What is a wireless security mode that requires a RADIUS server to authenticate wireless users: WEP, personal, shared key, or enterprise?

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. This authentication method requires that the same static key be pre-configured on the server and client. Both the encryption mechanism and encryption algorithm can bring security risks to the network.

The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to overcome the shortcomings of WEP before more secure policies were provided in 802.11i. WPA still uses the RC4 algorithm, but it uses an 802.1X authentication framework and supports Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication, and defines the Temporal Key Integrity Protocol (TKIP) encryption algorithm.

Later, 802.11i defined WPA2. WPA2 uses Counter Mode with CBC-MAC Protocol (CCMP), a more secure encryption algorithm than those used in WPA.

Both WPA and WPA2 support 802.1X authentication and the TKIP/CCMP encryption algorithms, ensuring better compatibility. The two protocols provide almost the same security level and their difference lies in the protocol packet format.

The WPA/WPA2 security policy involves four steps:

  1. Link authentication
  2. Access authentication
  3. Key negotiation
  4. Data encryption

Link authentication can be completed in open system authentication or shared key authentication mode. WPA and WPA2 support only open system authentication. For details, see "Link Authentication" in STA Access.

WPA and WPA2 have an enterprise edition and a personal edition.

  • The WPA/WPA2 enterprise edition (WPA/WPA2-802.1X authentication) uses a RADIUS server and the EAP protocol for authentication. Users provide authentication information, including the user name and password, and are authenticated by an authentication server (generally a RADIUS server).

    Large-scale enterprise networks usually use the WPA/WPA2 enterprise edition.

    For details about 802.1X authentication, see Principles of 802.1X Authentication in the Configuration Guide - User Access and Authentication Configuration Guide.

    WPA/WPA2 implements 802.1X authentication using EAP-TLS and EAP-PEAP. Figure 13-1 and Figure 13-2 show the EAP-TLS 802.1X authentication and EAP-PEAP 802.1X authentication processes.

    Figure 13-1  EAP-TLS 802.1X authentication

    Figure 13-2  EAP-PEAP 802.1X authentication

  • WPA/WPA2 personal edition:

    A dedicated authentication server is expensive and difficult to maintain for small- and medium-scale enterprises and individual users. The WPA/WPA2 personal edition provides a simplified authentication mode: pre-shared key authentication (WPA/WPA2-PSK). This mode does not require a dedicated authentication server. Users only need to set a pre-shared key (PSK) on each WLAN node (including WLAN server, wireless router, and wireless network adapter).

    A WLAN client can access the WLAN if its pre-shared key is the same as that configured on the WLAN server. The PSK is not used for encryption; therefore, it does not pose security risks like the 802.11 shared key authentication.

802.1X authentication can be used to authenticate wireless and wired users, whereas PSK authentication is specific to wireless users.

PSK authentication requires that a STA and an AC be configured with the same PSK. The STA and AC authenticate each other through key negotiation. During key negotiation, the STA and AC use their PSKs to decrypt the message sent from each other. If the messages are successfully decrypted, the STA and AC have the same PSK. If they use the same PSK, PSK authentication is successful; otherwise, PSK authentication fails.

802.11i defines two key hierarchies: pairwise key hierarchy and group key hierarchy. The pairwise key hierarchy protects unicast data exchanged between STAs and APs. The group key hierarchy protects broadcast or multicast data exchanged between STAs and APs.

During key negotiation, a STA and an AC use the pairwise master key (PMK) to generate a pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt unicast packets, and the GTK is used to encrypt multicast and broadcast packets.

  • In 802.1X authentication, a PMK is generated in the process shown in Figure 13-1.

  • In PSK authentication, the method to generate a PMK varies according to the form of the PSK, which is configured using a command:
    • If the PSK is a hexadecimal numeral string, it is used as the PMK.
    • If the PSK is a character string, the PMK is calculated using a hash algorithm based on the PSK and service set identifier (SSID).

Key negotiation consists of unicast key negotiation and multicast key negotiation.

  • Unicast key negotiation

    Key negotiation is completed through a four-way handshake between a STA and an AC, during which the STA and AC send EAPOL-Key frames to exchange information, as shown in Figure 13-3.

    Figure 13-3  Unicast key negotiation

    The unicast key negotiation process consists of the following steps:

    1. The AC sends an EAPOL-Key frame with a random value (ANonce) to the STA.
    2. The STA calculates the PTK using its own MAC address, the MAC address of the AC, the PMK, ANonce, and SNonce, and sends an EAPOL-Key frame to the AC. The EAPOL-Key frame carries the SNonce, robust security network (RSN) information element, and message integrity code (MIC) of the EAPOL-Key frame. The AC calculates the PTK using its own MAC address, the MAC address of the STA, the PMK, ANonce, and SNonce, and validates the MIC to determine whether the STA's PMK is the same as its own PMK.
    3. The AC sends an EAPOL-Key frame to the STA to request the STA to install the PTK. The EAPOL-Key frame carries the ANonce, RSN information element, MIC, and encrypted GTK.
    4. The STA sends an EAPOL-Key frame to the AC to notify the AC that the PTK has been installed and will be used. The AC installs the PTK after receiving the EAPOL-Key frame.
  • Multicast key negotiation

    Multicast key negotiation is completed through a two-way handshake. The two-way handshake begins after the STA and AC generate and install a PTK through a four-way handshake. Figure 13-4 shows the two-way handshake process.

    Figure 13-4  Multicast key negotiation

    The multicast key negotiation process consists of the following steps:

    1. The AC calculates the GTK, uses the unicast key to encrypt the GTK, and sends an EAPOL-Key frame to the STA.
    2. After the STA receives the EAPOL-Key frame, it validates the MIC, decrypts the GTK, installs the GTK, and sends an EAPOL-Key ACK frame to the AC. After the AC receives the EAPOL-Key ACK frame, it validates the MIC and installs the GTK.
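The PMK derivation for PSK authentication and the MIC check in steps 1 and 2 of the unicast key negotiation above, as an added example that is not part of the Huawei document. It assumes the standard 802.11i choices (PBKDF2-HMAC-SHA1 with 4096 iterations as the hash algorithm, the HMAC-SHA1 PRF, a 48-byte PTK for CCMP); the function names, MAC addresses and the stand-in for the EAPOL-Key frame body are constructed for illustration.

```python
import hashlib
import hmac
import os
import string


def pmk_from_psk(psk: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for a configured PSK.

    64 hexadecimal digits are used as the PMK directly; an 8-63 character
    passphrase is stretched with PBKDF2-HMAC-SHA1, salted with the SSID.
    """
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return bytes.fromhex(psk)
    if not 8 <= len(psk) <= 63:
        raise ValueError("PSK must be 8-63 characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Derive the PTK from the PMK, both MAC addresses and both nonces.

    Addresses and nonces are sorted, so the AC and the STA compute the
    same value regardless of which side they are on.
    """
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # KCK keys the MIC, KEK wraps the GTK, TK encrypts unicast data.
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """MIC for a WPA2/CCMP EAPOL-Key frame: HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def msg2_accepted(ac_pmk: bytes, sta_pmk: bytes,
                  aa: bytes, spa: bytes) -> bool:
    """Simulate handshake messages 1 and 2; True if the AC accepts the MIC."""
    anonce = os.urandom(32)                      # message 1: AC -> STA
    snonce = os.urandom(32)                      # chosen by the STA
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    # Constructed stand-in for the EAPOL-Key frame body (SNonce + RSN IE).
    msg2 = b"EAPOL-Key/2" + snonce + b"RSN-IE"
    mic = eapol_mic(sta_ptk["kck"], msg2)        # message 2: STA -> AC
    # The AC derives its own PTK and recomputes the MIC over the same bytes.
    ac_ptk = derive_ptk(ac_pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(mic, eapol_mic(ac_ptk["kck"], msg2))


if __name__ == "__main__":
    AA = bytes.fromhex("00e0fc000001")           # constructed AC/AP MAC
    SPA = bytes.fromhex("00e0fc0000aa")          # constructed STA MAC
    good = pmk_from_psk("password", "IEEE")
    print("PMK:", good.hex())
    print("same PSK      ->", msg2_accepted(good, good, AA, SPA))
    print("different PSK ->",
          msg2_accepted(good, pmk_from_psk("passw0rd", "IEEE"), AA, SPA))
    print("same PSK, other SSID ->",
          msg2_accepted(good, pmk_from_psk("password", "IEEF"), AA, SPA))
```

Because the SSID is the salt, the same passphrase on two SSIDs yields two unrelated PMKs, and a PSK entered as 64 hexadecimal digits skips the stretching step entirely.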

WPA and WPA2 support the TKIP and CCMP encryption algorithms.

  • TKIP

    Unlike WEP, which uses a static shared key, TKIP uses a dynamic key negotiation and management mechanism. Each user obtains an independent key through dynamic negotiation. User keys are calculated using the PTK generated in key negotiation, the MAC address of the sender, and the packet sequence number.

    TKIP uses MICs to ensure the integrity of frames received on the receiver and validity of data sent by the sender and receiver. This mechanism protects information integrity. A MIC is calculated using the MIC key generated during key negotiation, the destination MAC address, source MAC address, and data frame.

  • CCMP

    While WEP and TKIP use a stream cipher algorithm, CCMP uses an Advanced Encryption Standard (AES) block cipher. The block cipher algorithm overcomes defects of the RC4 algorithm and provides a higher level of security.

This Document Applies to these Products



Wired Equivalent Privacy (WEP), defined in IEEE 802.11, is used to protect the data of authorized users from tampering during transmission on a WLAN. WEP uses the RC4 algorithm to encrypt data using a 64-bit, 128-bit, or 152-bit encryption key. An encryption key contains a 24-bit initialization vector (IV) generated by the system, so the length of key configured on the WLAN server and client is 40-bit, 104-bit, or 128-bit. WEP uses a static encryption key. That is, all STAs associating with the same SSID use the same key to connect to the wireless network.

A WEP security policy defines a link authentication mechanism and a data encryption mechanism.

Link authentication mechanisms include open system authentication and shared key authentication. For details about link authentication, see "Link Authentication" in STA Access.

  • If open system authentication is used, data is not encrypted during link authentication. After a user goes online, service data can be encrypted by WEP or not, depending on the configuration.

  • If shared key authentication is used, the WLAN client and server complete key negotiation during link authentication. After a user goes online, service data is encrypted using the negotiated key.


A WDS profile contains major parameters required for configuring the WDS function. To enable radios of an AP group or a specified AP to set up Mesh links, a WDS profile must be applied to the radios.

When configuring WDS services, use the WDS profile with the following profiles:

  • Security profile: After a security profile is bound to a WDS profile, parameters in the security profile will be used for WDS link setup to ensure security of WDS links. The WPA2+PSK+AES security policy is recommended for a WDS security profile.

  • WDS whitelist profile: A WDS whitelist profile contains MAC addresses of neighboring APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other APs are denied. In the WDS, only APs with radios working in root mode and middle mode can have a whitelist configured. APs in leaf mode require no whitelist.

    • A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local AP only after passing security authentication.
    • If no WDS whitelist profile is used, all neighboring APs can access the local AP.

  • AP group radio or AP radio: You can configure major feature parameters for radios in an AP group or a specified AP radio, including the working channel and bandwidth, antenna gain, transmit power, and radio coverage distance. For example, when configuring the WDS function, configure the same channel for radios of WDS APs.
  • Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can configure other radio parameters for WDS links through a radio profile.

By default, the system provides the WDS profile default. By default, the security profile default-wds with the security policy WPA2+PSK+AES is referenced by a WDS profile regardless of whether the WDS profile is the default profile provided by the system or a WDS profile created by users. If the default security profile default-wds is used, you are advised to change the security key of the profile to ensure security. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

For details, see Configuring a WDS Profile.


WIDS profiles provide mechanisms to protect WLAN networks. WIDS profiles are bound to AP groups or APs so that they can take effect.

A WIDS profile supports the following functions:

  • WIDS device detection and countering

    • APs detect Wi-Fi devices within their coverage range and determine whether they are authorized.

    • You can configure a WIDS spoof SSID profile and a WIDS whitelist profile to identify spoofing SSIDs and add the trusted devices to the whitelist. After configuring these profiles, you bind them to the WIDS profile.

    • Countermeasures are taken on the detected rogue device so that rogue STAs cannot access the network or authorized STAs will not access rogue APs.

  • WIDS attack detection and dynamic blacklist

    • APs detect Wi-Fi devices on a network that launch attacks, including flood attacks, weak IV attacks, spoofing attacks, and brute force PSK cracking attacks.

    • After the dynamic blacklist function is enabled, attacking devices are added to the dynamic blacklist and packets from these devices are discarded.


An AP communicates with an IoT card through a serial port. Each IoT card interface uses independent serial communication parameters and framing parameters. The serial communication parameters and framing parameters can be set in a serial profile.


Depending on its location on a WDS network, an AP can work in root, middle, or leaf mode. As shown in Figure 15-10, AP1 is a root node, AP2 is a middle node, and AP3 is a leaf node. You can configure an AP's working mode based on actual situations.

Figure 15-10  WDS networking



On a Mesh network, you can deploy an AP as an MPP or MP based on the location of the AP, as shown in Figure 16-7. Select a proper method to add APs on an AC according to actual situations.

Figure 16-7  Mesh networking diagram

  • Mesh point portal (MPP): an MP that connects to a WMN or another type of network. An MPP connects Mesh nodes to external networks. Each WMN has at least one MPP.

    To ensure high throughput, you are advised not to configure access VAPs on an MPP.

  • Mesh point (MP): a node that provides both mesh service and user access service. All nodes except MPPs on a WMN are MPs.



You can add APs in any of the following modes:

  • Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are configured on an AC before APs go online. The AC starts to set up connections with the APs if the MAC addresses or SNs of the APs match the configured ones.

  • Configuring the AC to automatically discover an AP: The AP authentication mode is set to no authentication; alternatively, the AP authentication mode is set to MAC or SN authentication and the AP whitelist is configured on the AC. When an AP in the whitelist connects to the AC, the AC discovers the AP, and the AP goes online.

  • Manually confirming APs added to the list of unauthorized APs: The AP authentication mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC. When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of unauthorized APs. After the AP identity is confirmed, the AP can go online.

When you add an AP in any of the preceding modes, the AP cannot connect to the AC if the MAC address of the AP is in the AP blacklist.

After you add an AP to an AC offline and configure AP parameters, for example, the AP group that the AP joins by default, the AP can go online and use the configured data to work. When the AC is configured to automatically discover APs, an AP uses the default parameters to work after going online.

Adding an AP offline is recommended when the MAC address or SN of the AP is already learned.

The AP blacklist and whitelist can be configured at the same time. However, the MAC address of an AP cannot be added to the AP blacklist and whitelist at the same time.

If both the AP whitelist and the AP blacklist are configured, whether an AP is on the blacklist is checked first.

The number of APs managed by an AC is restricted by the following factors:

  • License resource items: The total number of common APs and central APs does not exceed the maximum number of local license resource items on the AC. RUs do not occupy license resources.
  • Maximum number of APs managed by an AC: The total number of central APs, common APs, and RUs does not exceed the maximum number of APs that the AC can manage.

  • Add an AP offline.
  • Configure the AC to automatically discover an AP.

    If no AP name or AP group is configured for an automatically discovered AP on the AC, the configuration file of the AP name or AP group will not be generated in the AP view.

    If an AP is deleted from the AC, the configuration in the AP view will be automatically deleted.

    • Set the AP authentication mode to no authentication.

      1. Run the system-view command to enter the system view.
      2. Run the wlan command to enter the WLAN view.
      3. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the AP to an AP blacklist.

        By default, no AP is in an AP blacklist.

      4. Run the ap auth-mode no-auth command to set the AP authentication mode to no authentication.

        The default AP authentication mode is MAC address authentication.

        The non-authentication mode brings security risks. You are advised to set the authentication mode to MAC address authentication or SN authentication, which is more secure.

    • Set the AP authentication mode to MAC address or SN authentication.

      1. Run the system-view command to enter the system view.
      2. Run the wlan command to enter the WLAN view.
      3. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the AP to an AP blacklist.

        By default, no AP is in an AP blacklist.

      4. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP authentication mode to MAC address authentication or SN authentication.

        The default AP authentication mode is MAC address authentication.

      5. Configure the AP whitelist.

        • Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the AP with the specified MAC address to the whitelist if the AP authentication mode is set to MAC address authentication.

          By default, no MAC address is added to the AP whitelist.

        • Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with the specified SN to the whitelist if the AP authentication mode is set to SN authentication.

          By default, no SN is added to the AP whitelist.

  • Manually confirm the AP added to the list of unauthorized APs.

  • Run the display ap global configuration command to check the AP authentication mode.
  • Run the display ap blacklist command to check the AP blacklist.
  • Run the display ap whitelist { mac | sn } command to check the AP whitelist.
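A model of the admission rules described above (blacklist checked first, then the authentication mode, then the whitelist), added here as an example; it is not Huawei's implementation. The class and function names are hypothetical, `ap-mac1 to ap-mac2` is assumed to be an inclusive range, SN ranges are not modelled, and the MAC addresses and SNs are constructed.

```python
from dataclasses import dataclass, field


def mac_int(mac: str) -> int:
    """Parse xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx into an integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def mac_range(first: str, last: str = "") -> tuple:
    """Model 'ap-mac1 [ to ap-mac2 ]' as an inclusive range (assumption)."""
    lo = mac_int(first)
    hi = mac_int(last) if last else lo
    if hi < lo:
        raise ValueError("range end is below range start")
    return (lo, hi)


def in_ranges(value: int, ranges: list) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


@dataclass
class AcPolicy:
    auth_mode: str = "mac-auth"      # the page's stated default
    blacklist: list = field(default_factory=list)       # MAC ranges
    whitelist_mac: list = field(default_factory=list)   # MAC ranges
    whitelist_sn: set = field(default_factory=set)

    def admit(self, mac: str, sn: str) -> str:
        """Return 'denied', 'online' or 'unauthorized' for a connecting AP."""
        m = mac_int(mac)
        if in_ranges(m, self.blacklist):          # blacklist is checked first
            return "denied"
        if self.auth_mode == "no-auth":           # every other AP goes online
            return "online"
        if self.auth_mode == "mac-auth":
            listed = in_ranges(m, self.whitelist_mac)
        elif self.auth_mode == "sn-auth":
            listed = sn in self.whitelist_sn
        else:
            raise ValueError(f"unknown auth mode: {self.auth_mode!r}")
        # APs outside the whitelist wait for manual confirmation.
        return "online" if listed else "unauthorized"

    def audit(self) -> list:
        """Flag settings the page warns about."""
        findings = []
        if self.auth_mode == "no-auth":
            findings.append("no-auth: any AP not on the blacklist goes online")
        for w_lo, w_hi in self.whitelist_mac:
            for b_lo, b_hi in self.blacklist:
                if w_lo <= b_hi and b_lo <= w_hi:
                    findings.append(
                        f"whitelist {w_lo:012x}-{w_hi:012x} overlaps "
                        f"blacklist {b_lo:012x}-{b_hi:012x}")
        return findings


if __name__ == "__main__":
    policy = AcPolicy()
    policy.whitelist_mac.append(mac_range("00e0-fc00-0010", "00e0-fc00-001f"))
    policy.blacklist.append(mac_range("00e0-fc00-0015"))
    for mac in ("00e0-fc00-0011", "00e0-fc00-0015", "00e0-fc00-0099"):
        print(mac, "->", policy.admit(mac, "SN-CONSTRUCTED-001"))
    print(policy.audit())
    print(AcPolicy(auth_mode="no-auth").audit())
```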


When patients need infusions, nurses use barcode printers to print barcodes and paste them on fluid bags. They use handheld digital terminals to scan barcodes on patients' wrist straps and fluid bags, and associate fluid information with patient information.

The infusion management system monitors infusion conditions in real time. When the fluid dripping speed is too fast or slow, or infusion is complete, audible alarms are generated on the LCD at nurse workstations. After hearing the alarms, nurses can adjust the fluid dripping speed or take other actions.

Manage infusions according to related documents obtained from the infusion management system vendor. The detailed operations are not described in this document.


Figure 15-1  WDS networking

  • Service VAP: On a traditional WLAN, an AP is a physical entity that provides WLAN services to STAs. A service virtual access point (VAP) is a logical entity that provides access service for users. Multiple VAPs can be created on an AP to provide access service for multiple user groups. In Figure 15-1, VAP0 created on AP3 is a service VAP.
  • WDS VAP: On a WDS network, an AP is a functional entity that provides WDS service for neighboring devices. WDS VAPs include AP and STA VAPs. The ID of STA VAPs is fixed at 13, and that of AP VAPs is fixed at 12. AP VAPs provide connections for STA VAPs. In Figure 15-1, VAP13 created on AP3 is a STA VAP, and VAP12 created on AP2 is an AP VAP.
  • Wireless virtual link (WVL): a connection set up between a STA VAP and an AP VAP on neighboring APs, as shown in Figure 15-1.
  • AP working mode: Depending on its location on a WDS network, an AP can work in root, middle, or leaf mode, as shown in Figure 15-1.

    • Root: The AP directly connects to an AC through a wired link and uses an AP VAP to set up wireless virtual links with a STA VAP.
    • Middle: The AP uses a STA VAP to connect to an AP VAP on an upstream AP and uses an AP VAP to connect to a STA VAP on a downstream AP.
    • Leaf: The AP uses a STA VAP to connect to an AP VAP on an upstream AP.
  • Working mode of an AP's wired interface: On a WDS network, depending on the location of the AP, a wired interface works in root or endpoint mode.

    • Root: The wired interface connects to an upstream wired network.
    • Endpoint: The wired interface connects to a downstream user host or LAN.

    On a WDS network, one wired interface must work in root mode to connect to the wired network.

  • AP online process

    After WDS is enabled on an AP, the AP automatically creates WDS VAPs (AP VAP and STA VAP). The AP uses the WDS VAPs to set up WVLs with other APs. The AP connects to the AC through the WVL and obtains configurations from the AC.

  • Service intercommunication

    On a WDS network, service data is transmitted over the WVLs. After an AP goes online, it needs to set up service links through WVLs. Figure 15-2 shows how a service link is set up between AP2 and AP3 on the WDS network shown in Figure 15-1.

    Figure 15-2  Setting up a service link

    1. Probe request

      AP3 broadcasts a Probe Request frame carrying a WDS-Name field (similar to SSID in WLAN service).

    2. Probe response

      AP2 receives the Probe Request frame and sends AP3 a Probe Response frame.

    3. Authentication request

      After AP3 receives the Probe Response frame, it sends AP2 an Authentication Request frame.

    4. Authentication response

      After AP2 receives the Authentication Request frame, it determines whether to allow access from AP3, depending on the WDS whitelist configuration:

      • If the WDS whitelist is not enabled, AP2 allows access from AP3 and sends an Authentication Response frame to notify AP3 that the authentication has succeeded.
      • If the WDS whitelist is enabled, AP2 checks whether the MAC address of AP3 is included in the WDS whitelist.
        • If the MAC address of AP3 is included in the WDS whitelist, AP2 allows access from AP3 and sends an Authentication Response frame to notify AP3 that the authentication has succeeded.
        • If the MAC address of AP3 is not included in the WDS whitelist, AP2 sends an Authentication Response frame with an error code, indicating that the authentication has failed. The process ends and the service wireless virtual link (WVL) cannot be set up.

    5. Association request

      After AP3 receives the Authentication Response frame indicating successful authentication, it sends an Association Request frame to AP2.

    6. Association response

      After AP2 receives the Association Request frame, it sends an Association Response frame to request AP3 to start the access authentication.

    7. Access authentication

      On a WDS network, the access authentication method for a STA VAP must be WPA2-PSK. Therefore, AP3 and AP2 use a pre-configured shared key for negotiation. If each AP can decrypt the messages sent by the other using the shared key, the two APs have the same shared key and the access authentication is successful.

    8. Key negotiation

      AP3 and AP2 negotiate an encryption key to encrypt service packets.

  • After a service link is set up, the APs periodically send link status messages to each other. If one AP does not receive any link status messages from the other AP, it disconnects the service link and starts to set up a new one.
  • If the AC delivers new WDS parameter settings to APs, the APs use them to set up service links.
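
The eight-step service link setup above, modeled in Python as an added example (not Huawei code): it shows that the WDS whitelist check in step 4 and the WPA2-PSK check in step 7 are independent gates. The class and function names, the MAC addresses and passphrases are constructed, and answering probes only for a matching WDS-Name is an assumption; key possession is confirmed with a message integrity code, as in the standard WPA2 handshake.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class WdsAp:                      # hypothetical model of one AP's WDS settings
    name: str
    mac: str
    wds_name: str
    passphrase: str
    whitelist_enabled: bool = False
    whitelist: set = field(default_factory=set)   # normalized MAC strings


def normalize_mac(mac):
    """Reduce common MAC notations (aa:bb:.., aabb-ccdd-eeff) to 12 hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def derive_pmk(passphrase, wds_name):
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), wds_name.encode(), 4096, 32)


def derive_ptk(pmk, mac_a, mac_b, nonce_a, nonce_b):
    """802.11i PRF-384 over the sorted addresses and nonces."""
    data = (min(mac_a, mac_b) + max(mac_a, mac_b) +
            min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    label = b"Pairwise key expansion"
    blocks = [hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3)]
    return b"".join(blocks)[:48]  # KCK (16) | KEK (16) | TK (16)


def setup_service_link(sta_side, ap_side):
    """Return (last step reached, outcome) for sta_side (AP3) joining ap_side (AP2)."""
    # Steps 1-2: probe. Assumption: the AP VAP answers only for its own WDS-Name.
    if sta_side.wds_name != ap_side.wds_name:
        return 1, "no probe response"
    # Steps 3-4: link authentication, gated by the optional WDS whitelist.
    if ap_side.whitelist_enabled and normalize_mac(sta_side.mac) not in ap_side.whitelist:
        return 4, "authentication failed: MAC not in WDS whitelist"
    # Steps 5-6: association request and response carry no decision in the text.
    # Step 7: access authentication. Each side derives keys from its OWN passphrase.
    sta_mac = bytes.fromhex(normalize_mac(sta_side.mac))
    ap_mac = bytes.fromhex(normalize_mac(ap_side.mac))
    anonce, snonce = os.urandom(32), os.urandom(32)
    sta_ptk = derive_ptk(derive_pmk(sta_side.passphrase, sta_side.wds_name),
                         ap_mac, sta_mac, anonce, snonce)
    ap_ptk = derive_ptk(derive_pmk(ap_side.passphrase, ap_side.wds_name),
                        ap_mac, sta_mac, anonce, snonce)
    message = b"constructed handshake message" + snonce
    mic = hmac.new(sta_ptk[:16], message, hashlib.sha1).digest()[:16]
    expected = hmac.new(ap_ptk[:16], message, hashlib.sha1).digest()[:16]
    if not hmac.compare_digest(mic, expected):
        return 7, "access authentication failed: shared keys differ"
    # Step 8: key negotiation. Both sides now hold the same temporal key (PTK[32:48]).
    return 8, "service link up"


# Constructed sample devices (locally administered MAC addresses).
AP2 = WdsAp("AP2", "02:00:00:00:00:02", "wds-demo", "constructed-shared-key",
            whitelist_enabled=True, whitelist={normalize_mac("0200-0000-0003")})
AP3 = WdsAp("AP3", "02:00:00:00:00:03", "wds-demo", "constructed-shared-key")
UNLISTED = WdsAp("AP9", "02:00:00:00:00:09", "wds-demo", "constructed-shared-key")
WRONG_KEY = WdsAp("AP3", "02:00:00:00:00:03", "wds-demo", "some-other-key")

if __name__ == "__main__":
    for candidate in (AP3, UNLISTED, WRONG_KEY):
        print(candidate.name, candidate.mac, setup_service_link(candidate, AP2))
```

A whitelisted MAC address with the wrong key stops at step 7, and an unlisted MAC address with the right key stops at step 4, so neither setting substitutes for the other.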

A WDS network can be deployed in point-to-point or point-to-multipoint mode.

  • Point-to-point deployment

    As shown in Figure 15-3, AP1 sets up wireless virtual links with AP2 to provide wireless access service for users.

    Figure 15-3  Point-to-point WDS deployment

  • Point-to-multipoint deployment

    As shown in Figure 15-4, AP1, AP2, and AP3 set up wireless virtual links with AP4. Data from all STAs associating with AP1, AP2, and AP3 is forwarded by AP4.

    Figure 15-4  Point-to-multipoint WDS deployment


If an AP cannot work properly after being upgraded, reset the AP. You can run the display ap all command and check the AP State field to determine whether an AP is working properly. If the State field displays name-conflicted, ver-mismatch, config, config-failed, committing, or commit-failed, the AP is not working properly.

Exercise caution when resetting an AP because services on the AP will be interrupted.

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type { type type-name | type-id type-id } }

    APs are reset.


To disconnect an AP from the current AC or enable an AP to go online on another AC, you can delete the AP from the current AC.

Deleting an AP will interrupt services of STAs connected to the AP. Exercise caution when you delete an AP.

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    undo ap { ap-name ap-name | ap-id ap-id | ap-mac ap-mac | ap-group group-name | all }

    An AP is deleted.


On an AC + Fit AP network, one AC manages many APs. Usually, you need to perform the same configurations on the APs. In this situation, you can add the APs to an AP group and perform configurations uniformly in the AP group, which simplifies operations. All APs in the group use the same configurations.

Each AP must join exactly one AP group. An AP group contains configurations shared by all APs in the group. You can configure settings specific to a single AP in the AP view.

By default, an AP automatically joins the AP group default. The AP group default cannot be deleted, but you can modify configurations in the default AP group.

By default, an AP group has the following profiles bound: AP system profile default, 2G radio profile default, 5G radio profile default, regulatory domain profile default, WIDS profile default, and AP wired port profile default.

Before creating an AP group, perform the task of CLI Login Configuration.

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    ap-group name group-name

    An AP group is created, and the AP group view is displayed.

    By default, the system provides the AP group default.

  • Run the display ap-group { all | name group-name } command to verify AP group configurations.

After an AP group is created, you need to add APs to the AP group so that the APs can use configurations in the group. For details, see Adding APs.


In a WIDS profile, you can configure various WIDS and WIPS services. You can create multiple WIDS profiles to carry different WIDS services and apply the profiles to different APs as required.

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    wids-profile name profile-name

    A WIDS profile is created and the WIDS profile view is displayed.

    By default, the system provides the WIDS profile default.


An AP wired port profile provides configurations of AP wired ports. AP wired port link profiles can be bound to AP wired port profiles. AP wired port link profiles are used to configure link-layer parameters of AP wired ports.

The following configurations are performed in an AP wired port profile:

  • Add an AP's wired port to an Eth-Trunk.
  • Configure STP, working mode, and DHCP trusted port on an AP's wired port.
  • Configure STA address learning, IP source guard, and dynamic ARP probing on an AP's wired port.
  • Specify the maximum broadcast, multicast, and unknown unicast traffic allowed by an AP's wired port.
  • Associate STP with the error-triggered shutdown function on an AP's wired port.
  • Configure IGMP Snooping for an AP's wired port.

For details, see Managing an AP's Wired Interface.


After the rogue device containment function is enabled, rogue APs can be detected and contained. However, there may be APs of other vendors or on other networks working in the existing signal coverage areas. If these APs are contained, their services will be affected. To prevent this situation, you can configure the WIDS whitelist profile to add these APs to a WIDS whitelist which includes an authorized MAC address list, OUI list, and SSID list.


On a WLAN, the operating status of APs is affected by the radio environment. For example, adjacent APs using the same working channel interfere with each other, and a high-power AP can interfere with adjacent APs if they work on overlapping channels. Radio calibration can dynamically adjust the channels and power of APs managed by the same AC to ensure that the APs work in a way that optimizes performance.

  • Channel adjustment

    On a WLAN, adjacent APs must work on non-overlapping channels to avoid radio interference. For example, the 2.4 GHz frequency band is divided into 14 overlapping 20 MHz channels, as shown in Figure 8-1.

    Figure 8-1  Channels on the 2.4 GHz frequency band

    The 5 GHz frequency band has richer spectrum resources. In addition to 20 MHz channels, APs working on the 5 GHz frequency band support 40 MHz, 80 MHz, and larger-bandwidth channels, as shown in Figure 8-2.

    Figure 8-2  Channels

    • Two neighboring 20 MHz channels are bonded into a 40 MHz channel. One of the two 20 MHz channels is the primary channel, and the other the auxiliary channel.
    • Two neighboring 40 MHz channels are bonded into an 80 MHz channel. In an 80 MHz channel, one 20 MHz channel is selected as the primary channel. The other 20 MHz channel making up the 40 MHz channel with the primary channel is called the auxiliary 20 MHz channel. The 40 MHz channel not containing the primary channel is called the auxiliary 40 MHz channel.
    • Two neighboring 80 MHz channels are bonded into a 160 MHz channel. In a 160 MHz channel, one 20 MHz channel is selected as the primary channel. The other 20 MHz channels making up the 80 MHz channel with the primary channel are called the auxiliary 20 MHz channels. The 40 MHz channels not containing the primary channel are called the auxiliary 40 MHz channels. The 80 MHz channel not containing the primary channel is called the auxiliary 80 MHz channel. At most two 160 MHz channels are supported on the 5 GHz frequency band.
    • Two non-neighboring 80 MHz channels are bonded into an 80+80 MHz channel. The division of primary and auxiliary channels is similar to that for a 160 MHz channel. Compared to the 160 MHz channel, the 80+80 MHz channel allows for more than three non-overlapping channels on the 5 GHz frequency band, which can be used for cellular channel planning and meet wireless network deployment requirements.

    Figure 8-3 shows the channel bonding.

    Figure 8-3  Channel bonding example

    The primary channel is used for transmission of the management and control packets. A channel is idle only when its primary channel is idle.

    Figure 8-4 shows an example of channel distribution before and after channel adjustment. Before channel adjustment, both AP2 and AP4 use channel 6. After channel adjustment, AP4 uses channel 11 so that it does not interfere with AP2.

    After channel adjustment, each AP is allocated an optimal channel to minimize or avoid adjacent-channel or co-channel interference, ensuring reliable data transmission on the network.

    Figure 8-4  Channel adjustment

    In addition to optimizing radio performance, channel adjustment can also be used for dynamic frequency selection (DFS). In some regions, radar systems work in the 5 GHz frequency band, which can interfere with radio signals of APs working in the 5 GHz frequency band. The DFS function enables APs to automatically switch to other channels when they detect interference on their current working channels.

    During the DFS process, radar signals may be falsely detected. If radar signals are detected only occasionally on a single AP, the detection may be a mistake. If radar signals are detected multiple times on an AP or simultaneously on multiple APs, the presence of radar signals may be confirmed, and the APs can then process the signals accordingly. To minimize misdetections, all Huawei AP models are optimized to distinguish radar signals from non-radar signals more accurately.

  • Power adjustment

    An AP's transmit power determines its radio coverage area. APs with higher power have larger coverage areas. A traditional method to control the radio power is to set the transmit power to the maximum value to maximize the radio coverage area. However, a high transmit power may cause interference with other wireless devices. Therefore, an optimal power is required to balance the coverage area and signal quality.

    The power adjustment function helps dynamically allocate proper power to APs according to the real-time radio environment. Power adjustment works according to the following:

    • When an AP is added to the network, the transmit power of neighboring APs decreases, as shown in Figure 8-5. The area of the circle around an AP represents the AP's coverage area after transmit power adjustment. When AP4 is added to the network, the transmit power of each AP decreases automatically.

    Figure 8-5  Transmit power of APs decreases

    • When an AP goes offline or fails, power of neighboring APs increases, as shown in Figure 8-6.

    Figure 8-6  Transmit power of APs increases

Radio calibration requires the following components for implementation:

  • AP: actively or passively collects radio environment information and sends the information to the AC. The AC then delivers the calibration results.
  • AC: maintains the AP neighbor topology based on radio environment information received from the APs, uses calibration algorithms to allocate AP channels and transmit power, and sends calibration results to the APs.

ACs support global radio calibration and partial radio calibration:

  • Global radio calibration:

    Global radio calibration takes effect on all APs managed by an AC. The AC controls channels and transmit power of all APs in the region to achieve best radio performance. Generally, this calibration mode is used on a newly deployed WLAN or a WLAN with a few services.

    Figure 8-7 shows the global radio calibration process.

    Figure 8-7  Implementation of global radio calibration

    The global radio calibration process is as follows:

    1. After global radio calibration is enabled, the AC sends a notification to each AP, requesting the AP to start neighbor probing.
    2. The APs periodically implement neighbor probing and report neighbor information to the AC.
    3. After the AC receives probe results from all of the APs, it uses the global radio calibration algorithm to allocate channels and power to the APs.

      The global radio calibration algorithm includes the Dynamic Channel Allocation (DCA) algorithm and Transmit Power Control (TPC) algorithm.

    4. The AC delivers calibration results to the APs. After the AC implements global radio calibration for the first time, it does not start the next global radio calibration until it has received neighbor information from all APs. The AC continuously implements global radio calibration in order to obtain optimal and accurate calibration results.

    Neighbor probe

    Two neighbor probe modes are available.

    • Active probe: The AP actively sends Probe Request frames to notify surrounding APs of its existence. Active probe is used to establish neighbor relationships and obtain the maximum interference signal strength.

      The active probe process is as follows:

      1. An AP periodically sends Probe Request frames destined for a specified multicast address on different channels.
      2. After receiving the frames, surrounding APs learn that the AP is a neighbor and collect information about the AP, in which the Received Signal Strength Indicator (RSSI) is the key factor.

    • Passive probe: The AP receives neighbor information to detect neighboring APs. The passive probe is used to collect interference information from neighboring APs and rogue APs.

    Global calibration algorithm

    The global calibration algorithm achieves global optimization through partial optimizations. Global calibration is implemented through AP channel and power adjustment. Instead of being coupled to each other, the algorithms for channel adjustment (DCA) and power adjustment (TPC) are independent of each other.

    • DCA algorithm: Global calibration divides all APs into several calibration groups based on the relationships between the APs and allocates channels to each group. In each radio calibration group, simple exhaustion and iteration algorithms are used to list all possible AP-Channel combinations and choose the optimal combination.
    • TPC algorithm: The TPC algorithm aims to choose the proper transmit power which can meet coverage requirements, without causing large interference to neighboring APs. The TPC algorithm works in the following ways:
      1. The algorithm estimates the deployment density of APs based on the number of AP neighbors, and determines the initial transmit power, lower and upper interference thresholds.

        The level of interference specified by the lower interference threshold is low, and within the allowed range. In this case, two neighboring APs cannot detect interference from each other and can send packets simultaneously.

        The level of interference specified by the upper interference threshold is large. In this case, two neighboring APs can easily detect the interference and must compete to send packets through CSMA.

      2. The algorithm re-detects RSSIs of neighbors. If the interference caused by the neighbor is smaller than the lower interference threshold, the algorithm determines whether to raise transmit power according to their difference. If the interference caused by the neighbor is greater than the upper interference threshold, the algorithm determines whether to reduce transmit power according to their difference.
  • Partial radio calibration

    Partial radio calibration aims to adjust working channels and power of some APs to optimize the radio environment if it deteriorates in only some areas. Similar to the global radio calibration, the partial radio calibration uses DCA and TPC algorithms. Partial radio calibration is triggered in the following scenarios:

    • An AP goes online: When detecting that an AP goes online, the AC allocates a working channel and power to the new AP. To achieve the optimal performance, the AC may re-allocate the working channels and transmit power of neighboring APs. For example, to prevent interference between the new AP and its neighbors, the AC will reduce the transmit power of the AP neighbors.
    • An AP goes offline: When detecting that an AP goes offline, the AC executes the calibration algorithm to increase the transmit power of neighboring APs to eliminate coverage holes. An AP may be restarted unexpectedly or manually restarted for temporary maintenance. In this situation, the AC does not start the calibration algorithm immediately. Instead, the AC starts radio calibration only after the neighbor information is updated.
    • Interference from a rogue AP is detected: If a rogue AP is identified through neighbor probes, interference information is collected and used for radio calibration. If the interference value exceeds the threshold (-65 dBm by default), the interference is considered serious, and partial radio calibration is triggered. The device adjusts working channels of neighboring APs to avoid interference from the rogue AP.
    • The radio environment deteriorates: The radio environment deteriorates due to an increase in lost packets and error codes caused by interference or weak signals. In this scenario, partial radio calibration may be triggered if it can improve the radio environment.
    • Interference from non-Wi-Fi devices is detected: Non-Wi-Fi devices, including microwave ovens and cordless phones, work on the same frequency as the APs and may cause interference. The spectrum analysis module identifies interference from non-Wi-Fi devices. If the interference is serious or large interference occurs multiple times in a specified period, the module triggers partial radio calibration and adjusts AP channels and power to avoid interference.
    • Partial radio calibration is manually triggered: You can trigger partial radio calibration based on the AP or AP group.
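
A small Python model of the DCA and TPC steps described above, added here as an illustration and not taken from Huawei's implementation. It assumes a 1/6/11 channel plan, a cost equal to the summed co-channel neighbor power, and constructed RSSI values, thresholds and power limits; only the -65 dBm rogue AP threshold comes from the text. The sample data reproduces the Figure 8-4 case in which AP2 and AP4 both start on channel 6.

```python
from itertools import product

CHANNELS = (1, 6, 11)        # assumed non-overlapping 2.4 GHz channel plan
ROGUE_THRESHOLD_DBM = -65    # default rogue AP interference threshold from the text


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def dca(aps, rssi, current):
    """Exhaustively score every AP-channel combination in one calibration group.

    rssi maps frozenset({ap_a, ap_b}) to the RSSI in dBm between two neighbors.
    Cost (assumption): total co-channel neighbor power in mW. Ties are broken by
    the fewest channel changes relative to the current plan.
    """
    best_key, best_plan = None, None
    for combo in product(CHANNELS, repeat=len(aps)):
        plan = dict(zip(aps, combo))
        cost = sum(dbm_to_mw(level) for pair, level in rssi.items()
                   if len({plan[ap] for ap in pair}) == 1)
        changes = sum(plan[ap] != current[ap] for ap in aps)
        key = (cost, changes, combo)
        if best_key is None or key < best_key:
            best_key, best_plan = key, plan
    return best_plan


def tpc_thresholds(neighbor_count):
    """Step 1: initial power and thresholds from AP density (constructed values)."""
    if neighbor_count >= 4:                       # dense deployment
        return {"power": 14, "lower": -80, "upper": -68}
    return {"power": 20, "lower": -85, "upper": -72}


def tpc_adjust(power_dbm, neighbor_rssi_dbm, lower, upper, floor=5, ceiling=23):
    """Step 2: move power by the gap between the strongest neighbor and a threshold."""
    strongest = max(neighbor_rssi_dbm)
    if strongest > upper:                         # neighbors contend through CSMA
        power_dbm -= strongest - upper
    elif strongest < lower:                       # room to extend coverage
        power_dbm += lower - strongest
    return max(floor, min(ceiling, power_dbm))    # assumed hardware limits


def needs_partial_calibration(rogue_rssi_dbm, threshold=ROGUE_THRESHOLD_DBM):
    """Rogue AP interference above the threshold triggers partial calibration."""
    return rogue_rssi_dbm > threshold


# Constructed neighbor report: AP2 and AP4 hear each other strongly, AP3 and AP4 barely.
SAMPLE_APS = ["AP1", "AP2", "AP3", "AP4"]
SAMPLE_CURRENT = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 6}
SAMPLE_RSSI = {
    frozenset({"AP1", "AP2"}): -60, frozenset({"AP2", "AP3"}): -62,
    frozenset({"AP2", "AP4"}): -58, frozenset({"AP1", "AP4"}): -70,
    frozenset({"AP1", "AP3"}): -75, frozenset({"AP3", "AP4"}): -85,
}

if __name__ == "__main__":
    print("channels:", dca(SAMPLE_APS, SAMPLE_RSSI, SAMPLE_CURRENT))
    start = tpc_thresholds(neighbor_count=3)
    print("power:", tpc_adjust(start["power"], [-60, -75], start["lower"], start["upper"]))
    print("rogue at -60 dBm triggers:", needs_partial_calibration(-60))
```

The exhaustive search costs len(CHANNELS) ** len(aps) evaluations, which is why the text applies it per calibration group rather than to all APs at once.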


Before re-configuring online parameters of APs in the AP provisioning view, clear existing configurations. The cleared configurations cannot be restored. Exercise caution when you run the following command.

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    provision-ap

    The AP provisioning view is displayed.

  4. Run:

    clear configuration this

    All configurations are cleared in the AP provisioning view.


Configurations in the AP provisioning view are not automatically delivered to APs. You have to manually deliver them to APs.

After the configuration is committed, the AP receives the configuration and compares the configuration with its local configuration.

  • If they are consistent, the AP does not process the received configuration.
  • If they are different, the AP saves the committed configuration and automatically restarts, and the received configuration takes effect.

If the name or static IP address of an AP is specified in the AP provisioning view, the configuration can be delivered only to that AP, by specifying the AP name or MAC address; it cannot be delivered to the APs in a specified AP group.

If you commit configurations to a large number of APs simultaneously, some of the APs may fail to receive the configurations. In this case, you are advised to commit the configurations again.

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    provision-ap

    The AP provisioning view is displayed.

  4. Run:

    commit { ap-name ap-name | ap-mac ap-mac-address | ap-id ap-id | ap-group ap-group-name | all }

    The configurations are delivered to an AP, a group of APs, or all APs.


  • Adjust radio parameters:

    Procedure: Configure the radio type

      Command: radio-type { dot11b | dot11g | dot11n }

        By default, the radio type in a 2G radio profile is dot11n.

      Command: radio-type { dot11a | dot11ac | dot11n }

        By default, the radio type in a 5G radio profile is dot11ac.

      Usually, the default radio type is used and does not need to be modified. If the default radio mode cannot meet requirements or a fault needs to be located, configure the radio type as required.

      • The radio-type { dot11b | dot11g | dot11n } command can only be configured in a 2G radio profile.
      • The radio-type { dot11a | dot11ac | dot11n } command can only be configured in a 5G radio profile.

    Procedure: Configure the radio rate

      Command: dot11a basic-rate { dot11a-rate-value &<1-8> | all }

        By default, a basic rate set of the 802.11a protocol in a 5G radio profile includes rates 6 Mbps, 12 Mbps, and 24 Mbps.

      Command: dot11bg basic-rate { dot11bg-rate-value &<1-12> | all }

        By default, the basic rate set of the 802.11bg protocol includes rates 1 Mbps and 2 Mbps in a 2G radio profile.

      All rates specified in the basic rate set must be supported by both the AP and STA; otherwise, the STA cannot associate with the AP.

      • The dot11a basic-rate { dot11a-rate-value &<1-8> | all } command can only be configured in a 5G radio profile.
      • The dot11bg basic-rate { dot11bg-rate-value &<1-12> | all } command can only be configured in a 2G radio profile.

      Command: dot11a supported-rate { dot11a-rate-value &<1-8> | all }

        By default, the supported rate set of the 802.11a protocol in a 5G radio profile includes rates 6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.

      Command: dot11bg supported-rate { dot11bg-rate-value &<1-12> | all }

        By default, the supported rate set of the 802.11bg protocol in a 2G radio profile includes rates 1 Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.

      The supported rate set contains rates supported by the AP, except the basic rates. The AP and STA can transmit data at all rates specified by the supported rate set.

      • The dot11a supported-rate { dot11a-rate-value &<1-8> | all } command can only be configured in a 5G radio profile.
      • The dot11bg supported-rate { dot11bg-rate-value &<1-12> | all } command can only be configured in a 2G radio profile.

      Command: vht mcs-map nss nss-value max-mcs max-mcs-value

        By default, the maximum MCS value of the 802.11ac radios is 9 in the 5G radio profile.

        Rates of 802.11ac radios depend on the index value of Modulation and Coding Scheme (MCS). A larger MCS value indicates a higher transmission rate.

        The MCS value can only be configured in a 5G radio profile. Currently, only the AD9430DN-24 (including the mapping RUs), AD9430DN-12 (including the mapping RUs), AD9431DN-24X (including the mapping RUs), AP7030DE, AP9330DN, AP2030DN, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP3010DN-V2 (supporting 802.11ac after being upgraded from a version earlier than V200R008C10SPC300 to V200R008C10SPC300 or a later version), AP4030TN, AP4050DN-E, AP4050DN-HD, AP6050DN, AP6150DN, AP7050DN-E, AP7050DE, AP4050DN, AP4050DN-S, AP4051DN, AP4151DN, AP8050DN, AP8050DN-S, AP8150DN, AP1050DN-S, AP2050DN, AP2050DN-E, AP8130DN-W, AP5030DN, AP5130DN, AP8030DN, AP8130DN, AP4030DN, AP4130DN, AP9131DN, and AP9132DN support 802.11ac.

    Procedure: Configure the radio multicast rate

      Command: multicast-rate multicast-rate

        By default, the multicast rate of wireless packets is not configured in a radio profile. That is, the multicast rate is set to auto-sensing.

        The configured multicast rate must be in the basic rate set or supported rate set, and supported by the STA; otherwise, the STA cannot receive multicast data.

        The values of multicast-rate differ in 2G and 5G radio profiles. For details, see descriptions of multicast-rate multicast-rate.

    Procedure: Configure the interval at which an AP sends Beacon frames

      Command: beacon-interval beacon-interval

        By default, the interval for sending Beacon frames is 100 TUs.

        An AP broadcasts Beacon frames at intervals to notify STAs of an existing 802.11 network. After receiving a Beacon frame, a STA can modify parameters used to connect to the 802.11 network.

        A long interval for sending Beacon frames lengthens the dormancy time of STAs, while a short interval for sending Beacon frames increases air interface costs. Therefore, you are advised to set the interval for sending Beacon frames for an AP based on the VAP quantity. The following intervals for sending Beacon frames are recommended for APs with different VAP quantities on a single radio (except the AP7030DE and AP9330DN):

        • No more than 4 VAPs: about 100 TUs
        • 5 to 8 VAPs: about 200 TUs
        • 9 to 12 VAPs: about 300 TUs
        • 13 to 16 VAPs: about 400 TUs

    Procedure: Configure an AP to support the short preamble

      Command: undo short-preamble disable

        By default, a radio profile supports the short preamble.

        The preamble is a section of bits in the header of a data frame. It synchronizes signals transmitted between the sender and receiver and can be a short or long preamble.

        • A short preamble ensures better network synchronization performance and is recommended.
        • A long preamble is usually used for compatibility with earlier network adapters of clients.

    Procedure: Configure the packet fragmentation threshold

      Command: fragmentation-threshold fragmentation-threshold

        By default, the packet fragmentation threshold is 2346 bytes.

        If an 802.11 MAC frame exceeds the packet fragmentation threshold, the frame needs to be fragmented.

        • When the packet fragmentation threshold is too small, packets are fragmented into smaller frames. These frames are transmitted at a high extra cost, resulting in low channel efficiency.
        • When the packet fragmentation threshold is too large, long packets are not fragmented, increasing the transmission time and error probability. If an error occurs, packets are retransmitted. This wastes the channel bandwidth.

    Enable beamforming

    beamforming enable

    By default, Beamforming is disabled.

    Beamforming can enhance signals at a particular angle (for target users), attenuate signals at another angle (for non-target users or obstacles), and extend the radio coverage area.

    If nodes on the WDS or Mesh network are fixed and distant from each other, enable Beamforming to increase WDS or Mesh link SNR. Mobile nodes may cause low link SNR in WDS or Mesh scenarios. To prevent this problem, disable Beamforming. Among Beamforming-capable APs, the AP2x10xN series, AP7x30xE series, and AP9330DN APs do not support WDS and Mesh.

    Configure the RTS mechanism

    Configure the RTS-CTS operation mode

    rts-cts-mode { cts-to-self | disable | rts-cts }

    By default, the RTS-CTS operation mode is rts-cts.

    The RTS/CTS handshake mechanism prevents data transmission failures caused by channel conflicts. If STAs perform RTS/CTS handshakes before sending data, RTS frames consume high channel bandwidth. The default RTS-CTS operation mode is recommended.

    • If the RTS/CTS handshake mechanism is not used, hidden STAs may exist. For example, if base station C does not know that base station A is sending information to base station B, base stations A and C may send information to base station B simultaneously. The signals then conflict and fail to reach base station B.
    • The RTS/CTS handshake mechanism reduces the transmission rate and can even cause network delay.

    Configure an RTS-CTS threshold in a radio profile

    rts-cts-threshold rts-cts-threshold

    The default RTS-CTS alarm threshold is 1400 bytes.

    If STAs perform RTS/CTS handshakes before sending data, many RTS frames consume high channel bandwidth. To prevent this problem, set the RTS threshold and maximum number of retransmission attempts for long/short frames. The RTS threshold specifies the length of frames to be sent. When the length of frames to be sent by a STA is smaller than the RTS threshold, no RTS/CTS handshake is performed. The default RTS threshold is recommended.

    This configuration is applicable only when the RTS-CTS operation mode is rts-cts.

    Configure 802.11n parameters

    Enable the MAC Protocol Data Unit (MPDU) aggregation function.

    undo ht a-mpdu disable

    By default, aggregation of MPDUs is enabled.

    An 802.11 packet is sent as an MPDU, requiring channel competition and backoff and consuming channel resources. The 802.11n MPDU aggregation function aggregates multiple MPDUs into an aggregate MAC Protocol Data Unit (A-MPDU), so that N MPDUs can be transmitted through one channel competition and backoff. This function saves the channel resources to be consumed for sending N-1 MPDUs. The MPDU aggregation function improves channel efficiency and 802.11 network performance.

    Before configuring the length of an A-MPDU, run the undo ht a-mpdu disable command to enable the MPDU aggregation function.

    Configure the maximum length of an A-MPDU

    ht a-mpdu max-length-exponent max-length-exponent-index

    By default, the index for the maximum length of an A-MPDU is 3. The maximum length of the A-MPDU is 65535 bytes.

    Configure 802.11ac parameters

    Configure the maximum length of an A-MPDU

    vht a-mpdu max-length-exponent max-length-exponent-index

    By default, the index for the maximum length of an A-MPDU is 7. The maximum length of the A-MPDU is 1048575 bytes.

    An 802.11 packet is sent as an MPDU, requiring channel competition and backoff and consuming channel resources. The 802.11ac MPDU aggregation function aggregates multiple MPDUs into an aggregate MAC Protocol Data Unit (A-MPDU), so that multiple MPDUs can be transmitted through one channel competition and backoff. This function saves the channel resources to be consumed for sending multiple MPDUs. The MPDU aggregation function improves channel efficiency and 802.11 network performance.

    The length of an A-MPDU can only be configured in a 5G radio profile. Currently, only the AD9430DN-24 (including the mapping RUs), AD9430DN-12 (including the mapping RUs), AD9431DN-24X (including the mapping RUs), AP7030DE, AP9330DN, AP2030DN, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP3010DN-V2 (supporting 802.11ac after being upgraded from a version earlier than V200R008C10SPC300 to V200R008C10SPC300 or a later version), AP4030TN, AP4050DN-E, AP4050DN-HD, AP6050DN, AP6150DN, AP7050DN-E, AP7050DE, AP4050DN, AP4050DN-S, AP4051DN, AP4151DN, AP8050DN, AP8050DN-S, AP8150DN, AP1050DN-S, AP2050DN, AP2050DN-E, AP8130DN-W, AP5030DN, AP5130DN, AP8030DN, AP8130DN, AP4030DN, AP4130DN, AP9131DN, and AP9132DN support 802.11ac.

    Enable the function of sending 802.11ac packets in A-MSDU mode

    vht a-msdu enable

    By default, the function of sending 802.11 frames in A-MSDU mode is disabled.

    The function of sending 802.11 frames in A-MSDU mode can reduce MAC layer costs of the 802.11 packets and improve packet transmission efficiency especially when short MSDUs are aggregated.

    The function can only be configured in a 5G radio profile. Currently, only the AD9430DN-24 (including the mapping RUs), AD9430DN-12 (including the mapping RUs), AD9431DN-24X (including the mapping RUs), AP7030DE, AP9330DN, AP2030DN, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP3010DN-V2 (supporting 802.11ac after being upgraded from a version earlier than V200R008C10SPC300 to V200R008C10SPC300 or a later version), AP4030TN, AP4050DN-E, AP4050DN-HD, AP6050DN, AP6150DN, AP7050DN-E, AP7050DE, AP4050DN, AP4050DN-S, AP4051DN, AP4151DN, AP8050DN, AP8050DN-S, AP8150DN, AP1050DN-S, AP2050DN, AP2050DN-E, AP8130DN-W, AP5030DN, AP5130DN, AP8030DN, AP8130DN, AP4030DN, AP4130DN, AP9131DN, and AP9132DN support 802.11ac.

    Configure the maximum number of subframes that can be aggregated into an A-MSDU

    vht a-msdu max-frame-num max-frame-number

    By default, a maximum of two subframes can be aggregated into an A-MSDU at one time.

    A-MSDU technology aggregates multiple MSDUs into an MPDU to reduce the MAC layer cost of 802.11 packets.

    Before configuring the maximum number of subframes that can be aggregated into an A-MSDU, run the vht a-msdu enable command to enable the function of sending 802.11 packets in A-MSDU mode.

    The configuration can only be performed in a 5G radio profile. Currently, only the AD9430DN-24 (including the mapping RUs), AD9430DN-12 (including the mapping RUs), AD9431DN-24X (including the mapping RUs), AP7030DE, AP9330DN, AP2030DN, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP3010DN-V2 (supporting 802.11ac after being upgraded from a version earlier than V200R008C10SPC300 to V200R008C10SPC300 or a later version), AP4030TN, AP4050DN-E, AP4050DN-HD, AP6050DN, AP6150DN, AP7050DN-E, AP7050DE, AP4050DN, AP4050DN-S, AP4051DN, AP4151DN, AP8050DN, AP8050DN-S, AP8150DN, AP1050DN-S, AP2050DN, AP2050DN-E, AP8130DN-W, AP5030DN, AP5130DN, AP8030DN, AP8130DN, AP4030DN, AP4130DN, AP9131DN, and AP9132DN support 802.11ac.

    Configure the guard interval (GI) mode

    guard-interval-mode { short | normal }

    By default, the GI mode is short.

    The GI mode is classified into the short GI and normal GI. The normal GI is 800 ns, and the short GI is 400 ns. The short GI is applicable to 802.11n and 802.11ac standards, which can raise the transmission rate of 802.11n and 802.11ac packets.

    Enable the scheduled VAP auto-off function

    auto-off service start-time start-time end-time end-time

    By default, the scheduled VAP auto-off function is disabled.

    In actual WLAN applications, a network administrator may want to disable WLAN services during a specified period to ensure security and reduce power consumption. The VAP can be disabled on a schedule for this purpose.

    This configuration is applicable to enterprises that want to disable WLAN services in a specified period for security or at midnight when the user service traffic volume is low.

    • The scheduled VAP auto-off function enabled in a radio profile takes effect only on the APs using the profile.

    • The scheduled VAP auto-off function enabled in a VAP profile view takes effect only on the APs using the profile. For details on how to configure the scheduled VAP auto-off function in a VAP profile view, see (Optional) Configuring the Scheduled VAP Auto-Off Function.

    Disable radios from sending packets at maximum power

    utmost-power disable

    By default, radios are enabled to send packets at the maximum power.

    This command is valid only when the country code is CN. You can run the undo utmost-power disable command to enable radios to send packets at the maximum power or at the power specified by the country code. After you run the utmost-power disable command, radios send packets at the power specified by the country code. When a country code other than CN is configured, radios can send packets only at the power specified by the country code.

    Enable self-adaptive polarization for agile antennas

    agile-antenna-polarization enable

    By default, self-adaptive polarization is disabled for agile antennas.

    NOTE:

    Only the AP8130DN supports this function.

    Self-adaptive polarization for agile antennas can reduce interference between transmit signals of antennas, and increase the transmit power of antennas and the demodulation SNR of STAs. When an AP8130DN or AP8130DN-W is deployed to provide wireless coverage, you can enable this function when the following types of STA exist:

    • STA with one transmit antenna and one receive antenna in 1x1 mode
    • STA with two transmit antennas and two receive antennas in 2x2 mode

    After this function is enabled, the AP uses two mutually orthogonal antennas to communicate with STAs but not a third antenna.

    Prerequisites

    Dual-polarized antennas have been connected to radio ports A and B on the same frequency band.



    The band steering function enables an AP to steer STAs to the 5 GHz radio first, which reduces traffic load and interference on the 2.4 GHz radio and improves user experience.

    Before configuring band steering, complete the following tasks:

    • Perform the task of WLAN Service Configuration.
    • Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure the same SSID and security policy on the 5 GHz and 2.4 GHz radios.

    To allow a STA to preferentially associate with the 5 GHz radio and achieve a better access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.

    Single-radio devices do not support the band steering function.

    The AP2010DN does not support the band steering function.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      wlan

      The WLAN view is displayed.

    3. Run:

      vap-profile name profile-name

      A VAP profile is created and the VAP profile view is displayed.

    4. Run:

      undo band-steer disable

      The band steering function is enabled.

      By default, the band steering function is enabled.

    5. Run:

      quit

      Return to the WLAN view.

    6. (Optional) Configure band steering parameters.
    7. Run:

      quit

      Return to the WLAN view.

    8. Bind the RRM profile to a radio profile.

      Only the band steering parameters configured in the 2G radio profile take effect in the system.

      1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name command to enter the 2G or 5G radio profile view.
      2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G radio profile. Binding the RRM profile to the 5G radio profile does not take effect.
      3. Run the quit command to return to the WLAN view.
    9. Bind the radio profile and VAP profile to an AP group or a specific AP. See Binding a Radio Profile for the detailed procedure of binding a radio profile and Binding VAP Profiles for the detailed procedure of binding a VAP profile.

    • Run the display vap-profile name profile-name command to check the status of the band steering function.
    • Run the display rrm-profile name profile-name command to check settings of band steering parameters.
    • Run the display radio-2g-profile name profile-name command to check the RRM profile referenced by a 2G radio profile.
    • Run the display radio-5g-profile name profile-name command to check the RRM profile referenced by a 5G radio profile.


    Most STAs on the live network support both 5 GHz and 2.4 GHz frequency bands. When attempting to join a WLAN, some of the STAs associate with the 2.4 GHz radio of APs by default. As a result, the 2.4 GHz frequency band with fewer channels is congested, heavily-loaded, and has severe interference. The 5 GHz frequency band with more channels and less interference is not well used. When the 2.4 GHz frequency band has many users or severe interference, the 5 GHz frequency band can provide better access service for wireless users. Users must manually select the 5 GHz radio to connect to it.

    The band steering function enables an AP to steer STAs to the 5 GHz radio first, which reduces traffic load and interference on the 2.4 GHz radio and improves user experience.

    To implement band steering, an AP must have the same SSID and security policy on the 5 GHz and 2.4 GHz radios.

    Figure 8-9 shows the implementation of band steering, involving two phases:

    Figure 8-9  Band steering

    1. 5G-prior access

      Before the number of access STAs on an AP exceeds the start threshold for load balancing between radios, the AP preferentially connects a new STA to the 5 GHz radio.

      As shown in the figure, when the AP receives a Probe Request frame from the STA (STA_1), it checks the radio that receives the frame. If the Probe Request frame is received by the 5 GHz radio, the AP returns a Probe Response frame. The STA then associates with the 5 GHz radio, and the AC records the supported frequency band of the STA as the 5 GHz frequency band.

      If the 2.4 GHz radio continuously receives Probe Request frames but the 5 GHz radio does not receive any, the AP returns a Probe Response frame through the 2.4 GHz radio. The STA then associates with the 2.4 GHz radio, and the AC records the supported frequency band of the STA as the 2.4 GHz frequency band.

      When STA_1 associates with the AP again, the AP first checks the frequency band supported by the STA. If STA_1 supports only the 2.4 GHz frequency band, the AP immediately permits the STA to access the 2.4 GHz radio.

    2. Load balancing between radios

      After the number of access STAs on an AP exceeds the start threshold for load balancing between radios, the AP determines the radio to which the STA connects based on the difference between the number of access STAs on the 2.4 GHz radio and that on the 5 GHz radio.

    For example, if a STA requests to associate with the AP on the 2.4 GHz radio but the number of access STAs on the AP has exceeded the start threshold for load balancing between radios, the AP implements load balancing between the 2.4 GHz and 5 GHz radios according to the value computed based on the formula: (Number of access STAs on the 5 GHz radio – Number of access STAs on the 2.4 GHz radio)/Number of access STAs on the 5 GHz radio x 100%. If the value is greater than the load difference threshold, the AP preferentially associates with the STA on the 2.4 GHz radio; otherwise, the AP preferentially associates with the STA on the 5 GHz radio.
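
    The two-phase decision described above, as a small Python model. This is an added example, not Huawei code: the threshold values, the probes_on_5g flag, the rule for updating the AC's band record, and the handling of an empty 5 GHz radio (where the formula divides by zero) are assumptions, and the arrivals are constructed sample data.

```python
from dataclasses import dataclass, field

BAND_24, BAND_5 = "2.4GHz", "5GHz"


@dataclass
class BandSteeringModel:
    """Toy model of the two-phase band steering decision (illustrative only)."""
    start_threshold: int       # STA count at which load balancing starts (assumed value)
    gap_threshold_pct: float   # load difference threshold in percent (assumed value)
    count: dict = field(default_factory=lambda: {BAND_24: 0, BAND_5: 0})
    recorded_band: dict = field(default_factory=dict)  # band the AC recorded per STA

    def load_gap_pct(self):
        """(5 GHz STAs - 2.4 GHz STAs) / 5 GHz STAs x 100%, or None if undefined."""
        n5, n24 = self.count[BAND_5], self.count[BAND_24]
        if n5 == 0:
            return None  # the formula divides by zero; the page does not cover this
        return (n5 - n24) / n5 * 100.0

    def admit(self, mac, probes_on_5g):
        """Choose the radio for a new association and update the counters."""
        total = self.count[BAND_24] + self.count[BAND_5]
        if self.recorded_band.get(mac) == BAND_24 or not probes_on_5g:
            # Recorded or observed as 2.4 GHz only: permit 2.4 GHz immediately.
            band = BAND_24
        elif total <= self.start_threshold:
            band = BAND_5  # phase 1: 5G-prior access
        else:
            # Phase 2: a gap above the threshold means 5 GHz is the busier radio.
            gap = self.load_gap_pct()
            # Assumption: an empty 5 GHz radio (gap undefined) is treated as having room.
            busy_5g = gap is not None and gap > self.gap_threshold_pct
            band = BAND_24 if busy_5g else BAND_5
        # Assumption: the AC keeps the most recent observation of the STA's band.
        self.recorded_band[mac] = BAND_5 if probes_on_5g else BAND_24
        self.count[band] += 1
        return band


def simulate(arrivals, start_threshold, gap_threshold_pct):
    """Run a list of (mac, probes_on_5g) arrivals and return the chosen radios."""
    model = BandSteeringModel(start_threshold, gap_threshold_pct)
    return [model.admit(mac, on_5g) for mac, on_5g in arrivals]


# Constructed arrivals: (MAC, were Probe Requests heard on the 5 GHz radio?)
SAMPLE_ARRIVALS = [
    ("02:00:00:00:00:01", True), ("02:00:00:00:00:02", True),
    ("02:00:00:00:00:03", False), ("02:00:00:00:00:04", True),
    ("02:00:00:00:00:05", True), ("02:00:00:00:00:06", True),
    ("02:00:00:00:00:07", True), ("02:00:00:00:00:08", True),
    ("02:00:00:00:00:09", True),
]

if __name__ == "__main__":
    results = simulate(SAMPLE_ARRIVALS, start_threshold=4, gap_threshold_pct=25.0)
    for (mac, _), band in zip(SAMPLE_ARRIVALS, results):
        print(mac, "->", band)
```

    With a start threshold of 4 and a load difference threshold of 25%, the first five STAs follow 5G-prior access; later dual-band STAs alternate between radios as the computed gap crosses the threshold.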
