Huawei WLAN Certification Training

HCIA-WLAN
Experiment Guide for WLAN Engineers (WEB)

ISSUE: 2.0

HUAWEI TECHNOLOGIES CO., LTD.

Huawei WLAN Certification Training Experiment Guide

Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website:
http://e.huawei.com

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.

Huawei Certificate System


Relying on its strong technical strength and professional training system, Huawei provides
a practical and professional four-level certificate system to meet various customer requirements
on different WLAN technologies.
Huawei Certified ICT Associate-Wireless Local Area Network (HCIA-WLAN) is designed for
Huawei local offices, online engineers in representative offices, and readers who want to
understand Huawei WLAN products and technology. HCIA-WLAN covers WLAN basics, Control
and Provisioning of Wireless Access Points (CAPWAP) protocol, WLAN networking, Huawei
WLAN product features, security configuration, WLAN advanced technology, antennas, WLAN
network planning and optimization, and WLAN fault troubleshooting.
The HCIA-WLAN certificate system introduces you to the industry and market, helps you in
innovation, and enables you to stand atop the WLAN frontiers.

About This Document

Overview
This document is applicable to the candidates who are preparing for the HCIA-WLAN
exam and the readers who want to understand the WLAN basics, the CAPWAP protocol,
WLAN networking, Huawei WLAN product features, security configuration, WLAN
advanced technology, antennas, WLAN network planning and optimization, and WLAN
fault troubleshooting.

Description
This experiment guide introduces the following six experiments, covering basic
configurations, and configurations and implementation of Layer 2 networking, security,
Layer 3 networking, and the network management software eSight.
• Experiment 1: AC configuration initialization
This experiment involves basic operations and configurations on an AC, helping you
get to know the AC6005 and its basic functions.
• Experiment 2: AP authentication and WLAN configuration process
This experiment introduces basic WLAN network capabilities through basic WLAN
configurations.
• Experiment 3: WLAN security configuration
This experiment mainly introduces 802.1x authentication, helping you understand WLAN
security and the configuration process.
• Experiment 4: WLAN configuration on eSight
This experiment covers how to add WLAN devices to eSight and deliver WLAN
services using the configuration wizard.
• Experiment 5: Bypass Layer 3 networking
This experiment uses the AC6005 and Layer 3 networking. The Layer 3 network
configuration helps you comprehensively understand WLAN networking modes.
• Experiment 6: Configuration file backup and AC configuration clearance
This experiment describes how to back up configuration files through File Transfer
Protocol (FTP).


Background Knowledge Required

• The intended audience should have basic WLAN knowledge, basic datacom knowledge,
and familiarity with Huawei switching devices.

Common Icons

Experiment Environment Overview


Networking Introduction
This experiment environment is prepared for WLAN engineers who are preparing for
the HCIA-WLAN exam.
Each suite of experiment environment includes 2-6 ACs, 2-12 APs, 1 core switch, and 1
Remote Authentication Dial In User Service (RADIUS) or eSight server. Each suite of
experiment environment is applicable to 4 to 12 candidates.

Device Introduction
The following table lists devices recommended for HCIA-WLAN experiments and the
mappings between the device name, model, and software version.

Device name    Model                   Software Version
Core Switch    S3700-28TP-PWR-EI or    Version 5.70 (S3700 V100R005C01SPC100)
               S5700-28C-PWR-EI        Version 5.130 (S5700 V200R003C00SPC300)
AC             AC6005-8-PWR            AC6005 V200R007C10SPC100
AP             AP4030DN                AP4030DN V200R007C10SPC100
NMS            eSight Network          eSight Network V300R006C00SPC505

Experiment Environment Preparation


Checking Whether All Devices Are Available
Before starting the experiment, check whether all required devices are ready. The
following table lists the required devices.

Device                                  Quantity               Remarks
eSight                                  1                      Shared by all groups
Radius Server                           1                      Shared by all groups
Huawei 3700PoE/Huawei 5700PoE Switch    1                      Shared by all groups
AC6005                                  One for each group
AP4030DN                                Two for each group
Laptop or desktop computer              One for each group     A desktop computer requires a network adapter
Twisted pair                            Four for each group    The twisted pair must be at least 2 meters long
Console cable                           One for each group

Each group must check whether the following devices are ready:
• One AC6005
• Two AP4030DN
• One laptop or desktop computer
• Four twisted pairs
• One console cable

Experiment topology

Key points of bypass topology establishment:
This course uses a layer 3 bypass topology. Devices are connected as follows:
For group 1, port 8 of AC1 is connected to port 1 of the switch. AP1 is connected to port
10 of the switch. AP2 is connected to port 11 of the switch.
For group 2, port 8 of AC2 is connected to port 2 of the switch. AP3 is connected to port
12 of the switch. AP4 is connected to port 13 of the switch.
For group 3, port 8 of AC3 is connected to port 3 of the switch. AP5 is connected to port
14 of the switch. AP6 is connected to port 15 of the switch.
The same rule applies to all other groups.
For group 6, port 8 of AC6 is connected to port 6 of the switch. AP11 is connected to
port 20 of the switch. AP12 is connected to port 21 of the switch.

AC Configuration Removal
Trainees must remove previously saved configurations after the experiment is complete
and before devices are turned off, to avoid any impact of the configurations on the next
experiment. In addition, trainees must confirm that the device is not configured before an
experiment starts. If the device is still configured, remove the configurations and then
restart the device.
You need a password to log in to the router. The login password is Admin@123 in this
experiment.
Login authentication
Password:Admin@123
<AC6005>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.

To restart the controller, run the following command:

<AC6005>reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup
configuration.
Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...

Contents

About This Document
  Overview
  Description
  Background Knowledge Required
  Common Icons
  Experiment Environment Preparation
1 Experiment 1: AC configuration initialization
  1.1 About This Course
    1.1.1 Objectives
    1.1.2 Topology
    1.1.3 Plan
  1.2 Experiment Task
    1.2.1 Configuration Procedure
  1.3 Verification
    1.3.1 Telnet AC
  1.4 Reference Configuration
    1.4.1 S5700 Configuration
    1.4.2 AC Configuration
2 Experiment 2: AP Authentication and WLAN Configuration Roadmap
  2.1 About This Course
    2.1.1 Objectives
    2.1.2 Topology
    2.1.3 Plan
  2.2 Experiment Task
    2.2.1 Configuration Procedure
  2.3 Verification
    2.3.1 Checking the VAP List
    2.3.2 Terminal Connection Test
  2.4 Reference Configuration
    2.4.1 S5700 Configuration
    2.4.2 AC Configuration
3 Experiment 3: WLAN Security Configuration
  3.1 About This Course
    3.1.1 Objectives
    3.1.2 Topology
    3.1.3 Plan
  3.2 Experiment Task
    3.2.1 Configuration Procedure
  3.3 Verification
    3.3.1 Connect an STA to the WLAN
  3.4 Reference Configuration
    3.4.1 S5700 Configuration
    3.4.2 AC Configuration
4 Experiment 4: eSight WLAN Management
  4.1 About This Course
    4.1.1 Objectives
    4.1.2 Topology
    4.1.3 Plan
  4.2 Experiment Task
    4.2.1 Configuration Procedure
  4.3 Verification
    4.3.1 Connect an STA to the WLAN
  4.4 Reference Configuration
    4.4.1 S5700 Configuration
    4.4.2 AC Configuration
5 Experiment 5: Layer 3 Networking Experiment
  5.1 About This Course
    5.1.1 Objectives
    5.1.2 Topology
    5.1.3 Plan
  5.2 Experiment Task
    5.2.1 Configuration Procedure
  5.3 Verification
    5.3.1 Verify the L3 Network Status
  5.4 Reference Configuration
    5.4.1 S5700 Configuration
    5.4.2 AC Configuration
6 Experiment 6: Backup the Configuration and Reset the Device
  6.1 About This Course
    6.1.1 Objectives
    6.1.2 Plan
  6.2 Experiment Task
    6.2.1 Configuration Procedure
  6.3 Verification
    6.3.1 Checking the Device Configuration
  6.4 Reference Configuration
    6.4.1 Key Configuration
7 Appendix
  7.1 Configuration of Core Switch


1 Experiment 1: AC configuration initialization

1.1 About This Course

1.1.1 Objectives
• Configure the initialization password
• Configure VLAN and routing in the AC
• Configure telnet service of the AC
• Save the configuration in the AC

1.1.2 Topology

1.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.

Group No    AC-Switch Port    AP-Switch Port
1           AC1-G0/0/1        AP1-G0/0/10, AP2-G0/0/11
2           AC2-G0/0/2        AP3-G0/0/12, AP4-G0/0/13
3           AC3-G0/0/3        AP5-G0/0/14, AP6-G0/0/15
4           AC4-G0/0/4        AP7-G0/0/15, AP8-G0/0/16
5           AC5-G0/0/5        AP9-G0/0/17, AP10-G0/0/18
6           AC6-G0/0/6        AP11-G0/0/19, AP12-G0/0/20

The following table describes an AC parameter configuration template.

Trainee GroupX                      AC Configuration
Console Password                    Admin@123
Device                              ACX
AP Management VLAN                  VLAN:X0    IP:10.1.X0.100
Service VLAN (Employee)             VLAN:X1    IP:10.1.X1.100
Service VLAN (Voice)                VLAN:X2    IP:10.1.X2.100
Service VLAN (Guest)                VLAN:X3    IP:10.1.X3.100
AC Port Connecting to the Switch    GE0/0/8    VLANs X0 through X3 can pass the trunk interface
Topology                            Layer 2 and layer 3 bypass topology

1.2 Experiment Task

1.2.1 Configuration Procedure


Step1 Logging In to the Web Platform
Before logging in to the web platform, ensure that:
• The IP address of the device's access port has been configured.
• The device and your PC are properly connected.
• The device is running properly, and the HTTP and HTTPS services are correctly
configured.
• The web browser software has been installed on your PC.

The IP address 169.254.1.1 and subnet mask 255.255.0.0 have been configured on
MEth0/0/1 of the AC6605 before the delivery.
The IP address 169.254.1.1 and subnet mask 255.255.0.0 have been configured on
MEth0/0/1 of the ACU2 before the delivery.
The IP address 169.254.1.1 and subnet mask 255.255.0.0 have been configured on
VLANIF 1 of the AC6005 before the delivery, and interfaces GE0/0/1 to GE0/0/8 have been
added to VLAN 1 by default.
Before the device is delivered, the HTTP and HTTPS services have been configured on the
device. The default port number is 80 for HTTP and 443 for HTTPS. The default user name
and password are admin and admin@huawei.com, respectively.

Procedure
Open a browser such as Internet Explorer 7.0, enter http://IP address or https://IP address
in the address box, for example, http://169.254.1.1 or https://169.254.1.1, and press
Enter. (For the IP address, see IP addresses of access interfaces configured in Configuring
an IP Address for Web Platform Login.) The web platform login page is displayed.
Select a language. The system supports English and Chinese. By default, the system uses
the same language as the browser.
Enter a user name and password. The default user name and password are admin and
admin@huawei.com.
Click Login.
This experiment uses the first set, 172.21.11.3, as an example.

Change the password upon the first login. This document uses Admin@123 as the
example new password.

After logging in to the web-based AC, click at the upper-right corner.
The command-line interface (CLI) is displayed.

You can enter command lines to manage and maintain the device. The login password is
Admin@123. (The Firefox browser is recommended.)

Step2 Configuring a Switch
Configure the access switch S5700. Add GE0/0/10 and GE0/0/11 to VLANX0
(management VLAN) and set the port VLAN ID (PVID) to VLANX0. Add GE0/0/8 to VLANs
X0 through X3 (Connect to AC).
<Huawei>system-view
[Huawei]sysname S5700
[S5700]vlan batch 10 to 13
[S5700]interface GigabitEthernet0/0/10
[S5700-GigabitEthernet0/0/10]port link-type trunk
[S5700-GigabitEthernet0/0/10]port trunk pvid vlan 10
[S5700-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[S5700-GigabitEthernet0/0/10]quit
[S5700]interface GigabitEthernet0/0/11
[S5700-GigabitEthernet0/0/11]port link-type trunk
[S5700-GigabitEthernet0/0/11]port trunk pvid vlan 10
[S5700-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[S5700-GigabitEthernet0/0/11]quit
[S5700]interface GigabitEthernet 0/0/1
[S5700-GigabitEthernet0/0/1]port link-type trunk
[S5700-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[S5700-GigabitEthernet0/0/1]quit

Create a LoopbackX interface, and set its IP address to 10X.10X.10X.10X to simulate a
public network interface. Create VLANIF interfaces to function as gateways of service
VLANs.
[S5700]interface LoopBack 1
[S5700-LoopBack1]ip address 101.101.101.101 32
[S5700-LoopBack1]quit
[S5700]interface Vlanif 10
[S5700-Vlanif10]ip address 10.1.10.1 24
[S5700-Vlanif10]quit
[S5700]interface Vlanif 11
[S5700-Vlanif11]ip address 10.1.11.1 24
[S5700-Vlanif11]quit
[S5700]interface Vlanif 12
[S5700-Vlanif12]ip address 10.1.12.1 24
[S5700-Vlanif12]quit
[S5700]interface Vlanif 13
[S5700-Vlanif13]ip address 10.1.13.1 24
[S5700-Vlanif13]quit
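
The group-1 commands above are one instance of the plan's X template. As an added example (not part of the original guide and not Huawei tooling), the Python sketch below expands that template for any group and audits an S5700 configuration text against it, reporting trunk ports that carry unplanned VLANs or AP ports whose PVID is not the management VLAN. The function names and both sample configurations are constructed for illustration, and the .1 gateway addresses for groups other than 1 are an assumption extrapolated from the group-1 commands.

```python
import ipaddress
import re


def group_plan(x):
    """Expand the plan's X placeholders for trainee group x (1 to 6)."""
    if not 1 <= x <= 6:
        raise ValueError("the guide defines groups 1 to 6")
    vlans = [x * 10 + n for n in range(4)]  # VLANX0 .. VLANX3
    return {
        "vlans": vlans,
        "mgmt_vlan": vlans[0],
        # .1 gateways follow the group-1 commands; assumed for other groups.
        "gateways": {v: ipaddress.ip_address(f"10.1.{v}.1") for v in vlans},
        "loopback": ipaddress.ip_address(".".join([f"10{x}"] * 4)),
    }


def parse_interfaces(config):
    """Map interface name -> list of its sub-commands in a VRP-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1].replace(" ", "")
            interfaces[current] = []
        elif line in ("", "#"):
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def expand_vlans(spec):
    """Expand allow-pass arguments such as '10 to 13' or '2 5 to 7'."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans


def audit_switch(config, x, ac_port, ap_ports):
    """Return deviations from the group-x plan; an empty list means clean."""
    plan = group_plan(x)
    wanted = set(plan["vlans"])
    pvid_cmd = f"port trunk pvid vlan {plan['mgmt_vlan']}"
    interfaces = parse_interfaces(config)
    findings = []
    for port in [ac_port, *ap_ports]:
        cmds = interfaces.get(port)
        if cmds is None:
            findings.append(f"{port}: interface not found")
            continue
        if "port link-type trunk" not in cmds:
            findings.append(f"{port}: link type is not trunk")
        allowed = set()
        for cmd in cmds:
            match = re.fullmatch(r"port trunk allow-pass vlan (.+)", cmd)
            if match:
                allowed |= expand_vlans(match.group(1))
        if allowed - wanted:  # trunk carries VLANs the plan never assigned
            findings.append(f"{port}: unplanned VLANs {sorted(allowed - wanted)}")
        if wanted - allowed:
            findings.append(f"{port}: missing VLANs {sorted(wanted - allowed)}")
        if port in ap_ports and pvid_cmd not in cmds:
            findings.append(f"{port}: PVID is not management VLAN {plan['mgmt_vlan']}")
    for vlan, gateway in plan["gateways"].items():
        cmds = interfaces.get(f"Vlanif{vlan}", [])
        if not any(c.split()[:3] == ["ip", "address", str(gateway)] for c in cmds):
            findings.append(f"Vlanif{vlan}: gateway {gateway} not configured")
    return findings


# Constructed sample: the group-1 switch settings of this step in saved-config form.
VLANIFS = "".join(
    f"interface Vlanif{v}\n ip address 10.1.{v}.1 255.255.255.0\n#\n" for v in range(10, 14)
)
UPLINK = ("interface GigabitEthernet0/0/1\n port link-type trunk\n"
          " port trunk allow-pass vlan 10 to 13\n#\n")
AP10 = ("interface GigabitEthernet0/0/10\n port link-type trunk\n"
        " port trunk pvid vlan 10\n port trunk allow-pass vlan 10 to 13\n#\n")
GOOD = VLANIFS + UPLINK + AP10 + AP10.replace("0/0/10", "0/0/11")
# Constructed drift: GE0/0/11 lost its PVID and carries an extra VLAN 20.
DRIFTED = VLANIFS + UPLINK + AP10 + (
    "interface GigabitEthernet0/0/11\n port link-type trunk\n"
    " port trunk allow-pass vlan 10 to 13 20\n#\n")
PORTS = ("GigabitEthernet0/0/1", ["GigabitEthernet0/0/10", "GigabitEthernet0/0/11"])

if __name__ == "__main__":
    for finding in audit_switch(DRIFTED, 1, *PORTS):
        print(finding)
```
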

Step3 Configuring Basic AC Parameters
Naming an AC
Choose Maintenance > AC Maintenance > Basic. Set Device name to AC1. Click Apply.

Configuring VLANs
Choose Configuration > AC Config > VLAN. The VLAN configuration page is displayed.
Click Batch Create.
Create VLANX0 through VLANX3.
Configure the IP address of the GE0/0/8 interface to connect to the S5700.
Check the interface configuration.

Configure IP addresses of the layer 3 interfaces corresponding to the VLANs.
Choose Configuration > AC Config > VLAN > VLANIF. The VLANIF page is displayed.
Click Create. Set parameters on the Create VLANIF page.
Check the VLANIF interface.

Check whether the route between the AC and the layer 3 switch is reachable. The
following command output indicates that 10X.10X.10X.10X (the simulated public
network interface on the switch) cannot be pinged.
Choose Diagnosis > Diagnosis Tools > Ping.

Enter the destination IP address and click start.

Configure a static route for the switch.
Choose Configuration > AC Config > IP > Route > Static Route Configuration Table. The
static route management page is displayed.
Click Create, configure static route information on the new page, and click OK.
IP address 10X.10X.10X.10X can be pinged.

Step4 Configuring and Testing the Telnet/SSH Service (AAA Authentication)
Enable and configure telnet service in the AC, add account huawei for AAA
authentication.
Choose Maintenance > AC Maintenance > System > Service Management. Enable Telnet.
Choose Maintenance > AC Maintenance > Administrator. The Administrator page is displayed.
Create an administrator account: username huawei, password Admin@123.

Step5 Save the Configuration
After any change made through web-based configuration, you need to click "save" to save the
configuration to the device. If you do not save it, the configuration will be lost after a reboot.
Save the configuration from the upper right of the page.

1.3 Verification

1.3.1 Telnet AC
After configuring Telnet, test the Telnet service on the S5700.
<S5700>telnet 10.1.10.100
Trying 10.1.10.100 ...
Press CTRL+K to abort
Connected to 10.1.10.100 ...
Warning: Telnet is not a secure protocol, and it is recommended to use
Stelnet.

Login authentication

Username:huawei
Password:
-----------------------------------------------------------------------
------
User last login information:
-----------------------------------------------------------------------
------
Access Type: Telnet
IP-Address : 10.1.10.1
Time : 2016-11-18 19:54:01+08:00
-----------------------------------------------------------------------
------
<AC1>

The login to the AC is successful.

1.4 Reference Configuration

1.4.1 S5700 Configuration
#
sysname S5700
#
vlan batch 10 to 13
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return

1.4.2 AC Configuration
<AC1>display current-configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
lldp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$VNcE$6oR"2$aASkVyCl-~~qx^~!e+:.S|>BJto>%VV[WvDxK./G$
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei password irreversible-cipher $1a$6@(!=HT_IP$A=lvP*~iu+0<..Y&4`Y6+j4$Xkcf=#aMU=5[4wEP$
 local-user huawei privilege level 1
 local-user huawei service-type telnet ssh http
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 4090
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#En_g+AWfX>adWz&5.!G~E^)4&/r]vCScEB~w~u%Zje-$@`GH0BN7e"$A8PF(_n~lC9qvT)O*{4!I+:yR%^%#
snmp-agent community write %^%#atYiX7&TjG<o\Y/.2Y-V/8bVI&sGJOTB4$0Y@{"2$306$`dp;=7cULM)*$.3Q!lXY<}!y7jZ,7BS"NNY%^%#
snmp-agent sys-info version v2c
snmp-agent
#
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name default
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+-qK%aTJ_0%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,-GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
 ssid-profile name default
 vap-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 wds-profile name default
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name default
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
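
The Telnet session in 1.3.1 prints the device's own warning that Telnet is not a secure protocol, and the two reference configurations carry further management-plane settings of the same kind (password-only VTY login, TLS 1.0/1.1, SNMPv2c, SSH lists that include 3des, md5 and sha1). The audit below is an added example, not part of the Huawei guide or of any Huawei tool: it walks a saved configuration and reports those lines. The sample inputs are constructed by abridging the reference configurations; the rule names and the rule set are assumptions of this example.

```python
import re

# Constructed sample input: abridged from the AC1 and S5700 reference
# configurations in this section, with VRP's one-space nesting.
AC1_CONFIG = """\
#
sysname AC1
#
ssl policy default_policy type server
 version tls1.0 tls1.1
#
aaa
 local-user admin service-type ssh http
 local-user huawei service-type telnet ssh http
#
snmp-agent sys-info version v2c
#
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
#
return
"""

S5700_CONFIG = """\
#
sysname S5700
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
#
return
"""

# Rule set chosen for this example (an assumption, not a Huawei baseline).
WEAK_TLS = {"tls1.0", "tls1.1"}
WEAK_SNMP = {"v1", "v2c", "all"}
WEAK_SSH = {"3des", "md5", "md5_96", "sha1", "sha1_96"}
SSH_ALGO = re.compile(r"^ssh (server|client) secure-algorithms (cipher|hmac) (.+)$")


def audit(config):
    """Return (rule, context, detail) findings for one saved configuration."""
    findings = []
    context = ""  # last unindented command, e.g. "user-interface vty 0 4"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue
        if not raw.startswith(" "):
            context = line
        words = line.split()
        # VTY lines: Telnet accepted, or one shared password instead of AAA.
        if context.startswith("user-interface vty"):
            if words[:2] == ["protocol", "inbound"] and words[2:3] in (["telnet"], ["all"]):
                findings.append(("vty-telnet", context, line))
            if words == ["authentication-mode", "password"]:
                findings.append(("vty-shared-password", context, line))
        # Local accounts permitted to log in over Telnet.
        if context == "aaa" and words[0] == "local-user" and "service-type" in words:
            services = words[words.index("service-type") + 1:]
            if "telnet" in services:
                findings.append(("user-telnet", words[1], " ".join(services)))
        # HTTPS management: protocol versions offered by the SSL policy.
        if context.startswith("ssl policy") and words[0] == "version":
            weak = sorted(WEAK_TLS.intersection(words[1:]))
            if weak:
                findings.append(("tls-legacy", context, " ".join(weak)))
        # SNMP versions that authenticate with a community string.
        if words[:3] == ["snmp-agent", "sys-info", "version"]:
            weak = sorted(WEAK_SNMP.intersection(words[3:]))
            if weak:
                findings.append(("snmp-community-auth", line, " ".join(weak)))
        # SSH algorithm lists that still offer legacy ciphers or MACs.
        match = SSH_ALGO.match(line)
        if match:
            weak = sorted(WEAK_SSH.intersection(match.group(3).split()))
            if weak:
                findings.append(("ssh-legacy-" + match.group(2), match.group(1), " ".join(weak)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("AC1", AC1_CONFIG), ("S5700", S5700_CONFIG)):
        for finding in audit(cfg):
            print(name, *finding, sep=" | ")
```
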

2 Experiment 2: AP Authentication and WLAN Configuration Roadmap

2.1 About This Course

2.1.1 Objectives
• Configure AP authentication
• Understand WLAN configuration profile
• Understand WLAN configuration roadmap
• Configure open system authentication

2.1.2 Topology

2.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.

Group No.   AC-Switch Port   AP-Switch Port
1           AC1—G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2—G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3—G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4—G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5—G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6—G0/0/6       AP11-G0/0/19, AP12-G0/0/20

The following table describes an AC parameter configuration template.

AC Information      Country code: CN
                    WLAN source: VLAN X0
AP Authentication   AP authentication mode: mac-auth
                    AP MAC address
AP Group            Name: ap-groupX
                    VAP ID 1: VAP profile: guestX; regulatory domain profile: domainX
                    VAP ID 2: VAP profile: voiceX; regulatory domain profile: domainX
                    VAP ID 3: VAP profile: employeeX; regulatory domain profile: domainX
SSID Profile        Name: employeeX; SSID Profile: employeeX
                    Name: voiceX; SSID Profile: voiceX
                    Name: guestX; SSID Profile: guestX
VAP Profile         Name: employeeX
                    Forwarding mode: direct forwarding
                    Service VLAN: 11
                    Referenced profile: SSID profile employeeX

                    Name: voiceX
                    Forwarding mode: direct forwarding
                    Service VLAN: 12
                    Referenced profile: SSID profile voiceX

                    Name: guestX
                    Forwarding mode: tunnel forwarding
                    Service VLAN: 13
                    Referenced profile: SSID profile guestX
Topology: layer2 and layer 3 bypass topology

2.2 Experiment Task

2.2.1 Configuration Procedure


Step1 Overall Procedure

1. Configure the access switch: enable layer 2 or layer 3 interconnection between the AP and AC.
2. Create an AP group.
3. Configure the AP going online (configure AC management on fit APs):
   • Configure the DHCP server function of the AC.
   • Create a regulatory domain profile.
   • Configure the country code of the AC.
   • Configure the authentication mode for the AP.
   • Configure the AC source port (for establishing a tunnel with the AP).
4. Configure the VAP profile (WLAN service parameters):
   • Configure the security profile.
   • Configure the SSID profile.
   • Configure the VAP profile, which refers to the security profile and the SSID profile.
5. Bind the profile to the AP group: bind the regulatory domain profile and VAP profile to the AP group, which refers to them.

Step2 Configuring a Switch
Continue from the configuration in experiment 1; the configuration of the switch is already in place.

Step3 Configuring Basic AC Parameters
Continue from the configuration in experiment 1; the configuration of the switch is already in place.

Step4 Creating an AP Group

Choose Configuration > AP Config > AP Group > AP Group. The AP Group page is displayed. Click Create. Create ap-groupX.

Step5 Configuring AP Online Parameters
Enable DHCP server.

Click Configuration > AC Config > IP > DHCP Address Pool. Set DHCP status to ON to enable the DHCP function, and click Create to create a DHCP address pool.

Click Advanced, and configure the gateway and the address pool interface.

Configure the subnet address for address pool employeeX.

Configure the gateway IP address for address pool employeeX.

Configure the interface for address pool employeeX.

Configure the subnet address for address pool voiceX.

Configure the gateway IP address for address pool voiceX.

Configure the interface for address pool voiceX.

Configure the subnet address for address pool guestX.

Configure the gateway IP address for address pool guestX.

Configure the interface for address pool guestX.

Check the IP address pool.

Create a regulatory domain profile.
Click Configuration > AP Config > Profile > Radio Management > Regulatory Domain Profile. Click Create on the right pane.

Configure the AC source address and AP authentication mode.


AP authentication has three modes. By default, MAC authentication is used. Manually add APs based on MAC addresses.
Click Configuration > AC Config > Basic Config > AC Configuration, select VLANIF for AC source address, click , and set the AC source address to VLANIF801. Click Apply.

Import the AP offline to the AC and add two APs to AP group ap-groupX. Name the two
APs AP1 and AP2.

Add AP1
Add AP2

After we add the AP to the MAC address authentication list, the status of the AP changes from fault to config and finally to normal. We need to wait for several minutes. If the status does not change to normal, re-check your configuration.

Group online APs. Select two APs, and click Deploy.

Add the two APs to AP group ap-groupX.
View AP information.

Step6 Configuring WLAN Service Parameters


Choose Configuration > AP Config > Profile > Wireless Service. The wireless service configuration page is displayed.

Create an SSID profile.


Create SSID profiles named "employee", "voiceX" and "guestX", with the SSID names "employee", "voiceX" and "guestX".

Create the "employee", "voiceX" and "guestX" VAP profiles. Set the forwarding mode of "employee" and "voice" to direct and the forwarding mode of "guestX" to tunnel, and configure the service VLAN.

Use the default forwarding mode (direct forwarding). Changing the forwarding mode will trigger risk notifications.

Bind the SSID profile to VAP profile.

Bind regulatory domain profile and VAP profile to the AP group.
Choose Configuration > AP Configuration > AP Group Configuration, and click ap-groupX.

Add VAP profile. Set WLAN ID and Radio.

Bind regulatory domain profile domainX to the AP group.

2.3 Verification

2.3.1 Checking the VAP List


Choose Monitoring > SSID > VAP > VAP List.

2.3.2 Terminal Connection Test
Connect STAs to the WLANs with SSIDs employeeX, voiceX and guestX. Run the display station all command on the AC.

Choose Monitoring > User > User Statistics, and view the user list.

On the wireless terminal, ping the IP address of the simulated public network interface on the switch.
C:\Users\zWX>ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 101.101.101.101 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

2.4 Reference Configuration

2.4.1 S5700 Configuration
#
sysname S5700
#
vlan batch 10 to 13
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return

2.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.1.10.100
#
ip pool employee1
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
#
ip pool voice1
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
#
ip pool guest1
 gateway-list 10.1.13.1
 network 10.1.13.0 mask 255.255.255.0
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$VNcE$6oR"2$aASkVyCl-~~qx^~!e+:.S|>BJto>%VV[WvDxK./G$
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei password irreversible-cipher $1a$6@(!=HT_IP$A=lvP*~iu+0<..Y&4`Y6+j4$Xkcf=#aMU=5[4wEP$
 local-user huawei privilege level 1
 local-user huawei service-type telnet ssh http
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
 dhcp select global
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
 dhcp select global
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 4090
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#En_g+AWfX>adWz&5.!G~E^)4&/r]vCScEB~w~u%Zje-$@`GH0BN7e"$A8PF(_n~lC9qvT)O*{4!I+:yR%^%#
snmp-agent community write %^%#atYiX7&TjG<o\Y/.2Y-V/8bVI&sGJOTB4$0Y@{"2$306$`dp;=7cULM)*$.3Q!lXY<}!y7jZ,7BS"NNY%^%#
snmp-agent sys-info version v2c
snmp-agent
#
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif10
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name default
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+-qK%aTJ_0%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,-GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
 ssid-profile name guest1
  ssid guest1
 ssid-profile name voice1
  ssid voice1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name guest1
  forward-mode tunnel
  service-vlan vlan-id 13
 vap-profile name voice1
  service-vlan vlan-id 12
  ssid-profile voice1
 vap-profile name default
 vap-profile name employee1
  service-vlan vlan-id 11
  ssid-profile employee1
 mesh-handover-profile name default
 mesh-profile name default
 wds-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 1
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 2
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
 ap-id 0 type-id 43 ap-mac 4cfa-cabe-eb60 ap-sn 21500826412SG8918066
  ap-group ap-group1
 ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901
  ap-group ap-group1
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
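
The roadmap in 2.2.1 is a chain of references: the AP group refers to VAP profiles, and each VAP profile refers to an SSID profile and a security profile. The check below is an added example, not part of the Huawei guide: it parses the wlan view of a saved configuration, resolves those references, and compares each VAP profile with the plan in 2.1.3 for group 1. The sample input is constructed by abridging the wlan view printed above; the default service VLAN and the default SSID and security profile names in `VAP_DEFAULTS` are assumptions about VRP defaults. Run on that sample it reports that vap-profile guest1 has no ssid-profile line, so the planned SSID profile guest1 is not the one in effect.

```python
# Constructed sample input: the wlan view of the 2.4.2 reference configuration
# (group 1), abridged to one radio, with VRP's one-space-per-level nesting.
WLAN_VIEW = """\
wlan
 ssid-profile name guest1
  ssid guest1
 ssid-profile name voice1
  ssid voice1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name guest1
  forward-mode tunnel
  service-vlan vlan-id 13
 vap-profile name voice1
  service-vlan vlan-id 12
  ssid-profile voice1
 vap-profile name employee1
  service-vlan vlan-id 11
  ssid-profile employee1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
"""

# Plan from section 2.1.3 with X = 1.
PLAN = {
    "employee1": {"forward-mode": "direct", "service-vlan": "11", "ssid-profile": "employee1"},
    "voice1": {"forward-mode": "direct", "service-vlan": "12", "ssid-profile": "voice1"},
    "guest1": {"forward-mode": "tunnel", "service-vlan": "13", "ssid-profile": "guest1"},
}

# In effect when a line is absent: direct forwarding is from the guide, the rest are assumed.
VAP_DEFAULTS = {"forward-mode": "direct", "service-vlan": "1",
                "ssid-profile": "default", "security-profile": "default"}


def parse_wlan(text):
    """Parse the wlan view into (vap profiles, SSID profile names, AP groups)."""
    vaps, ssids, groups = {}, set(), {}
    kind = name = radio = None
    for raw in text.splitlines():
        words = raw.split()
        depth = len(raw) - len(raw.lstrip(" "))
        if not words or depth == 0:
            continue
        if depth == 1:  # header: "<kind> name <name>"
            kind = name = radio = None
            if len(words) == 3 and words[1] == "name":
                kind, name = words[0], words[2]
                if kind == "vap-profile":
                    vaps[name] = dict(VAP_DEFAULTS)
                elif kind == "ssid-profile":
                    ssids.add(name)
                elif kind == "ap-group":
                    groups[name] = {"regulatory-domain-profile": "default", "radios": {}}
        elif kind == "vap-profile" and depth == 2:
            if words[0] == "forward-mode":
                vaps[name]["forward-mode"] = words[1].split("-")[0]
            elif words[0] in ("service-vlan", "ssid-profile", "security-profile"):
                vaps[name][words[0]] = words[-1]
        elif kind == "ap-group" and depth == 2 and words[0] == "radio":
            radio = words[1]
            groups[name]["radios"][radio] = []
        elif kind == "ap-group" and depth == 2 and words[0] == "regulatory-domain-profile":
            groups[name]["regulatory-domain-profile"] = words[1]
        elif kind == "ap-group" and depth == 3 and words[0] == "vap-profile":
            groups[name]["radios"][radio].append(words[1])
    return vaps, ssids, groups


def check_against_plan(text, plan, group, domain):
    """Return (object, attribute, problem) tuples where config and plan differ."""
    vaps, ssids, groups = parse_wlan(text)
    issues = []
    for vap, wanted in plan.items():
        if vap not in vaps:
            issues.append((vap, "vap-profile", "not defined"))
            continue
        for key, expected in wanted.items():
            if vaps[vap][key] != expected:
                issues.append((vap, key, f"plan={expected} config={vaps[vap][key]}"))
        if vaps[vap]["ssid-profile"] not in ssids:
            issues.append((vap, "ssid-profile", "referenced profile is not defined"))
    if group not in groups:
        return issues + [(group, "ap-group", "not defined")]
    if groups[group]["regulatory-domain-profile"] != domain:
        issues.append((group, "regulatory-domain-profile", f"plan={domain}"))
    for radio, bound in groups[group]["radios"].items():
        issues += [(group, f"radio {radio}", f"{vap} is not bound") for vap in plan if vap not in bound]
    return issues


if __name__ == "__main__":
    for issue in check_against_plan(WLAN_VIEW, PLAN, "ap-group1", "domain1"):
        print(*issue, sep=" | ")
```

Every VAP profile in the sample resolves to security-profile default, which matches this experiment's objective of open system authentication.
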
3 Experiment 3: WLAN Security Configuration

3.1 About This Course

3.1.1 Objectives
• Configure WLAN security profile
• Configure WEP authentication
• Configure WPA/WPA2 PSK authentication
• Configure WPA/WPA2 EAP authentication

3.1.2 Topology

3.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.

Group No.   AC-Switch Port   AP-Switch Port
1           AC1—G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2—G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3—G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4—G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5—G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6—G0/0/6       AP11-G0/0/19, AP12-G0/0/20

The following table describes an AC parameter configuration template.

AP Group                Name: ap-groupX
                        VAP ID 1: VAP profile: guestX; regulatory domain profile: domainX
                        VAP ID 2: VAP profile: voiceX; regulatory domain profile: domain
                        VAP ID 3: VAP profile: employeeX; regulatory domain profile: domainX
RADIUS Server Profile   Name: huawei; Key: huawei
Dot1x Profile           Name: employeeX
Authentication Scheme   Name: employeeX
                        Apply: Radius Server Profile: huawei; dot1x Profile: employeeX
SSID Profile            Name: employeeX; SSID name: employeeX
                        Name: voiceX; SSID name: voiceX
                        Name: guestX; SSID name: guestX
Security Profile        Name: employeeX; SSID name: employeeX
                        Name: voiceX; SSID name: voiceX
                        Name: guestX; SSID name: guestX
VAP Profile             Name: employeeX
                        Forwarding mode: direct forwarding
                        Service VLAN: 11
                        Referenced profile: SSID profile employeeX, Security Profile employeeX

                        Name: voiceX
                        Forwarding mode: direct forwarding
                        Service VLAN: 12
                        Referenced profile: SSID profile voiceX, Security Profile voiceX

                        Name: guestX
                        Forwarding mode: tunnel forwarding
                        Service VLAN: 13
                        Referenced profile: SSID profile guestX, Security Profile guestX
Topology: layer2 and layer 3 bypass topology

3.2 Experiment Task
R
i n g
3.2.1 Configuration Procedure
n
e ar
Step1 Configuring Portal Authentication

Huawei AC supports six access security policies, and each VAP profile can apply any one of them.

Security Policy    Policy Explanation
open               Open system authentication
wapi               WLAN Authentication and Privacy Infrastructure (WAPI)
wep                Wired Equivalent Privacy
wpa                Wi-Fi Protected Access
wpa2               Wi-Fi Protected Access version 2
wpa-wpa2           Wi-Fi Protected Access version 1 & 2

Configure SSID guestX to use Portal authentication, and set the authentication mode to local authentication.

Choose Configuration > Security > AAA > Built-In Portal Server to open the "Built-In Portal Server" page.

Portal server IP: IP address of the Portal server. Users are redirected to the Portal server if they enter URLs that are not located in the free IP subnet.
SSL policy: SSL policy applied to HTTPS services provided by the Portal server.
Port: Port that provides the authentication service on the Portal server.
Authentication mode: PAP or CHAP. CHAP is recommended because it is more secure.
Web page file: File in .zip format. The file contains the web pages that users access during authentication.
Maximum number of users: Maximum number of users that can access the Portal server.
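
The difference between the two authentication modes, shown as an added example that is not part of the original guide: PAP puts the password itself into the request, while CHAP sends MD5(identifier || secret || challenge) as defined in RFC 1994. It is an assumption here that the portal's CHAP mode uses that RFC 1994 computation; the function names and the sample password are hypothetical.

```python
import hashlib
import hmac
import os


def pap_request(username, password):
    """PAP: the request carries the password itself."""
    return {"user": username, "password": password.encode()}


def chap_challenge():
    """Authenticator side: a fresh identifier and a random 16-byte challenge."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(ident, challenge, password):
    """Client side, RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_verify(ident, challenge, response, stored_password):
    """Server side: recompute from the stored password, compare in constant time."""
    expected = chap_response(ident, challenge, stored_password)
    return hmac.compare_digest(expected, response)


def run_exchange(password="Guest-Pass-01"):  # constructed sample password
    ident, challenge = chap_challenge()
    response = chap_response(ident, challenge, password)
    accepted = chap_verify(ident, challenge, response, password)
    # A response is bound to its challenge, so it fails against a fresh one.
    ident2, challenge2 = chap_challenge()
    replay_accepted = chap_verify(ident2, challenge2, response, password)
    pap = pap_request("guest01", password)
    return {
        "pap_exposes_password": password.encode() in pap["password"],
        "chap_exposes_password": password.encode() in response,
        "accepted": accepted,
        "replay_accepted": replay_accepted,
        "wrong_password_accepted": chap_verify(ident, challenge, response,
                                               password + "x"),
    }


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key:<26} {value}")
```

CHAP only covers the leg on which the challenge is used; the browser still submits the password to the portal page, which is why the SSL policy applied to the portal's HTTPS service matters as well.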
Create security profile guestX.

Choose Configuration > AP Config > Profile > Wireless Service. The security profile list is displayed.

Create Portal profile guestX.

Create authentication profile guestX, and bind the portal profile to the authentication profile.
Choose Configuration > Security > AAA to open the authentication profile list.

Bind portal profile guestX to the authentication profile guestX.

Enter VAP profile page, bind authentication profile guestX and security profile guestX to
VAP profile guestX.

Create Portal account.


Choose Configuration > Security > AAA > Local User to open the Local User page.

Wireless users can open a browser and enter a website address. The browser is automatically redirected to the Portal authentication page. Enter the correct username and password, and then click "Login". (NOTE: This experiment does not have a DNS server, so enter an IP address instead, for example, 114.114.114.114.)

The configuration of Portal authentication is now complete, and we can test the connection.

C:\Users\zWX>ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 101.101.101.101 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

Step2 Configuring WPA PSK Authentication
Configure the authentication type for SSID voiceX to WPA1-PSK. Huawei AC supports the following WPA configuration options:

WPA Type                      Encryption Method    Authentication Method
WPA/WPA2/WPA1-2 Personal      CCMP or TKIP         PSK (password 8-64 characters)
WPA/WPA2/WPA1-2 Enterprise    CCMP or TKIP         Dot1x

Configure the security profile (security-profile name voice1) with encryption mode TKIP and the PSK password voicevoice.
Choose Configuration > AP Config > Profile > Wireless Service > Security profile. The security profile page is displayed. In the security profile list, click Create and set the parameters.

Bind the security profile voiceX to VAP profile voiceX.

The configuration of WPA-PSK is now complete, and we can test the connection.

C:\Users\zWX>ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 101.101.101.101 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

Step3 Configuring WPA EAP Authentication

The authentication architecture of EAP consists of three parts: the client, the authenticator, and the authentication server.

The authentication server for this experiment has been set up with IP address 10.254.1.100 and password huawei. The server is ready for use, with the test account huawei and password Huawei@123.

Configure the RADIUS service gateway on the S5700.
[S5700] vlan batch 200
[S5700] interface GigabitEthernet0/0/24
[S5700-GigabitEthernet0/0/24] port link-type access
[S5700-GigabitEthernet0/0/24] port default vlan 200
[S5700-GigabitEthernet0/0/24] quit
[S5700] interface Vlanif200
[S5700-Vlanif200] ip address 10.254.1.1 24
[S5700-Vlanif200] quit

Configure the RADIUS service and accounting scheme on the AC.
Configure the RADIUS profile.

Choose Configuration > Security > AAA > RADIUS. The RADIUS page is displayed.

Create the RADIUS server.

Configure AAA.
Choose Configuration > AP Config > Profile > Wireless Service to open the Authentication Scheme list. (A radius profile exists by default, so there is no need to create one.)

Set the authentication mode to RADIUS authentication.

Configure the access profile (dot1x-access-profile name employeeX) with authentication mode EAP.

Configure the security profile (security-profile name employeeX) with encryption mode CCMP (AES).

Configure the authentication profile (authentication-profile name employee).
Bind the access profile, authentication scheme, accounting scheme, and RADIUS server to the authentication profile.
Choose Configuration > Security > AAA > Authentication Profile to open the authentication profile page. Click Create and create an employee authentication profile.

Bind the dot1x access profile and RADIUS server profile to the authentication profile.

Bind the security profile and authentication profile to the VAP profile.

3.3 Verification

3.3.1 Connect an STA to the WLAN


Connect an iPhone to the WLAN with SSID employeeX.

3.4 Reference Configuration

3.4.1 S5700 Configuration
#
sysname S5700
#
vlan batch 10 to 13 200
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface Vlanif200
 ip address 10.254.1.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port default vlan 200
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return

3.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
portal local-server ip 10.1.10.100
portal local-server https ssl-policy default_policy port 2000
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
 portal-access-profile guest1
authentication-profile name macportal_authen_profile
authentication-profile name guest1
 portal-access-profile guest1
authentication-profile name employee1
 dot1x-access-profile employee1
 authentication-scheme radius
 radius-server huawei
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
radius-server template huawei
 radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100 weight 80
 undo radius-server user-name domain-included
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
 portal local-server enable
#
portal-access-profile name guest1
 portal local-server enable
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.1.10.100
#
ip pool employee1
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
 dns-list 114.114.114.114
#
ip pool voice1
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
#
ip pool guest1
 gateway-list 10.1.13.1
 network 10.1.13.0 mask 255.255.255.0
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$VNcE$6oR"2$aASkVyCl-~~qx^~!e+:.S|>BJto>%VV[WvDxK./G$
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei password irreversible-cipher $1a$6@(!=HT_IP$A=lvP*~iu+0<..Y&4`Y6+j4$Xkcf=#aMU=5[4wEP$
 local-user huawei privilege level 1
 local-user huawei service-type telnet ssh http
 local-user guest01 password cipher %^%#h)q(D@"^~3lbX|<lHk1L#bj]RY3-pAYq#XEVAp>~%^%#
 local-user guest01 privilege level 0
 local-user guest01 service-type web
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
 dhcp select global
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
 dhcp select global
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 4090
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#En_g+AWfX>adWz&5.!G~E^)4&/r]vCScEB~w~u%Zje-$@`GH0BN7e"$A8PF(_n~lC9qvT)O*{4!I+:yR%^%#
snmp-agent community write %^%#atYiX7&TjG<o\Y/.2Y-V/8bVI&sGJOTB4$0Y@{"2$306$`dp;=7cULM)*$.3Q!lXY<}!y7jZ,7BS"NNY%^%#
snmp-agent sys-info version v2c
snmp-agent
#
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif10
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name guest1
 security-profile name voice1
  security wpa psk pass-phrase %^%#0)RfPJm>L58cY+4*K);#E~]V)7`\406bJM4syy*%%^%# tkip
 security-profile name default
 security-profile name employee1
  security wpa2 dot1x aes
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+-qK%aTJ_0%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,-GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
 ssid-profile name guest1
  ssid guest1
 ssid-profile name voice1
  ssid voice1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name guest1
  forward-mode tunnel
  service-vlan vlan-id 13
  ssid-profile guest1
  security-profile guest1
  authentication-profile portal_authen_profile
 vap-profile name voice1
  service-vlan vlan-id 12
  ssid-profile voice1
  security-profile voice1
 vap-profile name default
 vap-profile name employee1
  service-vlan vlan-id 11
  ssid-profile employee1
  security-profile employee1
  authentication-profile employee1
 mesh-handover-profile name default
 mesh-profile name default
 wds-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 1
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 2
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
 ap-id 0 type-id 43 ap-mac 4cfa-cabe-eb60 ap-sn 21500826412SG8918066
  ap-group ap-group1
 ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901
  ap-group ap-group1
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name employee1
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
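
The weak settings visible in the AC1 reference configuration above can be found mechanically. The following Python audit is an added example, not part of the original guide or of any Huawei tool: the rule names and the `audit` function are hypothetical, the sample is a constructed excerpt of the configuration with the pass-phrase replaced by a placeholder, and a security profile with no `security` line is assumed to use the open policy.

```python
import re

# Constructed sample: lines taken from the AC1 reference configuration above,
# with the encrypted pass-phrase replaced by a placeholder.
SAMPLE_CONFIG = """\
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
snmp-agent sys-info version v2c
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
wlan
 security-profile name guest1
 security-profile name voice1
  security wpa psk pass-phrase CIPHER-PLACEHOLDER tkip
 security-profile name employee1
  security wpa2 dot1x aes
"""

# Hypothetical rule set: (rule id, regex on the stripped line, explanation).
LINE_RULES = [
    ("TLS-LEGACY", r"^version\b.*\btls1\.[01]\b", "SSL policy accepts TLS 1.0/1.1"),
    ("SNMP-CLEAR", r"^snmp-agent sys-info version\b.*\bv(1|2c)\b",
     "SNMPv1/v2c carries community strings unencrypted"),
    ("TELNET-VTY", r"^protocol inbound (telnet|all)$", "VTY lines accept Telnet"),
]
WEAK_SSH = {"3des", "md5", "md5_96", "sha1", "sha1_96"}
SSH_LINE = re.compile(r"^ssh (server|client) secure-algorithms (cipher|hmac) (.+)$")
PROFILE_DEF = re.compile(r"^security-profile name (\S+)$")


def audit(config_text):
    """Return sorted (line number, rule id, detail) findings for the config text."""
    findings = []
    profile = None   # security profile whose body is currently being read
    defined = {}     # profile name -> line number of its definition
    secured = set()  # profiles that set a policy other than open
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = PROFILE_DEF.match(line)
        if m:
            profile = m.group(1)
            defined[profile] = n
            continue
        if profile and line.startswith("security "):
            tokens = line.split()
            policy, cipher = tokens[1], tokens[-1]
            if policy != "open":
                secured.add(profile)
            if policy == "wep":
                findings.append((n, "WEP", f"{profile}: WEP policy"))
            if policy in ("wpa", "wpa-wpa2"):
                findings.append((n, "WPA1", f"{profile}: WPA version 1 allowed"))
            if "tkip" in cipher:
                findings.append((n, "TKIP", f"{profile}: TKIP encryption"))
            continue
        profile = None  # any other line ends the profile body
        for rule_id, pattern, why in LINE_RULES:
            if re.search(pattern, line):
                findings.append((n, rule_id, why))
        m = SSH_LINE.match(line)
        if m:
            weak = sorted(set(m.group(3).split()) & WEAK_SSH)
            if weak:
                findings.append((n, "SSH-WEAK-ALG",
                                 f"{m.group(1)} {m.group(2)}: {' '.join(weak)}"))
    # Assumption: a profile without a "security" line uses the open policy.
    for name, n in defined.items():
        if name not in secured:
            findings.append((n, "OPEN-SSID", f"{name}: no link-layer encryption"))
    return sorted(findings)


if __name__ == "__main__":
    for n, rule_id, detail in audit(SAMPLE_CONFIG):
        print(f"line {n:>2}  {rule_id:<12}  {detail}")
```

On the sample, voice1 is reported for both WPA version 1 and TKIP, guest1 for having no link-layer encryption behind its Portal login, and employee1 (WPA2, dot1x, AES) produces no finding.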

4 Experiment 4: eSight WLAN Management

4.1 About This Course

4.1.1 Objectives
• Configure SNMP on the AC
• Understand how eSight discovers the AC
• Configure WLAN with the eSight wizard

4.1.2 Topology

4.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.

Group No.    AC-Switch Port    AP-Switch Port
1            AC1-G0/0/1        AP1-G0/0/10, AP2-G0/0/11
2            AC2-G0/0/2        AP3-G0/0/12, AP4-G0/0/13
3            AC3-G0/0/3        AP5-G0/0/14, AP6-G0/0/15
4            AC4-G0/0/4        AP7-G0/0/15, AP8-G0/0/16
5            AC5-G0/0/5        AP9-G0/0/17, AP10-G0/0/18
6            AC6-G0/0/6        AP11-G0/0/19, AP12-G0/0/20

eSight Server IP                 172.21.11.20
eSight Server password           Name: admin  Password: Huawei@123
SNMP read only community         publicRO
SNMP read and write community    privateRW

4.2 Experiment Task

4.2.1 Configuration Procedure


Step1 Configuring a Switch
Continue from the configuration in experiment 1. The switch configuration is already complete.

Step2 Configuring SNMP Parameters
Configure the AC SNMP community and static route.
Choose "Maintenance > AC Maintenance > SNMP > Global Configuration" to open the Global Configuration page.

Open Community/Group Management, click Create, and set the SNMP parameters.

Choose "Configuration > AC Config > IP > Route > Static Route Configuration Table" to open the Static Route Configuration Table page.
In the Static Route Configuration Table, click Create and configure the static route.

Step3 Configuring eSight Discover AC
After the PC connects to the WLAN, enter the URL http://172.21.11.20:8080 to access the eSight Server with user name admin and password Huawei@123. (The initial user name and password are admin/Changeme123; you need to change the initial password when you first log in to eSight.) Use the Google Chrome or Firefox browser.

After logging in to eSight, select the pull-down menu "Resource", click "Add Device", and use the parameters below.

IP Address                    172.21.11.X+2
Name                          ACX
SNMP Version                  V2C
Read Only Community           publicRO
Write Community               privateRW
Telnet Authentication mode    Password
Password                      Admin@123

Click "OK" when you have finished. If "Success" is displayed, the configuration succeeded.

Step4 Configuring Basic AC Parameters
Select the pull-down menu "Resource", and click "Network Device".

Click "WLAN Feature > AP", open the Create Manually interface, and add the APs.

Configure interface group huaweiX.
Select the pull-down menu "Resource > Resources Group > Group Management".
Click "Interface group > User Defined > ". The name for this experiment is "huawei1".

Configure VLANIF and DHCP Server.
Select the pull-down menu "Business > WLAN Management > Configuration and Deployment".

Add devices on Base Configuration.

Configure the channel. Click "Base configuration > Channel Configuration", and set the allowed VLANs and PVID for the interface group.

Step5 Configuring AP Online
Configure the AP authentication mode and AC source address.
Click "Global AC Configuration > AC > ", and select resource AC1.

Step6 Configure WLAN Service Parameters


Create profiles employeeX. Click "AP Configuration > Profile Management > VAP Profile > SSID Profile", and select "Create". Configure the security policy for employeeX to WPA2, with the password employee.

Create VAP profiles employeeX. Set the data forwarding mode for employeeX to tunnel forwarding. Configure the service VLAN and bind the profile to the security profile and SSID profile.

Configure AP groups ap-groupX to use the VAP profile.

After the steps above are finished, the APs are still not online. Configure the SSH function on the AC, and test SFTP access to eSight. Username: admin, password: Changeme123.
[AC6005]ssh client first-time enable
[AC6005]sftp 172.21.0.11 31922
Please input the username:admin
Trying 172.21.0.11 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? (y/n)[n]:y
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 172.21.0.11. Please wait...
Enter password:
sftp-client>

Click "System > Network Management Settings > Polling Settings". Configure the polling interval to bring the APs online.

Check the AP status. The two APs are online.

4.3 Verification

4.3.1 Connect an STA to the WLAN
Connect STAs to the WLANs with SSIDs employeeX.

C:\Users\zWX>ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 101.101.101.101 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

4.4 Reference Configuration

4.4.1 S5700 Configuration
#
sysname S5700
#
vlan batch 10 to 13 200
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface Vlanif200
 ip address 10.254.1.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port default vlan 200
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return

4.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
portal local-server ip 10.1.10.100
portal local-server https ssl-policy default_policy port 2000
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
 portal-access-profile guest1
authentication-profile name macportal_authen_profile
authentication-profile name guest1
 portal-access-profile guest1
authentication-profile name employee1
 dot1x-access-profile employee1
 authentication-scheme radius
 radius-server huawei
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
radius-server template huawei
 radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100 weight 80
 undo radius-server user-name domain-included
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
 portal local-server enable
#
portal-access-profile name guest1
 portal local-server enable
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.1.10.100
#
ip pool employee1
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
 dns-list 114.114.114.114
#
ip pool voice1
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
#
ip pool guest1
 gateway-list 10.1.13.1
 network 10.1.13.0 mask 255.255.255.0
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
local-user admin password irreversible-cipher $1a$VNcE$6oR"2$aASkVyCl-~~qx^~!e+:.S|>BJto>%VV[WvDxK./G$
local-user admin privilege level 15
local-user admin service-type ssh http
local-user huawei password irreversible-cipher $1a$6@(!=HT_IP$A=lvP*~iu+0<..Y&4`Y6+j4$Xkcf=#aMU=5[4wEP$
local-user huawei privilege level 1
local-user huawei service-type telnet ssh http
local-user guest01 password cipher %^%#h)q(D@"^~3lbX|<lHk1L#bj]RY3-pAYq#XEVAp>~%^%#
local-user guest01 privilege level 0
local-user guest01 service-type web
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 4090
stp disable
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#En_g+AWfX>adWz&5.!G~E^)4&/r]vCScEB~w~u%Zje-$@`GH0BN7e"$A8PF(_n~lC9qvT)O*{4!I+:yR%^%#
snmp-agent community write %^%#atYiX7&TjG<o\Y/.2Y-V/8bVI&sGJOTB4$0Y@{"2$306$`dp;=7cULM)*$.3Q!lXY<}!y7jZ,7BS"NNY%^%#
snmp-agent sys-info version v2c
snmp-agent
#
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif10
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name guest1
security-profile name voice1
security wpa psk pass-phrase %^%#0)RfPJm>L58cY+4*K);#E~]V)7`\406bJM4syy*%%^%# tkip
security-profile name default
security-profile name employee1
security wpa2 dot1x aes
security-profile name default-wds
security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+-qK%aTJ_0%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,-GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
ssid-profile name guest1
ssid guest1
ssid-profile name voice1
ssid voice1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-id 13
ssid-profile guest1
security-profile guest1
authentication-profile portal_authen_profile
vap-profile name voice1
service-vlan vlan-id 12
ssid-profile voice1
security-profile voice1
vap-profile name default
vap-profile name employee1
service-vlan vlan-id 11
ssid-profile employee1
security-profile employee1
authentication-profile employee1
mesh-handover-profile name default
mesh-profile name default
wds-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
radio 1
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
radio 2
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
ap-id 0 type-id 43 ap-mac 4cfa-cabe-eb60 ap-sn 21500826412SG8918066
ap-group ap-group1
ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901
ap-group ap-group1
provision-ap
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name employee1
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return

5 Experiment 5: Layer 3 Networking Experiment

5.1 About This Course

5.1.1 Objectives
• Understand the L3 networking structure
• Configure L3 networking devices
• Configure tunnel forwarding
• Verify the configuration

5.1.2 Topology

5.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.

Group No.   AC-Switch Port   AP-Switch Port
1           AC1—G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2—G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3—G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4—G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5—G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6—G0/0/6       AP11-G0/0/19, AP12-G0/0/20

The following table describes an AC parameter configuration template.

Trainee Group X                        AC Configuration
Console Port Login Password            Admin@123
Device                                 ACX
AP Management VLAN                     VLAN:X0 IP:10.1.X0.100
Service VLAN (Employee)                VLAN:X1 IP:10.1.X1.100
Service VLAN (Voice)                   VLAN:X2 IP:10.1.X2.100
Service VLAN (Guest)                   VLAN:X3 IP:10.1.X3.100
AC Source interface (L3 Networking)    VLANif 80X IP:10.1.20X.100

Topology: layer 2 and layer 3 bypass topology

5.2 Experiment Task

5.2.1 Configuration Procedure

Step1 Configuring a Switch
Configure the VLAN and trunk on switch S5700, and set the VLANIF80X IP address.
[S5700]vlan batch 801
[S5700]int GigabitEthernet 0/0/1
[S5700-GigabitEthernet0/0/1]port trunk allow-pass vlan 801
[S5700-GigabitEthernet0/0/1]quit
[S5700]int Vlanif 801
[S5700-Vlanif801]ip address 10.1.201.1 24
[S5700-Vlanif801]quit

Step2 Configuring Basic AC Parameters
Update the VLAN and trunk configuration, and set the VLANIF80X IP address.
Choose “Configuration > AC Config > VLAN” to enter the VLAN page.
Click Create and add VLAN80X.

Step3 Configuring AP Online
Modify the DHCP configuration and the WLAN configuration so that the APs can discover
the AC.
Choose “Configuration > AC Config > IP > DHCP Address pool” to enter the DHCP Address
pool page.
Click the AP address pool and modify the option parameter.

Modify the AC source address.
Choose “Configuration > AC Config > Basic Config > AC Configuration” to enter the AC
configuration page.

Choose “Configuration > AP Config > Profile > Wireless Service” to enter the Wireless
Service page.
Click VAP profile and change the forwarding mode of employee and voiceX to tunnel.
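
Steps 1 to 3 change three things that have to agree: the address handed to the APs in DHCP option 43, the IP address of the CAPWAP source interface, and the trunk that carries that interface's VLAN. The check below is an added example, not part of the original guide; it assumes, as in both of the guide's AC reference configurations, that option 43 must carry the CAPWAP source interface's address, and the function names and the stale-configuration sample are this example's own.

```python
import ipaddress
import re

# Excerpt of the guide's Layer 3 AC reference configuration (lines copied from
# the page; everything not needed for the check is left out).
L3_CONFIG = """\
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.1.201.100
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif801
 ip address 10.1.201.100 255.255.255.0
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 13 801
#
capwap source interface vlanif801
"""

# Constructed failure case: the CAPWAP source was moved to vlanif801, but
# option 43 and the trunk were left as in the Layer 2 experiment.
STALE_CONFIG = (L3_CONFIG
                .replace("ascii 10.1.201.100", "ascii 10.1.10.100")
                .replace("vlan 10 to 13 801", "vlan 10 to 13"))


def stanzas(config):
    """Split a configuration dump on '#' lines into (header, body_lines) pairs."""
    out, block = [], []
    for raw in config.splitlines() + ["#"]:
        line = raw.strip()
        if line == "#":
            if block:
                out.append((block[0], block[1:]))
            block = []
        elif line:
            block.append(line)
    return out


def expand_vlans(spec):
    """Turn '10 to 13 801' into {10, 11, 12, 13, 801}."""
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        low = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(low, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(low)
            i += 1
    return vlans


def check_ap_discovery(config):
    """Return a list of inconsistencies; an empty list means option 43, the
    CAPWAP source interface and the trunk configuration agree."""
    blocks = stanzas(config)
    source = next((h for h, _ in blocks
                   if h.lower().startswith("capwap source interface ")), None)
    if source is None:
        return ["no 'capwap source interface' line found"]
    ifname = source.split()[-1].lower()
    match = re.fullmatch(r"vlanif(\d+)", ifname)
    if match is None:
        return [f"CAPWAP source {ifname} is not a VLANIF; not handled here"]
    vlan = int(match.group(1))

    src_ip, carried = None, set()
    for header, body in blocks:
        if header.lower() == f"interface {ifname}":
            for line in body:
                m = re.match(r"ip address (\S+) \S+", line)
                if m:
                    src_ip = ipaddress.ip_address(m.group(1))
        elif header.startswith("interface ") and "port link-type trunk" in body:
            for line in body:
                m = re.match(r"port trunk allow-pass vlan (.+)", line)
                if m:
                    carried |= expand_vlans(m.group(1))
    if src_ip is None:
        return [f"{ifname} has no IP address"]

    findings = []
    if vlan not in carried:
        findings.append(f"VLAN {vlan} is not allowed on any trunk port")
    for header, body in blocks:
        if not header.startswith("ip pool "):
            continue
        for line in body:
            m = re.match(r"option 43 sub-option 3 ascii (\S+)", line)
            if m and str(src_ip) not in m.group(1).split(","):
                findings.append(f"{header}: option 43 advertises {m.group(1)}, "
                                f"but {ifname} is {src_ip}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("L3 reference", L3_CONFIG), ("stale", STALE_CONFIG)):
        print(name, check_ap_discovery(cfg) or "consistent")
```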

5.3 Verification
5.3.1 Verify the L3 Network Status
The configuration of the L3 network is now finished, and all APs are online.
[AC1]display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------
ID  MAC             Name  Group      IP           Type      State  STA  Uptime
-------------------------------------------------------------------------
0   4cfa-cabe-eb60  ap1   ap-group1  10.1.10.253  AP4030DN  nor    0    6S
1   4cfa-cabf-d0c0  ap2   ap-group1  10.1.10.254  AP4030DN  nor    1    26S
-------------------------------------------------------------------------
Total: 2

Check the station information.
[AC1]display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address   SSID
-------------------------------------------------------------------------
1041-7f67-01b1  0      ap1      0/2      2.4G  11g   35/46  -64   12    10.1.12.254  voice1
-------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

5.4 Reference Configuration

5.4.1 S5700 Configurations
#
sysname S5700
#
vlan batch 10 to 13 200 801
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface Vlanif200
ip address 10.254.1.1 255.255.255.0
#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0
#
interface MEth0/0/1
ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 13 801
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port default vlan 200
#
interface NULL0
#
interface LoopBack1
ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
protocol inbound all
user-interface vty 16 20
#
return

5.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
portal local-server ip 10.1.10.100
portal local-server https ssl-policy default_policy port 2000
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 801 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
portal-access-profile guest1
authentication-profile name macportal_authen_profile
authentication-profile name guest1
portal-access-profile guest1
authentication-profile name employee1
dot1x-access-profile employee1
authentication-scheme radius
radius-server huawei
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
radius-server template huawei
radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100 weight 80
undo radius-server user-name domain-included
#
pki realm default
rsa local-key-pair default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
version tls1.0 tls1.1
ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
portal local-server enable
#
portal-access-profile name guest1
portal local-server enable
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool employee1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
dns-list 114.114.114.114
#
ip pool voice1
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
ip pool guest1
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme default
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher $1a$VNcE$6oR"2$aASkVyCl-~~qx^~!e+:.S|>BJto>%VV[WvDxK./G$
local-user admin privilege level 15
local-user admin service-type ssh http
local-user huawei password irreversible-cipher $1a$6@(!=HT_IP$A=lvP*~iu+0<..Y&4`Y6+j4$Xkcf=#aMU=5[4wEP$
local-user huawei privilege level 1
local-user huawei service-type telnet ssh http
local-user guest01 password cipher %^%#h)q(D@"^~3lbX|<lHk1L#bj]RY3-pAYq#XEVAp>~%^%#
local-user guest01 privilege level 0
local-user guest01 service-type web
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 4090
stp disable
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 13 801
#
interface NULL0
#
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#En_g+AWfX>adWz&5.!G~E^)4&/r]vCScEB~w~u%Zje-$@`GH0BN7e"$A8PF(_n~lC9qvT)O*{4!I+:yR%^%#
snmp-agent community write %^%#atYiX7&TjG<o\Y/.2Y-V/8bVI&sGJOTB4$0Y@{"2$306$`dp;=7cULM)*$.3Q!lXY<}!y7jZ,7BS"NNY%^%#
snmp-agent sys-info version v2c
snmp-agent
#
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name guest1
security-profile name voice1
security wpa psk pass-phrase %^%#0)RfPJm>L58cY+4*K);#E~]V)7`\406bJM4syy*%%^%# tkip
security-profile name default
security-profile name employee1
security wpa2 dot1x aes
security-profile name default-wds
security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+-qK%aTJ_0%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,-GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
ssid-profile name guest1
ssid guest1
ssid-profile name voice1
ssid voice1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-id 13
ssid-profile guest1
security-profile guest1
authentication-profile portal_authen_profile
vap-profile name voice1
forward-mode tunnel
service-vlan vlan-id 12
ssid-profile voice1
security-profile voice1
vap-profile name default
vap-profile name employee1
forward-mode tunnel
service-vlan vlan-id 11
ssid-profile employee1
security-profile employee1
authentication-profile employee1
mesh-handover-profile name default
mesh-profile name default
wds-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
radio 1
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
radio 2
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
ap-id 0 type-id 43 ap-mac 4cfa-cabe-eb60 ap-sn 21500826412SG8918066
ap-group ap-group1
ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901
ap-group ap-group1
provision-ap
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name employee1
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return

6 Experiment 6: Backup the Configuration and Reset the Device

6.1 About This Course

6.1.1 Objectives
• Save the configuration of AC
• Configure FTP service in AC
• Backup the configuration of AC
• Reset the configuration of AC

6.1.2 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.

Group No.   AC-Switch Port   AP-Switch Port
1           AC1—G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2—G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3—G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4—G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5—G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6—G0/0/6       AP11-G0/0/19, AP12-G0/0/20

Item                             Parameter
Management IP                    172.21.11.X+2
Backup Configuration File name   acvrpcfg.zip
FTP account                      Name: ftp Password: Huawei@123
FTP Directory                    Flash:/

6.2 Experiment Task

6.2.1 Configuration Procedure

Step1 Save the Configuration
After any change made through the web-based configuration, you need to click “Save” to
save the configuration to the device. If you do not save it, the configuration will be lost
after a reboot.
Save the configuration using the button at the upper right of the page.

After saving, you can view information about the files and directories on the storage
device.
Choose “Maintenance > System Configuration > File Management” to enter the file
management page.

In the Storage Medium area, check the remaining size and total size of storage devices.
Manage files in the File Management area.
To search all files in a storage medium or all the storage media, click Search.
To move a file to the recycle bin, select the file and click Delete and Move to Recycle Bin.
You can restore the deleted file in the Recycle Bin area.
To permanently delete a file, select the file and click Delete File Permanently.
To upload a file to the storage device, click Upload file.
To refresh the file list, click Refresh.
To download a file to the local PC, select the file and click .

Step2 Configuring FTP Service on AC
Create an FTP user: choose “Maintenance > Administrator > Administrator List” to enter
the administrator list page. Username: ftp, password: Huawei@123, level: 15.

Enable the FTP service in the global view: choose “Maintenance > AC Maintenance >
System > Service Management” to enter the Service Management page.

Step3 Backup the Configuration to PC
D:\>ftp 172.21.11.3
connect 172.21.11.3.
220 FTP service ready.
User(172.21.11.3:(none)): ftp
331 Password required for ftp.
password:ftp001
230 User logged in.
ftp> get acvrpcfg.zip
200 Port command okay.
150 Opening ASCII mode data connection for acvrpcfg.zip.
226 Transfer complete.
ftp: 1373 bytes received in 0.00Seconds 1373000.00Kbytes/sec.
ftp>

The configuration file is now backed up on the PC. Find the file in D:/; you can then open
it with Notepad or WordPad.

Step4 Reset the Configuration
After you finish the practice, reset the configuration of the devices so that it does not
affect later practice. Follow the procedure below to reset the configuration and reboot the
device.
<AC1>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
#
<AC1>reboot
Info: The system is comparing the configuration, please wait......
Warning: All the configuration will be saved to the next startup configuration. Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y

6.3 Verification
6.3.1 Checking the Device Configuration
You are required to set a new password when you log in to the device after the reboot.
Please configure the login password:
Info: A plain text password is a string of 8 to 16 case-sensitive
characters and must be a combination of at least two of the following:
uppercase letters A to Z, lowercase letters a to z, digits, and special
characters. A cipher text password contains 68 characters.
Enter password:
Confirm password:

Only the default configuration exists.

<AC6005>display current-configuration
#
http secure-server ssl-policy default_policy
http server enable
#
ssl renegotiation-rate 1
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
diffserv domain default
#
radius-server template default
#
pki realm default
rsa local-key-pair default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
version tls1.0 tls1.1 tls1.2
ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme default
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher %^%#M`4JPQpOV5o%dg<#chz:0uQcV}F#{FY6"T-UeF>YO[l0C!OPI-!:hyJLvcXC%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#h'O5Y|4b&.=,loK4{<@Qo0h6R~Q>oT[2{<X+y^:,Sg*tSthkTO("UiYv~tN<%^%#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#qNfI(V#y8:b/W|/(mY81#Z\D8~!8Y*#IO1RwV);+%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#o[7"I"t]\4xd-e7_BV:3&kdR~nCGO!El4DSuB>~E%^%# aes
ssid-profile name default
vap-profile name default
mesh-handover-profile name default
mesh-profile name default
wds-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name default
provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
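
The AC reference configuration in 5.4.2 and the factory-default configuration above differ in several management-plane and WLAN security settings (Telnet, SNMP v2c, SSH algorithm lists, WPA/TKIP, FTP). The script below is an added example, not part of the original guide: it audits VRP-style configuration lines and reports which weak settings a configuration adds relative to a baseline. The rule names are this example's own, the sample lines are excerpts copied from the page, and `<ciphertext>` stands in for the encrypted strings.

```python
import re

# (rule id, pattern matched against one stripped configuration line, reason)
RULES = [
    ("tls-legacy", r"^version\b.*\btls1\.[01]\b",
     "SSL policy still offers TLS 1.0/1.1 (deprecated by RFC 8996)"),
    ("telnet-user", r"^local-user \S+ service-type\b.*\btelnet\b",
     "local user may log in over Telnet (cleartext)"),
    ("reversible-password", r"^local-user \S+ password cipher\b",
     "password stored with reversible 'cipher' instead of 'irreversible-cipher'"),
    ("snmp-community", r"^snmp-agent sys-info version\b.*\bv(1|2c)\b",
     "community-based SNMP, no authentication or encryption"),
    ("ssh-weak-cipher",
     r"^ssh (server|client) secure-algorithms cipher\b.*\b(3des|\w+_cbc)\b",
     "SSH offers 3DES or CBC-mode ciphers"),
    ("ssh-weak-hmac",
     r"^ssh (server|client) secure-algorithms hmac\b.*\b(md5|sha1)(_96)?\b",
     "SSH offers MD5 or SHA-1 based MACs"),
    ("telnet-vty", r"^protocol inbound telnet$", "VTY lines accept Telnet"),
    ("wpa-tkip", r"^security wpa\b.*\btkip$", "SSID uses WPA with TKIP"),
    ("ftp-enabled", r"^ftp server enable$", "FTP server enabled (cleartext)"),
]

# Excerpt of the lab AC configuration (5.4.2) plus the FTP line from 6.4.1.
LAB = """\
version tls1.0 tls1.1
local-user huawei service-type telnet ssh http
local-user guest01 password cipher <ciphertext>
snmp-agent sys-info version v2c
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
user-interface vty 0 4
protocol inbound telnet
security wpa psk pass-phrase <ciphertext> tkip
[AC1]ftp server enable
"""

# Excerpt of the factory-default configuration shown in 6.3.1.
DEFAULT = """\
version tls1.0 tls1.1 tls1.2
local-user admin service-type ssh http
undo snmp-agent
undo telnet server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
user-interface vty 0 4
protocol inbound ssh
security wpa2 psk pass-phrase <ciphertext> aes
"""


def audit(config):
    """Return (line number, rule id, line) for every line that matches a rule."""
    hits = []
    for number, raw in enumerate(config.splitlines(), start=1):
        # Drop a leading CLI prompt such as "[AC1]" or "<AC1>" if present.
        line = re.sub(r"^[\[<][^\]>]*[\]>]", "", raw.strip()).strip()
        for rule_id, pattern, _reason in RULES:
            if re.search(pattern, line):
                hits.append((number, rule_id, line))
    return hits


def regressions(baseline, candidate):
    """Rule ids triggered by the candidate but not by the baseline."""
    base = {rule_id for _, rule_id, _ in audit(baseline)}
    cand = {rule_id for _, rule_id, _ in audit(candidate)}
    return sorted(cand - base)


if __name__ == "__main__":
    reasons = {rule_id: reason for rule_id, _, reason in RULES}
    for rule_id in regressions(DEFAULT, LAB):
        print(f"{rule_id}: {reasons[rule_id]}")
```

Only `tls-legacy` fires on the default excerpt, because the default SSL policy also lists TLS 1.0 and 1.1; every other finding is introduced by the lab configuration.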

6.4 Reference Configuration

6.4.1 Key Configuration
[AC1]ftp server enable
[AC1]aaa
[AC1-aaa]local-user ftp password irreversible-cipher Huawei@123 ftp-directory sdcard:/
[AC1-aaa]local-user ftp service-type ftp
[AC1-aaa]local-user ftp privilege level 15
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y

7 Appendix

7.1 Configuration of Core Switch
#
sysname S5700
#
vlan batch 10 to 13 20 to 23 30 to 33 40 to 43 50 to 53 60 to 63 200 801 to 806
#
undo http server enable
undo http secure-server enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.20.1 255.255.255.0
#
interface Vlanif21
ip address 10.1.21.1 255.255.255.0
#
interface Vlanif22
ip address 10.1.22.1 255.255.255.0
#
interface Vlanif23
ip address 10.1.23.1 255.255.255.0


#
interface Vlanif30
ip address 10.1.30.1 255.255.255.0
#
interface Vlanif31
ip address 10.1.31.1 255.255.255.0
#
interface Vlanif32
ip address 10.1.32.1 255.255.255.0
#

interface Vlanif33
ip address 10.1.33.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.40.1 255.255.255.0
#
interface Vlanif41
ip address 10.1.41.1 255.255.255.0
#
interface Vlanif42
ip address 10.1.42.1 255.255.255.0
#
interface Vlanif43
ip address 10.1.43.1 255.255.255.0
#
interface Vlanif50
ip address 10.1.50.1 255.255.255.0
#
interface Vlanif51
ip address 10.1.51.1 255.255.255.0
#
interface Vlanif52
ip address 10.1.52.1 255.255.255.0
#
interface Vlanif53
ip address 10.1.53.1 255.255.255.0
#
interface Vlanif60
ip address 10.1.60.1 255.255.255.0
#
interface Vlanif61
ip address 10.1.61.1 255.255.255.0
#
interface Vlanif62
ip address 10.1.62.1 255.255.255.0
#

interface Vlanif63
ip address 10.1.63.1 255.255.255.0
#
interface Vlanif200
ip address 10.254.1.1 255.255.255.0
#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0

#
interface Vlanif802
ip address 10.1.202.1 255.255.255.0
#
interface Vlanif803
ip address 10.1.203.1 255.255.255.0
#
interface Vlanif804
ip address 10.1.204.1 255.255.255.0
#
interface Vlanif805

ip address 10.1.205.1 255.255.255.0
#
interface Vlanif806
ip address 10.1.206.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 13 801
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 to 23 802
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30 to 33 803
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 40 to 43 804
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 50 to 53 805
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 60 to 63 806
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
port link-type trunk

port trunk pvid vlan 10


port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 to 23
#
interface GigabitEthernet0/0/13
port link-type trunk
port trunk pvid vlan 20

port trunk allow-pass vlan 20 to 23
#
interface GigabitEthernet0/0/14
port link-type trunk
port trunk pvid vlan 30
port trunk allow-pass vlan 30 to 33
#
interface GigabitEthernet0/0/15
port link-type trunk
port trunk pvid vlan 30
port trunk allow-pass vlan 30 to 33
#
interface GigabitEthernet0/0/16
port link-type trunk
port trunk pvid vlan 40
port trunk allow-pass vlan 40 to 43
#
interface GigabitEthernet0/0/17
port link-type trunk
port trunk pvid vlan 40
port trunk allow-pass vlan 40 to 43
#
interface GigabitEthernet0/0/18
port link-type trunk
port trunk pvid vlan 50
port trunk allow-pass vlan 50 to 53
#
interface GigabitEthernet0/0/19
port link-type trunk
port trunk pvid vlan 50
port trunk allow-pass vlan 50 to 53
#
interface GigabitEthernet0/0/20
port link-type trunk


port trunk pvid vlan 60
port trunk allow-pass vlan 60 to 63
#
interface GigabitEthernet0/0/21
port link-type trunk
port trunk pvid vlan 60
port trunk allow-pass vlan 60 to 63
#
interface GigabitEthernet0/0/22
#

interface GigabitEthernet0/0/23
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 200
#
interface NULL0
#
interface LoopBack1

ip address 101.101.101.101 255.255.255.255
#
interface LoopBack2
ip address 102.102.102.102 255.255.255.255
#
interface LoopBack3
ip address 103.103.103.103 255.255.255.255
#
interface LoopBack4
ip address 104.104.104.104 255.255.255.255
#
interface LoopBack5
ip address 105.105.105.105 255.255.255.255
#
interface LoopBack6
ip address 106.106.106.106 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@;($MM!"!U<_DW.Z.H!4L,$49.>!z*#!\EX>M5e+/7j&#$4<,%@%@
user-interface vty 0 4
user-interface vty 16 20
#
return
