
Peer Board State: Status of the peer AC:
• Normal—The peer AC is normal.
• Abnormal—The peer AC is malfunctioning.
• Unknown—No connection is present.
Hello Interval: Heartbeat interval for an AC connection.

Configuring 1+N AC backup


Configuring an AP connection priority
1. Select AP > AP Setup from the navigation tree.
2. Click the icon for the target AP.
3. Expand Advanced Setup to enter the page as shown in Figure 732.
4. Configure a connection priority as described in Table 227.
5. Click Apply.

Configuring 1+N AC backup


1. Select AP > AP Setup from the navigation tree.
2. Click the icon for the target AP.
3. Expand Advanced Setup.
Figure 735 Configuring 1+N AC backup

4. Configure 1+N backup as described in Table 231.


5. Click Apply.
Table 231 Configuration items

Item Description
Backup AC IPv4 Address: Set the IPv4 address of the backup AC.
Backup AC IPv6 Address: Set the IPv6 address of the backup AC.
For both addresses: If the global backup AC is also configured on the page you enter by selecting Advanced > AC Backup, the configuration on this page is used first.

Configuring client information backup


Before performing this task, establish an IACTP tunnel (see "Configuring WLAN roaming") and
configure AC backup (see "Configuring 1+1 AC backup") on the two ACs.
By default, client information backup is disabled. HP recommends that you enable client information
backup after the configuration of 1+1 AC backup and IACTP tunnel. 1+1 AC backup takes effect only if
client information backup is enabled on both ACs.
To configure client information backup:
1. Select Advanced > AC Backup from the navigation tree.
You are placed on the Setup tab. See Figure 733.
2. Select Enable to the right of Backup Client Information.
3. Click Apply.

Configuring continuous transmitting mode


1. Select Advanced > Continuous Transmit from the navigation tree.
Figure 736 Configuring continuous transmitting mode

2. Click the icon for the target radio. The transmission rate varies with radio mode.
When the radio mode is 802.11a/b/g, the page shown in Figure 737 appears. Select a
transmission rate from the list.
Figure 737 Selecting a transmission rate (802.11a/b/g)
When the radio mode is 802.11n, the page shown in Figure 738 appears. Select an MCS index
value to specify the 802.11n transmission rate. For more information about MCS, see
"Configuring radios."
Figure 738 Selecting an MCS index (802.11n)

When the radio mode is 802.11ac, the page shown in Figure 739 appears. Select a VHT MCS
index value and a VHT NSS index value to specify the 802.11ac transmission rate. For more
information about VHT MCS and VHT NSS, see "Configuring radios."
Figure 739 Transmission rate (802.11ac)

3. Click Apply.
4. To stop the continuous transmitting mode:
Click the icon for the target radio.
Or, select the target radio and click Stop.
After the continuous transmit is stopped, the transmission rate value on the page shown in Figure
737 is displayed as 0.

NOTE:
When continuous transmit is enabled, do not perform any operations other than transmission rate
configuration.

Configuring a channel busy test


1. Select Advanced > Channel Busy Test from the navigation tree.
Figure 740 Configuring a channel busy test
2. Click the icon for the target AP.
Figure 741 Testing busy rate of channels

3. Configure channel busy test as described in Table 232.


4. Click Start to start the testing.
Table 232 Configuration items

Item Description
AP Name Display the AP name.

Radio Unit Display the radio unit of the AP.

Radio Mode Display the radio mode of the AP.

Test Time Per Channel Set a time period in seconds within which a channel is tested.

NOTE:
• During a channel busy test, the AP does not provide any WLAN services. All the connected clients are
disconnected.
• Before the channel busy test completes, do not start another test for the same channel.

Configuring load balancing


Band navigation and load balancing can be used simultaneously.

Configuration prerequisites
Before you configure load balancing, make sure of the following:
• The target APs are associated with the same AC.
• The clients can find the APs.
• The fast association function is disabled. By default, the fast association function is disabled. For
more information about fast association, see "Configuring access services."

Recommended configuration procedure

Task Remarks
1. Configuring a load balancing mode: N/A
2. Configuring group-based load balancing: HP recommends that you complete Configuring a load balancing mode first. A load balancing group takes effect only when a load balancing mode is configured.
3. Configuring parameters that affect load balancing: Optional. This configuration takes effect for both AP-based load balancing and radio group-based load balancing.

Configuring a load balancing mode


If the AC has a load balancing mode configured but has no load balancing group created, it uses
AP-based load balancing by default.
1. Configure session-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. Select Session from the Load Balance Mode list.
c. Click Apply.
Figure 742 Setting session-mode load balancing

Table 233 Configuration items

Item Description
Load Balance Mode: Select Session. The function is disabled by default.
Threshold: Load balancing is carried out for a radio when the session threshold and session gap threshold are reached.
Gap: Load balancing is carried out for a radio when the session threshold and session gap threshold are reached.
2. Configure traffic-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. Select Traffic from the Load Balance Mode list.
c. Click Apply.
Figure 743 Setting traffic-mode load balancing

Table 234 Configuration items

Item Description
Load Balance Mode: Select Traffic. The function is disabled by default.
Traffic: Load balancing is carried out for a radio when the traffic threshold and traffic gap threshold are reached.
Gap: Load balancing is carried out for a radio when the traffic threshold and traffic gap threshold (the traffic gap between the two APs) are reached.

NOTE:
The maximum throughput for 802.11g/802.11a, 802.11b, and 802.11n is 30 Mbps, 7 Mbps, and
250 Mbps, respectively.

Configuring group-based load balancing


HP recommends that you complete Configuring a load balancing mode on the Load Balance tab. A load
balancing group takes effect only when a load balancing mode is configured.
To configure group-based load balancing:
1. Select Advanced > Load Balance from the navigation tree.
2. Click the Load Balance Group tab.
3. Click Add.
Figure 744 Configuring a load balancing group

4. Configure a load balancing group as described in Table 235.


5. Click Apply.
Table 235 Configuration items

Item Remarks
Group ID: Display the ID of the load balancing group.
Description: Configure a description for the load balancing group. By default, the load balancing group has no description.
Radio List:
• In the Radios Available area, select the target radios, and then click << to add them to the Radios Selected area.
• In the Radios Selected area, select the radios to be removed, and then click >> to remove them from the load balancing group.

Configuring parameters that affect load balancing


1. Select Advanced > Load Balance from the navigation tree. See Figure 742.
2. Configure parameters that affect load balancing as described in Table 236.
3. Click Apply.
Table 236 Configuration items

Item Remarks
Max Denial Count: Maximum denial count of client association requests. If a client has been denied more than the specified maximum times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.
RSSI Threshold: Load balancing RSSI threshold. A client may be detected by multiple APs. An AP considers a client whose RSSI is lower than the load balancing RSSI threshold to be not detected. If only one AP can detect the client, the AP increases the access probability for the client even if it is overloaded.
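The following Python model, added here as an illustration and not taken from the HP guide or from the product software, puts the session-mode and traffic-mode thresholds (Tables 233 and 234) together with the Max Denial Count and RSSI Threshold parameters (Table 236) into one association decision for a radio in a load balancing group. Radio names, threshold values and the per-radio RSSI reports are constructed sample values. One assumption is made that the guide does not spell out: the gap threshold is measured between the candidate radio and the least-loaded radio in the same group.

```python
"""Model of the load balancing decision described in Tables 233, 234 and 236.

Added example, not code from the HP guide. Radio names, thresholds and
RSSI reports are constructed; the gap is assumed to be measured against
the least-loaded radio in the group.
"""
from dataclasses import dataclass, field


@dataclass
class Radio:
    name: str
    sessions: int = 0          # current client sessions (session mode)
    traffic_mbps: float = 0.0  # current traffic (traffic mode)


@dataclass
class LoadBalancer:
    mode: str                  # "session" or "traffic" (Load Balance Mode)
    threshold: float           # session or traffic threshold
    gap: float                 # session or traffic gap threshold
    max_denial: int            # Max Denial Count
    rssi_threshold: int        # RSSI Threshold in dBm (constructed unit)
    radios: dict = field(default_factory=dict)    # name -> Radio in the group
    denials: dict = field(default_factory=dict)   # client -> times denied

    def add_radio(self, radio: Radio) -> None:
        """Add a radio to the load balancing group (Radio List in Table 235)."""
        self.radios[radio.name] = radio

    def _load(self, radio: Radio) -> float:
        return radio.sessions if self.mode == "session" else radio.traffic_mbps

    def is_overloaded(self, name: str) -> bool:
        """Load balancing is carried out only when both the threshold and the gap are reached."""
        load = self._load(self.radios[name])
        lightest = min(self._load(r) for r in self.radios.values())
        return load >= self.threshold and load - lightest >= self.gap

    def should_accept(self, name: str, client: str, detections: dict) -> bool:
        """Decide whether radio `name` accepts an association request from `client`.

        detections maps radio name -> RSSI at which that radio hears the client.
        Radios hearing the client below the RSSI threshold count as not detecting it.
        """
        detecting = {n for n, rssi in detections.items() if rssi >= self.rssi_threshold}
        if len(detecting) <= 1:
            # Only one AP can detect the client: accept even if overloaded
            # (the guide says the AP raises the access probability; modelled as accept).
            return True
        if not self.is_overloaded(name):
            self.denials.pop(client, None)
            return True
        count = self.denials.get(client, 0) + 1
        self.denials[client] = count
        if count > self.max_denial:
            # Denied more than Max Denial Count times: assume no other AP can serve it.
            self.denials.pop(client, None)
            return True
        return False
```

The checks below exercise an overloaded radio in session mode (deny, deny, then accept once the denial count is exceeded), a client heard above the RSSI threshold by only one radio, and a traffic-mode radio that is over its threshold but not over the gap.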

Configuring AP
Upgrading AP version
1. Select Advanced > AP from the navigation tree.
2. On the AP Module tab, select Enable.
3. Click Apply.

NOTE:
You can configure the version upgrade function on the Advanced > AP Setting, AP > AP Group, and AP >
AP Setting pages to upgrade a single AP, a group of APs, and all APs as needed. See "Upgrading APs."

Figure 745 Upgrading AP version

Configuring the AC to accept APs with a different software version


1. Select Advanced > AP from the navigation tree.
2. On the AP Module tab, select the desired AP.
3. Click Version Set.
4. Configure AP settings as described in Table 237.
5. Click Apply.
Table 237 Configuration items

Item Description
AP Model: Display the selected AP model.
Software Version: Enter the software version of the AC in the correct format.

Switching to fat AP
1. Select Advanced > AP Setup from the navigation tree.
2. Click the Switch to Fat AP tab.
3. Select the desired AP.
4. Click Switch to Fat AP to perform AP working mode switchover.

NOTE:
Before you switch the work mode, you must download the fat AP software to the AP.

Configuring wireless location


1. Select Advanced > Wireless Location from the navigation tree.
Figure 746 Configuring wireless location

2. Configure wireless location as described in Table 238.


3. Click Apply.
Table 238 Configuration items

Item Description
Location Function:
• Enable—Enable the wireless location function. The device begins to listen to packets when wireless location is enabled.
• Disable—Disable wireless location.
To ensure the location function, complete the configuration on the location server and AC:
• On the location server—Configure whether to locate Tags or MUs, Tag message multicast address, and dilution factor on the location server. These settings will be notified to the APs through the configuration message. For more information about location server and configuration parameters, see the location server manuals.
• On the AC—Configure the AP mode settings, and enable the wireless location function.
When configurations are made correctly, APs wait for the configuration message sent by the location server. After receiving that message, the APs start to receive and report Tag and MU messages.
Protocol Type: Specify a wireless location protocol.
• Aero Scout—Use the AeroScout protocol.
• General—Use the general location protocol.
Address Acquisition Method: Specify a wireless location method.
• Static—Apply the static location mode.
• Dynamic—Apply the dynamic location mode.
Vendor Port: Set the vendor port number in the XML file on the AeroScout location server, in the range of 0 to 65535. By default, the port number is 1144.
Ignored Frame Type: Ignore beacon frames.
Rate Limit: Specify the rate at which the AP sends location packets to the location server, in the range of 16 to 300000 kbps.
RSSI Threshold: Specify the RSSI threshold for the location packets, in the range of 5 to 100.
Address Configuration: Specify the view in which the IP address of the location server is configured.
• AP Group Table—Configure the IP address of the location server in AP group view.
• AP Table—Configure the IP address of the location server in AP template view.
Dilution Factor: Specify the dilution factor for the location packets, in the range of 1 to 10000.
Dilution Timeout: Specify the dilution timeout for the location packets, in the range of 1 to 60 seconds.
Engine Address: Specify the IP address of the location server.

An AP reports IP address change and device reboot events to the location server so that the location
server is able to respond in time. The AP reports a reboot message according to the IP address and port
information of the location server recorded in its flash.
• The AP updates the data in the flash after receiving a configuration message. To protect the flash,
the AP does not update the flash immediately after receiving a configuration message, but waits for
10 minutes. If the AP receives another configuration message within 10 minutes, it only updates the
configuration information in the cache, and when the 10-minute timer expires, it saves the cache
information in the flash.
• If the AP reboots within 10 minutes after receiving the first configuration message, and no
configuration is saved in the flash, it does not send a reboot message to the location server.

Configuring wireless sniffer


Configuring radio-based wireless sniffer
When configuring radio-based wireless sniffer, follow these guidelines:
• Auto APs do not support wireless sniffer.
• Before you enable wireless sniffer, make sure the AP operates in run state (select Summary > AP to
verify the state of the AP). Wireless sniffer can be enabled for only one radio configured with a
fixed channel.
• Wireless sniffer can be enabled only on one radio at one time.
• The working mode of an AP cannot be changed when it is capturing packets.
• Do not enable or run wireless services for the radio with wireless sniffer enabled. Disable all
wireless services before enabling wireless sniffer.
• When the Capture AP is capturing packets and the radio on which wireless sniffer is enabled is
disabled, the AP automatically stops the sniffer operation, and the captured packets are saved to
the file with the specified name in the default storage medium. The default storage medium varies
with device models.
To configure radio-based wireless sniffer:
1. Select Advanced > Wireless Sniffer from the navigation tree.
Figure 747 Configuring radio-based wireless sniffer

2. Configure wireless sniffer as described in Table 239.


3. Select Capture Based On Radio.
4. Click Apply.
5. Click the icon for the target radio.
Table 239 Configuration items

Item Description
Capture Limit: The maximum number of packets that can be captured. If you set a new value for this option, the packets that have been captured are cleared.
IMPORTANT:
• You cannot change the value when the device is capturing packets.
• Once the limit is exceeded, the device stops capturing packets.
Filename: Name of the file to which the packets are saved. By default, the name is CaptureRecord.
IMPORTANT:
You cannot change the file name when the device is capturing packets.

Configuring client-based wireless sniffer


When configuring client-based wireless sniffer, follow these guidelines:
• Create an Ethernet frame header ACL and configure ACL rules to match the MAC address of clients
whose packets you need to capture. The match action should be permit.
• ACL rules only support source MAC address.
• For more information about ACL, see "Configuring ACL and QoS."
To configure client-based wireless sniffer:
1. Select Advanced > Wireless Sniffer from the navigation tree.
Figure 748 Configuring client-based wireless sniffer

2. Configure client-based wireless sniffer as described in Table 239.


3. Select Capture Based On ACL.
4. Click Apply.
5. Enter Ethernet frame ACL ID in the Capture ACL field.
6. Click Start.

Configuring AP provision
If you change the provision settings for an associated AP, save the settings to the proprietary
configuration file of the AP, and restart the AP to validate the new settings.

Configuring global provision information


1. Select Advanced > AP Provision from the navigation tree.
2. Click the Global Provision tab.
Figure 749 Configuring global provision information

3. Configure global provision as described in Table 240.


4. Click Apply.
Table 240 Configuration items

Item Description
AC IPv4 Address: Global IPv4 address of the AC so that all APs can discover the AC.
AC IPv6 Address: Global IPv6 address of the AC so that all APs can discover the AC.
AC Host Name: Global host name of the AC.
DNS IPv4 Address: Global IPv4 address of the DNS server.
DNS IPv6 Address: Global IPv6 address of the DNS server.
Domain Name: Global AP domain name.
IMPORTANT:
• If an item is configured on both the global provision information page and the AP provision information page, the setting on the AP provision information page applies.
• The global IPv6 address of an AC cannot be the link local address.

Configuring non provision APs


1. Select Advanced > AP Provision from the navigation tree.

2. Click the Non Provision APs tab.
Figure 750 Configuring non provision APs

3. Select the box for the target AP.


4. Configure the AP as described in Table 241.
Table 241 Configuration items

Item Description
Change to Provision AP: Select an AP and click this button to change the selected AP to a provision AP.

Delete Provision: Select an AP and click this button to delete the proprietary configuration file of the
selected AP.
IMPORTANT:
• The Delete Provision operation applies only to running APs.
• The Delete Provision operation takes effect only after you manually reboot the APs.

Configuring provision APs

CAUTION:
After you click Apply Provision on the AC, the configuration is saved to the wlan_ap_cfg.wcfg file of the
specified AP. When the wlan_ap_cfg.wcfg file takes effect, the AP can only be managed by the AC
specified on the Global Provision tab or Provision APs tab. Make sure the correct AC is specified.
Otherwise, the AP cannot be managed by the specified AC, and you have to log in to the AP to modify its
configuration.

Provision AP settings are not configurable for automatically associated APs (auto APs).
To configure provision APs:
1. Select Advanced > AP Provision from the navigation tree.
2. Click the Provision APs tab.

Figure 751 Configuring provision APs

3. Select the box for the target AP.


4. Configure the AP as described in Table 242.
Table 242 Configuration items

Item Description
Change to Non Provision AP: Select an AP and click this button to change the selected AP to a
non-provision AP.

Apply Provision: Select an AP and click this button to save the provision settings to the proprietary
configuration file of the selected AP.

Delete Provision: Select an AP and click this button to clear the proprietary configuration file of the
selected AP.

IMPORTANT:
• The Apply Provision and Delete Provision operations apply only to running APs.
• The Apply Provision and Delete Provision operations take effect only after you manually reboot the APs.
• After restart, the AP executes, in turn, its configuration file, the wlan_ap_cfg.wcfg file, and the
configuration file specified on the page you enter by selecting AP > AP Setup. Make sure all three files
are correct, because wrong configurations may make them overwrite or conflict with one another.

5. To configure AP provision settings:


a. Select Advanced > AP Provision from the navigation tree.
b. Click the Provision APs tab.
c. Click the icon for the target AP.

Figure 752 Configuring AP provision settings

6. Configure AP provision settings as described in Table 243.


7. Click Apply.
Table 243 Configuration items

Item Description
IPv4 Address: IPv4 address of the management VLAN interface of the AP.
IPv4 Mask: IPv4 address mask.
IPv6 Address: IPv6 address of the management VLAN interface of the AP.
IPv6 Prefix Length: Length of the IPv6 address prefix.
Gateway IPv4 Address: IPv4 address of the gateway.
Gateway IPv6 Address: IPv6 address of the gateway.
DNS IPv4 Address: IPv4 address of the DNS server.
DNS IPv6 Address: IPv6 address of the DNS server.
Domain Name: Domain name of the AP.

Encrypted Type: Whether the AP encrypts the control tunnel to the AC.
• IPsec: The AP encrypts the control tunnel by using IPsec.
• No Encryption: The AP does not encrypt the control and data tunnels.
By default, the AP does not encrypt the control and data tunnels. Selecting IPsec here protects only
the control tunnel; to protect client traffic as well, also enable Data Tunnel Encryption.

Data Tunnel Encryption: Enable the AP to encrypt the data tunnel by using IPsec. By default, the AP does
not encrypt the data tunnel.

IPsec Key: Select this option to configure the IPsec key used by the AP.

Initial Country Code: Initial country code used by the AP.

802.1X Client Function:
• Disable.
• Enable.
By default, the 802.1X client function is disabled.

802.1X Client Username: Username the AP uses when it operates as an 802.1X client.
802.1X Client Password: Password the AP uses when it operates as an 802.1X client.
802.1X Client EAP Method: Authentication method the AP uses when it operates as an 802.1X client.

AC IPv4 Address: IPv4 address of the AC, so that the AP can discover the AC.
AC IPv6 Address: IPv6 address of the AC, so that the AP can discover the AC.
AC Host Name: Host name of the AC.

Default VLAN ID: Default VLAN ID of the Layer 2 Ethernet interface of the AP.
Tagged VLAN: Tagged VLAN IDs on the Layer 2 Ethernet interface of the AP.
Untagged VLAN: Untagged VLAN IDs on the Layer 2 Ethernet interface of the AP.
IMPORTANT:
The total number of tagged and untagged VLANs cannot exceed 256. If a VLAN is specified as both a
tagged VLAN and an untagged VLAN, the untagged VLAN setting overwrites the tagged VLAN setting.

Configuring band navigation


When band navigation is enabled, client association efficiency is reduced, so this feature is not
recommended in a scenario where most clients use 2.4 GHz.
Band navigation is not recommended in a delay-sensitive network.
Band navigation and load balancing can be used simultaneously.

Configuration prerequisites
To enable band navigation to operate correctly, make sure of the following:
• The fast association function is disabled. By default, the fast association function is disabled. For
more information about fast association, see "Configuring access services."
• Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
• The SSID is bound to the 2.4 GHz and 5 GHz radios of the AP.

Configuring band navigation


1. Select Advanced > Band Navigation from the navigation tree.

Figure 753 Configuring band navigation

2. Configure band navigation as described in Table 244.


3. Click Apply.
Table 244 Configuration items

Item Description
Band Navigation:
• Enable: Enable band navigation.
• Disable: Disable band navigation.
By default, band navigation is disabled globally.

Session Threshold: Session threshold for clients on the 5 GHz band.

Gap: Session gap, which is the number of clients on the 5 GHz band minus the number of clients on the
2.4 GHz band.
If the number of clients on the 5 GHz radio has reached the session threshold, and the gap between the
number of clients on the 5 GHz radio and that on the 2.4 GHz radio has reached the configured gap, the AP
denies the client's association with the 5 GHz radio and lets new clients associate with the 2.4 GHz radio.

Max Denial Count: Maximum number of times a client's association requests can be denied. If a client has
been denied more than this number of times on the 5 GHz radio, the AP considers that the client is unable
to associate with any other AP, and allows the 5 GHz radio to accept the client.

RSSI Threshold: Band navigation RSSI threshold. The AP checks the RSSI of a dual-band client before
directing the client to the 5 GHz radio. If the RSSI is lower than this value, the AP does not direct the
client to the 5 GHz band.

Aging Time: Client information aging time. The AP records client information when a client tries to
associate with it. If the AP receives a probe request or association request from the client before the
aging time expires, the AP refreshes the client information and restarts the aging timer. If not, the AP
removes the client information and does not count the client during band navigation.

Configuring a VLAN pool
Creating a VLAN pool
1. Select Advanced > VLAN Pool from the navigation tree.
2. Click Add.
Figure 754 Creating a VLAN pool

3. Configure VLAN pool as described in Table 245.


4. Click Apply.
Table 245 Configuration items

Item Description
VLAN Pool: Specify the name of the VLAN pool. By default, no VLAN pool exists. You can create up to 32
VLAN pools.

VLAN List: Configure the list of VLANs in the VLAN pool. By default, a VLAN pool has no VLAN list.
Deleting a VLAN from the list does not affect clients that are already online through that VLAN.

After a VLAN pool assigns a VLAN ID to a client, if the client goes offline and then comes online again
through the same SSID within a certain time, the VLAN pool assigns the previous VLAN ID rather than a new
one. Such a client is not counted in the number of clients in each VLAN on the VLAN Info tab.
The AP selects a VLAN ID for a client in the following order of priority:
1. VLAN ID assigned by the authentication server.
2. VLAN ID from the VLAN pool, or VLAN ID specified when you bind the service template (these two have
the same priority).
3. VLAN ID bound on the Wireless Service > Access Service page.
A VLAN ID with higher priority overrides one with lower priority.
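The following Python model, added here as an illustration and not taken from the HP guide, applies the selection order above and the "sticky" reassignment a VLAN pool performs for a returning client. The class and function names, the least-loaded rule for picking a VLAN from the pool, and the 300-second reuse window are assumptions: the guide does not say how a pool chooses among its VLANs or how long the reuse window is.

```python
from typing import Dict, Optional, Tuple


class VlanPool:
    """Model of one VLAN pool (names, least-loaded choice and reuse window are assumptions)."""

    def __init__(self, name: str, vlans, reuse_window: float = 300.0):
        if not vlans:
            raise ValueError("a VLAN pool needs at least one VLAN in its list")
        self.name = name
        self.vlans = list(vlans)
        self.reuse_window = reuse_window                  # assumed length of the "certain time"
        self.online: Dict[str, Tuple[int, bool]] = {}     # MAC -> (VLAN, counted on VLAN Info tab)
        self.recent: Dict[str, Tuple[int, float]] = {}    # MAC -> (VLAN, time the client went offline)

    def counts(self) -> Dict[int, int]:
        """Online clients per VLAN as the VLAN Info tab shows them: only clients the pool handed
        a VLAN to, not returning clients that kept their previous VLAN."""
        c = {v: 0 for v in self.vlans}
        for vlan, counted in self.online.values():
            if counted and vlan in c:
                c[vlan] += 1
        return c

    def assign(self, mac: str, now: float) -> int:
        prev = self.recent.pop(mac, None)
        if prev is not None and now - prev[1] <= self.reuse_window and prev[0] in self.vlans:
            self.online[mac] = (prev[0], False)   # back on the same SSID in time: old VLAN, not counted
            return prev[0]
        counts = self.counts()
        vlan = min(self.vlans, key=lambda v: (counts[v], v))   # assumption: least-loaded VLAN wins
        self.online[mac] = (vlan, True)
        return vlan

    def release(self, mac: str, now: float) -> None:
        entry = self.online.pop(mac, None)
        if entry is not None:
            self.recent[mac] = (entry[0], now)

    def remove_vlan(self, vlan: int) -> None:
        """Deleting a VLAN from the list leaves clients already online in it untouched."""
        self.vlans.remove(vlan)


def select_vlan(server_vlan: Optional[int], pool: Optional[VlanPool], bind_vlan: Optional[int],
                access_service_vlan: int, mac: str, now: float) -> int:
    """Apply the guide's order: authentication server first; then the VLAN pool or the VLAN
    specified when binding the service template (same priority, a binding carries one or the
    other); then the VLAN bound on the Access Service page."""
    if server_vlan is not None:
        return server_vlan
    if pool is not None:
        return pool.assign(mac, now)
    if bind_vlan is not None:
        return bind_vlan
    return access_service_vlan
```

The model keeps the two bookkeeping views the guide distinguishes: clients the pool actually placed (shown on the VLAN Info tab) and returning clients that silently kept their VLAN.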

Binding a VLAN pool to a specific wireless service
Enable MAC VLAN for the wireless service to be bound to the VLAN pool. Configure the MAC VLAN
function on the Wireless Service > Access Service page.
To bind a VLAN pool to a service template:
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon for the target wireless service.
Figure 755 Binding a VLAN pool to a wireless service

3. Select the AP radio mode to be bound.


4. Select the Binding VLAN pool option and select the target VLAN pool from the Binding VLAN pool
list.
5. Click Bind.

Displaying VLAN pool information


1. Select Advanced > VLAN Pool from the navigation tree.
2. Click the VLAN Info tab, and click the target VLAN pool name. You can see the number of online
clients for each VLAN.

Figure 756 Displaying number of clients for each VLAN ID

This page displays the number of clients that obtain VLAN IDs through the VLAN pool, but not the
clients that obtain VLAN IDs through other methods such as a server-assigned VLAN.
3. Click the VLAN Pool Bound Info tab and click the target VLAN pool name. You can display the
VLAN pool binding information.
Figure 757 Displaying VLAN pool binding information

Configuring multicast optimization


In centralized forwarding mode, enable IGMP/MLD snooping on the AC before enabling multicast
optimization, and configure the aging time of multicast optimization entries to be greater than the aging
time of IGMP/MLD snooping dynamic member ports. Whether IGMP/MLD snooping is enabled does not affect
multicast optimization in local forwarding mode.
To enable multicast optimization to operate correctly in a WLAN roaming environment with AC backup,
make sure multicast optimization is enabled on all ACs on the IACTP tunnels. After the primary AC fails, a
large number of APs upload multicast optimization entries to the new primary AC. To avoid congestion, the
multicast optimization entries are synchronized to the new primary AC within two minutes.

Enabling multicast optimization


1. Select Advanced > Multicast Optimization from the navigation tree.
Figure 758 Configuring multicast optimization

2. Configure multicast optimization as described in Table 246.


3. Click Apply.
Table 246 Configuration items

Item Description
Aging Time: Specify the aging time for multicast optimization entries. If the AP does not receive an IGMP
report from a client within the aging time, the AP removes the client from the multicast optimization entry.
If you enable IGMP snooping, configure the aging time of multicast optimization entries to be greater than
the aging time of IGMP snooping dynamic member ports.

Multicast Optimization Max Clients: Specify the maximum number of clients supported by multicast
optimization. A client can join up to eight multicast groups. If a client joins multiple multicast groups,
it is counted once per group in the multicast optimization statistics. For example, a client that has
joined two multicast groups is counted as two clients.

Max Client Limit Exceeded Action:
• Pause Multicast Optimization for All Clients: Suspend the multicast optimization function. A new client
can join a multicast group and receive multicast packets, and a multicast optimization entry is created
for the client, but multicast optimization for all clients in the multicast group stops working. When
the number of clients drops below the upper limit, multicast optimization takes effect again.
• Exclude New Clients for Multicast Optimization: Reject new clients. A new client can join a multicast
group, but no new multicast optimization entry is created. If multicast optimization entries already
exist for other clients in the multicast group, the new client cannot receive multicast packets;
otherwise, the client receives multicast packets.
By default, multicast optimization stops working when the maximum number of clients supported by
multicast optimization is reached.
If you configure Pause Multicast Optimization for All Clients first and then change to Exclude New
Clients for Multicast Optimization, the existing multicast optimization entries remain in effect.

4. Select the target wireless service.


5. Click Enable.
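Because the two limit-exceeded actions behave quite differently for a client that joins once the limit is reached, the following Python model, written for this page and not part of the HP guide, plays both of them through together with the per-group client counting described in Table 246. The class and method names are assumptions, as are two details the guide leaves open: the limit is treated as reached when the number of (client, group) entries equals the configured maximum, and a pause is treated as applying to every group on the radio until the count drops below the limit.

```python
from typing import Dict, Set

MAX_GROUPS_PER_CLIENT = 8   # "A client can join up to eight multicast groups"


class MulticastOptimization:
    """Per-radio model of multicast optimization entries and the two limit-exceeded actions.
    Assumptions: the limit counts memberships (a client in two groups counts twice) and is
    reached when memberships == max_clients; in pause mode the pause applies to every group
    on the radio until the count drops below the limit."""

    def __init__(self, max_clients: int, action: str = "pause"):
        self.max_clients = max_clients
        self.set_action(action)
        self.members: Dict[str, Set[str]] = {}   # group -> clients that sent IGMP reports
        self.entries: Dict[str, Set[str]] = {}   # group -> clients with an optimization entry

    def set_action(self, action: str) -> None:
        """Switching actions leaves existing entries in effect, as the guide states."""
        if action not in ("pause", "exclude"):
            raise ValueError("action must be 'pause' or 'exclude'")
        self.action = action

    def total_clients(self) -> int:
        """The 'Total Clients' figure: one count per (client, group) entry."""
        return sum(len(c) for c in self.entries.values())

    def join(self, mac: str, group: str) -> bool:
        """Handle a client's IGMP report; True means the client will receive the group's traffic."""
        joined = {g for g, m in self.members.items() if mac in m}
        if group not in joined and len(joined) >= MAX_GROUPS_PER_CLIENT:
            return False
        self.members.setdefault(group, set()).add(mac)
        if mac in self.entries.get(group, set()):
            return True                                   # report only refreshes the entry
        if self.total_clients() < self.max_clients:
            self.entries.setdefault(group, set()).add(mac)
            return True
        if self.action == "pause":
            self.entries.setdefault(group, set()).add(mac)   # entry still created, optimization paused
            return True
        # exclude: no entry; traffic reaches the client only if nobody in the group is optimized
        return len(self.entries.get(group, set())) == 0

    def optimized(self, group: str) -> bool:
        """Whether multicast-to-unicast conversion is currently in effect for the group."""
        if self.action == "pause" and self.total_clients() >= self.max_clients:
            return False
        return len(self.entries.get(group, set())) > 0

    def leave(self, mac: str, group: str) -> None:
        """IGMP leave, or an aging timeout with no report from the client."""
        self.members.get(group, set()).discard(mac)
        self.entries.get(group, set()).discard(mac)
```

The difference that matters operationally is visible in the exclude branch: a late joiner to a group that is already being converted to unicast is silently starved, whereas a late joiner to an untouched group still gets plain multicast.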

Displaying multicast optimization information


1. Select Advanced > Multicast Optimization from the navigation tree.
2. Click the target radio.
Figure 759 Displaying multicast optimization information

Table 247 Field description

Field Description
AP Name: Name of the AP.
Radio ID: ID of the radio with which the clients are associated.
Total Clients: Total number of clients served by multicast optimization. If a client joins multiple
multicast groups, it is counted once per group. For example, a client that has joined two multicast groups
through a radio is counted as two clients.
Action: Operating status of the multicast optimization function:
• Optimize: Multicast optimization is operating.
• Halt: Multicast optimization is halted.
Multicast Address: Address of the multicast group that the clients have joined.
MAC Address: MAC addresses of the clients that have joined the multicast group.

Configuring a guest access tunnel


After you complete the configuration, the aggregation AC and edge AC communicate with each other
by following these steps:
1. The edge AC sends a keep-alive request to the aggregation AC.
2. Upon receiving the request, the aggregation AC determines whether the source IP address of the
request belongs to one of the edge ACs configured on it. If it does, the aggregation AC sends a
response and a guest access tunnel is established.
3. The edge AC keeps sending keep-alive requests to the aggregation AC at the configured interval.
If the edge AC receives no response from the aggregation AC after three successive attempts, the
edge AC terminates the guest access tunnel.
If the aggregation AC receives no keep-alive request within three times the interval, it terminates
the guest access tunnel.
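The exchange above, modelled in Python as an added example (this is not code from the HP guide). Both sides are simulated with the timers the guide states: the edge AC gives up after three unanswered attempts, the aggregation AC after three intervals without a request. The only admission check the guide describes on the aggregation side is the keep-alive's source IP address against the configured edge AC list, and the model makes that check explicit. The class names, the sequence number in the keep-alive, and the addresses in the test are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Keepalive:
    src: str      # source IP of the sender
    dst: str      # destination IP
    seq: int      # assumed: lets the edge AC pair a response with its request


@dataclass
class AggregationAC:
    """Aggregation side: answers keep-alives only from configured edge AC addresses and tears a
    tunnel down when no request has arrived for three intervals."""
    address: str
    edge_acs: Set[str]
    interval: float
    last_seen: Dict[str, float] = field(default_factory=dict)
    dropped: List[Keepalive] = field(default_factory=list)

    def receive(self, req: Keepalive, now: float) -> Optional[Keepalive]:
        if req.src not in self.edge_acs:          # unknown source IP: no response, no tunnel
            self.dropped.append(req)
            return None
        self.last_seen[req.src] = now             # tunnel established or refreshed
        return Keepalive(src=self.address, dst=req.src, seq=req.seq)

    def tunnel_up(self, edge: str) -> bool:
        return edge in self.last_seen

    def tick(self, now: float) -> None:
        for edge, t in list(self.last_seen.items()):
            if now - t >= 3 * self.interval:      # silent for 3 x interval: terminate
                del self.last_seen[edge]


@dataclass
class EdgeAC:
    """Edge side: sends a keep-alive every interval and drops the tunnel after three misses."""
    address: str
    aggregation: str
    interval: float
    seq: int = 0
    misses: int = 0
    up: bool = False

    def send(self) -> Keepalive:
        self.seq += 1
        return Keepalive(src=self.address, dst=self.aggregation, seq=self.seq)

    def on_response(self, resp: Optional[Keepalive]) -> bool:
        if resp is not None and resp.seq == self.seq:
            self.misses, self.up = 0, True
        else:
            self.misses += 1
            if self.misses >= 3:                  # three successive attempts unanswered
                self.up = False
        return self.up


def run(edge: EdgeAC, agg: AggregationAC, rounds: int, drop_from: int = 10**9) -> List[bool]:
    """Drive both sides for `rounds` intervals. From round `drop_from` on, keep-alives are lost
    before reaching the aggregation AC (a simulated path failure). Returns the edge-side tunnel
    state after each round."""
    states = []
    for r in range(rounds):
        now = r * edge.interval
        req = edge.send()
        resp = agg.receive(req, now) if r < drop_from else None
        agg.tick(now)
        states.append(edge.on_response(resp))
    return states
```

Run with a configured edge address the tunnel comes up on the first exchange; run with an address that is not in the aggregation AC's list, every request lands in `dropped` and the edge side never reports the tunnel as up.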

Configuration restrictions and guidelines


When you configure a guest access tunnel, follow these restrictions and guidelines:
• If there are multiple guest access tunnels, each of them must belong to a different VLAN.
• The device supports at most 512 guest access tunnels. You can only establish a guest access tunnel
with IPv4 addresses.
• Configure the same guest VLAN on both the edge AC and the aggregation ACs. For example, if
you configure VLAN 1, VLAN 2, VLAN 3, and VLAN 4 on the edge AC, and configure VLAN 2 and
VLAN 3 on the aggregation AC, you must configure VLAN 2 or VLAN 3 as the guest VLAN.
VLANs that can be configured as the guest VLAN include, in ascending order of priority:
    • VLAN specified by the WLAN-ESS interface.
    • VLANs specified when you bind a service template.
    • VLANs assigned by the VLAN pool.
    • VLANs authorized by the authentication server.
The VLAN specified when you bind a service template and the VLAN assigned by the VLAN pool have the
same priority.

Configuring the edge AC


1. Select Advanced > Guest Tunnel from the navigation tree.

Figure 760 Configuring the edge AC

2. On the page that appears, select Edge AC and configure the parameters as shown in Table 248.
3. Click Add.
4. Click Apply.
Table 248 Configuration items

Item Description
Keep-Alive Time: Specify the interval at which the edge AC sends keep-alive requests to aggregation ACs.
Aggregation AC Address: Specify the IPv4 address of the aggregation AC to be configured on the edge AC.
VLAN: Specify a guest VLAN by its name.
Edge AC Address: Specify the source IPv4 address that the edge AC uses to establish guest access tunnels
with aggregation ACs.

NOTE:
• An edge AC can establish guest access tunnels with multiple aggregation ACs, but it cannot use different IP
addresses to build tunnels with one aggregation AC.
• If several IP addresses configured on the edge AC belong to one aggregation AC, the aggregation AC uses the
destination IP address of the first keep-alive request to establish a guest access tunnel with the edge AC.

Configuring the aggregation AC


1. Select Advanced > Guest Tunnel from the navigation tree.

Figure 761 Configuring the aggregation AC

2. On the page that appears, select Aggregation AC and configure the parameters as shown in Table 249.
3. Click Add.
4. Click Apply.
Table 249 Configuration items

Item Description
Edge AC Address: Specify the IP address of the edge AC to be configured on the aggregation AC.
VLAN: Specify a guest VLAN by its name.

Viewing guest access tunnels


Select Advanced > Guest Tunnel from the navigation tree.
Figure 762 Guest access tunnel list

You can view the configurations and status of guest access tunnels on the current AC. The VLAN ID field
shows configured guest VLANs.

Configuring Bonjour gateway


The AC supports centralized forwarding, local forwarding, and policy-based forwarding when it
operates as a Bonjour gateway.
Enable multicast optimization on the Bonjour gateway for media traffic services such as video and audio.

Enabling Bonjour gateway
1. Select Advanced > Bonjour Gateway from the navigation tree.
Figure 763 Enabling Bonjour gateway

2. On the page that appears, select Bonjour Gateway and configure the parameters as shown
in Table 250.
3. Click Apply.
Table 250 Configuration items

Item Description
Bonjour Gateway:
• Disable: Disable Bonjour gateway globally.
• Enable: Enable Bonjour gateway globally.
By default, Bonjour gateway is disabled globally.
Bonjour gateway takes effect only after you enable it both globally and for an AP. You can enable
Bonjour gateway for an AP on the AP > AP Setup or AP > AP Group page.

Service Query:
• Disable: Disable active query for Bonjour services on the AC.
• Enable: Enable active query for Bonjour services on the AC.
By default, active query for Bonjour services is disabled on the AC.
With this function enabled, the AC sends queries for a Bonjour service at the specified interval and
updates the service entry based on the responses. If no response is received within the TTL of the
Bonjour service, the AC deletes the entry for the service.

Query Interval: Interval at which the AC sends queries for a service.

Packets Convert Threshold: The AC can send unicast or multicast responses to clients in Bonjour service
advertisement snooping. By default, when the AC sends a multicast response to clients, it converts the
multicast response into multiple unicast responses. This function prevents the AC from sending excessive
unicast responses to clients. With this function enabled, the AC sends one multicast response instead of
multiple unicast responses when the following conditions are met:
• The clients are associated with the same BSS.
• The clients query for the same service.
• The number of clients meeting the above conditions reaches the threshold within 500 ms.

Configuring a Bonjour policy
A service policy contains service type configuration and VLAN configuration.
The AC forwards queries and responses according to the following rules:
• For a query, if the service type in the query does not match the specified service type, the AC
discards the query.
• For a response, the AC forwards it only when it matches service type, IP address, and instance
name.
• The AC can forward queries and responses only to the VLANs in the configured VLAN lists.

NOTE:
If a service uses multiple protocols, you must configure multiple service types on the AC to enable the AC
to forward queries for the service. For example, you must configure both ipp and ipps service types on the
AC for the airprint service.

To configure a Bonjour policy:


1. Select Advanced > Bonjour Gateway from the navigation tree.
2. On the page that appears, select Bonjour Policy and click Add.
Figure 764 Configuring a Bonjour policy

3. Configure the Bonjour policy parameters as shown in Table 251.


4. Click Add.
5. Click Apply.
Table 251 Configuration items

Item Description
Policy Name: Configure a name for the Bonjour policy. By default, no Bonjour policy exists. You can
configure up to 1000 Bonjour policies.

Service VLAN: Configure the VLANs to which the AC can forward queries and responses. By default, the AC
cannot forward queries and responses.

Access VLAN: Allow the AC to forward queries and responses to the VLANs to which the clients belong. By
default, the AC cannot forward queries and responses.

Service Rule List:
Service Type: Specify the type of service that clients can query. Table 252 lists some Bonjour protocols
by their names and service type strings.
Service Rule:
• IPv4: Specify the IPv4 address of the service that clients can query.
• IPv6: Specify the IPv6 address of the service that clients can query.
• Instance: Specify the instance name of the service that clients can query. An instance name uniquely
identifies a service.
By default, clients can query all services.

Table 252 Apple Bonjour protocols and service type strings

Service type: Protocol name
afpovertcp: Apple Filing Protocol over TCP
airplay: AirPlay
airport: AirPort Base Station
apple-sasl: Apple Password Server
daap: Digital Audio Access Protocol
dacp: Digital Audio Control Protocol
distcc: Distributed Compiler
dpap: Digital Photo Access Protocol
eppc: Remote AppleEvents
ftp: File Transfer Protocol
http: Hypertext Transfer Protocol
ica-networking: Image Capture Sharing
ichat: iChat Instant Messaging Protocol
ipp: Internet Printing Protocol
ipps: Internet Printing Protocol over TLS
nfs: Network File System
pdl-stream: PDL Data Stream
printer: Line Printer Daemon
raop: Remote Audio Output Protocol
riousbprint: Remote I/O USB Printer Protocol
servermgr: Server Admin
ssh: Secure Shell
telnet: Remote Login
webdav: WebDAV File System
workstation: Workgroup Manager
xserveraid: Xserve RAID

Applying a Bonjour policy


You can apply a Bonjour policy on the Wireless Service > Access Service, AP > AP Setup, AP > AP Group,
and Authentication > User pages. If you apply a Bonjour policy to an AP group, the policy takes effect on
all APs in the AP group. If you apply different Bonjour policies to a user profile, an AP, and a service
template, all of those policies take effect together for a client that matches all three.
For example, assume that you apply Bonjour policy A to AP 1 and Bonjour policy B to the service template
with the SSID service, allowing the AC to forward queries and responses to VLAN A and VLAN B,
respectively. When a client is associated with AP 1 through the SSID service, the AC forwards the queries
and responses it receives from that client to both VLAN A and VLAN B.
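The following Python model, added for this page and not taken from the HP guide, puts the forwarding rules from "Configuring a Bonjour policy" and the union behaviour described just above into one filter: a query is dropped unless its service type appears in some rule, a response is forwarded only when type, address and instance all match a rule, and the set of target VLANs is the union of the service VLAN lists (plus the client's own VLAN where Access VLAN is set) of every policy applied to the client. Class and function names, the record layout, and the addresses and instance names used in the test are assumptions; the service type strings are the short forms from Table 252.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class ServiceRule:
    service_type: str                 # e.g. "ipp", "airplay" (Table 252 strings)
    ipv4: Optional[str] = None        # None means any IPv4 address
    ipv6: Optional[str] = None        # None means any IPv6 address
    instance: Optional[str] = None    # None means any instance name

    def matches(self, service_type: str, ip: str, instance: str) -> bool:
        if service_type != self.service_type:
            return False
        if self.ipv4 is not None and ip != self.ipv4:
            return False
        if self.ipv6 is not None and ip != self.ipv6:
            return False
        return self.instance is None or instance == self.instance


@dataclass
class BonjourPolicy:
    name: str
    service_vlans: Set[int] = field(default_factory=set)   # "Service VLAN" list
    access_vlan: bool = False                              # "Access VLAN": also the client's VLAN
    rules: List[ServiceRule] = field(default_factory=list) # empty list: clients may query anything


@dataclass
class Advert:
    """A snooped Bonjour response (service advertisement)."""
    service_type: str
    ip: str
    instance: str


def allowed_types(policies: Iterable[BonjourPolicy]) -> Set[str]:
    return {r.service_type for p in policies for r in p.rules}


def target_vlans(policies: Iterable[BonjourPolicy], client_vlan: int) -> Set[int]:
    """Policies applied on the AP, AP group, service template and user all take effect
    together, so the forwarding VLANs are the union of their lists."""
    vlans: Set[int] = set()
    for p in policies:
        vlans |= p.service_vlans
        if p.access_vlan:
            vlans.add(client_vlan)
    return vlans


def forward_query(policies: List[BonjourPolicy], service_type: str, client_vlan: int) -> Set[int]:
    """VLANs a client's query is forwarded to; an empty set means the AC discards it."""
    if not policies:
        return set()
    types = allowed_types(policies)
    if types and service_type not in types:
        return set()                      # service type matches no rule: discard
    return target_vlans(policies, client_vlan)


def forward_response(policies: List[BonjourPolicy], adv: Advert, client_vlan: int) -> Set[int]:
    """A response is forwarded only when type, address and instance all match some rule."""
    if not policies:
        return set()
    rules = [r for p in policies for r in p.rules]
    if rules and not any(r.matches(adv.service_type, adv.ip, adv.instance) for r in rules):
        return set()
    return target_vlans(policies, client_vlan)
```

Two defaults from Table 251 fall out of the code: a policy with no rules lets clients query any service, while a policy with no VLANs forwards nothing at all, however permissive its rules are.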

Viewing information about Bonjour services discovered by the AC


1. Select Advanced > Bonjour Gateway from the navigation tree.
2. On the page that appears, select Bonjour Service.
Figure 765 Viewing information about Bonjour services discovered by the AC

Advanced settings configuration examples


1+1 fast backup configuration example
Network requirements
As shown in Figure 766, AC 1 and AC 2 back up each other, with AC 1 acting as the active AC. When
the active AC fails, the standby AC takes over to provide services, ensuring no service interruption.
• Assign a higher priority (6 in this example) to the AP connection on AC 1 to make sure the AP first
establishes a connection with AC 1. In this way, AC 1 acts as the active AC.
• When AC 1 is down, AC 2 becomes the new active AC.
• When AC 1 recovers, no switchover back to AC 1 occurs: AC 2 remains the active AC, and AC 1 acts as
the standby AC. This is because the AP connection on AC 1 does not have the highest priority (7).
Figure 766 Network diagram

Configuration guidelines
• The wireless services configured on the two ACs should be consistent.
• Specify the IP address of the backup AC on each AC.
• AC backup has no relation to the access authentication method. However, the authentication
method of the two ACs must be the same.

Configuring AC 1
1. Configure AP to establish a connection between AC 1 and AP. For more information about
configurations, see "Configuring access services."
2. Select AP > AP Setup from the navigation tree.
3. Click the icon for the target AP.
4. Expand Advanced Setup.
5. Set the connection priority to 6.
6. Click Apply.

Figure 767 Configuring the AP connection priority

7. Select Advanced > AC Backup from the navigation tree. You are placed on the Setup tab.
8. On the page that appears, select the IPv4 box, set the IP address of the backup AC to 1.1.1.5, and
select Enable to enable the fast backup mode.
9. Click Apply.

Figure 768 Configuring the IP address of the backup AC

Configuring AC 2
1. Configure AP to establish a connection between AC 2 and AP.
For more information about configurations, see "Configuring access services."
2. Leave the default value of the AP connection priority unchanged. (Details not shown.)
3. Select Advanced > AC Backup from the navigation tree.
4. On the page that appears, select the IPv4 box, set the address of the backup AC to 1.1.1.4, and
select enable to enable the fast backup mode.
5. Click Apply.

Figure 769 Configuring the address of the backup AC

Verifying the configuration


1. When AC 1 operates correctly, view the AP status on AC 1 and AC 2, respectively. The AP
connection priority on AC 1 is set to 6 (the higher one), so AC 1 becomes the active AC. The AP
establishes a connection to AC 1 based on priority.
a. On AC 1, select Advanced > AC Backup from the navigation tree.
b. Click the Status tab.
The status information shows that AC 1 is the active AC.

Figure 770 Displaying the AP status on AC 1

c. On AC 2, select Advanced > AC Backup from the navigation tree.
d. Click the Status tab.
The status information shows that AC 2 is acting as the standby AC.
Figure 771 Displaying the AP status on AC 2

2. When AC 1 goes down, the standby AC (AC 2) detects the failure immediately through the
heartbeat detection mechanism. Then AC 2 takes over to become the new active AC, providing
services to AP.
On AC 2 (the new active AC), display the AP status. (Details not shown.)
The information shows that AC 2 has become the active AC.
On AC 2, display the client information. (Details not shown.)
The value for the State field turns to Running from Running/B, which indicates that the client is
connecting to AC 2 through an active link.
3. When AC 1 recovers, AC 2 still acts as the active AC, and AC 1 becomes the standby AC. AC 1
establishes a backup link with the AP and backs up the client status.

1+N backup configuration example


Network requirements
As shown in Figure 772, AC 1 and AC 2 are active ACs, and AC 3 acts as the standby AC. When an
active AC fails, AC 3 (the standby AC) takes over to provide services. As soon as the active AC recovers,
the AP connects to the original active AC again.
• AP connects to AC 1, AC 2, and AC 3 through a Layer 2 switch. The IP addresses of AC 1, AC 2,
and AC 3 are 1.1.1.3, 1.1.1.4, and 1.1.1.5, respectively.
• Assign the highest AP connection priority of 7 on AC 1 and AC 2 to make sure AP 1 establishes a
connection with AC 1, and that AP 2 establishes a connection with AC 2.
• If one of the two active AC is down, AC 3 becomes the new active AC.
• When the faulty AC recovers, the AP that connects to AC 3 automatically connects to the original
active AC. This is because the AP connection priority on the active AC has the highest priority. In this
way, AC 3 can always act as a dedicated standby AC to provide backup services for AC 1 and AC
2.
Figure 772 Network diagram

Configuring AC 1
1. Configure AC 1 so that a connection is set up between AC 1 and AP 1.
For more information about configurations, see "Configuring access services."
2. Select AP > AP Setup from the navigation tree.
3. Click the icon for the target AP.
4. Expand Advanced Setup.

5. Set the connection priority to 7.
6. Click Apply.
Figure 773 Configuring the AP connection priority for AP 1

Configuring AC 2
1. Configure AC 2 so that a connection is set up between AC 2 and AP 2.
For more information about configurations, see "Configuring access services."
2. Set the AP connection priority to 7.
The configuration steps are the same as the steps on AC 1 (Details not shown.).
Configuring AC 3
1. On AC 3 (the backup AC), configure the related information for AP 1 and AP 2.
For more information about configurations, see "Configuring access services."
2. Specify AC 1 as the backup AC for AP 1:
a. Select AP > AP Setup from the navigation tree.
b. Click the icon for AP 1.
c. Expand Advanced Setup.
d. Enter 1.1.1.3 in the Backup AC IPv4 Address field.
e. Click Apply.
Figure 774 Backing up the IP address of AC 1

3. Specify AC 2 as the backup AC for AP 2:
a. Select AP > AP Setup from the navigation tree.
b. Click the icon for AP 2.
c. Expand Advanced Setup.
d. Enter 1.1.1.4 in the Backup AC IPv4 Address field.
e. Click Apply.
Figure 775 Backing up the IP address of AC 2

Verifying the configuration


1. When AC 1 goes down, AC 3 becomes the new active AC.
2. When AC 1 recovers, the AP connecting to AC 3 connects to AC 1 again. This is because the
highest AP connection priority of 7 on AC 1 ensures an automatic switchover.
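The two backup examples differ only in one number, 6 versus 7, and the switch-back behaviour follows from it. The following Python model, added as an illustration and not code from the HP guide, reproduces both outcomes from the rules the examples state: the AP joins the live AC with the highest configured connection priority, moves to the standby when the active AC fails, and moves back to a recovered AC only if that AC holds the highest priority of 7. The class name, the treatment of an unset priority as 0, and the behaviour for priorities the examples do not cover (for instance two ACs both set to 7) are assumptions.

```python
from typing import Dict, List, Optional

HIGHEST_PRIORITY = 7   # the guide's "highest AP connection priority of 7"


class ApConnection:
    """Model of an AP choosing its active AC by the AP connection priority configured on each AC.
    Assumptions: an unset priority is 0; the AP stays on its current AC unless that AC fails, or an
    AC holding priority 7 recovers, which is the only case the guide describes as switching back."""

    def __init__(self, priorities: Dict[str, int]):
        self.priorities = dict(priorities)            # AC -> AP connection priority set on that AC
        self.alive = {ac: True for ac in priorities}
        self.active: Optional[str] = self._best()

    def _best(self) -> Optional[str]:
        live = [ac for ac in self.priorities if self.alive[ac]]
        return max(live, key=lambda ac: self.priorities[ac]) if live else None

    def standby(self) -> List[str]:
        return [ac for ac in self.priorities if self.alive[ac] and ac != self.active]

    def fail(self, ac: str) -> Optional[str]:
        """The named AC stops answering heartbeats; if it was active, the best live AC takes over."""
        self.alive[ac] = False
        if self.active == ac:
            self.active = self._best()
        return self.active

    def recover(self, ac: str) -> Optional[str]:
        """A failed AC comes back. It becomes standby unless it holds priority 7, in which case
        the AP switches back to it."""
        self.alive[ac] = True
        if self.active is None:
            self.active = ac
        elif (self.priorities[ac] == HIGHEST_PRIORITY
              and self.priorities[ac] > self.priorities[self.active]):
            self.active = ac
        return self.active
```

With {"AC1": 6, "AC2": 0} the AP ends up on AC 2 after AC 1 fails and stays there when AC 1 returns, the 1+1 outcome; with {"AC1": 7, "AC3": 0} it returns to AC 1, the 1+N outcome.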

Client information backup configuration example


Network requirements
As shown in Figure 776, AC 1 and AC 2 support stateful failover. AC 1 is the primary AC. Enable client
information backup on the two ACs so the clients can communicate during a primary/backup switchover.
The client in this example is a client that uses clear-type service template for accessing the network.

Figure 776 Network diagram

Configuration procedure
Complete the following configurations on both AC 1 and AC 2.
1. Build an IACTP tunnel. For more information, see "Configuring WLAN roaming."
2. Configure AC backup. For more information, see "Configuring 1+1 AC backup."
3. Configure client information backup:
a. Select Advanced > AC Backup from the navigation tree. You are placed on the Setup tab.
b. Click Enable to the right of Backup Client Information.
c. Click Apply.
Figure 777 Enabling client information backup

Verifying the configuration


1. When AC 1 operates correctly, display the client status on AC 1 and AC 2 to verify that the client
has been associated with AC 1 through the AP, and the client information has been synchronized
to AC 2.
a. Select Summary > Client from the navigation tree, click the Detail Information tab, and select
the target client to view its detailed information.

Figure 778 Displaying the client status on AC 1

The page shows that the client is in Running status, which means the client is associated with
the primary AC AC 1 because AC 1 has a higher connection priority.
b. Select Summary > Client from the navigation tree, click the Detail Information tab, and select
the target client to view its detailed information.
Figure 779 Displaying the client status on AC 2

This page shows that the client is in Running(Backup) state, which means the client is
associated with the backup AC, AC 2.
c. Display roam-track information of the clients: select Summary > Client from the navigation tree,
click the Roam Information tab, and select the target client to view its detailed roaming
information. If the information on the two ACs is consistent, the client roaming information has
been synchronized.
2. When AC 1 fails, AC 2 becomes the primary AC. During the switchover, clients are not logged off
and can access the network through AC 2.

AP-based session-mode load balancing configuration example


Network requirements
• As shown in Figure 780, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client
2 through Client 6 are associated with AP 2.
• Configure session-mode load balancing on the AC. The threshold (the maximum number of sessions)
is 5, and the session gap is 4.
Figure 780 Network diagram
(Diagram: the AC connects through an L2 switch to AP 1 and AP 2; Client 1 through Client 7 are the wireless clients.)

Configuration guidelines
An AP starts session-mode load balancing only when both the maximum sessions and maximum session
gap are reached.

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a
connection between the AC and each AP.
For the related configuration, see "Configuring access services."
2. Configure session-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select the Session mode, enter the threshold 5, and use the default
value for the gap.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.

Figure 781 Setting session-mode load balancing

Verifying the configuration


Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. Because the
number of clients associated with AP 2 reaches 5 and the session gap between AP 2 and AP 1 reaches
4, Client 7 is associated with AP 1.

AP-based traffic-mode load balancing configuration example


Network requirements
• As shown in Figure 782, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with
AP 1, and no client is associated with AP 2.
• Configure traffic-mode load balancing on the AC. The traffic threshold is 3 Mbps, which
corresponds to the threshold value of 10 in percentage, and the traffic gap is 12 Mbps, which
corresponds to the traffic gap value 40 in percentage.

Figure 782 Network diagram

Configuration guidelines
An AP starts traffic-mode load balancing only when both the maximum traffic threshold and maximum
traffic gap are reached.

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a
connection between the AC and each AP.
For the related configuration, see "Configuring access services."
2. Configure traffic-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select the Traffic mode, enter the threshold 10, and the traffic gap
40.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.

Figure 783 Setting traffic-mode load balancing

Verifying the configuration


Client 1 and Client 2 are associated with AP 1. Add Client 3 to the network. When the maximum traffic
threshold and traffic gap are reached on AP 1, Client 3 is associated with AP 2.

Group-based session-mode load balancing configuration example

Network requirements
• As shown in Figure 784, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client
2 through Client 6 are associated with AP 2, and no client is associated with AP 3.
• Configure session-mode load balancing on the AC. The maximum number of sessions is 5, and the
maximum session gap is 4.
• Session-mode load balancing is required on only radio 2 of AP 1 and radio 2 of AP 2. Therefore,
add them to a load balancing group.

Figure 784 Network diagram

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a
connection between the AC and each AP.
For the related configuration, see "Configuring access services."
2. Configure load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select Session from the Load Balance Mode list, enter the threshold 5,
and use the default value for the gap.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.
Figure 785 Configuring session-mode load balancing

3. Configure a load balancing group:
a. Select Advanced > Load Balance from the navigation tree.
b. Click the Load Balance Group tab.
c. Click Add.
d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area,
click << to add them to the Radios Selected area, and click Apply.
Figure 786 Configuring a load balancing group

Verifying the configuration


• Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group. The radio of AP 3 does
not belong to any load balancing group. Because load balancing takes effect only on radios in a
load balancing group, AP 3 does not take part in load balancing.
• Assume Client 7 wants to associate with AP 2. The number of clients associated with radio 2 of AP
2 reaches 5 and the session gap between radio 2 of AP 2 and AP 1 reaches 4, so Client 7 is
associated with AP 1.

Group-based traffic-mode load balancing configuration example

Network requirements
• As shown in Figure 787, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with
AP 1, and no client is associated with AP 2 and AP 3.
• Configure traffic-mode load balancing on the AC. The maximum traffic threshold is 10%, and the
maximum traffic gap is 20%.

• Traffic-mode load balancing is required only on radio 2 of AP 1 and radio 2 of AP 2. Therefore, add
them to a load balancing group.
Figure 787 Network diagram
(Diagram: the AC connects through an L2 switch to AP 1, AP 2, and AP 3; Client 1, Client 2, and Client 3 are the wireless clients.)

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a
connection between the AC and each AP.
For the related configuration, see "Configuring access services."
2. Configure load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select Traffic from the Load Balance Mode list, enter the threshold 10
and the gap 40.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.

Figure 788 Configuring traffic load balancing

3. Configure a load balancing group:


a. Select Advanced > Load Balance from the navigation tree.
b. Click the Load Balance Group tab.
c. Click Add.
d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area,
click << to add them to the Radios Selected area, and click Apply.

Figure 789 Configuring a load balancing group

Verifying the configuration


• Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP
3 does not belong to any load balancing group. Because load balancing takes effect only on
radios in a load balancing group, AP 3 does not take part in load balancing.
• Assume Client 3 wants to associate with AP 1. Because the maximum traffic threshold and traffic
gap have been reached on radio 2 of AP 1, Client 3 is associated with AP 2.
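The threshold-and-gap rule shared by the four load balancing examples above (and applied by band navigation, later in this chapter, between the two radios of one AP), as an added Python model that is not part of this guide or of the AC software; the radio names, load figures, and the choice of the lightest peer as the redirect target are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed model of the rule "an AP starts load balancing only when both
# the threshold and the gap are reached". Illustration only, not the AC's code.


@dataclass
class Radio:
    name: str            # constructed names such as "ap1.radio2"
    sessions: int        # clients currently associated with the radio
    traffic_pct: float   # current traffic as a percentage of radio capacity


def load_of(radio: Radio, mode: str) -> float:
    """Return the load figure that the selected mode compares."""
    if mode == "session":
        return radio.sessions
    if mode == "traffic":
        return radio.traffic_pct
    raise ValueError(f"unknown load balancing mode: {mode}")


def balancing_peers(target: Radio, radios: List[Radio],
                    groups: List[Set[str]]) -> Optional[List[Radio]]:
    """Return the radios the target is balanced against, or None if it takes no part.

    With no groups configured (AP-based mode) every radio takes part.
    With groups configured (group-based mode) a radio is balanced only
    against the other members of its own group; a radio outside every
    group never takes part, exactly as AP 3 in the group-based examples.
    """
    if not groups:
        return [r for r in radios if r is not target]
    for group in groups:
        if target.name in group:
            return [r for r in radios if r.name in group and r is not target]
    return None


def must_redirect(target: Radio, peers: List[Radio], mode: str,
                  threshold: float, gap: float) -> bool:
    """Balancing starts only when BOTH conditions hold on the radio the
    client is trying to join: its load reaches the threshold, and the
    difference to the lightest peer reaches the gap."""
    if not peers:
        return False
    load = load_of(target, mode)
    lightest = min(load_of(p, mode) for p in peers)
    return load >= threshold and (load - lightest) >= gap


def associate(preferred: str, radios: List[Radio], mode: str,
              threshold: float, gap: float,
              groups: Optional[List[Set[str]]] = None) -> str:
    """Return the name of the radio a new client ends up on.

    Assumption (not stated in the guide): when the preferred radio must
    redirect, the client is steered to the lightest peer in its group.
    """
    by_name: Dict[str, Radio] = {r.name: r for r in radios}
    target = by_name[preferred]
    peers = balancing_peers(target, radios, groups or [])
    if peers is None or not must_redirect(target, peers, mode, threshold, gap):
        return preferred
    return min(peers, key=lambda p: load_of(p, mode)).name


if __name__ == "__main__":
    # AP-based session mode (threshold 5, gap 4): AP 1 has 1 client, AP 2 has 5,
    # so Client 7 lands on AP 1.
    ap_based = [Radio("ap1", 1, 0.0), Radio("ap2", 5, 0.0)]
    print(associate("ap2", ap_based, "session", 5, 4))

    # Group-based session mode: AP 3 is the lightest radio but sits outside
    # the group, so Client 7 is steered to radio 2 of AP 1 instead.
    grouped = [Radio("ap1.radio2", 1, 0.0), Radio("ap2.radio2", 5, 0.0),
               Radio("ap3.radio2", 0, 0.0)]
    print(associate("ap2.radio2", grouped, "session", 5, 4,
                    groups=[{"ap1.radio2", "ap2.radio2"}]))
```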

AP version upgrade configuration example


Network requirements
As shown in Figure 790, configure the AP version upgrade function to upgrade the AC, AP 1, and AP 2.
The AC has established an LWAPP tunnel with each of AP 1, AP 2, and AP 3.

Figure 790 Network diagram

(Diagram: the AC connects through a switch to AP 1, AP 2, and AP 3.)

Configuration procedures
Before the configuration, assume that you have configured the three APs in AP > AP Setup.
1. Configure an AP group:
a. Select AP > AP Group from the navigation tree.
b. On the page that appears, click Add to create an AP group named update.
2. Enable the AP version upgrade function for AP 1 and AP 2:
a. Select ap1 and ap2 from the AP List, click the icon and add these two APs to the
Selected AP List.
b. Select Enable from the Firmware Update list.
c. Click Apply.

Figure 791 Configuring AP version upgrade (1)

3. Disable the AP version upgrade function for AP 3:
a. Select AP > AP Setup from the navigation tree.
b. Click the icon for AP 3.
c. Select Disable from the Firmware Update list.
d. Click Apply.
Figure 792 Configuring AP version upgrade (2)

4. Download the AP version to the AC. (Details not shown.)


5. Upgrade the AC's version to B108D001 and reset the AC. AP 1 and AP 2 will try to establish
tunnels with the AC of the new version:
AP 1 and AP 2 compare their versions with the version of the AC, download AP version
B108D001 from the AC, and restart. After the reboot, they use version B108D001 to establish
LWAPP tunnels with the AC.
AP 3 does not compare its version with that of the AC, and uses version B106D001 to establish an
LWAPP tunnel with the AC.

Verifying the configuration


1. Select Summary > AP from the navigation tree.
2. On the page that appears, click the Detail tab, and click the target AP name.
You can see that versions of AP 1 and AP 2 are B108D001, and the version of AP 3 remains as
B106D001.

Wireless location configuration example
Network requirements
As shown in Figure 793, AP 1, AP 2, and AP 3 operate in normal mode. They send the collected tag and
MU messages to an AE (the location server), which performs location calculation and then sends the
data to the graphics software. You can obtain the location information of the rogue AP, APs, and clients
by using maps, forms or reports.
Figure 793 Network diagram
(Diagram: the AC connects through a switch to AP 1, AP 2, and AP 3; the AE (location server), a client, a rogue AP, and another AP are also shown.)

Configuration guidelines
Before you enable the wireless location function, make sure at least three APs operate in normal mode,
bind the APs to a wireless service, and enable the wireless service, so that the APs can detect tags and
clients not associated with them and the AE can perform location calculation.

Configuring the AE
1. Configure the IP addresses of AP 1, AP 2, and AP 3 on the AE, or select the broadcasting mode
for the AE to discover APs.
2. Perform configuration related to wireless location on the AE.

Configuring AP 1
AP 1, AP 2, and AP 3 are configured similarly. The following describes only how to configure AP 1.
To bind the wireless service to AP 1:
1. Select AP > AP Setup from the navigation tree.
2. Click Add.
3. On the page that appears, enter the AP name ap1, select the model MSM460-WW, select Manual
from the Serial ID list, enter the AP serial ID in the field, and click Apply.

Figure 794 Creating an AP

4. Select Wireless Service > Access Service from the navigation tree.
5. Click Add.
6. On the page that appears, specify the Wireless Service Name as service, select clear from the
Wireless Service Type list, and click Apply.
Figure 795 Creating a wireless service

7. Select Wireless Service > Access Service from the navigation tree.
8. On the page that appears, select the box to the left of service.
9. Click Enable.

Figure 796 Enabling the wireless service

10. Select Wireless Service > Access Service from the navigation tree.
11. On the page that appears, click the icon for wireless service service.
12. Select the box to the left of 802.11n(2.4GHz).
13. Click Bind.

Figure 797 Binding the wireless service to a radio

Enabling 802.11n
1. Select Radio > Radio from the navigation tree.
2. Select the target AP.
3. Click Enable.

Figure 798 Enabling 802.11n (2.4 GHz)

Enabling wireless location


1. Select Advanced > Wireless Location from the navigation tree.
2. On the page that appears, perform the following tasks:
a. Select Enable for Location Function.
b. Select Aero Scout for Protocol Type.
c. Select Dynamic for Address Acquisition Method.
d. Select Tag Mode and MU Mode for ap1, ap2, and ap3.
3. Click Apply.

Figure 799 Enabling wireless location

Verifying the configuration


You can display the location information of the rogue AP, APs, and clients by using maps, forms or
reports.

Wireless sniffer configuration example


Network requirements
As shown in Figure 800, configure a Capture AP, and enable wireless sniffer on this AP to capture
wireless packets. The captured packets are then saved in a .dmp file for troubleshooting.

Figure 800 Network diagram

(Diagram: the AC connects through a switch to AP 1, AP 2, and the Capture AP; a client, a rogue AP, a PDA, and a PC are also shown.)

Configuring Capture_AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add.
3. On the page that appears, enter the AP name capture_ap, select the model MSM460-WW, select
Manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.
Figure 801 Creating a Capture AP

4. Select Radio > Radio from the navigation tree.


5. Click the icon of 802.11n(2.4 GHz) for the Capture_AP.
6. Select 6 from the Channel list.
7. Click Apply.

Figure 802 Setting the channel

8. Select Radio > Radio from the navigation tree.


9. Select the target AP.
10. Click Enable.

Figure 803 Enabling 802.11n (2.4 GHz)

Configuring and enabling wireless sniffer


1. Select Advanced > Wireless Sniffer from the navigation tree.
2. On the page that appears, enter the capture limit 5000, enter the file name CapFile, and click
Apply.
3. Click the icon for radio 802.11g.
Figure 804 Configuring and enabling wireless sniffer

Verifying the configuration
• Capture AP captures wireless packets and saves the packets to a CAP file in the default storage
medium. Administrators can download the file to the PC and get the packet information by using
tools such as Ethereal.
• When the total number of captured packets reaches the upper limit, Capture AP stops capturing
packets.

AP provision configuration example


Network requirements
Configure AP provision on AC 1 to assign the following network settings to AP 1 and AP 2:
• IP address 2.2.2.1/24 for AC 1 so that AP 1 and AP 2 can discover AC 1.
• IP address 1.1.1.1/24 for AP 1 and IP address 1.1.1.2/24 for AP 2.
• Username test and password test for AP 1 and AP 2 when they operate as 802.1X clients.
• Authentication method peap-mschapv2.
• 802.1X client function for Ethernet interfaces on AP 1 and AP 2.
Figure 805 Network diagram

Configuring AC 1
Make sure AP 1 and AP 2 have established connections to AC 1. Otherwise, AC 1 cannot assign the
network settings to them.
1. Configure global provision information so that AP 1 and AP 2 can discover AC 2 with IP address
2.2.2.1:
a. Select Advanced > AP Provision from the navigation tree.
b. Click the Global Provision tab.
c. Enter IP address 2.2.2.1 in the AC IPv4 Address field.
d. Click Apply.

Figure 806 Configuring global provision

2. Configure AP 1 and AP 2 as provision APs:


a. Select Advanced > AP Provision from the navigation tree.
b. Click the Non Provision APs tab.
Figure 807 Configuring non provision APs

c. Select the boxes to the left of ap1 and ap2.


d. Click Change to Provision AP.
e. Click the Provision APs tab.

Figure 808 Configuring provision APs

f. Click the icon for ap1.


g. Assign the following network settings to AP 1:
− IPv4 address 1.1.1.1 and mask 24.
− 802.1X client function.
− Username test and password test.
− Authentication method peap-mschapv2.
h. Click Apply Provision.
Figure 809 Configuring AP provision information

i. Assign the following network settings to AP 2:


− IPv4 address 1.1.1.2 and mask 24.

− 802.1X client function.
− Username test and password test.
− Authentication method peap-mschapv2.
j. Click the Provision APs tab.
Figure 810 Configuring provision APs

k. Select the boxes to the left of ap1 and ap2.


l. Click Apply Provision.

Configuring AC 2
Configure wireless service on AC 2. For more information, see "Configuring access services."

Verifying the configuration


1. On AC 1, select Summary > AP from the navigation tree.
Figure 811 AP information page

2. Select the boxes to the left of ap1 and ap2.


3. Click Reboot.
After restart, AP 1 and AP 2 establish connections to AC 1.
4. On AC 2, select Summary > AP from the navigation tree.
The two APs are both in Run status.

Figure 812 AP information page on AC 2

Band navigation configuration example


Network requirements
As shown in Figure 813, Client 1 through Client 4 try to associate with AP 1, and the two radios of AP 1
operate at 5 GHz and 2.4 GHz, respectively. Client 1, Client 2, and Client 3 are dual-band clients, and
Client 4 is a single-band (2.4 GHz) client. Configure band navigation to direct clients to different radios
of the AP.
Figure 813 Network diagram

Configuring the AC
To enable band navigation to operate correctly, make sure of the following:
• The fast association function is disabled. By default, the fast association function is disabled.
• Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click New.
c. On the page that appears, enter the AP name ap1, select the model MSM460-WW, select
Manual from the Serial ID list, and enter the AP serial ID in the field.
d. Click Apply.
2. Configure wireless service:
a. Select Wireless Service > Access Service from the navigation tree.

b. Click Add.
c. On the page that appears, set the service name to band-navigation, select the wireless service
type Clear, and click Apply.
3. Enable wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the band-navigation box.
c. Click Enable.
4. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service band-navigation.
c. Select the boxes next to ap1 with radio types 802.11n(2.4GHz) and 802.11n(5GHz).
d. Click Bind.
Figure 814 Binding an AP radio

5. Enable 802.11n(2.4GHz) and 802.11n(5GHz) radios:


a. Select Radio > Radio Setup from the navigation tree.
b. Select the boxes next to ap1 with the radio modes 802.11n(2.4GHz) and 802.11n(5GHz).
c. Click Enable.
6. Configure band navigation:
a. Select Advanced > Band Navigation from the navigation tree.
b. On the page that appears, click Enable, and type the Session Threshold 2 and Gap 1. Use the
default values for other options.
c. Click Apply.

Figure 815 Configuring band navigation

Verifying the configuration


Client 1 and Client 2 are associated with the 5 GHz radio of AP 1, and Client 4 can only be associated
with the 2.4 GHz radio of AP 1. Because the number of clients on the 5 GHz radio has reached the upper
limit 2, and the gap between the number of clients on the 5 GHz radio and 2.4 GHz radio has reached
the session gap 1, Client 3 will be associated with the 2.4 GHz radio of AP 1.

VLAN pool configuration example


Network requirements
Configure a VLAN pool that comprises VLANs 2 through 5 for the AP to assign clients to different VLANs.
Figure 816 Network diagram

(Diagram: the AC connects through a switch to the AP, which serves three clients.)

Configuring the AC
1. Create a VLAN pool:
a. Select Advanced > VLAN Pool from the navigation tree.
b. On the page that appears, set the VLAN pool name to office and set the VLAN list to 2-5.

c. Click Apply.
Figure 817 Creating a VLAN pool

2. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, enter the AP name ap, select the model MSM460-WW, select
Manual from the Serial ID list, and enter the AP serial ID in the field.
d. Click Apply.
3. Configure wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to office and select the wireless service type
Clear. You are placed on the access service configuration page.
d. Enable MAC VLAN.
e. Click Apply.

Figure 818 Enabling MAC VLAN

4. Enable wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Select the office box.
c. Click Enable.
5. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service office.
c. Select the box with radio type 802.11n(2.4GHz).
d. Select the Binding VLAN pool option and select the target VLAN pool from the Binding VLAN
pool list.
e. Click Bind.

Figure 819 Binding a VLAN pool to a wireless service

6. Enable 802.11n(2.4GHz) radio:


a. Select Radio > Radio Setup from the navigation tree.
b. Select the box to the left of ap with the radio mode 802.11n(2.4GHz).
c. Click Enable.

Verifying the configuration


• Select Advanced > VLAN Pool from the navigation tree to display the number of clients in each
VLAN in the VLAN pool.
• Select Summary > Client from the navigation tree, click Details, and click the target client to display
the VLAN to which the client belongs.

Multicast optimization configuration example


Network requirements
As shown in Figure 820, enable multicast optimization for the AP to convert multicast packets to unicast
packets for up to two clients.
Enable IGMP snooping on the AC before enabling multicast optimization and configure the aging time
of multicast optimization entries to be greater than the aging time of IGMP snooping dynamic member
ports.

Figure 820 Network diagram

Configuring the AC
1. Select Advanced > Multicast Optimization from the navigation tree.
2. Set the Aging Time to 300 seconds, the Multicast Optimization Max Clients to 2, and Max Client
Limit Exceeded Action to Exclude New Clients for Multicast Optimization.
3. Click Apply.
4. Select the target wireless service.
5. Click Enable.
Figure 821 Configuring multicast optimization

Verifying the configuration


Client 1 and Client 2 are associated with a radio of the AP. Because the number of clients on the radio
has reached the upper limit 2, Client 3 cannot be added to multicast optimization entries.

Guest access tunnel configuration example
Network requirements
As shown in Figure 822, AC 1 is an edge AC and AC 2 is an aggregation AC. Configure a guest access
tunnel so that guest traffic is separated from the traffic of the inner network. Guests get online through
guest VLAN VLAN 5.
Figure 822 Network diagram

Configuring AC 1
Before configuring the edge AC, complete the following configurations:
• Configure wireless services on AC 1. For more information, see "Configuring access services".
• Configure guest VLAN VLAN 5. (Details not shown.)
To configure AC 1:
1. Select Advanced > Guest Tunnel from the navigation tree.
2. On the page that appears, select Edge AC, enter 192.168.2.3 as the Aggregation AC Address,
and enter 192.168.2.1 as the Edge AC Address. Specify VLAN 5 as the guest VLAN.
3. Click Add.
4. Click Apply.
Figure 823 Configuring the edge AC

Configuring AC 2
1. Select Advanced > Guest Tunnel from the navigation tree.

2. On the page that appears, select Aggregation AC, enter 192.168.2.1 as the Edge AC Address,
and specify VLAN 5 as the guest VLAN.
3. Click Add.
4. Click Apply.
Figure 824 Configuring the aggregation AC

Verifying the configuration


• Select Advanced > Guest Tunnel from the navigation tree. You can see that the guest access tunnel
is in Up state.
• Select Summary > Client from the navigation tree. You can see that guests get online through VLAN
5.

Bonjour gateway configuration example


Network requirements
As shown in Figure 825, Apple TV, Print, iPad 1, and iPad 2 associate with the AP through service
templates with SSIDs apple_tv, print, student, and teacher, respectively. Apple TV, Print, iPad 1, and iPad
2 belong to VLANs 3, 4, 10, and 20, respectively.
Configure Bonjour gateway to make sure iPad 2 can query the services of both Apple TV and Print and
iPad 1 can only query the service of Print.
Figure 825 Network diagram

(Diagram: Apple TV (SSID apple_tv, VLAN 3), Print (SSID print, VLAN 4), iPad 1 (SSID student, VLAN 10), and iPad 2 (SSID teacher, VLAN 20) associate with the AP, which connects through a switch to the AC; a DHCP server is also shown.)

Configuration procedures
1. Configure wireless services on the AC. (Details not shown.)
2. Configure the DHCP server to assign an IP address of the AC as the gateway IP address of the
clients. (Details not shown.)
3. Enable Bonjour gateway:
a. Select Advanced > Bonjour Gateway from the navigation tree, and click the Bonjour Gateway
tab.
b. Select Enable for Bonjour Gateway.
c. Click Apply.
Figure 826 Enabling Bonjour gateway

4. Configure Bonjour policy teacher:


a. Select Advanced > Bonjour Gateway from the navigation tree, and click the Bonjour Policy tab.
b. Click Add.
c. On the page that appears, specify the Policy Name as teacher and Service VLAN as 3-4.
d. Click Apply.
5. Configure Bonjour policy student in the same way Bonjour policy teacher is configured, and
specify the service VLAN for Bonjour policy student as 4. (Details not shown.)

Figure 827 Configuring Bonjour policies

6. Apply Bonjour policy teacher:


a. Select Wireless Service > Access Service from the navigation tree, and click the icon for
wireless service teacher.
b. Specify Bonjour Policy as teacher.
c. Click Apply.
7. Apply Bonjour policy student to wireless service student in the same way Bonjour policy teacher is
applied to wireless service teacher. (Details not shown.)

Figure 828 Applying Bonjour policies

Verifying the configuration


1. Select Advanced > Bonjour Gateway from the navigation tree, and click the Bonjour Service tab.
You can see that the AC can discover the services of both Apple TV and Print.
2. Select Summary > Client from the navigation tree, and click the Detailed Information tab.
You can see that iPad 1 can discover only the service of Print and iPad 2 can discover the services
of both Apple TV and Print.

Configuring stateful failover

NOTE:
Support for the stateful failover feature might vary depending on your device model. For more
information, see "About the Web-based configuration guide for HP unified wired-WLAN products."

Overview
Introduction to stateful failover
Some customers require their wireless networks to be highly reliable to ensure continuous data
transmission. In Figure 829, deploying only one AC (even with high reliability) risks a single point of
failure and therefore cannot meet the requirement.
Figure 829 Network with one AC deployed

(Diagram: Internet, AC, AP, and Host.)

The stateful failover feature (supporting portal, 802.1X, and DHCP services) was introduced to meet the
requirement. In Figure 830, two ACs that are enabled with stateful failover are deployed in the network.
You need to specify a VLAN on the two ACs as the backup VLAN, and add the interfaces between the
ACs to the backup VLAN. The backup VLAN is like a failover link, through which the two ACs exchange
state negotiation messages periodically. After the two ACs enter the synchronization state, they back up
the service entries of each other to make sure the service entries on them are consistent. If one AC fails,
the other AC, which has already backed up the service information, takes over to avoid service
interruption.

Figure 830 Network diagram for stateful failover

(Diagram: AC 1 and AC 2 are connected through interface GE1/0/2 on each AC, tagged in VLAN 2; VLAN 2 is the failover link. The ACs also connect to the Internet and to the AP and Host.)

Stateful failover states


Stateful failover includes the following states:
• Silence—The device has just started, or is transiting from synchronization state to independence
state.
• Independence—The silence timer has expired, but no failover link is established.
• Synchronization—The device has completed state negotiation with the other device and is ready for
data backup.
The following figure shows state relations.
Figure 831 Stateful failover state diagram

Configuration guidelines
When you configure stateful failover, follow these guidelines:
• You must configure the AC and AP to support the backup function to make sure the traffic can
automatically switch to the other device if one device fails. For more information, see "Advanced
settings."

• To back up portal or 802.1X related information from the active device to the standby device, you
must configure portal or 802.1X to support stateful failover besides the configurations described in
this chapter. For more information, see "About the Web-based configuration guide for HP unified
wired-WLAN products."
• Stateful failover can be implemented only between two devices rather than among more than two
devices.

Configuring stateful failover


1. From the navigation tree, select High reliability > Stateful Failover.
The stateful failover configuration page appears.
2. View the current stateful failover state at the lower part of the page, as described in Table 254.
Figure 832 Stateful failover configuration page

3. Configure stateful failover parameters at the upper part of the page, as described in Table 253.
4. Click Apply.
Table 253 Configuration items

Item: Enable Stateful Failover
Description: Enable or disable the stateful failover feature.

Item: Backup Type
Description: Select whether to support asymmetric path:
• Unsupport Asymmetric Path—Sessions enter and leave the internal network through one device. The two devices operate in the active/standby mode.
• Support Asymmetric Path—Sessions enter and leave the internal network through different devices to achieve load sharing. The two devices operate in the active/active mode.

Item: Backup VLAN
Description: Set the backup VLAN. After a VLAN is configured as a backup VLAN, the interfaces in the VLAN are used to transmit stateful failover packets.
IMPORTANT:
• A device uses the VLAN tag plus the protocol number to identify stateful failover packets, and broadcasts stateful failover packets to the peer within the backup VLAN. Therefore, HP recommends not configuring other services (such as voice VLAN) for a backup VLAN to avoid impact on the operation of stateful failover.
• An interface added to the backup VLAN can transmit other packets besides stateful failover packets.

Table 254 Field description

Field: NAS Device ID
Description: Configure the NAS Device ID used for AAA authentication. Configure the NAS Device IDs of the two devices to 1 and 2. If you modify the NAS Device ID, all online clients on the device are forced offline.

Stateful failover configuration example


Network requirements
In Figure 833, the IP address of VLAN-interface 1 on AC 1 is 8.190.1.60/16, and that on AC 2 is
8.190.1.61/16. The client and AP each obtain an IP address from the DHCP server at 8.190.0.13/16, and
the ACs perform portal authentication through the IMC server. Configure stateful failover on AC 1 and
AC 2 so that when one AC fails, the other AC can take over portal and other services.
Figure 833 Network diagram

Configuring AC 1
1. Configure AC 1 to support link backup between AC and AP to make sure traffic can be switched
to AC 2 when AC 1 fails:
a. From the navigation tree, select Advanced > AC Backup.
The default Setup page appears.
b. Select IPv4 and enter the IPv4 address of AC 2 (8.190.1.61) as the backup AC address, and
select Enable from the Fast Backup Mode list.
c. Click Apply.
Figure 834 Setup page

2. Configure stateful failover:


a. Select High reliability > Stateful Failover from the navigation tree.
b. Select Enable Stateful Failover, select Unsupport Asymmetric Path from the Backup Type list,
enter 2 for Backup VLAN, and select 1 for NAS Device ID.
c. Click Apply.

Figure 835 Configuring stateful failover

3. Configure RADIUS scheme system:


a. Select Authentication > RADIUS from the navigation tree.
b. Click Add.
The RADIUS scheme configuration page appears.
c. Enter system for Scheme Name, select Extended for Server Type, and select Without domain
name for Username Format.
d. Click Add in the RADIUS Server Configuration field.
The Add RADIUS Server page appears.
e. Select Primary Authentication for Server Type, and specify the IPv4 address 8.1.1.16 and port
number 1812.
f. Enter expert for Key and expert for Confirm Key.
g. Click Apply.
Figure 836 Configuring a primary RADIUS authentication server

h. Click Add in the RADIUS Server Configuration field.


The Add RADIUS Server page appears.
i. Select Primary Accounting for Server Type, and specify an IPv4 address 8.1.1.16 and 1813 as
the port number.
j. Enter expert for Key and expert for Confirm Key.
k. Click Apply.

Figure 837 Configuring a RADIUS accounting server

l. After the configurations are complete, click Apply on the RADIUS scheme configuration page.
Figure 838 RADIUS scheme configuration page

4. Configure AAA authentication scheme for ISP domain system:


a. Select Authentication > AAA from the navigation tree.
b. Click the Authentication tab.
c. Select system from the Select an ISP domain list, select the Default AuthN box, select RADIUS
from the list, and select system from the Name list.
d. Click Apply.
A dialog box appears, showing the configuration progress.
e. After the configuration is successfully applied, click Close.

Figure 839 Configuring AAA authentication scheme for the ISP domain

5. Configure AAA authorization scheme for ISP domain system:


a. Click the Authorization tab.
b. Select system from the Select an ISP domain list, select the Default AuthZ box, select RADIUS
from the list, and select system from the Name list.
c. Click Apply.
A dialog box appears, showing the configuration progress.
d. After the configuration is successfully applied, click Close.
Figure 840 Configuring AAA authorization scheme for the ISP domain

6. Configure AAA accounting scheme for ISP domain system:


a. Click the Accounting tab.
b. Select system from the Select an ISP domain list, and select the Accounting Optional box.
c. Select Enable from the list, and select the Default Accounting box.
d. Select RADIUS from the list and system from the Name list.
e. Click Apply.
A dialog box appears, showing the configuration progress.
f. After the configuration is successfully applied, click Close.

Figure 841 Configuring AAA accounting scheme for the ISP domain

7. Configure portal authentication:


a. Select Authentication > Portal from the navigation tree.
The default Portal Server configuration page appears.
b. Click Add.
c. Select Vlan-interface1 from the Interface list, Add from the Portal Server list, and Direct from the
Method list, and select system for Authentication Domain.
d. Enter newpt for Server Name, 8.1.1.16 for IP, expert for Key, 50100 for Port, and
http://8.1.1.16:8080/portal for URL.
e. Click Apply.

Figure 842 Configuring a portal server

8. Add a portal-free rule:


a. Click the Free Rule tab.
b. Click Add.
c. Enter 0 for Number, and select Bridge-Aggregation1 as the source interface.
d. Click Apply.
Figure 843 Adding a portal-free rule

9. Configure portal to support stateful failover at the command line interface (CLI):
# Assign VLAN-interface 1 to portal backup group 2. (The device ID of AC 1, 1, was set on the Stateful Failover page in step 2.)
<AC1>system-view
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal backup-group 2
# Configure the virtual IP address of VRRP group 1 as 8.190.1.100, and set the priority of AC 1 to 200. AC 2 uses the default priority, so AC 1 is the VRRP master while it is up.
[AC1-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100
[AC1-Vlan-interface1]vrrp vrid 1 priority 200
[AC1-Vlan-interface1]quit
# Configure the source IP address for RADIUS packets as the virtual IP address 8.190.1.100, so that the RADIUS server sees the same NAS address whichever AC is active.
[AC1]radius nas-ip 8.190.1.100
# Configure the source IP address for portal packets as 8.190.1.100 (the AC IP address configured on the IMC server for portal authentication). This is a system-view command.
[AC1]portal nas-ip 8.190.1.100

Configuring AC 2
Configure AC 2 in the same way you configure AC 1 except that:
• When you configure AC backup, specify AC 1's IP address as the backup AC address.
• Specify the NAS device ID to be used in stateful failover mode as 2.
For more information, see the configuration on AC 1.
The portal group configuration on the two stateful failover devices must be consistent.

Configuring IKE

Support for VPN depends on the device model. For more information, see "About the Web-based
configuration guide for HP unified wired-WLAN products."

Overview
IKE is built on the framework defined by ISAKMP and provides automatic key negotiation and SA establishment for IPsec, which greatly simplifies the deployment, management, configuration, and maintenance of IPsec.
Instead of transmitting keys across the network, IKE peers exchange keying material and each computes the shared keys locally. A third party that captures all of the exchanged data still cannot compute the keys.
Unless otherwise specified, the term "IKE" in this chapter refers to the IKE version 1 protocol.

IKE security mechanism


IKE has a series of self-protection mechanisms that provide secure identity authentication, key distribution, and IPsec SA establishment over insecure networks.

Data authentication
Data authentication involves the following concepts:
• Identity authentication—Mutual identity authentication between peers. Two authentication
methods are available: pre-shared key authentication and PKI-based digital signature
authentication (RSA signature).
• Identity protection—Encrypts the identity information with the generated keys before sending the
information.

DH
The DH algorithm is a public key algorithm. With it, two peers exchange keying material and then use that material to calculate the same shared key. A third party that intercepts all of the keying material still cannot obtain the shared key, because recovering it requires solving the discrete logarithm problem, which is computationally infeasible for sufficiently large groups.

PFS
The PFS feature is a security feature based on the DH algorithm. By making sure that keys have no derivative relationship, it guarantees that the compromise of one key poses no threat to other keys. For IPsec, PFS is implemented by performing an additional DH exchange in IKE negotiation phase 2, so the IPsec keys are not derived from the phase 1 keying material alone.

IKE operation
IKE negotiates keys and establishes SAs for IPsec in two phases:
1. Phase 1—Two peers establish an ISAKMP SA, a secure, authenticated channel for communication.
In this phase, two modes are available: main mode and aggressive mode.

2. Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec
SAs.
Figure 844 IKE exchange process in main mode

As shown in Figure 844, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange—Used for negotiating the security policy.
• Key exchange—Used for exchanging the Diffie-Hellman public value and other values like the
random number. Key data is generated in this stage.
• ID and authentication data exchange—Used for authentication of identity and exchanged data in
phase 1.
The main difference between main mode and aggressive mode is that aggressive mode exchanges only three messages and does not provide identity protection: the identities are sent before the DH key is established. Aggressive mode exchanges less information and negotiates faster, so it applies to scenarios where the requirement for identity protection is lower. For scenarios with a higher requirement for identity protection, use main mode.
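The following Python script is an added illustration of the phase 1 exchange and of PFS; it is not code from the HP product or from this guide. It models the DH exchange, the RFC 2409 key derivation for pre-shared-key authentication (SKEYID, SKEYID_d, SKEYID_a, SKEYID_e) and the quick-mode KEYMAT with and without PFS, then shows the case PFS is designed for: a passive attacker who recorded every message and later obtains SKEYID_d can recompute the IPsec keys only when PFS is off. The DH group (2**127 - 1 with generator 5) is a constructed toy parameter, not an IKE group; the pre-shared key abcde is taken from the configuration example, and the nonces, cookies and SPI are constructed for each run.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group for illustration only. 2**127 - 1 is prime (a Mersenne
# prime) but it is not an IKE MODP group and must never be used in practice; IKE
# Group2 (1024-bit) and Group14 (2048-bit) are the primes from RFC 2409 and RFC 3526.
P = 2**127 - 1
G = 5


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` using the proposal's hash (SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def dh_public(private: int) -> int:
    """Key exchange payload: only g^x mod p is sent; x never leaves the peer."""
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> int:
    """(g^y)^x = (g^x)^y = g^xy: both peers reach the same value independently."""
    return pow(peer_public, private, P)


def phase1_keys(psk: bytes, ni: bytes, nr: bytes, gxy: int, cky_i: bytes, cky_r: bytes):
    """Phase-1 key derivation for pre-shared-key authentication (RFC 2409 section 5):
    SKEYID   = prf(psk, Ni_b | Nr_b)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)             -> IPsec key source
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)  -> ISAKMP authentication
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)  -> ISAKMP encryption"""
    skeyid = prf(psk, ni + nr)
    gxy_b = to_bytes(gxy)
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def phase2_keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni2: bytes, nr2: bytes,
                  gqm_xy: int = None) -> bytes:
    """Quick-mode KEYMAT (RFC 2409 section 5.5). Without PFS:
    prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b). With PFS the fresh quick-mode DH
    secret g(qm)^xy is prepended, so SKEYID_d alone no longer determines KEYMAT."""
    material = bytes([protocol]) + spi + ni2 + nr2
    if gqm_xy is not None:
        material = to_bytes(gqm_xy) + material
    return prf(skeyid_d, material)


def eavesdropper_recovers_keymat(pfs: bool) -> bool:
    """The threat PFS addresses: a passive attacker records every phase-1 and
    phase-2 message (DH public values, nonces, cookies, SPI) and later obtains
    SKEYID_d, e.g. from leaked ISAKMP SA state. Returns True if that suffices to
    recompute the IPsec KEYMAT. All secrets below are constructed for the run."""
    psk = b"abcde"                      # the pre-shared key of the configuration example
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    x_i, x_r = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = dh_public(x_i), dh_public(x_r)            # the only DH values on the wire
    gxy = dh_shared(x_i, gy)
    assert gxy == dh_shared(x_r, gx)
    skeyid_d, _, _ = phase1_keys(psk, ni, nr, gxy, cky_i, cky_r)

    # Phase 2: ESP is protocol 50; SPI and quick-mode nonces are sent in the clear.
    spi, ni2, nr2 = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    gqm_xy = None
    if pfs:                                            # extra DH exchange in phase 2
        q_i, q_r = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        gqm_xy = dh_shared(q_i, dh_public(q_r))
    real_keymat = phase2_keymat(skeyid_d, 50, spi, ni2, nr2, gqm_xy)

    # The attacker holds SKEYID_d and everything observed, but no private exponent,
    # so it cannot form g(qm)^xy and can only derive KEYMAT the non-PFS way.
    attacker_keymat = phase2_keymat(skeyid_d, 50, spi, ni2, nr2, None)
    return hmac.compare_digest(real_keymat, attacker_keymat)


if __name__ == "__main__":
    print("attacker recovers KEYMAT without PFS:", eavesdropper_recovers_keymat(False))
    print("attacker recovers KEYMAT with PFS:   ", eavesdropper_recovers_keymat(True))
```

Run the script as is: it prints True for the non-PFS case and False with PFS. The derivation functions follow RFC 2409 exactly, so only the group parameters and the sample values need to change to reproduce the real computation.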

Functions of IKE in IPsec


IKE provides the following functions for IPsec:
• Automatically negotiates IPsec parameters such as the keys, reducing the manual configuration
complexity.
• Performs DH exchange whenever establishing an SA, making sure each SA has a key independent
of any other keys.
• Automatically negotiates SAs when the sequence number in the AH or ESP header overflows,
making sure IPsec provides the anti-replay service correctly by using the sequence number.
• Provides end-to-end dynamic authentication.
• Identity authentication and management of peers influence IPsec deployment. A large-scale IPsec deployment needs the support of CAs or other institutions that manage identity data centrally.

Relationship between IKE and IPsec
Figure 845 Relationship between IKE and IPsec

Figure 845 illustrates the relationship between IKE and IPsec:


• IKE is an application layer protocol running over UDP (port 500, or port 4500 when NAT traversal is used) and functions as the signaling protocol of IPsec.
• IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.
• IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.

Protocols and standards


• RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
• RFC 2409, The Internet Key Exchange (IKE)
• RFC 2412, The OAKLEY Key Determination Protocol

Configuration prerequisites
Before you configure IKE, verify the following parameters:
• The strength of the algorithms for IKE negotiation (the security protection level), including the
identity authentication method, encryption algorithm, authentication algorithm, and DH group.
Different algorithms provide different levels of protection. A stronger algorithm means more resistant
to decryption of protected data but requires more resources. Generally, the longer the key, the
stronger the algorithm.
• The pre-shared key or the PKI domain to which the certificate belongs. For more information about
PKI configuration, see "Managing certificates."

Recommended configuration procedure


Step Remarks
1. Configuring global IKE parameters
Optional.
Configure the IKE local name and NAT keepalive interval.

2. Configuring an IKE proposal
Required when IKE peers need to specify an IKE proposal.
An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You can create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number: the smaller the sequence number, the higher the preference.
Two peers must have at least one pair of matching IKE proposals for IKE negotiation to succeed. During IKE negotiation, the initiator sends its IKE proposals to the peer. The peer matches them against its own IKE proposals, starting with the one with the smallest sequence number, until a match is found or all proposals have been tried. The matching IKE proposals are used to establish the security tunnel.
Two IKE proposals match when they have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The ISAKMP SA lifetime is the smaller of the lifetimes of the two matching proposals.
By default, there is an IKE proposal that has the lowest preference and uses these settings:
• Pre-shared key authentication method
• SHA authentication algorithm
• DES-CBC encryption algorithm
• DH group named Group1
• SA lifetime of 86400 seconds
DES-CBC and the 768-bit Group1 are no longer considered secure. Configure an explicit proposal with AES and Group14 on both peers rather than relying on the default.

3. Configuring IKE DPD
Optional.
DPD detects dead IKE peers on demand rather than periodically. When the local end sends an IPsec packet, DPD checks when the last IPsec packet was received from the peer. If that time exceeds the DPD interval, it sends a DPD hello to the peer. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the hello. If it still receives no acknowledgement after the maximum number of retransmission attempts (two by default), it considers the peer dead and clears the IKE SA and the IPsec SAs negotiated through that IKE SA.

4. Configuring an IKE peer
Required.
Create an IKE peer and configure the related parameters.
IMPORTANT:
If you change the settings of an IKE peer, clear the established ISAKMP SAs and IPsec SAs on the pages displayed after you select VPN > IKE > IKE SA and VPN > IPSec > IPSec SA, respectively. Otherwise, SA renegotiation fails.

5. Viewing IKE SAs
Optional.
View summary information about the current ISAKMP SAs.

Configuring global IKE parameters
1. From the navigation tree, select VPN > IKE.
The IKE Global Configuration page appears.
Figure 846 IKE global configuration page

2. Configure global IKE parameters, as described in Table 255.


3. Click Apply.
Table 255 Configuration items

Item Description
IKE Local Name
Enter a name for the local security gateway.
If the local device acts as the IKE negotiation initiator and uses the ID type of FQDN or user FQDN for IKE negotiation, you must configure this parameter on the local device. The local device then sends its gateway name to its peer as identification, and the peer uses the locally configured remote gateway name to authenticate the local device. Make sure that the local gateway name configured here is identical to the remote gateway name configured on its peer.
By default, the device name is used as the local gateway name.

NAT Keepalive Interval
Set the interval at which the ISAKMP SA sends NAT keepalive packets to its peer.
NAT mappings on a NAT gateway might age out. If no packet traverses an IPsec tunnel for a certain period of time, the NAT mapping is deleted, and the tunnel beyond the NAT gateway can no longer transfer data. To prevent NAT mappings from aging out, an ISAKMP SA sends NAT keepalive packets to its peer at this interval to keep the NAT session alive.

Configuring an IKE proposal


1. From the navigation tree, select VPN > IKE.
2. Click the Proposal tab.
The IKE proposal list page appears.

Figure 847 IKE proposal list

3. Click Add.
The IKE Proposal Configuration page appears.
Figure 848 Adding an IKE proposal

4. Configure the IKE proposal parameters, as described in Table 256.


5. Click Apply.
Table 256 Configuration items

Item Description
IKE Proposal Number
Enter the IKE proposal number.
The number also stands for the priority of the IKE proposal: a smaller value means a higher priority. During IKE negotiation, the system matches IKE proposals in order of proposal number, starting from the smallest one.

Authentication Method
Select the authentication method to be used by the IKE proposal. Options include:
• Preshared Key—Uses the pre-shared key method.
• RSA Signature—Uses the RSA digital signature method.

Authentication Algorithm
Select the authentication algorithm to be used by the IKE proposal. Options include:
• SHA1—Uses HMAC-SHA1.
• MD5—Uses HMAC-MD5. MD5 is deprecated; select it only for interoperability with a peer that supports nothing stronger.

Encryption Algorithm
Select the encryption algorithm to be used by the IKE proposal. Options include:
• DES-CBC—Uses the DES algorithm in CBC mode and 56-bit keys for encryption.
• 3DES-CBC—Uses the 3DES algorithm in CBC mode and 168-bit keys for encryption.
• AES-128—Uses the AES algorithm in CBC mode and 128-bit keys for encryption.
• AES-192—Uses the AES algorithm in CBC mode and 192-bit keys for encryption.
• AES-256—Uses the AES algorithm in CBC mode and 256-bit keys for encryption.
A 56-bit DES key can be recovered by brute force; prefer AES.

DH Group
Select the DH group to be used in key negotiation phase 1. Options include:
• Group1—Uses the 768-bit Diffie-Hellman group.
• Group2—Uses the 1024-bit Diffie-Hellman group.
• Group5—Uses the 1536-bit Diffie-Hellman group.
• Group14—Uses the 2048-bit Diffie-Hellman group.
Group1 and Group2 are too small for current guidance; use Group14 where the peer supports it.

SA Lifetime
Enter the ISAKMP SA lifetime of the IKE proposal.
Before an SA expires, IKE negotiates a new SA. As soon as the new SA is set up, it takes effect immediately, and the old one is cleared automatically when it expires.
IMPORTANT:
If the SA lifetime expires, the system automatically updates the ISAKMP SA. DH calculation in IKE negotiation takes time, especially on low-end devices. Set the lifetime to more than 10 minutes to prevent SA updates from affecting normal communication.

Configuring IKE DPD


1. From the navigation tree, select VPN > IKE.
2. Click the DPD tab.
The DPD detector list page appears.
Figure 849 DPD detector list

3. Click Add.
The Add IKE DPD page appears.

Figure 850 Adding an IKE DPD detector

4. Configure the IKE DPD parameters, as described in Table 257.


5. Click Apply.
Table 257 Configuration items

Item Description
DPD Name
Enter a name for the IKE DPD.

DPD Query Triggering Interval
Enter the interval after which DPD is triggered if no IPsec-protected packets are received from the peer.

DPD Packet Retransmission Interval
Enter the interval after which a DPD packet is retransmitted if no DPD response is received.

Configuring an IKE peer


1. From the navigation tree, select VPN > IKE.
2. Click the Peer tab.
The IKE peer list page appears.
Figure 851 IKE peer list

3. Click Add.
The Add IKE Peer page appears.

Figure 852 Adding an IKE peer

4. Configure the IKE peer parameters, as described in Table 258.


5. Click Apply.
Table 258 Configuration items

Item Description
Peer Name
Enter a name for the IKE peer.

IKE Negotiation Mode
Select the IKE negotiation mode in phase 1, which can be Main or Aggressive.
IMPORTANT:
• If you configure one end of an IPsec tunnel to obtain an IP address dynamically, the IKE negotiation mode must be Aggressive. In this case, SAs can be established as long as the username and password are correct.
• The specified negotiation mode is used when the local peer is the negotiation initiator. When the local peer acts as the responder, the negotiation mode of the initiator is used.
Aggressive mode sends the identities in clear text and, with pre-shared keys, exposes a hash of the key that can be attacked offline. Use main mode wherever both peers have fixed addresses.

Local ID Type
Select the local ID type for IKE negotiation phase 1. Options include:
• IP Address—Uses an IP address as the ID in IKE negotiation.
• FQDN—Uses the FQDN type as the ID in IKE negotiation. If this option is selected, type a name string without an at sign (@) for the local security gateway, for example, foo.bar.com.
• User FQDN—Uses a user FQDN type as the ID in IKE negotiation. If this option is selected, type a name string with an at sign (@) for the local security gateway, for example, [email protected].
IMPORTANT:
In main mode, only the IP address ID type can be used in IKE negotiation and SA establishment.

Local IP Address
Enter the IP address of the local security gateway.
By default, it is the primary IP address of the interface referencing the security policy. Configure this item when you want to specify a special address for the local security gateway.
IMPORTANT:
Typically, you do not need to specify the local IP address unless you want to specify a special address, such as the loopback interface address. For the local peer to act as the initiator, you must configure the remote security gateway name or IP address, so that the initiator can find the remote peer during the negotiation.

Remote Gateway Address
Enter the IP address or host name of the remote security gateway.
• IP Address—Specify an IP address or a range of IP addresses for the remote gateway. If the local end is the initiator of IKE negotiation, it can have only one remote IP address, and that address must match the local IP address configured on its peer. If the local end is the responder of IKE negotiation, it can have more than one remote IP address, and one of them must match the local IP address configured on its peer.
• Hostname—Enter the host name of the remote gateway, which uniquely identifies the IPsec peer in the network. The host name can be resolved to an IP address by the DNS server. If a host name is used, the local end can serve as the initiator of IKE negotiation.

Remote Gateway Name
Enter the name of the remote security gateway.
If the local ID type configured for the IKE negotiation initiator is FQDN or user FQDN, the initiator sends its gateway name (IKE Local Name) to the responder for identification. The responder then uses the locally configured remote gateway name to authenticate the initiator. Make sure that the remote gateway name configured here is identical to the local gateway name (IKE Local Name) configured on its peer.

Pre-Shared Key
PKI Domain
To use the pre-shared key authentication method, select Pre-Shared Key and enter the same pre-shared key in the Key and Confirm Key fields. Use a long, random key: the pre-shared key is the only secret that authenticates the peers.
To use the RSA signature authentication method, select PKI Domain and then select the PKI domain to which the certificate belongs from the list. Available PKI domains are those configured on the page you enter by selecting VPN > Certificate Manager > Domain from the navigation tree.

Enable DPD
Select the IKE DPD to be applied to the IKE peer.

Enable the NAT traversal function
Enable the NAT traversal function for IPsec/IKE.
The NAT traversal function must be enabled if a NAT gateway exists on the path of an IPsec/IKE VPN tunnel.
IMPORTANT:
To save IP addresses, ISPs often deploy NAT gateways on public networks to allocate private IP addresses to users. In this case, one end of an IPsec/IKE tunnel might have a public address while the other end has a private address, and NAT traversal must be configured at the private network side to set up the tunnel.

Viewing IKE SAs


1. From the navigation tree, select VPN > IKE.
2. Click the IKE SA tab.
The IKE SA list page appears.
Figure 853 IKE SA list

You can click Delete All to remove all ISAKMP SAs. To clear a local IPsec SA, the local end must
send a Delete Message to the remote end over the corresponding ISAKMP SA. The message
notifies the remote end to delete the IPsec SA. If the corresponding ISAKMP SA does not exist, the
local end cannot notify the remote end to clear the IPsec SA.
Table 259 Field description

Field Description
Connection ID
Identifier of the ISAKMP SA.

Remote IP Address
Remote IP address of the SA.

Flag
Status of the SA. Possible values include:
• RD—Ready. The SA has already been established and is ready for use.
• ST—Stayalive. The local end is the tunnel negotiation initiator.
• RL—Replaced. The tunnel has been replaced and will be cleared soon.
• FD—Fading. The soft lifetime has expired but the tunnel is still in use. The tunnel will be deleted when the hard lifetime expires.
• TO—Timeout. The SA has received no keepalive packets since the last keepalive timeout. If no keepalive packets are received before the next keepalive timeout, the SA will be deleted.
IMPORTANT:
IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the peer is configured with the keepalive timeout, you must configure the keepalive packet transmission interval on the local end. If the peer receives no keepalive packet during the timeout interval, the ISAKMP SA is tagged with the TIMEOUT tag (if it does not have the tag yet), or deleted along with the IPsec SAs it negotiated (if it already has the tag).

Domain of Interpretation
Interpretation domain to which the SA belongs.

IKE configuration example


Network requirements
As shown in Figure 854, configure an IPsec tunnel between AC 1 and AC 2 to protect traffic between
subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
On AC 1, configure an IKE proposal that uses the sequence number 10 and the authentication algorithm
MD5. AC 2 uses the default IKE proposal.
Configure the pre-shared key authentication method.
Figure 854 Network diagram

Configuring AC 1
1. Configure IP addresses for the interfaces, and assign the interfaces to security zones. (Details not
shown.)
2. Create ACL 3101:
a. From the navigation tree, select QoS > ACL IPv4.
b. Click the Add tab.
c. Enter the ACL number 3101, and select the match order Config.
d. Click Apply.
Figure 855 Creating ACL 3101

e. Click the Advanced Setup tab.


f. Select the ACL 3101.
g. Select Permit from the Action list.
h. Select Source IP Address, and enter 10.1.1.0 and 0.0.0.255 as the source IP address and
mask.
i. Select Destination IP Address, and enter 10.1.2.0 and 0.0.0.255 as the destination IP address
and mask.
j. Click Apply.

Figure 856 Configuring a rule to allow packets from subnet 10.1.1.0/24 to subnet 10.1.2.0/24

3. Configure an IKE peer named peer:


a. From the navigation tree, select VPN > IKE.
b. Click the Peer tab.
c. Click Add.
d. Enter the peer name peer.
e. Select the negotiation mode Main.
f. Enter the remote gateway IP address 2.2.2.2.
g. Select Pre-Shared Key, and enter the pre-shared key abcde in the Key and Confirm Key fields.
h. Click Apply.

Figure 857 Configuring an IKE peer named peer

4. Create an IKE proposal numbered 10:


a. From the navigation tree, select VPN > IKE.
b. Click the Proposal tab.
c. Click Add.
d. Enter the IKE proposal number 10.
e. Select the authentication method Preshared Key.
f. Select the authentication algorithm MD5.
g. Set the SA lifetime to 5000 seconds.
h. Click Apply.

Figure 858 Creating an IKE proposal numbered 10

5. Create an IPsec proposal named tran1:


a. From the navigation tree, select VPN > IPSec.
b. Click the Proposal tab.
c. Click Add.
d. From the IPSec Proposal Configuration Wizard page, select Custom mode.
e. Enter the IPsec proposal name tran1.
f. Select the packet encapsulation mode Tunnel.
g. Select the security protocol ESP.
h. Select the authentication algorithm SHA1.
i. Select the encryption algorithm DES.
j. Click Apply.
Figure 859 Creating an IPsec proposal named tran1

6. Create an IPsec policy named map1:
a. From the navigation tree, select VPN > IPSec.
b. Click the Policy tab.
c. Click Add.
d. Enter the IPsec policy name map1.
e. Enter the sequence number 10.
f. Select the IKE peer peer.
g. Select the IPsec proposal tran1 from the Available Proposal list, and click <<.
h. Enter the ACL number 3101.
i. Click Apply.
Figure 860 Creating an IPsec policy named map1

7. Apply the IPsec policy to VLAN-interface 1:
a. From the navigation tree, select VPN > IPSec.
The IPSec Application page appears.
b. Click the icon for interface Vlan-interface1.

c. Select policy map1.


d. Click Apply.
Figure 861 Applying the IPsec policy to interface VLAN-interface 1

8. Configure a static route to Host 2:


a. From the navigation tree, select Network > IPv4 Routing.
b. Click the Add tab.
c. Enter 10.1.2.0 as the destination IP address.
d. Enter 255.255.255.0 as the mask.
e. Enter 2.2.2.2 as the next hop.
f. Click Apply.
Figure 862 Configuring a static route to Host 2

Configuring AC 2
1. Configure IP addresses for the interfaces, and assign the interfaces to security zones. (Details not
shown.)
2. Create ACL 3101:
a. From the navigation tree, select QoS > ACL IPv4.
b. Click the Add tab.
c. Enter the ACL number 3101, and select the match order Config.

d. Click Apply.
e. Click the Advanced Setup tab.
f. Select Permit from the Action list.
g. Select Source IP Address, and enter 10.1.2.0 and 0.0.0.255 as the source IP address and
mask.
h. Select Destination IP Address, and enter 10.1.1.0 and 0.0.0.255 as the destination IP address
and mask.
i. Click Apply.
3. Configure an IKE peer named peer:
a. From the navigation tree, select VPN > IKE.
b. Click the Peer tab.
c. Click Add.
d. Enter the peer name peer.
e. Select the negotiation mode Main.
f. Enter the remote gateway IP address 1.1.1.1.
g. Select Pre-Shared Key, and enter the pre-shared key abcde in the Key and Confirm Key fields.
h. Click Apply.
4. Create an IPsec proposal named tran1:
a. From the navigation tree, select VPN > IPSec.
b. Click the Proposal tab.
c. Click Add.
d. From the IPSec Proposal Configuration Wizard page, select Custom mode.
e. Enter the IPsec proposal name tran1.
f. Select the packet encapsulation mode Tunnel.
g. Select the security protocol ESP.
h. Select the authentication algorithm SHA1.
i. Select the encryption algorithm DES.
j. Click Apply.
5. Create an IPsec policy named map1:
a. From the navigation tree, select VPN > IPSec.
b. Click the Policy tab.
c. Click Add.
d. Enter the IPsec policy name map1.
e. Enter the sequence number 10.
f. Select the IKE peer peer.
g. Select the IPsec proposal tran1 from the Available Proposal list, and click <<.
h. Enter the ACL number 3101.
i. Click Apply.

6. Apply the IPsec policy to VLAN-interface 1:
a. From the navigation tree, select VPN > IPSec.
The IPSec Application page appears.
b. Click the icon for interface Vlan-interface1.

c. Select policy map1.


d. Click Apply.
7. Configure a static route to Host 1:
a. From the navigation tree, select Network > IPv4 Routing.
b. Click Add.
c. Enter 10.1.1.0 as the destination IP address.
d. Enter 255.255.255.0 as the mask.
e. Enter 1.1.1.1 as the next hop.
f. Click Apply.

Verifying the configuration


Traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 that matches ACL 3101 on AC 1 or AC 2 triggers IKE negotiation. AC 1 is configured with IKE proposal 10, which uses the authentication algorithm MD5. AC 2 uses the default IKE proposal, which uses the default authentication algorithm SHA. Because AC 2 has no proposal matching proposal 10 of AC 1, the two devices use the default IKE proposal. The two devices do not need to have the same ISAKMP SA lifetime; they use the smaller of the two configured lifetimes.
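The following Python script is an added example, not code from the HP product or from this guide, that reproduces the proposal matching described under "Configuring an IKE proposal" for exactly this configuration: AC 1 offers proposal 10 (pre-shared key, MD5, lifetime 5000 seconds) plus the default proposal, and AC 2 offers only the default. The encryption algorithm and DH group of proposal 10 are assumed to be the defaults (DES-CBC, Group1) because the example does not change them, and the sequence number 65535 given to the default proposal is a placeholder that only makes it sort last. The weak_settings check is an added practitioner check, not a device feature.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IkeProposal:
    """One IKE proposal as configured on the Proposal tab. The number doubles
    as the priority: the smaller the number, the higher the preference."""
    number: int
    auth_method: str   # "preshared-key" or "rsa-signature"
    auth_alg: str      # "sha1" or "md5"
    enc_alg: str       # "des-cbc", "3des-cbc", "aes-128", "aes-192", "aes-256"
    dh_group: str      # "group1", "group2", "group5", "group14"
    lifetime: int      # ISAKMP SA lifetime in seconds

    def attributes(self):
        """The four attributes that must agree for two proposals to match."""
        return (self.auth_method, self.auth_alg, self.enc_alg, self.dh_group)


# The guide's built-in default proposal. Its sequence number is not documented;
# 65535 is an assumed placeholder that only makes it sort last (lowest preference).
DEFAULT_PROPOSAL = IkeProposal(65535, "preshared-key", "sha1", "des-cbc", "group1", 86400)


def match_proposals(initiator: Iterable[IkeProposal],
                    responder: Iterable[IkeProposal]) -> Optional[IkeProposal]:
    """Responder-side matching as the guide describes it: walk the responder's
    own proposals from the smallest sequence number and select the first whose
    four attributes equal those of any proposal the initiator offered. The
    ISAKMP SA lifetime is the smaller lifetime of the two matching proposals.
    Returns None when no pair matches, i.e. negotiation fails."""
    offered = {}
    for p in sorted(initiator, key=lambda p: p.number):
        offered.setdefault(p.attributes(), p)   # keep the initiator's preferred copy
    for own in sorted(responder, key=lambda p: p.number):
        peer = offered.get(own.attributes())
        if peer is not None:
            return IkeProposal(own.number, *own.attributes(),
                               min(own.lifetime, peer.lifetime))
    return None


def weak_settings(p: IkeProposal) -> List[str]:
    """Added practitioner check: attributes the device accepts but that should
    no longer be relied on (56-bit DES, MD5, DH groups below 2048 bits)."""
    flagged = []
    if p.enc_alg == "des-cbc":
        flagged.append(p.enc_alg)
    if p.auth_alg == "md5":
        flagged.append(p.auth_alg)
    if p.dh_group in ("group1", "group2"):
        flagged.append(p.dh_group)
    return flagged


def guide_example() -> Optional[IkeProposal]:
    """AC 1: proposal 10 (pre-shared key, MD5, lifetime 5000 s) plus the default.
    AC 2: the default only. Encryption algorithm and DH group of proposal 10 are
    assumed to be the defaults because the example does not set them."""
    ac1 = [IkeProposal(10, "preshared-key", "md5", "des-cbc", "group1", 5000),
           DEFAULT_PROPOSAL]
    ac2 = [DEFAULT_PROPOSAL]
    return match_proposals(ac1, ac2)


if __name__ == "__main__":
    chosen = guide_example()
    print("Selected proposal:", chosen)          # the default attributes, lifetime 86400
    print("Weak settings:", weak_settings(chosen))
```

Running the script selects the default proposal with a lifetime of 86400 seconds, as the verification above states, and flags des-cbc and group1 as settings to replace before the tunnel carries production traffic.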

Configuring IPsec

Overview
IP Security (IPsec) is a security framework defined by IETF for securing IP communications. It is a Layer 3
VPN technology that transmits data in a secure tunnel established between two endpoints.
IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at
the IP layer in an insecure network environment:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet.
• Data integrity—The receiver verifies the packets received from the sender to ensure they are not
tampered with during transmission.
• Data origin authentication—The receiver verifies the authenticity of the sender.
• Anti-replay—The receiver examines packets, and drops outdated or repeated packets.
IPsec delivers these benefits:
• Reduced key negotiation overheads and simplified maintenance by supporting the IKE protocol.
IKE provides automatic key negotiation and automatic IPsec security association (SA) setup and
maintenance.
• Good compatibility. IPsec can be applied to all IP-based application systems and services without
any modification to them.
• Encryption on a per-packet rather than per-flow basis. This allows for flexibility and greatly
enhances IP security.
IPsec comprises a set of protocols for IP data security, including AH, ESP, and IKE, together with algorithms for authentication and encryption. AH and ESP provide the security services, and IKE performs key exchange. For more information about IKE, see "Configuring IKE."

Basic concepts
Security protocols
IPsec comes with two security protocols:
• AH (protocol 51)—Provides data origin authentication, data integrity, and anti-replay services. For these purposes, an AH header is added to each IP packet. AH prevents tampering but not eavesdropping, so it is suitable only for data that does not require confidentiality. AH supports authentication algorithms such as MD5 and SHA-1.
• ESP (protocol 50)—Provides data encryption in addition to data origin authentication, data integrity, and anti-replay services. ESP works by inserting an ESP header and an ESP trailer in IP packets. Unlike AH, ESP encrypts the data before encapsulating it to ensure confidentiality. ESP supports encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5 and SHA-1. The authentication function is optional in ESP, but ESP without authentication provides no integrity protection and should not be used.
Both AH and ESP provide authentication services, but the authentication provided by AH is stronger because it also covers the immutable fields of the IP header. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.

Security association
A security association is an agreement negotiated between two communicating parties, called IPsec peers. It comprises a set of parameters for data protection, including the security protocols, encapsulation mode, authentication and encryption algorithms, and the keys and their lifetime. SAs can be set up manually or through IKE.
An SA is unidirectional. At least two SAs are needed to protect data flows in a bidirectional
communication. Moreover, if two peers want to use both AH and ESP to protect data flows between them,
they construct an independent SA for each protocol.
An SA is uniquely identified by a triplet, which consists of the security parameter index (SPI), destination
IP address, and security protocol (AH or ESP).
An SPI is a 32-bit number for uniquely identifying an SA. It is transmitted in the AH/ESP header. A
manually configured SA requires an SPI to be specified manually for it. An IKE created SA will have an
SPI generated at random.
A manually configured SA never ages out. An IKE created SA has a specified period of lifetime, which
comes in two types:
• Time-based lifetime—Defines how long an SA can be valid after it is created.
• Traffic-based lifetime—Defines the maximum traffic that an SA is allowed to process.
The SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates
a new SA, which takes over immediately after its creation.

Encapsulation modes
IPsec supports the following IP packet encapsulation modes:
• Tunnel mode—IPsec protects the entire IP packet (the IP header and the payload). It uses the entire
IP packet to calculate an AH or ESP header, and then encapsulates the original IP packet and the
AH or ESP header with a new IP header. If you use ESP, an ESP trailer is also encapsulated. Tunnel
mode typically is used for protecting gateway-to-gateway communications.
• Transport mode—IPsec protects only the IP payload. It uses only the IP payload to calculate the AH
or ESP header, and inserts the calculated header between the original IP header and payload. If
you use ESP, an ESP trailer is also encapsulated. The transport mode typically is used for protecting
host-to-host or host-to-gateway communications.
Figure 863 shows how the security protocols encapsulate an IP packet in different encapsulation modes.
Figure 863 Encapsulation by security protocols in different modes

Authentication algorithms and encryption algorithms
• Authentication algorithms
IPsec uses hash algorithms, keyed with the authentication key of the SA (HMAC), to perform
authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. The
sender computes a digest over each packet and the receiver recomputes it. If the two digests are
identical, the packet is considered intact and from the expected peer.
IPsec supports the following hash algorithms for authentication:
MD5—Takes a message of arbitrary length as input and produces a 128-bit message digest.
SHA-1—Takes a message of a maximum length less than the 64th power of 2 in bits as input
and produces a 160-bit message digest.
Compared with SHA-1, MD5 is faster but less secure.
• Encryption algorithms
IPsec typically uses symmetric encryption algorithms, which encrypt and decrypt data by using the
same keys. The following encryption algorithms are available for IPsec on the device:
DES—Encrypts a 64-bit plain text block with a 56-bit key. DES is the fastest but the least secure
algorithm; its 56-bit key is within reach of brute force, so use it only with peers that support
nothing stronger.
3DES—Encrypts plain text data with three 56-bit DES keys. The key length totals up to 168 bits.
It provides moderate security strength and is slower than DES.
AES—Encrypts plain text data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest
security strength and is slower than 3DES.

IPsec SA setup modes


There are two IPsec SA setup modes:
• Manual mode—In this mode, you must manually configure and maintain all SA settings. Advanced
features such as periodic key update are not available. However, this mode implements IPsec
independently of IKE.
• ISAKMP mode—In this mode, IKE negotiates and maintains IPsec SAs for IPsec automatically.
If the number of IPsec tunnels in your network is small, use the manual mode. If the number of IPsec
tunnels is large, use the ISAKMP mode.
The Web interface supports only the ISAKMP mode.

IPsec tunnel
An IPsec tunnel is a bidirectional channel created between two peers. An IPsec tunnel comprises one or
more pairs of SAs.

IPsec RRI
With IPsec Reverse Route Injection (RRI), an IPsec tunnel gateway can automatically add static routes
to the networks protected behind its peer IPsec tunnel gateways to a routing table.
IPsec RRI frees you from the tedious work of manually configuring and maintaining static routes for IPsec
tunnels. For example, if you enable RRI on Device A in Figure 864, Device A automatically creates a
static route to branch network 192.168.2.0/24 for the IPsec protected traffic from the headquarters to the
branch. You do not need to add the route manually.

Figure 864 An IPsec VPN

You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly
create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful
failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local
gateway.
IPsec RRI dynamically creates static routes based on IPsec SAs. In each static route, the destination
address is the address of a protected branch network, and the next hop is the user-specified remote peer
address or the remote tunnel endpoint's address learned during IPsec SA negotiation.
In an MPLS L3VPN network, an RRI-configured IPsec VPN gateway can add static routes into the IP
routing table of the VPN instance that is bound to the interface applied with an IPsec policy.
IPsec RRI creates static routes when the IPsec SAs are established, and deletes the static routes when the
IPsec SAs are deleted.

IPsec stateful failover


The IPsec stateful failover function enables hot backup of IPsec service data between two devices and is
typically deployed on two redundant gateways at the headquarters to improve the availability of IPsec
service.
The IPsec stateful failover function must work with the stateful failover feature and the VRRP feature.
The two devices in IPsec stateful failover must join the same VRRP group to act as a single virtual device.
They use the virtual IP address of the virtual device to communicate with remote devices.
The IPsec stateful failover function can operate only in standard VRRP mode. In this mode, the master
processes and forwards IPsec traffic, and the backup device only synchronizes IPsec service data with the
master. When the master fails, the backup immediately takes over to forward IPsec traffic. This switchover
process is transparent to remote devices. No extra configuration is required on remote devices and no
IPsec re-negotiation is required after the switchover.

Figure 865 IPsec stateful failover
(Device A, the master, and Device B, the backup, form two VRRP virtual routers, virtual router 1 and
virtual router 2, one facing the local LAN and one facing the Internet, and are connected by a failover
link. The IPsec tunnel runs across the Internet to Device C, which connects the remote LAN.)

As shown in Figure 865, Device A and Device B form an IPsec stateful failover system and Device A is
elected the master in the VRRP group. When Device A operates correctly, it establishes an IPsec tunnel to
Device C, and synchronizes its IPsec service data to Device B. The synchronized IPsec service data
includes the IKE SA, IPsec SAs, anti-replay sequence number and window, SA lifetime in bytes, and DPD
packet sequence number. Based on the IPsec service data, Device B creates standby IKE SA and standby
IPsec SAs to back up the active IKE SA and active IPsec SAs on Device A. When Device A fails, the VRRP
mechanism switches IPsec traffic from Device A to Device B. Because Device B has an instant copy of
Device A's IPsec service data, Device B can immediately process IPsec traffic to provide nonstop IPsec
service.

Protocols and standards


• RFC 2401, Security Architecture for the Internet Protocol (obsoleted by RFC 4301)
• RFC 2402, IP Authentication Header (obsoleted by RFC 4302)
• RFC 2406, IP Encapsulating Security Payload (obsoleted by RFC 4303)
• RFC 4552, Authentication/Confidentiality for OSPFv3
• RFC 4301, Security Architecture for the Internet Protocol
• RFC 4302, IP Authentication Header
• RFC 4303, IP Encapsulating Security Payload (ESP)

Configuration guidelines
When you configure IPsec, follow these guidelines:
• Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51
and 50, respectively. You must make sure flows of these protocols are not denied on the interfaces
with IKE or IPsec configured.

• If you enable both IPsec and QoS on an interface, traffic of an IPsec SA might be put into different
queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay
operation, packets outside the anti-replay window in the inbound direction might be discarded,
resulting in packet loss. When using IPsec together with QoS, make sure they use the same
classification rules. IPsec classification rules depend on the referenced ACL rules.
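The second guideline is a consequence of the receiver's anti-replay window. The following Python is an added example and is not code from this guide: it implements the sliding window that AH and ESP receivers keep per RFC 4302/4303 (the 64-packet size is the default those RFCs recommend, and is an assumption here) and feeds it a constructed arrival order in which a QoS scheduler has held one packet back until it is far below the window, so the receiver discards it along with a replayed packet.

```python
"""Anti-replay sliding window of an AH/ESP receiver (RFC 4302/4303 style).

Added example, not code from the HP guide. Class and function names are
this example's own; WINDOW_SIZE is the 64-packet default the RFCs
recommend.
"""

WINDOW_SIZE = 64


class AntiReplayWindow:
    """Tracks the highest sequence number accepted so far and a bitmap of
    which of the WINDOW_SIZE sequence numbers at or below it were seen."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if it is acceptable; return False if
        it is a replay or lies below the window (the packet is discarded)."""
        if seq == 0:
            return False                       # 0 is never a valid ESP sequence number
        if seq > self.top:
            shift = seq - self.top             # new high-water mark: slide the window
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # too old: fell out of the window
        if self.bitmap & (1 << offset):
            return False                       # already accepted once: replay
        self.bitmap |= 1 << offset             # late but inside the window: accept
        return True


def replay_sequence(seqs, size=WINDOW_SIZE):
    """Feed sequence numbers to a fresh window; return (seq, accepted) pairs."""
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


def dropped(seqs, size=WINDOW_SIZE):
    """Sequence numbers the receiver discards, in arrival order."""
    return [s for s, ok in replay_sequence(seqs, size) if not ok]


if __name__ == "__main__":
    # Constructed arrival order: a QoS scheduler forwards packets 2..70 of
    # the SA before packet 1, which then lands 69 below the window top, and
    # packet 50 arrives a second time (a genuine replay).
    arrivals = list(range(2, 71)) + [1, 50, 71]
    for seq, ok in replay_sequence(arrivals):
        if not ok:
            print(f"sequence number {seq}: discarded")
```

Reordering inside the window is harmless (the late packet is simply marked in the bitmap), which is why the guideline asks for matching IPsec and QoS classification: as long as all packets of one SA sit in the same queue, the reordering distance stays small.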

Configuration considerations
You configure IPsec tunnels on the device by configuring IPsec policies. The IPsec policies use ACLs to
identify protected traffic, and take effect after being applied to interfaces.
Configure IPsec policies by using the following steps:
1. Configure ACLs for identifying the data flows to be protected by IPsec.
2. Configure IPsec proposals to specify the security protocols, authentication and encryption
algorithms, and encapsulation mode. An IPsec proposal applies to data flows associated with it.
3. Configure IPsec policies to associate data flows with IPsec proposals and specify the SA
negotiation mode, the start and end points of the IPsec tunnels, the privacy keys, and the SA
lifetime.
4. Apply the IPsec policies to interfaces.

Recommended configuration procedure

1. Configuring ACLs: Required.
Configure ACLs to identify the data flows to be protected by IPsec.

2. Configuring an IPsec proposal: Required.
An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including the security
protocol, encryption and authentication algorithms, and encapsulation mode.
IMPORTANT:
Changes to an IPsec proposal affect only SAs negotiated after the changes are made.

3. Configuring an IPsec policy template: Required if you are using an IPsec policy template group to
create an IPsec policy.
An IPsec policy template group is a collection of IPsec policy templates with the same name but
different sequence numbers. In an IPsec policy template group, an IPsec policy template with a smaller
sequence number has a higher priority.

4. Configuring an IPsec policy: Required.
Configure an IPsec policy by specifying the parameters directly or using a created IPsec policy template.
The device supports only IPsec policies that use IKE.
An IPsec policy group is a collection of IPsec policies with the same name but different sequence
numbers. The smaller the sequence number, the higher the priority of the IPsec policy in the policy group.
IMPORTANT:
An IPsec policy referencing a template cannot be used to initiate SA negotiations but can be used to
respond to a negotiation request. The parameters specified in the IPsec policy template must match those
of the remote end. The parameters not defined in the template are determined by the initiator.

5. Applying an IPsec policy group: Required.
Apply an IPsec policy group to an interface (logical or physical) to protect certain data flows.

6. Viewing IPsec SAs: Optional.
View brief information about established IPsec SAs to verify your configuration.

7. Viewing packet statistics: Optional.
View packet statistics to verify your configuration.

Configuring ACLs
For more information about ACL configuration, see "QoS > ACL IPv4," and "QoS > ACL IPv6."
If IPsec and QoS are both enabled on an interface, make sure that they use the same classification rules,
so that QoS does not reorder the packets of one IPsec SA beyond the anti-replay window (see
"Configuration guidelines"). IPsec classification rules depend on the referenced ACL rules. For more
information about QoS classification rules, see "Configuring QoS."
When defining ACL rules for IPsec, follow these guidelines:
• Make sure that only the data flows to be protected by IPsec are defined in permit statements. If a
packet is protected at the entry of the IPsec tunnel but not at the exit of the IPsec tunnel, it will be
dropped.
• Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be
careful with its matching scope and matching order relative to permit statements. The policies in an
IPsec policy group have different match priorities. ACL rule conflicts between them are prone to
cause mistreatment of packets. For example, when configuring a permit statement for an IPsec
policy to protect an outbound traffic flow, you must avoid the situation that the traffic flow matches
a deny statement in a higher priority IPsec policy. Otherwise, the packets will be sent out as normal
packets; if they match a permit statement at the receiving end, they will be dropped by IPsec.

Use of the Permit/Deny Actions in ACLs
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or
permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement
identifies a data flow that is not protected by IPsec. IPsec matches packets against the referenced ACL.
The matching process stops once a match is found or ends with no match hit. The packet is handled as
follows:
• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is
a rule as shown in Figure 866. This rule matches both traffic from 1.1.1.0 to 2.2.2.0 and returned
traffic from 2.2.2.0 to 1.1.1.0.
Figure 866 An ACL referenced in an IPsec policy

• In the outbound direction, if a permit statement is matched, IPsec considers the packet as requiring
protection and continues to process it. If a deny statement is matched or no match is found, IPsec
considers the packet as not requiring protection and delivers it to the next function module.
• In the inbound direction, if the packet is an IPsec packet and matches a permit statement, IPsec
receives and processes the packet. If the packet is not an IPsec packet and matches a permit
statement, it is discarded.
The following uses a configuration example to show how a statement conflict causes packet drop. In this
example, only the ACL-related configurations are presented.
Device A connects the segment 1.1.2.0/24 and Device B connects the segment 3.3.3.0/24. On Device
A, apply the IPsec policy group test to the outbound interface to Device B. The IPsec policy group
contains two policies, test 1 and test 2. The ACLs referenced by the two policies each contain a rule that
matches traffic from 1.1.2.0/24 to 3.3.3.0/24. The one referenced in policy test 1 is a deny statement
and the one referenced in policy test 2 is a permit statement. Because test 1 is matched before test 2,
traffic from 1.1.2.0/24 to 3.3.3.0/24 matches the deny statement and is sent as normal traffic. When the
traffic arrives at Device B, it is dropped if it matches a permit statement in the ACL referenced by the
applied IPsec policy.
The configurations on Device A are shown in Figure 867, Figure 868, and Figure 869.

Figure 867 ACL 3000 configuration on Device A

Figure 868 ACL 3001 configuration on Device A

Figure 869 IPsec policy configuration on Device A

The configurations on Device B are shown in Figure 870 and Figure 871.

Figure 870 ACL 3001 configuration on Device B

Figure 871 IPsec policy configuration on Device B

Mirror image ACLs


To make sure that SAs can be set up and the traffic protected by IPsec locally can be processed correctly
at the remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the
local peer. As shown in Figure 872, ACL rules on Device B are mirror images of the rules on Device A.
This ensures that SAs can be created successfully for the traffic between Host A and Host C and the traffic
between Network 1 and Network 2.
Figure 872 Mirror image ACLs
Device A (GE0/1), connecting Network 1 (1.1.1.0/24) with Host A (1.1.1.1) and Host B:
ACL1: rule permit 1.1.1.1 -> 2.2.2.2
ACL2: rule permit 1.1.1.0/24 -> 2.2.2.0/24
Device B (GE0/2), connecting Network 2 (2.2.2.0/24) with Host C (2.2.2.2) and Host D:
ACL1: rule permit 2.2.2.2 -> 1.1.1.1
ACL2: rule permit 2.2.2.0/24 -> 1.1.1.0/24
The ACLs at Device A GE0/1 and Device B GE0/2 are mirror images of each other.

If the ACL rules on the peers do not form mirror images of each other, SAs can be set up only when both
of the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other
peer. As shown in Figure 873, the range specified by the ACL rule configured on Device A is
covered by its counterpart on Device B.
• The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA
initiator, the negotiation request might be rejected because the matching traffic is beyond the scope
of the responder. As shown in Figure 873, the SA negotiation initiated by Host A to Host C is
accepted, but the SA negotiation from Host C to Host B or from Host D to Host A is rejected.
Figure 873 Non-mirror image ACLs
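The matching behaviour described under "Use of the Permit/Deny Actions in ACLs" (first match across the policy group, rules read in reverse for inbound traffic) and the mirror-image and coverage requirements described above can be checked offline before the ACLs go onto the device. The following Python is an added example and not code from this guide; the rule sets are constructed from the figures in this section, the function and class names are this example's own, and the helper that converts an "address wildcard" pair as typed on the ACL page into a network is the same conversion the configuration example later in this section relies on.

```python
"""IPsec ACL selector matching and mirror-image checking.

Added example, not code from the HP guide. It models how an IPsec policy
group evaluates the ACLs its policies reference (policies in sequence-number
order, first matching rule wins) and checks whether a peer's ACL rules are
mirror images of, or at least cover, the local rules. All names are this
example's own; the rule sets below are constructed from the figures in
this section.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Turn 'address wildcard' as typed on the ACL page (10.1.1.0 0.0.0.255)
    into a network. Only contiguous wildcard masks are accepted."""
    wc = int(ip_address(wildcard))
    bits = wc.bit_length()
    if wc != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ip_network(f"{addr}/{32 - bits}", strict=False)


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" (protect with IPsec) or "deny" (do not)
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def outbound_decision(policy_group, src_ip, dst_ip):
    """policy_group maps policy sequence number -> list of ACL rules.
    Policies are tried in ascending sequence order and the first matching
    rule decides: permit means IPsec protects the packet, deny or no match
    means it is forwarded in the clear. Returns (verdict, sequence or None)."""
    for seq in sorted(policy_group):
        for rule in policy_group[seq]:
            if rule.matches(src_ip, dst_ip):
                return ("protect" if rule.action == "permit" else "clear", seq)
    return ("clear", None)


def inbound_decision(policy_group, src_ip, dst_ip, is_ipsec):
    """Inbound packets are matched against the reverse of each rule, because
    a rule written for outbound traffic also matches the returned traffic.
    An IPsec packet that hits a permit rule is processed; a cleartext packet
    that hits a permit rule is dropped; anything else passes through."""
    for seq in sorted(policy_group):
        for rule in policy_group[seq]:
            if rule.action == "permit" and rule.matches(dst_ip, src_ip):
                return "process" if is_ipsec else "drop"
    return "pass"


def mirror(rules):
    """Mirror image of a rule set, i.e. what to configure on the peer."""
    return [Rule(r.action, r.dst, r.src) for r in rules]


def covered_by_peer(local, peer_rules):
    """True if a permit rule on the peer, read as a mirror image, covers the
    whole flow of the local rule. Then a negotiation started from the local
    side (the narrower rule) is accepted; the reverse is not guaranteed."""
    return any(r.action == "permit"
               and local.src.subnet_of(r.dst) and local.dst.subnet_of(r.src)
               for r in peer_rules)


# Statement conflict (Figures 867 to 871): on Device A, policy test 1 denies
# the flow and policy test 2 permits it; Device B has only the mirror permit.
FLOW_A_TO_B = (wildcard_to_network("1.1.2.0", "0.0.0.255"),
               wildcard_to_network("3.3.3.0", "0.0.0.255"))
DEVICE_A_GROUP = {1: [Rule("deny", *FLOW_A_TO_B)],
                  2: [Rule("permit", *FLOW_A_TO_B)]}
DEVICE_B_GROUP = {1: mirror(DEVICE_A_GROUP[2])}

# Non-mirror ACLs (Figure 873): host rule on Device A, subnet rule on Device B.
HOST_RULE_A = Rule("permit", ip_network("1.1.1.1/32"), ip_network("2.2.2.2/32"))
SUBNET_RULE_B = Rule("permit", ip_network("2.2.2.0/24"), ip_network("1.1.1.0/24"))


if __name__ == "__main__":
    # Device A sends the flow in the clear because the deny in test 1 wins ...
    print(outbound_decision(DEVICE_A_GROUP, "1.1.2.10", "3.3.3.10"))
    # ... and Device B drops that cleartext packet because its permit matches.
    print(inbound_decision(DEVICE_B_GROUP, "1.1.2.10", "3.3.3.10", False))
    # Host A -> Host C negotiation is accepted by Device B; Host C -> Host B is not.
    print(covered_by_peer(HOST_RULE_A, [SUBNET_RULE_B]))
    print(covered_by_peer(SUBNET_RULE_B, [HOST_RULE_A]))
```

Running the script reproduces the packet drop of the statement-conflict example (the flow leaves Device A in the clear and Device B discards it) and the accept/reject outcomes of Figure 873. Generating the peer's rules with mirror() instead of typing them by hand is the simplest way to avoid the asymmetry the figure warns about.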

Protection modes
Data flows can be protected in the following modes:
• Standard mode—One tunnel is used to protect one data flow. The data flow permitted by each ACL
rule is protected by one tunnel that is established separately for it.
• Aggregation mode—One tunnel is used to protect all data flows permitted by all the rules of an ACL.
This mode applies to only scenarios that use IKE for negotiation.

Configuring an IPsec proposal


The Web interface provides two modes for configuring an IPsec proposal: suite mode and custom mode.
The suite mode allows you to select a pre-defined encryption suite, and the custom mode allows you to
set each IPsec proposal parameter individually.

Configuring an IPsec proposal in suite mode


1. From the navigation tree, select VPN > IPSec.
2. Click the Proposal tab.
The IPsec proposal list page appears.

Figure 874 IPsec proposal list

3. Click Add.
The IPSec Proposal Configuration Wizard page appears.
Figure 875 IPsec proposal configuration wizard page

4. Click Suite mode.


Figure 876 IPsec proposal configuration in suite mode

5. Enter a name for the IPsec proposal.


6. Select an encryption suite for the proposal.
An encryption suite specifies the IP packet encapsulation mode, security protocol, and
authentication and encryption algorithms to be used. Available encryption suites include:
Tunnel-ESP-DES-MD5—Uses the ESP security protocol, the DES encryption algorithm, and the
MD5 authentication algorithm.
Tunnel-ESP-3DES-MD5—Uses the ESP security protocol, the 3DES encryption algorithm, and the
MD5 authentication algorithm.
Tunnel-AH-MD5-ESP-DES—Uses the ESP and AH security protocols successively, making ESP
use the DES encryption algorithm and perform no authentication and making AH use the MD5
authentication algorithm.

Tunnel-AH-MD5-ESP-3DES—Uses the ESP and AH security protocols successively, making ESP
use the 3DES encryption algorithm and perform no authentication, and making AH use the
MD5 authentication algorithm.
All these suites use the tunnel mode for IP packet encapsulation, and all of them combine MD5 with
DES or 3DES. To use SHA-1 or AES, or the transport mode, configure the proposal in custom mode.
7. Click Apply.

Configuring an IPsec proposal in custom mode


1. From the navigation tree, select VPN > IPSec.
2. Click the Proposal tab.
The IPsec proposal list page as shown in Figure 874 appears.
3. Click Add.
The IPsec proposal configuration wizard page as shown in Figure 875 appears.
4. Click Custom mode.
Figure 877 IPsec proposal configuration in custom mode

5. Configure the IPsec proposal parameters, as described in Table 260.


6. Click Apply.
Table 260 Configuration items

Proposal Name: Enter a name for the IPsec proposal.

Encapsulation Mode: Select an IP packet encapsulation mode for the IPsec proposal. Options include:
• Tunnel—Uses the tunnel mode.
• Transport—Uses the transport mode.

Security Protocol: Select a security protocol setting for the proposal. Options include:
• AH—Uses the AH protocol.
• ESP—Uses the ESP protocol.
• AH-ESP—Uses ESP first and then AH.

AH Authentication Algorithm: Select an authentication algorithm for AH when the security protocol
setting is AH or AH-ESP. Available authentication algorithms include MD5 and SHA1.

ESP Authentication Algorithm: Select an authentication algorithm for ESP when the security protocol
setting is ESP or AH-ESP. You can select MD5 or SHA1, or leave it null so that ESP performs no
authentication.
IMPORTANT:
The ESP authentication algorithm and ESP encryption algorithm cannot both be null.

ESP Encryption Algorithm: Select an encryption algorithm for ESP when the security protocol is ESP or
AH-ESP. Options include:
• DES—Uses the DES algorithm and 56-bit keys for encryption.
• 3DES—Uses the 3DES algorithm and 168-bit keys for encryption.
• AES128—Uses the AES algorithm and 128-bit keys for encryption.
• AES192—Uses the AES algorithm and 192-bit keys for encryption.
• AES256—Uses the AES algorithm and 256-bit keys for encryption.
• Leave it null so that ESP performs no encryption. ESP then provides integrity only, and the protected
payload crosses the network in cleartext.
IMPORTANT:
• Higher security means increased complexity and decreased speed. DES, with its 56-bit key, is no
longer considered secure against brute force; use it only for interoperability with peers that support
nothing stronger. Where both peers support it, prefer AES (128-bit or longer keys) over 3DES.
• The ESP authentication and encryption algorithms cannot both be null.

Configuring an IPsec policy template


1. From the navigation tree, select VPN > IPSec.
2. Click the Policy-Template tab.
The IPsec policy template list page appears.
Figure 878 IPsec policy template list

3. Click Add.
The Add IPSec Template page appears.

Figure 879 Adding an IPsec policy template

4. Configure an IPsec policy template, as described in Table 261.


5. Click Apply.
Table 261 Configuration items

Template Name: Enter a name for the IPsec policy template.

Sequence Number: Enter a sequence number for the IPsec policy template. In an IPsec policy template
group, an IPsec policy template with a smaller sequence number has a higher priority.

IKE Peer: Select an IKE peer for the IPsec policy template. You configure IKE peers by selecting
VPN > IKE from the navigation tree.

IPSec Proposal: Select up to six IPsec proposals for the IPsec policy template. IPsec SAs can be set up
only when the IPsec peers have at least one matching IPsec proposal. If no matching IPsec proposal is
available, the IPsec SAs cannot be established, and the packets that need to be protected are discarded.

PFS: Enable and configure the PFS feature or disable the feature. Options include:
• dh-group1—Uses the 768-bit Diffie-Hellman group.
• dh-group2—Uses the 1024-bit Diffie-Hellman group.
• dh-group5—Uses the 1536-bit Diffie-Hellman group.
• dh-group14—Uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
• dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and
calculation time. Avoid dh-group1 and dh-group2 where the peer supports dh-group14.
• When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key
exchange is performed in phase 2 for higher security.
• Both peers must use the same Diffie-Hellman group. Otherwise, negotiation fails.

ACL: Select an ACL for identifying protected traffic. Make sure that this ACL has been created and
contains at least one rule. ACL configuration supports VPN multi-instance, so you can use an ACL to
identify traffic between VPN instances.

SA Lifetime (Time Based and Traffic Based): Enter the time-based and traffic-based SA lifetime values.
IMPORTANT:
When negotiating IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by
the peer.

Reverse Route Injection: Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next
hop and change the preference of the static routes. After an outbound IPsec SA is created, IPsec RRI
automatically creates a static route to the peer private network. You do not have to manually configure
the static route.
IMPORTANT:
• If you enable IPsec RRI and do not configure the static route, the SA negotiation must be initiated by
the remote gateway.
• IPsec RRI creates static routes when IPsec SAs are set up, and deletes the static routes when the
IPsec SAs are deleted.
• To view the static routes created by IPsec RRI, select Network > IPv4 Routing from the navigation tree.

Next Hop: Specify a next hop for the static routes. If you do not specify any next hop, the remote tunnel
endpoint's address learned during IPsec SA negotiation is used.

Priority: Change the preference of the static routes, for equal-cost multipath routing or route backup. If
multiple routes to the same destination have the same preference, traffic is balanced among them. If
multiple routes to the same destination have different preference values, the most preferred route (the
one with the smallest preference value) forwards traffic and all other routes are backup routes.

Configuring an IPsec policy
1. From the navigation tree, select VPN > IPSec.
2. Click the Policy tab.
The IPsec policy list page appears.
Figure 880 IPsec policy list

3. Click Add.
The Add IPSec Policy page appears.

Figure 881 Adding an IPsec policy

4. Configure an IPsec policy, as described in Table 262.


5. Click Apply.
Table 262 Configuration items

Policy Name: Enter a name for the IPsec policy.

Sequence Number: Enter a sequence number for the IPsec policy. In an IPsec policy group, an IPsec
policy with a smaller sequence number has a higher priority.

Template: Select an IPsec policy template.
IMPORTANT:
If you select an IPsec policy template, all subsequent configuration items except the aggregation setting
are unavailable.

IKE Peer: Select an IKE peer for the IPsec policy. You configure IKE peers by selecting VPN > IKE from
the navigation tree.

IPSec Proposal: Select up to six IPsec proposals for the IPsec policy. IPsec SAs can be set up only when
the IPsec peers have at least one matching IPsec proposal. If no matching IPsec proposal is available, the
IPsec SAs cannot be established and the packets that need to be protected are discarded.

PFS: Enable and configure the PFS feature or disable the feature. Options include:
• dh-group1—Uses the 768-bit Diffie-Hellman group.
• dh-group2—Uses the 1024-bit Diffie-Hellman group.
• dh-group5—Uses the 1536-bit Diffie-Hellman group.
• dh-group14—Uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
• dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and
calculation time. Avoid dh-group1 and dh-group2 where the peer supports dh-group14.
• When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key
exchange is performed in phase 2 for higher security.
• Both peers must use the same Diffie-Hellman group. Otherwise, negotiation fails.

ACL: Select an ACL for identifying protected traffic. Make sure that this ACL has been created and
contains at least one rule. You can use an ACL to identify traffic between VPN instances.

Aggregation: Select this option to use one tunnel to protect all data flows permitted by the ACL. If you
do not select the aggregation mode, the standard mode applies and one tunnel is set up for each data
flow permitted by the ACL. This configuration item is available after you specify an ACL.
IMPORTANT:
The two ends of a tunnel must operate in the same mode.

SA Lifetime (Time Based and Traffic Based): Enter the time-based and traffic-based SA lifetime values.
IMPORTANT:
When negotiating IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by
the peer.

Reverse Route Injection: Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next
hop and change the preference of the static routes. After an outbound IPsec SA is created, IPsec RRI
automatically creates a static route to the peer private network. You do not have to manually configure
the static route.
IMPORTANT:
• If you enable IPsec RRI and do not configure the static route, the SA negotiation must be initiated by
the remote gateway.
• IPsec RRI creates static routes when IPsec SAs are set up, and deletes the static routes when the
IPsec SAs are deleted.
• To view the static routes created by IPsec RRI, select Network > IPv4 Routing from the navigation tree.

Next Hop: Specify a next hop for the static routes. If you do not specify any next hop, the remote tunnel
endpoint's address learned during IPsec SA negotiation is used.

Priority: Change the preference of the static routes, for equal-cost multipath routing or route backup. If
multiple routes to the same destination have the same preference, traffic is balanced among them. If
multiple routes to the same destination have different preference values, the most preferred route (the
one with the smallest preference value) forwards traffic and all other routes are backup routes.

Applying an IPsec policy group


1. From the navigation tree, select VPN > IPSec.
The page for the IPSec Application tab appears.
Figure 882 IPsec application list

2. Click the icon for an interface.
The IPSec Application Setup page appears.


Figure 883 IPsec application configuration page

3. Select an IPsec policy for the interface.
4. Click Apply.

Viewing IPsec SAs


1. From the navigation tree, select VPN > IPSec.
2. Click the IPSec SA tab.
The IPsec SA list page appears.
Figure 884 IPsec SA list

Table 263 Field description

Source IP: IP address of the local end of the IPsec SA.
Destination IP: IP address of the remote end of the IPsec SA.
SPI: SPI of the IPsec SA.
Security Protocol: Security protocol that the IPsec SA uses.
Authentication Algorithm: Authentication algorithm that the security protocol uses.
Encryption Algorithm: Encryption algorithm that the security protocol uses.

Viewing packet statistics


1. From the navigation tree, select VPN > IPSec.
2. Click the Statistics tab.
The packet statistics page appears.

Figure 885 Packet statistics

IPsec configuration example


Network requirements
As shown in Figure 886, an enterprise branch accesses the headquarters through IPsec VPN. Configure
the IPsec VPN as follows:
• Configure an IPsec tunnel between Device A and Device B to protect traffic between the headquarters
subnet 10.1.1.0/24 and the branch subnet 10.1.2.0/24.
• Configure the tunnel to use the security protocol ESP, encryption algorithm DES, and authentication
algorithm SHA-1.
• Enable IPsec RRI on Device A, so Device A can automatically create a static route from the
headquarters to the branch when the IPsec SA is established. Specify the next hop as 2.2.2.2.
Figure 886 Network diagram
Headquarters: Host A 10.1.1.2/24; Device A GE0/0 10.1.1.1/24 (LAN side) and GE0/1 2.2.2.1/24
(Internet side).
Branch: Host B 10.1.2.2/24; Device B GE0/0 10.1.2.1/24 (LAN side) and GE0/1 2.2.3.1/24 (Internet
side).
Device A and Device B are connected across the Internet.

Configuring Device A
1. Configure IP addresses for the interfaces, and assign the interfaces to target zones. (Details not
shown.)
2. Define ACL 3101 to permit packets from subnet 10.1.1.0/24 to subnet 10.1.2.0/24:

a. From the navigation tree, select QoS > ACL IPv4.
b. Click the Add tab.
c. Enter the ACL number 3101, and select the match order Config.
d. Click Apply.
Figure 887 Creating ACL 3101

e. Click the Advanced Setup tab.


f. Select the ACL number 3101.
g. Select Permit from the Action list.
h. Select Source IP Address, and enter 10.1.1.0 and 0.0.0.255 as the source IP address and
mask.
i. Select Destination IP Address, and enter 10.1.2.0 and 0.0.0.255 as the destination IP address
and mask.
j. Click Apply.

Figure 888 Configuring a rule to permit packets from 10.1.1.0/24 to 10.1.2.0/24

3. Configure an IPsec proposal named tran1:


a. From the navigation tree, select VPN > IPSec.
b. Click the Proposal tab.
c. Click Add.
d. On the page that appears, select Custom mode.
e. Enter the IPsec proposal name tran1.
f. Select the packet encapsulation mode Tunnel.
g. Select the security protocol ESP.
h. Select the authentication algorithm SHA1.
i. Select the encryption algorithm DES.
j. Click Apply.

Figure 889 Configuring IPsec proposal tran1

4. Configure the IKE peer:


a. From the navigation tree, select VPN > IKE.
b. Click the Peer tab.
c. Click Add.
d. Enter the peer name peer.
e. Select the negotiation mode Main.
f. Enter the remote gateway IP address 2.2.3.1.
g. Select Pre-Shared Key, and enter abcde for both the Key and Confirm Key fields.
h. Click Apply.

Figure 890 Configuring an IKE peer

5. Configure an IPsec policy:


a. From the navigation tree, select VPN > IPSec.
b. Click the Policy tab.
c. Click Add.
d. Enter the policy name map1.
e. Enter the sequence number 10.
f. Select the IKE peer peer.
g. Select the IPsec proposal tran1 and click <<.
h. Enter the ACL number 3101.
i. Select Enable for RRI.
j. Enter the next hop address 2.2.2.2.
k. Click Apply.

Figure 891 Configuring an IPsec policy

6. Apply the IPsec policy to VLAN-interface 1:


a. From the navigation tree, select VPN > IPSec.
The page for the IPSec Application tab appears.
b. Click the icon of interface Vlan-interface 1.
c. Select the policy map1.
d. Click Apply.

Figure 892 Applying IPsec policy to VLAN-interface 1

Configuring Device B
The configuration steps on Device B are similar to those on AC 1 (Device A). The configuration pages are not
shown.
1. Configure IP addresses for the interfaces, and assign the interfaces to the target zones. (Details not
shown.)
2. Define an ACL to permit traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24:
a. From the navigation tree, select QoS > ACL IPv4.
b. Click the Add tab.
c. Enter the ACL number 3101, and select the match order Config.
d. Click Apply.
e. Click the Advanced Setup tab.
f. Select the ACL number 3101.
g. Select Permit from the Action list.
h. Select Source IP Address, and enter 10.1.2.0 and 0.0.0.255 as the source IP address and
mask.
i. Select Destination IP Address, and enter 10.1.1.0 and 0.0.0.255 as the destination IP address
and mask.
j. Click Apply.
3. Configure a static route to the headquarters subnet 10.1.1.0/24 (Host A):
a. From the navigation tree, select Network > IPv4 Routing.
b. Click the Add tab.
c. Enter the destination IP address 10.1.1.0 and mask 255.255.255.0.
d. Select the outbound interface Vlan-interface1.
e. Click Apply.
4. Configure an IPsec proposal named tran1:
a. From the navigation tree, select VPN > IPSec.
b. Click the Proposal tab.
c. Click Add.
d. From the IPSec Proposal Configuration Wizard page, select Custom mode.
e. Enter the IPsec proposal name tran1.
f. Select the packet encapsulation mode Tunnel.

g. Select the security protocol ESP.
h. Select the authentication algorithm SHA1.
i. Select the encryption algorithm DES.
j. Click Apply.
5. Configure IKE peer peer:
a. From the navigation tree, select VPN > IKE.
b. Click the Peer tab.
c. Click Add.
d. Enter the peer name peer.
e. Select the negotiation mode Main.
f. Enter the remote gateway IP address 2.2.2.1.
g. Select Pre-Shared Key, and enter abcde for both the Key and Confirm Key fields.
h. Click Apply.
6. Configure IPsec policy map1:
a. From the navigation tree, select VPN > IPSec.
b. Click the Policy tab.
c. Click Add.
d. Enter the policy name map1.
e. Enter the sequence number 10.
f. Select the IKE peer peer.
g. Select the IPsec proposal tran1 and click <<.
h. Enter the ACL number 3101.
i. Click Apply.
7. Apply IPsec policy map1 to VLAN-interface 1:
a. From the navigation tree, select VPN > IPSec.
The page for the IPSec Application tab appears.
b. Click the icon of interface Vlan-interface 1.
c. Select the policy map1.
d. Click Apply.

Verifying the configuration


Packets to be exchanged between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 trigger IKE to negotiate
SAs. After IKE negotiation succeeds and the IPsec SAs are established, a static route to subnet
10.1.2.0/24 through next hop 2.2.2.2 is added to the routing table on AC 1, and traffic between subnet
10.1.1.0/24 and subnet 10.1.2.0/24 is protected by IPsec.
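Most IKE negotiation failures in a setup like the one above come from the two peers not being exact mirror images of each other (remote gateway addresses, ACL flows, proposal, pre-shared key). The following added example, which is not part of the HP guide and uses no HP product API, transcribes the values entered on the Web pages above into plain Python data and checks the two sides against each other before the tunnel is brought up. It also derives the static route that RRI would install on AC 1 and flags DES, which the example selects but which uses a 56-bit key and should not be chosen on a new deployment. The class and function names (PeerConfig, check_pair, rri_route) are this example's own.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Encryption algorithms to flag even when both peers agree on them
# (DES uses a 56-bit key and is no longer considered adequate).
WEAK_ENCRYPTION = {"des"}


@dataclass
class PeerConfig:
    """One side of the tunnel, transcribed from the Web pages in the example."""
    name: str
    tunnel_interface: str              # address/prefix of the interface the policy is applied to
    remote_gateway: str                # IKE peer page: remote gateway IP address
    acl_source: str                    # ACL rule: source network/wildcard
    acl_destination: str               # ACL rule: destination network/wildcard
    ike_mode: str                      # IKE peer page: negotiation mode
    pre_shared_key: str                # IKE peer page: pre-shared key
    proposal: Dict[str, str]           # IPsec proposal page: encapsulation, protocol, auth, encryption
    rri_next_hop: Optional[str] = None  # IPsec policy page: RRI next hop (only where RRI is enabled)


def _net(spec: str) -> ipaddress.IPv4Network:
    # ipaddress accepts "network/wildcard" (hostmask) as well as "network/prefix".
    return ipaddress.ip_network(spec, strict=True)


def rri_route(peer: PeerConfig) -> Optional[Tuple[str, str]]:
    """Static route RRI installs once the IPsec SA is up: (protected remote subnet, next hop)."""
    if peer.rri_next_hop is None:
        return None
    return (str(_net(peer.acl_destination)), peer.rri_next_hop)


def check_pair(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return findings; an empty list means the two configurations mirror each other."""
    findings: List[str] = []
    for local, remote in ((a, b), (b, a)):
        local_if = ipaddress.ip_interface(local.tunnel_interface)
        remote_if = ipaddress.ip_interface(remote.tunnel_interface)
        # The remote gateway entered on one side must be the tunnel address of the other side.
        if ipaddress.ip_address(local.remote_gateway) != remote_if.ip:
            findings.append(f"{local.name}: remote gateway {local.remote_gateway} is not {remote.name}'s tunnel address")
        # The ACL flows must be mirror images: my source is the peer's destination.
        if _net(local.acl_source) != _net(remote.acl_destination):
            findings.append(f"{local.name}: ACL source {local.acl_source} is not {remote.name}'s ACL destination")
        # An RRI next hop must sit on the link of the interface the policy is applied to.
        if local.rri_next_hop is not None and ipaddress.ip_address(local.rri_next_hop) not in local_if.network:
            findings.append(f"{local.name}: RRI next hop {local.rri_next_hop} is not on {local_if.network}")
        if local.proposal.get("encryption", "").lower() in WEAK_ENCRYPTION:
            findings.append(f"{local.name}: encryption {local.proposal['encryption']} is weak")
    # Phase-1 and phase-2 parameters must be identical on both sides.
    if a.ike_mode != b.ike_mode:
        findings.append(f"IKE negotiation mode differs: {a.ike_mode} vs {b.ike_mode}")
    if a.pre_shared_key != b.pre_shared_key:
        findings.append("IKE pre-shared keys differ")
    for key in ("encapsulation", "protocol", "auth", "encryption"):
        if a.proposal.get(key) != b.proposal.get(key):
            findings.append(f"IPsec proposal {key} differs: {a.proposal.get(key)} vs {b.proposal.get(key)}")
    return findings


# Values transcribed from the configuration example above (constructed data).
PROPOSAL_TRAN1 = {"encapsulation": "Tunnel", "protocol": "ESP", "auth": "SHA1", "encryption": "DES"}
AC1 = PeerConfig("AC 1", "2.2.2.1/24", "2.2.3.1", "10.1.1.0/0.0.0.255", "10.1.2.0/0.0.0.255",
                 "Main", "abcde", PROPOSAL_TRAN1, rri_next_hop="2.2.2.2")
DEVICE_B = PeerConfig("Device B", "2.2.3.1/24", "2.2.2.1", "10.1.2.0/0.0.0.255", "10.1.1.0/0.0.0.255",
                      "Main", "abcde", PROPOSAL_TRAN1)

if __name__ == "__main__":
    for finding in check_pair(AC1, DEVICE_B):
        print(finding)
    print("RRI route on AC 1:", rri_route(AC1))
    # A mistyped pre-shared key on one side is the classic cause of a failed main-mode exchange.
    print(check_pair(AC1, replace(DEVICE_B, pre_shared_key="abcdf")))
```

With the values from the example, the only findings are the two DES warnings; the RRI route comes out as 10.1.2.0/24 via 2.2.2.2, which is the route the verification paragraph expects on AC 1.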

Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions

Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.

Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.

Websites
• HP.com http://www.hp.com
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
• HP Education http://www.hp.com/learn

Conventions
This section describes the conventions used in this documentation set.

Command conventions

Convention          Description
Boldface            Bold text represents commands and keywords that you enter literally as shown.
Italic              Italic text represents arguments that you replace with actual values.
[ ]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }     Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]     Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *   Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *   Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>              The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                   A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention          Description
Boldface            Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>                   Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention          Description
WARNING             An alert that calls attention to important information that, if not understood or followed, can result in personal injury.
CAUTION             An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT           An alert that calls attention to essential information.
NOTE                An alert that contains additional or supplementary information.
TIP                 An alert that provides helpful information.

Network topology icons
(Icon images not reproduced; their meanings are as follows.)
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.

Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Index

A
AAA configuration example, 541
AC-AP tunnel, 280
Access service overview, 311
ACL and QoS configuration example, 667
ACL overview, 630
Adding a DNS server address, 218
Adding a domain name suffix, 219
Adding a member to the IACTP tunnel, 443
Adding a mirroring group, 102
Admin configuration, 33
Advanced settings configuration examples, 747
Advanced settings overview, 700
ALG configuration examples, 269
ALG process, 267
AP configuration, 40
AP configuration examples, 303
AP group, 280
Applying an IPsec policy group, 846
Auto AP, 280
Automatic power adjustment configuration example, 493

B
Backing up the configuration, 86
Backup client authentication configuration example, 395
Bandwidth guarantee configuration example, 697
Basic configuration, 32

C
CAC service configuration example, 692
Certificate management configuration example, 591
Clearing dynamic DNS cache, 219
Common items on the Web pages, 20
Configuration considerations, 832
Configuration guidelines, 76, 101, 132, 141, 172, 206, 232, 251, 546, 579, 631, 797, 831
Configuration prerequisites, 226, 502, 510, 534, 809
Configuration procedure, 226, 269, 503, 510, 534, 559
Configuration procedures, 580
Configuration summary, 42
Configuring 802.1X globally, 503
Configuring 802.1X on a port, 505
Configuring a DNS mapping, 260
Configuring a guest, 572
Configuring a local user, 568
Configuring a MAC address entry, 137
Configuring a management IP address, 135
Configuring a portal-free rule, 517
Configuring a PPPoE client, 233
Configuring a QoS policy, 654
Configuring a RADIUS scheme, 547
Configuring a user group, 570
Configuring a user profile, 575
Configuring access service, 317
Configuring accounting methods for the ISP domain, 539
Configuring ACLs, 833
Configuring advanced parameters for portal authentication, 515
Configuring an ACL, 632
Configuring an AP, 281
Configuring an AP group, 294
Configuring an IACTP tunnel, 442
Configuring an IKE peer, 814
Configuring an IKE proposal, 811
Configuring an internal server, 257
Configuring an IPsec policy, 843
Configuring an IPsec policy template, 840
Configuring an IPsec proposal, 837
Configuring an ISP domain, 535
Configuring an SNMP community, 116
Configuring an SNMP group, 117
Configuring an SNMP user, 119
Configuring an SNMP view, 114
Configuring AP-based client access control, 301
Configuring ARP detection, 158
Configuring authentication methods for the ISP domain, 536
Configuring authorization methods for the ISP domain, 538
Configuring auto AP, 288
Configuring calibration, 476
Configuring channel scanning, 474
Configuring data transmit rates, 467
Configuring DNS proxy, 218
Configuring dynamic domain name resolution, 217
Configuring dynamic NAT, 254
Configuring global IKE parameters, 811
Configuring gratuitous ARP, 152
Configuring IGMP snooping on a port, 165
Configuring IGMP snooping on a VLAN, 163
Configuring IKE DPD, 813
Configuring IP address match criteria for an AP group, 294
Configuring mesh service, 417
Configuring other ARP attack protection functions, 159
Configuring policy-based forwarding, 355
Configuring ports for a mirroring group, 103
Configuring radios, 459
Configuring rate limit, 649
Configuring rogue device detection, 601
Configuring service management, 240
Configuring SNMP trap function, 121
Configuring spectrum analysis, 487
Configuring stateful failover, 798
Configuring static name resolution table, 216
Configuring system name, 70
Configuring the bandwidth guarantee function, 689
Configuring the blacklist and whitelist functions, 611
Configuring the network time, 77
Configuring the portal service, 511
Configuring the priority trust mode of a port, 651
Configuring the system time, 77
Configuring the time zone and daylight saving time, 79
Configuring user isolation, 620
Configuring Web idle timeout, 70
Configuring WIDS, 609
Configuring WLAN advanced settings, 713
Configuring WLAN roaming, 445
Contacting HP, 856
Conventions, 857
Creating a link aggregation group, 208
Creating a PKI domain, 584
Creating a PKI entity, 582
Creating a static address mapping, 255
Creating a static ARP entry, 151
Creating a user, 108
Creating a VLAN, 142
Creating an address pool, 252
Creating an interface, 92
Creating an IPv4 static route, 173
Creating an IPv6 static route, 175
Customizing authentication pages, 518

D
DDNS configuration example, 228
Destroying the RSA key pair, 587
Device information, 43
DHCP configuration examples, 196
DHCP overview, 180
DHCP snooping overview, 181
Displaying aggregate interface information, 208
Displaying AP, 50
Displaying ARP entries, 150
Displaying client statistics, 686
Displaying clients, 60
Displaying file list, 89
Displaying IGMP snooping multicast entry information, 166
Displaying interface information and statistics, 91
Displaying LACP-enabled port information, 211
Displaying PPPoE client session information, 235
Displaying PPPoE client session statistic information, 234
Displaying radio statistics, 685
Displaying registered enhanced licenses, 69
Displaying session table information, 628
Displaying SNMP packet statistics, 123
Displaying syslog, 82
Displaying the IPv4 active route table, 172
Displaying the IPv6 active route table, 174
Displaying the system time, 76
Displaying WLAN service, 45
DNS configuration example, 220
Downloading a file, 89
Dynamic WEP encryption-802.1X authentication configuration example, 389

E
Enabling IGMP snooping globally, 162
Enabling SNMP agent, 112
Enabling static NAT on an interface, 256
Enabling wireless QoS, 679
Encryption configuration, 39

F
Feature matrix, 3

G
Generating an RSA key pair, 586
Generating the diagnostic information file, 74

I
IACTP tunnel, 442
IGMP snooping configuration example, 167
IKE configuration example, 818
Initializing the configuration, 88
Interface management configuration example, 99
Interface management overview, 91
IP configuration, 34
IPsec configuration example, 848
IPv4 and IPv6 static route configuration examples, 176

L
Link aggregation and LACP configuration example, 212
Local client authentication configuration example, 403
Local EAP service configuration example, 560
Local MAC authentication configuration example, 367
Logging in to the Web interface, 29
Logging out of the Web interface, 30
Loopback operation, 132

M
MAC address configuration example, 139
Manual channel adjustment configuration example, 491
Mesh DFS configuration example, 437
Mesh overview, 415
Modifying a Layer 2 interface, 94
Modifying a Layer 3 interface, 97
Modifying a port, 144
Modifying a VLAN, 143

N
NAT configuration examples, 261

O
Overview, 101, 135, 136, 141, 150, 157, 161, 172, 203, 215, 225, 232, 239, 247, 501, 509, 533, 567, 579, 677, 796, 807, 827

P
Ping, 242
Ping operation, 243
Policy-based forwarding configuration example, 409
Port mirroring configuration example, 104
Port mirroring configuration task list, 102
Portal authentication configuration example, 521
Portal configuration, 38
PPPoE client configuration example, 236

Q
QoS overview, 630
Quick Start wizard home page, 32

R
Radio group configuration example, 496
Radio overview, 455
RADIUS configuration, 36
RADIUS configuration example, 554
Rebooting the device, 73
Recommended configuration procedure, 142, 161, 216, 251, 809, 832
Recommended configuration procedure (for DHCP relay agent), 188
Recommended configuration procedure (for DHCP server), 181
Recommended configuration procedure (for DHCP snooping), 193
Recommended link aggregation and LACP configuration procedures, 207
Registering an enhanced license, 68
Related information, 856
Remote 802.1X authentication configuration example, 378
Remote MAC authentication configuration example, 372
Removing a file, 90
Removing ARP entries, 152
Requesting a local certificate, 590
Restoring the configuration, 86
Restrictions and guidelines, 25
Retrieving and displaying a certificate, 588
Retrieving and displaying a CRL, 591
Rogue detection configuration example, 614

S
Saving the configuration, 87
Selecting an antenna, 486
Setting buffer capacity and refresh interval, 84
Setting CAC admission policy, 681
Setting EDCA parameters for wireless clients, 683
Setting LACP priority, 210
Setting radio EDCA parameters for APs, 682
Setting rate limiting, 687
Setting the aging time of MAC address entries, 138
Setting the log host, 83
Setting the super password, 109
Setting the SVP service, 680
SNMP configuration task list, 111
SNMP overview, 111
SNMPv1/SNMPv2c configuration example, 123
SNMPv3 configuration example, 126
Specifying the main boot file, 90
Spectrum analysis, 458
Spectrum analysis configuration example, 498
Stateful failover configuration example, 799
Static ARP configuration example, 153
Switching the user access level to the management level, 110
System time configuration example, 80

T
Trace route, 242
Trace route operation, 245
Typical network scenarios, 1

U
Upgrading software, 72
Uploading a file, 90
User isolation configuration example, 622
User isolation overview, 619

V
Viewing IKE SAs, 817
Viewing IPsec SAs, 847
Viewing packet statistics, 847
VLAN configuration example, 145

W
Web interface, 6
Web user level, 7
Web-based NM functions, 7
Wireless configuration, 35
Wireless service configuration example, 359
Wireless service-based dynamic rate limiting configuration example, 695
Wireless service-based static rate limiting configuration example, 694
WLAN mesh configuration example, 432
WLAN roaming configuration examples, 446
WLAN roaming overview, 442
WLAN RRM overview, 455
WLAN security overview, 597
WPA-PSK authentication configuration example, 362