
HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module
Web-Based Configuration Guide

Part number: 5998-3927


Software version:
3308P29 (HP 830 Series PoE+ Unified Wired-WLAN Switch)
2308P29 (HP 10500/7500 20G Unified Wired-WLAN Module)
Document version: 6W102-20131112

Legal and notice information


Copyright 2013 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents
About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN
Module Web-Based Configuration Guide 1
Typical network scenarios 1
HP 10500/7500 20G unified wired-WLAN module network scenario 1
HP 830 series PoE+ unified wired-WLAN switch network scenario 2
Feature matrix 3
Web overview 5
Web interface 5
Web user level 5
Web-based NM functions 6
Common items on the Web pages 17
Logging in to the Web interface 23
Restrictions and guidelines 23
Operating system requirements 23
Web browser requirements 23
Others 26
Logging in to the Web interface 27
Logging out of the Web interface 28
Quick Start 29
Quick Start wizard home page 29
Basic configuration 29
Admin configuration 30
IP configuration 31
Wireless configuration 32
RADIUS configuration 33
Portal configuration 35
Encryption configuration 36
AP configuration 37
Configuration summary 39
Displaying information summary 40
Device information 40
Device info 41
System resource state 41
Device interface information 41
Recent system logs 42
Displaying WLAN service 42
Displaying detailed information about WLAN service 42
Displaying statistics of WLAN service 45
Displaying connection history information of the WLAN service 45
Displaying AP 46
Displaying WLAN service information of an AP 46
Displaying AP connection history information 46
Displaying AP radio information 47
Displaying AP detailed information 50
Displaying clients 54
Displaying client detailed information 55
Displaying client statistics 57

Displaying client roaming information 58


Displaying RF ping information 59

Managing licenses 61
Configuring enhanced licenses 61
Registering an enhanced license 61
Displaying registered enhanced licenses 62
Configuring basic device settings 63
Configuring system name 63
Configuring Web idle timeout 63
Maintaining devices 64
Upgrading software 64
Rebooting the device 65
Generating the diagnostic information file 66
Configuring the system time 67
Configuration guidelines 67
Displaying the system time 67
Configuring the system time 67
Configuring the network time 68
System time configuration example 70
Managing logs 72
Displaying syslog 72
Setting the log host 73
Setting buffer capacity and refresh interval 74
Managing the configuration 76
Backing up the configuration 76
Restoring the configuration 76
Saving the configuration 77
Initializing the configuration 78
Managing files 79
Displaying file list 79
Downloading a file 80
Uploading a file 80
Removing a file 80
Specifying the main boot file 80
Managing interfaces 81
Interface management overview 81
Displaying interface information and statistics 81
Creating an interface 83
Modifying a Layer 2 interface 85
Modifying a Layer 3 interface 88
Interface management configuration example 90
Managing users 92
Creating a user 92
Setting the super password 93
Switching the user access level to the management level 94
Configuring SNMP 95
SNMP overview 95
SNMP configuration task list 95
Enabling SNMP 96

Configuring an SNMP view 98


Creating an SNMP view 98
Adding rules to an SNMP view 99
Configuring an SNMP community 100
Configuring an SNMP group 101
Configuring an SNMP user 103
Configuring SNMP trap function 105
Displaying SNMP packet statistics 106
SNMP configuration example 107

Configuring loopback 112


Configuration guidelines 112
Loopback operation 112
Configuring MAC addresses 115
Overview 115
Configuring a MAC address entry 116
Setting the aging time of MAC address entries 117
MAC address configuration example 118
Configuring VLANs 120
Overview 120
Configuration guidelines 120
Recommended configuration procedure 121
Creating a VLAN 121
Modifying a VLAN 122
Modifying a port 123
VLAN configuration examples 124
Configuring ARP 127
Overview 127
Introduction to ARP 127
Introduction to gratuitous ARP 127
Displaying ARP entries 127
Creating a static ARP entry 128
Removing ARP entries 129
Configuring gratuitous ARP 129
Static ARP configuration example 130
Configuring ARP attack protection 134
ARP detection 134
Source MAC address based ARP attack detection 134
ARP active acknowledgement 134
ARP packet source MAC address consistency check 135
Configuring ARP detection 135
Configuring other ARP attack protection functions 136
Configuring IGMP snooping 138
Overview 138
Recommended configuration procedure 139
Enabling IGMP snooping globally 139
Configuring IGMP snooping on a VLAN 140
Configuring IGMP snooping on a port 142
Displaying IGMP snooping multicast entry information 143
IGMP snooping configuration examples 144


Configuring IPv4 and IPv6 routing 149


Overview 149
Configuration guidelines 149
Displaying the IPv4 active route table 150
Creating an IPv4 static route 150
Displaying the IPv6 active route table 151
Creating an IPv6 static route 152
IPv4 static route configuration example 153
IPv6 static route configuration example 155
DHCP overview 157
Introduction to DHCP snooping 158
Recommended configuration procedure (for DHCP server) 158
Enabling DHCP 159
Creating a static address pool for the DHCP server 160
Creating a dynamic address pool for the DHCP server 162
Enabling the DHCP server on an interface 163
Displaying information about assigned IP addresses 164
Recommended configuration procedure (for DHCP relay agent) 165
Enabling DHCP and configuring advanced parameters for the DHCP relay agent 166
Creating a DHCP server group 168
Enabling the DHCP relay agent on an interface 168
Configuring and displaying clients' IP-to-MAC bindings 169
Recommended configuration procedure (for DHCP snooping) 170
Enabling DHCP snooping 170
Configuring DHCP snooping functions on an interface 171
Displaying clients' IP-to-MAC bindings 172
DHCP server configuration example 173
DHCP relay agent configuration example 174
DHCP snooping configuration example 176
Configuring DNS 179
Overview 179
Static domain name resolution 179
Dynamic domain name resolution 179
DNS proxy 179
Recommended configuration procedure 180
Configuring static name resolution table 180
Configuring dynamic domain name resolution 180
Configuring DNS proxy 180
Configuring static name resolution table 180
Configuring dynamic domain name resolution 181
Configuring DNS proxy 182
Adding a DNS server address 182
Adding a domain name suffix 183
Clearing dynamic DNS cache 183
DNS configuration example 183
Managing services 188
Overview 188
Configuring service management 189
Using diagnostic tools 191
Ping 191
Trace route 191
Ping operation 192

IPv4 ping operation 192


IPv6 ping operation 193
Trace route operation 195

Configuring APs 197


AC-AP connection 197
Auto AP 197
AP group 197
Configuring an AP 198
Creating an AP 198
Configuring an AP 198
Configuring advanced settings 201
Configuring auto AP 204
Enabling auto AP 204
Renaming an AP 204
Batch conversion 205
Configuring an AP group 205
Creating an AP group 205
Configuring an AP group 206
Applying the AP group 207
AP connection priority configuration example 207
Configuring access services 209
Access service overview 209
Terminology 209
Client access 209
WLAN data security 212
Client access authentication 213
802.11n 214
Configuring access service 215
Recommended configuration procedure 215
Creating a WLAN service 215
Configuring clear-type wireless service 217
Configuring crypto-type wireless service 226
Security parameter dependencies 233
Enabling a wireless service 234
Binding an AP radio to a wireless service 234
Enabling a radio 236
Displaying detailed information about a wireless service 237
Wireless service configuration example 240
Auto AP configuration example 243
802.11n configuration example 248
WPA-PSK authentication configuration example 250
Local MAC authentication configuration example 255
Remote MAC authentication configuration example 260
Remote 802.1X authentication configuration example 268
Dynamic WEP encryption-802.1X authentication configuration example 277
Configuring mesh services 284
Mesh overview 284
Basic concepts in WLAN mesh 284
Advantages of WLAN mesh 285
Deployment scenarios 285
WLAN mesh security 287
Deployment scenarios 287
Configuring mesh service 288

Configuring mesh service 288


Configuring a mesh policy 291
Mesh global setup 296
Configuring a working channel 297
Enabling radio 298
Configuring a peer MAC address 298
Mesh DFS 299
Displaying the mesh link status 301
WLAN mesh configuration example 302
Mesh DFS configuration example 306

Configuring WLAN roaming 309


IACTP tunnel 309
WLAN roaming overview 309
Configuring a roaming group 309
Adding a group member 310
Displaying client information 311
WLAN roaming configuration examples 311
Intra-AC roaming configuration example 311
Inter-AC roaming configuration example 316
Configuring WLAN RRM 321
Radio overview 321
WLAN RRM overview 321
Dynamic frequency selection 321
Transmit power control 322
Spectrum analysis 324
Configuring radios 325
Configuring radio parameters 325
Enabling a radio 329
Locking the channel 330
Locking the power 331
Configuring data transmit rates 331
Configuring 802.11a/802.11b/802.11g rates 331
Configuring 802.11n MCS 333
Configuring channel scanning 335
Configuring calibration 337
Setting parameters 337
Configuring a radio group 341
Calibration operations 342
Selecting an antenna 345
Configuring spectrum analysis 346
Configuring the operating mode for an AP 346
Configuring spectrum analysis 346
Enabling spectrum analysis on a radio 349
Displaying interference device state 349
Displaying channel quality information 350
Manual channel adjustment configuration example 350
Automatic power adjustment configuration example 352
Radio group configuration example 354
Spectrum analysis configuration example 356
Configuring 802.1X 359
Overview 359
802.1X architecture 359
Access control methods 359

802.1X timers 360


Configuration prerequisites 360
Configuration procedure 361
Configuring 802.1X globally 361
Configuring 802.1X on a port 363
Configuring an 802.1X guest VLAN 365
Configuring an Auth-Fail VLAN 365

Configuring portal authentication 367


Overview 367
Configuration prerequisites 368
Configuration procedure 368
Configuring the portal service 369
Configuring advanced parameters for portal authentication 374
Configuring a portal-free rule 375
Customizing authentication pages 377
File name rules 377
Page request rules 378
Post request attribute rules 378
Page file compression and saving rules 379
File size and content rules 379
Logging off a user who closes the logon success or online page 379
Redirecting authenticated users to a specific webpage 380
Portal authentication configuration example 380
Configuring AAA 392
Overview 392
Configuration prerequisites 393
Configuration procedure 393
Configuring an ISP domain 393
Configuring authentication methods for the ISP domain 394
Configuring authorization methods for the ISP domain 396
Configuring accounting methods for the ISP domain 398
AAA configuration example 400
Network requirements 400
Configuration procedure 400
Configuring RADIUS 404
Overview 404
Configuration guidelines 404
Configuring a RADIUS scheme 405
RADIUS configuration example 411
Configuring the local EAP service 418
Configuration procedure 418
Local EAP service configuration example 419
Configuring users 426
Overview 426
Configuring a local user 427
Configuring a user group 429
Configuring a guest 430
Configuring a guest by a management level administrator 430
Configuring a guest by a guest administrator 432
Configuring a user profile 433


Managing certificates 437


Overview 437
Configuration guidelines 437
Configuration procedures 438
Configuration procedure for manual request 438
Configuration procedure for automatic request 440
Creating a PKI entity 440
Creating a PKI domain 442
Generating an RSA key pair 444
Destroying the RSA key pair 445
Retrieving and displaying a certificate 445
Requesting a local certificate 447
Retrieving and displaying a CRL 448
Certificate management configuration example 449
Configuring WLAN security 454
WLAN security overview 454
Terminology 454
WIDS attack detection 456
Blacklist and white list 457
Configuring rogue device detection 458
Recommended configure procedure 458
Configuring AP operating mode 459
Configuring detection rules 460
Configuring detection rule lists 462
Enabling countermeasures and configuring aging time for detected rogue devices 463
Displaying monitor record 464
Displaying history record 465
Configuring WIDS 466
Configuring WIDS 466
Displaying history record 466
Displaying statistics information 467
Configuring the blacklist and white list functions 468
Configuring dynamic blacklist 468
Configuring static blacklist 468
Configuring white list 469
Rogue detection configuration example 471
Configuring user isolation 474
User isolation overview 474
Before user isolation is enabled 474
After user isolation is enabled 475
Configuring user isolation 475
Configuring user isolation 475
Displaying user isolation information 476
User isolation configuration example 476
Configuring ACL and QoS 479
ACL overview 479
QoS overview 479
Configuration guidelines 480
Configuring an ACL 481
ACL configuration procedures 481
Adding a time range 481
Adding an IPv4 ACL 483
Configuring a rule for a basic IPv4 ACL 483

Configuring a rule for an advanced IPv4 ACL 485


Configuring a rule for an Ethernet frame header ACL 488
Adding an IPv6 ACL 490
Configuring a rule for a basic IPv6 ACL 491
Configuring a rule for an advanced IPv6 ACL 493
Configuring rate limit 496
Configuring the priority trust mode of a port 498
Priority mapping overview 498
Configuring priority mapping 498
Configuring a QoS policy 501
Class 501
Traffic behavior 501
Policy 501
QoS policy configuration procedure 502
Adding a class 502
Configuring traffic classification rules 503
Adding a traffic behavior 507
Configuring actions for a traffic behavior 507
Adding a policy 510
Configuring classifier-behavior associations for the policy 510
Applying a policy to a port 511
Applying a QoS policy to a WLAN service 512
ACL and QoS configuration example 514
Network requirements 514
Configuration procedure 514
Verifying the configuration 523

Configuring wireless QoS 524


Overview 524
Terminology 524
WMM protocol overview 525
Enabling wireless QoS 526
Setting the SVP service 527
Setting CAC admission policy 528
Setting radio EDCA parameters for APs 529
Setting EDCA parameters for wireless clients 530
Configuration restrictions and guidelines 530
Configuration procedure 530
Displaying radio statistics 531
Displaying client statistics 533
Setting rate limiting 534
Setting wireless service-based client rate limiting 534
Setting radio-based client rate limiting 535
Configuring the bandwidth guarantee function 536
Setting the reference radio bandwidth 537
Setting guaranteed bandwidth percents 537
Enabling bandwidth guaranteeing 538
Displaying guaranteed bandwidth settings 539
CAC service configuration example 539
Network requirements 539
Configuring the wireless service 540
Configuring CAC 540
Verifying the configuration 541
Wireless service-based static rate limiting configuration example 541
Network requirements 541

Configuring the wireless service 542


Configuring static rate limiting 542
Verifying the configuration 542
Wireless service-based dynamic rate limiting configuration example 543
Network requirements 543
Configuring the wireless service 543
Configuring dynamic rate limiting 543
Verifying the configuration 544
Bandwidth guarantee configuration example 544
Network requirements 544
Configuring the wireless services 544
Configuring bandwidth guaranteeing 545
Verifying the configuration 547

Configuring advanced settings 548


Advanced settings overview 548
Country/Region code 548
1+1 AC backup 548
1+N AC backup 549
Continuous transmitting mode 550
Channel busy test 550
WLAN load balancing 550
AP version setting 552
Switching to fat AP 552
Wireless location 552
Wireless sniffer 554
Band navigation 555
Configuring multicast optimization 555
Configuring WLAN advanced settings 556
Setting a country/region code 556
Configuring 1+1 AC backup 557
Configuring 1+N AC backup 560
Configuring continuous transmitting mode 562
Configuring a channel busy test 564
Configuring load balancing 565
Configuring AP 568
Configuring wireless location 569
Configuring wireless sniffer 570
Configuring band navigation 572
Configuring multicast optimization 574
Advanced settings configuration examples 576
1+1 fast backup configuration example 576
1+N backup configuration example 584
AP-based session-mode load balancing configuration example 587
AP-based traffic-mode load balancing configuration example 589
Group-based session-mode load balancing configuration example 590
Group-based traffic-mode load balancing configuration example 592
Wireless location configuration example 595
Wireless sniffer configuration example 597
Band navigation configuration example 600
Multicast optimization configuration example 603
Configuring stateful failover 605
Overview 605
Introduction to stateful failover 605

Stateful failover states 606


Configuration guidelines 606
Configuring stateful failover 607
Stateful failover configuration example 608

Support and other resources 616


Contacting HP 616
Subscription service 616
Related information 616
Documents 616
Websites 616
Conventions 617
Index 619


About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Web-Based Configuration Guide

The HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Web-Based Configuration Guide describes the Web functions of the HP 830 series PoE+ unified wired-WLAN switches and HP 10500/7500 20G unified wired-WLAN modules. The functions include quick start, Web overview, wireless service configuration, security and authentication configuration, QoS configuration, and advanced settings.
This book uses the webpages of the HP 10500/7500 20G Unified Wired-WLAN Module in configuration procedures. For features not available on the module, it uses the webpages of the HP 830 24-port PoE+ unified wired-WLAN switch.
The interface types and displayed webpages vary by AP model.
If a function or parameter is grayed out, it is either not supported on the device or cannot be modified.

Typical network scenarios


HP 10500/7500 20G unified wired-WLAN module network scenario
As shown in Figure 1, an HP 10500/7500 20G unified wired-WLAN module is installed on a Layer 2
or Layer 3 switch, the switch is connected to APs directly or over an IP network, and clients access the
network through the APs.

Figure 1 Network diagram

HP 830 series PoE+ unified wired-WLAN switch network scenario
As shown in Figure 2, the switch that has both AC and switch functions is connected to APs directly or
over an IP network, and clients access the network through the APs.
Figure 2 Network diagram

Feature matrix
The HP 10500/7500 20G unified wired-WLAN module adopts the OAA architecture. It works as an
OAP card on a switch to exchange data and status and control information with the switch through their
internal interfaces. Do not configure services such as QoS rate limit and 802.1X authentication on the
internal interfaces.
The controller engine and switching engine of an HP 830 series PoE+ unified wired-WLAN switch adopt
the OAA architecture. The switching engine is integrated on the controller engine as OAP software. You
actually log in to the controller engine when you log in to the switch by default.
HP recommends not configuring QoS rate limiting or 802.1X authentication on the internal aggregate
interfaces (BAGG1) between the switching engine and the controller engine on an HP 830 switch.
Inappropriate rate limiting or authentication settings on the internal aggregate interfaces can cause
communication problems between the switching engine and the controller engine.
On the HP 830 24-port switch, the switching engine's internal aggregate interface is formed by
GigabitEthernet 1/0/29 and GigabitEthernet 1/0/30. On the HP 830 8-port switch, the switching
engine's internal aggregate interface is formed by GigabitEthernet 1/0/10 and GigabitEthernet
1/0/11. On all HP 830 switches, the controller engine's internal aggregate interface is formed by
GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
This document only describes the feature matrix for the controller engine of an HP 830 series PoE+
unified wired-WLAN switch. For feature and configuration information about the switching engine of an
HP 830 series PoE+ unified wired-WLAN switch, see HP 830 Series PoE+ Unified Wired-WLAN Switch
Switching Engine Configuration Guides.
Table 1 Feature matrix

Column key: "10500/7500 module" is the HP 10500/7500 20G unified wired-WLAN module; "830 24-port" and "830 8-port" are the controller engines of the HP 830 24-port and 8-port PoE+ unified wired-WLAN switches.

Module | Feature | 10500/7500 module | 830 24-port | 830 8-port
 | License management | Supports 128 concurrent APs by default; can be extended to support 1024 concurrent APs. | Supports 24 concurrent APs by default; can be extended to support 60 concurrent APs. | Supports 12 concurrent APs by default; can be extended to support 24 concurrent APs.
Device | File management | CF card and USB supported. | Flash supported. | CF card supported.
Device | Loopback test | Internal loopback testing only, supported on XGE interfaces only. | Internal loopback testing only, supported on GE interfaces only. | Internal loopback testing only, supported on GE interfaces only.
Network | IGMP snooping | The maximum number of multicast groups is in the range of 1 to 256 and defaults to 256. | The maximum number of multicast groups is in the range of 1 to 64 and defaults to 64. | The maximum number of multicast groups is in the range of 1 to 64 and defaults to 64.
AP | AP group (licenses must be fully configured to reach the maximum number of group IDs) | Group IDs are in the range of 1 to 128. | Group IDs are in the range of 1 to 36. | Group IDs are in the range of 1 to 12.
Advanced settings (high availability) | AC backup | Supported. | Not supported. | Not supported.
Advanced settings (high availability) | Fast backup (hello interval) | Supported (hello interval of 30 to 2000; the default is 2000). | Not supported. | Not supported.
Advanced settings (high availability) | 1+1 AC backup | Supported. | Not supported. | Not supported.
Advanced settings (high availability) | Stateful failover | Supported. | Not supported. | Not supported.

Web overview
This chapter describes the Web interface, functions available on the Web interface, Web user levels you
must have to perform a function, and common icons and buttons on the Web pages.

Web interface
The Web interface consists of the navigation area, title area, and body area.
Figure 3 Web-based configuration interface

(1) Navigation area
(2) Body area
(3) Title area

Navigation area: Organizes the Web-based NM function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area. Web network management functions not supported by the device are not displayed in the navigation area.

Body area: The area where you configure and display a function.

Title area: On the left, displays the path of the current configuration interface in the navigation area; on the right, provides the Save button to quickly save the current configuration, the Help button to display the Web-related help information, and the Logout button to log out of the Web interface.

Web user level

Web user levels, from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a user with a lower level.

Visitor: Users can use the network diagnostic tools ping and trace route, but they can neither access the device data nor configure the device.

Monitor: Users can only access the device data; they cannot configure the device.

Configure: Users can access device data and configure the device, but they cannot upgrade the host software, add, delete, or modify users, or back up or restore configuration files.

Management: Users of this level can perform any operation on the device.
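The level hierarchy above and the per-function levels in Table 2 together form the Web interface's access policy: a request is permitted when the user's level is at or above the level the function requires. The following Python model is an added example, not the device's own code. The four level names and the required levels of the listed functions come from this guide; the function names, the policy structure, the deny-by-default rule for unknown functions, and the way the super-password step is modelled are assumptions made for illustration. Note, from Table 2, that "Switch To Management" is reachable at Monitor level, so the super password is the only thing standing between a monitor-level account and full control of the device.

```python
"""Model of the Web user-level check described in this guide.

Added example, not the device's own code. Levels and required levels are
taken from the guide and Table 2; everything else is an assumption.
"""
import hmac

# Levels from low to high; a higher level inherits all rights of the lower ones.
LEVELS = ("visitor", "monitor", "configure", "management")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Minimum level required per Web function (a subset of Table 2).
POLICY = {
    "Diagnostic Tools > IPv4 Ping": "visitor",
    "Summary > Device Info": "monitor",
    "Device > Users > Switch To Management": "monitor",
    "Device > Configuration > Save": "configure",
    "Device > Users > Create": "configure",
    "Device > Configuration > Backup": "management",
    "Device > Device Maintenance > Software Upgrade": "management",
    "Service management": "management",
}


def is_allowed(level: str, function: str) -> bool:
    """Deny by default: an unknown level or an unlisted function never passes."""
    required = POLICY.get(function)
    if required is None or level not in RANK:
        return False
    return RANK[level] >= RANK[required]


def reachable(level: str) -> list:
    """Functions a user of this level may use, including inherited ones."""
    return sorted(f for f in POLICY if is_allowed(level, f))


def switch_to_management(level: str, supplied: str, super_password: str) -> str:
    """Model the 'Switch To Management' step from Table 2.

    Any level that can reach the menu may try, but the level only changes
    when the supplied super password matches. compare_digest is used so the
    check does not leak the matching prefix length through timing; how the
    real device compares the password is not documented here (assumption).
    """
    if not is_allowed(level, "Device > Users > Switch To Management"):
        return level
    if hmac.compare_digest(supplied.encode(), super_password.encode()):
        return "management"
    return level


if __name__ == "__main__":
    for lvl in LEVELS:
        print(f"{lvl:11s} -> {reachable(lvl)}")
    print(switch_to_management("monitor", "s3cret", "s3cret"))  # management
```

Running the block prints, for each level, the functions it may use, and shows that a monitor-level session becomes management-level once the correct super password is supplied; the same call with a wrong password leaves the level unchanged.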

Web-based NM functions
Support for the configuration items depends on the device model. For more information, see "About the
HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN
Module Web-Based Configuration Guide."
A user level in Table 2 indicates that users of this level or users of a higher level can perform the
corresponding operations.
Table 2 Web-based NM function description
Function menu

Description

User level

Quick Start

Perform quick configuration of the


device.

Configure

Device Info

Display and refresh system resource


state, device interface information, and
recent system operation logs.

Monitor

Wireless Service

Display the information of the queried


WLAN service, including the detailed
information, statistics, and connection
history.

Monitor

Display the information of the queried


AP, including wireless service,
connection history, radio, and detailed
information.

Monitor

Reboot an AP.

Configure

Display the detailed information,


statistics, roaming, and link information
of the client.

Monitor

Clear statistics of the client, disconnect


the connection, and add the client into
the blacklist.

Configure

Display license information.

Monitor

Add licenses.

Configure

Display enhanced license information.

Monitor

Register enhanced licenses.

Configure

System Name

Display and configure the system


name.

Configure

Web Idle Timeout

Display and configure the idle timeout


time for a logged-in user.

Configure

Summary

AP

Client

License
License
Enhanced License

Device

Basic

Function menu

Device
Maintenance

Description

User level

Software Upgrade

Upload the file to be upgraded from the


local host to upgrade the system
software.

Management

Reboot

Reboot the device.

Management

Diagnostic
Information

Generate a diagnostic information file,


view the file, or save the file to the local
host.

Management

Display the system date and time.

Monitor

Manually set the system date and time.

Configure

Display time synchronization status


and network time configuration.

Monitor

Set local and external clock sources


and system time zone.

Configure

Display and refresh system logs.

Monitor

Clear system logs.

Configure

Loghost

Display and configure the loghost.

Configure

Log Setup

Display and configure the buffer


capacity, and refresh interval for
displaying system logs.

Configure

Backup

Back up the configuration file for the


next startup to the host of the current
user.

Management

Restore

Upgrade the configuration file on the


host of the current user to the device for
the next startup.

Management

Save

Save the current configuration to the


configuration file for the next startup.

Configure

Initialize

Restore the system to factory defaults.

Configure

Manage files on the device, including


displaying file list, downloading a file,
uploading a file, removing a file, and
setting the main boot file.

Management

Display interface information and


statistics.

Monitor

Create, modify, and delete an


interface, and clear interface statistics.

Configure

Summary

Display brief information of Web, FTP


and Telnet users.

Monitor

Super Password

Configure the password for a


lower-level user to switch from the
current access level to the management
level.

Configure

Create

Create a Web, FTP, or Telnet user.

Configure

System Time
System Time
Net Time

Loglist
Syslog

Configuration

File management

Interface

Users

Function menu

Description

User level

Modify

Modify Web, FTP, or Telnet user


information.

Configure

Remove

Remove a Web, FTP, or Telnet user.

Configure

Switch To
Management

Switch the current user level to the


management level.

Monitor

Setup

Display and refresh SNMP


configuration and statistics
information.

Monitor

Configure SNMP.

Configure

Display SNMP community information.

Monitor

Create, modify, and delete an SNMP


community.

Configure

Display SNMP group information.

Monitor

Create, modify, and delete an SNMP


group.

Configure

Display SNMP user information.

Monitor

Create, modify, and delete an SNMP


user.

Configure

Display the status of the SNMP trap


function and information about target
hosts.

Monitor

Enable or disable the SNMP trap


function, or create, modify, and delete
a target host.

Configure

Display SNMP view information.

Monitor

Create, modify, and delete an SNMP


view.

Configure

Perform the loopback test on Ethernet


interfaces.

Configure

Display MAC address information.

Monitor

Create or remove MAC addresses.

Configure

Display and configure MAC address


aging time.

Configure

Display all VLANs on the device and


information about their member ports.

Monitor

Create, modify, and delete VLANs.

Configure

Display VLANs to which a port on the


device belongs.

Monitor

Modify the VLANs to which a port


belongs.

Configure

Display ARP table information.

Monitor

Add, modify, or delete an ARP entry.

Configure

Community

Group

SNMP
User

Trap

View

Loopback
MAC
MAC
Setup

VLAN
Network
VLAN
Port

ARP
Management

ARP Table

Function menu / Description / (User level)

ARP Management > Gratuitous ARP
  Display configuration information of gratuitous ARP. (Monitor)
  Configure gratuitous ARP. (Configure)
ARP Anti-Attack > ARP Detection
  Display the configuration information of ARP detection. (Monitor)
  Configure ARP detection. (Configure)
ARP Anti-Attack > Advanced Configuration
  Display the configuration information of source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check. (Monitor)
  Configure source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check. (Configure)
IGMP Snooping > Basic
  Display global IGMP Snooping configuration information and the IGMP Snooping configuration information in a VLAN, and view the IGMP Snooping multicast entry information. (Monitor)
  Configure IGMP Snooping globally and in a VLAN. (Configure)
IGMP Snooping > Advance
  Display the IGMP Snooping configuration information on a port. (Monitor)
  Configure IGMP Snooping on a port. (Configure)
IPv4 Routing > Summary
  Display the IPv4 active route table. (Monitor)
IPv4 Routing > Create
  Create an IPv4 static route. (Configure)
IPv4 Routing > Remove
  Delete the selected IPv4 static routes. (Configure)
IPv6 Routing > Summary
  Display the IPv6 active route table. (Monitor)
IPv6 Routing > Create
  Create an IPv6 static route. (Configure)
IPv6 Routing > Remove
  Delete the selected IPv6 static routes. (Configure)
DHCP > DHCP Server
  Display the DHCP service status, the DHCP address pool information, the DHCP server status on an interface, and addresses in use. (Monitor)
  Set the DHCP service status, add, modify, or delete a DHCP address pool, and modify the DHCP server status on an interface. (Configure)

DHCP > DHCP Relay
  Display the status of a DHCP service and advanced configuration information of DHCP relay, display information of a DHCP group and the status of the DHCP relay agent on an interface, and view the DHCP relay user information. (Monitor)
  Configure the status of a DHCP service and advanced configuration information of DHCP relay, add or delete a DHCP group, and modify the status of the DHCP relay agent on an interface. (Configure)
DHCP > DHCP Snooping
  Display the status of the DHCP Snooping function and the trusted and untrusted attributes of a port, and view the DHCP Snooping user information. (Monitor)
  Configure the status of the DHCP Snooping function, and modify the trusted and untrusted attributes of a port. (Configure)
DNS > Static
  Display, create, modify, or delete a static host name-to-IP address mapping. (Configure)
DNS > Dynamic
  Display and configure related parameters for dynamic domain name resolution. Display, create, or delete an IP address and the domain name suffix. (Configure)
Service
  Display the states of the services: enabled or disabled. (Monitor)
  Specify whether to enable various services, and set related parameters. (Management)
Diagnostic Tools > IPv4 Ping
  Ping an IPv4 address or host and display the result. (Visitor)
Diagnostic Tools > IPv6 Ping
  Ping an IPv6 address or host and display the result. (Visitor)
Diagnostic Tools > Trace Route
  Perform trace route operations and display the result. (Visitor)
AP > AP Setup
  Display AP-related information, including AP name, AP IP address, serial ID, model, and status. (Monitor)
  Add an AP and modify the AP configuration. (Configure)
AP > Auto AP
  Display auto AP information after auto AP is enabled, including AP name, model, serial ID, and IP address. (Monitor)
  Enable auto AP. (Configure)

Wireless Service
AP > AP Group
  Display AP group information. (Monitor)
  Create and configure an AP group. (Configure)
Access Service
  Display an access service, including security type, detailed information, service status, and binding status. (Monitor)
  Create and configure an access service, map an access service to an AP radio, and add a MAC authentication list. (Configure)
Mesh Service > Mesh Service
  Display a mesh service, including its detailed information, status, and binding information. (Monitor)
  Create and configure a mesh service, including security settings. (Configure)
Mesh Service > Mesh Policy
  Display mesh policies. (Monitor)
  Create and configure a mesh policy. (Configure)
Mesh Service > Global Setup
  Display mesh global settings, including basic settings, mesh DFS, and mesh portal service. (Monitor)
  Configure mesh global settings, including basic settings, mesh DFS, and mesh portal service. (Configure)
Mesh Service > Mesh Channel Optimize
  Display radio information and channel switch information in a mesh network. (Monitor)
  Configure mesh channel optimization. (Configure)
Mesh Service > Mesh Link Info
  Display mesh link status information. (Monitor)
  Monitor mesh link status and refresh mesh link status information. (Monitor)
Mesh Service > Mesh Link Test
  Display mesh link test results. (Monitor)
  Test mesh links and refresh mesh link test results. (Configure)
Roam > Roam Group
  Display a roaming group and its members. (Monitor)
  Configure a roaming group and add a group member. (Configure)
Roam > Roam Client
  Display client information, including MAC address, BSSID, VLAN ID, home AC, and roaming direction. (Monitor)
Radio > Radio
  Display radio status, including radio mode and radio status. (Monitor)
  Configure radio parameters, including 802.11n settings. (Configure)
Radio > Rate
  Display rate settings. (Monitor)

Radio > Rate
  Configure rates, including MCS index. (Configure)
Channel Scan
  Display channel scanning, including scanning mode, scanning type, and scanning interval. (Monitor)
  Configure channel scanning, including scanning mode and scanning type. (Configure)
Calibration > Operation
  Display or refresh AP status, including channel status, neighbor information, and history information. (Monitor)
  Manual calibration. (Configure)
Calibration > Parameters
  Display basic setup, channel setup, and power setup. (Monitor)
  Configure channel calibration parameters. (Configure)
Radio Group
  Display radio group configuration. (Monitor)
  Configure a radio group. (Configure)
Antenna Switch
  Configure the antenna of an AP. (Configure)
Authentication
802.1X
  Display the global 802.1X information and 802.1X information of a port. (Monitor)
  Configure the global 802.1X features and 802.1X features of a port. (Configure)
Portal > Portal Server
  Display configuration information about the portal server and advanced parameters for portal authentication. (Monitor)
  Add and delete a portal server, and modify advanced parameters for portal authentication. (Configure)
Portal > Free Rule
  Display the portal-free rule configuration information. (Monitor)
  Add and delete a portal-free rule. (Configure)
AAA > Domain Setup
  Display ISP domain configuration information. (Monitor)
  Add and remove ISP domains. (Management)
AAA > Authentication
  Display the authentication method configuration information of an ISP domain. (Monitor)
  Specify authentication methods for an ISP domain. (Management)
AAA > Authorization
  Display the authorization method configuration information of an ISP domain. (Monitor)
  Specify authorization methods for an ISP domain. (Management)

AAA > Accounting
  Display the accounting method configuration information of an ISP domain. (Monitor)
  Specify accounting methods for an ISP domain. (Management)
RADIUS
  Display, add, modify, and delete a RADIUS scheme. (Management)
Local EAP Server
  Display the configuration information of the local EAP service. (Monitor)
  Configure the local EAP service. (Configure)
Users
Local User
  Display local users' configuration information. (Monitor)
  Add, modify, and remove local users. (Management)
User Group
  Display user groups' configuration information. (Monitor)
  Add, modify, and remove user groups. (Management)
Guest
  Display guest users' configuration information. (Monitor)
  Add, modify, and remove guest users. (Management)
User Profile
  Display user profile configuration information. (Monitor)
  Add, modify, remove, enable, and disable user profiles. (Configure)
Certificate Management > Entity
  Display information about PKI entities. (Monitor)
  Add, modify, and delete a PKI entity. (Configure)
Certificate Management > Domain
  Display information about PKI domains. (Monitor)
  Add, modify, and delete a PKI domain. (Configure)
Certificate Management > Certificate
  Display the certificate information of PKI domains and view the contents of a certificate. (Monitor)
  Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate. (Configure)
Certificate Management > CRL
  Display the contents of the CRL. (Monitor)
  Receive the CRL of a domain. (Configure)
Security
Rogue detection > AP Monitor
  Display AP operating mode. (Monitor)
  Configure AP operating mode. (Configure)
Rogue detection > Rule List
  Display list types for the rogue device detection and the detection rules. (Monitor)
  Configure list types for rogue device detection and the rules. (Configure)

Rogue detection > Monitor Record
  Display monitor record of rogue device detection. (Monitor)
  Clear monitor record of rogue device detection, and add rogue devices to the blacklist. (Configure)
Rogue detection > History Record
  Display rogue device detection history. (Monitor)
  Clear history of rogue device detection and add rogue devices to the blacklist. (Configure)
WIDS > WIDS Setup
  Display IDS configuration. (Monitor)
  Configure IDS detection, including flood attack detection, spoofing attack detection, and weak IV detection. (Configure)
WIDS > History Record
  Display IDS attack detection history. (Monitor)
  Clear history record of IDS attack detection and add the detected devices that initiate attacks to the blacklist. (Configure)
WIDS > Statistics
  Display statistics of IDS attack detection. (Monitor)
  Clear the statistics. (Configure)
Filter > Blacklist
  Display dynamic and static blacklists. (Monitor)
  Clear dynamic blacklist and static blacklist, enable dynamic blacklist, and add entries to the static blacklist. (Configure)
Filter > White List
  Display white list. (Monitor)
  Clear white list and add entries to the white list. (Configure)
User Isolation
  Display, add, modify, and remove user isolation configuration. (Management)
QoS
Time Range > Summary
  Display time range configuration information. (Monitor)
Time Range > Add
  Create a time range. (Configure)
Time Range > Remove
  Delete a time range. (Configure)
ACL IPv4 > Summary
  Display IPv4 ACL configuration information. (Monitor)
ACL IPv4 > Add
  Create an IPv4 ACL. (Configure)
ACL IPv4 > Basic Setup
  Configure a rule for a basic IPv4 ACL. (Configure)
ACL IPv4 > Advanced Setup
  Configure a rule for an advanced IPv4 ACL. (Configure)
ACL IPv4 > Link Setup
  Create a rule for an Ethernet frame header ACL. (Configure)
ACL IPv4 > Remove
  Delete an IPv4 ACL or its rules. (Configure)

ACL IPv6 > Summary
  Display IPv6 ACL configuration information. (Monitor)
ACL IPv6 > Add
  Create an IPv6 ACL. (Configure)
ACL IPv6 > Basic Setup
  Configure a rule for a basic IPv6 ACL. (Configure)
ACL IPv6 > Advanced Setup
  Configure a rule for an advanced IPv6 ACL. (Configure)
ACL IPv6 > Remove
  Delete an IPv6 ACL or its rules. (Configure)
Wireless QoS > Wireless QoS
  Display wireless QoS, including SVP mapping, CAC admission policy, radio EDCA, and client EDCA. (Monitor)
  Configure wireless QoS, including SVP mapping, CAC admission policy, radio EDCA, and client EDCA. (Configure)
Wireless QoS > Radio Statistics
  Display radio statistics, including WMM status and detailed radio information. (Monitor)
  Display radio statistics, including WMM status and detailed radio information, and clear the radio statistics. (Configure)
Wireless QoS > Client Statistics
  Display client statistics, including WMM status and detailed client information. (Monitor)
  Display client statistics, including WMM status and detailed client information, and clear the client statistics. (Configure)
Wireless QoS > Client Rate Limit
  Display the configured client rate limit information. (Monitor)
  Configure and modify client rate limiting mode, direction, and rate. (Configure)
Wireless QoS > Bandwidth Guarantee
  Display bandwidth settings for different radio types. (Monitor)
  Configure bandwidth guarantee settings. (Configure)
Line Rate > Summary
  Display line rate configuration information. (Monitor)
Line Rate > Setup
  Configure the line rate. (Configure)
Port Priority
  Display the priority and trust mode of a port. (Monitor)
  Modify the priority and trust mode of a port. (Configure)
Trust Mode
  Display priority trust mode configuration information. (Management)

Trust Mode
  Configure the priority trust mode. (Management)
Classifier > Summary
  Display classifier configuration information. (Monitor)
Classifier > Add
  Create a class. (Configure)
Classifier > Setup
  Configure the classification rules for a class. (Configure)
Classifier > Remove
  Delete a class or its classification rules. (Configure)
Behavior > Summary
  Display traffic behavior configuration information. (Monitor)
Behavior > Add
  Create a traffic behavior. (Configure)
Behavior > Setup
  Configure actions for a traffic behavior. (Configure)
Behavior > Remove
  Delete a traffic behavior. (Configure)
QoS Policy > Summary
  Display QoS policy configuration information. (Monitor)
QoS Policy > Add
  Create a QoS policy. (Configure)
QoS Policy > Setup
  Configure the classifier-behavior associations for a QoS policy. (Configure)
QoS Policy > Remove
  Delete a QoS policy or its classifier-behavior associations. (Configure)
Port Policy > Summary
  Display the QoS policy applied to a port. (Monitor)
Port Policy > Setup
  Apply a QoS policy to a port. (Configure)
Port Policy > Remove
  Remove the QoS policy from the port. (Configure)
Service Policy
  Display the QoS policy applied to a WLAN-ESS port. (Monitor)
  Configure the QoS policy applied to a WLAN-ESS port. (Configure)
Advanced
Country/Region Code
  Display the country/region code. (Monitor)
  Modify the country/region code. (Configure)
AC Backup > Setup
  Display the address of the backup AC. (Monitor)
  Configure the address of the backup AC. (Configure)
AC Backup > Status
  Display the status of the AC. (Monitor)
Continuous Transmit
  Display the continuous transmitting mode of an AP. (Monitor)
  Switch the continuous transmitting mode of an AP. (Configure)
Channel Busy Test
  Display channel busy rate test results. (Monitor)
  Test busy rate of channels, and output test results. (Configure)

Load Balancing > Load Balance
  Display the load balancing mode and the current connection status. (Monitor)
  Configure the load balancing mode and refresh the current connection status. (Configure)
Load Balancing > Load Balance Group
  Display load balancing group configuration. (Monitor)
  Configure a load balancing group. (Configure)
AP > AP Module
  Display the AP version, including the AP model and software version. (Monitor)
  Upgrade the software. (Configure)
AP > Switch to fat AP
  Display the model and IP address of the AP. (Monitor)
  Switch to fat AP. (Configure)
Wireless Location
  Display wireless location settings. (Monitor)
  Configure, enable, and disable wireless location. (Configure)
Wireless Sniffer
  Display wireless sniffer configuration. (Monitor)
  Configure, enable, and disable wireless sniffer parameters. (Configure)
Band Navigation
  Display band navigation settings. (Monitor)
  Set band navigation parameters. (Configure)
Multicast Optimization
  Display multicast optimization settings and view multicast optimization information. (Monitor)
  Configure multicast optimization and display multicast optimization information. (Configure)
High Reliability > Stateful Failover
  Display stateful failover information. (Monitor)
  Modify stateful failover configuration. (Configure)

Common items on the Web pages


Buttons and icons
Table 3 Commonly used buttons and icons
Button and icon / Description
Applies the configuration on the current page.
Cancels the configuration on the current page, and returns to the corresponding list page or the Device Info page.
Refreshes the current page.
Clears all entries in a list or all statistics.
Adds an item.
Removes the selected items.
Selects all the entries in a list, or selects all ports on the device panel.
Clears all the entries in a list, or clears all ports on the device panel.
Restores the values of all the entries on the current page to the default.
Buffers settings you made and proceeds to the next step without applying the settings. This button is typically present on the configuration wizard.
Buffers settings you made and returns to the previous step without applying the settings. This button is typically present on the configuration wizard.
Applies all settings you made at each step and finishes the configuration task. This button is typically present on the configuration wizard.
Accesses a configuration page to modify settings. This icon is typically present in the Operation column in a list.
Deletes an entry. This icon is typically present in the Operation column in a list.
Page display
The Web interface can display contents by pages, as shown in Figure 4. You can set the number of entries displayed per page, and view the contents on the first, previous, next, and last pages, or go to any page that you want to check.
NOTE:
A list can contain a maximum of 20000 entries if displayed in pages.

Figure 4 Content display by pages

Searching function
The Web interface provides you with basic and advanced searching functions to display only the entries that match specific searching criteria.

Basic search: As shown in Figure 4, input the keyword in the text box above the list, select a search item from the list, and click Search to display the entries that match the criteria. Figure 5 shows an example of searching for entries with 00e0 included in the MAC address.

Figure 5 Basic search function example

Advanced search: As shown in Figure 4, you can click the Advanced Search link to open the advanced search page, as shown in Figure 6. Specify the search criteria, and click Apply to display the entries that match the criteria.

Figure 6 Advanced search

Take the ARP table shown in Figure 4 as an example. If you want to search for the ARP entries with 000f at the beginning of the MAC address and IP addresses in the range 192.168.1.50 to 192.168.1.59, follow these steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 7, and click Apply. The ARP entries with 000f at the beginning of the MAC address are displayed.

Figure 7 Advanced search function example (I)

2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 8, and click Apply. The ARP entries with 000f at the beginning of the MAC address and IP addresses in the range 192.168.1.50 to 192.168.1.59 are displayed, as shown in Figure 9.

Figure 8 Advanced search function example (II)

Figure 9 Advanced search function example (III)

Sorting function
The Web interface provides you with basic functions to display entries in certain orders.
On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected. After you click it, the heading item is displayed with an arrow beside it, as shown in Figure 10. The upward arrow indicates ascending order, and the downward arrow indicates descending order.

Figure 10 Basic sorting function example (based on IP address in the descending order)

Logging in to the Web interface


You can log in to the Web interface of the device through HTTP.
Figure 11 Web-based network management environment

Restrictions and guidelines


To ensure a successful login, verify that your operating system and Web browser meet the requirements,
and follow the guidelines in this section.

Operating system requirements

The device supports the following operating systems:


Linux
MAC OS
Windows 2000
Windows 7
Windows Server 2003 Enterprise Edition
Windows Server 2003 Standard Edition
Windows Vista
Windows XP

If you are using a Windows operating system, turn off the Windows firewall. The Windows firewall limits the number of TCP connections. When the limit is reached, you cannot log in to the Web interface.

Web browser requirements

The device supports the following Web browsers:


Google Chrome 2.0.174.0 or higher
Microsoft Internet Explorer 6.0 SP2 or higher
HP recommends that you select Display all websites in Compatibility View for Microsoft Internet
Explorer 9.0 or higher.
Mozilla Firefox 3.0 or higher

If you are using a Microsoft Internet Explorer browser, you must enable the security settings (see "Enabling security settings in a Microsoft Internet Explorer browser"), including Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.

If you are using a Mozilla Firefox browser, you must enable JavaScript (see "Enabling JavaScript in a Firefox browser").

Enabling security settings in a Microsoft Internet Explorer browser

1. Launch Internet Explorer, and select Tools > Internet Options from the main menu.

2. Select the Security tab, and select the content zone where the target Website resides, as shown in Figure 12.

Figure 12 Internet Explorer settings (I)

3. Click Custom Level.

4. In the Security Settings dialog box, enable Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.

Figure 13 Internet Explorer settings (II)

5. Click OK to save your settings.

Enabling JavaScript in a Firefox browser

1. Launch the Firefox browser, and select Tools > Options.

2. In the Options dialog box, click the Content icon, and select Enable JavaScript.

Figure 14 Firefox browser settings

3. Click OK to save your settings.

Others

Make sure the management PC and the device can reach each other.

Do not use the Back, Next, or Refresh buttons provided by the browser. Using these buttons might result in Web page display problems.

To ensure correct display of Web page contents after a software upgrade or downgrade, clear the data cached by the browser before you log in.

You cannot log in to the Web interface while the device is performing spanning tree calculation.

To get a new verification code, click the verification code displayed on the Web login page.

Up to 24 users can concurrently log in to the device through the Web interface.

After logging in to the Web interface, you can select Device > Users from the navigation tree to create a new user, and select Wizard or Network > VLAN interface to configure the IP address of the VLAN interface acting as the management interface.

Logging in to the Web interface


You can use the following default settings to log in to the Web interface through HTTP:

Username: admin

Password: admin

IP address of VLAN-interface 1 of the device: 192.168.0.100

To log in to the device through HTTP:

1. Connect the GigabitEthernet interface of the device to a PC by using a crossover Ethernet cable. By default, all interfaces belong to VLAN 1.
The PC in this procedure is used for configuring basic device settings, and it is not necessarily the PC you use for Web-based management.

2. Configure an IP address for the PC and make sure the PC and device can reach each other. For example, assign the PC an IP address in 192.168.0.0/24 other than 192.168.0.100 (192.168.0.2, for example).

3. Open the browser, and input the login information.
a. In the address bar, type http://192.168.0.100, and press Enter. The login page of the Web interface (see Figure 15) appears.
b. Enter the username admin, the password admin, and the verification code, and click Login.

Figure 15 Logging in to the Web interface

c. Select a country/region code from the Country/Region list, and click Apply.

Figure 16 Selecting a country/region code

Logging out of the Web interface


CAUTION:
You cannot log out by directly closing the browser.

1. Save the current configuration.
Because the system does not save the current configuration automatically, HP recommends that you perform this step to avoid loss of configuration.

2. Click Logout in the upper-right corner of the Web interface.

Quick Start
Quick Start wizard home page
From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard.
Figure 17 Home page of the Quick Start wizard

Basic configuration
1. On the home page of the Quick Start wizard, click Start.
The basic configuration page appears.

Figure 18 Basic configuration page

2. Configure the parameters as described in Table 4.

Table 4 Configuration items

Item: Description

System Name: Specify the name of the current device. By default, the system name of the device is HP.

Country/Region Code: Select the code of the country in which you are located. This field defines the radio frequency characteristics, such as the power and the total number of channels for frame transmission. Before configuring the device, you need to configure the country code correctly. If the Country Code field is grayed out, it cannot be modified.

Time Zone: Select a time zone for the system.

Time: Specify the current time and date.

Admin configuration
1. On the basic configuration page, click Next.
The Admin Configuration page appears.

Figure 19 Admin Configuration page

2. Configure the parameters as described in Table 5.

Table 5 Configuration items

Item: Description

Password: Specify the password for user admin to use to log in to the device, in cipher text.

Confirm Password: Enter the password again to confirm the password.

Password Encryption: Select the attribute for the password encryption method: Reversible or Irreversible.

IP configuration
1. On the Admin Configuration page, click Next.
The IP Configuration page appears.

Figure 20 IP Configuration page

2. Configure the parameters as described in Table 6.

Table 6 Configuration items

Item: Description

IP Address: Specify the IP address of VLAN-interface 1. This IP address is used for logging in to the device. The default is 192.168.0.100.

Mask: Specify the IP address mask of VLAN-interface 1. By default, the mask is 24 bits long.

Default Gateway: Specify the IP address of the default gateway that connects the device to the network. By default, the IP address of the default gateway is not specified.

Wireless configuration
1. On the IP Configuration page, click Next.
The wireless configuration page appears.

Figure 21 Wireless configuration page

2. Configure the parameters as described in Table 7.

Table 7 Configuration items

Item: Description

Primary Service Authentication type: Select the authentication type for the wireless service:
  None: Performs no authentication.
  User authentication (802.1X): Performs 802.1X authentication.
  Portal: Performs Portal authentication.

Wireless Service: Specify the Service Set Identifier (SSID).

Encrypt: Select this box to go to the 7/13: Encryption Configuration step. By default, no encryption is performed. If this option is not selected, the 7/13: Encryption Configuration step is skipped.

RADIUS configuration
1. On the wireless configuration page, select User authentication (802.1X) or Portal for the Primary Service Authentication Type field.

2. Click Next.

3. The RADIUS Configuration page appears.

Figure 22 RADIUS Configuration page

4. Configure the parameters as described in Table 8.

Table 8 Configuration items

Item: Description

Service Type: Select the type of the RADIUS server:
  extended: Specifies the extended RADIUS server, which is usually an IMC server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of a private RADIUS protocol.
  standard: Specifies the standard RADIUS server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of the standard RADIUS protocols (RFC 2138, RFC 2139, and the updates).

Authentication IP: Enter the IP address of the RADIUS authentication server.

Authentication UDP Port: Enter the port number of the RADIUS authentication server.

Authentication Key: Enter the shared key of the RADIUS authentication server.

Accounting IP: Enter the IP address of the RADIUS accounting server.

Accounting UDP Port: Enter the port number of the RADIUS accounting server.

Accounting Key: Enter the shared key of the RADIUS accounting server.
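The shared keys entered on this page are what the RADIUS client (the access device) and the server use under the standard protocol to hide User-Password and to authenticate replies. The following Python is an added example, not code from this guide or the device: it builds an Access-Request as RFC 2138 describes, lets a server holding the same secret recover the password and answer, and verifies the reply's Response Authenticator, including with a deliberately wrong key; the secret, user, password and NAS address are constructed sample values.

```python
"""RADIUS shared-key mechanics for the 'standard' server type (RFC 2138 / RFC 2865).

Added example, not code from the HP guide or the device. It shows what the
Authentication Key and Accounting Key fields do on the wire: hide User-Password in an
Access-Request and authenticate the server's reply. All sample values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous cipher block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the inverse of hide_password, with the zero padding stripped."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        plain += bytes(h ^ d for h, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Attribute type -> value for everything after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: bytes, request_auth: bytes = b"") -> bytes:
    """Client side (the access device): Access-Request with a random Request
    Authenticator, or a supplied one for reproducible demonstrations."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret), so only a holder of the shared key can produce a valid reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the configured key. A reply
    made with another key, or altered in transit, fails and is silently dropped, which is
    why a key mismatch between AC and server shows up as authentication timeouts."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo_exchange(secret: bytes = b"constructed-shared-key") -> dict:
    """Round trip with fixed sample values, returning the checks worth looking at."""
    request_auth = bytes(range(16))        # fixed for reproducibility only
    nas_ip = bytes([192, 168, 0, 100])     # the guide's default VLAN-interface 1 address
    request = build_access_request(7, b"alice", b"s3cret!", secret, nas_ip, request_auth)
    hidden = parse_attributes(request)[ATTR_USER_PASSWORD]
    recovered = reveal_password(hidden, secret, request[4:20])
    code = ACCESS_ACCEPT if recovered == b"s3cret!" else ACCESS_REJECT
    reply = build_response(code, request[1], request[4:20], secret)
    return {
        "recovered_password": recovered,
        "reply_code": code,
        "reply_verified": verify_response(reply, request_auth, secret),
        "reply_verified_with_wrong_key": verify_response(reply, request_auth, b"other-key"),
    }
```

Running demo_exchange() shows the password recovered only with the matching secret and the reply rejected under the wrong key, which is the symptom to look for when the Authentication Key on the AC and on the server disagree.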


Portal configuration
1. On the wireless configuration page, select Portal for the Primary Service Authentication Type field.

2. Click Next.
The RADIUS Configuration page appears.

3. After you complete RADIUS configuration, click Next.
The Portal Configuration page appears.

Figure 23 Portal configuration page

4. Configure the parameters as described in Table 9.

Table 9 Configuration items

Item: Description

Server-name: Specify the system name of the portal server.

Server-IP: Enter the IP address of the portal server.

Port: Enter the port number of the portal server.

Redirect-URL: Enter the URL of the portal authentication server.

Method: Specify the portal authentication method to be used:
  Direct: Before authentication, a user manually configures an IP address or directly obtains a public IP address through DHCP, and can access only the portal server and predefined free websites. After passing authentication, the user can access the network resources. The authentication process of direct authentication is simpler than that of the re-DHCP authentication.
  Layer3: Layer 3 authentication is similar to direct authentication but allows Layer 3 forwarding devices to be present between the authentication client and the access device.
  Redhcp: Before authentication, a user gets a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resources.

Encryption configuration
On the wireless configuration page, select User authentication (802.1X) for Primary Service Authentication Type, and click Next to enter the encryption configuration page, as shown in Figure 24.
Figure 24 Encryption Configuration page

Table 10 Configuration items

Item: Description

Provide Key Automatically: Specify whether to use WEP keys provided automatically or use static WEP keys.
  Enable: Use WEP keys provided automatically.
  Disable: Use static WEP keys.
  By default, static WEP keys are used. After you select Enable, WEP104 is displayed for WEP.
  IMPORTANT: Automatically provided WEP keys must be used together with 802.1X authentication. Therefore, this option is available only after you select User authentication (802.1X) for Primary Service Authentication type on the wireless configuration page.

WEP: Select the key type of the WEP encryption mechanism: WEP40, WEP104, or WEP128.

Key ID: Select the WEP key index: 1, 2, 3, or 4. Each number represents one of the four static keys of WEP. The selected key index will be used for frame encryption and decryption.
  IMPORTANT: If you select the option to enable Provide Key Automatically, only 1, 2, and 3 are available for the Key ID option.

Key Length: Select the key length.
  When the key type is WEP40, the key length can be five alphanumeric characters or ten hexadecimal characters.
  When the key type is WEP104, the key length can be 13 alphanumeric characters or 26 hexadecimal characters.
  When the key type is WEP128, the key length can be 16 alphanumeric characters or 32 hexadecimal characters.

WEP Key: Enter the WEP key.

AP configuration
1. On the Encryption Configuration page, click Next.
The AP Configuration page appears.

2. Configure an AP and click Add.
You can configure multiple APs on the page. The section at the bottom of the page displays all existing APs.

Figure 25 AP Configuration page

3. Configure the parameters as described in Table 11.

Table 11 Configuration items

Item: Description

AP Name: Enter the name of the AP.

Model: Select the model of the AP.

Serial ID: Specify the serial ID of the AP. If the Auto box is not selected, you need to manually enter a serial ID. If the Auto box is selected, the AC automatically searches the serial ID of the AP. This option needs to cooperate with the auto AP function to implement automatic AP discovery so that the AP can connect with the AC automatically. If there are a large number of APs, the automatic AP discovery function can avoid repeated configuration of AP serial numbers. For information about configuring auto AP, see "Configuring APs."

Country/Region Code: Select a country/region code for the AP. By default, no country/region code is configured for the AP and the AP uses the global country/region code (which is configured on the AC). If the country/region code is specified on this page, the AP uses this configuration. For information about the country/region code configured on the AC, see "Configuring advanced settings."

Radio: Radio unit of the AP.

Mode: Select the radio mode. The radio mode depends on the AP model.

Channel: Select the working channel. The channel list for the radio depends on the country/region code and radio mode, and it varies with device models. Auto specifies the automatic channel mode: with Auto specified, the AC evaluates the quality of channels in the wireless network, and selects the best channel as the working channel. After the channel is changed, the power list is refreshed.

Power: Select the transmission power. The maximum power of the radio depends on the country/region code, working channel, AP model, radio mode, and antenna type. If 802.11n is specified as the radio mode, the maximum power of the radio also depends on the bandwidth mode.

Configuration summary
1. On the AP Configuration page, click Next.
   The configuration summary page appears, displaying all configurations you have made.
2. Click Finish to save your configurations.

Figure 26 Configuration summary page

Displaying information summary

Device information
You can view the following information on the Device Info menu:
- Device information
- System resource state
- Device interface information
- Recent system logs (five at most)

After logging in to the Web interface, you enter the Summary > Device Info page.

Figure 27 Device info page

Select the refresh mode from the Refresh Period list:
- If you select a specific refresh period (for example, 1 minute), the system periodically refreshes the
  Device Info page according to the selected refresh period.
- If you select Manual, you need to click Refresh to refresh the page.

Device info

Table 12 Field description

Device Name: Display the device model.

Product Information: Display the product information.

Device Location: Display the location of the device.
  To configure the device location information, select Device > SNMP > Setup. For more information,
  see "Configuring SNMP."

Contact Information: Display the contact information for device maintenance.
  To configure the contact information, select Device > SNMP > Setup. For more information, see
  "Configuring SNMP."

SerialNum: Display the serial number of the device.

Software Version: Display the software version of the device.

Hardware Version: Display the hardware version of the device.

Bootrom Version: Display the Boot ROM version of the device.

Running Time: Display the running time after the latest boot of the device.

System resource state

Table 13 Field description

CPU Usage: Display the real-time CPU usage.

Memory Usage: Display the real-time memory usage and the total memory size.

Temperature: Display the temperature of the device.

Device interface information

Table 14 Field description

Interface: Display the interface name and interface number.

IP Address/Mask: Display the IP address and mask of an interface.

Status: Display the interface status, which is one of the following:
- The interface is up and is connected.
- The interface is up, but not connected.
- The interface is down.

For more information about device interfaces, click More below the Device Interface Information area to
enter the Device > Interface page to view and operate the interfaces. For more information, see
"Managing interfaces."

Recent system logs

Table 15 Field description

Time: Display the time when the system log was generated.

Level: Display the level of the system log.

Description: Display the contents of the system log.

For more information about system logs, click More below the Recent System Operation Logs area to
enter the Device > Syslog > Loglist page to view the logs. For more information, see "Managing logs."

Displaying WLAN service

1. Select Summary > Wireless Service from the navigation tree.
2. Click the specified WLAN service to view its detailed information, statistics, or connection history.

Displaying detailed information about WLAN service

Figure 28 shows the page that displays detailed information about clear-type WLAN services. Table 16
describes the fields on the page.

Figure 28 Displaying detailed information about the WLAN service (clear type)

Table 16 Field description

Service Template Number: Service template number.

SSID: Service set identifier (SSID) for the ESS.

Binding Interface: Name of the interface bound with the service template.

Service Template Type: Service template type.

Authentication Method: Type of authentication used.
  A WLAN service of the clear type only uses open system authentication.

Authentication Mode: Authentication mode:
- Central: Uses AC central authentication.
- Local: Uses AP local authentication.
- Backup: Uses backup authentication.

SSID-hide:
- Disable: The SSID is advertised in beacon frames.
- Enable: The SSID is not advertised in beacon frames.

Bridge Mode: Forwarding mode:
- Local forwarding: Uses local forwarding in the service template.
- Remote forwarding: Uses AC remote forwarding in the service template.

Service Template Status: Status of the service template:
- Enable: The WLAN service is enabled.
- Disable: The WLAN service is disabled.

Maximum clients per BSS: Maximum number of associated clients per BSS.

Figure 29 shows the page that displays detailed information about crypto-type WLAN services. Table 17
describes the fields on the page.

Figure 29 Displaying detailed information about the WLAN service (crypto type)

Table 17 Field description

Service Template Number: Service template number.

SSID: SSID for the ESS.

Binding Interface: Name of the interface bound with the service template.

Service Template Type: Service template type.

Security IE: Security IE: WPA or WPA2 (RSN).

Authentication Method: Authentication method: open system or shared key.

SSID-hide:
- Disable: The SSID is advertised in beacon frames.
- Enable: The SSID is not advertised in beacon frames.

Cipher Suite: Cipher suite: AES-CCMP, TKIP, WEP40, WEP104, or WEP128.

TKIP Countermeasure Time(s): TKIP countermeasure time in seconds.

PTK Life Time(s): PTK lifetime in seconds.

GTK Rekey: Whether GTK rekey is configured.

GTK Rekey Method: GTK rekey method configured: packet based or time based.

GTK Rekey Time(s): Time for GTK rekey in seconds.
- If Time is selected, the GTK is refreshed after the specified period of time.
- If Packet is selected, the GTK is refreshed after the specified number of packets are transmitted.

Bridge Mode: Forwarding mode:
- Local forwarding: Uses local forwarding in the service template.
- Remote forwarding: Uses AC remote forwarding in the service template.

Service Template Status: Status of the service template:
- Enable: The WLAN service is enabled.
- Disable: The WLAN service is disabled.

Maximum clients per BSS: Maximum number of associated clients per BSS.

Displaying statistics of WLAN service

Figure 30 Displaying WLAN service statistics

Displaying connection history information of the WLAN service

Figure 31 Displaying connection history information of the WLAN service
Displaying AP
Select Summary > AP from the navigation tree to enter the AP page, as shown in Figure 32. You can
display the WLAN service information, connection history, radio, and detailed information of an AP by
clicking the tabs on the page.

Displaying WLAN service information of an AP

The WLAN service information of an AP is as shown in Figure 32.

Figure 32 Displaying WLAN service information

Displaying AP connection history information

The connection history information of an AP is as shown in Figure 33.

Figure 33 Displaying AP connection history information

Displaying AP radio information

Select Summary > AP from the navigation tree to enter the AP page, click the Radio tab on the page, and
click the name of the specified AP to view the radio statistics of the AP, as shown in Figure 34.

Figure 34 Displaying AP radio information

The Noise Floor item in the table indicates the various random electromagnetic waves that occur during
wireless communication. In an environment with a high noise floor, you can improve the signal-to-noise
ratio (SNR) by increasing the transmit power or reducing the noise floor.
The Service Type item in the table has two options: Access and Mesh.
Resource Usage represents the resource utilization of a radio within a certain period. For example, in a
period of 10 seconds, if a radio has occupied the channel for five seconds, the resource utilization of the
radio is 5 seconds divided by 10 seconds: 50%.
Table 18 Field description

AP name: Access point name.

Radio Id: Radio ID.

Transmitted Frames Statistics: Statistics of transmitted frames.
- Total Frames: Total number of frames (including probe response frames and beacon frames)
  transmitted. Total Frames = Unicast Frames + Broadcast/Multicast Frames + Others.
- Unicast Frames: Number of unicast frames (excluding probe response frames) transmitted.
- Broadcast/Multicast Frames: Number of broadcast or multicast frames (excluding beacon frames)
  transmitted.
- Others: Total number of other types of frames transmitted.
- Discard Frames: Number of frames discarded.
- Retry Count: Number of transmission retries.
- Multiple Retry Count: Number of frames that have been retransmitted.
- Authentication Frames: Number of authentication responses transmitted.
- Failed RTS: Number of RTSs failed during transmission.
- Successful RTS: Number of RTSs transmitted successfully.
- Failed ACK: Number of transmitted frames for which no acknowledgement is received.
- Packet Count Statistics Based on Size: Packet statistics classified by packet size.
- Packet Count Statistics Based on Rate: Packet statistics classified by rate.
- Packet Count Statistics Based on 802.11n Rate: Packet statistics classified by 802.11n rate. The field
  is not displayed if the device does not support 802.11n.
- Association Frames: Number of association responses transmitted.

Received Frames Statistics: Statistics of received frames.
- Total Frames: Number of frames received.
- Unicast Frames: Number of unicast frames received.
- Broadcast/Multicast Frames: Number of broadcast or multicast frames received.
- Fragmented Frames: Number of fragmented frames received.
- FCS Failures: Number of frames dropped due to FCS failure.
- Authentication Frames: Number of authentication requests received.
- Duplicate Frames: Number of duplicate frames received.
- Decryption Errors: Number of frames dropped due to decryption error.
- Association Frames: Number of association requests received.

Displaying AP detailed information

Select Summary > AP from the navigation tree to enter the AP page, click the Detail tab on the page, and
click the name of the specified AP to view the detailed information of the AP, as shown in Figure 35.

Figure 35 Displaying AP detailed information

Table 19 Field description

APID: Access point identifier.

AP System Name: Access point name.

Map Configuration: Configuration file mapped to the AP.

State: Current state of the AP:
- ImageDownload: The AP is downloading the software image. If the ImageDownload state persists,
  check the following: 1) The version of the fit AP software saved on the AC matches the version that
  the AC requires; 2) The flash has enough free space.
- Idle: The AP is idle. If the Idle state persists, check the following: 1) If the Latest IP Address and
  Tunnel Down Reason fields are displayed as -NA-, the AP has never connected to the AC
  successfully. Check the network cable, the power supply of the fit AP, and the AP serial number if
  the serial number was manually entered. 2) If the Latest IP Address and Tunnel Down Reason fields
  display other contents, the AP has connected to the AC successfully before. See the Tunnel Down
  Reason field for the detailed reason.
- Run: The AP is operating. The AP has connected to the AC successfully.
- Config: The AC is delivering a configuration file to the fit AP, and the fit AP is collecting radio
  information through the radio interface and reporting it to the AC. This state is transient.

Up Time(hh:mm:ss): Time for which the AP has been connected to the AC. NA indicates that the AP is
  not connected to the AC.

Model: AP model name.

Serial-ID: Serial ID of the AP.

IP Address: IP address of the AP.

H/W Version: Hardware version of the AP.

S/W Version: Software version of the AP.

Boot-Rom version: Boot ROM version of the AP.

Description: Description of the AP.

Connection Type: AP connection type: Master or Backup.

Peer AC MAC Address: Peer AC MAC address in case of AC backup.

Priority Level: AP connection priority.

Echo Interval(s): Interval for sending echo requests, in seconds.

Statistics report Interval(s): Interval for sending statistics messages, in seconds.

Cir (Kbps): Committed information rate in kbps.

Cbs (Bytes): Committed burst size in bytes.

Jumboframe Threshold: Threshold value of jumbo frames.

Transmitted control packets: Number of transmitted control packets.

Received control packets: Number of received control packets.

Transmitted data packets: Number of transmitted data packets.

Received data packets: Number of received data packets.

Configuration Failure Count: Count of configuration request message failures.

Last Failure Reason: Last configuration request failure reason.

Last Reboot Reason: Last reboot reason of the AP:
- Normal: The AP was powered off.
- Crash: The AP crashed, and the information is needed for analysis.
- Tunnel Initiated: The reset wlan ap command was executed on the AC (in this case, the Tunnel
  Down Reason is displayed as Reset AP).
- Tunnel Link Failure: The fit AP rebooted abnormally because an error occurred when the AP was
  establishing a connection with the AC.

Latest IP Address: IP address the AP used the last time it connected to the AC.

Tunnel Down Reason: The tunnel between the AC and the AP is down when one of the following occurs:
- Neighbor Dead Timer Expire: The AC does not receive an Echo request from the AP within three
  times the handshake interval.
- Response Timer Expire: The AC sends a control packet to the AP but does not receive any response
  within the specified waiting time.
- Reset AP: The AP is rebooted by the execution of a command on the AC.
- AP Config Change: The corresponding configurations are modified on the AC.
- No Reason: Other reasons.

Connection Count: Connection count between the AP and AC. This field is reset in one of the following
  situations:
- The AC is rebooted.
- You re-configure an AP template after deleting the old one.
  If you click Reboot on this page to reboot the AP, the connection count is not reset.

AP Mode: Mode supported by the AP. Currently only the split MAC mode is supported.

AP operation mode: Operation mode of the AP. Currently Normal and Monitor modes are supported.

Portal Service: Whether the portal service is enabled.

Device Detection: Whether device detection is enabled.

Maximum Number of Radios: Maximum number of radios supported by the AP.

Current Number of Radios: Number of radios in use on the AP.

Client Keep-alive Interval: Interval at which the AP detects clients that have left the system for various
  reasons (such as power failure or crash) and disconnects them from the AP.

Client Idle Interval(s): If a client is idle for more than the specified interval (that is, the AP does not
  receive any data from the client within the interval), the client is removed from the network.

Broadcast-probe Reply Status: Whether the AP is enabled to respond to broadcast probe requests.

Basic BSSID: MAC address of the AP.

Current BSS Count: Number of BSSs connected with the AP.

Running Clients Count: Number of clients currently running.

Wireless Mode: Wireless mode: 802.11a, 802.11b, 802.11g, 802.11an, or 802.11gn.

Client Dot11n-only:
- Enabled: Only 802.11n clients can be associated with the AP.
- Disabled: 802.11a/b/g/n clients can be associated with the AP.

Channel Band-width: Channel bandwidth: 20 MHz or 40 MHz.

Secondary channel offset: Secondary channel information for 802.11n radio mode:
- SCA (Second Channel Above): The AP operates in 40 MHz bandwidth mode, and the secondary
  channel is above the primary channel.
- SCB (Second Channel Below): The AP operates in 40 MHz bandwidth mode, and the secondary
  channel is below the primary channel.
- SCN: The AP operates in 20 MHz bandwidth mode.

HT protection mode: 802.11n protection modes:
- no protection mode(0): The clients associated with the AP and the wireless devices within the
  coverage of the AP operate in 802.11n mode, and all the clients associated with the AP operate in
  either 40 MHz or 20 MHz mode.
- Non-member mode(1): The clients associated with the AP operate in 802.11n mode, but
  non-802.11n wireless devices exist within the coverage of the AP.
- 20 MHz mode(2): The radio mode of the AP is 40 MHz. The clients associated with the AP and the
  wireless devices within the coverage of the AP operate in 802.11n mode, and at least one 802.11n
  client operating in 20 MHz mode is associated with the radio of the AP.
- Non-HT mix mode(3): All situations except the above three.

Short GI for 20MHz: Whether the AP supports short GI when it operates in 20 MHz mode.

Short GI for 40MHz: Whether the AP supports short GI when it operates in 40 MHz mode.

Mandatory MCS Set: Mandatory MCS for the AP.

Supported MCS Set: Supported MCS for the AP.

A-MSDU: Status of the A-MSDU function: enable or disable.

A-MPDU: Status of the A-MPDU function: enable or disable.

Configured Channel: Operating channel:
- If the channel is manually configured, the configured channel number is displayed.
- If the channel is automatically selected, auto(channel) is displayed, where channel is the optimal
  channel automatically selected by the AC. If the AP operates in 802.11n radio mode and 40 MHz
  bandwidth mode, this field displays the primary channel.

Configured Power(dBm): Transmission power on the radio:
- If one-time transmit power control (TPC) is adopted, the configured transmit power is displayed.
- If auto TPC is adopted, two values are displayed, the first being the maximum power and the
  second auto(number), where number in the brackets represents the actual power.

Interference (%): Interference observed on the operating channel, in percentage.

Channel Load (%): Load observed on the operating channel, in percentage.

Utilization (%): Utilization rate of the operating channel, in percentage.

Co-channel Neighbor Count: Number of neighbors found on the operating channel.

Channel Health: Status of the channel.

Preamble Type: Type of preamble that the AP can support: short or long.

Radio Policy: Radio policy used.

Service Template: Service template number.

SSID: SSID for the ESS.

Port: WLAN-DBSS interface associated with the service template.

Mesh Policy: Mesh policy adopted.

ANI Support: ANI (Adaptive Noise Immunity) status: enabled or disabled.

11g Protection: 802.11g protection status: enable or disable.

Admin State: Administrative state of the radio.

Physical State: Physical state of the radio.

Operational Rates (Mbps): Operational rates in Mbps.

Radar detected Channels: Channels on which radar signals are detected.

Antenna Type: Antenna type of the radio.

Resource Using Ratio: Resource utilization of the radio.

Noise Floor: Noise floor of the radio.

Displaying clients
Select Summary > Client from the navigation tree to enter the page, as shown in Figure 36.

Figure 36 Displaying clients

Table 20 Field description

Refresh: Refresh the current page.

Add to Blacklist: Add the selected client to the static blacklist, which you can display by selecting
  Security > Filter from the navigation tree.

Reset Statistic: Clear statistics of the specified client.

Disconnect: Log off the selected client.

Displaying client detailed information

Select Summary > Client from the navigation tree to enter the Client page, click the Detail Information tab
on the page, and click the name of the specified client to view the detailed information of the client, as
shown in Figure 37.

Figure 37 Displaying client detailed information

Table 21 Field description

MAC address: MAC address of the client.

AID: Association ID of the client.

User Name: Username of the client.
  The field is displayed as NA if the client adopts plain-text authentication or an authentication method
  that does not require a username.
  The field is irrelevant to the portal authentication method. If the client uses portal authentication,
  the field does not display the portal username of the client.

AP Name: Name of the AP.

Radio Id: Radio ID of the client.

SSID: SSID of the AP.

BSSID: BSSID of the AP.

Port: WLAN-DBSS interface associated with the client.

VLAN: VLAN to which the client belongs.

State: State of the client. Backup indicates a backup client.

Power Save Mode: Client's power save mode: active or sleep.

Wireless Mode: Wireless mode, such as 802.11a, 802.11b, 802.11g, 802.11an, or 802.11gn.

Channel Band-width: Channel bandwidth: 20 MHz or 40 MHz.

SM Power Save Enable: SM Power Save enables a client to keep one antenna in active state and the
  others in sleep state to save power.
- Enabled: SM Power Save is supported.
- Disabled: SM Power Save is not supported.

Short GI for 20MHz: Whether the client supports short GI when its channel bandwidth is 20 MHz:
- Not Supported.
- Supported.

Short GI for 40MHz: Whether the client supports short GI when its channel bandwidth is 40 MHz:
- Not Supported.
- Supported.

Support MCS Set: MCS supported by the client.

BLOCK ACK-TID 0: BLOCK ACK is negotiated based on QoS priority ID 0:
- OUT: Outbound direction.
- IN: Inbound direction.
- BOTH: Both directions.

QoS Mode: Whether the AP supports the WMM function.

Listen Interval (Beacon Interval): Specifies how often the client wakes up to receive frames buffered in
  the AP, expressed in units of beacon intervals.

RSSI: Received signal strength indication. This value indicates the client signal strength detected by the
  AP.

Rx/Tx Rate: Frame reception/transmission rate of the client, including data, management, and control
  frames. In AC + fit AP mode, there is a delay because the Rx Rate is reported from the AP to the AC
  periodically, depending on the statistics interval.

Client Type: Client type: RSN, WPA, or Pre-RSN.

Authentication Method: Authentication method: open system or shared key.

AKM Method: AKM suite used: Dot1X or PSK.

4-Way Handshake State: Displays the 4-way handshake state:
- IDLE: Displayed in the initial state.
- PTKSTART: Displayed when the 4-way handshake is initialized.
- PTKNEGOTIATING: Displayed after a valid message 3 was sent.
- PTKINITDONE: Displayed when the 4-way handshake is successful.

Group Key State: Displays the group key state:
- IDLE: Displayed in the initial state.
- REKEYNEGOTIATE: Displayed after the AC sends the initial message to the client.
- REKEYESTABLISHED: Displayed when re-keying is successful.

Encryption Cipher: Encryption cipher: clear or crypto.

Roam Status: Displays the roaming status: Normal or Fast Roaming.

Roam Count: Roaming count of the client:
- For intra-AC roaming, this field is reset after the client is disassociated from the AP connected to
  the AC.
- For inter-AC roaming, this field is reset after the client leaves the mobility group to which the AC
  belongs.

Up Time: Time for which the client has been associated with the AP.
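The AKM Method, 4-Way Handshake State and PTK Life Time fields above refer to the WPA/WPA2 key exchange between the client and the AC. The following Python example is added here for illustration and is not part of this guide or of the device software. It derives the PMK from a PSK and SSID, derives the PTK (KCK, KEK, TK) from the PMK and both nonces as IEEE 802.11 specifies, and walks the authenticator through the IDLE, PTKSTART, PTKNEGOTIATING and PTKINITDONE states, checking the message 2 and message 4 MICs with the KCK. It assumes the WPA2 (descriptor version 2) HMAC-SHA1-128 MIC; the EAPOL-Key frame layout is reduced to a constructed byte string carrying only what the MIC covers, and the MAC addresses and nonces are constructed sample values. It also shows the failure mode a troubleshooter meets most often: with a mismatched PSK the client's MIC does not verify and the state never advances past PTKSTART.

```python
"""WPA2-PSK 4-way handshake key derivation and authenticator state walk-through.

Added example, not taken from the HP guide or the device software. MAC addresses,
nonces and the EAPOL-Key body layout are constructed for illustration; the key
derivation (PBKDF2, PRF-384, HMAC-SHA1-128 MIC) follows IEEE 802.11.
"""
import hashlib
import hmac
from dataclasses import dataclass

# States as named in the 4-Way Handshake State field of the client detail page.
IDLE, PTKSTART, PTKNEGOTIATING, PTKINITDONE = "IDLE", "PTKSTART", "PTKNEGOTIATING", "PTKINITDONE"

# Constructed sample values: authenticator (AP) address, supplicant (client) address, nonces.
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(0, 32))
SNONCE = bytes(range(32, 64))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK AKM: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n on HMAC-SHA1: concatenate HMAC(key, label || 0x00 || data || i), truncate."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA,SPA) || min/max(ANonce,SNonce)).
    Returns (KCK, KEK, TK), 16 bytes each for AES-CCMP; the min/max ordering makes the result
    identical on both sides regardless of who computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """Key MIC for descriptor version 2 (WPA2/AES): HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 128 bits. Here `body` is the constructed frame body."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


@dataclass
class Authenticator:
    pmk: bytes
    aa: bytes
    spa: bytes
    anonce: bytes
    state: str = IDLE
    ptk: tuple = None

    def send_msg1(self) -> bytes:
        self.state = PTKSTART          # handshake initialized: message 1 carries ANonce, no MIC
        return self.anonce

    def receive_msg2(self, snonce: bytes, body: bytes, mic: bytes):
        kck, kek, tk = derive_ptk(self.pmk, self.aa, self.spa, self.anonce, snonce)
        if not hmac.compare_digest(eapol_mic(kck, body), mic):
            return None                # bad MIC (PSK mismatch): stay in PTKSTART, message 1 is retried
        self.ptk = (kck, kek, tk)
        msg3_body = b"MSG3|" + self.anonce
        self.state = PTKNEGOTIATING    # valid message 3 sent
        return msg3_body, eapol_mic(kck, msg3_body)

    def receive_msg4(self, body: bytes, mic: bytes) -> bool:
        if self.state != PTKNEGOTIATING or not hmac.compare_digest(eapol_mic(self.ptk[0], body), mic):
            return False
        self.state = PTKINITDONE       # handshake successful, TK is installed
        return True


def run_handshake(ap_pmk: bytes, client_pmk: bytes, aa: bytes, spa: bytes,
                  anonce: bytes, snonce: bytes) -> str:
    """Drive both sides and return the authenticator's final 4-way handshake state."""
    ap = Authenticator(ap_pmk, aa, spa, anonce)
    ap.send_msg1()
    kck_c, _, _ = derive_ptk(client_pmk, aa, spa, anonce, snonce)   # supplicant derivation
    msg2_body = b"MSG2|" + snonce
    reply = ap.receive_msg2(snonce, msg2_body, eapol_mic(kck_c, msg2_body))
    if reply is None:
        return ap.state
    msg3_body, msg3_mic = reply
    if not hmac.compare_digest(eapol_mic(kck_c, msg3_body), msg3_mic):
        return ap.state                # supplicant rejects message 3
    msg4_body = b"MSG4|"
    ap.receive_msg4(msg4_body, eapol_mic(kck_c, msg4_body))
    return ap.state


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("matching PSK  ->", run_handshake(pmk, pmk, AA, SPA, ANONCE, SNONCE))
    print("mismatched PSK->", run_handshake(pmk, derive_pmk("wrong-psk", "IEEE"), AA, SPA, ANONCE, SNONCE))
```

On the device, a client that repeatedly shows PTKSTART but never PTKINITDONE for a PSK service template therefore points at a key mismatch or a dropped EAPOL frame rather than at the open system authentication that precedes it; the PTK Life Time field in Table 17 bounds how long a successfully derived TK is kept before the exchange runs again.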

Displaying client statistics

Select Summary > Client from the navigation tree to enter the Client page, click the Statistic Information
tab on the page, and click the name of the specified client to view the statistics of the client, as shown
in Figure 38.

Figure 38 Displaying client statistics

Table 22 Field description

AP Name: Name of the associated access point.

Radio Id: Radio ID.

SSID: SSID of the AP.

BSSID: BSSID of the AP.

MAC Address: MAC address of the client.

RSSI: Received signal strength indication. This value indicates the client signal strength detected by the
  AP.

Transmitted Frames: Number of transmitted frames.

Back Ground(Frames/Bytes): Statistics of background traffic, in frames or in bytes.

Best Effort(Frames/Bytes): Statistics of best effort traffic, in frames or in bytes.

Video(Frames/Bytes): Statistics of video traffic, in frames or in bytes.

Voice(Frames/Bytes): Statistics of voice traffic, in frames or in bytes.

Received Frames: Number of received frames.

Discarded Frames: Number of discarded frames.

Statistics of the priority queues (Back Ground, Best Effort, Video, and Voice) can be collected only for
a QoS client. On a client where QoS is not enabled, the Best Effort priority queue includes traffic such as
SVP packets sent and received by the client, so the queues reported might differ from the queues
actually used for transmission. Priority queue statistics can be collected only for the priorities carried in
Dot11E or WMM packets; otherwise, statistics collection of priority queues on the receiving end might
fail.

Displaying client roaming information

Select Summary > Client from the navigation tree to enter the Client page, click the Roam Information tab
on the page, and click the name of the specified client to view the roaming information of the client, as
shown in Figure 39.

Figure 39 Displaying client roaming information

Table 23 Field description

BSSID: BSSID of the AP associated with the client.

Online-time: Online time of the client.

AC-IP-address: IP address of the AC connected with the client. When the configured roaming channel
  type is IPv6, the IPv6 address of the AC is displayed.
Displaying RF ping information

Radio Frequency Ping (RF Ping) is a ping function performed on wireless links. This function enables you
to obtain the connection information between the AP and its associated clients, such as signal strength,
packet retransmission attempts, and round trip time (RTT).
Select Summary > Client from the navigation tree to enter the Client page, click the Link Test Information
tab on the page, and click the name of the specified client to view the link test information of the client,
as shown in Figure 40.

Figure 40 View link test information

Table 24 Field description

No./MCS: Rate number for a non-802.11n client, or MCS value for an 802.11n client.

Rate(Mbps): Rate at which the radio interface sends wireless ping frames.

TxCnt: Number of wireless ping frames that the radio interface sent.

RxCnt: Number of wireless ping frames that the radio interface received from the client.

RSSI: Received signal strength indication. This value indicates the client signal strength detected by the
  AP.

Retries: Total number of retransmitted ping frames.

RTT(ms): Round trip time.

Managing licenses
A license controls the maximum number of online APs. You can add a license on a device to increase the
maximum number of online APs that the device supports. The upper limit of online APs that a device
supports is restricted by its specification and varies by device model. For more information, see "About
the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN
Module Web-Based Configuration Guide."

Configuring enhanced licenses

Some features can be used only after you register them by using an enhanced license. The enhanced
license required for registration can be a beta or official version. A beta version has a lifetime, and the
features registered by using the version cannot be used after the version expires. An official version,
obtained by purchasing the features, provides the serial number for registering the features and includes
a description of the features.

Registering an enhanced license

IMPORTANT:
After registering an enhanced license, you must reboot the device to validate the newly added features.
You can also increase the number of allowed APs by adding a license. For more information about
licenses, see "Managing licenses."

1. Select Device > License from the navigation tree.
   The Enhanced License tab appears.

Figure 41 Enhanced license

2. Configure enhanced license information as described in Table 25.
3. Click Add.

Table 25 Configuration items

Feature Name: Select the name of the feature to be registered.
  For example, AP allows you to increase the number of APs.

License Key: Activation key of the license.

Displaying registered enhanced licenses

1. Select Device > License from the navigation tree.
   The page in Figure 41 appears.
2. View the registered enhanced licenses at the lower part of the page.

Table 26 Field description

Feature Name: Name of the feature registered.

License Key: Serial number of the license.

Available Time Left: Time left for the license. After the time elapses, the license expires.
  The value Forever means that the license is an official version.

AP Number: Number of APs that the license supports.

Configuring basic device settings

The device basic information feature allows you to:
- Set the system name of the device. The configured system name is displayed at the top of the
  navigation bar.
- Set the idle timeout period for a logged-in user. The system logs an idle user off the Web for security
  purposes after the configured period.

Configuring system name

1. Select Device > Basic from the navigation tree.
   The page for configuring the system name appears.

Figure 42 Configuring the system name

2. Set the system name for the device.
3. Click Apply.

Configuring Web idle timeout

1. Select Device > Basic from the navigation tree.
2. Click the Web Idle Timeout tab.
   The page for configuring the Web idle timeout period appears.

Figure 43 Configuring Web idle timeout

3. Set the Web idle timeout for a logged-in user.
4. Click Apply.

Maintaining devices
Upgrading software
IMPORTANT:
During a software upgrade, avoid performing any operation on the Web interface. Otherwise, the
upgrade operation may be interrupted.

A boot file, also known as the system software or device software, is an application file used to boot the
device. Software upgrade allows you to obtain a target application file from the local host and set the file
as the boot file to be used at the next reboot. You can keep or change the original filename (do not
change the extension, for example, .bin) after you obtain the target application file from the local host.
In addition, you can select whether to reboot the device to make the upgraded software take effect.
To upgrade software:
1. Select Device > Device Maintenance from the navigation tree.
   The software upgrade configuration page appears.

Figure 44 Software upgrade configuration page

2. Configure the software upgrade parameters as described in Table 27.
3. Click Apply.

Table 27 Configuration items

File: Specify the path of the local application file, which must have the extension .app or .bin.

File Type: Specify the type of the boot file for the next boot:
- Main: Boots the device.
- Backup: Boots the device when the main boot file is unavailable.

If a file with the same name already exists, overwrite it without any prompt: Specify whether to overwrite
  the file with the same name. If you do not select this option and a file with the same name already
  exists, the system prompts "The file has existed." and you cannot upgrade the software.

Reboot after the upgrade is finished: Specify whether to reboot the device to make the upgraded
  software take effect after the application file is uploaded.
Rebooting the device

CAUTION:
Before rebooting the device, save the configuration. Otherwise, all unsaved configurations are lost after
the device reboots.

1. Select Device > Device Maintenance from the navigation tree.
2. Click the Reboot tab.
   The reboot tab page appears.

Figure 45 Device reboot page

3. Clear the box before "Check whether the current configuration is saved in the next startup
   configuration file" or keep it selected.
4. Click Apply.
   A confirmation dialog box appears.
5. Click OK.
   If you select the box next to Check whether the current configuration is saved in the next startup
   configuration file, the system checks the configuration before rebooting the device. If the check
   succeeds, the system reboots the device. If the check fails, the system displays a dialog box to
   inform you that the current configuration and the saved configuration are inconsistent, and does
   not reboot the device. You must save the current configuration manually before you can reboot
   the device.
   If you do not select the box next to Check whether the current configuration is saved in the next
   startup configuration file, the system reboots the device automatically.
6. Log in to the Web interface again after the device reboots.

Generating the diagnostic information file

Each functional module has its own running information. Typically, you need to view the output
information for each individual module. You can generate the diagnostic information file to receive as
much information as possible in one operation during daily maintenance or when a system failure occurs.
When you perform the diagnostic information generation operation, the system saves the running
statistics of multiple functional modules to a file named default.diag, and you can use the file to locate
problems.
To generate the diagnostic information file:
1. Select Device > Device Maintenance from the navigation tree.
2. Click the Diagnostic Information tab.
   The diagnostic information tab page appears.

Figure 46 Diagnostic information

3. Click Create Diagnostic Information File.
   The system begins to generate the diagnostic information file, and after the file is generated, the
   page in Figure 47 appears.

Figure 47 The diagnostic information file is created

4. Click Click to Download.
   The File Download dialog box appears. You can select to open this file or save this file to the local
   host.

NOTE:
During the generation of the diagnostic file, do not perform any operation on the Web interface.
To view this file after the diagnostic file is generated successfully, select Device > File Management, or
download this file to the local host. For more information, see "Managing files."

Configuring the system time


Configure a correct system time so that the device can work with other devices correctly. The System
Time feature allows you to display and set the device system time on the Web interface.
You can set the system time by manual configuration or by automatic synchronization with an NTP
server. Manually changing the system clock on each device within a network is time-consuming and
does not guarantee clock precision.
Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed
time servers and clients.
NTP can keep consistent timekeeping among all clock-dependent devices within the network and ensure
a high clock precision so that the devices can provide diverse applications based on consistent time.

Configuration guidelines

- A device can act as a server to synchronize the clock of other devices only after its clock has been
  synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's
  clock, the client will not synchronize its clock to the server's clock.
- Because the synchronization process takes a period of time, the clock status may be displayed as
  unsynchronized after your configuration. Refresh the page to update the clock status.
- If the system time of the NTP server is ahead of the system time of the device, and the difference
  between them exceeds the Web idle time specified on the device, all online Web users are logged
  out because of timeout.

Displaying the system time

1. Select Device > System Time from the navigation tree.
   The page for configuring system time appears.

Figure 48 Displaying the system time

2. View the current system time at the top of the page.

Configuring the system time

1. Select Device > System Time from the navigation tree.
   The page in Figure 48 appears.
2. Click the System Time Configuration calendar button.
   The calendar page appears.

Figure 49 Configuring the system time

3. Modify the system time either in the System Time Configuration field, or through the calendar
   page.
   You can perform the following operations on the calendar page:
   a. Click Today to set the current date on the calendar to the current system date of the local host.
      The time is not changed.
   b. Set the year, month, date and time, and then click OK.
4. Click Apply on the system time configuration page to save your configuration.

Configuring the network time

1. Select Device > System Time from the navigation tree.
2. Click Net Time.
   The network time page appears.

Figure 50 Configuring the network time

3. Configure system time parameters as described in Table 28.
4. Click Apply.

Table 28 Configuration items

Clock status: Display the synchronization status of the system clock.

Local Reference Source: Set the IP address of the local clock source to 127.127.1.u, where u is
in the range of 0 to 3, representing the NTP process ID.
- If the IP address of the local clock source is specified, the local clock is used as the reference
  clock, and can provide time for other devices.
- If the IP address of the local clock source is not specified, the local clock is not used as the
  reference clock.

Stratum: Set the stratum level of the local clock. The stratum level of the local clock determines the
precision of the local clock. A higher value indicates a lower precision. A stratum 1 clock has the
highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.

Source Interface: Set the source interface for NTP messages. If you do not want the IP address of a
specific interface on the local device to become the destination address of response messages, you
can specify the source interface for NTP messages so that the source IP address in the NTP messages
becomes the primary IP address of this interface. If the specified source interface is down, the source
IP address of the NTP messages sent is the primary IP address of the outbound interface.

Key 1, Key 2: Set the NTP authentication keys. The NTP authentication feature should be enabled for a
system running NTP in a network where there is a high security demand. This feature enhances
network security by means of client-server key authentication, which prohibits a client from
synchronizing with a device that has failed authentication. You can set two authentication keys, each
of which is composed of a key ID and a key string:
- ID is the ID of a key.
- Key string is a character string used as the MD5 authentication key.

External Reference Source (NTP Server 1/Reference Key ID, NTP Server 2/Reference Key ID): Specify
the IP address of an NTP server, and configure the authentication key ID used for the association
with the NTP server. The device synchronizes its time to the NTP server only if the key provided by
the server is the same as the specified key. You can configure two NTP servers. The clients will
choose the optimal reference source.
IMPORTANT:
The IP address of an NTP server is a unicast address, and cannot be a broadcast or a multicast
address, or the IP address of the local clock source.

TimeZone: Set the time zone for the system.

System time configuration example

Network requirements

As shown in Figure 51, the local clock of the switch is set as the reference clock.
The AC operates in client mode, and uses the switch as the NTP server.
NTP authentication is configured on both the AC and the switch.

Figure 51 Network diagram

Configuring the switch

Configure the local clock as the reference clock, with a stratum of 2, and configure authentication, with
a key ID of 24 and the trusted key aNiceKey. (Details not shown.)

Configuring the AC

To configure the switch as the NTP server of the AC:
1. Select Device > System Time from the navigation tree.
2. Click the Net Time tab.
   The Net Time tab page appears.

Figure 52 Configuring the switch as the NTP server of the AC

3. Enter 24 for the ID of key 1, and aNiceKey for the key string. Enter 1.0.1.12 in the NTP Server 1
   box and 24 in the Reference Key ID box.
4. Click Apply.

Verifying the configuration

After you complete the configuration, the current system time displayed on the System Time page is the
same for the AC and the switch.
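As an added example (not code from this guide or from the device), the following Python models what the Key 1/Key 2 and Reference Key ID settings of Table 28 and the example above do on the wire: the key string is the symmetric MD5 key of RFC 1305 NTP authentication, the digest appended to a packet is MD5(key string || NTP header), and a client accepts a server reply only when the key ID maps to a configured key, the digest matches, and the server's stratum is better than its own. The key table (ID 24, aNiceKey, from the example), the packet field values and the "LOCL" reference ID are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed trusted-key table for this example. It mirrors Key 1 from the page's
# configuration example (ID 24, key string aNiceKey); the table itself is an assumption.
TRUSTED_KEYS = {24: b"aNiceKey"}

NTP_HEADER_LEN = 48          # fixed NTP header (RFC 1305)
NTP_MAC_LEN = 4 + 16         # key ID plus MD5 digest appended to authenticated packets
UNSYNCHRONIZED_STRATUM = 16  # Table 28: a stratum 16 clock is not synchronized


def build_header(stratum, transmit_ts, mode=4, version=3):
    """Build a minimal 48-byte NTP header (mode 4 = server reply)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # LI/VN/mode, stratum, poll, precision
            + struct.pack("!II", 0, 0)                          # root delay, root dispersion
            + b"LOCL"                                           # reference ID (local clock, assumed)
            + struct.pack("!QQQQ", 0, 0, 0, transmit_ts))       # ref, orig, recv, transmit timestamps


def ntp_mac(key_string, header):
    """NTP symmetric-key MAC: MD5 over the key string followed by the header."""
    return hashlib.md5(key_string + header).digest()


def sign(header, key_id, key_string):
    """Append key ID and digest, as a server configured with that key would."""
    return header + struct.pack("!I", key_id) + ntp_mac(key_string, header)


def verify(packet, trusted_keys):
    """Return (ok, reason). The key ID in the packet must map to a locally configured
    key and the digest must match (Table 28: synchronize only if the key provided by
    the server is the same as the specified key)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet"
    if len(packet) != NTP_HEADER_LEN + NTP_MAC_LEN:
        return False, "unexpected packet length %d" % len(packet)
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[48:52])[0]
    digest = packet[52:68]
    key_string = trusted_keys.get(key_id)
    if key_string is None:
        return False, "unknown key ID %d" % key_id
    if not hmac.compare_digest(ntp_mac(key_string, header), digest):
        return False, "digest mismatch for key ID %d" % key_id
    return True, "authenticated with key ID %d" % key_id


def accept_server(packet, trusted_keys, client_stratum):
    """Apply the page's rules in order: authentication first, then the stratum checks
    from the configuration guidelines (a server whose stratum is higher than or equal
    to the client's is not used; stratum 16 means unsynchronized)."""
    ok, reason = verify(packet, trusted_keys)
    if not ok:
        return False, reason
    server_stratum = packet[1]
    if server_stratum == 0 or server_stratum >= UNSYNCHRONIZED_STRATUM:
        return False, "server clock is not synchronized (stratum %d)" % server_stratum
    if server_stratum >= client_stratum:
        return False, "server stratum %d is not better than client stratum %d" % (
            server_stratum, client_stratum)
    return True, "synchronize to stratum %d server" % server_stratum


if __name__ == "__main__":
    # Constructed reply from the switch of the example: stratum 2, signed with key ID 24.
    reply = sign(build_header(stratum=2, transmit_ts=0xE000000000000000), 24, TRUSTED_KEYS[24])
    print(accept_server(reply, TRUSTED_KEYS, client_stratum=UNSYNCHRONIZED_STRATUM))
```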

Managing logs

System logs contain a large amount of network and device information, including running status and
configuration changes. System logs allow administrators to access network and device status. With
system logs, administrators can take corresponding actions against network and security problems.
The system sends system logs to the following destinations:
- Console.
- Monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY
  user interface.
- Log buffer.
- Loghost.
- Web interface.

Displaying syslog

The Web interface provides abundant search and sorting functions for viewing logs.
To display syslog:
1. Select Device > Syslog from the navigation tree.
   The page for displaying syslog appears.

Figure 53 Displaying syslog

TIP:
You can click Reset to clear all system logs saved in the log buffer on the Web interface.
You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup
page to enable the system to automatically refresh the page. For more information, see "Setting buffer
capacity and refresh interval."

2. View system logs.

Table 29 Field description

Time/Date: Display the time/date when system logs are generated.

Source: Display the module that generates system logs.

Level: Display the system information levels. The information is classified into eight levels depending
on severity:
- Emergency: The system is unusable.
- Alert: Action must be taken immediately.
- Critical: Critical conditions.
- Error: Error conditions.
- Warning: Warning conditions.
- Notification: Normal but significant condition.
- Information: Informational messages.
- Debugging: Debug-level messages.

Digest: Display the brief description of system logs.

Description: Display the contents of system logs.

Setting the log host

You can set the loghost on the Web interface to enable the system to output syslogs to the log host. You
can specify a maximum of four different log hosts.
To set the log host:
1. Select Device > Syslog from the navigation tree.
2. Click the Loghost tab.
   The loghost configuration page appears.

Figure 54 Setting loghost

3. Configure the log host as described in Table 30.
4. Click Apply.

Table 30 Configuration items

IPv4/Domain, IPv6, Loghost IP/Domain: Set the IPv4 address, domain, or IPv6 address of the loghost.

Setting buffer capacity and refresh interval

1. Select Device > Syslog from the navigation tree.
2. Click the Log Setup tab.
   The syslog configuration page appears.

Figure 55 Syslog configuration page

3. Configure buffer capacity and refresh interval as described in Table 31.
4. Click Apply.

Table 31 Configuration items

Buffer Capacity: Set the number of logs that can be stored in the log buffer of the Web interface.

Refresh Interval: Set the refresh period for the log information displayed on the Web interface. You can
select manual refresh or automatic refresh:
- Manual: Click Refresh to refresh the Web interface when displaying log information.
- Automatic: You can select to refresh the Web interface every 1, 5, or 10 minutes.
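As an added example (not code from this guide or from the device), the following Python applies the Table 29 fields to messages received from a loghost feed: it decodes the syslog PRI value into facility and the eight severity levels of the Level column, filters messages of a given severity or worse, counts messages per Source module, and keeps them in a bounded buffer that behaves like the Buffer Capacity setting of Table 31. The sample lines and their "<PRI>time host SOURCE/DIGEST: description" layout are constructed for this example and are not the device's exact output format.

```python
import re
from collections import Counter, deque

# The eight severities of Table 29, indexed by the syslog severity code (0 = Emergency).
LEVEL_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning",
               "Notification", "Information", "Debugging"]

# Constructed sample lines for this example (the layout is an assumption, not the
# device's exact output format). PRI 184..191 is facility 23 with severity 0..7.
SAMPLE_LOGS = """\
<188>Nov 12 09:15:01 AC1 SHELL/LOGINFAIL: Login failed for user admin from 10.1.1.7
<190>Nov 12 09:15:05 AC1 SHELL/LOGIN: admin logged in from 10.1.1.7
<187>Nov 12 09:16:30 AC1 NTP/SYNCFAIL: Authentication failed for server 1.0.1.12
<186>Nov 12 09:17:02 AC1 DEV/POWERFAIL: Power supply 1 removed
<191>Nov 12 09:17:03 AC1 WLAN/DEBUG: AP association state machine event
this line is not a syslog message
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<source>[A-Z0-9]+)/(?P<digest>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)


def parse_line(line):
    """Split one line into the Table 29 fields. PRI = facility * 8 + severity,
    so the severity (the Level column) is PRI mod 8."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    facility, severity = divmod(pri, 8)
    return {
        "time": m.group("time"),
        "host": m.group("host"),
        "source": m.group("source"),
        "facility": facility,
        "severity": severity,
        "level": LEVEL_NAMES[severity],
        "digest": m.group("digest"),
        "description": m.group("description"),
    }


def parse_logs(text):
    """Parse all lines, dropping anything that is not a well-formed message."""
    records = (parse_line(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r is not None]


def at_least(records, level_name):
    """Keep records whose level is level_name or more severe (lower code)."""
    threshold = LEVEL_NAMES.index(level_name)
    return [r for r in records if r["severity"] <= threshold]


def count_by_source(records):
    """Number of messages per generating module (the Source column)."""
    return dict(Counter(r["source"] for r in records))


class LogBuffer:
    """Bounded buffer like the Web log buffer of Table 31: once Buffer Capacity
    messages are stored, the oldest message is discarded for each new one."""

    def __init__(self, capacity):
        self._items = deque(maxlen=capacity)

    def add(self, record):
        self._items.append(record)

    def records(self):
        return list(self._items)


if __name__ == "__main__":
    logs = parse_logs(SAMPLE_LOGS)
    for r in at_least(logs, "Warning"):
        print("%-12s %-5s %s: %s" % (r["level"], r["source"], r["digest"], r["description"]))
    print(count_by_source(logs))
```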

Managing the configuration


IMPORTANT:
When backing up a configuration file, back up the configuration file with the extension .xml. Otherwise,
configuration information might not be restored in some cases (for example, when the configuration is
removed).

Backing up the configuration

Configuration backup provides the following functions:
- Open and view the configuration file (.cfg file or .xml file) for the next startup.
- Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user.

To back up the configuration:
1. Select Device > Configuration from the navigation tree.
   The page for backing up configuration appears.

Figure 56 Backing up the configuration

2. Click the upper Backup button.
   A file download dialog box appears. You can select to view the .cfg file or to save the file locally.
3. Click the lower Backup button.
   A file download dialog box appears. You can select to view the .xml file or to save the file locally.

Restoring the configuration

IMPORTANT:
The restored configuration file takes effect at the next device reboot.

Configuration restore provides the following functions:
- Upload the .cfg file on the host of the current user to the device for the next startup.
- Upload the .xml file on the host of the current user to the device for the next startup, and delete the
  previous .xml configuration file that was used for the next startup.

To restore the configuration:
1. Select Device > Configuration from the navigation tree.
2. Click the Restore tab.
   The page for restoring configuration appears.

Figure 57 Restoring the configuration

3. Click the upper Browse button.
   The file upload dialog box appears. You can select the .cfg file to be uploaded.
4. Click the lower Browse button.
   The file upload dialog box appears. You can select the .xml file to be uploaded.
5. Click Apply.

Saving the configuration

IMPORTANT:
HP recommends that you do not perform any operation on the Web interface while the configuration is
being saved.
The system does not support saving the configuration of two or more consecutive users. The system
prompts the users to try again if one user's configuration is being saved.

The save configuration module provides the function to save the current configuration to the configuration
file (.cfg file or .xml file) to be used at the next startup. You can save the configuration in one of the
following ways: fast or common.

Fast
Click the Save button at the upper right of the auxiliary area to save the configuration to the
configuration file.

Figure 58 Saving the configuration

Common
1. Select Device > Configuration from the navigation tree.
2. Click the Save tab.
   The page in Figure 58 appears.
3. Click Save Current Settings to save the current configuration to the configuration file.

Initializing the configuration

This operation restores the system to factory defaults, deletes the current configuration file, and reboots
the device.
To initialize the configuration:
1. Select Device > Configuration from the navigation tree.
2. Click the Initialize tab.
   The initialize confirmation page appears.

Figure 59 Initializing the configuration

3. Click Restore Factory-Default Settings to restore the system to factory defaults.

Managing files
IMPORTANT:
There are different types of storage media, such as flash and compact flash (CF). Different devices support
different types of storage device. For more information, see "About the HP 830 Series PoE+ Unified
Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Web-Based
Configuration Guide."

The device saves critical files, such as host software and configuration files, to the storage device, and
the system provides the file management function for users to manage those files.

Displaying file list

1. Select Device > File Management from the navigation tree.
   The file management page appears.

Figure 60 File management

2. Select a disk from the Please select disk list at the top of the page.
3. View the used space, free space, and capacity of the disk at the right of the list.
4. View all files saved on this disk (in the format of path + filename), file sizes, and the boot file types
   (Main or Backup is displayed if the file is an application file, with the extension .bin or .app).

Downloading a file

1. Select Device > File Management from the navigation tree.
   The page in Figure 60 appears.
2. Select a file from the list.
   You can select one file at a time.
3. Click Download File.
   The File Download dialog box appears. You can select to open the file or to save the file to a
   specified path.

Uploading a file

IMPORTANT:
HP recommends that you do not perform any operation on the Web interface during the upgrade
procedure.

1. Select Device > File Management from the navigation tree.
   The page in Figure 60 appears.
2. Select the disk to save the file in the Upload File box.
3. Click Browse to set the path and name of the file.
4. Click Apply.

Removing a file

1. Select Device > File Management from the navigation tree.
   The page in Figure 60 appears.
2. Select one or multiple files from the file list.
3. Click Remove File.

NOTE:
You can also remove a file by clicking the corresponding icon.

Specifying the main boot file

1. Select Device > File Management from the navigation tree.
   The page in Figure 60 appears.
2. Select the box to the left of an application file (with the extension .bin or .app).
   You can set one file at a time.
3. Click Set as Main Boot File to set the main boot file to be used at the next startup.

Managing interfaces

Interface management overview

An interface is the point of interaction for exchanging data between entities. There are two types of
interfaces: physical and logical. A physical interface refers to an interface that physically exists as a
hardware component, for example, Ethernet interfaces. A logical interface is an interface that can
implement data switching but does not exist physically, and must be created manually, for example,
VLAN interfaces.
You can use the interface management feature on the Web-based configuration interface to manage the
following types of interfaces:
- Layer 2 Ethernet interface: Physical interface operating on the data link layer for forwarding Layer
  2 protocol packets.
- Management Ethernet interface: Physical interface operating on the network layer. You can
  configure IP addresses for a management Ethernet interface. To manage the device, you can log in
  to the device through a management Ethernet interface.
- Loopback interface: A loopback interface is a software-only virtual interface. The physical layer
  state and link layer protocols of a loopback interface are always up unless the loopback interface
  is manually shut down. You can enable routing protocols on a loopback interface, and a loopback
  interface can send and receive routing protocol packets. When you assign an IPv4 address whose
  mask is not 32-bit, the system automatically changes the mask into a 32-bit mask.
- Null interface: A null interface is a completely software-based logical interface, and is always up.
  However, you cannot use it to forward data packets or configure an IP address or link layer protocol.
  With a null interface specified as the next hop of a static route to a specific network segment, any
  packets routed to the network segment are dropped. The null interface provides a simpler method of
  filtering packets than an ACL. You can filter uninteresting traffic by transmitting it to a null interface
  instead of applying an ACL.
- VLAN interface: Virtual Layer 3 interface used for Layer 3 communications between VLANs. A
  VLAN interface corresponds to a VLAN. You can assign an IP address to a VLAN interface and
  specify it as the gateway of the corresponding VLAN to forward traffic destined for an IP network
  segment different from that of the VLAN.
- Virtual template (VT) interface: Template used for configuring virtual access (VA) interfaces.
- Bridge-Aggregation interface (BAGG): Multiple Layer 2 Ethernet interfaces can be combined to
  form a Layer 2 aggregation group. The logical interface created for the group is called an
  aggregate interface.

With the interface management feature, you can view interface information, create/remove logical
interfaces, change interface status, and reset interface parameters.

Displaying interface information and statistics

1. Select Device > Interface from the navigation tree.
   The interface management page appears. The page displays the interfaces' names, IP addresses,
   masks, and status.

Figure 61 Displaying interface information

2. Click an interface name in the Name column to display the statistics of that interface.
   The page for displaying interface statistics appears.

Figure 62 Displaying interface statistics

Creating an interface

1. Select Device > Interface from the navigation tree.
   The page in Figure 61 appears.
2. Click Add.
   The page for creating an interface appears.

Figure 63 Creating an interface

3. Configure the interface as described in Table 32.
4. Click Apply.

Table 32 Configuration items

Interface Name: Set the type and number of a logical interface.

VID: If you are creating a Layer 3 Ethernet subinterface, set the VLANs associated with the
subinterface. This parameter is available only for Layer 3 Ethernet subinterfaces.
IMPORTANT:
This configuration item is not configurable because the device does not support Layer 3 Ethernet
subinterfaces.

MTU: Set the maximum transmission unit (MTU) of the interface. The MTU value affects fragmentation
and reassembly of IP packets.
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces support MTU.

TCP MSS: Set the maximum segment size (MSS) for IP packets on the interface. The TCP MSS value
affects fragmentation and reassembly of IP packets.
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces support MTU.

IP Config: Set the way for the interface to obtain an IP address, including:
- None: Select this option if you do not want to assign an IP address to the interface.
- Static Address: Select this option to manually assign an IP address and mask to the interface. If
  this option is selected, you must set the IP Address and Mask fields.
- DHCP: Select this option for the interface to obtain an IP address through DHCP automatically.
- BOOTP: Select this option for the interface to obtain an IP address through BOOTP automatically.
- PPP Negotiate: Select this option for the interface to obtain an IP address through PPP negotiation.
- Unnumbered: Select this option to borrow the IP address of another interface on the same device
  for the interface. If this option is selected, you must select the interface whose IP address you
  want to borrow in the Unnumbered Interfaces list.
IMPORTANT:
Support for the way of obtaining an IP address depends on the interface type.

IP Address/Mask, Secondary IP Address/Mask: After selecting the Static Address option for the IP
Config configuration item, you need to set the primary IP address and mask, and secondary IP
addresses and masks for the interface.
IMPORTANT:
- The primary and secondary IP addresses cannot be 0.0.0.0.
- For a loopback interface, the mask is fixed to 32 bits and is not configurable.
- The number of secondary IP addresses supported by the device depends on the device model.

Unnumbered Interface: If the Unnumbered option is selected as the way for the interface to obtain an
IP address, you must set the interface whose IP address is to be borrowed.

IPv6 Config: Set the way for the interface to obtain an IPv6 link-local address, including:
- None: Select this option if you do not want to assign an IPv6 link-local address to the interface.
- Auto: Select this option for the system to automatically assign an IPv6 link-local address to the
  interface.
- Manual: Select this option to manually assign an IPv6 link-local address to the interface. If this
  option is selected, you must set the IPv6 Link Local Address field.

IPv6 Link Local Address: If the Manual option is selected for the interface to obtain an IPv6 link-local
address, you must set an IPv6 link-local address for the interface.

Modifying a Layer 2 interface

1. Select Device > Interface from the navigation tree.
   The page in Figure 61 appears.
2. Click the icon corresponding to a Layer 2 interface.
   The page for modifying a Layer 2 interface appears.

Figure 64 Modifying a Layer 2 physical interface

3. Modify the information about the Layer 2 physical interface as described in Table 33.
4. Click Apply.

Table 33 Configuration items

Port State: Enable or disable the interface. In some cases, modification to the interface parameters
does not take effect immediately. You need to shut down and then bring up the interface to make the
modification take effect.

Speed: Set the transmission rate of the interface. Available options include:
- 10: 10 Mbps.
- 100: 100 Mbps.
- 1000: 1000 Mbps.
- Auto: Auto-negotiation.
- Auto 10: The auto-negotiation rate of the interface is 10 Mbps.
- Auto 100: The auto-negotiation rate of the interface is 100 Mbps.
- Auto 1000: The auto-negotiation rate of the interface is 1000 Mbps.
- Auto 10 100: The auto-negotiation rate of the interface is 10 Mbps or 100 Mbps.
- Auto 10 1000: The auto-negotiation rate of the interface is 10 Mbps or 1000 Mbps.
- Auto 100 1000: The auto-negotiation rate of the interface is 100 Mbps or 1000 Mbps.
- Auto 10 100 1000: The auto-negotiation rate of the interface is 10 Mbps, 100 Mbps, or 1000 Mbps.

Duplex: Set the duplex mode of the interface.
- Auto: Auto-negotiation.
- Full: Full duplex.
- Half: Half duplex.

Link Type: Set the link type of the current interface, which can be access, hybrid, or trunk. For more
information, see Table 34.
IMPORTANT:
To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to
access.

PVID: Set the default VLAN ID of the hybrid or trunk port.
IMPORTANT:
The trunk ports at the two ends of a link must have the same PVID.

MDI: Set the Medium Dependent Interface (MDI) mode for the interface.
Two types of Ethernet cables can be used to connect Ethernet devices: crossover and straight-through.
To accommodate these two types of cables, an Ethernet interface on the device can operate in one of
the following MDI modes:
- Across mode.
- Normal mode.
- Auto mode.
An Ethernet interface is composed of eight pins. By default, each pin has its particular role. For
example, pin 1 and pin 2 are used for transmitting signals; pin 3 and pin 6 are used for receiving
signals. Pin roles are set as a result of how you set the MDI mode:
- In across mode, pin 1 and pin 2 are used for transmitting signals, and pin 3 and pin 6 are used for
  receiving signals.
- In auto mode, the pin roles are determined through auto-negotiation.
- In normal mode, pin 1 and pin 2 are used for receiving signals while pin 3 and pin 6 are used for
  transmitting signals.
Configure the MDI mode depending on the cable type:
- Typically, the auto mode is recommended. The other two modes are useful only when the device
  cannot determine the cable type.
- When straight-through cables are used, the local MDI mode must be different from the remote MDI
  mode.
- When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or
  the MDI mode of at least one end must be set to auto.

Flow Control: Enable or disable flow control on the interface. When flow control is enabled on both
ends and traffic congestion occurs on the local device, the device sends information to notify the peer
end to stop sending packets temporarily. When the peer end receives the information, it stops sending
packets to avoid packet loss.
IMPORTANT:
Flow control can be realized only when it is enabled on both ends.

Jumbo Frame Forwarding: Enable or disable the forwarding of jumbo frames.

Max MAC Count: Set the maximum number of MAC addresses the interface can learn. Available
options include:
- User Defined: Select this option to set the limit manually.
- No Limited: Select this option to set no limit.

Broadcast Suppression: Set broadcast suppression. You can suppress broadcast traffic by percentage
or by PPS:
- ratio: Sets the maximum percentage of broadcast traffic to the total transmission capability of an
  Ethernet interface. When this option is selected, you need to enter a percentage in the box below
  this option.
- pps: Sets the maximum number of broadcast packets that can be forwarded on an Ethernet interface
  every second. When this option is selected, you need to enter a number in the box below this option.

Multicast Suppression: Set multicast suppression. You can suppress multicast traffic by percentage or
by PPS:
- ratio: Sets the maximum percentage of multicast traffic to the total transmission capability of an
  Ethernet interface. When this option is selected, you need to enter a percentage in the box below
  this option.
- pps: Sets the maximum number of multicast packets that can be forwarded on an Ethernet interface
  per second. When this option is selected, you need to enter a number in the box below this option.

Unicast Suppression: Set unicast suppression. You can suppress unicast traffic by percentage or by PPS:
- ratio: Sets the maximum percentage of unicast traffic to the total transmission capability of an
  Ethernet interface. When this option is selected, you need to enter a percentage in the box below
  this option.
- pps: Sets the maximum number of unicast packets that can be forwarded on an Ethernet interface
  every second. When this option is selected, you need to enter a number in the box below this option.

Table 34 Link type description

Access: An access port can belong to only one VLAN and is typically used to connect a user device.

Hybrid: A hybrid port can be assigned to multiple VLANs to receive and send packets for the VLANs. A
hybrid port allows packets of multiple VLANs to pass through untagged. Hybrid ports can be used to
connect network devices and user devices.

Trunk: A trunk port can be assigned to multiple VLANs to receive and send packets for the VLANs. A
trunk port allows only packets of the default VLAN to pass through untagged. Trunk ports are typically
used to connect network devices.

Modifying a Layer 3 interface

1. Select Device > Interface from the navigation tree.
   The page in Figure 61 appears.
2. Click the icon corresponding to a Layer 3 interface.
   The page for modifying a Layer 3 interface appears.

Figure 65 Modifying a Layer 3 physical interface

3. Modify the information about the Layer 3 interface.
   The configuration items for modifying a Layer 3 interface are similar to those for creating an
   interface. Table 35 describes the configuration items that apply to modifying a Layer 3 interface.
4. Click Apply.

Table 35 Configuration items

Interface Type: Set the interface type, which can be Electrical port, Optical port, or None.

Interface Status: Display and set the interface status.
- Connected indicates that the current status of the interface is up and connected. You can click
  Disable to shut down the interface.
- Not connected indicates that the current status of the interface is up but not connected. You can
  click Disable to shut down the interface.
- Administratively Down indicates that the interface is shut down by the administrator. You can click
  Enable to bring up the interface.
After you click Enable or Disable, the page displaying interface information appears.
IMPORTANT:
For an interface whose status cannot be changed, the Enable or Disable button is not available.

Working Mode: Set the interface to work in bridge mode or router mode.

Interface management configuration example

Network requirements

Create VLAN-interface 100 and specify its IP address as 10.1.1.2.

Configuration procedure

1. Create VLAN 100:
   a. Select Network > VLAN from the navigation tree.
      The VLAN tab page appears.
   b. Click Add.
      The page for creating VLANs appears.

Figure 66 Creating VLAN 100

   c. Enter VLAN ID 100.
   d. Click Apply.
2. Create VLAN-interface 100 and assign an IP address to it:
   a. Select Device > Interface from the navigation tree.
   b. Click Add.
      The page for creating an interface appears.

Figure 67 Creating VLAN-interface 100

   c. Select Vlan-interface from the Interface Name list, enter the interface ID 100, select the Static
      Address option in the IP Config area, enter the IP address 10.1.1.2, and select 24
      (255.255.255.0) from the Mask list.
   d. Click Apply.

Managing users
In the user management part, you can perform the following configuration:
• Create a local user, and set the password, access level, and service type for the user.
• Set the super password for switching the current Web user level to the management level.
• Switch the current Web user access level to the management level.

Creating a user
1. Select Device > Users from the navigation tree.
2. Click the Create tab.
   The page for creating local users appears.

Figure 68 Creating a user

3. Configure the user information as described in Table 36.
4. Click Apply.

Table 36 Configuration items

Username
    Set the username for the user.

Access Level
    Set the access level for the user. Users of different levels can perform different operations. The following Web user levels, from low to high, are available:
    • Visitor: Users of this level can perform the ping and traceroute operations, but they cannot access the device data or configure the device.
    • Monitor: Users of this level can only access the device data but cannot configure the device.
    • Configure: Users of this level can access data on the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
    • Management: Users of this level can perform any operations on the device.

Password
    Set the password for the user.

Confirm Password
    Enter the same password again. Otherwise, the system prompts that the two passwords are not consistent when you apply the configuration.

Service Type
    Set the service type, including Web, FTP, and Telnet services. This option is required. Select at least one of the service types.

Setting the super password

Management level users can specify the password for a lower-level user to switch from the current access level to the management level. If this password is not configured, the switchover fails.
To set the super password:
1. Select Device > Users from the navigation tree.
2. Click the Super Password tab.
   The super password configuration page appears.

Figure 69 Setting the super password

3. Set the super password as described in Table 37.
4. Click Apply.

Table 37 Configuration items

Create/Remove
    Set the operation type:
    • Create: Configure or modify the super password.
    • Remove: Remove the current super password.

Password
    Set the password for a user to switch to the management level.

Confirm Password
    Enter the same password again. Otherwise, the system prompts that the two passwords are not consistent when you apply the configuration.

Switching the user access level to the management level
This function is provided for a user to switch the current user level to the management level. Note the following:
• Before switching, make sure that the super password is already configured. A user cannot switch to the management level without a super password.
• The access level switchover of a user is valid for the current login only. The access level configured for the user is not changed. When the user logs in again to the Web interface, the access level of the user is still the original level.

To switch the user access level to the management level:
1. Select Device > Users from the navigation tree.
2. Click the Switch To Management tab.
   The access level switching page appears.

Figure 70 Switching to the management level

3. Enter the super password.
4. Click Login.

Configuring SNMP
SNMP overview
Simple Network Management Protocol (SNMP) defines the communication rules between a management device and the managed devices on the network. It defines a series of messages, methods, and syntaxes through which the management device accesses and manages the managed devices. SNMP shields the physical differences between various devices and enables automatic management of products from different manufacturers.
An SNMP-enabled network comprises the network management system (NMS) and agents. The NMS manages agents by exchanging management information through SNMP. The NMS and the managed agents must use the same SNMP version.
SNMP agents support SNMPv1, SNMPv2c, and SNMPv3.
• SNMPv1: Uses community names for authentication. To access an SNMP agent, an NMS must use the same community name as the one that is set on the SNMP agent. If the community name used by the NMS is different from the one set on the agent, the NMS cannot establish an SNMP session to access the agent or receive traps from the agent.
• SNMPv2c: Uses community names for authentication. SNMPv2c is compatible with SNMPv1 but supports more operation modes, data types, and error codes.
• SNMPv3: Uses the user-based security model (USM) to secure SNMP communication. You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity, authenticity, and confidentiality.

For more information about SNMP, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Network Management and Maintenance Configuration Guide.

SNMP configuration task list

SNMPv1 or SNMPv2c configuration task list
Perform the tasks in Table 38 to configure SNMPv1 or SNMPv2c.

Table 38 SNMPv1 or SNMPv2c configuration task list

Enabling SNMP
    Required.
    The SNMP agent function is disabled by default.
    IMPORTANT:
    If the SNMP agent is disabled, all SNMP agent-related configurations are removed.

Configuring an SNMP view
    Optional.
    After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.

Configuring an SNMP community
    Required.

Configuring SNMP trap function
    Optional.
    Allows you to enable the agent to send SNMP traps to the NMS, and to configure information about the target host of the SNMP traps.
    By default, an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics
    Optional.

SNMPv3 configuration task list
Perform the tasks in Table 39 to configure SNMPv3.

Table 39 SNMPv3 configuration task list

Enabling SNMP
    Required.
    The SNMP agent function is disabled by default.
    IMPORTANT:
    If the SNMP agent is disabled, all SNMP agent-related configurations are removed.

Configuring an SNMP view
    Optional.
    After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.

Configuring an SNMP group
    Required.
    After creating an SNMP group, you can add SNMP users to the group when creating the users. This enables centralized management of the users in the group through management of the group.

Configuring an SNMP user
    Required.
    Before creating an SNMP user, you must create the SNMP group to which the user belongs.

Configuring SNMP trap function
    Optional.
    Allows you to enable the agent to send SNMP traps to the NMS, and to configure information about the target host of the SNMP traps.
    By default, an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics
    Optional.

Enabling SNMP
1. Select Device > SNMP from the navigation tree.
   The SNMP configuration page appears.

Figure 71 Configuring SNMP settings

2. Configure the SNMP settings on the upper part of the page as described in Table 40.
3. Click Apply.

Table 40 Configuration items

SNMP
    Enable or disable SNMP.

Local Engine ID
    Configure the local engine ID.
    The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID at the time the user was created is not identical to the current engine ID, the user is invalid.

Maximum Packet Size
    Configure the maximum size of an SNMP packet that the agent can receive or send.

Contact
    Set a character string to describe the contact information for system maintenance.

Location
    Set a character string to describe the physical location of the device.

SNMP Version
    Set the SNMP version run by the system.

Configuring an SNMP view

Creating an SNMP view
1. Select Device > SNMP from the navigation tree.
2. Click the View tab.
   The view page appears.

Figure 72 View page

3. Click Add.
   The Add View window appears.

Figure 73 Creating an SNMP view (1)

4. Enter the view name.
5. Click Apply.
   The page in Figure 74 appears.

Figure 74 Creating an SNMP view (2)

6. Configure the parameters as described in Table 41.
7. Click Add.
8. Repeat steps 6 and 7 to add more rules for the SNMP view.
9. Click Apply.
   To cancel the view, click Cancel.

Table 41 Configuration items

View Name
    Set the SNMP view name.

Rule
    Select whether to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.

MIB Subtree OID
    Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system).
    A MIB subtree OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree.

Subtree Mask
    Set the subtree mask.
    If no subtree mask is specified, the default subtree mask (all Fs) is used for mask-OID matching.
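The Rule, MIB Subtree OID and Subtree Mask items above decide which objects a view contains. The following Python is an added example, not code from the HP guide: it models that matching as the view-based access control model of RFC 3415 defines it, with each mask bit selecting whether a sub-identifier must match, unspecified bits counting as 1 (the all-Fs default), and the longest matching rule deciding. MIB_NAMES and EXAMPLE_VIEW are constructed for the example.

```python
# Added example: SNMP view rule matching (not part of the HP guide).
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subtree names that may be entered instead of an OID (constructed lookup;
# "system" is the page's own example, the others are standard MIB-2 names).
MIB_NAMES = {
    "iso": "1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
}


@dataclass
class ViewRule:
    included: bool      # True = Included, False = Excluded (the Rule item)
    subtree: str        # MIB subtree OID or name (the MIB Subtree OID item)
    mask: str = ""      # hex subtree mask; "" means the default, all Fs


def parse_oid(text: str) -> Tuple[int, ...]:
    """Turn "1.3.6.1.2.1.1" or a known name such as "system" into a tuple."""
    dotted = MIB_NAMES.get(text, text).strip(".")
    return tuple(int(part) for part in dotted.split("."))


def mask_bits(mask: str, length: int) -> List[bool]:
    """One flag per sub-identifier: True = must match, False = wildcard.

    Hex digits are read most significant bit first; bits the mask does not
    cover are treated as 1, which is why the default all-Fs mask requires
    every sub-identifier of the subtree to match.
    """
    bits: List[bool] = []
    for digit in mask:
        value = int(digit, 16)
        bits.extend(bool(value & (1 << shift)) for shift in (3, 2, 1, 0))
    bits = bits[:length]
    bits.extend([True] * (length - len(bits)))
    return bits


def subtree_matches(rule: ViewRule, oid: Tuple[int, ...]) -> bool:
    """True if oid lies under rule.subtree, honouring mask wildcards."""
    subtree = parse_oid(rule.subtree)
    if len(oid) < len(subtree):
        return False
    flags = mask_bits(rule.mask, len(subtree))
    return all(not must_match or want == got
               for must_match, want, got in zip(flags, subtree, oid))


def view_allows(rules: List[ViewRule], oid_text: str) -> bool:
    """Decide whether an object is inside the view.

    Of all matching rules the one with the longest subtree decides; an
    object matched by no rule is outside the view. Equal-length ties are
    not broken here (RFC 3415 prefers the lexicographically greater subtree).
    """
    oid = parse_oid(oid_text)
    best: Optional[Tuple[int, bool]] = None
    for rule in rules:
        if subtree_matches(rule, oid):
            depth = len(parse_oid(rule.subtree))
            if best is None or depth > best[0]:
                best = (depth, rule.included)
    return best is not None and best[1]


# Constructed view: everything under iso, minus the interfaces group, but
# with every column of the ifTable row for interface 3 let through again.
# The subtree 1.3.6.1.2.1.2.2.1.0.3 has 11 sub-identifiers; mask FFB is
# 1111 1111 1011, so the 10th sub-identifier (the column) is a wildcard.
EXAMPLE_VIEW = [
    ViewRule(True, "iso"),
    ViewRule(False, "interfaces"),
    ViewRule(True, "1.3.6.1.2.1.2.2.1.0.3", "FFB"),
]

if __name__ == "__main__":
    for name, oid in [("sysName.0", "1.3.6.1.2.1.1.5.0"),
                      ("ifDescr.3", "1.3.6.1.2.1.2.2.1.2.3"),
                      ("ifDescr.4", "1.3.6.1.2.1.2.2.1.2.4")]:
        state = "in view" if view_allows(EXAMPLE_VIEW, oid) else "excluded"
        print(f"{name:10s} {oid:24s} {state}")
```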

Adding rules to an SNMP view
1. Select Device > SNMP from the navigation tree.
2. Click the View tab.
   The page in Figure 75 appears.
3. Click the icon for adding rules of the target view.
   The Add rule for the view ViewDefault window appears.

Figure 75 Adding rules to an SNMP view

4. Configure the parameters as described in Table 41.
5. Click Apply.

NOTE:
You can modify the rules of a view on the page you enter by clicking the modify icon of that view.

Configuring an SNMP community
1. Select Device > SNMP from the navigation tree.
2. Click the Community tab.
   The community tab page appears.

Figure 76 Configuring an SNMP community

3. Click Add.
   The Add SNMP Community page appears.

Figure 77 Creating an SNMP Community

4. Configure the SNMP community settings as described in Table 42.
5. Click Apply.

Table 42 Configuration items

Community Name
    Set the SNMP community name.

Access Right
    Configure the access rights:
    • Read only: The NMS can perform read-only operations on the MIB objects when it uses this community name to access the agent.
    • Read and write: The NMS can perform both read and write operations on the MIB objects when it uses this community name to access the agent.

View
    Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS.

ACL
    Associate the community with a basic ACL to allow or prohibit access to the agent from the NMS with the specified source IP address.

Configuring an SNMP group
1. Select Device > SNMP from the navigation tree.
2. Click the Group tab.
   The group tab page appears.

Figure 78 SNMP group

3. Click Add.
   The Add SNMP Group page appears.

Figure 79 Creating an SNMP group

4. Configure the SNMP group settings as described in Table 43.
5. Click Apply.

Table 43 Configuration items

Group Name
    Set the SNMP group name.

Security Level
    Select the security level for the SNMP group:
    • NoAuth/NoPriv: No authentication, no privacy.
    • Auth/NoPriv: Authentication without privacy.
    • Auth/Priv: Authentication and privacy.

Read View
    Select the read view of the SNMP group.

Write View
    Select the write view of the SNMP group.
    If no write view is configured, the NMS cannot perform write operations on any MIB objects on the device.

Notify View
    Select the notify view of the SNMP group. The notify view can send trap messages.
    If no notify view is configured, the agent does not send traps to the NMS.

ACL
    Associate a basic ACL with the group to restrict the source IP address of SNMP packets. You can allow or prohibit SNMP packets with a specific source IP address to restrict the intercommunication between the NMS and the agent.

Configuring an SNMP user
1. Select Device > SNMP from the navigation tree.
2. Click the User tab.
   The user tab page appears.

Figure 80 SNMP user

3. Click Add.
   The Add SNMP User page appears.

Figure 81 Creating an SNMP user

4. Configure the SNMP user settings as described in Table 44.
5. Click Apply.

Table 44 Configuration items

User Name
    Set the SNMP user name.

Security Level
    Select the security level for the SNMP user:
    • NoAuth/NoPriv: No authentication, no privacy.
    • Auth/NoPriv: Authentication without privacy.
    • Auth/Priv: Authentication and privacy.

Group Name
    Select the SNMP group to which the user belongs.
    • When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication, no privacy.
    • When the security level is Auth/NoPriv, you can select an SNMP group with no authentication, no privacy or with authentication without privacy.
    • When the security level is Auth/Priv, you can select an SNMP group of any security level.

Authentication Mode
    Select an authentication mode (MD5 or SHA) when the security level is Auth/NoPriv or Auth/Priv.

Authentication Password
    Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.

Confirm Authentication Password
    Enter the authentication password again. The two entries must be the same.

Privacy Mode
    Select a privacy mode (DES56, AES128, or 3DES) when the security level is Auth/Priv.

Privacy Password
    Set the privacy password when the security level is Auth/Priv.

Confirm Privacy Password
    Enter the privacy password again. The two entries must be the same.

ACL
    Associate a basic ACL with the user to restrict the source IP address of SNMP packets. You can allow or prohibit SNMP packets with a specific source IP address, so that only the specified NMS can access the agent by using the name of the associated user.
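The engine ID dependency noted under Local Engine ID in Table 40 and the authentication and privacy passwords of Table 44 both follow from how SNMPv3 USM derives keys. The Python below is an added example, not code from the HP guide: it implements the RFC 3414 password-to-key and key localization steps with hashlib, so the same password yields a different key for every engine ID. The password maplesyrup and the engine IDs are the RFC's own test values; privacy_key covers only the DES56 and AES128 modes.

```python
# Added example: SNMPv3 USM key derivation (not part of the HP guide).
import hashlib

ONE_MIB = 1048576                       # RFC 3414 stretches the password to 1 MiB
HASHES = {"MD5": "md5", "SHA": "sha1"}  # the authentication modes of Table 44


def password_to_key(password: str, mode: str) -> bytes:
    """Ku: hash of the password repeated until exactly 1 MiB has been consumed."""
    raw = password.encode()
    if not raw:
        raise ValueError("the authentication or privacy password must not be empty")
    stretched = (raw * (ONE_MIB // len(raw) + 1))[:ONE_MIB]
    return hashlib.new(HASHES[mode], stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, mode: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually used with one agent."""
    return hashlib.new(HASHES[mode], ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, mode: str = "MD5") -> str:
    """Convenience wrapper: localized authentication key as a hex string."""
    ku = password_to_key(password, mode)
    return localize_key(ku, bytes.fromhex(engine_id_hex), mode).hex()


def privacy_key(password: str, engine_id_hex: str, auth_mode: str, priv_mode: str) -> bytes:
    """Privacy key, derived the same way from the privacy password.

    DES56 (RFC 3414) and AES128 (RFC 3826) both take the first 16 bytes of the
    localized key (for DES: 8 bytes of key plus 8 bytes of pre-IV). 3DES needs
    an extended key and is not covered by this example.
    """
    if priv_mode not in ("DES56", "AES128"):
        raise ValueError(f"{priv_mode} is not handled in this example")
    kul = localize_key(password_to_key(password, auth_mode),
                       bytes.fromhex(engine_id_hex), auth_mode)
    return kul[:16]


def user_invalid_after_engine_change(password: str, old_engine: str, new_engine: str) -> bool:
    """True when the localized keys differ, i.e. a user created under old_engine
    no longer authenticates once the agent's engine ID becomes new_engine."""
    return localized_key_hex(password, old_engine) != localized_key_hex(password, new_engine)


if __name__ == "__main__":
    # RFC 3414 appendix A.3.1 test values: password "maplesyrup", engine ID 00..02.
    print(localized_key_hex("maplesyrup", "000000000000000000000002", "MD5"))
    print(user_invalid_after_engine_change("maplesyrup",
                                           "000000000000000000000002",
                                           "000000000000000000000003"))
```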

Configuring SNMP trap function
1. Select Device > SNMP from the navigation tree.
2. Click the Trap tab.
   The trap configuration page appears.

Figure 82 Traps configuration

3. Select Enable SNMP Trap.
4. Click Apply.
5. Click Add.
   The page for adding a target host of SNMP traps appears.

Figure 83 Adding a target host of SNMP traps

6. Configure the settings for the target host as described in Table 45.
7. Click Apply.

Table 45 Configuration items

Destination IP Address
    Set the destination IP address or domain.
    Select the IP address type, IPv4/Domain or IPv6, and then type the corresponding IP address or domain in the field according to the IP address type.

Security Name
    Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.

UDP Port
    Set the UDP port number.
    IMPORTANT:
    The default port number is 162, which is the SNMP-specified port used for receiving traps on the NMS. Typically (for example, when using IMC or MIB Browser as the NMS), you can use the default port number. If you change this parameter to another value, make sure that the configuration is the same as the configuration on the NMS.

Security Model
    Select the security model, which is the SNMP version. The model must be the same as the model running on the NMS. Otherwise, the NMS cannot receive any traps.

Security Level
    Set the authentication and privacy mode for SNMP traps when the security model is v3. The available security levels are no authentication no privacy, authentication but no privacy, and authentication and privacy.

Displaying SNMP packet statistics
1. Select Device > SNMP from the navigation tree.
   The page for displaying SNMP packet statistics appears.

Figure 84 SNMP packet statistics

SNMP configuration example

Network requirements
The NMS connects to the agent, an AC, through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on the AC is 1.1.1.1/24. Configure SNMP to achieve the following results:
• The NMS monitors the agent by using SNMPv3.
• The agent reports errors or faults to the NMS.

Figure 85 Network diagram

Configuring the agent
1. Enable the SNMP agent:
   a. Select Device > SNMP from the navigation tree.
      The page in Figure 86 appears.
   b. Select the Enable option.
   c. Select the v3 box.
   d. Click Apply.

Figure 86 Enabling SNMP

2. Configure an SNMP view:
   a. Click the View tab.
   b. Click Add.
      The page in Figure 87 appears.
   c. Enter view1 in the field.
   d. Click Apply.
      The page in Figure 88 appears.
   e. Select the Included radio box, enter the MIB subtree OID interfaces, and click Add.
   f. Click Apply.
      A configuration progress dialog box appears.
   g. Click Close after the configuration process is complete.

Figure 87 Creating an SNMP view (1)

Figure 88 Creating an SNMP view (2)

3. Configure an SNMP group:
   a. Click the Group tab.
   b. Click Add.
      The page in Figure 89 appears.
   c. Enter group1 in the Group Name field, select view1 from the Read View box, and select view1 from the Write View box.
   d. Click Apply.

Figure 89 Creating an SNMP group

4. Configure an SNMP user:
   a. Click the User tab.
   b. Click Add.
      The page in Figure 90 appears.
   c. Enter user1 in the User Name field and select group1 from the Group Name box.
   d. Click Apply.

Figure 90 Creating an SNMP user

5. Enable the agent to send SNMP traps:
   a. Click the Trap tab.
      The page in Figure 91 appears.
   b. Select the Enable SNMP Trap box.
   c. Click Apply.

Figure 91 Enabling the agent to send SNMP traps

6. Add target hosts of SNMP traps:
   a. Click Add on the Trap tab.
      The page in Figure 92 appears.
   b. Select IPv4/Domain as the destination IP address type, enter the destination address 1.1.1.2, enter the user name user1, and select v3 from the Security Model list.
   c. Click Apply.

Figure 92 Adding target hosts of SNMP traps

Configuring the NMS

CAUTION:
The configuration on the NMS must be consistent with the configuration on the agent. Otherwise, you cannot perform the corresponding operations.

SNMPv3 uses a security mechanism of authentication and privacy. You must configure the username and security level, and configure the related authentication and privacy settings (for example, the authentication password, privacy mode, and privacy password) according to the configured security level. You must also configure the aging time and retry times. After these configurations, you can configure the device as needed through the NMS. For more information about NMS configuration, see the manual provided with the NMS.

Verifying the configuration
• After the configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.
• If an idle interface on the agent is shut down or brought up, the NMS receives a trap sent by the agent.

Configuring loopback
You can check whether an Ethernet port works normally by performing the Ethernet port loopback test. During the test, the port cannot correctly forward data packets.
An Ethernet port loopback test can be an internal loopback test or an external loopback test.
• In an internal loopback test, a self loop is established in the switching chip to check whether there is a chip failure related to the functions of the port.
• In an external loopback test, a self-loop header is used on the port. Packets forwarded by the port are received by the port itself through the self-loop header. The external loopback test can be used to check whether there is a hardware failure on the port.

Configuration guidelines
When you perform a loopback test, follow these guidelines:
• You can perform an internal loopback test but not an external loopback test on a port that is physically down, and you can perform neither test on a port that is manually shut down.
• The system does not allow Rate, Duplex, Cable Type, or Port Status configuration on a port under a loopback test.
• An Ethernet port operates in full duplex mode while the loopback test is performed, and restores its original duplex mode after the loopback test.

Loopback operation
1. Select Device > Loopback from the navigation tree.
   The loopback test configuration page appears.

Figure 93 Loopback test configuration page

2. Configure the loopback test parameters as described in Table 46.

Table 46 Configuration items

Testing type (External or Internal)
    Set the loopback test type to External or Internal.
    Support for the test type depends on the device model.

3. Click Test to start the loopback test.
   The Result box displays the test results.

Figure 94 Loopback test result

Configuring MAC addresses

MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces.
This chapter provides information about the management of static and dynamic MAC address entries. It does not provide information about multicast MAC address entries.

Overview
A device maintains a MAC address table for frame forwarding. Each entry in this table indicates the MAC address of a connected device, the interface to which this device is connected, and the VLAN to which the interface belongs. A MAC address table consists of two types of entries: static and dynamic. Static entries are manually configured and never age out. Dynamic entries can be manually configured or dynamically learned, and they age out.
When a frame arrives at a port, Port A for example, the device performs the following tasks:
1. Checks the frame for the source MAC address (MAC-SOURCE for example).
2. Looks up the MAC address in the MAC address table.
   • If an entry is found, updates the entry.
   • If no entry is found, adds an entry for the MAC address and the receiving port (Port A) to the MAC address table.
When receiving a frame destined for MAC-SOURCE, the device looks up the MAC address in the MAC address table and forwards the frame out of Port A.
NOTE:
Dynamically learned MAC addresses cannot overwrite static MAC address entries, but static MAC address entries can overwrite dynamically learned MAC addresses.
When forwarding a frame, the device uses the following forwarding modes based on the MAC address table:
• Unicast mode: If an entry matching the destination MAC address exists, the device forwards the frame directly out of the sending port recorded in the entry.
• Broadcast mode: If the device receives a frame with a destination address of all Fs, or no entry matches the destination MAC address, the device broadcasts the frame to all the ports except the receiving port.

Figure 95 MAC address table of the device (the figure shows hosts MAC A, MAC B, MAC C, and MAC D attached to Port 1 and Port 2, and the resulting MAC address / Port table)
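The learning, overwrite, and forwarding rules of this overview, together with the aging setting of Table 48, as an added Python model that is not code from the HP guide. The port names and MAC labels are constructed to follow Figure 95; the aging time and the time stamps passed to the methods are the example's own.

```python
# Added example: MAC address table learning, aging and forwarding (not part of the HP guide).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff-ffff-ffff"    # the "all Fs" destination in the device's MAC notation


@dataclass
class MacEntry:
    port: str
    static: bool                # static entries never age out
    last_seen: float = 0.0      # refresh time of a dynamic entry


class MacTable:
    """MAC address table keyed by (VLAN, MAC), as the overview describes."""

    def __init__(self, ports: List[str], aging_time: Optional[float] = 300.0):
        self.ports = list(ports)
        self.aging_time = aging_time        # None models the No-aging setting of Table 48
        self.entries: Dict[Tuple[int, str], MacEntry] = {}

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        # A static entry replaces whatever was learned dynamically for this address.
        self.entries[(vlan, mac)] = MacEntry(port, static=True)

    def learn(self, mac: str, vlan: int, port: str, now: float) -> None:
        """Source learning on frame arrival: add a new entry or update a dynamic one."""
        key = (vlan, mac)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = MacEntry(port, static=False, last_seen=now)
        elif not entry.static:
            entry.port, entry.last_seen = port, now   # refresh the existing dynamic entry
        # else: a dynamically learned address never overwrites a static entry

    def age_out(self, now: float) -> List[Tuple[int, str]]:
        """Drop dynamic entries idle longer than the aging time; return what was dropped."""
        if self.aging_time is None:
            return []
        expired = [key for key, entry in self.entries.items()
                   if not entry.static and now - entry.last_seen > self.aging_time]
        for key in expired:
            del self.entries[key]
        return expired

    def forward(self, src: str, dst: str, vlan: int, in_port: str, now: float) -> List[str]:
        """Learn the source, then return the egress ports for the frame."""
        self.learn(src, vlan, in_port, now)
        entry = self.entries.get((vlan, dst))
        if dst == BROADCAST or entry is None:
            # broadcast mode: all-Fs destination, or no matching entry, floods the VLAN
            return [port for port in self.ports if port != in_port]
        return [entry.port]                           # unicast mode


if __name__ == "__main__":
    table = MacTable(["Port 1", "Port 2"])
    print(table.forward("MAC A", "MAC C", 1, "Port 1", now=0.0))   # unknown destination
    print(table.forward("MAC C", "MAC A", 1, "Port 2", now=1.0))   # MAC A now known
    print(table.entries)
```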

Configuring a MAC address entry
1. Select Network > MAC from the navigation tree. The system automatically displays the MAC tab, which shows all the MAC address entries on the device.

Figure 96 The MAC tab

2. Click Add at the bottom to enter the page for creating MAC address entries.

Figure 97 Creating a MAC address entry

3. Configure the MAC address entry as described in Table 47.
4. Click Apply.

Table 47 Configuration items

MAC
    Set the MAC address to be added.

Type
    Set the type of the MAC address entry:
    • static: Static MAC address entries that never age out.
    • dynamic: Dynamic MAC address entries that age out.
    • blackhole: Blackhole MAC address entries that never age out.
    The tab displays the following types of MAC address entries:
    • Config static: Static MAC address entries manually configured by the users.
    • Config dynamic: Dynamic MAC address entries manually configured by the users.
    • Blackhole: Blackhole MAC address entries.
    • Learned: Dynamic MAC address entries learned by the device.
    • Other: Other types of MAC address entries.

VLAN
    Set the ID of the VLAN to which the MAC address belongs.

Port
    Set the port to which the MAC address belongs.

Setting the aging time of MAC address entries
1. Select Network > MAC from the navigation tree.
2. Click the Setup tab.
   The page for setting the MAC address entry aging time appears.

Figure 98 Setting the aging time for MAC address entries

3. Set the aging time as described in Table 48.
4. Click Apply.

Table 48 Configuration items

No-aging
    Specify that MAC address entries never age out.

Aging Time
    Set the aging time for MAC address entries.

MAC address configuration example

Network requirements
Use the MAC address table management function of the Web-based NMS. Create a static MAC address 00e0-fc35-dc71 for Bridge-Aggregation 1 in VLAN 1.

Configuration procedure
1. Create a static MAC address entry:
   a. Select Network > MAC from the navigation tree to enter the MAC tab.
   b. Click Add.
      The page shown in Figure 99 appears.
   c. Enter MAC address 00e0-fc35-dc71, select static from the Type list, select 1 from the VLAN list, and select Bridge-Aggregation1 from the Port list.
   d. Click Apply.

Figure 99 Creating a static MAC address entry

Configuring VLANs
Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. The medium is shared, so collisions and excessive broadcasts are common on an Ethernet. To address this issue, the virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 100.

Figure 100 A VLAN diagram (the figure shows a Router, Switch A, Switch B, VLAN 2, and VLAN 5)

You can implement VLANs based on a variety of criteria. However, the Web interface is available only for port-based VLANs, which group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.
For more information about VLANs, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Layer 2 Configuration Guide.

Configuration guidelines
When you configure VLANs, follow these guidelines:
• VLAN 1 is the default VLAN, which cannot be manually created or removed.
• Some VLANs are reserved for special purposes. You cannot manually create or remove them.
• Dynamic VLANs cannot be manually removed.

Recommended configuration procedure

Step 1: Creating a VLAN
    Required.

Step 2: Modifying a VLAN
Step 3: Modifying a port
    Required. Select either task.
    Configure the untagged member ports and tagged member ports of the VLAN, or remove ports from the VLAN.

Creating a VLAN
1. Select Network > VLAN from the navigation tree.
   The system automatically selects the VLAN tab and enters the page shown in Figure 101.

Figure 101 VLAN configuration page

TIP:
To easily configure a specific range of VLANs within a large number of VLANs, enter a VLAN range in the VLAN Range field and click Select; all undesired VLANs are then filtered out. If you click Remove, all VLANs within this range are deleted.

2. Click Add to enter the page for creating a VLAN.
3. On the page that appears, enter the ID of the VLAN you want to create.
4. Click Apply.

Figure 102 Creating a VLAN

Modifying a VLAN
1. Select Network > VLAN from the navigation tree.
   The system automatically selects the VLAN tab and enters the page shown in Figure 101.
2. Click the modify icon of the VLAN you want to modify to enter the page shown in Figure 103.

Figure 103 Modifying a VLAN

3. Configure the description and port members for the VLAN as described in Table 49.
4. Click Apply.

Table 49 Configuration items

ID
    Displays the ID of the VLAN to be modified.

Description
    Set the description string of the VLAN.
    By default, the description string of a VLAN is its VLAN ID, such as VLAN 0001.

Port (Untagged Member, Tagged Member, or Not a Member)
    Find the port to be modified and select the Untagged Member, Tagged Member, or Not a Member option for the port:
    • Untagged: Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
    • Tagged: Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
    • Not a Member: Removes the port from the VLAN.
    IMPORTANT:
    When you configure an access port as a tagged member of a VLAN, the link type of the port is automatically changed to hybrid.

Modifying a port
1. Select Network > VLAN from the navigation tree.
2. Click the Port tab.

Figure 104 Port configuration page

3. Click the modify icon of the port to be modified.

Figure 105 Modifying a port

4. Configure the port as described in Table 50.
5. Click Apply.

Table 50 Configuration items

Port
    Displays the port to be modified.

Untagged Member
    Displays the VLANs to which the port belongs as an untagged member.

Tagged Member
    Displays the VLANs to which the port belongs as a tagged member.

Member Type (Untagged, Tagged, or Not a Member)
    Select the Untagged, Tagged, or Not a Member option:
    • Untagged: Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
    • Tagged: Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
    • Not a Member: Removes the port from the VLAN.
    IMPORTANT:
    • You cannot configure an access port as an untagged member of a nonexistent VLAN.
    • When you configure an access port as a tagged member of a VLAN, or configure a trunk port as an untagged member of multiple VLANs in bulk, the link type of the port is automatically changed to hybrid.
    • You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing, static VLAN.

VLAN ID
    Specify the VLAN to which the port belongs.

VLAN configuration examples

Network requirements
As shown in Figure 106:
• GigabitEthernet 3/0/1 of the switch installed with an HP 10500/7500 20G unified wired-WLAN module is connected to GigabitEthernet 1/0/1 of Switch.
• Ten-GigabitEthernet 1/0/1 on both devices are access ports with VLAN 1 as their default VLAN.
• Configure Ten-GigabitEthernet 1/0/1 to permit packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.

Figure 106 Network diagram (the figure shows GE3/0/1 of the AC connected to GE1/0/1 of Switch)

Configuring the module
1. Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100:
   a. Select Network > VLAN from the navigation tree to enter the VLAN tab.
   b. Click Add.
   c. Enter VLAN IDs 2,6-50,100.
   d. Click Apply.

Figure 107 Creating a VLAN

2. Configure Ten-GigabitEthernet 1/0/1 as an untagged member of VLAN 100:
   a. Enter 100 in the VLAN Range field.
   b. Click Select to display only the information of VLAN 100.

   Figure 108 Selecting a VLAN

   c. Click the modify icon of VLAN 100.
   d. On the page that appears, select the Untagged Member option for port Ten-GigabitEthernet 1/0/1.
   e. Click Apply.

Figure 109 Modifying a VLAN

3. Configure Ten-GigabitEthernet 1/0/1 as a tagged member of VLAN 2, and VLAN 6 through VLAN 50:
   a. Select Network > VLAN from the navigation tree and then select the Port tab.
   b. Click the modify icon of port Ten-GigabitEthernet 1/0/1.
   c. On the page that appears, select the Tagged option, and enter VLAN IDs 2,6-50.

   Figure 110 Modifying a port

   d. Click Apply. A dialog box appears asking you to confirm the operation.
   e. Click OK in the dialog box.

Configuring the switch where the module resides
The configuration on the switch is similar to the configuration on the module.

Configuring Switch
The configuration on Switch is similar to the configuration on the module.
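The VLAN range syntax used in this example (2,6-50,100), the configuration guidelines, and the port membership rules of Table 50, as an added Python model that is not code from the HP guide. The port names follow the example; the assumption that an access or trunk port keeps a single untagged VLAN is the example's own, and the dynamic VLAN set is constructed to show the removal guideline.

```python
# Added example: VLAN range parsing and port membership rules (not part of the HP guide).
from typing import Dict, List, Set

DEFAULT_VLAN = 1
MAX_VLAN = 4094


def parse_vlan_range(text: str) -> List[int]:
    """Parse the "2,6-50,100" syntax of the VLAN ID field into sorted VLAN IDs."""
    ids: Set[int] = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        first = int(low)
        last = int(high) if high else first
        if not 1 <= first <= last <= MAX_VLAN:
            raise ValueError(f"invalid VLAN range {part!r}")
        ids.update(range(first, last + 1))
    return sorted(ids)


class Port:
    def __init__(self, name: str, link_type: str = "access"):
        self.name = name
        self.link_type = link_type                  # access, trunk or hybrid
        self.untagged: Set[int] = {DEFAULT_VLAN}    # every port starts in VLAN 1
        self.tagged: Set[int] = set()


class VlanSwitch:
    def __init__(self, ports: List[str]):
        self.static_vlans: Set[int] = {DEFAULT_VLAN}
        self.dynamic_vlans: Set[int] = set()        # learned VLANs: not removable by hand
        self.ports: Dict[str, Port] = {name: Port(name) for name in ports}

    def create_vlans(self, vlan_text: str) -> List[int]:
        """Create the listed VLANs; VLAN 1 is the default VLAN and is refused."""
        created = []
        for vid in parse_vlan_range(vlan_text):
            if vid == DEFAULT_VLAN:
                raise ValueError("VLAN 1 cannot be created manually")
            if vid not in self.static_vlans | self.dynamic_vlans:
                self.static_vlans.add(vid)
                created.append(vid)
        return created

    def remove_vlans(self, vlan_text: str) -> List[int]:
        """Remove static VLANs; VLAN 1 and dynamic VLANs are refused."""
        removed = []
        for vid in parse_vlan_range(vlan_text):
            if vid == DEFAULT_VLAN or vid in self.dynamic_vlans:
                raise ValueError(f"VLAN {vid} cannot be removed manually")
            if vid in self.static_vlans:
                self.static_vlans.discard(vid)
                removed.append(vid)
                for port in self.ports.values():   # drop the VLAN from all member ports
                    port.untagged.discard(vid)
                    port.tagged.discard(vid)
        return removed

    def set_membership(self, port_name: str, vlan_text: str, member_type: str) -> Port:
        """Apply Untagged, Tagged or Not a Member for the listed VLANs (Table 50 rules)."""
        port = self.ports[port_name]
        vids = parse_vlan_range(vlan_text)
        if member_type == "not_a_member":
            port.untagged.difference_update(vids)
            port.tagged.difference_update(vids)
            return port
        if member_type not in ("untagged", "tagged"):
            raise ValueError(f"unknown member type {member_type!r}")
        missing = [vid for vid in vids if vid not in self.static_vlans]
        if missing and (port.link_type == "hybrid" or
                        (port.link_type == "access" and member_type == "untagged")):
            raise ValueError(f"{port.link_type} port cannot join VLAN(s) {missing}")
        if port.link_type == "access" and member_type == "tagged":
            port.link_type = "hybrid"           # access port as tagged member: now hybrid
        elif port.link_type == "trunk" and member_type == "untagged" and len(vids) > 1:
            port.link_type = "hybrid"           # trunk port untagged in bulk: now hybrid
        if member_type == "tagged":
            port.tagged.update(vids)
            port.untagged.difference_update(vids)
        elif port.link_type == "hybrid":
            port.untagged.update(vids)
            port.tagged.difference_update(vids)
        else:
            # assumption of this example: an access or trunk port has one untagged VLAN
            if len(vids) != 1:
                raise ValueError("an access or trunk port takes exactly one untagged VLAN")
            port.untagged = set(vids)
        return port


def is_rejected(action, *args) -> bool:   # True if the switch refuses the operation
    try:
        action(*args)
    except ValueError:
        return True
    return False
```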

Configuring ARP
Overview
Introduction to ARP
The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or
physical address).
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
For more information about ARP, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP
10500/7500 20G Unified Wired-WLAN Module Layer 3 Configuration Guide.

Introduction to gratuitous ARP


Gratuitous ARP packets
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the
sending device, the sender MAC address is the MAC address of the sending device, and the target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used,
the device will be informed of the conflict by an ARP reply.
• Inform other devices of the change of its MAC address.

Learning of gratuitous ARP packets


With this feature enabled, a device, upon receiving a gratuitous ARP packet, adds an ARP entry that
contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry
exists, the device updates the ARP entry.
With this feature disabled, the device uses the received gratuitous ARP packets to update existing ARP
entries, but not to create new ARP entries.
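The frame layout and the two learning policies above, as an added Python example (this is not code from the HP guide or from the device). The MAC and IP addresses are constructed for the demo, and the builder follows the page's convention of a broadcast target MAC.

```python
# Added example (not from the HP guide): build and parse a gratuitous ARP frame
# and apply the two learning policies described above. Frame layout is RFC 826
# Ethernet/IPv4 ARP; the sample addresses are constructed for the demo.
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_gratuitous_arp(sender_mac, sender_ip):
    """Ethernet frame carrying a gratuitous ARP request (opcode 1).

    Sender IP and target IP are both the sender's own address; the Ethernet
    destination and the ARP target MAC are broadcast, as the guide describes.
    """
    eth_header = BROADCAST + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # Ethernet, IPv4, hlen 6, plen 4, request
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)  # sender hardware / protocol address
    arp += BROADCAST + ip_bytes(sender_ip)              # target hardware / protocol address
    return eth_header + arp


def parse_arp(frame):
    """Split an Ethernet/ARP frame into its fields; rejects non-ARP or non-IPv4 frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    hw_type, proto_type, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "opcode": opcode,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender itself: sender IP equals target IP."""
    return arp["sender_ip"] == arp["target_ip"]


class ArpTable:
    """Minimal ARP cache implementing the 'learning of gratuitous ARP packets' switch."""

    def __init__(self, learn_gratuitous=True):
        self.learn_gratuitous = learn_gratuitous   # the Web page toggle, enabled by default
        self.entries = {}                          # ip -> mac

    def receive_gratuitous(self, frame):
        """Returns what the cache did with the frame: added, updated, dropped or ignored."""
        arp = parse_arp(frame)
        if not is_gratuitous(arp):
            return "ignored"                       # ordinary requests/replies are out of scope
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in self.entries:
            self.entries[ip] = mac                 # existing entries are updated in both modes
            return "updated"
        if self.learn_gratuitous:
            self.entries[ip] = mac                 # new entry only when learning is enabled
            return "added"
        return "dropped"
```

The practical point of the two modes: disabling learning stops an unsolicited announcement from planting a new IP-to-MAC mapping, but an existing dynamic entry (for example the gateway's) is still overwritten by whoever broadcasts last. Pinning a mapping needs a static ARP entry (next section) or ARP detection (next chapter).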

Displaying ARP entries


Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown
in Figure 111. All ARP entries are displayed on the page.


Figure 111 Displaying ARP entries

Creating a static ARP entry


1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page
shown in Figure 111.
2. Click Add.
The New Static ARP Entry page appears.
Figure 112 Adding a static ARP entry
3. Configure the static ARP entry as described in Table 51.
4. Click Apply.


Table 51 Configuration items
IP Address: Enter an IP address for the static ARP entry.
MAC Address: Enter a MAC address for the static ARP entry.
Advanced Options (VLAN ID, Port): Enter a VLAN ID and specify a port for the static ARP entry. The
VLAN ID must be the ID of a VLAN that has already been created, the port must belong to that VLAN,
and the corresponding VLAN interface must have been created.

Removing ARP entries


1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page
shown in Figure 111.
2. Remove ARP entries:
• To remove specific ARP entries, select the target ARP entries, and click Del Selected.
• To remove all static and dynamic ARP entries, click Delete Static and Dynamic.
• To remove all static ARP entries, click Delete Static.
• To remove all dynamic ARP entries, click Delete Dynamic.

Configuring gratuitous ARP


1. Select Network > ARP Management from the navigation tree.
2. Click the Gratuitous ARP tab.
Figure 113 Configuring gratuitous ARP
3. Configure gratuitous ARP as described in Table 52.
Table 52 Configuration items
Disable gratuitous ARP packets learning function: Disable learning of ARP entries according to
gratuitous ARP packets. The learning function is enabled by default.
Send gratuitous ARP packets when receiving ARP requests from another network segment: Enable the
device to send gratuitous ARP packets when it receives ARP requests from another network segment.
Disabled by default.

Static ARP configuration example


Network requirements
To protect communication between the AC and the router against ARP spoofing, configure a static ARP
entry for the router on the AC. A static entry is not updated by received ARP packets, so the router's
IP-to-MAC mapping cannot be overwritten by a forged reply or gratuitous ARP.
Figure 114 Network diagram

Configuration procedure
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the default VLAN page.
b. Click Add.
c. Enter 100 for VLAN ID.
d. Click Apply.

Figure 115 Creating VLAN 100

2. Add Ten-GigabitEthernet 1/0/1 to VLAN 100:
a. On the VLAN page, click the icon of VLAN 100.
b. Select the Untagged Member option for Ten-GigabitEthernet 1/0/1.
c. Click Apply.


Figure 116 Adding Ten-GigabitEthernet 1/0/1 to VLAN 100

3. Configure VLAN-interface 100:
a. Select Device > Interface from the navigation tree.
b. Click Add.
c. On the page that appears, select Vlan-interface from the Interface Name list, enter 100, select
the Static Address option for IP Config, enter 192.168.1.2 for IP Address, and select 24
(255.255.255.0) for Mask.
d. Click Apply.


Figure 117 Configuring VLAN-interface 100

4. Create a static ARP entry:
a. Select Network > ARP Management from the navigation tree to enter the default ARP Table
page.
b. Click Add.
c. On the page that appears, enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC
Address, select the Advanced Options option, enter 100 for VLAN ID, and select
Ten-GigabitEthernet 1/0/1 from the Port list.
d. Click Apply.


Figure 118 Creating a static ARP entry


Configuring ARP attack protection


Although ARP is easy to implement, it does not provide any security mechanism and is prone to network
attacks and viruses, which threaten LAN security. This chapter describes features that a device can use to
detect and prevent attacks.

ARP detection
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to
prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
• User validity check: The device compares the sender IP and MAC addresses of a received ARP
packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security
entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.
• ARP packet validity check: The device does not check ARP packets received from an ARP trusted
port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet
based on source MAC address, destination MAC address, or source and destination IP addresses.
ARP packets that fail the check are discarded.

For more information about ARP detection, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP
10500/7500 20G Unified Wired-WLAN Module Security Configuration Guide.

Source MAC address based ARP attack detection


This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If
the number of ARP packets from a MAC address exceeds the specified threshold within 5 seconds, the
device considers this an attack and adds the MAC address to the attack detection table. Before the attack
detection entry is aged out, the device generates a log message when it receives an ARP packet sourced
from that MAC address and filters out subsequent ARP packets from that MAC address (in filter mode),
or only generates a log message upon receiving an ARP packet sourced from that MAC address (in
monitor mode).
A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from
being discarded, you can specify the MAC address of the gateway or server as a protected MAC
address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
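The mechanism just described (a five-second per-MAC count, an attack table whose entries age out, filter versus monitor mode, and protected MAC addresses), as an added Python example. This is not code from the HP guide or the device; the threshold and aging time are parameters whose demo values are chosen here, not the device defaults.

```python
# Added example (not from the HP guide): source MAC address based ARP attack
# detection as described above and in Table 54: a 5-second sliding window per
# source MAC, an attack table whose entries age out, filter and monitor modes,
# and protected MAC addresses. Threshold and aging time are parameters here; the
# values used in the demo are chosen for illustration, not taken from the device.
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0


class SourceMacArpDetector:
    def __init__(self, mode="filter", threshold=30, aging_time=300.0, protected=()):
        if mode not in ("disable", "filter", "monitor"):
            raise ValueError("mode must be disable, filter or monitor")
        self.mode = mode
        self.threshold = threshold            # ARP packets per 5 s before a MAC is flagged
        self.aging_time = aging_time          # seconds an attack table entry lives
        self.protected = {m.lower() for m in protected}
        self.hits = defaultdict(deque)        # mac -> timestamps within the window
        self.attack_table = {}                # mac -> expiry timestamp
        self.log = []                         # (timestamp, mac) log messages

    def receive(self, src_mac, now):
        """Decision ('forward' or 'drop') for one ARP packet reaching the CPU at time now."""
        mac = src_mac.lower()
        if self.mode == "disable" or mac in self.protected:
            return "forward"                  # protected MACs are never counted or filtered
        expiry = self.attack_table.get(mac)
        if expiry is not None and expiry <= now:
            del self.attack_table[mac]        # entry aged out: start counting afresh
            self.hits[mac].clear()
        window = self.hits[mac]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # keep only the last five seconds
        if mac not in self.attack_table and len(window) > self.threshold:
            self.attack_table[mac] = now + self.aging_time
        if mac in self.attack_table:
            self.log.append((now, mac))       # a log message per packet while the entry lives
            return "drop" if self.mode == "filter" else "forward"
        return "forward"
```

Monitor mode is the safe way to pick a threshold: run it first, watch which MACs land in the log, add the gateway and servers that legitimately exceed it as protected addresses, and only then switch to filter mode.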

ARP active acknowledgement


The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP
packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid
generating any incorrect ARP entry.


ARP packet source MAC address consistency check


This feature enables a gateway device to filter out ARP packets with the source MAC address in the
Ethernet header different from the sender MAC address in the ARP message, so that the gateway device
can learn correct ARP entries.

Configuring ARP detection


IMPORTANT:
If both the ARP detection based on specified objects and the ARP detection based on static IP Source
Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses are
enabled, the ARP detection based on specified objects applies first, and then the ARP detection based on
static IP Source Guard binding entries applies.
1. Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page
shown in Figure 119.
Figure 119 ARP Detection configuration page
2. Configure ARP detection as described in Table 53.
3. Click Apply.

Table 53 Configuration items
VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled
VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the << button.
To remove VLANs from the Enabled VLANs list box, select one or multiple VLANs from the list box and
click the >> button.
Trusted Ports: Select trusted ports and untrusted ports. To add ports to the Trusted Ports list box, select
one or multiple ports from the Untrusted Ports list box and click the << button. To remove ports from the
Trusted Ports list box, select one or multiple ports from the list box and click the >> button.
ARP Packet Validity Check: Select the ARP packet validity check modes:
• Discard the ARP packet whose sender MAC address is different from the source MAC address in the
Ethernet header.
• Discard the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with the destination
MAC address in the Ethernet header.
• Discard the ARP request whose source IP address is all 0s, all 1s, or a multicast address, and discard
the ARP reply whose source and destination IP addresses are all 0s, all 1s, or multicast addresses.
ARP packet validity check takes precedence over user validity check. If none of the ARP packet validity
check modes are selected, the system does not check the validity of ARP packets.
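The detection pipeline of Table 53 (trusted ports bypass, then packet validity check, then user validity check against binding entries), as an added Python example. This is not code from the HP guide or the device. The binding dictionary stands in for the IP source guard, DHCP snooping and 802.1X entries the device consults, the packets are constructed for the demo, and one reading is an assumption: the target-MAC mode is applied to ARP replies only, because an ARP request legitimately carries an all-zero target MAC.

```python
# Added example (not from the HP guide): the ARP detection pipeline of Table 53.
# Bindings stand in for the IP source guard / DHCP snooping / 802.1X entries the
# device would consult; the packets are constructed for the demo.
# Assumption: the target-MAC mode is applied to ARP replies only, since a request
# legitimately carries an all-zero target MAC.
from dataclasses import dataclass, field

ALL_ZERO = "00:00:00:00:00:00"
ALL_ONE = "ff:ff:ff:ff:ff:ff"
OP_REQUEST, OP_REPLY = 1, 2


@dataclass
class ArpPacket:
    in_port: str
    vlan: int
    eth_src: str
    eth_dst: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def bogus_ip(ip):
    """All 0s, all 1s or multicast (224.0.0.0/4), as listed in Table 53."""
    first_octet = int(ip.split(".")[0])
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= first_octet <= 239


@dataclass
class ArpDetection:
    enabled_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    # (vlan, sender_ip) -> (mac, port); populated from DHCP snooping or static bindings
    bindings: dict = field(default_factory=dict)
    check_src_mac: bool = False   # sender MAC must equal the Ethernet source MAC
    check_dst_mac: bool = False   # reply target MAC must be unicast and equal the Ethernet destination
    check_ip: bool = False        # no all-0 / all-1 / multicast IP addresses

    def packet_validity_check(self, p):
        """Returns a drop reason, or None if the packet passes the selected modes."""
        if self.check_src_mac and p.sender_mac != p.eth_src:
            return "drop: sender MAC differs from Ethernet source MAC"
        if self.check_dst_mac and p.opcode == OP_REPLY and (
            p.target_mac in (ALL_ZERO, ALL_ONE) or p.target_mac != p.eth_dst
        ):
            return "drop: invalid target MAC in ARP reply"
        if self.check_ip:
            if p.opcode == OP_REQUEST and bogus_ip(p.sender_ip):
                return "drop: invalid sender IP in ARP request"
            if p.opcode == OP_REPLY and (bogus_ip(p.sender_ip) or bogus_ip(p.target_ip)):
                return "drop: invalid sender or target IP in ARP reply"
        return None

    def user_validity_check(self, p):
        """Sender IP, MAC and ingress port must match a binding learned for this VLAN."""
        if self.bindings.get((p.vlan, p.sender_ip)) != (p.sender_mac, p.in_port):
            return "drop: sender does not match any binding entry"
        return None

    def inspect(self, p):
        """Decision for one ARP packet: 'forward' or a drop reason."""
        if p.vlan not in self.enabled_vlans or p.in_port in self.trusted_ports:
            return "forward"                       # detection off, or an ARP trusted port
        # Packet validity check runs first, then user validity check (Table 53).
        return self.packet_validity_check(p) or self.user_validity_check(p) or "forward"
```

Note what the trusted-port bypass implies: a gateway spoof that arrives on the uplink is forwarded untouched, so mark only the port towards the real gateway (or DHCP server) as trusted and leave every client-facing port untrusted.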

Configuring other ARP attack protection functions


Other ARP attack protection functions include source MAC address-based ARP attack detection, ARP
active acknowledgement, and ARP packet source address consistency check.
1. Select Network > ARP Anti-Attack from the navigation tree.
2. Click the Advanced Configuration tab.
Figure 120 Advanced Configuration page
3. Configure ARP attack protection parameters as described in Table 54.
4. Click Apply.


Table 54 Configuration items
Source MAC Address Attack Detection, Detection Mode: Select the detection mode for source MAC
address based ARP attack detection:
• Disable: Source MAC address attack detection is disabled.
• Filter Mode: The device generates an alarm and filters out ARP packets sourced from a MAC address
if the number of ARP packets received from the MAC address within five seconds exceeds the specified
value.
• Monitor Mode: The device only generates an alarm if the number of ARP packets sent from a MAC
address within five seconds exceeds the specified value.
Source MAC Address Attack Detection, Aging Time: Enter the aging time of the source MAC address
based ARP attack detection entries.
Source MAC Address Attack Detection, Threshold: Enter the threshold of source MAC address based
ARP attack detection.
Source MAC Address Attack Detection, Protected MAC Configuration: To add a protected MAC address:
1. Expand Protected MAC Configuration to display information, as shown in Figure 121.
2. Enter a MAC address.
3. Click Add.
A protected MAC address is excluded from ARP attack detection even if it is an attacker. You can specify
certain MAC addresses as protected MAC addresses, for example, a gateway or a specific server.
Enable ARP Packet Active Acknowledgement: Enable or disable ARP packet active acknowledgement.
Enable Source MAC Address Consistency Check: Enable or disable source MAC address consistency
check.

Figure 121 Protected MAC configuration


Configuring IGMP snooping


Overview
Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs
on Layer 2 devices to manage and control multicast groups.
By analyzing received IGMP messages, a Layer 2 device that is running IGMP snooping establishes
mappings between ports and multicast MAC addresses and forwards multicast data based on these
mappings.
As shown in Figure 122, when IGMP snooping is not running on the switch, multicast packets are flooded
to all devices at Layer 2. However, when IGMP snooping is running on the switch, multicast packets for
known multicast groups are multicast to the receivers at Layer 2, rather than broadcast to all hosts.
Figure 122 Multicast forwarding before and after IGMP snooping runs

IGMP snooping sends Layer 2 multicast packets to the intended receivers only. This mechanism provides
the following advantages:
• Reduces Layer 2 broadcast packets and saves network bandwidth.
• Enhances the security of multicast packets.
• Facilitates the implementation of accounting for each host.

For more information about IGMP snooping, see HP 830 Series PoE+ Unified Wired-WLAN Switch and
HP 10500/7500 20G Unified Wired-WLAN Module IP Multicast Configuration Guide.


Recommended configuration procedure
1. Enabling IGMP snooping globally
Required. By default, IGMP snooping is disabled.
2. Configuring IGMP snooping on a VLAN
Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier
feature. By default, IGMP snooping is disabled in a VLAN.
IMPORTANT:
• IGMP snooping must be enabled globally before it can be enabled in a VLAN.
• When you enable IGMP snooping in a VLAN, this function takes effect for ports in this VLAN only.
3. Configuring IGMP snooping on a port
Optional. Configure the maximum number of multicast groups allowed and the fast leave function for
ports in the specified VLAN.
IMPORTANT:
• Multicast routing or IGMP snooping must be enabled globally before IGMP snooping can be enabled
on a port.
• IGMP snooping configured on a port takes effect only after IGMP snooping is enabled in the VLAN or
IGMP is enabled on the VLAN interface.
4. Displaying IGMP snooping multicast entry information
Optional.

Enabling IGMP snooping globally


1. Select Network > IGMP snooping from the navigation tree.
2. Select Enable, and click Apply.


Figure 123 Basic IGMP snooping configurations

Configuring IGMP snooping on a VLAN


1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 123.
2. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP
snooping in the VLAN, as shown in Figure 124.


Figure 124 Configuring IGMP snooping in the VLAN

3. Configure IGMP snooping as described in Table 55.
4. Click Apply.

Table 55 Configuration items
VLAN ID: This field displays the ID of the VLAN to be configured.
IGMP snooping: Enable or disable IGMP snooping in the VLAN. You can proceed with the subsequent
configurations only if Enable is selected.
Version: By configuring an IGMP snooping version, you configure the versions of IGMP messages that
IGMP snooping can process.
• IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages, but not IGMPv3 messages,
which will be flooded in the VLAN.
• IGMP snooping version 3 can process IGMPv1, IGMPv2, and IGMPv3 messages.
Drop Unknown: Enable or disable the function of dropping unknown multicast packets. Unknown
multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table.
• With the function of dropping unknown multicast data enabled, the device drops all the received
unknown multicast data.
• With the function of dropping unknown multicast data disabled, the device floods unknown multicast
data in the VLAN to which the unknown multicast data belong.
Querier: Enable or disable the IGMP snooping querier function. On a network without Layer 3 multicast
devices, no IGMP querier-related function can be implemented because a Layer 2 device does not
support IGMP. To implement IGMP querier-related functions, you can enable IGMP snooping querier on
a Layer 2 device so that the device can generate and maintain multicast forwarding entries at the data
link layer.
Query interval: Configure the IGMP query interval.
General Query Source IP: Source IP address of IGMP general queries.
Special Query Source IP: Source IP address of IGMP group-specific queries.

Configuring IGMP snooping on a port


1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the Advanced tab.
Figure 125 Advanced configuration
3. Configure IGMP snooping on a port as described in Table 56.
4. Click Apply.

Table 56 Configuration items
Port: Select the port on which advanced IGMP snooping features are to be configured. After a port is
selected, the advanced features configured on this port are displayed at the lower part of the page.
VLAN ID: Specify a VLAN in which you can configure the fast leave function for the port or the
maximum number of multicast groups allowed on the port.
Group Limit: Configure the maximum number of multicast groups that the port can join. With this
feature, you can regulate multicast traffic on the port.
IMPORTANT:
• When the number of multicast groups a port has joined reaches the configured threshold, the system
deletes all the forwarding entries for that port from the IGMP snooping forwarding table, and the hosts
on the port must join the multicast groups again.
• Support for the maximum number of multicast groups that a port can join may vary depending on
your device model. For more information, see "About the HP 830 Series PoE+ Unified Wired-WLAN
Switch and HP 10500/7500 20G Unified Wired-WLAN Module Web-Based Configuration Guide."
Fast Leave: Enable or disable the fast leave function for the port. When receiving an IGMP leave
message on a port with the fast leave function enabled, the device immediately deletes that port from the
outgoing port list of the corresponding forwarding table entry. Then, when receiving IGMP group-specific
queries for that multicast group, the device will not forward them to that port. In VLANs where only one
host is attached to each port, the fast leave function helps improve bandwidth and resource usage.
IMPORTANT:
When one host leaves a multicast group with fast leave enabled for a port to which more than one host is
attached, the other hosts listening to the same multicast group will fail to receive multicast data.
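The forwarding behaviour that Tables 55 and 56 describe (snooping version, Drop Unknown, Group Limit and Fast Leave), as an added Python example of one VLAN's snooping state. This is not code from the HP guide or the device; port names are plain strings, timers, the querier and router-port learning are not modelled, and the group-limit flush follows the IMPORTANT note literally.

```python
# Added example (not from the HP guide): IGMP snooping forwarding decisions for
# one VLAN, modelling the behaviour described in Tables 55 and 56 (snooping
# version, Drop Unknown, Group Limit and Fast Leave). Ports are plain strings;
# timers, the querier and router-port learning are not modelled.
from collections import defaultdict


class IgmpSnoopingVlan:
    def __init__(self, vlan_id, ports, version=2, drop_unknown=False):
        self.vlan_id = vlan_id
        self.ports = set(ports)
        self.enabled = True
        self.version = version            # 2: IGMPv1/v2 reports; 3: also IGMPv3
        self.drop_unknown = drop_unknown
        self.router_ports = set()         # ports towards the IGMP querier / multicast router
        self.members = defaultdict(set)   # group -> member ports
        self.fast_leave = set()           # ports with fast leave enabled
        self.group_limit = {}             # port -> maximum number of groups
        self.pending_query = set()        # (port, group) waiting on a group-specific query

    def groups_of(self, port):
        return {group for group, ports in self.members.items() if port in ports}

    def report(self, port, group, igmp_version=2):
        """Membership report received on port."""
        if not self.enabled:
            return "flooded"              # snooping off: the report is just flooded
        if igmp_version > self.version:
            return "flooded"              # e.g. an IGMPv3 report on a version-2 snooper
        self.members[group].add(port)
        self.pending_query.discard((port, group))
        limit = self.group_limit.get(port)
        if limit is not None and len(self.groups_of(port)) >= limit:
            # Table 56: on reaching the limit all entries for the port are deleted
            for ports in self.members.values():
                ports.discard(port)
            return "limit reached: port entries flushed"
        return "member added"

    def leave(self, port, group):
        """Leave message received on port."""
        if port not in self.members.get(group, set()):
            return "ignored"
        if port in self.fast_leave:
            self.members[group].discard(port)
            return "removed immediately"
        self.pending_query.add((port, group))     # other hosts on the port may still listen
        return "group-specific query sent"

    def forward(self, in_port, group):
        """Egress ports for multicast data to group arriving on in_port."""
        if not self.enabled:
            return self.ports - {in_port}          # no snooping: flood at Layer 2
        member_ports = self.members.get(group, set())
        if member_ports:
            return (member_ports | self.router_ports) - {in_port}
        if self.drop_unknown:
            return set()                           # unknown multicast data is dropped
        return self.ports - {in_port}              # unknown multicast data is flooded
```

Two things the model makes visible: with Drop Unknown off, any host can make the device flood arbitrary multicast into the VLAN, and a version-2 snooper floods IGMPv3 reports rather than learning from them, so the configured version should match what the hosts actually send.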

Displaying IGMP snooping multicast entry information
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 123.
2. Click the plus sign (+) in front of Show Entries to display IGMP snooping multicast entries, as shown
in Figure 126.
Figure 126 Displaying entry information
3. Click the icon corresponding to an entry to display the detailed information of the entry, as
shown in Figure 127.


Figure 127 Detailed information of an entry

Table 57 Field description
VLAN ID: ID of the VLAN to which the entry belongs.
Source: Multicast source address, where 0.0.0.0 indicates all multicast sources.
Group: Multicast group address.
Router port: All router ports.
Member port: All member ports.

IGMP snooping configuration examples


Network requirements
• As shown in Figure 128, a switch is installed with an HP 10500/7500 20G unified wired-WLAN
module to serve as an AC. Router A connects to a multicast source (Source) through Ethernet 1/2,
and to the switch through Ethernet 1/1.
• The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast
group.
• IGMPv2 runs on Router A and IGMP snooping version 2 runs on AC.
• The function of dropping unknown multicast packets is enabled on AC to prevent AC from flooding
multicast packets in the VLAN if no corresponding Layer 2 forwarding entry exists.
• The fast leave function is enabled for Ten-GigabitEthernet 1/0/1 on the AC to improve bandwidth
and resource usage.

Figure 128 Network diagram

Configuring IP addresses
Configure the IP address for each interface, as shown in Figure 128. (Details not shown.)

Configuring Router A
Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1.
(Details not shown.)

Configuring the AC
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the VLAN displaying page.
b. Click Add.
c. Enter the VLAN ID 100.
d. Click Apply.
Figure 129 Creating VLAN 100
2. Configure Ten-GigabitEthernet 1/0/1 as an untagged member of VLAN 100:
a. Click the icon of VLAN 100 to enter its configuration page.
b. Select the Untagged Member option for Ten-GigabitEthernet 1/0/1, as shown in Figure 130.
c. Click Apply.
Figure 130 Adding a port to the VLAN
3. Enable IGMP snooping globally:
a. Select Network > IGMP snooping from the navigation tree to enter the basic configuration
page.
b. Select the Enable option for IGMP Snooping.
c. Click Apply.
Figure 131 Enabling IGMP snooping globally
4. Enable IGMP snooping and the function for dropping unknown multicast data on VLAN 100:
a. Click the icon corresponding to VLAN 100.
b. On the page that appears, select the Enable option for IGMP Snooping, select the 2 option for
Version, and select the Enable option for Drop Unknown.
c. Click Apply.
Figure 132 Configuring the VLAN
5. Enable the fast leave function for Ten-GigabitEthernet 1/0/1:
a. Click the Advanced tab.
b. Select Ten-GigabitEthernet 1/0/1 from the Port list, enter the VLAN ID 100, and select the Enable
option for Fast Leave.
c. Click Apply.
Figure 133 Configuring advanced settings

Configuring the switch


Configure GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 as the untagged members of VLAN 100
on the switch. (Details not shown.)

Verifying the configuration


Display the IGMP snooping multicast entry information on AC.
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the plus sign (+) in front of Show Entries to view IGMP snooping multicast entries, as shown
in Figure 134.
Figure 134 IGMP snooping multicast entry information displaying page
3. Click the icon corresponding to the multicast entry to view information about this entry, as
shown in Figure 135. The page shows that Ten-GigabitEthernet 1/0/1 of AC is added to multicast
group 224.1.1.1.


Figure 135 Information about an IGMP snooping multicast entry


Configuring IPv4 and IPv6 routing


The term router in this document refers to routers, access controllers, unified switches, and access
controller modules.

Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it forwards the
packet to the destination host. Routing provides the path information that guides the forwarding of
packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
Static routes are manually configured. If a network's topology is simple, you only need to configure static
routes for the network to work correctly. Static routes cannot adapt to network topology changes. If a fault
or a topological change occurs in the network, the network administrator must modify the static routes
manually.
For more information about routing table and static routing, see HP 830 Series PoE+ Unified
Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Layer 3 Configuration
Guide.

Configuration guidelines
When you configure a static route, follow these guidelines:
1. If you do not specify the preference when you configure a static route, the default preference is
used. Reconfiguration of the default preference applies only to newly created static routes. The
Web interface does not support configuration of the default preference.
2. When you configure a static route, the static route does not take effect if you specify the next hop
address first and then configure it as the IP address of a local interface, such as an Ethernet
interface or VLAN interface.
3. When specifying the output interface, note the following guidelines:
• If NULL 0 or a loopback interface is specified as the output interface, you do not need to
configure the next hop address.
• If a point-to-point interface is specified as the output interface, you do not need to specify the
next hop or change the configuration after the peer address has changed. For example, a PPP
interface obtains the peer's IP address through PPP negotiation, and you only need to specify it
as the output interface.
• If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint
networks, the IP address-to-link layer address mapping must be established. Therefore, HP
recommends that you specify the next hop IP address when you configure it as the output
interface.
• If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or
VLAN interface) as the output interface, which may have multiple next hops, you must specify
the next hop at the same time.

Displaying the IPv4 active route table


Select Network > IPv4 Routing from the navigation tree to enter the page shown in Figure 136.
Figure 136 IPv4 active route table

Table 58 Field description
Destination IP Address, Mask: Destination IP address and subnet mask of the IPv4 route.
Protocol: Protocol that discovered the IPv4 route.
Preference: Preference value for the IPv4 route. The smaller the number, the higher the preference.
Next Hop: Next hop IP address of the IPv4 route.
Interface: Outgoing interface of the IPv4 route. Packets destined for the specified network segment will
be sent out of the interface.

Creating an IPv4 static route


1. Select Network > IPv4 Routing from the navigation tree.
2. Click the Create tab.


Figure 137 Creating an IPv4 static route

3. Specify relevant information as described in Table 59.
4. Click Apply.

Table 59 Configuration items
Destination IP Address: Enter the destination host or network IP address, in dotted decimal notation.
Mask: Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted
decimal notation.
Preference: Set a preference value for the static route. The smaller the number, the higher the
preference. For example, specifying the same preference for multiple static routes to the same
destination enables load sharing on the routes, while specifying different preferences enables route
backup.
Next Hop: Enter the next hop IP address in dotted decimal notation.
Interface: Select the outgoing interface. You can select any available Layer 3 interface of the device, for
example, a virtual interface. If you select NULL 0, packets to the destination are discarded (the
destination is treated as unreachable). If you select NULL 0, leave the Next Hop field blank; otherwise,
your configuration does not take effect.

Displaying the IPv6 active route table


Select Network > IPv6 Routing from the navigation tree to enter the page shown in Figure 138.


Figure 138 Displaying the IPv6 active route table

Table 60 Field description
Destination IP Address, Prefix Length: Destination IP address and prefix length of the IPv6 route.
Protocol: Protocol that discovered the IPv6 route.
Preference: Preference value for the IPv6 route. The smaller the number, the higher the preference.
Next Hop: Next hop IP address of the IPv6 route.
Interface: Outgoing interface of the IPv6 route. Packets destined for the specified network segment will
be sent out of the interface.

Creating an IPv6 static route


1. Select Network > IPv6 Routing from the navigation tree.
2. Click the Create tab.


Figure 139 Creating an IPv6 static route

3. Specify relevant information as described in Table 61.
4. Click Apply.

Table 61 Configuration items
Destination IP Address: Enter the destination host or network IP address, in the X:X::X:X format. The
128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:). Each
part is represented by a 4-digit hexadecimal integer.
Prefix Length: Enter the prefix length of the destination IPv6 address.
Preference: Set a preference value for the static route. The smaller the number, the higher the
preference. For example, specifying the same preference for multiple static routes to the same
destination enables load sharing on the routes, while specifying different preferences for them enables
route backup.
Next Hop: Enter the next hop address, in the same format as the destination IP address.
Interface: Select the outgoing interface. You can select any available Layer 3 interface of the device, for
example, a virtual interface. If you select NULL 0, packets to the destination IPv6 address are discarded
(the destination is treated as unreachable).

IPv4 static route configuration example


Network requirements
The IP addresses of devices are shown in Figure 140. IPv4 static routes must be configured on Switch A,
Switch B and AC for Host A and Host B to communicate with each other.


Figure 140 Network diagram

Configuration outlines
1. On Switch A, configure a default route with Switch B as the next hop.
2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3. On AC, configure a default route with Switch B as the next hop.
Configuration procedure
1. Configure a default route with the next hop address 1.1.4.2 on Switch A.
2. Configure two static routes on Switch B: one with destination address 1.1.2.0/24 and next hop
address 1.1.4.1, and the other with destination address 1.1.3.0/24 and next hop address
1.1.5.6.
3. Configure a default route on AC:
a. Select Network > IPv4 Routing from the navigation tree.
b. Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 141.
c. Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.5.5 for Next Hop.
d. Click Apply.

Figure 141 Configuring a default route


Verifying the configuration


1. Display the route table:
Enter the IPv4 route page of Switch A, Switch B, and AC, respectively, to verify that the newly
configured static routes are displayed as active routes on the page.
2. Ping Host B from Host A (assuming both hosts run Windows XP):
C:\Documents and Settings\Administrator>ping 1.1.3.2

Pinging 1.1.3.2 with 32 bytes of data:


Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128

Ping statistics for 1.1.3.2:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
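Route selection with the preference semantics of Table 59 (longest prefix first, then lowest preference, equal preferences share load, a NULL 0 route discards), populated with Switch B's and the AC's routes from the example above, as an added Python example. This is not code from the HP guide or the device. Because ipaddress handles both address families, the same table also serves the IPv6 example that follows; the default preference value of 60 is an assumption, since the page does not state it.

```python
# Added example (not from the HP guide): static route selection with the
# preference semantics of Table 59, populated with the routes of the IPv4
# example above. ipaddress handles IPv4 and IPv6 alike, so the IPv6 example's
# routes fit the same table. The default preference of 60 is an assumption;
# the Web interface does not expose it.
import ipaddress
from dataclasses import dataclass

DEFAULT_PREFERENCE = 60  # assumed default, not stated on this page


@dataclass(frozen=True)
class StaticRoute:
    destination: str            # e.g. "1.1.2.0/24", "0.0.0.0/0" or "3::/64"
    next_hop: str = ""          # empty for NULL 0 (no next hop is configured)
    interface: str = ""         # e.g. "NULL0"
    preference: int = DEFAULT_PREFERENCE

    @property
    def network(self):
        return ipaddress.ip_network(self.destination, strict=False)


class RoutingTable:
    def __init__(self, *routes):
        self.routes = list(routes)

    def add(self, route):
        self.routes.append(route)

    def active_routes(self, destination):
        """Longest prefix match, then lowest preference; equal preference -> all (load sharing)."""
        address = ipaddress.ip_address(destination)
        matching = [r for r in self.routes if address in r.network]
        if not matching:
            return []
        longest = max(r.network.prefixlen for r in matching)
        same_prefix = [r for r in matching if r.network.prefixlen == longest]
        best = min(r.preference for r in same_prefix)
        return [r for r in same_prefix if r.preference == best]

    def next_hops(self, destination):
        """Next hops a packet may take, 'discard' for a NULL 0 route, or None if unroutable."""
        routes = self.active_routes(destination)
        if not routes:
            return None
        if any(r.interface == "NULL0" for r in routes):
            return "discard"
        return sorted(r.next_hop for r in routes)


# Switch B and AC as configured in the IPv4 example above
switch_b = RoutingTable(StaticRoute("1.1.2.0/24", "1.1.4.1"),
                        StaticRoute("1.1.3.0/24", "1.1.5.6"))
ac = RoutingTable(StaticRoute("0.0.0.0/0", "1.1.5.5"))
```

The backup case is worth trying by hand: two routes to the same prefix with different preferences leave only the lower value active, and, as the guidelines above note, a static route never withdraws itself when its next hop goes away, so the backup only takes over if the primary is removed.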

IPv6 static route configuration example


Network requirements
The IP addresses of devices are shown in Figure 142. IPv6 static routes must be configured on Switch A,
Switch B and AC for Host A and Host B to communicate with each other.
Figure 142 Network diagram
(Addresses in the diagram: Host A 1::2/64 and Switch A Vlan-int100 1::1/64; Switch A Vlan-int200
4::1/64 and Switch B Vlan-int200 4::2/64; Switch B Vlan-int300 5::2/64 and AC Vlan-int300 5::1/64;
AC Vlan-int500 3::1/64 and, through the AP, Host B 3::2/64.)

Configuration outlines
1. On Switch A, configure a default route with Switch B as the next hop.
2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3. On AC, configure a default route with Switch B as the next hop.
Configuration procedure
1. Configure a default route with the next hop address 4::2 on Switch A.
2. Configure two static routes on Switch B: one with destination address 1::/64 and next hop
address 4::1, and the other with destination address 3::/64 and next hop address 5::1.
3. Configure a default route on AC:
a. Select Network > IPv6 Routing from the navigation tree.
b. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 143.
c. Enter :: for Destination IP Address, select 0 for Prefix Length, and enter 5::2 for Next Hop.
d. Click Apply.
Figure 143 Configuring a default route

Verifying the configuration
1. Display the route table:
Enter the IPv6 route page of Switch A, Switch B, and AC, respectively, to verify that the newly
configured static routes are displayed as active routes on the page.
2. Ping Host B from Switch A:
<SwitchA> system-view
[SwitchA] ping ipv6 3::2
  PING 3::2 : 56  data bytes, press CTRL_C to break
    Reply from 3::2
    bytes=56 Sequence=1 hop limit=254  time = 63 ms
    Reply from 3::2
    bytes=56 Sequence=2 hop limit=254  time = 62 ms
    Reply from 3::2
    bytes=56 Sequence=3 hop limit=254  time = 62 ms
    Reply from 3::2
    bytes=56 Sequence=4 hop limit=254  time = 63 ms
    Reply from 3::2
    bytes=56 Sequence=5 hop limit=254  time = 63 ms

  --- 3::2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 62/62/63 ms
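The ping above only tells you that the path works end to end. The following is an added example, not code from the HP guide or the device: it models the three route tables the example configures (connected prefixes taken from the interface addresses in Figure 142, plus the static routes from the configuration procedure) as longest-prefix-match tables and walks a packet hop by hop from Host A to Host B and back, so you can see which route each device uses and what breaks when one is missing. The device names, the map of next-hop addresses to devices and the hop-limit bound are assumptions of the example.

```python
"""Hop-by-hop forwarding check for the IPv6 static route example above.

Added example; not code from the HP guide or the device. Route tables are
modelled as (prefix, next hop) lists with longest-prefix-match lookup.
Device names, the OWNER map of next-hop addresses to devices and the
hop-limit bound are assumptions of this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network
Route = Tuple[Net6, Optional[IPv6]]      # (prefix, next hop); None = directly connected


def connected(*prefixes: str) -> List[Route]:
    return [(Net6(p), None) for p in prefixes]


def static(dest: str, next_hop: str) -> Route:
    return (Net6(dest), IPv6(next_hop))


# Route tables as the example configures them (::/0 is the default route).
DEVICES: Dict[str, List[Route]] = {
    "SwitchA": connected("1::/64", "4::/64") + [static("::/0", "4::2")],
    "SwitchB": connected("4::/64", "5::/64")
    + [static("1::/64", "4::1"), static("3::/64", "5::1")],
    "AC": connected("5::/64", "3::/64") + [static("::/0", "5::2")],
}
# Which device owns each next-hop address (from Figure 142).
OWNER = {IPv6("4::1"): "SwitchA", IPv6("4::2"): "SwitchB",
         IPv6("5::1"): "AC", IPv6("5::2"): "SwitchB"}
# First-hop device for each host.
HOST_GATEWAY = {IPv6("1::2"): "SwitchA", IPv6("3::2"): "AC"}


def lookup(table: List[Route], dst: IPv6) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins, which is
    why 3::/64 on Switch B is used rather than any less specific route."""
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(src: str, dst: str, devices: Dict[str, List[Route]] = DEVICES,
          hop_limit: int = 64) -> List[str]:
    """Return the devices a packet from src to dst traverses, ending with the
    destination address on delivery, 'no-route@<device>' when a device has no
    matching route, or 'loop' when the hop limit is exhausted."""
    dst_ip = IPv6(dst)
    device = HOST_GATEWAY[IPv6(src)]
    path: List[str] = []
    while hop_limit > 0:
        path.append(device)
        route = lookup(devices[device], dst_ip)
        if route is None:
            path.append(f"no-route@{device}")
            return path
        _prefix, next_hop = route
        if next_hop is None:                # directly connected: delivered
            path.append(str(dst_ip))
            return path
        device = OWNER[next_hop]
        hop_limit -= 1
    path.append("loop")
    return path


if __name__ == "__main__":
    print(" -> ".join(trace("1::2", "3::2")))   # SwitchA -> SwitchB -> AC -> 3::2
    print(" -> ".join(trace("3::2", "1::2")))   # AC -> SwitchB -> SwitchA -> 1::2
```

The reverse trace is the part the ping already exercised implicitly: without the 1::/64 route on Switch B, requests from Host A would reach Host B but the replies would die on Switch B, which is the usual symptom of a one-way static route.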

DHCP overview
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
DHCP uses the client/server model. Figure 144 shows a typical DHCP application.
Figure 144 A typical DHCP application
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet through a DHCP relay agent.
Figure 145 DHCP relay agent application (DHCP clients on one subnet reach the DHCP server across the IP
network through the DHCP relay agent)
After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and
other configuration parameters from the DHCP server. This facilitates configuration and centralized
management. For more information about the DHCP client configuration, see "Managing interfaces."
For more information about DHCP, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP
10500/7500 20G Unified Wired-WLAN Module Layer 3 Configuration Guide.

Introduction to DHCP snooping

IMPORTANT:
The DHCP snooping-enabled device must be between the DHCP client and relay agent, or between the
DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.

As a DHCP security feature, DHCP snooping implements the following functions:
1. Record IP-to-MAC mappings of DHCP clients.
2. Ensure that DHCP clients obtain IP addresses from authorized DHCP servers.

Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record
DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports
that connect to DHCP clients, and VLANs to which the ports belong.

Enabling DHCP clients to obtain IP addresses from authorized DHCP servers
If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and
network configuration parameters, and cannot communicate correctly with other network devices. With
DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients
obtain IP addresses only from authorized DHCP servers.
Trusted: A trusted port forwards DHCP messages normally.
Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from
any DHCP server.

Recommended configuration procedure (for DHCP server)

Step 1. Enabling DHCP
    Required. Enable DHCP globally. By default, global DHCP is disabled.
Step 2. Creating an address pool for the DHCP server
    Required. Use at least one method:
    Creating a static address pool for the DHCP server
    Creating a dynamic address pool for the DHCP server
    IMPORTANT:
    If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the
    same network segment as the interface with the DHCP server enabled. Otherwise, the clients will fail
    to obtain IP addresses.
    If a DHCP client obtains an IP address via a DHCP relay agent, an IP address pool on the same network
    segment as the DHCP relay agent interface must be configured. Otherwise, the client will fail to obtain
    an IP address.
Step 3. Enabling the DHCP server on an interface
    Optional. With DHCP enabled, interfaces operate in DHCP server mode by default. When receiving a
    client's request on an interface with the DHCP server enabled, the DHCP server assigns an IP address
    from its address pool to the DHCP client.
    IMPORTANT:
    An interface cannot serve as both the DHCP server and the DHCP relay agent. The most recent
    configuration takes effect.
    The DHCP server works only on interfaces with manually configured IP addresses.
Step 4. Displaying information about assigned IP addresses
    Optional.

Enabling DHCP
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 146.
2. Select the Enable option on the upper part of the page to enable DHCP globally.
Figure 146 Enabling DHCP

Creating a static address pool for the DHCP server
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 146.
2. Select the Static option in the Address Pool field to view all static address pools.
3. Click Add.
Figure 147 Creating a static address pool
4. Configure the static address pool as described in Table 62.
5. Click Apply.

Table 62 Configuration items
IP Pool Name
    Enter the name of a static address pool.
IP Address
Mask
    Enter an IP address and select a subnet mask for the static address pool.
    The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address
    conflict may occur and the bound client cannot obtain an IP address correctly.
    You can enter a mask length or a mask in dotted decimal notation.
Client MAC Address
Client ID
    Configure the client MAC address or the client ID for the static address pool.
    IMPORTANT: The client ID must be identical to the ID of the client to be bound. Otherwise, the client
    cannot obtain an IP address.
Client Domain Name
    Enter the domain name suffix for the client. With the suffix assigned, the client only needs to enter
    part of a domain name, and the system adds the domain name suffix for name resolution.
Gateway Address
    Enter the gateway addresses for the client. A DHCP client that wants to access an external host
    needs to send requests to a gateway. You can specify gateways in each address pool and the DHCP
    server will assign gateway addresses while assigning an IP address to the client.
    Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address
    Enter the DNS server addresses for the client. To allow the client to access a host on the Internet
    through DNS, you need to specify a DNS server address.
    Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address
    Enter the WINS server addresses for the client. If b-node is specified for the client, you do not need
    to specify any WINS server address.
    Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type
    Select the NetBIOS node type for the client.

Creating a dynamic address pool for the DHCP server
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 146.
2. Select the Dynamic option in the Address Pool field to view all dynamic address pools.
3. Click Add.
Figure 148 Creating a dynamic address pool
4. Configure the dynamic address pool as described in Table 63.
5. Click Apply.

Table 63 Configuration items
IP Pool Name
    Enter the name of a dynamic address pool.
IP Address
Mask
    Enter an IP address segment for dynamic allocation.
    To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP
    servers from dynamic allocation.
    You can enter a mask length or a mask in dotted decimal notation.
Lease Duration
    Configure the address lease duration for the address pool: Unlimited, or a value in
    days/hours/minutes/seconds. Unlimited indicates an infinite duration.
Client Domain Name
    Enter the domain name suffix for the client. With the suffix assigned, the client only needs to
    enter part of a domain name, and the system adds the domain name suffix for name resolution.
Gateway Address
    Enter the gateway addresses for the client. DHCP clients that want to access hosts outside the
    local subnet request gateways to forward data. You can specify gateways in each address pool for
    clients and the DHCP server will assign gateway addresses while assigning an IP address to the
    client.
    Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address
    Enter the DNS server addresses for the client. To allow the client to access a host on the Internet
    via the host name, you need to specify DNS server addresses.
    Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address
    Enter the WINS server addresses for the client. If b-node is specified for the client, you do not
    need to specify any WINS server address.
    Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type
    Select the NetBIOS node type for the client.

Enabling the DHCP server on an interface
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 146.
2. Click the icon next to a specific interface to enter the page shown in Figure 149.
3. Select the Enable option for DHCP Server.
4. Click Apply.
Figure 149 Configuring a DHCP server interface

Displaying information about assigned IP addresses
1. Select Network > DHCP > DHCP Server from the navigation tree to enter the page, as shown
in Figure 146.
2. Click Addresses in Use in the Address In Use field on the lowest part of the page to view
information about the IP addresses assigned from the address pool.
Figure 150 Displaying addresses in use

Table 64 Field description
IP Address
    Assigned IP address.
Client MAC Address/Client ID
    Client MAC address or client ID bound to the IP address.
Pool Name
    Name of the DHCP address pool to which the IP address belongs.
Lease Expiration
    Lease expiration time of the IP address.

Recommended configuration procedure (for DHCP relay agent)

Step 1. Enabling DHCP and configuring advanced parameters for the DHCP relay agent
    Required. Enable DHCP globally and configure advanced DHCP parameters. By default, global DHCP is
    disabled.
Step 2. Creating a DHCP server group
    Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay
    agent and correlate a relay agent interface with the server group. When the interface receives
    request messages from clients, the relay agent forwards them to all the DHCP servers of the group.
Step 3. Enabling the DHCP relay agent on an interface
    Required. Enable the DHCP relay agent on an interface, and correlate the interface with a DHCP server
    group. With DHCP enabled, interfaces work in DHCP server mode by default.
    IMPORTANT:
    An interface cannot serve as both the DHCP server and the DHCP relay agent. The most recent
    configuration takes effect.
    If the DHCP relay agent is enabled on an Ethernet subinterface, a packet received from a client on
    this interface must contain a VLAN tag and the VLAN tag must be the same as the VLAN ID of the
    subinterface. Otherwise, the packet is discarded.
    The DHCP relay agent works only on interfaces with manually configured IP addresses.
    If an Ethernet subinterface serves as a DHCP relay agent, it conveys IP addresses only to
    subinterfaces of DHCP clients. In this case, a PC cannot obtain an IP address as a DHCP client.
Step 4. Configuring and displaying clients' IP-to-MAC bindings
    Optional. Create a static IP-to-MAC binding, and view static and dynamic bindings.
    The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP
    addresses. It also supports static bindings. You can manually configure IP-to-MAC bindings on the
    DHCP relay agent so that users can access the external network using fixed IP addresses.
    By default, no static binding is created.

Enabling DHCP and configuring advanced parameters for the DHCP relay agent
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab.
Figure 151 Enabling DHCP
3. Select the Enable option for DHCP Service.
4. Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration
field, as shown in Figure 152.
Figure 152 Advanced DHCP relay agent configuration field
5. Configure the advanced DHCP relay agent parameters as described in Table 65.
6. Click Apply. The DHCP Service setting selected in step 3 also takes effect only after you click Apply.

Table 65 Configuration items
Unauthorized Server Detect
    Enable or disable unauthorized DHCP server detection.
    There may be unauthorized DHCP servers on the network, which reply to DHCP clients with incorrect
    IP addresses. When this feature is enabled, the DHCP relay agent records the IP address of any DHCP
    server that assigned an IP address to a DHCP client, together with the receiving interface, when it
    receives a DHCP request. The administrator can use this information to monitor for and act on
    unauthorized DHCP servers. The device creates one record for each DHCP server so that the
    administrator can identify unauthorized DHCP servers. After the recorded DHCP server information is
    cleared, the relay agent records server information again.
Dynamic Bindings Refresh
Track Timer Interval
    Enable or disable periodic refresh of dynamic client entries, and set the refresh interval.
    Through the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP
    server to relinquish its IP address. The DHCP relay agent conveys the message to the DHCP server,
    but does not remove the IP address from its dynamic client entries. To solve this problem, use the
    periodic refresh of dynamic client entries feature.
    When this feature is enabled, the DHCP relay agent uses the IP address of a client and the MAC
    address of the DHCP relay agent interface to periodically send a DHCP-REQUEST message to the DHCP
    server.
    If the server returns a DHCP-ACK message or does not return any message within the specified
    interval, which means that the IP address is assignable, the DHCP relay agent ages out the client
    entry.
    If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay
    agent does not age it out.
    If the Auto option is selected, the refresh interval is calculated by the relay agent according to
    the number of client entries.

Creating a DHCP server group
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page shown in Figure 151.
3. In the Server Group field, click Add.
Figure 153 Creating a server group
4. Specify the DHCP server group information as described in Table 66.
5. Click Apply.

Table 66 Configuration items
Server Group ID
    Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.
IP Address
    Enter the IP address of a server in the DHCP server group.
    The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent.
    Otherwise, the client cannot obtain an IP address.

Enabling the DHCP relay agent on an interface
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page shown in Figure 151.
3. In the Interface Config field, click the icon of a specific interface to enter the page shown
in Figure 154.
Figure 154 Configuring a DHCP relay agent interface
4. Configure the parameters as described in Table 67.
5. Click Apply.

Table 67 Configuration items
Interface Name
    This field displays the name of a specific interface.
DHCP Relay
    Enable or disable the DHCP relay agent on the interface. If the DHCP relay agent is disabled, the
    DHCP server is enabled on the interface.
Address Match Check
    Enable or disable IP address check. With this function enabled, the DHCP relay agent checks whether
    a requesting client's IP and MAC addresses match a binding (dynamic or static) on the DHCP relay
    agent. If not, the client cannot access outside networks via the DHCP relay agent. This prevents
    invalid IP address configuration.
Server Group ID
    Correlate the interface with a DHCP server group. A DHCP server group can be correlated with
    multiple interfaces.
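The relay agent behaviour described in Table 65 (periodic refresh of dynamic client entries) and Table 67 (address match check and server group correlation), worked through in one model. This is an added example, not code from the HP guide or the device: the DhcpServer stub, the binding fields, the interface and group names and the addresses used in the test are all assumptions. The stub answers the relay's probe DHCP-REQUEST with NAK when the address is still leased to its client and with ACK when it is free, and a missing reply is treated like an ACK, which is exactly the distinction the Track Timer Interval text makes.

```python
"""DHCP relay agent model: server-group forwarding, address match check, and
periodic refresh of dynamic client entries.

Added example; not code from the HP guide or the device. The DhcpServer stub,
Binding fields and all names and addresses used are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DhcpServer:
    ip: str
    leases: Dict[str, str] = field(default_factory=dict)   # client IP -> client MAC
    reachable: bool = True

    def probe(self, ip: str, requester_mac: str) -> Optional[str]:
        """Reply to a DHCP-REQUEST for ip sent from requester_mac: NAK if ip is
        held by another MAC, ACK if it is assignable, None if no reply at all."""
        if not self.reachable:
            return None
        holder = self.leases.get(ip)
        return "NAK" if holder and holder != requester_mac else "ACK"


@dataclass
class Binding:
    ip: str
    mac: str
    interface: str
    static: bool = False


class RelayAgent:
    MAX_GROUPS = 20                                   # limit stated in Table 66

    def __init__(self, mac: str):
        self.mac = mac                                # relay interface MAC used in probes
        self.groups: Dict[int, List[DhcpServer]] = {}
        self.iface_group: Dict[str, int] = {}         # relay interface -> server group ID
        self.match_check: Set[str] = set()            # interfaces with Address Match Check
        self.bindings: Dict[str, Binding] = {}        # client IP -> binding

    def add_server_group(self, gid: int, servers: List[DhcpServer]) -> None:
        if gid not in self.groups and len(self.groups) >= self.MAX_GROUPS:
            raise ValueError("at most 20 DHCP server groups")
        self.groups[gid] = servers

    def enable_relay(self, interface: str, gid: int, address_match_check: bool = False) -> None:
        self.iface_group[interface] = gid
        if address_match_check:
            self.match_check.add(interface)

    def relay_request(self, interface: str) -> List[str]:
        """A client request received on interface goes to every server in its group."""
        return [s.ip for s in self.groups[self.iface_group[interface]]]

    def record_lease(self, interface: str, ip: str, mac: str) -> None:
        """Dynamic binding learned when the server's ACK is relayed to the client."""
        self.bindings[ip] = Binding(ip, mac, interface)

    def add_static_binding(self, interface: str, ip: str, mac: str) -> None:
        self.bindings[ip] = Binding(ip, mac, interface, static=True)

    def forward_client_traffic(self, interface: str, ip: str, mac: str) -> bool:
        """Address match check: with the check on, only traffic whose source IP
        and MAC match a binding may pass through the relay agent."""
        if interface not in self.match_check:
            return True
        b = self.bindings.get(ip)
        return b is not None and b.mac == mac

    def refresh_dynamic_bindings(self) -> List[str]:
        """Probe each dynamic entry with a DHCP-REQUEST; age out entries the
        server answers with ACK or does not answer, keep those answered NAK."""
        aged: List[str] = []
        for ip, b in list(self.bindings.items()):
            if b.static:
                continue
            servers = self.groups[self.iface_group[b.interface]]
            replies = {s.probe(ip, self.mac) for s in servers}
            if "NAK" in replies:
                continue                              # address still in use
            del self.bindings[ip]
            aged.append(ip)
        return aged
```

Two consequences worth noticing: a host that configures a fixed address by hand has no binding and is blocked by the address match check unless you add a static binding for it, and an unreachable server causes every dynamic entry to age out on the next refresh, which is why the refresh interval should not be made aggressively short.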

Configuring and displaying clients' IP-to-MAC bindings
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page shown in Figure 151.
3. In the User Information field, click User Information to view static and dynamic bindings.
Figure 155 Displaying clients' IP-to-MAC bindings
4. Click Add.
Figure 156 Creating a static IP-to-MAC binding
5. Configure the static IP-to-MAC binding as described in Table 68.
6. Click Apply.

Table 68 Configuration items
IP Address
    Enter the IP address of a DHCP client.
MAC Address
    Enter the MAC address of the DHCP client.
Interface Name
    Select the Layer 3 interface connected with the DHCP client.
    IMPORTANT: The interface of a static binding entry must be configured as a DHCP relay agent.
    Otherwise, address entry conflicts may occur.

Recommended configuration procedure (for DHCP snooping)

Step 1. Enabling DHCP snooping
    Required. By default, DHCP snooping is disabled.
Step 2. Configuring DHCP snooping functions on an interface
    Required. Specify an interface as trusted and configure DHCP snooping to support Option 82.
    By default, an interface is untrusted and DHCP snooping does not support Option 82.
    IMPORTANT:
    You need to specify the ports connected to the authorized DHCP servers as trusted to make sure
    DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP
    client must be in the same VLAN.
Step 3. Displaying clients' IP-to-MAC bindings
    Optional. Display clients' IP-to-MAC bindings recorded by DHCP snooping.

Enabling DHCP snooping
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab.
3. Select the Enable option for DHCP Snooping.
Figure 157 Enabling DHCP snooping

Configuring DHCP snooping functions on an interface
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page shown in Figure 157.
3. In the Interface Config field, click the icon of a specific interface.
Figure 158 Configuring DHCP snooping functions on an interface
4. Configure the parameters as described in Table 69.
5. Click Apply.

Table 69 Configuration items
Interface Name
    This field displays the name of a specific interface.
Interface State
    Configure the interface as trusted or untrusted.
Option 82 Support
    Configure whether DHCP snooping supports Option 82.
Option 82 Strategy
    Select the handling strategy for DHCP requests containing Option 82. The strategies include:
    Drop: The message is discarded if it contains Option 82.
    Keep: The message is forwarded without its Option 82 being changed.
    Replace: The message is forwarded after its original Option 82 is replaced with the Option 82
    padded in normal format.
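The rules from "Introduction to DHCP snooping" and the three Option 82 strategies of Table 69, worked on raw DHCP packets. This is an added example, not code from the HP guide or the device: the port names, VLAN IDs and sample packets are constructed for the test, the binding is recorded when a DHCP-ACK on a trusted port answers a DHCP-REQUEST previously seen from a client port, and the circuit-id layout written by the replace strategy is an assumption (the guide only says "normal format").

```python
"""DHCP snooping on raw DHCP packets: trusted/untrusted filtering, binding
recording, and the drop/keep/replace Option 82 strategies of Table 69.

Added example; not code from the HP guide or the device. An untrusted port
drops DHCP-OFFER/ACK/NAK from any server; a binding (client MAC, leased IP,
client port, VLAN, lease) is recorded when a DHCP-ACK on a trusted port answers
a DHCP-REQUEST seen from a client port. Packets are constructed for the test;
port names and the circuit-id layout used by "replace" are assumptions.
"""
import struct
from collections import namedtuple
from typing import Dict, Optional, Set, Tuple

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the BOOTP header
OFFER, REQUEST, ACK, NAK = 2, 3, 5, 6   # option 53 message types used here
SERVER_TYPES = {OFFER, ACK, NAK}        # only a DHCP server sends these

Dhcp = namedtuple("Dhcp", "msg_type chaddr yiaddr options")
Binding = namedtuple("Binding", "mac ip port vlan lease")


def parse(pkt: bytes) -> Dhcp:
    """Decode the fields snooping needs: yiaddr, chaddr and the option list."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:   # 255 = end option
        if pkt[i] == 0:                     # 0 = pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    yiaddr = ".".join(str(b) for b in pkt[16:20])
    return Dhcp(opts[53][0], pkt[28:34], yiaddr, opts)


def build(msg_type: int, chaddr: bytes, yiaddr: str = "0.0.0.0",
          opts: Optional[Dict[int, bytes]] = None) -> bytes:
    """Constructed test input: minimal BOOTP header, cookie, options, end."""
    hdr = bytearray(236)
    hdr[0] = 2 if msg_type in SERVER_TYPES else 1   # op: BOOTREPLY / BOOTREQUEST
    hdr[1], hdr[2] = 1, 6                           # htype Ethernet, hlen 6
    hdr[16:20] = bytes(int(x) for x in yiaddr.split("."))
    hdr[28:34] = chaddr
    body = bytes([53, 1, msg_type])
    for code, val in (opts or {}).items():
        body += bytes([code, len(val)]) + val
    return bytes(hdr) + MAGIC + body + b"\xff"


class Snooper:
    def __init__(self, trusted: Set[str], option82: str = "keep"):
        self.trusted = trusted              # ports facing authorized DHCP servers
        self.option82 = option82            # "drop", "keep" or "replace"
        self.pending: Dict[bytes, Tuple[str, int]] = {}   # chaddr -> (port, vlan)
        self.bindings: Dict[str, Binding] = {}            # leased IP -> binding

    def ingress(self, pkt: bytes, port: str, vlan: int) -> Optional[bytes]:
        """Return the packet to forward (possibly rewritten), or None to drop."""
        d = parse(pkt)
        if port not in self.trusted:
            if d.msg_type in SERVER_TYPES:
                return None                 # rogue server behind a client port
            if 82 in d.options:
                if self.option82 == "drop":
                    return None
                if self.option82 == "replace":
                    pkt = self._replace_option82(pkt, port, vlan)
            if d.msg_type == REQUEST:
                self.pending[d.chaddr] = (port, vlan)
            return pkt
        if d.msg_type == ACK and d.chaddr in self.pending:
            cport, cvlan = self.pending.pop(d.chaddr)
            lease = struct.unpack("!I", d.options.get(51, b"\0\0\0\0"))[0]
            self.bindings[d.yiaddr] = Binding(d.chaddr, d.yiaddr, cport, cvlan, lease)
        return pkt

    def _replace_option82(self, pkt: bytes, port: str, vlan: int) -> bytes:
        """Drop the client's Option 82 and append one whose circuit-id is
        VLAN (2 bytes) + port name; this layout is an assumption."""
        circuit = struct.pack("!H", vlan) + port.encode()
        opt82 = bytes([82, len(circuit) + 2, 1, len(circuit)]) + circuit
        out, i = bytearray(pkt[:240]), 240
        while pkt[i] != 255:
            if pkt[i] == 0:
                i += 1
                continue
            code, length = pkt[i], pkt[i + 1]
            if code != 82:
                out += pkt[i:i + 2 + length]
            i += 2 + length
        return bytes(out + opt82 + b"\xff")
```

The trust decision is made on the ingress port before anything else is looked at, which is why the IMPORTANT note above insists that only the ports toward authorized servers are trusted: a server answer arriving on any other port is discarded, and a binding is only ever created from an ACK that arrived on a trusted port.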

Displaying clients' IP-to-MAC bindings
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page shown in Figure 157.
3. Click User Information to enter the DHCP snooping user information page, as shown in Figure
159.
Figure 159 Displaying clients' IP-to-MAC bindings
4. View clients' IP-to-MAC bindings recorded by DHCP snooping as described in Table 70.

Table 70 Field description
IP Address
    This field displays the IP address assigned by the DHCP server to the client.
MAC Address
    This field displays the MAC address of the client.
Type
    This field displays the client type, which can be:
    Dynamic: The IP-to-MAC binding is generated dynamically.
    Static: The IP-to-MAC binding is configured manually. Static bindings are not supported.
Interface Name
    This field displays the device interface to which the client is connected.
VLAN
    This field displays the VLAN to which that interface belongs.
Remaining Lease Time
    This field displays the remaining lease time of the IP address.

DHCP server configuration example

Network requirements
As shown in Figure 160, the DHCP clients (the host and the AP) on subnet 10.1.1.0/24 obtain IP addresses
dynamically from the DHCP server (AC). The IP address of VLAN-interface 2 of the AC is 10.1.1.1/24.
In subnet 10.1.1.0/24, the address lease duration is ten days and twelve hours and the gateway address
is 10.1.1.1.
Figure 160 Network diagram (Host and AP are DHCP clients; the AC is the DHCP server, Vlan-int2
10.1.1.1/24)

Configuration procedure
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree to enter the default DHCP Server page.
b. Select the Enable option for DHCP Service.
Figure 161 Enabling DHCP
2. Enable the DHCP server on VLAN-interface 2 (this step can be omitted because the DHCP
server is enabled on the interface by default):
a. In the Interface Config field, click the icon of VLAN-interface 2.
b. Select the Enable option for DHCP Server.
c. Click Apply.
Figure 162 Enabling the DHCP server on VLAN-interface 2
3. Configure a dynamic address pool for the DHCP server:
a. Select the Dynamic option in the Address Pool field (default setting), and click Add.
b. On the page that appears, enter test for IP Pool Name, enter 10.1.1.0 for IP Address, enter
255.255.255.0 for Mask, enter 10 days 12 hours 0 minutes 0 seconds for Lease Duration, and
enter 10.1.1.1 for Gateway Address.
c. Click Apply.
Figure 163 Configuring a dynamic address pool for the DHCP server

DHCP relay agent configuration example

Network requirements
As shown in Figure 164, VLAN-interface 1 on the DHCP relay agent (AC) connects to the network where
DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24. VLAN-interface 2, on subnet
10.1.1.0/24, is connected to the DHCP server whose IP address is 10.1.1.1/24.
The AC forwards messages between DHCP clients and the DHCP server.
Figure 164 Network diagram

Configuration procedure
If the DHCP relay agent and the DHCP server are on different subnets, you must configure a static route or
a dynamic routing protocol so they can communicate.
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Relay tab.
c. Select the Enable option for DHCP Service.
d. Click Apply.
Figure 165 Enabling DHCP
2. Configure a DHCP server group:
a. In the Server Group field, click Add.
b. Enter 1 for Server Group ID, and 10.1.1.1 for IP Address.
c. Click Apply.
Figure 166 Adding a DHCP server group
3. Enable the DHCP relay agent on VLAN-interface 1:
a. In the Interface Config field, click the icon of VLAN-interface 1.
b. Select the Enable option for DHCP Relay, and select 1 for Server Group ID.
c. Click Apply.
Figure 167 Enabling the DHCP relay agent on an interface and correlating it with a server group

DHCP snooping configuration example

Network requirements
As shown in Figure 168, a switch is installed with an HP 10500/7500 20G unified wired-WLAN module
to serve as an AC. The AC is connected to a DHCP server through GigabitEthernet 3/0/2, and to an AP
through GigabitEthernet 1/0/1.
Enable DHCP snooping on the AC.
Configure the AC to record clients' IP-to-MAC address bindings in DHCP-REQUEST messages and
DHCP-ACK messages received from a trusted port.
Figure 168 Network diagram (Host and AP are DHCP clients behind GE3/0/1; the DHCP server is behind
GE3/0/2; the AC runs DHCP snooping)

Configuration procedure
1. Enable DHCP snooping:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Snooping tab.
c. Select the Enable option for DHCP Snooping.
Figure 169 Enabling DHCP snooping
2. Configure DHCP snooping functions on Ten-GigabitEthernet 1/0/1:
a. Click the icon of Ten-GigabitEthernet 1/0/1 on the interface list.
b. Select the Trust option for Interface State.
c. Click Apply.
Figure 170 Configuring DHCP snooping functions on Ten-GigabitEthernet 1/0/1
3. Display clients' IP-to-MAC bindings:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Snooping tab.
c. Click User Information to enter the DHCP snooping user information page, as shown in Figure
171.
Figure 171 Displaying clients' IP-to-MAC bindings

Configuring DNS
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use simple domain names in some
applications and the DNS server translates them into correct IP addresses.
There are two types of DNS services: static and dynamic. After a user specifies a name, the device checks
the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS
server for dynamic name resolution, which takes more time than static name resolution. Therefore, to
improve efficiency, frequently queried name-to-IP address mappings are stored in the local static name
resolution table.

Static domain name resolution


Static domain name resolution requires you to set up mappings between domain names and IP
addresses manually. IP addresses of the corresponding domain names can be found in the static domain
resolution table when you use applications such as telnet.

Dynamic domain name resolution


Dynamic domain name resolution is implemented by querying the DNS server.

DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy.
The DNS proxy forwards the request to the designated DNS server, and conveys the reply from the DNS
server to the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you only
need to change the configuration on the DNS proxy, instead of on each DNS client.
For more information about DNS, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP
10500/7500 20G Unified Wired-WLAN Module Layer 3 Configuration Guide.


Recommended configuration procedure

Configuring static name resolution table
Step: Configuring static name resolution table
    Required. By default, no host name-to-IP address mappings are configured in the static domain name
    resolution table.

Configuring dynamic domain name resolution
Step 1. Configuring dynamic domain name resolution
    Required. This function is disabled by default.
Step 2. Adding a DNS server address
    Required. Not configured by default.
Step 3. Adding a domain name suffix
    Optional. Not configured by default.
Step 4. Clearing dynamic DNS cache
    Optional.

Configuring DNS proxy
Step 1. Configuring DNS proxy
    Required. By default, the device is not a DNS proxy.
Step 2. Adding a DNS server address
    Required. Not configured by default.

Configuring static name resolution table
1. Select Network > DNS from the navigation tree to enter the default static domain name resolution
configuration page shown in Figure 172.
Figure 172 Static domain name resolution configuration page
2. Click Add.
Figure 173 Creating a static domain name resolution entry
3. Configure the parameters as described in Table 71.
4. Click Apply.

Table 71 Configuration items
Host Name
Host IP Address
    Configure the mapping between a host name and an IP address in the static domain name table.
    Each host name corresponds to only one IP address. If you configure multiple IP addresses for a host
    name, the most recently configured IP address takes effect.

Configuring dynamic domain name resolution
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab.
3. Select the Enable option for Dynamic DNS.
4. Click Apply.
Figure 174 Dynamic domain name resolution configuration page

Configuring DNS proxy
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 174.
3. Select the Enable option for DNS Proxy.
4. Click Apply.

Adding a DNS server address
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 174.
3. Click Add IP to enter the page shown in Figure 175.
4. Enter an IP address in the DNS Server IP Address field.
5. Click Apply.
Figure 175 Adding a DNS server address

Adding a domain name suffix
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 174.
3. Click Add Suffix to enter the page shown in Figure 176.
4. Enter a DNS suffix in the DNS Domain Name Suffix field.
5. Click Apply.
Figure 176 Adding a domain name suffix

Clearing dynamic DNS cache
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 174.
3. Select the Clear Dynamic DNS cache box.
4. Click Apply.

DNS configuration example

Network requirements
As shown in Figure 177, the AC wants to access the host by using a simple domain name rather than an
IP address, and to request the DNS server on the network for an IP address by using dynamic domain
name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has a com domain,
which stores the mapping between the domain name host and the IP address 3.1.1.1/16.
The AC serves as a DNS client, and uses dynamic domain name resolution and the suffix to access the host
with the domain name host.com and the IP address 3.1.1.1/16.
Figure 177 Network diagram

NOTE:
Before performing the following configuration, make sure the AC and the host are reachable from each
other, and that the IP addresses of the interfaces are configured. See Figure 177.
This configuration may vary with DNS servers. The following configuration is performed on a PC
running Windows Server 2000.

Configuring the DNS server
1. Create zone com:
a. Select Start > Programs > Administrative Tools > DNS.
b. As shown in Figure 178, right-click Forward Lookup Zones and select New Zone.
c. Follow the instructions to create a new zone named com.
Figure 178 Creating a zone
2. Create a mapping between the host name and IP address:
a. In Figure 179, right-click zone com, and then select New Host.
Figure 179 Adding a host
b. In the dialog box shown in Figure 180, enter host name host and IP address 3.1.1.1.
c. Click Add Host.
Figure 180 Adding a mapping between domain name and IP address

Configuring the AC
1. Enable dynamic domain name resolution:
a. Select Network > DNS from the navigation tree.
b. Click the Dynamic tab.
c. Select the Enable option for Dynamic DNS.
d. Click Apply.
Figure 181 Enabling dynamic domain name resolution
2. Configure the DNS server address:
a. Click Add IP in Figure 181 to enter the page for adding a DNS server IP address.
b. Enter 2.1.1.2 for DNS Server IP Address.
c. Click Apply.
Figure 182 Adding a DNS server address
3. Configure the domain name suffix:
a. Click Add Suffix in Figure 181.
b. Enter com for DNS Domain Name Suffix.
c. Click Apply.
Figure 183 Adding a DNS domain name suffix

Verifying the configuration
Use the ping host command on the AC to verify that the communication between the AC and the host is
normal and that the corresponding destination IP address is 3.1.1.1.
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Enter host in the Destination IP address or host name field.
3. Click Start to execute the ping command.
4. View the result in the Summary field.
Figure 184 Ping operation

Managing services
Overview
The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP
and HTTPS. You can enable or disable the services as needed to enhance the performance and security
of the system, and achieve secure management of the device.
The service management module also allows you to modify the HTTP and HTTPS port numbers and to
associate the FTP, HTTP, or HTTPS service with an ACL, which reduces attacks on these services by
unauthorized users.

FTP service
The File Transfer Protocol (FTP) is an application-layer protocol for sharing files between server and client
over a TCP/IP network.

Telnet service
The Telnet protocol is an application layer protocol that provides remote login and virtual terminal
functions on the network.

SSH service
Secure Shell (SSH) offers an approach to securely log in to a remote device. Using encryption and
authentication, it protects devices against attacks such as IP spoofing and plaintext password interception.

SFTP service
The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to
provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to
the SFTP server for secure file management and transfer. The device can also serve as an SFTP client,
enabling a user to log in from the device to a remote device for secure file transfer.

HTTP service
The Hypertext Transfer Protocol (HTTP) is used for transferring Web page information across the Internet.
It is an application-layer protocol in the TCP/IP protocol suite.
With the HTTP service enabled, you can log in to the device over HTTP and access and control the device
through Web-based network management.

HTTPS service
Secure HTTP (HTTPS) is HTTP carried over the Secure Sockets Layer (SSL) protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:
• Uses the SSL protocol to ensure that legitimate clients can securely access the device and that
  illegitimate clients are rejected.
• Encrypts the data exchanged between the HTTPS client and the device to ensure data security
  and integrity.
• Defines a certificate attribute-based access control policy for the device to control the access rights
  of the client, to avoid attacks from illegitimate clients.

Configuring service management
1. Select Network > Service from the navigation tree to enter the service management configuration
   page.
   Figure 185 Service management
2. Enable or disable various services on the page as described in Table 72.
3. Click Apply.

Table 72 Configuration items
FTP
  Enable FTP service: Specify whether to enable the FTP service. The FTP service is disabled by default.
  ACL: Associate the FTP service with an ACL. Only the clients that pass the ACL filtering are permitted
    to use the FTP service. You can view this configuration item by clicking the expanding button in
    front of FTP.
Telnet
  Enable Telnet service: Specify whether to enable the Telnet service. The Telnet service is enabled by
    default.
SSH
  Enable SSH service: Specify whether to enable the SSH service. The SSH service is disabled by default.
SFTP
  Enable SFTP service: Specify whether to enable the SFTP service. The SFTP service is disabled by
    default.
    IMPORTANT:
    When you enable the SFTP service, the SSH service must be enabled.
HTTP
  Enable HTTP service: Specify whether to enable the HTTP service. The HTTP service is disabled by
    default.
  Port Number: Set the port number for the HTTP service. You can view this configuration item by
    clicking the expanding button in front of HTTP.
    IMPORTANT:
    When you modify a port, make sure the port is not used by another service.
  ACL: Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are
    permitted to use the HTTP service. You can view this configuration item by clicking the expanding
    button in front of HTTP.
HTTPS
  Enable HTTPS service: Specify whether to enable the HTTPS service. The HTTPS service is disabled by
    default.
  Port Number: Set the port number for the HTTPS service. You can view this configuration item by
    clicking the expanding button in front of HTTPS.
    IMPORTANT:
    When you modify a port, make sure the port is not used by another service.
  ACL: Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are
    permitted to use the HTTPS service. You can view this configuration item by clicking the expanding
    button in front of HTTPS.
  Certificate: Set the local certificate for the HTTPS service. The list displays certificate subjects.
    You can configure the available PKI domains by selecting Authentication > Certificate Management
    from the navigation tree at the left side of the interface. For more information, see "Managing
    certificates."
    IMPORTANT:
    The service management, portal authentication, and local EAP service modules always reference the
    same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the
    PKI domain referenced in the other two modules.

Using diagnostic tools

Ping
You can use the ping function to check whether a device with a specified address is reachable, and to
examine network connectivity.
A successful execution of the ping command includes the following steps:
1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source
   device after receiving the ICMP echo request.
3. The source device displays related statistics after receiving the reply.
Output of the ping command includes the following:
• The ping command can be applied to the destination's host name or IP address. If the destination's
  host name is unknown, the prompt information is displayed.
• If the source device does not receive an ICMP echo reply within the timeout time, it displays the
  prompt information and the statistics during the ping operation. If the source device receives an
  ICMP echo reply within the timeout time, it displays the number of bytes of the echo reply, the
  message sequence number, Time to Live (TTL), the response time, and the statistics during the ping
  operation. Statistics displayed during the ping operation include the number of packets sent, the
  number of echo reply messages received, the percentage of messages not received, and the minimum,
  average, and maximum response time.

Trace route
By using the trace route command, you can display the Layer 3 devices involved in delivering a packet
from source to destination. In the event of network failure, this function can identify failed nodes.
The trace route command includes the following steps in its execution:
1. The source device sends a packet with a TTL value of 1 to the destination device.
2. The first hop (the Layer 3 device that first receives the packet) responds by sending a TTL-expired
   ICMP message to the source, with its IP address encapsulated. In this way, the source device can
   obtain the address of the first Layer 3 device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with a TTL-expired ICMP message, which gives the source device the
   address of the second Layer 3 device.
5. This process continues until the ultimate destination device is reached. In this way, the source
   device can trace the addresses of all the Layer 3 devices involved in reaching the destination
   device.
The trace route command can be applied to the destination's host name or IP address. If the destination's
host name is unknown, the prompt information is displayed.
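The TTL-stepping procedure above, modelled in Python as an added example (not code from this guide or from the device). The network is a constructed table of hops; Hop, Destination, forward_probe and trace_route are names chosen for this example. A hop that does not send TTL-expired messages and a destination that does not send destination-unreachable messages (the two prerequisites the guide lists under "Trace route operation") are both modelled, so the example shows what the trace looks like when either is missing.

```python
"""Model of the trace route procedure (added example, not HP code).

Hop, Destination, forward_probe and trace_route are names chosen for this
example. The network is a constructed list of Layer 3 hops in path order.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    """An intermediate Layer 3 device on the path."""
    address: str
    # True when the device sends ICMP time-exceeded messages
    # (the guide's "ip ttl-expires enable" prerequisite).
    ttl_expires_enabled: bool = True


@dataclass
class Destination:
    """The final device."""
    address: str
    # True when the destination answers the probe with an ICMP destination
    # unreachable message (the guide's "ip unreachables enable" prerequisite).
    unreachables_enabled: bool = True


def forward_probe(path: List[Hop], dest: Destination,
                  ttl: int) -> Tuple[Optional[str], Optional[str]]:
    """Forward one probe with the given initial TTL through the path.

    Each hop decrements the TTL; the hop at which it reaches 0 discards the
    probe and, if enabled, reports its own address in a TTL-expired message.
    Returns (reply_kind, replying_address); (None, None) means a timeout.
    """
    remaining = ttl
    for hop in path:
        remaining -= 1
        if remaining == 0:
            if hop.ttl_expires_enabled:
                return "ttl-expired", hop.address
            return None, None  # silently dropped: the source sees a timeout
    # The TTL survived every hop, so the probe reached the destination.
    if dest.unreachables_enabled:
        return "unreachable", dest.address
    return None, None


def trace_route(path: List[Hop], dest: Destination, max_ttl: int = 30):
    """Send probes with TTL 1, 2, 3, ... until the destination answers.

    Returns a list of (ttl, address) where address is None for a hop that
    did not answer. Without a reply from the destination the source cannot
    tell that the probe has arrived, so the trace runs on until max_ttl.
    """
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, addr = forward_probe(path, dest, ttl)
        hops.append((ttl, addr))
        if kind == "unreachable":
            break
    return hops


def format_trace(hops) -> List[str]:
    """Render the hop list the way a trace route summary is usually shown."""
    return [f"{ttl:2d}  {addr if addr else '* * *'}" for ttl, addr in hops]


if __name__ == "__main__":
    # Constructed sample network: the second router does not send
    # TTL-expired messages, so it shows up as "* * *".
    sample_path = [Hop("10.0.0.1"),
                   Hop("10.0.1.1", ttl_expires_enabled=False),
                   Hop("10.0.2.1")]
    sample_dest = Destination("192.0.2.10")
    for line in format_trace(trace_route(sample_path, sample_dest)):
        print(line)
```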

Ping operation
IPv4 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Click the expansion button before Advanced Setup to display the configurations of the advanced
   parameters of IPv4 ping operation.
   Figure 186 IPv4 ping configuration page
3. Enter the IPv4 address or host name of the destination device in the Destination IP address or host
   name field.
4. Set the advanced parameters for the IPv4 ping operation.
5. Click Start to execute the ping command.
6. View the result in the Summary field.
   Figure 187 IPv4 ping operation results

IPv6 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree.
2. Enter the IPv6 ping configuration page (default setting).
3. Expand Advanced Setup to display the configurations of the advanced parameters of IPv6 ping
   operation.
   Figure 188 IPv6 ping
4. Enter the IPv6 address or host name of the destination device in the Destination IP address or host
   name field.
5. Set the advanced parameters for the IPv6 ping operation.
6. Click Start to execute the ping command.
7. View the result in the Summary field.
   Figure 189 IPv6 ping operation results

Trace route operation
The Web interface does not support trace route on IPv6 addresses.
Before performing the trace route operations, execute the ip ttl-expires enable command on the
intermediate device to enable the sending of ICMP timeout packets and the ip unreachables enable
command on the destination device to enable the sending of ICMP destination unreachable packets.
1. Select Diagnostic Tools > Trace Route from the navigation tree.
2. Click the Trace Route tab to enter the Trace Route configuration page.
   Figure 190 Trace Route configuration page
3. Enter the destination IP address or host name.
4. Click Start to execute the trace route command.
5. View the result in the Summary field.
   Figure 191 Trace route operation results

Configuring APs
The AP configuration module allows you to perform the following configurations:
• Establish a connection between AC and AP
• Configure auto AP
• Configure an AP group

AC-AP connection
An AP and an AC establish a tunnel connection based on UDP.
An AP uses a data tunnel to encapsulate data packets to be sent to the AC. These packets can be raw
802.11 packets or 802.11 to 802.3 translated packets. An AC provides a control tunnel to support remote
AP configuration and management, and WLAN and mobile management.
The AC can dynamically configure an AP based on the information provided by the administrator.

Auto AP
The auto AP feature allows an AP to automatically connect to an AC. When you deploy a wireless
network with multiple APs, the auto AP function avoids configuration of many AP serial IDs, simplifying
configuration.

AP group
Some wireless service providers need to control the access positions of clients. For example, as shown in
the figure below, to meet security or billing needs, it is required to connect wireless clients 1, 2 and 3 to
the wired network through APs 1, 2 and 3 respectively. To achieve this, you can configure an AP group
that the clients can be associated with and then apply the AP group in a user profile.
Figure 192 Client access control

Configuring an AP
Creating an AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add to enter the page for adding an AP.
   Figure 193 Adding an AP
3. Create the AP as described in Table 73.
4. Click Apply.

Table 73 Configuration items
AP Name: AP name.
Model: AP model.
Serial ID:
  • Auto: If selected, the AC automatically searches for the AP serial ID. This function is used together
    with the auto AP function. For more information about configuring auto AP, see "Configuring auto AP."
  • Manual: If this mode is selected, you need to type an AP serial ID.
Configuring an AP
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the page for configuring an AP.
   Figure 194 AP setup
3. Configure the AP as described in Table 74.
4. Click Apply.

Table 74 Configuration items
AP Name: Display the name of the AP selected.
Country/Region code: By default, the country/region code of an AP depends on the AP model. If no
  country/region code is configured for an AP, the AP uses the global country/region code. If both the
  country/region code and the global country/region code are configured, the AP uses its own
  country/region code. For how to configure the global country/region code, see "Configuring advanced
  settings".
  Follow these guidelines when you configure a country/region code:
  • If the global country/region code you have configured conflicts with the country/region code
    supported by the AP, the connection between the AP and AC is terminated. To enable the AP to
    connect with the AC again, the administrator must configure a correct country/region code for the AP.
  • Configure a valid country/region code to meet the specific country regulations.
  IMPORTANT:
  Some ACs and fit APs use locked country/region codes, depending on the following scenarios:
  • An AC's locked global country/region code cannot be changed, and all managed fit APs whose
    country/region codes are not locked must use the AC's locked global country/region code.
  • A fit AP's locked country/region code cannot be changed, and the fit AP can only use that
    country/region code.
  • If an AC and a managed fit AP use different locked country/region codes, the fit AP uses its own
    locked country/region code.
  • If an AP model contains IL, the default country/region code of the AP is IL. You cannot modify it.
  • If an AP model contains JP, the default country/region code of the AP is JP. You cannot modify it.
  • If an AP model contains AM, no country/region code is configured for the AP by default. You can
    only configure a country/region code used in North America.
  • If an AP model contains WW, no country/region code is configured for the AP by default. You can
    only configure a country/region code other than IL, JP, and North America.
Radio Number: Select the number of the radios on the AP. The value depends on the AP model.
Radio Type: Select the radio type, which can be one of the following values: 802.11a, 802.11b, 802.11g,
  802.11n (2.4 GHz), or 802.11n (5 GHz). The value depends on the AP model and radio type.
Serial ID: Set a serial ID for the AP.
  • Auto: If selected, the AP serial ID is automatically found. This option is used together with the auto
    AP function. For more information about configuring auto AP, see "Configuring auto AP."
  • Manual: You need to enter an AP serial ID.
  IMPORTANT:
  The serial ID is the unique identity of the AP. If the AP has connected to the AC, changing or deleting
  its serial ID brings the tunnel down, and the AP needs to discover the AC to connect again.
Description: Description of the AP.

Configuring advanced settings
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP.
3. On the page that appears, expand Advanced Setup to enter the page for advanced AP setup.
   Figure 195 Advanced setup
4. Configure advanced settings for the AP as described in Table 75.
5. Click Apply.

Table 75 Configuration items
AP Connection Priority: AP connection priority. Specify the AP connection priority on the AC. For more
  information, see "AP connection priority configuration example." It can also be used together with the
  backup function. For more information, see "Configuring advanced settings."
Broadcast Probe:
  • Enable: Enable the AP to respond to broadcast probe requests. The AP will respond to broadcast
    probe requests with the SSID null.
  • Disable: Disable the AP from responding to broadcast probe requests. The AP will respond to
    broadcast probe requests with the specified SSID.
  By default, this option is enabled.
Configuration File: Specify a name for the configuration file in the storage media to map the specified
  configuration file to the AP.
  When local forwarding is enabled, you can use the configuration file to configure the AP. For example,
  when you configure a user profile while local forwarding is enabled, you must write the user profile,
  QoS policy, and ACL commands to the configuration file, and download the configuration file to the AP.
  IMPORTANT:
  The commands in the configuration file must be in their complete form.
Jumbo Frame Size: Set the maximum size of jumbo frames. When this function is enabled, the AC can
  send frames whose size does not exceed the maximum size to the AP. By default, the AC cannot send
  jumbo frames to the AP.
AP Echo Interval: Set the interval for sending echo requests. There is a keep-alive mechanism between
  AP and AC to confirm whether or not the tunnel is working. An AP periodically sends echo requests to
  an AC. The AC responds to echo requests by sending echo responses, which indicate that the tunnel
  is up.
Client Alive Time: Set the client keep-alive interval. The keep-alive mechanism is used to detect clients
  separated from the system for reasons such as power failure or crash, and to disconnect them from the
  AP. By default, the client keep-alive functionality is disabled.
Client Free Time: Maximum interval for which the link between the AP and a client can be idle. A
  connection that remains idle for the specified period of time is removed.
Backup AC IPv4 Address: Set the IPv4 address of the backup AC for the AP.
Backup AC IPv6 Address: Set the IPv6 address of the backup AC for the AP.
  If you configure the global backup AC information both in Advanced Setup > AC Backup and AP > AP
  Setup, the configuration in AP > AP Setup takes precedence. For more information about AC backup,
  see "Configuring advanced settings."
Band Navigation: Enable or disable band navigation. By default, band navigation is enabled.
LED Mode: Configure the LED flashing mode. All LEDs on the AP are steady on when an error occurs.
  • normal: Specifies the default LED mode, depending on the AP state.
  • quiet: Turns off all LEDs, including the power LED, Ethernet port LEDs, and radio LEDs, on the AP.
  • awake: Flashes the power LED every 1 minute and turns off the Ethernet port LEDs and radio LEDs.
  • always-on: Turns on all LEDs.
  IMPORTANT:
  The default LED mode, depending on the AP state:
  • The power LED flashes every 2 seconds: The AP is starting up.
  • The power LED flashes once per second: The AP is looking for an IP address, or building the list of
    VLANs on which to perform discovery. The management tool is available until discovery occurs.
  • The power, Ethernet, and radio LEDs flash in sequence from left to right: The AP has obtained an
    IP address and is attempting to discover a controller.
  • The power LED is on, and the Ethernet and radio LEDs flash alternately: The AP has found a
    controller and is attempting to establish a secure management tunnel with it.
  • The power and Ethernet LEDs flash alternately and quickly: The AP has received a discovery reply
    from two or more controllers with the same priority setting. It cannot connect reliably with either
    controller until the conflict is resolved.
  • The power and radio LEDs flash slowly: The AP is attempting to establish a local mesh link to a
    master node.
  • The power and Ethernet LEDs flash slowly: The AP is attempting to establish wired connectivity.
AP CAR: Select this box to configure CAR for the AP. By default, no CAR is set for an AP.
Remote AP:
  • Enable: Enable the remote AP function.
  • Disable: Disable the remote AP function.
  By default, the remote AP function is disabled.
  When this function is enabled, the AP automatically enables local forwarding (whether or not local
  forwarding is configured on the AC) to provide wireless access for logged-in clients when the tunnel
  between the AP and AC is terminated. However, it does not allow new clients. When a tunnel is
  established between the AP and AC again, the AP automatically switches to centralized forwarding
  mode and logs off all clients on the remote AP.
  IMPORTANT:
  If a tunnel has been established between the remote AP and AC, the remote AP uses the backup tunnel
  to provide wireless access for logged-in clients when the tunnel between the AP and AC is terminated.
  For more information about AC backup, see "Configuring advanced settings."
CIR: Committed information rate, in Kbps.
CBS: Committed burst size, in bits. By default, the CBS is the number of bytes transmitted in 500 ms at
  the rate of CIR. For example, if CIR is 100, CBS is 50000 bits (6250 bytes) by default.

Configuring auto AP
Enabling auto AP
1. Select AP > Auto AP from the navigation tree.
   Figure 196 Configuring auto AP
2. Enable auto AP as described in Table 76.

Table 76 Configuration items
Auto AP:
  • enable: Enable the auto AP function. You must also select Auto from the Serial ID list on the AP
    setup page to use the auto AP function.
  • disable: Disable the auto AP function.
  By default, the auto AP function is disabled.
  IMPORTANT:
  After using the auto AP function, HP recommends that you disable the auto AP function.

Renaming an AP
1. After enabling auto AP, click Refresh.
2. To modify the automatically found AP name, click the icon in the Operation column.
   Figure 197 Renaming an AP
3. On the page that appears, rename the AP as described in Table 77.
4. Click Apply.

Table 77 Configuration items
Old AP Name: Display the name of the automatically discovered AP.
AP Rename: Select the AP Rename check box, and type the new AP name.

For an example of configuring auto AP, see "Configuring access services."

Batch conversion
If you do not need to modify the automatically found AP names, you can select the AP Name box, and
then click Transmit All AP to complete auto AP setup.

Configuring an AP group
Creating an AP group
1. Select AP > AP Group from the navigation tree.
2. Click Add.
   Figure 198 Creating an AP group
3. Create the AP group as described in Table 78.

Table 78 Configuration items
AP Group ID: AP group ID. The value range varies with devices. For more information, see "About the
  HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module
  Web-Based Configuration Guide."

Configuring an AP group
1. Select AP > AP Group from the navigation tree.
2. Click the icon corresponding to the target AP group to enter the page for configuring an AP group.
   Figure 199 Configuring an AP group
3. Configure the AP group as described in Table 79.
4. Click Apply.

Table 79 Configuration items
AP Group ID: Display the ID of the selected AP group.
Description: Select this option to configure a description for the AP group.
Exist AP List: Set the APs in the configured AP group.
  • To add APs to the Selected AP List, click the APs to be added to the AP group, and click the >
    button in the AP List area.
  • To delete the selected APs from the AP group, select the APs to be deleted in the Selected AP List,
    and click the < button.
  The APs to be added to the AP group must first be created by selecting AP > AP Setup.

Applying the AP group
Select Authentication > Users from the navigation tree to apply the AP group. For the related
configuration, see "Managing users."

AP connection priority configuration example

Network requirements
Configure a higher AP connection priority on AC 1 to enable the AP to establish a connection with AC 1.
Figure 200 Network diagram (AC 1, AC 2, switch, AP, client)

Configuring AC 1
1. Configure AP-related information. For the detailed configuration, see "Configuring access services."
2. Configure an AP connection priority:
   a. Select AP > AP Setup from the navigation tree.
   b. Click the icon corresponding to the target AP to enter the AP setup page.
   c. Expand Advanced Setup to enter the page shown in Figure 201 and set the AP connection
      priority to 6.
   d. Click Apply.
   Figure 201 Configuring AP connection priority

Configuring AC 2
1. Configure AP-related information. For the detailed configuration, see "Configuring access services."
2. Configure AP connection priority: use the default AP connection priority on AC 2.

Verifying the configuration
A higher AP connection priority is configured on AC 1, so the AP establishes a connection with AC 1.

Configuring access services

Wireless Local Area Networks (WLAN) provide the following services:
• Connectivity to the Internet
• Secured WLAN access with different authentication and encryption methods
• Seamless roaming of WLAN clients in a mobility domain

Access service overview

Terminology
• Wireless client: A handheld computer or laptop with a wireless Network Interface Card (NIC) or a
  terminal supporting WiFi can be a WLAN client.
• Access point: An AP bridges frames between wireless and wired networks.
• Access controller: An AC can control and manage APs associated with it in a WLAN. The AC
  communicates with an authentication server for WLAN client authentication.
• Service set identifier: An SSID identifies a wireless network. A client scans all networks at first, and
  then selects a specific SSID to connect to a specific wireless network.

Client access
A client access process has three steps: active/passive scanning of surrounding wireless services,
authentication, and association, as shown in Figure 202.
Figure 202 Establishing a client access

Scanning
Wireless clients use active scanning and passive scanning to obtain information about surrounding
wireless networks.
1. Active scanning

   A wireless client periodically sends probe request frames and obtains wireless network
   information from received probe response frames. Active scanning includes the following modes:
   • Active scanning without an SSID: The client periodically sends a probe request frame without
     an SSID on each of its supported channels. APs that receive the probe request send a probe
     response, which includes the available wireless network information. The client associates with
     the AP with the strongest signal. This mode enables the client to find the optimal wireless
     network.
     Figure 203 Active scanning without an SSID (the client sends a probe request with no SSID; AP 1
     and AP 2, managed by AC 1 and AC 2, each return a probe response)
   • Active scanning with an SSID: If the wireless client is configured to access a wireless network
     or has associated with a wireless network, the client periodically sends a probe request that
     carries the SSID of that wireless network. When the target AP receives the probe request, it
     sends a probe response. This mode enables the client to access a specified wireless network.
     Figure 204 Active scanning with an SSID
2. Passive scanning
   A wireless client listens to the beacon frames periodically sent by APs to discover surrounding
   wireless networks. Passive scanning is used when a client wants to save battery power. Typically,
   VoIP clients adopt passive scanning.
   Figure 205 Passive scanning

Authentication
To secure wireless links, APs perform authentication on wireless clients. A wireless client must pass
authentication before it can access a wireless network. 802.11 defines two authentication methods: open
system authentication and shared key authentication.
• Open system authentication
  Open system authentication is the default authentication algorithm and is the simplest of the
  available authentication algorithms. It is a null authentication algorithm. Any client that requests
  authentication with this algorithm can become authenticated. Open system authentication is not
  required to be successful, because an AP may decline to authenticate the client. Open system
  authentication involves a two-step authentication process. In the first step, the wireless client sends
  a request for authentication. In the second step, the AP returns the result to the client.
  Figure 206 Open system authentication process (the client sends an authentication request to the
  AP, and the AP returns an authentication response)
• Shared key authentication
  Figure 207 shows a shared key authentication process. The two parties have the same shared key
  configured.
  a. The client sends an authentication request to the AP.
  b. The AP randomly generates a challenge and sends it to the client.
  c. The client uses the shared key to encrypt the challenge and sends it to the AP.
  d. The AP uses the shared key to encrypt the challenge and compares the result with the encrypted
     challenge received from the client. If they are identical, the client passes the authentication. If
     not, the authentication fails.
  Figure 207 Shared key authentication process
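The four-step exchange above, carried out in Python as an added example (not code from this guide or from HP). The rc4 keystream generator, the WEP-style IV || key seeding, and the AccessPoint and Client classes are this example's own constructions; the 128-byte challenge, 24-bit IV and 40-bit key follow WEP conventions. The comments note why the scheme is weak: the challenge and its encrypted form both cross the air in the clear, which is why shared key authentication is regarded as weaker than open system authentication combined with the stronger link encryption described under "WLAN data security".

```python
"""Shared key authentication exchange, modelled in Python (added example).

rc4(), wep_encrypt(), AccessPoint and Client are constructions for this
example; they are not HP code. The key length, IV length and 128-byte
challenge follow WEP conventions.
"""
import hmac
import os


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: RC4 seeded with IV || key, XORed over the data."""
    keystream = rc4(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


class AccessPoint:
    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key
        self.pending = {}   # client MAC -> outstanding challenge

    def authentication_request(self, client_mac: str) -> bytes:
        """Step b: answer a request with a fresh random 128-byte challenge."""
        challenge = os.urandom(128)
        self.pending[client_mac] = challenge
        return challenge

    def authentication_response(self, client_mac: str, iv: bytes,
                                encrypted: bytes) -> bool:
        """Step d: encrypt the stored challenge with the shared key and compare.

        The challenge is consumed, so a captured response cannot be replayed
        against a later authentication of the same client.
        """
        challenge = self.pending.pop(client_mac, None)
        if challenge is None:
            return False
        expected = wep_encrypt(iv, self.shared_key, challenge)
        return hmac.compare_digest(expected, encrypted)


class Client:
    def __init__(self, mac: str, shared_key: bytes):
        self.mac = mac
        self.shared_key = shared_key

    def respond(self, challenge: bytes):
        """Step c: pick a 24-bit IV and return (iv, encrypted challenge)."""
        iv = os.urandom(3)
        return iv, wep_encrypt(iv, self.shared_key, challenge)


def shared_key_authenticate(ap: AccessPoint, client: Client) -> bool:
    """Run steps a to d.

    Every value passed here (challenge, IV, encrypted challenge) travels over
    the air unencrypted; that exposure is the known weakness of the scheme.
    """
    challenge = ap.authentication_request(client.mac)            # steps a, b
    iv, encrypted = client.respond(challenge)                    # step c
    return ap.authentication_response(client.mac, iv, encrypted)  # step d


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    ap = AccessPoint(KEY)
    print(shared_key_authenticate(ap, Client("0009-5bcf-cce3", KEY)))           # True
    print(shared_key_authenticate(ap, Client("001a-9228-2d3e", b"\x0a" * 5)))   # False
```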

Association
To access a wireless network via an AP, a client must associate with that AP. After the client passes
authentication on the AP, the client sends an association request to the AP. The AP checks the capability
information in the association request to determine the capability supported by the wireless client, and
sends an association response to notify the client of the association result. A client can associate with only
one AP at a time, and an association process is always initiated by the client.

WLAN data security

Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN
devices share the same medium and every device can receive data from any other sending device. If no
security service is provided, plain-text data is transmitted over the WLAN.
To secure data transmission, 802.11 protocols provide encryption methods to make sure devices without
the right key cannot read encrypted data.
• Plain-text data.
  It is a WLAN service without security protection. No data packets are encrypted.
• WEP encryption.
  Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized
  users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream
  encryption algorithm) for confidentiality. WEP encryption is static or dynamic, depending on
  how a WEP key is generated.
  Static WEP encryption
  With static WEP encryption, all clients using the same SSID must use the same encryption key.
  If the encryption key is deciphered or lost, attackers can access all encrypted data. In addition,
  periodic manual key updates add to the management workload.
  Dynamic WEP encryption
  Dynamic WEP encryption is an improvement over static WEP encryption. With dynamic WEP
  encryption, WEP keys are negotiated between the client and server through the 802.1X
  protocol so that each client is assigned a different WEP key, which can be updated
  periodically to further improve unicast frame transmission security.
  Although WEP encryption increases the difficulty of network interception and session hijacking,
  it has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.
• TKIP encryption.
  Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP provides
  advantages over WEP, and provides more secure protection for WLAN, as follows:
  TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP
  encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24 bits
  to 48 bits.
  TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single
  static key with a base key generated by an authentication server. TKIP dynamic keys cannot be
  easily deciphered.
  TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the
  data may have been tampered with, and the system may be under attack. If two packets fail the MIC
  in a specific period, the AP automatically takes countermeasures. While it takes countermeasures, it
  does not provide services, so as to prevent attacks.
• CCMP encryption.
  CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM
  combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the
  integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The
  AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP
  contains a dynamic key negotiation and management method, so that each wireless client can
  dynamically negotiate a key suite, which can be updated periodically to further enhance the
  security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit
  packet number (PN) to ensure that each encrypted packet uses a different PN, which improves
  security.

Client access authentication

PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key
configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.

802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at
the port level. A device connected to an 802.1X-enabled port of a WLAN access control device
can access the resources on the WLAN only after passing authentication.
The administrators of access devices can select to use RADIUS or local authentication to cooperate
with 802.1X for authenticating users. For more information about remote/local 802.1X
authentication, see "Configuring 802.1X."

MAC authentication
MAC authentication provides a method to authenticate users based on ports and MAC addresses.
You can configure permitted MAC address lists to filter MAC addresses of clients. However, the
efficiency will be reduced when the number of clients increases. Therefore, MAC authentication is
applicable to environments without high security requirements, for example, SOHO and small
offices.
MAC authentication includes the following modes:
Local MAC authentication: When this authentication mode is used, you need to configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request is denied.

Figure 208 Local MAC authentication (figure: permitted MAC address list 0009-5bcf-cce3, 0011-9548-4007, 000f-e200-00a2; clients 0009-5bcf-cce3, 0011-9548-4007 and 001a-9228-2d3e; AC, L2 switch, AP)

Remote Authentication Dial-In User Service (RADIUS)-based MAC authentication: When RADIUS-based MAC authentication is used, if the device finds that the current client is an unknown client, it sends an unsolicited authentication request to the RADIUS server. After the client passes the authentication, the client can access the WLAN network with the corresponding authorization information.

Figure 209 Remote MAC authentication

When a RADIUS server is used for MAC authentication, you can specify a domain for each wireless service, and send MAC authentication information of different SSIDs to different remote RADIUS servers.

802.11n
As the next generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher throughput to customers by using the following methods:
1. Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other acting as the secondary channel. They can also work together as a 40-MHz channel, which provides a simple way to double the data rate.
2. Improving channel utilization:
802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple Message Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the transmission overhead and the number of ACK frames to be used, and improves network throughput.
Similar to MPDU aggregation, multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.
To improve physical layer performance, 802.11n introduces the short GI function, which shortens the guard interval (GI) of 800 us in 802.11a/g to 400 us. This can increase the data rate by 10 percent.

Configuring access service

Recommended configuration procedure

Step / Remarks:
1. Creating a WLAN service. Required.
2. Configuring wireless service. Required. Use either approach, and complete the security settings as needed:
Configuring clear-type wireless service
Configuring crypto-type wireless service
3. Enabling a wireless service. Required.
4. Binding an AP radio to a wireless service. Required.
5. Enabling a radio. Required.
6. Displaying detailed information about a wireless service. Optional.

Creating a WLAN service

1. Select Wireless Service > Access Service from the navigation tree.

Figure 210 Configuring access service

2. Click Add.

Figure 211 Creating a wireless service

3. Configure the wireless service as described in Table 80.
4. Click Apply.

Table 80 Configuration items

Wireless Service Name: Set the Service Set Identifier (SSID), a case-sensitive string of 1 to 32 characters, which can include letters, digits, underscores, and spaces. An SSID should be as unique as possible. For security, the company name should not be contained in the SSID. Meanwhile, HP recommends that you do not use a long random string as the SSID, because a long random string only adds payload to the header field, and does not improve wireless security.

Wireless Service Type: Select the wireless service type:
clear: The wireless service will not be encrypted.
crypto: The wireless service will be encrypted.

Configuring clear-type wireless service

Configuring basic settings for a clear-type wireless service

IMPORTANT:
Before configuring a clear-type wireless service, disable it first and then click the corresponding icon.

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear-type wireless service to enter the page for configuring the wireless service.

Figure 212 Configuring clear-type wireless service

3. Configure basic settings for the clear-type wireless service as described in Table 81.
4. Click Apply.

Table 81 Configuration items

Wireless Service: Displays the selected Service Set Identifier (SSID).

VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.

Default VLAN: Set the default VLAN of a port. By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.

Delete VLAN: Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.

SSID Hide:
Enable: Disables the advertisement of the SSID in beacon frames.
Disable: Enables the advertisement of the SSID in beacon frames.
By default, the SSID is advertised in beacon frames.
IMPORTANT:
If the advertising of the SSID in beacon frames is disabled, the SSID must be configured on the clients for them to associate with the AP.
Disabling the advertising of the SSID in beacon frames does not improve wireless security.
Enabling the advertising of the SSID in beacon frames allows a client to discover an AP more easily.

Configuring advanced settings for the clear-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear-type wireless service to enter the page for configuring advanced settings for a clear-type wireless service.

Figure 213 Configuring advanced settings for the clear-type wireless service

3. Configure advanced settings for the clear-type wireless service as described in Table 82.
4. Click Apply.

Table 82 Configuration items

Local Forwarding: Local forwarding enables an AP to forward data frames between clients. In a centralized WLAN architecture, an AP transparently transmits data frames to an AC for processing. As the number of clients increases, the forwarding load of the AC also increases. When local forwarding is enabled, the AP, and not the AC, forwards client data, which reduces the load of the AC.
Enable: If local forwarding is enabled, data frames from an associated station are forwarded by the AP.
Disable: If local forwarding is disabled, data frames from an associated station are handled by the AC.

Local Forwarding VLAN: Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.

Authentication Mode:
Central: The AC authenticates clients. In this authentication mode, the data forwarding mode is determined by the local forwarding settings.
Local: The AP authenticates clients. In this mode, the AP directly forwards data frames from clients.
Backup: When the AP-AC connection is working correctly, the AC authenticates clients. When the connection fails, the AP authenticates clients, and performs local forwarding. When the AP re-establishes a connection with the AC, the AP logs out all clients and the AC re-authenticates clients. The clients can associate with the AP only after they pass the authentication.
The clients use centralized authentication by default if they are not configured with local authentication.

Client Max Users: Maximum number of clients of an SSID to be associated with the same radio of the AP.
IMPORTANT:
When the number of clients of an SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

Management Right: Web interface management right of online clients.
Disable: Disables the web interface management right of online clients.
Enable: Enables the web interface management right of online clients.

MAC VLAN:
Enable: Enables the MAC VLAN feature for the wireless service.
Disable: Disables the MAC VLAN feature for the wireless service.
IMPORTANT:
Before binding an AP radio to a VLAN, enable the MAC VLAN feature first.

Fast Association:
Enable: Enables fast association.
Disable: Disables fast association.
By default, fast association is disabled. When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.

Unknown Client: Configure the AP to deauthenticate the clients or drop the packets when it receives packets from unknown clients.
deauthenticate: The AP sends deauthentication packets to unknown clients.
drop: The AP drops the packets sent by unknown clients.

Client Cache Aging-time: Aging time for the cache that saves the PMK and authorized VLAN information when a client logs off. If you configure the aging time as 0, the AP clears the cache after logging off the client, and the client cannot roam between APs.

Configuring security settings for a clear-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear-type wireless service to enter the page for configuring security settings for the clear-type wireless service.

Figure 214 Configuring security settings for the clear-type wireless service

3. Configure security settings for the clear-type wireless service as described in Table 83.
4. Click Apply.

Table 83 Configuration items

Authentication Type: For the clear-type wireless service, you can select Open-System only.

Port Mode:
mac-authentication: Perform MAC address authentication on users.
mac-else-userlogin-secure: This mode is the combination of the mac-authentication and userlogin-secure modes. MAC authentication has a higher priority than the userlogin-secure mode. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. When it receives an 802.1X frame, the port performs MAC authentication first, and performs 802.1X authentication if MAC authentication fails.
mac-else-userlogin-secure-ext: This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
userlogin-secure: In this mode, MAC-based 802.1X authentication is performed for users. Multiple 802.1X authenticated users can access the port, but only one user can be online.
userlogin-secure-or-mac: This mode is the combination of the userlogin-secure and mac-authentication modes. 802.1X authentication has a higher priority than MAC authentication. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
userlogin-secure-or-mac-ext: This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
userlogin-secure-ext: In this mode, a port performs 802.1X authentication on users in MAC-based mode and supports multiple 802.1X users.
TIP:
There are multiple security modes. The following rules explain the port security mode names:
userLogin indicates port-based 802.1X authentication.
mac indicates MAC address authentication.
The authentication mode before Else is used preferentially. If that authentication fails, the authentication mode after Else may be used, depending on the protocol type of the packets to be authenticated.
The authentication modes before Or and after Or have the same priority. The device determines the authentication mode according to the protocol type of the packets to be authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
userLogin together with Secure indicates MAC-based 802.1X authentication.
A security mode with Ext allows multiple 802.1X users to pass the authentication. A security mode without Ext allows only one 802.1X user to pass the authentication.

Max User: Maximum number of users that can be connected to the network through a specific port.
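The mode-name rules in the TIP above, modelled as a small decision routine. This is an added example, not code from the guide or the device: the mode names and their behaviour are Table 83's; the rule that 802.1X can only run on an 802.1X frame while MAC authentication runs on any frame, and the PortMode/Port names, are assumptions made to reproduce the table's descriptions.

```python
"""Port security mode rules from Table 83 as a decision function.

Added example, not code from the HP guide or the device firmware. The mode names
and rules are those of Table 83; the frame-type rule (802.1X runs only on an
802.1X frame, MAC authentication on any frame) is an assumption that reproduces
the table's descriptions of the Else and Or modes.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Method(Enum):
    MAC = "mac"            # MAC address authentication
    DOT1X = "userlogin"    # MAC-based 802.1X authentication (userLogin + Secure)


def _method(token: str) -> Method:
    if token in ("mac", "mac-authentication"):
        return Method.MAC
    if token == "userlogin-secure":
        return Method.DOT1X
    raise ValueError(f"unknown authentication token {token!r}")


@dataclass(frozen=True)
class PortMode:
    name: str
    first: Method                # method before Else, or first of an Or pair
    second: Optional[Method]     # method after Else or Or; None for single modes
    connector: Optional[str]     # "else", "or" or None
    ext: bool                    # Ext: several 802.1X users may be online

    @classmethod
    def parse(cls, name: str) -> "PortMode":
        """Split a mode name into its parts using the TIP's naming rules."""
        ext = name.endswith("-ext")
        base = name[:-4] if ext else name
        for conn in ("-else-", "-or-"):
            if conn in base:
                a, b = base.split(conn, 1)
                return cls(name, _method(a), _method(b), conn.strip("-"), ext)
        return cls(name, _method(base), None, None, ext)

    def order(self, dot1x_frame: bool) -> list:
        """Methods to try, in order, for one received frame."""
        if self.connector == "or":
            # Same priority; for wireless users 802.1X goes first (Table 83 TIP).
            candidates = [Method.DOT1X, Method.MAC]
        else:
            # Before-Else is preferred; after-Else only if the frame allows it.
            candidates = [self.first] + ([self.second] if self.second else [])
        # Assumption: 802.1X needs an 802.1X frame, MAC authentication does not.
        return [m for m in candidates if m is Method.MAC or dot1x_frame]


@dataclass
class Port:
    mode: PortMode
    max_users: int = 4                               # Max User row of Table 83
    online: dict = field(default_factory=dict)       # client MAC -> admitting method

    def admit(self, client: str, dot1x_frame: bool,
              mac_ok: bool, dot1x_ok: bool) -> tuple:
        """Decide whether a client is admitted, and by which method or why not."""
        if len(self.online) >= self.max_users:
            return False, "max-user limit reached"
        results = {Method.MAC: mac_ok, Method.DOT1X: dot1x_ok}
        tried = []
        for method in self.mode.order(dot1x_frame):
            tried.append(method.value)
            if not results[method]:
                continue
            # Without Ext only one 802.1X user may be online at a time.
            if method is Method.DOT1X and not self.mode.ext and any(
                    m is Method.DOT1X for m in self.online.values()):
                return False, "non-Ext mode: one 802.1X user already online"
            self.online[client] = method
            return True, method.value
        if not tried:
            return False, "no applicable method for this frame type"
        return False, "failed: " + ", ".join(tried)


if __name__ == "__main__":
    # Constructed walk-through of mac-else-userlogin-secure on two clients.
    port = Port(PortMode.parse("mac-else-userlogin-secure"))
    print(port.admit("00aa-bbcc-dd01", dot1x_frame=False, mac_ok=False, dot1x_ok=True))
    print(port.admit("00aa-bbcc-dd01", dot1x_frame=True, mac_ok=False, dot1x_ok=True))
    print(port.admit("00aa-bbcc-dd02", dot1x_frame=True, mac_ok=False, dot1x_ok=True))
```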

a. Configure mac-authentication:

Figure 215 Configuring mac-authentication port security

Table 84 Configuration items

Port Mode: mac-authentication: MAC-based authentication is performed on access users. Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User: Control the maximum number of users allowed to access the network through the port.

MAC Authentication: Select MAC Authentication.

Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

b. Configure userlogin-secure/userlogin-secure-ext

Figure 216 Configuring userlogin-secure/userlogin-secure-ext port security (userlogin-secure is taken as the example)

Table 85 Configuration items

Port Mode:
userlogin-secure: Perform MAC-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.
userlogin-secure-ext: Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

Max User: Control the maximum number of users allowed to access the network through the port.

Mandatory Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Authentication Method:
EAP: Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It is not required to repackage the EAP packets into standard RADIUS packets for authentication.
CHAP: Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in simple text and passwords in cipher text over the network. This method is safer than the other two methods.
PAP: Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.

Handshake:
Enable: Enables the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
Disable: Disables the online user handshake function.

Multicast Trigger:
Enable: Enables the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
Disable: Disables the 802.1X multicast trigger function.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

c. Configure the other four port security modes

Figure 217 Configuring port security for the other four security modes (mac-else-userlogin-secure is taken as the example)

Table 86 Configuration items

Port Mode:
mac-else-userlogin-secure: This mode is the combination of the mac-authentication and userlogin-secure modes. MAC authentication has a higher priority than the userlogin-secure mode. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. When it receives an 802.1X frame, the port performs MAC authentication and, if MAC authentication fails, performs 802.1X authentication.
mac-else-userlogin-secure-ext: This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
userlogin-secure-or-mac: This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
userlogin-secure-or-mac-ext: This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User: Control the maximum number of users allowed to access the network through the port.

Mandatory Domain: Select an existing domain from the list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication, authorization, and accounting. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

Authentication Method:
EAP: Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It is not required to repackage the EAP packets into standard RADIUS packets for authentication.
CHAP: Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in simple text and passwords in cipher text over the network. This method is safer than the other two methods.
PAP: Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.

Handshake:
Enable: Enables the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
Disable: Disables the online user handshake function.

Multicast Trigger:
Enable: Enables the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically to initiate authentication. By default, the multicast trigger function is enabled.
Disable: Disables the 802.1X multicast trigger function.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

MAC Authentication: Select MAC Authentication.

Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Configuring crypto-type wireless service

Configuring basic settings for a crypto-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto-type wireless service to enter the page for configuring the wireless service.

Figure 218 Configuring crypto-type wireless service

3. Configure basic settings for the crypto-type wireless service as described in Table 81.
4. Click Apply.

Configuring advanced settings for a crypto-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto-type wireless service to enter the page for configuring the wireless service.

Figure 219 Configuring advanced settings for the crypto-type wireless service

3. Configure advanced settings for the crypto-type wireless service as described in Table 87.
4. Click Apply.

Table 87 Configuration items

Local Forwarding: Local forwarding enables an AP to forward data frames between clients. In a centralized WLAN architecture, an AP transparently transmits data frames to an AC for processing. As the number of clients increases, the forwarding load of the AC also increases. When local forwarding is enabled, the AP, and not the AC, forwards client data, which reduces the load of the AC.
Enable: If local forwarding is enabled, data frames from an associated station are forwarded by the AP.
Disable: If local forwarding is disabled, data frames from an associated station are handled by the AC.

Local Forwarding VLAN: Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.

Authentication Mode:
Central: The AC authenticates clients. In this authentication mode, the data forwarding mode is determined by the local forwarding settings.
Local: The AP authenticates clients. In this mode, the AP directly forwards data frames from clients.
Backup: When the AP-AC connection is normal, the AC authenticates clients. When the connection fails, the AP authenticates clients, and performs local forwarding. When the AP re-establishes a connection with the AC, the AP logs out all clients and the AC re-authenticates clients. The clients can associate with the AP only after they pass the authentication.
The clients use centralized authentication by default if they are not configured with local authentication.

Client Max Users: Maximum number of clients of an SSID to be associated with the same radio of the AP.
IMPORTANT:
When the number of clients of an SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

PTK Life Time: Set the pairwise transient key (PTK) lifetime. A PTK is generated through a four-way handshake.

TKIP CM Time: Set the TKIP countermeasure time. By default, the TKIP countermeasure time is 0 seconds and the TKIP countermeasure policy is disabled.
Message integrity check (MIC) is designed to prevent tampering by attackers. It uses the Michael algorithm and is very secure. When MIC failures occur, the data may have been tampered with, and the system may be under attack. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, the TKIP associations are disassociated and no new associations are allowed within the TKIP countermeasure time.

Management Right: Web interface management right of online clients.
Disable: Disables the web interface management right of online clients.
Enable: Enables the web interface management right of online clients.

MAC VLAN:
Enable: Enables the MAC VLAN feature for the wireless service.
Disable: Disables the MAC VLAN feature for the wireless service.
IMPORTANT:
Before you bind an AP radio to a VLAN, enable the MAC VLAN feature first.

Fast Association:
Enable: Enables fast association.
Disable: Disables fast association.
By default, fast association is disabled. When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.

Unknown Client: Configure the AP to deauthenticate the clients or drop the packets when it receives packets from unknown clients.
deauthenticate: The AP sends deauthentication packets to unknown clients.
drop: The AP drops the packets sent by unknown clients.

Client Cache Aging-time: Aging time for the cache that saves the PMK and authorized VLAN information when a client logs off. If you configure the aging time as 0, the AP clears the cache after logging off the client, and the client cannot roam between APs.

GTK Rekey Method: An AC generates a group transient key (GTK) and sends the GTK to a client during the authentication process between an AP and the client, through the group key handshake or the 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets.
If Time is selected, the GTK is refreshed after a specified period of time.
If Packet is selected, the GTK is refreshed after a specified number of packets are transmitted.
By default, the GTK rekeying method is time-based, and the interval is 86400 seconds.

GTK User Down Status: Enable refreshing the GTK when a client goes offline. By default, the GTK is not refreshed when a client goes offline.
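The TKIP CM Time behaviour described for Table 87, as an added simulation that is not HP's implementation. The guide gives the trigger once as two MIC failures in a period and once as more than two within the specified time, so the trigger count is a parameter; the 60-second counting window and the default of 2 failures are the IEEE 802.11i values and are assumptions about the device, as are the class and method names.

```python
"""Timer model for the TKIP CM Time setting in Table 87.

Added example, not the HP implementation. The trigger count is a parameter
because the guide gives it as two MIC failures in one place and more than two
in another; the 60-second window and the 2-failure default are the IEEE 802.11i
values and are assumptions about the device. cm_time=0 disables the policy, as
the table states.
"""
from collections import deque


class TkipCountermeasures:
    def __init__(self, cm_time: float, window: float = 60.0, trigger: int = 2):
        self.cm_time = cm_time        # countermeasure duration in seconds; 0 = disabled
        self.window = window          # period in which MIC failures are counted
        self.trigger = trigger        # failures inside the window that start countermeasures
        self.failures = deque()       # timestamps of MIC failures still inside the window
        self.blocked_until = None     # end of the current countermeasure period
        self.associations = set()     # TKIP clients currently associated
        self.events = []              # audit trail built by the simulation

    def active(self, now: float) -> bool:
        """True while countermeasures are in force."""
        return self.blocked_until is not None and now < self.blocked_until

    def associate(self, client: str, now: float) -> bool:
        """New TKIP associations are refused while countermeasures are active."""
        if self.active(now):
            self.events.append(f"{now:.0f}s deny association {client}: countermeasures active")
            return False
        self.associations.add(client)
        self.events.append(f"{now:.0f}s associate {client}")
        return True

    def mic_failure(self, client: str, now: float) -> bool:
        """Record a MIC failure; return True if it started countermeasures."""
        if self.cm_time <= 0:
            self.events.append(f"{now:.0f}s MIC failure from {client} (policy disabled)")
            return False
        self.failures.append(now)
        # Drop failures that have fallen out of the counting window.
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()
        self.events.append(f"{now:.0f}s MIC failure from {client} "
                           f"({len(self.failures)} in window)")
        if len(self.failures) < self.trigger:
            return False
        # Disassociate every TKIP client and block new associations for cm_time.
        self.blocked_until = now + self.cm_time
        self.events.append(f"{now:.0f}s countermeasures: disassociate "
                           f"{sorted(self.associations)} for {self.cm_time:.0f}s")
        self.associations.clear()
        self.failures.clear()
        return True


def simulate(cm_time: float = 60.0) -> list:
    """Constructed scenario: two clients, two MIC failures 20 s apart, then re-association."""
    cm = TkipCountermeasures(cm_time)
    cm.associate("sta-a", 0)
    cm.associate("sta-b", 0)
    cm.mic_failure("sta-a", 10)
    cm.mic_failure("sta-b", 30)     # second failure inside the window: countermeasures start
    cm.associate("sta-c", 50)       # refused, still inside the countermeasure period
    cm.associate("sta-c", 95)       # accepted once the period has elapsed
    return cm.events


if __name__ == "__main__":
    for line in simulate():
        print(line)
```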

Configuring security settings for a crypto-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto-type wireless service to enter the page for configuring the crypto-type wireless service.

Figure 220 Configuring security settings for the crypto-type wireless service

3. Configure security settings for the crypto-type wireless service as described in Table 88.
4. Click Apply.

Table 88 Configuration items

Authentication Type:
Open-System: No authentication. With this authentication mode enabled, all clients pass the authentication.
Shared-Key: The two parties need to have the same shared key configured for this authentication mode. You can select this option only when WEP encryption mode is used.
Open-System and Shared-Key: Indicates that you can select both open-system and shared-key authentication.
IMPORTANT:
WEP encryption can be used together with open system and shared-key authentication.
Open system authentication: When this authentication mode is used, a WEP key is used for encryption only. If the two parties do not use the same key, a wireless link can still be established, but all data will be discarded.
Shared-key authentication: When this authentication mode is used, a WEP key is used for both authentication and encryption. If the two parties do not use the same key, the client cannot pass the authentication, and cannot access the wireless network.

Cipher Suite: Encryption mechanisms supported by the wireless service:
AES-CCMP: Encryption mechanism based on the AES encryption algorithm.
TKIP: Encryption mechanism based on the RC4 algorithm and dynamic key management. When a client that uses TKIP wants to associate with an AP supporting 802.11n, the client cannot operate in 802.11n mode.
AES-CCMP and TKIP: Indicates that you can select both CCMP and TKIP encryption.

Security IE: Wireless service type (IE information carried in the beacon or probe response frame):
WPA: Wi-Fi Protected Access.
RSN: An RSN is a security network that allows only the creation of robust security network associations (RSNAs). It provides greater protection than WEP and WPA.
WPA and RSN: Indicates that you can select both WPA and RSN.

Encryption

Provide Key Automatically:
Enable: A WEP key is dynamically assigned.
Disable: A static WEP key is used.
By default, a static WEP key is used. When you enable this function, the WEP option is automatically set to wep104.
IMPORTANT:
This function must be used together with 802.1X authentication.
When dynamic WEP encryption is configured, the WEP key used to encrypt unicast frames is negotiated between client and server. If the WEP default key is configured, the WEP default key is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.

WEP:
wep40: Indicates the WEP40 key option.
wep104: Indicates the WEP104 key option.
wep128: Indicates the WEP128 key option.

Key ID:
1: Key index 1.
2: Key index 2.
3: Key index 3.
4: Key index 4.
There are four static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index is used for encrypting and decrypting broadcast and multicast frames.

Key Length:
For wep40, the key is a string of five alphanumeric characters or a 10-digit hexadecimal number.
For wep104, the key is a string of 13 alphanumeric characters or a 26-digit hexadecimal number.
For wep128, the key is a string of 16 alphanumeric characters or a 32-digit hexadecimal number.

WEP Key: Configure the WEP key.

Port Security: See Table 83. Parameters such as authentication type and encryption type determine the port mode. For more information, see Table 91. After you select the Cipher Suite option, the following port security modes are added:
mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the preconfigured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
psk: An access user must use the pre-shared key (PSK) that is preconfigured to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
userlogin-secure-ext: Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

a. Configure mac and psk

Figure 221 Configuring mac and psk port security

Table 89 Configuration items

Port Mode: mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user is required to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds. Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User: Control the maximum number of users allowed to access the network through the port.

MAC Authentication: Select MAC Authentication.

Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Pre-shared Key:
pass-phrase: Enter a PSK in the form of a character string. You must enter a string that can be displayed and consists of 8 to 63 characters.
raw-key: Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.

b. Configure psk

Figure 222 Configuring psk port security

Table 90 Configuration items

Port Mode: psk. An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

Max User: Control the maximum number of users allowed to access the network through the port.

Pre-shared Key:
pass-phrase: Enter a PSK in the form of a character string. The string must consist of 8 to 63 displayable characters.
raw-key: Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-digit hexadecimal number (a 256-bit key).

c. Configure userlogin-secure-ext:
Perform the configurations shown in Configure userlogin-secure/userlogin-secure-ext.
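The key-length rules in the Key Length item and the two Pre-shared Key forms in Tables 89 and 90 are easy to get wrong when a script pushes wireless service settings to the AC. The following added example, which is not part of this guide or of the HP software, checks a candidate key against those rules before it is submitted. The WEP cipher names and the pass-phrase and raw-key forms are the page's; the function names, the assumption that "displayable" means printable ASCII, and the sample keys are the example's own. WEP (any length) and TKIP are cryptographically broken and appear here only because the page documents them; in a new deployment use AES-CCMP with a long pass-phrase or a raw key.

```python
import re

# Accepted WEP key forms from the Key Length item above:
# cipher -> (alphanumeric length, hexadecimal-digit length).
WEP_KEY_FORMS = {
    "wep40": (5, 10),
    "wep104": (13, 26),
    "wep128": (16, 32),
}

PSK_PASSPHRASE_MIN, PSK_PASSPHRASE_MAX = 8, 63   # displayable characters
PSK_RAW_KEY_HEX_DIGITS = 64                      # 256-bit key written in hex


def classify_wep_key(cipher: str, key: str):
    """Return 'ascii' or 'hex' if key is a valid WEP key for cipher, else None.

    The two forms never collide because the ASCII and hex lengths differ for
    every cipher, so the length alone selects the form.
    """
    if cipher not in WEP_KEY_FORMS:
        raise ValueError(f"unknown WEP cipher: {cipher}")
    ascii_len, hex_len = WEP_KEY_FORMS[cipher]
    if len(key) == hex_len and re.fullmatch(r"[0-9A-Fa-f]+", key):
        return "hex"
    if len(key) == ascii_len and re.fullmatch(r"[0-9A-Za-z]+", key):
        return "ascii"
    return None


def check_wep_key_index(index: int) -> bool:
    """There are four static keys; the key index must be 1, 2, 3 or 4."""
    return index in (1, 2, 3, 4)


def classify_psk(form: str, key: str):
    """Return the PSK form ('pass-phrase' or 'raw-key') if key is valid for it, else None."""
    if form == "pass-phrase":
        # 8 to 63 characters that "can be displayed". Printable ASCII is an
        # assumption; the page does not define the character set.
        if PSK_PASSPHRASE_MIN <= len(key) <= PSK_PASSPHRASE_MAX and re.fullmatch(r"[\x20-\x7e]+", key):
            return "pass-phrase"
        return None
    if form == "raw-key":
        # A raw key is the 256-bit key itself, written as 64 hexadecimal digits.
        if re.fullmatch(r"[0-9A-Fa-f]{%d}" % PSK_RAW_KEY_HEX_DIGITS, key):
            return "raw-key"
        return None
    raise ValueError(f"unknown PSK form: {form}")


def psk_strength_warning(form: str, key: str):
    """Flag pass-phrases that satisfy the length rule but are trivial to guess.

    The field accepts an 8-digit numeric pass-phrase such as the 12345678 used
    later in this chapter; an all-digit 8-character key has only 10**8
    candidates, well within reach of an offline guess against a captured handshake.
    """
    if form != "pass-phrase":
        return None
    if key.isdigit():
        return "numeric-only pass-phrase"
    if len(set(key)) <= 2:
        return "pass-phrase uses too few distinct characters"
    return None
```

Run classify_wep_key or classify_psk on each key before it goes into the web form; a None result means the AC would reject the value (wrong length or wrong alphabet for the selected form), and a non-None psk_strength_warning means the AC would accept it but it should not be used.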

Security parameter dependencies

For a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are shown in Table 91.

Table 91 Security parameter dependencies

Service type | Authentication mode        | Encryption type | Security IE | WEP encryption/key ID                                       | Port mode
Clear        | Open-System                | Unavailable     | Unavailable | Unavailable                                                 | mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext
Crypto       | Open-System                | Selected        | Required    | WEP encryption is available; the key ID can be 2, 3, or 4   | mac and psk, psk, userlogin-secure-ext
Crypto       | Open-System                | Unselected      | Unavailable | WEP encryption is required; the key ID can be 1, 2, or 3    | mac-authentication, userlogin-secure, userlogin-secure-ext
Crypto       | Shared-Key                 | Unavailable     | Unavailable | WEP encryption is required; the key ID can be 1, 2, 3, or 4 | mac-authentication
Crypto       | Open-System and Shared-Key | Selected        | Required    | WEP encryption is required; the key ID can be 1, 2, 3, or 4 | mac and psk, psk, userlogin-secure-ext
Crypto       | Open-System and Shared-Key | Unselected      | Unavailable | WEP encryption is required; the key ID can be 1, 2, 3, or 4 | mac-authentication, userlogin-secure, userlogin-secure-ext

Enabling a wireless service

1. Select Wireless Service > Access Service from the navigation tree.

Figure 223 Enabling a wireless service

2. Select the wireless service to be enabled.
3. Click Enable.

Binding an AP radio to a wireless service

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the page for binding an AP radio to a wireless service.

Figure 224 Binding an AP radio to a wireless service

3. Select the AP radio to be bound.
4. Click Bind.
A configuration progress dialog box appears.
5. After the configuration process is complete, click Close.

Binding an AP radio to a VLAN

Traffic of different services is identified by SSIDs. Locations are identified by APs. Users at different locations access different services. For a user roaming between different APs, you can provide services for the user based on its access AP. The detailed requirements are as follows:
Users with the same SSID but accessing through different APs can be assigned to different VLANs based on their configurations.
A roaming user always belongs to the same VLAN.
For a user roaming between ACs, if the local AC does not have a VLAN-interface for the user's VLAN, the user's packets must be forwarded through an HA in the AC group to avoid packet loss.

Figure 225 Schematic diagram for WLAN support for AP-based access VLAN recognition
(Figure elements: a RADIUS server; AC 1 acting as HA and AC 2 acting as FA, connected by an IACTP tunnel; AP 1 through AP 4; VLAN 2 and VLAN 3; Client 1 shown under intra-AC roaming and inter-AC roaming; Client 2.)

As shown in Figure 225, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1 roams within an AC or between ACs, Client 1 always belongs to VLAN 3. When Client 1 roams between ACs, if the FA (AC 2) has VLAN-interface 3, AC 2 forwards packets from Client 1. Otherwise, packets from Client 1 are sent to the HA (AC 1) through the data tunnel, and the HA forwards them. Client 2 goes online through AP 4 and belongs to VLAN 2. A client going online through a different AP is assigned to a different VLAN.

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the AP radio setup page, as shown in Figure 224.
3. Select the box corresponding to the AP radio to be bound.
4. Enter the VLAN to be bound in the Binding VLAN field.
5. Click Bind.

Enabling a radio

1. Select Radio > Radio from the navigation tree.

Figure 226 Enabling 802.11n radio

2. Select the box of the target radio.
3. Click Enable.
A configuration progress dialog box appears.
4. After the configuration process is complete, click Close.

Displaying detailed information about a wireless service

Displaying detailed information about a clear-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the specified clear-type wireless service to see its detailed information.

Figure 227 Displaying detailed information about a clear-type wireless service

Table 92 Field description

Service Template Number: Current service template number.
SSID: Service set identifier.
Binding Interface: Name of the WLAN-ESS interface bound with the service template.
Service Template Type: Service template type.
Authentication Method: Type of authentication used. A clear-type wireless service can use only Open System authentication.
SSID-hide:
Disable: SSID advertisement is enabled.
Enable: SSID advertisement is disabled, and the AP does not advertise the SSID in the beacon frames.
Bridge Mode: Forwarding mode:
Local Forwarding: Use the local forwarding mode.
Remote Forwarding: Use the remote forwarding mode, and use the AC to forward data.
Service Template Status: Service template status, which can be:
Enable: The wireless service is enabled.
Disable: The wireless service is disabled.
Maximum clients per BSS: Maximum number of associated clients per BSS.

Displaying the detailed information about a crypto-type wireless service

1. Select Wireless Service > Access Service from the navigation tree.
2. Click a crypto-type wireless service to see its detailed information.

Figure 228 Displaying the detailed information about a crypto-type wireless service

Table 93 Field description

Service Template Number: Current service template number.
SSID: Service set identifier.
Binding Interface: Name of the WLAN-ESS interface bound with the service template.
Service Template Type: Service template type.
Security IE: Security IE: WPA or WPA2.
Authentication Method: Type of authentication used: Open System or Shared Key.
SSID-hide:
Disable: SSID advertisement is enabled.
Enable: SSID advertisement is disabled, and the AP does not advertise the SSID in the beacon frames.
Cipher Suite: Cipher suite: CCMP, TKIP, or WEP40/WEP104/WEP128.
WEP Key Index: WEP key index used for encrypting and decrypting frames.
WEP Key Mode: WEP key mode:
HEX: WEP key in hexadecimal format.
ASCII: WEP key as a character string.
WEP Key: WEP key.
TKIP Countermeasure Time(s): TKIP MIC failure holdtime, in seconds.
PTK Life Time(s): PTK lifetime in seconds.
GTK Rekey: Whether GTK rekey is configured.
GTK Rekey Method: GTK rekey method configured:
Time-based, which displays the GTK rekey time in seconds.
Packet-based, which displays the number of packets.
GTK Rekey Time(s): Time for GTK rekey in seconds.
Bridge Mode: Forwarding mode:
Local Forwarding: Use the local forwarding mode.
Remote Forwarding: Use the remote forwarding mode, and use the AC to forward data.
Service Template Status: Service template status:
Enable: The wireless service is enabled.
Disable: The wireless service is disabled.
Maximum clients per BSS: Maximum number of associated clients per BSS.

Wireless service configuration example

Network requirements
As shown in Figure 229, an AP is required to enable employees to access the internal resources at any time. More specifically:
The AC and the AP (serial ID 210235A29G007C000020) are connected through a Layer 2 switch.
The AP provides a clear-type wireless access service with SSID service1.
802.11n (2.4GHz) radio mode is adopted.

Figure 229 Network diagram

Configuration guidelines
Select a correct district code.

Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select the serial ID Manual, and enter the serial ID of the AP.
d. Click Apply.

Figure 230 Creating an AP

2. Configure a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to service1 and select the wireless service type clear.
d. Click Apply.

Figure 231 Creating a wireless service

3. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the service1 box and click Enable.

Figure 232 Enabling wireless service

4. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service service1.
c. On the page that appears, select the box before ap with radio type 802.11n(2.4GHz).
d. Click Bind.

Figure 233 Binding an AP radio

5. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the box before ap with the radio mode 802.11n(2.4GHz).
c. Click Enable.

Figure 234 Enabling 802.11n(2.4GHz) radio

Verifying the configuration
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.

Figure 235 Viewing the online clients

Auto AP configuration example

Network requirements
As shown in Figure 236, enable the auto-AP function so that APs automatically connect to the AC.
The AP provides a clear-type wireless service with the SSID service1.
802.11n(2.4GHz) radio mode is adopted.

Figure 236 Network diagram

Configuration guidelines
Follow these guidelines when you configure an auto AP:
Select a correct district code.
Select the renamed AP (ap1 in the example) rather than the auto AP (ap in the example) when enabling the radio. If you enable the radio of the automatically found AP, the radios of all the automatically found APs are enabled.

Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select the serial ID Auto, and click Apply.

Figure 237 Creating an AP

2. Configure a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to service1, select the wireless service type clear, and click Apply.

Figure 238 Creating a wireless service

3. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the service1 box.
c. Click Enable.

Figure 239 Enabling the wireless service

4. Bind an AP to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service service1.
c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz), and click Bind.

Figure 240 Binding an AP

d. To view the AP status, select AP > AP Setup from the navigation tree. The AP is in IDLE state.

Figure 241 AP status before auto AP is enabled

5. Enable auto AP:
a. Select AP > Auto AP from the navigation tree.
b. Select enable.
c. Click Apply.

Figure 242 Configuring auto AP

d. To view the automatically found AP (ap_0001), click Refresh.

Figure 243 Viewing the automatically found AP

6. Rename the automatically found AP:
If you do not need to rename the automatically found AP, select the ap_0001 box, and then click Transmit All AP.
To rename the automatically found AP:
a. Select AP > Auto AP from the navigation tree.
b. Click the icon of the target AP.
c. On the page that appears, select AP Rename and enter ap1.
d. Click Apply.

Figure 244 Modifying the AP name

e. To view the renamed AP, select AP > AP Setup from the navigation tree.

Figure 245 Displaying AP

7. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the box of the target AP (the renamed AP, ap1).
c. Click Enable.

Verifying the configuration
You can see that the AP is in the Run state on the page you enter by selecting AP > AP Setup from the navigation tree.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.

Figure 246 Viewing the online clients

802.11n configuration example

Network requirements
As shown in Figure 247, deploy an 802.11n network to provide high-bandwidth access for multimedia applications.
The AP provides a clear-type wireless service with SSID 11nservice.
802.11gn is used to work with the existing 802.11g network and protect the current investment.

Figure 247 Network diagram

Configuration guidelines
Follow these guidelines when you configure 802.11n:
Select Radio > Radio from the navigation tree, select the AP to be configured, and click the icon to enter the page for configuring a radio. Then you can modify the 802.11n parameters, including bandwidth mode, A-MPDU, A-MSDU, short GI and whether 802.11n clients are allowed.
Select Radio > Rate from the navigation tree to set 802.11n rates.

Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to 11nap, select the AP model MSM460-WW, select the serial ID Manual, enter the serial ID of the AP, and click Apply.

2. Create a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to 11nservice, select the wireless service type clear, and click Apply.

3. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the 11nservice box.
c. Click Enable.

4. Bind an AP radio:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the target wireless service.
c. Select the 11nap box.
d. Click Bind.

5. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the 11nap box with the radio mode 802.11n(2.4GHz).
c. Click Enable.

Verifying the configuration
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.

Figure 248 Viewing the online clients

In this example, 0014-6c8a-43ff is an 802.11g user, and 001c-f0bf-9c92 is an 802.11n user. Both users can access the WLAN network because there is no limit on the user type. If you enable client 802.11n only, only 001c-f0bf-9c92 can access the WLAN network.

WPA-PSK authentication configuration example

Network requirements
As shown in Figure 249, connect the client to the wireless network through WPA-PSK authentication. The PSK configured on the client is the same as the PSK configured on the AC: 12345678.

Figure 249 Network diagram

Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select the serial ID Manual, enter the AP serial ID, and click Apply.

Figure 250 Creating an AP

2. Create a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to psk, select the wireless service type crypto, and click Apply.

Figure 251 Creating a wireless service

3. Configure the wireless service:
After you create a wireless service, you enter the wireless service configuration page.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Cipher Suite box, select AES-CCMP and TKIP (select an encryption type as needed), and then select WPA from the Security IE list.
c. Select the Port Set box, and select psk from the Port Mode list.
d. Select pass-phrase from the Pre-shared Key list, and enter the key 12345678.
e. Click Apply.

Figure 252 Configuring security settings

4. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the psk box.
c. Click Enable.

Figure 253 Enabling wireless service

5. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service psk.
c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

Figure 254 Binding an AP radio

6. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the ap box before 802.11n(2.4GHz).
c. Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

Figure 255 Enabling 802.11n(2.4GHz) radio

Configuring the client
1. Launch the client, and refresh the network list.
2. Select the configured service in Choose a wireless network (psk in this example).
3. Click Connect.
4. In the popup dialog box, enter the key (12345678 in this example), and then click Connect.

Figure 256 Configuring the client

The client has the same pre-shared key as the AP, so the client can associate with the AP.

Figure 257 The client is associated with the AP

Verifying the configuration
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
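The pass-phrase 12345678 is typed on both sides, but what the client and the AC actually share is a 256-bit pairwise master key derived from the pass-phrase and the SSID. The following added example, which is not from this guide or from the HP software, performs that derivation with the PBKDF2-HMAC-SHA1 mapping that WPA/WPA2-Personal specifies, shows that the result is exactly what the raw-key form of the Pre-shared Key field takes, and shows why an eight-digit pass-phrase is weak: anyone who knows the SSID can derive keys for candidate pass-phrases offline and compare them against a captured handshake. The SSID psk and the pass-phrase 12345678 are from the page; the IEEE 802.11 test vector used in the check and the candidate list are the example's own and are labelled in the code.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # WPA/WPA2-Personal: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt
PMK_LEN = 32               # 256-bit pairwise master key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Map a pass-phrase and SSID to the 256-bit PMK (IEEE 802.11 pass-phrase-to-PSK mapping)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass-phrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def raw_key(passphrase: str, ssid: str) -> str:
    """The 64-hex-digit form that the raw-key option of the Pre-shared Key field accepts."""
    return derive_pmk(passphrase, ssid).hex()


def pmk_matches(pmk: bytes, passphrase: str, ssid: str) -> bool:
    """Constant-time comparison of a known PMK against the one a pass-phrase yields."""
    return hmac.compare_digest(pmk, derive_pmk(passphrase, ssid))


def guess_passphrase(ssid: str, pmk: bytes, candidates):
    """Offline guess: derive the PMK for each candidate and compare.

    This is the same work an attacker does against a captured 4-way handshake;
    the SSID is broadcast, so only the candidate list limits the attack. Each
    guess costs 4096 HMAC-SHA1 rounds, which is why a short numeric
    pass-phrase such as 12345678 is not a meaningful secret.
    """
    for cand in candidates:
        if 8 <= len(cand) <= 63 and pmk_matches(pmk, cand, ssid):
            return cand
    return None


# Constructed candidate list standing in for a wordlist; a real one is far larger.
SAMPLE_CANDIDATES = ["password", "qwertyui", "11111111", "12345678", "letmein1"]

if __name__ == "__main__":
    pmk = derive_pmk("12345678", "psk")
    print("raw-key for pass-phrase 12345678 on SSID psk:", pmk.hex())
    print("recovered pass-phrase:", guess_passphrase("psk", pmk, SAMPLE_CANDIDATES))
```

Because the SSID is the salt, the same pass-phrase gives a different PMK on every SSID; entering the raw key directly (64 hex digits) skips the derivation and lets you use a full-entropy key that no wordlist will contain.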

Local MAC authentication configuration example

Network requirements
The AC is connected to the AP through a Layer 2 switch, and they are in the same network. Perform local MAC authentication on the client.

Figure 258 Network diagram

Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select the serial ID Manual, enter the AP serial ID, and click Apply.

Figure 259 Creating an AP

2. Create a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to mac-auth, select the wireless service type clear, and click Apply.

Figure 260 Creating a wireless service

3. Configure the wireless service:
After you have created a wireless service, you enter the wireless service configuration page.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Port Set box, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication box, and select system from the Domain list.
To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a domain name in the Domain Name field.
d. Click Apply.

Figure 261 Configuring security settings

4. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the mac-auth box.
c. Click Enable.

Figure 262 Enabling wireless service

5. Configure a MAC authentication list:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click MAC Authentication List.
c. On the page that appears, add a local user in the MAC Address field. 0014-6c8a-43ff is used in this example.
d. Click Add.

Figure 263 Adding a MAC authentication list

6. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service mac-auth.
c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

Figure 264 Binding an AP radio

7. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the ap 802.11n(2.4GHz) box of the target AP.
c. Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

Figure 265 Enabling 802.11n(2.4GHz) radio

Configuring the client
1. Launch the client, and refresh the network list.
2. Select the configured service in Choose a wireless network (mac-auth in this example).
3. Click Connect.
If the MAC address of the client is in the MAC authentication list, the client passes MAC authentication and can access the wireless network.

Figure 266 Configuring the client

Verifying the configuration
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page you enter by selecting Summary > Client.

Remote MAC authentication configuration example

Network requirements
As shown in Figure 267, perform remote MAC authentication on the client.
Use the intelligent management center (IMC) as the RADIUS server for authentication, authorization, and accounting (AAA). On the RADIUS server, configure the client's username and password as the MAC address of the client and the shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
The IP address of the AC is 10.18.1.1. On the AC, configure the shared key for communication with the RADIUS server as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server.

Figure 267 Network diagram

Configuring the AC
1. Assign an IP address to the AC:
a. Select Network > VLAN to create a VLAN on the AC.
b. Select Device > Interface Management to assign an IP address to the VLAN interface.

2. Configure a RADIUS scheme:
a. Select Authentication > RADIUS from the navigation tree.
b. Click Add.
c. On the page that appears, add two servers in the RADIUS Server Configuration area, and specify the key expert.
d. Enter mac-auth in the Scheme Name field.
e. Select Extended as the server type.
f. Select Without domain name from the Username Format list.
g. Click Apply.

Figure 268 Configuring RADIUS

3. Configure AAA:
a. From the navigation tree, select Authentication > AAA.
b. Optional: On the Domain Setup tab, create a new ISP domain.
This example uses the default domain system.
c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme mac-auth from the Name list, and click Apply.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

Figure 269 Configuring the AAA authentication method for the ISP domain

e. On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme mac-auth from the Name list, and click Apply.
A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.

Figure 270 Configuring the AAA authorization method for the ISP domain

4. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select the serial ID Manual, enter the AP serial ID, and click Apply.

Figure 271 Configuring an AP

5. Configure a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the wireless service name to mac-auth, select the wireless service type clear, and click Apply.

Figure 272 Creating a wireless service

6. Configure MAC authentication:
After you create a wireless service, the wireless service configuration page appears.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Port Set box, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication box, and select system from the Domain list.
d. Click Apply.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.

Figure 273 Configuring security settings

7. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the mac-auth box.
c. Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

Figure 274 Enabling the wireless service

8. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service mac-auth.
c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
d. Click Bind.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.

Figure 275 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the ap 802.11n(2.4GHz) box of the target AP.
c. Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

Figure 276 Enabling 802.11n(2.4GHz) radio

Configuring the RADIUS server (IMC v5)

The following example uses IMC (IMC PLAT 5.0 and IMC UAM 5.0) to illustrate the basic configuration of the RADIUS server.
To configure the RADIUS server:
1. Add an access device:
a. Click the Service tab in the IMC Platform.
b. Select User Access Manager > Access Device Management from the navigation tree.
c. Click Add.
d. On the page that appears, enter expert as the Shared Key (it must match the key specified in the RADIUS scheme on the AC), keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.

Figure 277 Adding access device

2. Add a service:
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.

Figure 278 Adding service

3. Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree to enter the user page.
c. Click Add.
d. On the page that appears, enter username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.

Figure 279 Adding account

Verifying the configuration
During authentication, the user does not need to enter a username or password. After passing MAC authentication, the client can associate with the AP and access the WLAN.
You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
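Steps 2 and 3 on the AC and step 1 on IMC set up the RADIUS exchange that this example depends on: for a MAC-authentication user the AC sends an Access-Request whose User-Name and User-Password are both the client's MAC address, with the password hidden under the shared key, and only an Access-Accept whose Response Authenticator verifies under that same key admits the client. The following added example, which is not from this guide or from the HP or IMC software, builds and checks that exchange as RFC 2865 defines it, so you can see why the shared key on the AC and on IMC must be identical. The MAC address 0014-6c8a-43ff, the AC address 10.18.1.1 and the key expert are from the page; the exact username format the AC sends (12 lower-case hex digits without separators, matching the IMC account in step 3) and the attribute set are assumptions. Two caveats: MAC authentication only proves that a client presented a known address, which any client can set, and RFC 2865 password hiding is MD5-based, so RADIUS traffic belongs on a management network or inside IPsec.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used for MAC authentication (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
HEADER_LEN = 20


def mac_to_username(mac: str) -> str:
    """Normalize 0014-6c8a-43ff, 00:14:6c:8a:43:ff or 00146c8a43ff to the
    12-lower-case-hex-digit form used for the IMC account in this example (assumed format)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac}")
    return digits


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server applies it."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, client_mac: str, nas_ip: str,
                         request_authenticator: bytes = None) -> bytes:
    """The packet the AC sends for a MAC-authentication user: User-Name and
    User-Password are both the MAC address, as configured on IMC in this example."""
    request_authenticator = request_authenticator or os.urandom(16)
    username = mac_to_username(client_mac).encode("ascii")
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_user_password(username, secret, request_authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(CALLING_STATION_ID, client_mac.encode("ascii")))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header; a Length below 2 would loop forever, so reject it."""
    attrs, i = {}, HEADER_LEN
    length = struct.unpack("!H", packet[2:4])[0]
    while i < length:
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[i + 2:i + attr_len]
        i += attr_len
    return attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: an Access-Accept or Access-Reject bound to the request it answers."""
    identifier, request_authenticator = request[1], request[4:HEADER_LEN]
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_authenticator, secret) + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """What the AC must check before trusting an Access-Accept: the identifier matches
    the outstanding request and the Response Authenticator verifies under the shared
    key. A reply forged without the key, or sent by a server whose key differs from
    the one in the AC's RADIUS scheme, fails here."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[HEADER_LEN:length],
                                      request[4:HEADER_LEN], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])
```

The User-Password attribute is the only thing that stands between a passive observer and the credential, and here the credential is the MAC address that the same observer can already read from the air; the Response Authenticator is what actually matters, because it is the only proof the AC has that the Access-Accept came from a server holding the shared key.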

Remote 802.1X authentication configuration


example
Network requirements
Perform remote 802.1X authentication on the client.

Use IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as
user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is
10.18.1.88.

On the AC, configure the shared key as expert, and configure the AC to remove the domain name
of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.

Figure 280 Network diagram

Configuring the AC
1.

Assign an IP address to the AC:


a. Select Network > VLAN to create a VLAN on the AC.
b. Select Device > Interface Management to assign an IP address to the VLAN interface.

2.

Configure a RADIUS scheme:


a. Select Authentication > RADIUS from the navigation tree.
b. Click Add.
c. On the page that appears, add two servers in the RADIUS Server Configuration, and specify
the key expert.
d. Enter 802.1x in the Scheme Name field.
e. Select the server type Extended, and select Without domain name from the Username Format
list.
f. Click Apply.

268

Figure 281 Configuring RADIUS

3.

Configure AAA:
a. Select Authentication > AAA from the navigation tree.
b. Optional: On the Domain Setup tab, create a new ISP domain.
This example uses the default domain system.
c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box,
select the authentication mode RADIUS, select the authentication scheme system from the
Name list, and click Apply.

Figure 282 Configuring the AAA authentication method for the ISP domain

d. On the Authorization tab, select the domain name system, select the LAN-access AuthZ box,
select the authorization mode RADIUS, select the authorization scheme system from the Name
list, and click Apply.
4.

Create an AP:
269

a. Select AP > AP Setup from the navigation tree.


b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select
the serial ID Manual, enter the AP serial ID, and click Apply.
Figure 283 Configuring an AP

5.

Configure wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to dot1x, select the wireless service type crypto,
and click Apply.

Figure 284 Creating a wireless service

6.

Configure 802.1X authentication:


After you create a wireless service, the wireless service configuration page appears.
a. In the Security Setup area, select Open-System from the Authentication Type list, select the
Cipher Suite box, select AES-CCMP from the Cipher Suite list, and select WPA2 from the
Security IE list.
b. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
c. Select system from the Mandatory Domain list.
d. Select EAP from the Authentication Method list.
e. Disable Handshake and Multicast Trigger (recommended).
f. Click Apply.
g. A progress dialog box appears. During the process, another dialog box appears asking you
whether or not to enable EAP authentication. Click OK.
h. After the configuration progress is complete, click Close.

270

Figure 285 Configuring security settings

7. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the dot1x box and click Enable.

Figure 286 Enabling the wireless service

8. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service dot1x.
c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
d. Click Bind.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 287 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the box of the target AP.
c. Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

Figure 288 Enabling 802.11n(2.4GHz) radio

Configuring the RADIUS server (IMC v5)


The following example uses IMC (IMC PLAT 5.0 and IMC UAM 5.0) to illustrate the basic configuration
of the RADIUS server.
To configure the RADIUS server:
1. Add an access device:
a. Click the Service tab in the IMC platform.
b. Select User Access Manager > Access Device Management from the navigation tree.
c. Click Add.
d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for the other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.
Figure 289 Adding access device

2. Add a service:
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to dot1x, and set the Certificate Type to
EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.

Figure 290 Adding a service

273

3.

Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c. Click Add.
d. On the page that appears, enter the username user, set the account name to user and the password to dot1x, select the service dot1x, and click Apply.

Figure 291 Adding account

Configuring the wireless client


1. Double-click the icon at the bottom right corner of your desktop.
The Wireless Network Connection Status window appears.
2. Click Properties in the General tab.
The Wireless Network Connection Properties window appears.
3. In the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click Properties.
The dot1x Properties window appears.
4. In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
5. In the popup window, clear Validate server certificate, and click Configure.
6. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).


Figure 292 Configuring the wireless client (I)


Figure 293 Configuring the wireless client (II)


Figure 294 Configuring the wireless client (III)

Verifying the configuration

After the user enters username user and password dot1x in the popup dialog box, the client can
associate with the AP and access the WLAN.

You can view the online clients on the page you enter by selecting Summary > Client.

Dynamic WEP encryption-802.1X authentication configuration example
Network requirements
Perform dynamic WEP encryption-802.1X authentication on the client.

Use IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as
user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is
10.18.1.88.

On the AC, configure the shared key as expert, and configure the AC to remove the domain name
of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
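The two configuration values that this example and the previous one exchange between the AC and the RADIUS server are the shared key and the user name (with its domain removed). The following Python example, added here and not part of this guide or of IMC, shows what those values do on the wire: it builds the Access-Request that an AC at 10.18.1.1 would send for the stripped user name, computes the Message-Authenticator that the server checks with the shared key (RFC 2869, section 5.14), and verifies the Response Authenticator of the server's reply (RFC 2865, section 3). The EAP payload is a bare Identity response, not a full EAP-PEAP exchange, and all packet contents are constructed samples; the function names are this example's own.

```python
"""RADIUS shared-key checks for the 802.1X examples, as an added illustration.

Not HP or IMC code. Packet contents are constructed samples; the EAP payload is
a bare Identity response rather than a full EAP-PEAP conversation.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def strip_domain(username: str) -> str:
    """'user@system' -> 'user': the form sent when the AC removes the domain name."""
    return username.split("@", 1)[0]


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type (1 byte), Length (1 byte, including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs after the 20-byte header; reject truncated or zero-length ones."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def build_access_request(ident: int, secret: bytes, username: str, nas_ip: str,
                         eap: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request with User-Name, NAS-IP-Address, EAP-Message and Message-Authenticator."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: random per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_EAP_MESSAGE, eap)
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while computing the HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute HMAC-MD5 over the packet with the Message-Authenticator zeroed."""
    pos = 20
    for atype, value in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False  # an EAP-carrying request without Message-Authenticator is rejected


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, req_auth = request[1], request[4:20]
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """AC side: accept the reply only if it answers this request and was keyed with our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A mismatch between the key configured on the AC and the key configured for the access device in IMC shows up exactly here: the server drops the request because the Message-Authenticator does not verify, and a reply keyed with the wrong secret fails verify_response on the AC. Because both checks rest on the shared key alone, a long random key is preferable in production to short words such as the sample values used in this guide.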


Figure 295 Network diagram

Configuration procedure
1. Assign an IP address for the AC:
See "Assign an IP address to the AC:."
2. Configure a RADIUS scheme:
See "Configure a RADIUS scheme."
3. Configure AAA:
See "Configure AAA."
4. Configure the AP:
See "Create an AP."
5. Create a wireless service:


a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to dot1x, select the wireless service type crypto,
and click Apply.

Figure 296 Creating a wireless service

6. Configure 802.1X authentication:
After you create a wireless service, the wireless service configuration page appears.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select Encryption, and select Enable from the Provide Key Automatically list.
c. Select the Cipher Suite box, select CCMP from the Cipher Suite list, and select WPA2 from the
Security IE list.
d. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
e. Select system from the Mandatory Domain list.
f. Select EAP from the Authentication Method list.
g. Disable Handshake and Multicast Trigger (recommended).
h. Click Apply.
Figure 297 Configuring security settings

7. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the dot1x box and click Enable.

Figure 298 Enabling the wireless service

8. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service dot1x.
c. On the page that appears, select the box of the AP with the radio mode 802.11n(2.4GHz) and click Bind.
Figure 299 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:
See "Enable 802.11n(2.4GHz) radio."
10. Configure the RADIUS server (IMCv5):
See "Configuring the RADIUS server (IMC v5)."

Configuring the wireless client


1. Double-click the icon at the bottom right corner of your desktop.
2. The Wireless Network Connection Status window appears.
3. Click Properties.
The Wireless Network window appears.
4. Click Add.
5. Click the Association tab, and enter dot1x in the Network name (SSID) field. Make sure that you have selected The key is provided for me automatically.

Figure 300 Configuring the wireless client (I)

6. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
7. In the popup window, clear Validate server certificate, and click Configure.
8. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any), and then click OK.


Figure 301 Configuring the wireless client (II)


Figure 302 Configuring the wireless client (III)

Verifying the configuration

After the user enters username user and password dot1x in the popup dialog box, the client can
associate with the AP and access the WLAN.

You can view the online clients on the page you enter by selecting Summary > Client.


Configuring mesh services


A WLAN mesh network allows for wireless connections between APs, making the WLAN more mobile
and flexible. Also, you can establish multi-hop wireless links between APs. In these ways, a WLAN mesh
network differs from a traditional WLAN. However, from the perspective of end users, a WLAN mesh
network is no different from a traditional WLAN.

Mesh overview
Basic concepts in WLAN mesh
Figure 303 Typical WLAN mesh network (diagram: an AC, an MPP, MPs, and MAPs forming the WLAN mesh network, with clients attached to the MAPs)

As shown in Figure 303, the concepts involved in WLAN mesh are described below.
Concept | Description
Access controller (AC) | Device that controls and manages all the APs in the WLAN.
Mesh point (MP) | Wireless AP that connects to a mesh portal point (MPP) through a wireless connection but cannot have any client attached.
Mesh access point (MAP) | AP providing the mesh service and the access service concurrently.
Mesh portal point (MPP) | Wireless AP that connects to an AC through a wired connection.
Mesh link | Wireless link between MPs.


Advantages of WLAN mesh


The WLAN mesh technology allows operators to easily deploy wireless networks anywhere and anytime.
WLAN mesh offers the following advantages:

High performance/price ratio: In a mesh network, only the MPPs need to connect to a wired network. In this way, the dependency on the wired network is reduced to the minimum extent, and the investment in wired devices, cabling, and installation is also reduced.

Excellent scalability: In a mesh network, the APs can automatically discover each other and initiate wireless link setup. To add new APs to the mesh network, you only need to install these new APs and perform the related configurations.

Fast deployment: Since only the MPPs need to connect to a wired network, WLAN mesh reduces the network deployment time.

Various application scenarios: The mesh network is applicable to enterprise, office, and campus networks, which are common application scenarios of traditional WLANs, and also applicable to large-sized warehouse, port, MAN, railway transportation, and crisis communication networks.

High reliability: In a traditional WLAN, when the wired upstream link of an AP fails, all clients associated with the AP cannot access the WLAN. Comparatively, in a mesh network, all APs are fully meshed. There are multiple available wireless links for a mesh AP to reach a portal node in the wired network, which effectively avoids single points of failure.

Deployment scenarios
This section includes WLAN mesh deployment scenarios.

Normal fit MP scenario


As shown in Figure 304, two mesh networks are controlled by the same AC. At least one MPP in a mesh
has wired connectivity with the AC. When an MP comes up, it scans the network and forms temporary
connections with all available MPs in its vicinity. These temporary connections allow the MP to connect
to the AC to download its configurations. After downloading its configurations from the AC, the MP will
establish secure connections with neighbors sharing the same pre-shared key.


Figure 304 Normal fit MP scenario

One fit MP with two radios, each on a different mesh


As shown in Figure 305, to avoid cross-interruption between Mesh 1 and Mesh 2, you can configure two
radios for an MP, each of which is present in a different mesh network. The only constraint is that both
meshes must be managed by the same AC.
Figure 305 Two radios on different meshes


One fit MP with two radios on the same mesh


As shown in Figure 306, Radio 1 of MP 1 joins the mesh through the MPP. In this case, only Radio 1 can
provide access for downstream MPs. Radio 2 cannot automatically access the mesh and provide the
mesh service.
Figure 306 Two radios on different meshes

WLAN mesh security


A WLAN network uses air as the communication medium, so it is vulnerable to malicious attacks. In a
mesh network, a wireless connection passes through multiple hops, and a mesh network is also
vulnerable to malicious attacks. Therefore, WLAN mesh network security becomes an essential part of
WLAN mesh networks. Security involves encryption algorithms and distribution and management of keys.
A PSK + CCMP combination is used for securing mesh networks.

Deployment scenarios
Mesh link backhaul deployment is supported. As shown in Figure 307, the MAP is a dual-radio AP, with
one radio for WLAN access and the other for mesh link backhaul. You can configure the MAC address
of the MPP connected to the MAP to establish a mesh link between them.
Figure 307 Mesh link backhaul (diagram labels: AC, PC 1, PC 2, MPP, MAP, mesh-link, Client 1, Client 2, Client 3)

Configuring mesh service


Configuring mesh service
Creating a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.

Figure 308 Configuring mesh service

3. Click Add.

Figure 309 Creating a mesh service

4. Configure the mesh service as described in Table 94.
5. Click Apply.

Table 94 Configuration items
Item | Description
Mesh Service Name | Name of the created mesh service.

Configuring a mesh service


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.
3. Click the icon corresponding to the target mesh service to enter the page for configuring mesh service.

Figure 310 Configuring mesh service

4. Configure the mesh service as described in Table 95.
5. Click Apply.

Table 95 Configuration items
Item | Description
Mesh Service | Displays the selected mesh service name.
VLAN (Tagged) | Enter the ID of the VLAN whose packets are to be sent tagged. VLAN (Tagged) indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
VLAN (Untagged) | Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Default VLAN | Set the default VLAN. By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Exclude VLAN | Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
Mesh Route | Enable or disable the mesh route selection algorithm. Disable: disables the mesh route selection algorithm. Enable: enables the mesh route selection algorithm. By default, the mesh route selection algorithm is enabled.
Link Keep Alive Interval | Configure the mesh link keep-alive interval.
Link Backhaul Rate | Configure the backhaul radio rate.
Security Configuration:
Pass Phrase | Enter a pre-shared key in the format of a character string.
Raw Key | Enter a pre-shared key in the format of hexadecimal digits.
Pre-shared Key | Pre-shared key, which takes one of the following values: a string of 8 to 63 characters, or a valid hexadecimal number of 64 bits.

Binding an AP radio to a mesh service


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon to enter the page for binding an AP radio to a mesh service.
3. Select the AP radio to be bound.
4. Click Bind.

Figure 311 Binding an AP radio to a mesh service

Enabling a mesh service


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.

Figure 312 Enabling a mesh service

3. Select the mesh service to be enabled.
4. Click Enable.

Displaying the detailed information about a mesh service


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.
3. Click a mesh service to see its detailed information.

Figure 313 Displaying detailed mesh service information

Table 96 Field description
Field | Description
Mesh Profile Number | Mesh service number.
Mesh ID | Mesh ID of the mesh service.
Binding Interface | Mesh interface bound to the mesh service.
MKD Service | MKD service status. Enable: indicates that the MKD service is enabled. Disable: indicates that the MKD service is disabled.
Link Keep Alive Interval | Interval to send keep-alive packets.
Link Backhaul Rate | Link backhaul rate.
Mesh Profile Status | Mesh service status. Enable: indicates that the mesh service is enabled. Disable: indicates that the mesh service is disabled.

Configuring a mesh policy


Creating a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh policy configuration page.

Figure 314 Mesh policy configuration page

3. Click Add.

Figure 315 Creating a mesh policy

4. Configure the mesh policy as described in Table 97.
5. Click Apply.

Table 97 Configuration items
Item | Description
Mesh Policy Name | Name of the created mesh policy. The created mesh policies use the contents of the default mesh policy default_mp_plcy.

Configuring a mesh policy


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the icon corresponding to the target mesh policy to enter the mesh policy configuration page.

Figure 316 Configuring a mesh policy

4. Configure the mesh policy as described in Table 98.
5. Click Apply.

Table 98 Configuration items
Item | Description
Mesh Policy | Displays the name of the created mesh policy.
Link establishment | By default, link initiation is enabled.
Minimum time to hold a link | Set the link hold time. An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switch.
Maximum number of links | Set the maximum number of links that an MP can form in a mesh network. IMPORTANT: When configuring mesh, if the number of mesh links configured on an AP is greater than two, you need to configure the maximum links that an MP can form as needed.
Minimum rssi to hold a link | Set the link formation/link hold RSSI (received signal strength indicator). This is the minimum RSSI to allow a link to be formed and held. Therefore, the minimum RSSI must be used at any given point in the tunnel. Otherwise, the error rate can be very high.
Minimum margin rssi | Set the link switch margin. If the RSSI of the new link is greater than that of the current active link by the link switch margin, active link switch will occur. This mechanism is used to avoid frequent link switch.
Maximum rssi to hold a link | Set the link saturation RSSI. This is the upper limit of RSSI on the active link. If the value is reached, the chipset is saturated and link switch will occur.
Interval between probe requests | Set the probe request interval.
Role as authenticator | By default, whether or not a device plays the role of an authenticator is based on negotiation results.
ratemode | fixed: This is the default mode. The rate adopted is of a fixed value. It is the maximum rate of the current radio. realtime: The rate adopted changes with the link quality. The rate changes with the change of the RSSI of the current radio.
The Mobile Link Switch Protocol (MLSP) implements high-speed link switch with zero packet loss during train movement (not supported).
Proxy MAC Address | Select the Proxy MAC Address option to specify the MAC address of the peer device.
Proxy VLAN | VLAN ID of the peer device.

Binding an AP radio to a mesh policy


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the button corresponding to the target mesh policy.
4. Select the AP radio to be bound.
5. Click Bind.

Displaying the detailed information about a mesh policy


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab to enter the mesh policy configuration page.
3. Click a mesh policy to see its detailed information.

Figure 317 Displaying detailed mesh policy information

Table 99 Field description
Field | Description
MP Policy Name | Name of the mesh policy.
Mesh Link Initiation | Whether link initiation is enabled or not.
Mlsp | Mobile Link Switch Protocol (MLSP) status (not supported). Enable: indicates that MLSP is enabled. Disable: indicates that MLSP is disabled.
Authenticator Role | Authenticator role status. Enable: indicates that the authenticator role is enabled. Disable: indicates that the authenticator role is disabled.
Max Links | Maximum number of links on a device using this mesh policy.
Probe Request Interval (ms) | Interval between probe requests sent by a device using this mesh policy.
Link Hold RSSI | Link hold RSSI.
Link Hold Time (ms) | Link hold time.
Link Switch Margin | Link switch margin.
Link saturation RSSI | Link saturation RSSI.
Link rate-mode | Method of calculating the link cost. Fixed: indicates that the mesh interface rate is fixed. real-time: indicates that the mesh interface rate changes with the RSSI in real time.


Mesh global setup


Mesh basic setup
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh global setup page.

Figure 318 Configuring basic mesh settings

3. Configure the basic mesh settings as described in Table 100.
4. Click Apply.

Table 100 Configuration items
Item | Description
MKD-ID | Make sure the MAC address configured is unused and has the correct vendor specific part. The MAC address of an AC should not be configured as the MKD ID.
Dynamic Channel Select | One of the following:
  Manual: Select one-time dynamic channel selection (DFS) and click Apply to enable it. After manual mode is selected, if no mesh network is manually specified when the next calibration interval is reached, the AC will refresh radio information of all mesh networks that it manages, and display it on the Radio Info tab of the Mesh Channel Optimize page. You can view the radio information and select mesh networks for which one-time DFS will be performed on the Mesh Channel Optimize tab. After that, if you want the AC to perform DFS for the mesh network, you have to make this configuration again.
  Auto: Select auto-DFS and click Apply to enable it. Auto-DFS applies to all mesh networks where the working channels of the radios are automatically selected. With auto DFS enabled, an AC makes DFS decisions at the calibration interval automatically.
  Close: Close DFS. At the next calibration interval, the radio information and channel switching information on the Mesh Channel Optimize page will be cleared.
  By default, DFS for a mesh network is disabled.

IMPORTANT:
Before enabling auto or one-time DFS for a mesh network, make sure that auto mode is selected for the working channel of radios in the mesh network. For the related configuration, see "Configuring radios."

Enabling mesh portal service


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh portal service configuration page.

Figure 319 Enabling mesh portal service

3. Select the AP for which mesh portal service is to be enabled.
4. Click Enable.

Configuring a working channel


You can configure a working channel by using one of the following methods:

Manual
1. Select Radio > Radio from the navigation tree.

Figure 320 Configuring a radio

2. On the page that appears, select a specified channel from the Channel list.
3. Click Apply.

NOTE:
Specify a working channel for the radios of the MAP and MPP. Specify the same working channel for the radio of the MAP and the radio of the MPP.

Auto
Set the working channel mode on the MPP and MAP to auto so that the working channel is automatically
negotiated when a WDS link is established between the MPP and MAP.
NOTE:
If you configure the working channel mode of the radios of the MPP and MAP as auto, the automatically
selected working channel is a non-radar channel.

Enabling radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.

Figure 321 Enabling a radio

2. Select the radio mode to be enabled.
3. Click Enable.

Configuring a peer MAC address


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon to enter the page for binding an AP radio to a mesh service.
3. Select the AP radio to be bound, and click the icon to enter the page for configuring a peer MAC address.

Figure 322 Configuring a peer MAC address

4. Configure the peer MAC address as described in Table 101.
5. Click Apply.

Table 101 Configuration items
Item | Description
Peer MAC Address | The mesh feature supports three topologies. For more information, see "Deployment scenarios." The mesh feature is implemented through configuration of peer MAC addresses for each AP.
cos | Sets the STP cost of the mesh link to the peer. If not configured, the STP cost is automatically calculated by STP. You can view the cost of the mesh link on the page shown in Figure 322.

Mesh DFS
Displaying radio information
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh optimization tab.
3. Click the specified mesh network, and click the Radio Info tab to enter the page shown in Figure 323 to view radio information.


Figure 323 Displaying radio information

Displaying channel switch information


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh optimization tab.
3. Click the mesh network, and then select the Channel Switch Info tab to enter the page shown in Figure 324 to view the channel switching information.

Figure 324 Displaying mesh channel switching information

NOTE:
If you select Auto or Close for dynamic channel selection on the Global Setup tab, when you enter the
Mesh Channel Optimize page, the Channel Optimize button is grayed out, and you cannot perform
the operation.
If you select manual DFS on the Global Setup tab, select mesh networks where DFS will be performed,
and then click Channel Optimize to complete DFS. In auto mode, DFS is performed at the calibration
interval. In manual mode, DFS is performed one time.


Table 102 Field description
Field | Description
AP | AP name in the mesh network.
Radio | Radio of the AP.
Chl(After/Before) | Channels before and after channel optimization.
Date(yyyy-mm-dd) | Date, in the format of yyyy-mm-dd.
Time(hh:mm:ss) | Time, in the format of hh:mm:ss.

Displaying the mesh link status


Mesh link monitoring
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Info tab to enter the mesh link monitoring page.

Figure 325 Displaying the mesh link monitoring information

You can monitor the mesh link status in real time on the mesh link monitoring page.

Mesh link test


1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Test tab to enter the mesh link test page.

Figure 326 Displaying mesh link test information

3. Select the box of the target AP.
4. Click Begin.

WLAN mesh configuration example


Network requirements
As shown in Figure 327, establish a mesh link between the MAP and the MPP.
Configure 802.11n (5GHz) on the MAP so that the client can access the network.
1. Establish a mesh link between the MPP and the MAP by following these steps:
Configure MAP and MPP: Select AP > AP Setup from the navigation tree, and click Add to configure MAP and MPP. For more information, see "Create an MAP and MPP."
Configure mesh service: After creating a mesh service and configuring a pre-shared key, you can bind the mesh service to the AP and enable the mesh service. For more information, see "Create a mesh service:."
Configure a mesh policy: A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP. For more information, see "(Optional) Configure a mesh policy."
Mesh global setup: Configure an MKD-ID (which exists by default), and enable mesh portal service for the MPP. For more information, see "Configure mesh service globally."
Configure the same working channel, and enable the radio. For more information, see "Configure the same working channel and enable the radio on the MAP and MPP:."
2. Configure 802.11n (5GHz) service on the MAP to enable the client to access the WLAN network.
For more information, see "Wireless service configuration example."


Figure 327 Network diagram


Configuring the AC
1. Create an MAP and MPP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to map, select the AP model MSM460-WW, select the serial ID Manual, enter the AP serial ID, and click Apply.

Figure 328 Configuring an AP

d. Configure MPP by following the same steps.


2. Create a mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Mesh Service tab.
c. Click Add.
d. On the page that appears, set the mesh service name to outdoor and click Apply.
After completing mesh service configuration, you enter the page shown in Figure 330.

Figure 329 Creating a mesh service

Figure 330 Configuring a pre-shared key

e. Select Pass Phrase, and set the pre-shared key to 12345678.
f. Click Apply.

3. Bind an AP radio to the mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the icon corresponding to the mesh service outdoor to enter the page for binding an AP radio to a mesh service.
c. Select the AP radios to be bound.
d. Click Bind.

Figure 331 Binding an AP radio to a mesh service

4. Enable the mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.

Figure 332 Enabling the mesh service

b. Select the mesh service to be enabled.
c. Click Enable.
5. (Optional) Configure a mesh policy (by default, the default mesh policy default_mp_plcy already exists.)

NOTE:
A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP as
needed. By default, the default_mp_plcy mesh policy is mapped to an AP.
6. Configure mesh service globally:
a. (Optional) Select Wireless Service > Mesh Service from the navigation tree, and click the Global Setup tab to enter the mesh global setup page to set the MKD-ID (by default, the MKD-ID exists).
b. Select the MPP that has wired connectivity with the AC to enable mesh portal service.
c. Click Enable.
Figure 333 Configuring mesh portal service

7. Configure the same working channel and enable the radio on the MAP and MPP:
a. Select Radio > Radio from the navigation tree.
b. Click the icon corresponding to the target MAP to enter the radio setup page.

Figure 334 Configuring the working channel

c. Select the channel to be used from the Channel list.
d. Click Apply.
You can follow this step to configure the working channel for the MPP. The working channel of the radio on the MPP must be the same as the working channel of the radio on the MAP.
8. Enable radio:
a. Select Radio > Radio from the navigation tree.
b. Select the radio modes to be enabled for the MAP and MPP.
c. Click Enable.

Figure 335 Enabling radio

Verifying the configuration

The mesh link between the MAP and the MPP has been established, and they can ping each other.

After 802.11n(2.4GHz) is configured on the MAP, the client can access the network through the
mesh link.

Mesh DFS configuration example


Network requirements

As shown in Figure 336, establish an 802.11n (5Ghz) mesh link between the MAP and MPP. The
working channel is automatically selected.

Enable one-time DFS. After that, the AC performs DFS for the radios when certain trigger conditions
are met on the channel.

Figure 336 Network diagram (diagram: AC, MPP, and MAP, with an 802.11n(5GHz) mesh link between the MPP and the MAP)

Configuration guidelines
The mesh configuration in this example is similar to a common wireless mesh configuration. Note the
following guidelines:

Configure the working channel mode of the radios that provide mesh services as auto.

Do not configure any wireless service on radios that provide mesh services.

Configuration procedure
The mesh configuration is the same as the normal WLAN mesh configuration. For configuration
procedures, see "WLAN mesh configuration example." Perform the following operations after
completing mesh configuration:
1. (Optional) Set a calibration interval:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. On the page that appears, enter the calibration interval 3 and click OK.

Figure 337 Setting mesh calibration interval

2. Configure mesh DFS:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Global Setup tab.
c. On the page that appears, select the Manual box for Dynamic Channel Select.
d. Click OK.

Figure 338 Configuring mesh DFS

3. Enable one-time DFS for the mesh network:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Mesh Channel Optimize tab.
c. Select the outdoor mesh network.
d. Click Channel Optimize.

Figure 339 Configuring one-time mesh DFS

Verifying the configuration
After the next calibration interval, you can view the channel switching information:
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab.
3. Click the Channel Info tab.
4. Select the target mesh network to display the radio information.

Figure 340 Displaying mesh channel switching information

Configuring WLAN roaming


IACTP tunnel
The Inter AC Tunneling Protocol (IACTP) is an HP-proprietary protocol that provides a generic packet
encapsulation and transport mechanism for ACs to securely communicate with each other.
IACTP provides a control tunnel to exchange control messages, and a data tunnel to transmit data
packets between ACs. IACTP supports both IPv4 and IPv6.
WLAN roaming, AC backup, and AC-BAS collaboration must support IACTP for inter-AC
communication.

WLAN roaming overview


WLAN roaming enables clients to roam between ACs in a mobility group or within an AC. ACs in a
mobility group communicate with each other through IACTP tunnels.
When a client supporting fast roaming associates with one of the ACs in a mobility group for the first time,
the AC (called the HA) performs 802.1X authentication and 802.11 key exchange for the client. The client
information is synchronized across ACs in the mobility group. When this client roams to another AC in
the mobility group (called the FA), the FA uses the stored client information to fast authenticate the client:
it skips 802.1X authentication, performs only the 802.11 key exchange, and associates with the client.

Configuring a roaming group

IMPORTANT:
Roaming group configuration is available only for inter-AC roaming. For the configuration example of
inter-AC roaming, see "Inter-AC roaming configuration example."
1. Select Roam > Roam Group from the navigation tree.

Figure 341 Configuring a roaming group

2. Configure a roaming group as described in Table 103.
3. Click Apply.

Table 103 Configuration items

Service
  • Enable: Enable IACTP service.
  • Disable: Disable IACTP service.

IP Type
  Select IPv4 or IPv6.

Source Address
  Source address of the IACTP protocol.

Auth Mode
  MD5: Select the MD5 authentication mode. This item is optional.
  The control message integrity can be verified when the MD5 authentication mode is selected. The
  sender (an AC) calculates a digest based on the content of a control message. On receiving such a
  message, the receiver (another AC in the roaming group) calculates the digest again and compares it
  against the digest present in the message to verify the integrity of the received packet. If the digests are
  the same, the packet has not been tampered with.

Auth Key
  MD5 authentication key. If you select the MD5 authentication mode, you must enter an
  authentication key.
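The digest check described for the MD5 authentication mode, as an added example that is not part of the HP guide and not IACTP's own code: both ACs share the authentication key, the sending AC appends a keyed MD5 digest to each control message, and the receiving AC recomputes the digest before accepting the message. The guide does not say how IACTP combines the key with the message content, so this example assumes HMAC-MD5; the key, the message text and the helper names (control_digest, build_control_message, verify_control_message, tamper) are constructed for illustration.

```python
import hashlib
import hmac

# Constructed example: keyed MD5 digest over an IACTP-style control message.
# HMAC-MD5 is an assumption; the guide only states that a digest is computed
# from the message content and checked by the receiving AC.
DIGEST_LEN = hashlib.md5().digest_size  # 16 bytes


def control_digest(auth_key: bytes, message: bytes) -> bytes:
    """Digest the sending AC attaches to a control message (assumed HMAC-MD5)."""
    return hmac.new(auth_key, message, hashlib.md5).digest()


def build_control_message(auth_key: bytes, payload: bytes) -> bytes:
    """Sender side: message body followed by its digest."""
    return payload + control_digest(auth_key, payload)


def verify_control_message(auth_key: bytes, frame: bytes) -> bool:
    """Receiver side: recompute the digest and compare it in constant time.

    Returns False for a frame too short to carry a digest, for a frame whose
    body or digest was modified in transit, and for a frame built with a
    different key (the other AC is not a member sharing this group's key).
    """
    if len(frame) < DIGEST_LEN:
        return False
    payload, received = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    expected = control_digest(auth_key, payload)
    return hmac.compare_digest(expected, received)


def tamper(frame: bytes, offset: int) -> bytes:
    """Flip one bit at `offset` to model an in-flight modification (constructed)."""
    changed = bytearray(frame)
    changed[offset] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    key = b"example-roaming-key"  # constructed key shared by the ACs in the group
    payload = b"ROAM-UPDATE client=0011-2233-4455 ha=192.168.11.3"  # constructed
    frame = build_control_message(key, payload)
    print("intact frame accepted:  ", verify_control_message(key, frame))
    print("tampered body accepted: ", verify_control_message(key, tamper(frame, 5)))
    print("tampered digest accepted:", verify_control_message(key, tamper(frame, len(frame) - 1)))
    print("wrong key accepted:     ", verify_control_message(b"other-key", frame))
```

Two points of the design matter in practice. Because the key enters the digest, a device that can observe the tunnel traffic but does not hold the group's key cannot produce a digest that verifies, which is what makes the check prove origin as well as integrity; a plain MD5 over the message body alone would not. And comparing with hmac.compare_digest rather than == rejects every mismatch in the same time, so the comparison itself leaks nothing about the expected digest. The check does not provide confidentiality: the message body still travels in the clear.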

Adding a group member
1. Select Roam > Roam Group from the navigation tree.

Figure 342 Adding a group member

2. Add a group member as described in Table 104.
3. Click Add.
4. Click Apply.

Table 104 Configuration items

IP Address
  Add the IP address of an AC to a roaming group.
  IMPORTANT:
  When you configure a roaming group, the roaming group name configured for the ACs in the same
  roaming group must be the same.

VLAN
  Configure the VLAN to which the roaming group member belongs. This configuration item is optional.
  If multiple ACs exist in a roaming group, make sure no loop occurs on the IACTP tunnels between ACs
  in the group when you configure this option.

NOTE:
The user profile configurations of the ACs in a roaming group must be the same. For more information,
see "Managing users."
The ACs in a roaming group cannot be configured as hot backup ACs.

Displaying client information
1. Select Roam > Roam Client from the navigation tree.

Figure 343 Displaying client information

2. View the detailed information and roaming information of the client by clicking a target client. For
   more information, see "Summary."

WLAN roaming configuration examples


Intra-AC roaming configuration example
Network requirements
As shown in Figure 344, an AC has two APs associated and all of them are in VLAN 1. A client is
associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when
roaming to AP 2.


Figure 344 Network diagram

Configuration guidelines
When you configure intra-AC roaming, the SSIDs of the two APs must be the same. The same wireless
service must be bound to the radios of the two APs in Bind AP radios to the wireless service.

Configuring the AC
If remote authentication is required in the authentication mode you select, configure the RADIUS server.
For information about how to configure the RADIUS server, see "Configuring AAA."
1. Create two APs:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap1, select the AP model MSM460-WW, select
      manual from the Serial ID list, enter the serial ID of the AP, and click Apply.
   d. Follow the same steps to create the other AP.
2. Configure wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to Roam, and click Apply.

NOTE:
For information about how to configure the authentication mode, see "Configuring access services."
However, fast roaming can be implemented only when the RSN+802.1X authentication mode is adopted.

3. Enable wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the Roam box.
   c. Click Enable.
4. Bind AP radios to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon to the right of the wireless service Roam to enter the page for binding AP
      radios.
   c. Select the box before ap1 with radio type 802.11n(2.4GHz), and the box before ap2 with
      radio type 802.11n(2.4GHz).
   d. Click Bind.

Figure 345 Binding AP radios

5. Enable dot11g radio:
   a. Select Radio > Radio Setup from the navigation tree.
   b. On the page that appears, select the box before ap1 with the radio mode 802.11n(2.4GHz),
      and select the box before ap2 with the radio mode 802.11n(2.4GHz).
   c. Click Enable.

Figure 346 Enabling radio

Verifying the configuration
1. Display the roaming information of the client:
   a. Select Summary > Client from the navigation tree.
   b. Select the Roam Information tab.
   c. Click the desired client to view the roaming information of the client.
      From the roaming information, you can see that the client accesses the WLAN through AP 1,
      and the BSSID of AP 1 is 984b-e122-1410 (see Figure 347).

Figure 347 Client status before intra-AC roaming

   d. Click Refresh, and click Roam Information.
      On the page that appears, you can see that the client is connected to the WLAN through AP
      2, and the BSSID of AP 2 is 984b-e122-0430.

Figure 348 Client status after intra-AC roaming

2. View the Roam Status field:
   a. Select Summary > Client from the navigation tree.
      You are placed in the Detail Information tab.
   b. Click the desired client.
      Intra-AC roam association appears in the Roam Status field.

Figure 349 Verifying intra-AC roaming

Inter-AC roaming configuration example


Network requirements
As shown in Figure 350, two ACs, each connected to an AP, are connected through a Layer 2 switch.
Both ACs are in the same network. The IP address of AC 1 is 192.168.11.3 and that of AC 2 is
192.168.11.4. A client associates with AP 1.
Configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.
Figure 350 Network diagram

Configuration guidelines
Follow these guidelines when you configure inter-AC roaming:
• The SSIDs and the authentication and encryption modes of the two APs should be the same.
• A roaming group must be configured on both ACs.

Configuring AC 1 and AC 2
If remote authentication is required in the authentication mode you select, configure the RADIUS server.
For information about how to configure the RADIUS server, see "Configuring AAA."
1. Establish AC-AP connections:
   Configure AC 1 and AC 2 to establish a connection between AP 1 and AC 1, and between AP 2
   and AC 2. The two APs are in the running status only after you establish the connections. To view
   the AP status, select Summary > AP or AP > AP Setup.
   For the related configuration, see "Configuring access services."

NOTE:
For the configuration of authentication mode, see "Configuring access services." Fast roaming supporting
key caching can be implemented only when RSN+802.1X authentication is adopted.

2. Configure a roaming group:
   a. Select Roam > Roam Group from the navigation tree.
   b. On the page that appears, select enable from the Service status list, select IPv4 from the IP Type
      list, enter 192.168.1.100 (the IP address of AC 1) for Source address, enter the IP address of
      AC 2 in the member list, and click Add.
   c. Click Apply.

Figure 351 Configuring a roaming group on AC 1

   d. Create a roaming group on AC 2.
      The source address is the IP address of AC 2, and the member address is the IP address of AC
      1. (Details not shown.)

Verifying the configuration
1. Verify the status of the roaming group:
   a. On AC 1, select Roam > Roam Group from the navigation tree.
      You can see that the group member 192.168.11.4 is in Run state.

Figure 352 Verifying the roaming group state

   b. On AC 2, select Roam > Roam Group from the navigation tree.
      You can see that the group member 192.168.11.3 is in Run state.

Figure 353 Verifying the roaming group state

2. Display the client information:
   a. After the client roams from AP 1 to AP 2, select Roam > Roam Client on AC 1.
      You can see that the client roams out of 192.168.11.3.

Figure 354 Viewing client information

   b. Select Roam > Roam Client on AC 2.
      You can see that the client roams in to 192.168.11.3.

Figure 355 Viewing client information

3. View connection information about the client that is associated with the AP, and the Roam Status
   field in the client detailed information:
   a. Before roaming, select Summary > Client from the navigation tree on AC 1.
      You can see that the client is associated with AP 1.
   b. After roaming, select Summary > Client from the navigation tree on AC 1.
      The client has roamed from AP 1 to AP 2, so no client information is displayed on the page.
   c. Select Summary > Client from the navigation tree on AC 2.
      You can view the client information.
   d. Select the Detail Information tab, and then click the desired client.
      Inter-AC roam association appears in the Roam Status field. This indicates that the client has
      roamed to AP 2.

Figure 356 Verifying inter-AC roaming

4. View the BSSID field:
   a. Before roaming, select Summary > Client from the navigation tree on AC 1, select the Detail
      Information tab, and click the desired client to view the roaming information of the client.
      The roaming information in Figure 357 shows that the client connects to the WLAN through AP
      1, and the BSSID of AP 1 is 984b-e122-0430.

Figure 357 Client status before inter-AC roaming

   b. Select Summary > Client from the navigation tree on AC 2, select the Detail Information tab,
      and click the desired client to view the roaming information of the client.
      The roaming information in Figure 358 shows that the client connects to the WLAN through AP
      2, and the BSSID of AP 2 is 984b-e122-1410.

Figure 358 Client status after inter-AC roaming

Configuring WLAN RRM


Radio overview
Radio frequency (RF) refers to electrical signals that can be transferred over the space to a long distance.
802.11b/g in the IEEE 802.11 standards operates at the 2.4 GHz band, 802.11a operates at the 5 GHz
band, and 802.11n operates at both the 2.4 GHz and 5 GHz bands. Radio frequency is allocated in
bands, each of which corresponds to a range of frequencies.

WLAN RRM overview


WLAN radio resource management (RRM) is a scalable radio resource management solution. APs
collect radio environment information in real time. The AC analyzes the collected information. The AC
makes radio resource adjustment configurations according to analysis results. APs implement the
configurations made by the AC for radio resource optimization. Therefore, through information collection,
information analysis, decision-making, and implementation, WLAN RRM delivers a real-time, intelligent,
and integrated radio resource management solution. This enables a WLAN network to quickly adapt to
radio environment changes and remain in a healthy state.

Dynamic frequency selection


A WLAN has limited working channels. Channel overlapping can easily occur. In addition, other radio
sources such as radar and micro-wave ovens may interfere with the operation of APs. Dynamic frequency
selection (DFS) can solve these problems.
With DFS, the AC selects an optimal channel for each AP in real time to avoid co-channel interference
and interference from other radio sources.
The following conditions determine DFS:
• Error code rate: Physical layer error code and CRC errors.
• Interference: Influence of 802.11 and non-802.11 wireless signals on wireless services.
• Retransmission: APs retransmit data if they do not receive ACK messages from the AC.
• Radar signal detected on a working channel: The AC immediately notifies the AP to change its
  working channel.

If the first three conditions are met, the AC calculates the channel quality. The AP does not use the new
channel until the channel quality difference between the new and old channels exceeds the tolerance
level.

Figure 359 Dynamic channel adjustment

Transmit power control


Traditionally, an AP uses the maximum power to cover an area as large as possible. However, this
method affects the operation of surrounding wireless devices. Transmit power control (TPC) is used to
select a proper transmission power for each AP to satisfy both coverage and usage requirements.
Whether the transmission power of an AP is increased or decreased is determined by these factors: the
maximum number of neighbors (detected neighbors that are managed by the same AC), the neighbor
AP that performs power detection, and the power adjustment threshold.
NOTE:
You cannot configure the neighbor AP that performs power detection and the power adjustment threshold
on the web interface.
As shown in Figure 360, APs 1, 2 and 3 cover an area. When AP 4 joins, the default maximum neighbor
number 3 (configurable) is reached. Then, the APs perform power adjustment. You can find from the
figure that they all reduce their transmission power.


Figure 360 Power reduction

As shown in Figure 361, when AP 3 fails or goes offline, the other APs increase their transmission power
to cover the signal blackhole.


Figure 361 Power increasing

Spectrum analysis
WLAN systems operate on shared bands. Many devices, such as microwave ovens, cordless phones,
and Bluetooth devices also operate on these bands and can negatively affect the WLAN systems.
The spectrum analysis feature is designed to solve this problem. Spectrum analysis delivers the following
functions:
• Identifies 12 types of interferences and provides interference device reports.
• Calculates the number of interferences on each channel and the average and worst channel quality,
  and provides channel quality reports.
• The AP collects Fast Fourier Transform (FFT) data, including frequency, FFT power, maximum power,
  and FFT duty cycle, and sends the data to the NMS through the AC.

With RRM collaboration enabled, if the detected channel quality is lower than the threshold, the AC
automatically adjusts the working channel upon detecting a channel with a higher quality.

Administrators can view the interference information on the AC, or view real-time spectrum analysis data
on the NMS to locate and remove the interferences.
For more information about WIDS, see "Configuring WLAN security."

Configuring radios
Configuring radio parameters
1. Select Radio > Radio from the navigation tree.
2. Click the icon of the desired AP to enter the page for AP radio setup.

Figure 362 Radio setup

3. Configure the radio as described in Table 105.

Table 105 Configuration items

AP Name
  Display the selected AP.

Radio Unit
  Display the selected AP's radios.

Radio Mode
  Display the selected AP's radio mode.

Transmit Power
  Maximum radio transmission power, which varies with country/region codes, channels, AP models,
  radio modes and antenna types. If you adopt the 802.11n mode, the maximum transmit power of the
  radio also depends on the bandwidth mode.

Channel
  Specify the working channel of the radio, which varies with radio types and country/region codes. The
  working channel list varies with device models.
  auto: The working channel is automatically selected. If you select this mode, the AP checks the channel
  quality in the WLAN network, and selects the channel of the best quality as its working channel.
  If you modify the working channel configuration, the transmit power is automatically adjusted.

802.11n bandwidth mode
  The option is available only when the AP supports 802.11n.
  802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data
  forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and
  the other acting as the secondary channel, or work together as a 40-MHz channel. This provides a
  simple way of doubling the data rate.
  By default, the channel bandwidth of the 802.11n radio (5 GHz) is 40 MHz, and that of the 802.11n
  radio (2.4 GHz) is 20 MHz.
  IMPORTANT:
  • If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz channel is used as the working
    channel. If no 40 MHz channel is available, a 20 MHz channel is used. For the specifications, see
    IEEE P802.11n D2.00.
  • If you modify the bandwidth mode configuration, the transmit power is automatically adjusted.

Auto-switch
  Select this option to allow automatic bandwidth switch. If the channel bandwidth of an 802.11gn radio
  is 40 MHz, the automatic bandwidth switch function is not enabled by default.

MIMO
  Configure the MIMO mode for a radio:
  • Default: No MIMO mode is set.
  • 1x1: Enables a radio to transmit and receive 1 spatial stream at a time.
  • 2x2: Enables a radio to transmit and receive 2 spatial streams at a time.
  • 3x3: Enables a radio to transmit and receive 3 spatial streams at a time.

Green Energy Management
  Select this option to enable energy saving. The function is disabled by default.
  IMPORTANT:
  When this function is enabled, an AP automatically changes the MIMO of its radio to 1x1 if no clients
  are associated with the radio.

client dot11n-only
  If you select the client dot11n-only option, non-802.11n clients are prohibited from access. If you want
  to provide access for all 802.11a/b/g clients, you must disable this function.

A-MSDU
  Select the A-MSDU option to enable A-MSDU.
  Multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the
  MAC header overhead and thus improves MAC layer forwarding efficiency.
  At present, only A-MSDUs can be received.
  IMPORTANT:
  When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MSDU
  configuration.

A-MPDU
  Select the A-MPDU option to enable A-MPDU.
  802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can
  accommodate multiple MAC Protocol Data Units (MPDUs) which have their PHY headers removed. This
  reduces the overhead in transmission and the number of ACK frames to be used, and thus improves
  network throughput.
  IMPORTANT:
  When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MPDU
  configuration.

short GI
  Select short GI to enable short GI.
  The 802.11a/g GI is 800 ns. You can configure a short GI, 400 ns, for 802.11n. The short GI increases
  the throughput by 10 percent.

4. Expand Advanced Setup.

Figure 363 Radio setup (advanced setup)

5. Configure the radio as described in Table 106.
6. Click Apply.

Table 106 Configuration items

Preamble
  Preamble is a pattern of bits at the beginning of a frame so that the receiver can sync up and be ready
  for the real data.
  • Short preamble: Short preamble improves network performance. Therefore, this option is always
    selected.
  • Long preamble: Long preamble ensures compatibility between access point and some legacy client
    devices. Therefore, you can select this option to make legacy client devices support short preamble.
  802.11a/802.11n (5 GHz) does not support this configuration.

Transmit Distance
  Maximum coverage of a radio.

ANI
  Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the
  noise immunity level according to the surrounding signal environment to eliminate RF interference.
  • Enable: Enable ANI.
  • Disable: Disable ANI.

Client Max Count
  Maximum number of clients that can be associated with one radio.

Fragment Threshold
  Specify the maximum length of frames that can be transmitted without fragmentation. When the length
  of a frame exceeds the specified fragment threshold value, it is fragmented.
  • In a wireless network where the error rate is high, you can decrease the fragment threshold by a
    rational value. In this way, when a fragment of a frame is not received, only this fragment rather
    than the whole frame needs to be retransmitted, and thus the throughput of the wireless network is
    improved.
  • In a wireless network where no collision occurs, you can increase the fragment threshold by a
    rational value to decrease acknowledgement packets, and increase network throughput.

Beacon Interval
  Interval for sending beacon frames. Beacon frames are transmitted at a regular interval to allow mobile
  clients to join the network. Beacon frames are used for a client to identify nearby APs or network
  control devices.

RTS (CTS)
  There are two data collision avoidance mechanisms, RTS/CTS and CTS-to-self.
  • RTS/CTS: In this mode, an AP sends an RTS packet before sending data to a client. After receiving
    the RTS packet, all the devices within the coverage of the AP will not send data within the specified
    time. Upon receiving the RTS packet, the client sends a CTS packet, ensuring that all the devices
    within the coverage of the client will not send data within the specified time. The RTS/CTS
    mechanism requires two frames to implement data collision avoidance, and thus has a higher cost.
  • CTS-to-Self: In this mode, an AP uses its IP address to send a CTS packet before sending data to a
    client, ensuring that all the devices within the coverage of the AP will not send data within the
    specified time. The CTS-to-Self mechanism uses only one frame to avoid data collision. However, if
    another device is in the coverage of the client, but not in the coverage of the AP, data collision still
    may occur.
  Compared with RTS/CTS, CTS-to-Self reduces the number of control frames. However, data collisions
  still occur when some clients are hidden and thus cannot receive the CTS frames sent by the AP.
  Therefore, the RTS/CTS mechanism can solve the data collision problem in a larger coverage than
  CTS-to-Self.

RTS (CTS) Threshold
  If a frame is larger than the RTS (CTS) threshold, the data collision avoidance mechanism is used.
  A smaller RTS/CTS threshold causes RTS/CTS packets to be sent more often, thus consuming more
  bandwidth. However, the more often RTS/CTS packets are sent, the quicker the system can recover
  from collisions.
  In a high-density WLAN, you can decrease the RTS threshold to reduce collisions in the network.
  IMPORTANT:
  The data collision avoidance mechanism occupies bandwidth. Therefore, this mechanism applies only
  to data frames larger than the RTS/CTS threshold.

DTIM Period
  Number of beacon intervals between delivery traffic indication message (DTIM) transmissions. The AP
  sends buffered broadcast/multicast frames when the DTIM counter reaches 0.

Long Retry Threshold
  Number of retransmission attempts for unicast frames larger than the RTS/CTS threshold.

Short Retry Threshold
  Number of retransmission attempts for unicast frames smaller than the RTS/CTS threshold if no
  acknowledgment is received.

Max Receive Duration
  Interval for which a frame received by an AP can stay in the buffer memory.

Enabling a radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.

Figure 364 Enabling radio

2. Select the box of the target radio.
3. Click Enable.

Locking the channel
1. Select Radio > Radio from the navigation tree to enter the page shown in Figure 365.

Figure 365 Locking a channel

2. Select the box of the target radio.
3. Click Lock Channel.
   • Channel locking takes effect only when the AC adopts the auto mode. For more information
     about automatic channel adjustment, see "Configuring radio parameters."
   • If you enable channel locking and then enable the radio, the AC automatically selects an
     optimal channel, and then locks the channel.
   • When the AC detects any radar signals, it immediately selects another channel even if the
     current channel is locked, and then locks the new channel.
   • If you lock the current channel first, and then enable channel adjustment, channel adjustment
     does not work because the current channel is locked. Therefore, before enabling channel
     adjustment, make sure that the current channel is not locked. If you enable channel adjustment
     and then lock the current channel, the last selected channel is locked. For information about
     channel adjustment, see "Dynamic frequency selection." For more information about channel
     adjustment configuration, see "Setting parameters."

Locking the power
1. Select Radio > Radio from the navigation tree to enter the page shown in Figure 366.

Figure 366 Locking the current power

2. Select the box of the target radio.
3. Click Lock Power.
   • For transmission power configuration, see "Configuring radio parameters."
   • If you lock the current power first, and then enable power adjustment, power adjustment does
     not work because the power is locked. Therefore, before enabling power adjustment, make sure
     that the current power is not locked. If you enable power adjustment, and then lock the current
     power, the last selected power is locked. For information about power adjustment, see "Transmit
     power control." For information about how to configure power adjustment, see "Setting
     parameters."

Configuring data transmit rates

Configuring 802.11a/802.11b/802.11g rates
1. Select Radio > Rate from the navigation tree to enter the rate setting page.

Figure 367 Setting 802.11a/802.11b/802.11g rates

2. Configure 802.11a/802.11b/802.11g rates as described in Table 107.
3. Click Apply.

Table 107 Configuration items

802.11a
  Configure rates (in Mbps) for 802.11a. By default:
  • Mandatory rates: 6, 12, and 24.
  • Supported rates: 9, 18, 36, 48, and 54.
  • Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts
    in a BSS is selected from the mandatory rates supported by all the clients.

802.11b
  Configure rates (in Mbps) for 802.11b. By default:
  • Mandatory rates: 1 and 2.
  • Supported rates: 5.5 and 11.
  • Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts
    in a BSS is selected from the mandatory rates supported by all the clients.

802.11g
  Configure rates (in Mbps) for 802.11g. By default:
  • Mandatory rates: 1, 2, 5.5, and 11.
  • Supported rates: 6, 9, 12, 18, 24, 36, 48, and 54.
  • Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts
    in a BSS is selected from the mandatory rates supported by all the clients.

Configuring 802.11n MCS


Introduction to MCS
Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum
Modulation and Coding Scheme (MCS) index. The MCS data rate table shows relations between data
rates, MCS indexes, and parameters that affect data rates. Sample MCS data rate tables for 20 MHz
and 40 MHz are shown in Table 108 and Table 109, respectively. For the entire table, see IEEE P802.11n
D2.00.
Table 108 and Table 109 indicate that MCS 0 through 7 are for one single spatial stream, and when the
MCS is 7, the data rate is the highest. MCS 8 through 15 are for two spatial streams, and when the MCS
is 15, the data rate is the highest.
Table 108 MCS index table (20 MHz)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0  | 1 | BPSK   | 6.5   | 7.2
1  | 1 | QPSK   | 13.0  | 14.4
2  | 1 | QPSK   | 19.5  | 21.7
3  | 1 | 16-QAM | 26.0  | 28.9
4  | 1 | 16-QAM | 39.0  | 43.3
5  | 1 | 64-QAM | 52.0  | 57.8
6  | 1 | 64-QAM | 58.5  | 65.0
7  | 1 | 64-QAM | 65.0  | 72.2
8  | 2 | BPSK   | 13.0  | 14.4
9  | 2 | QPSK   | 26.0  | 28.9
10 | 2 | QPSK   | 39.0  | 43.3
11 | 2 | 16-QAM | 52.0  | 57.8
12 | 2 | 16-QAM | 78.0  | 86.7
13 | 2 | 64-QAM | 104.0 | 115.6
14 | 2 | 64-QAM | 117.0 | 130.0
15 | 2 | 64-QAM | 130.0 | 144.4

Table 109 MCS index table (40 MHz)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0  | 1 | BPSK   | 13.5  | 15.0
1  | 1 | QPSK   | 27.0  | 30.0
2  | 1 | QPSK   | 40.5  | 45.0
3  | 1 | 16-QAM | 54.0  | 60.0
4  | 1 | 16-QAM | 81.0  | 90.0
5  | 1 | 64-QAM | 108.0 | 120.0
6  | 1 | 64-QAM | 121.5 | 135.0
7  | 1 | 64-QAM | 135.0 | 150.0
8  | 2 | BPSK   | 27.0  | 30.0
9  | 2 | QPSK   | 54.0  | 60.0
10 | 2 | QPSK   | 81.0  | 90.0
11 | 2 | 16-QAM | 108.0 | 120.0
12 | 2 | 16-QAM | 162.0 | 180.0
13 | 2 | 64-QAM | 216.0 | 240.0
14 | 2 | 64-QAM | 243.0 | 270.0
15 | 2 | 64-QAM | 270.0 | 300.0

For example, if you specify the maximum MCS index as 5 for mandatory rates, rates corresponding to
MCS indexes 0 through 5 are configured as 802.11n mandatory rates.
• Mandatory rates must be supported by the AP and the clients that want to associate with the AP.
• Supported rates allow some clients that support both mandatory and supported rates to choose
  higher rates when communicating with the AP.
• Multicast MCS: Specifies 802.11n multicast data rates.
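As an added worked example (not from the HP guide), the following Python derives the values of Table 108 and Table 109 from the 802.11n HT PHY parameters instead of looking them up: each MCS index fixes a modulation and coding rate, a 20 MHz channel carries 52 data subcarriers and a 40 MHz channel 108, and an OFDM symbol lasts 4.0 µs with the 800 ns GI or 3.6 µs with the 400 ns GI. It goes slightly beyond the tables by also listing which rates a given Mandatory Maximum MCS setting enables. The function names (mcs_params, mcs_rate, mcs_table, mandatory_rates) are this example's own.

```python
# Constructed example: rebuild the 802.11n MCS data rate tables from the PHY
# parameters. Values are rounded to one decimal as in the guide's tables.

# Modulation, bits per subcarrier and coding rate (numerator, denominator) for
# MCS 0-7 with one spatial stream; MCS 8-15 repeat the sequence with two streams.
_MCS_BASE = [
    ("BPSK", 1, (1, 2)),
    ("QPSK", 2, (1, 2)),
    ("QPSK", 2, (3, 4)),
    ("16-QAM", 4, (1, 2)),
    ("16-QAM", 4, (3, 4)),
    ("64-QAM", 6, (2, 3)),
    ("64-QAM", 6, (3, 4)),
    ("64-QAM", 6, (5, 6)),
]

# Data subcarriers per OFDM symbol for each channel width.
_DATA_SUBCARRIERS = {20: 52, 40: 108}

# OFDM symbol duration in nanoseconds: 3200 ns of data plus the guard interval.
_SYMBOL_NS = {800: 4000, 400: 3600}


def mcs_params(index):
    """Return (spatial streams, modulation, bits per subcarrier, (num, den))."""
    if not 0 <= index <= 15:
        raise ValueError("MCS index must be 0-15")
    modulation, bits, rate = _MCS_BASE[index % 8]
    return index // 8 + 1, modulation, bits, rate


def mcs_rate(index, width_mhz=20, gi_ns=800):
    """Data rate in Mbps for one MCS index, channel width and guard interval."""
    streams, _, bits, (num, den) = mcs_params(index)
    n_sd = _DATA_SUBCARRIERS[width_mhz]
    t_sym = _SYMBOL_NS[gi_ns]
    # (data bits per symbol across all streams) / (symbol time in ns) * 1000 = Mbps
    return round(streams * bits * num * n_sd * 1000 / (den * t_sym), 1)


def mcs_table(width_mhz):
    """One MCS index table as rows of (index, streams, modulation, 800ns, 400ns)."""
    rows = []
    for index in range(16):
        streams, modulation, _, _ = mcs_params(index)
        rows.append((index, streams, modulation,
                     mcs_rate(index, width_mhz, 800),
                     mcs_rate(index, width_mhz, 400)))
    return rows


def mandatory_rates(max_mcs, width_mhz=20, gi_ns=800):
    """Rates enabled by a Mandatory Maximum MCS of max_mcs (indexes 0..max_mcs)."""
    return [mcs_rate(i, width_mhz, gi_ns) for i in range(max_mcs + 1)]


if __name__ == "__main__":
    for width in (20, 40):
        print(f"MCS index table ({width} MHz)")
        for row in mcs_table(width):
            print("  MCS %2d  %d stream(s)  %-6s  %6.1f  %6.1f" % row)
    print("Mandatory Maximum MCS 5 enables (Mbps):", mandatory_rates(5))
```

Running the block prints both tables; every value matches Table 108 and Table 109, which is a useful check that the tables were transcribed correctly. The multicast MCS rule in Table 110 (20 MHz rates apply even on a 40 MHz radio) corresponds to calling mcs_rate with width_mhz=20 regardless of the radio's bandwidth mode.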

Configuring 802.11n rates
1. Select Radio > Rate from the navigation tree to enter the rate setting page.

Figure 368 Setting 802.11n rate

2. Configure the 802.11n rate as described in Table 110.
3. Click Apply.

Table 110 Configuration items

Mandatory Maximum MCS
  Set the maximum MCS index for 802.11n mandatory rates.
  IMPORTANT:
  If you select the client dot11n-only option, you must configure the mandatory maximum MCS.

Multicast MCS
  Set the multicast MCS for 802.11n.
  The multicast MCS is adopted only when all the clients use 802.11n. If a non-802.11n client exists,
  multicast traffic is transmitted at a mandatory MCS data rate.
  IMPORTANT:
  • If you configure a multicast MCS index greater than the maximum MCS index supported by the
    radio, the maximum MCS index is adopted.
  • When the multicast MCS takes effect, the corresponding data rates defined for 20 MHz are adopted
    no matter whether the 802.11n radio operates in 40 MHz mode or in 20 MHz mode.

Supported Maximum MCS
  Set the maximum MCS index for 802.11n supported rates.

NOTE:
When 802.11n radios are used in a mesh WLAN, make sure that they have the same MCS configuration.

Configuring channel scanning
For more information about active and passive scanning, see "Configuring access services."
1. Select Radio > Channel Scan from the navigation tree to enter the page for setting channel
   scanning.

Figure 369 Setting channel scanning

2. Configure channel scanning as described in Table 111.
3. Click Apply.

Table 111 Configuration items

Scan Mode
  Set the scan mode.
  • Auto: Legal channels with the scanning mode under the country/region code are scanned.
  • All: All the channels of the radio band are scanned.

Scan Non-802.11h Channel
  Some 802.11h channels, also called radar channels, overlap some 802.11a channels. If the device
  operates on an overlapping channel, the service quality of the WLAN might be affected. With this
  function enabled, the device selects a working channel from non-802.11h channels belonging to the
  configured district code to avoid channel collision.
  Selecting the Scan Non-802.11h Channel option enables the function of scanning non-802.11h
  channels.
  By default, the scan mode is auto, that is, all channels of the country/region code being set are
  scanned.

Scan Type
  Set the scan type.
  • Active: Active scanning requires a client to send a probe request. This scanning mode enables a
    client to discover APs more easily.
  • Passive: Passive scanning is used by a client when it wants to save battery power. Typically, VoIP
    clients adopt the passive scanning mode.
  For an AP that has the monitoring function:
  • Active: The AP simulates a client to send probe requests during the scanning process.
  • Passive: The AP does not send probe requests during the scanning process.
  If you set active scanning for the AP, it is more likely to discover devices in the WLAN.

Scan Interval
  Set the scan report interval.
  • A longer scan interval enables an AP to discover more devices in the WLAN.
  • A shorter scan interval enables an AP to send scanning reports to an AC more frequently.
  If an AP has the monitoring function, the scan report interval affects whether the scanning results can
  be processed in time and the frequency of message exchanges. Therefore, you need to set the interval
  properly according to the actual network conditions.

5GHz Excluded Channel/2.4GHz Excluded Channel
  To avoid selecting improper channels, you can exclude specific channels from automatic channel
  selection. The excluded channels are not available for initial automatic channel selection, DFS, and
  mesh DFS. This feature does not affect rogue detection and WIDS.
  Select a channel and add it to the 5GHz Excluded Channel or 2.4GHz Excluded Channel.
  By default, no channels exist in the 5GHz Excluded Channel or 2.4GHz Excluded Channel.
  IMPORTANT:
  • The channel exclusion list is not restricted by the country/region code. You can add channels not
    supported by the country/region code to the list, and
changing the country/region code does not change the channel list. The
device will select an available channel from the channels supported by the
country/region code and not in the channel exclusion list. When you
configure this feature, do not add all channels supported by the
country/region code to the channel exclusion list.

This feature takes effect only for initial automatic channel selection, DFS,
and mesh DFS.

If you add an automatically selected channel into the channel exclusion list,

the AC disables the radio, enables the radio, and then selects an available
channel from the channels supported by the country/region code and not
in the channel exclusion list.

If you add an automatically selected primary channel to the channel

exclusion list, the AC selects another available primary channel. If you add
a secondary channel into the channel exclusion list in this case, the AC
selects another secondary channel. If the AP cannot find an available
secondary channel, no channels are available for the wireless, mesh, and
WDS services.
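The rules in Table 111 for combining the country/region channel set, the channel exclusion list, and the Scan Non-802.11h Channel option can be checked offline before they are applied to a radio. The following Python block is an added example written for this guide; it is not the AC's own code, and the channel tables in it (the channels a sample country/region code permits and the set of radar channels) are constructed sample data, not the device's regulatory database. It also flags the misconfiguration the table warns about: an exclusion list that removes every channel the country/region code supports.

```python
"""Candidate channel computation for automatic channel selection (added
example; channel tables are constructed, not the device's regulatory data)."""

# Constructed sample: channels a hypothetical country/region code permits.
COUNTRY_CHANNELS = {
    "2.4GHz": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11],
    "5GHz": [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112,
             149, 153, 157, 161],
}

# Constructed sample: 5 GHz channels treated as 802.11h (radar) channels.
RADAR_CHANNELS_5GHZ = {52, 56, 60, 64, 100, 104, 108, 112}


def candidate_channels(band, excluded, scan_non_80211h=False):
    """Return the channels automatic selection may pick on `band`.

    Rules from Table 111:
      * the exclusion list is not restricted by the country/region code, so
        excluded channels the code does not permit are simply ignored;
      * the device picks from channels supported by the code AND not excluded;
      * with Scan Non-802.11h Channel enabled, radar channels are skipped too.
    """
    excluded = set(excluded)
    result = []
    for ch in COUNTRY_CHANNELS[band]:
        if ch in excluded:
            continue
        if scan_non_80211h and band == "5GHz" and ch in RADAR_CHANNELS_5GHZ:
            continue
        result.append(ch)
    return result


def check_exclusion_list(band, excluded):
    """Report whether the exclusion list leaves automatic selection, DFS and
    mesh DFS any channel at all, and which excluded entries are outside the
    country/region code (kept in the list, but never relevant)."""
    remaining = candidate_channels(band, excluded)
    ignored = sorted(set(excluded) - set(COUNTRY_CHANNELS[band]))
    return {
        "ok": bool(remaining),
        "remaining": remaining,
        "ignored_not_in_country_code": ignored,
    }


if __name__ == "__main__":
    # Channel 12 is not permitted by the sample code, so it is ignored; a later
    # country/region code change would not touch the exclusion list.
    print(candidate_channels("2.4GHz", [1, 6, 12]))
    print(candidate_channels("5GHz", [36], scan_non_80211h=True))
    print(check_exclusion_list("2.4GHz", list(range(1, 15))))
```

Run the block before adding channels to the exclusion list on the Channel Scan page; a result with `ok` set to False means the list would leave the radio without a usable channel.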

Configuring calibration

Setting parameters

1. Select Radio > Calibration from the navigation tree.

2. Click the Parameters tab.

Figure 370 Setting channel calibration

3. Configure channel calibration as described in Table 112.

4. Click Apply.

NOTE:
Channel switching results in temporary service interruption, so use the dynamic channel adjustment function with caution.

Table 112 Configuration items

Basic Setup

Calibration Interval
  Channel and power calibration interval. A calibration interval takes effect on both the mesh network channel calibration and the channel and power calibration of wireless services.

802.11g Protection Mode
  • RTS/CTS: Use RTS/CTS mode to implement 802.11g protection. Before sending data to a client, an AP sends an RTS packet to the client, ensuring that all the devices within the coverage of the AP do not send data in the specified time after receiving the RTS packet. Upon receiving the RTS packet, the client replies with a CTS packet, ensuring that all the devices within the coverage of the client do not send data in the specified time.
  • CTS-to-Self: Use CTS-to-Self mode to implement 802.11g protection. When an AP sends packets to a client, it uses its IP address to send a CTS packet to inform the client that it will send a packet, ensuring that all the devices within the coverage of the AP do not send data in the specified time.
  802.11b devices and 802.11g devices use different modulation modes, so 802.11g protection needs to be enabled for an 802.11g device to send RTS/CTS or CTS-to-Self packets to 802.11b devices, which then defer access to the medium.

802.11g Protection
  • Enable: Enable 802.11g protection.
  • Close: Disable 802.11g protection.
  An AP running 802.11g uses the 802.11g protection function in the following two cases:
  • An 802.11b client is associated with it.
  • It detects APs or clients running 802.11b on the same channel.
  IMPORTANT:
  • Enabling 802.11g protection reduces network performance.
  • Enabling 802.11g protection applies to the second case only, because 802.11g protection is always enabled for the first case.

802.11n Protection Mode
  Both RTS/CTS and CTS-to-Self modes can be adopted. The implementation of the two modes is the same as for 802.11g.

802.11n Protection
  • Enable: Enables 802.11n protection. When non-802.11n wireless devices or non-802.11n clients exist within the coverage of the AP, you need to enable 802.11n protection.
  • Close: Disables 802.11n protection.

Channel Setup
  Follow these guidelines when configuring channel adjustment:
  • Before configuring channel adjustment, make sure the AC adopts the auto channel adjustment mode (for more information, see "Configuring radio parameters"). Otherwise, channel adjustment does not work.
  • If you lock the channel first, and then enable channel adjustment (by selecting Dynamic Channel Select), channel adjustment does not work because the channel is locked. Before enabling channel adjustment, make sure that the channel is not locked.
  • If you enable channel adjustment and then lock the channel, the last selected channel is locked.
  For information about how to lock the channel, see "Locking the channel."

Dynamic Channel Select
  • Close: Disables the DFS function.
  • Auto: With auto DFS enabled, an AC performs DFS for a radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC makes DFS decisions at the calibration interval automatically.
  • Manual: With one-time DFS configured for a radio, an AC performs DFS for the radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval. After that, if you want the AC to perform DFS for the radio again, you have to make this configuration again.
  IMPORTANT:
  If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.

CRC Error Threshold
  Set the CRC error threshold value, in percentage.

Channel Interference Threshold
  Set the channel interference threshold value, in percentage.

Tolerance Factor
  A new channel is selected when either the configured CRC error threshold or the interference threshold is exceeded on the current channel. However, the new channel is not applied until the quality of the current channel is worse than that of the new channel by the tolerance threshold.

Spectrum Management
  • Enable: Enable spectrum management.
  • Close: Disable spectrum management.
  When spectrum management is enabled, the AP advertises its power capability and power constraint to clients.

Power Setup
  Follow these guidelines when configuring power adjustment:
  • If you lock the power first, and then enable power adjustment (by selecting Dynamic Channel Select), power adjustment does not work because the power is locked. Therefore, before enabling power adjustment, make sure that the power is not locked.
  • If you enable power adjustment and then lock the power, the last selected power is locked.
  For information about how to lock the power, see "Locking the power."

Dynamic Power Select
  • Close: Disables transmit power control (TPC).
  • Auto: With auto TPC enabled, the AC performs TPC for an AP upon certain interference and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC makes TPC decisions at the calibration interval automatically.
  • Manual: With one-time TPC configured, an AC performs TPC for the AP upon certain interference, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, if you want the AC to perform TPC for the AP again, you have to make this configuration again.
  IMPORTANT:
  If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.

Max Neighbor Count
  Specify the maximum number of neighbors, which are managed by the same AC.

Power Constraint
  Set the power constraint for all 802.11a radios. After the power constraint is set, the transmission power of a client is the current transmission power minus the configured power constraint value.
  IMPORTANT:
  Enable spectrum management before configuring the power constraint; otherwise, the configuration does not take effect.

Configuring a radio group

With DFS or TPC configured for a radio, the AC calculates the channel quality or power of the radio at the calibration interval. When the result meets a trigger condition, the AC selects a new channel or power for the radio. In an environment where interference is serious, frequent channel or power adjustments may affect user access to the WLAN. In this case, you can configure a radio group to keep the channel or power of the radios in the group unchanged for a specified time. The channel and power of radios not in the radio group are adjusted normally.

After a channel or power adjustment (one-time, auto, or initial DFS or TPC), the channel or power of any radio in the radio group remains unchanged for the specified holddown time. When the holddown time expires, the AC calculates the channel or power again. If the result meets a trigger condition, the channel or power is changed, and the new channel or power remains unchanged for the specified holddown time. This mechanism repeats.

NOTE:
Before entering the Radio Group page, configure channel or power adjustment on the Parameters tab.

1. Select Radio > Calibration from the navigation tree.

2. Click Radio Group.

3. Click Add.
   The Radio Group page appears.

Figure 371 Configuring a radio group

4. Configure the radio group as described in Table 113.

5. Click Apply.

Table 113 Configuration items

Group ID
  ID of the radio group.

Description
  Description of the radio group.
  By default, a radio group has no description.

Channel Holddown Interval
  Specify that the current channel remains unchanged for the specified time after a channel adjustment (manual, automatic, or initial channel selection).
  IMPORTANT:
  The AC immediately selects another channel when it detects any radar signals on the current channel, and then resets the channel holddown timer.

Power Holddown Interval
  Specify that the current power remains unchanged for the specified time after a power adjustment (manual or automatic power adjustment).

Radio List
  • Select the target radios from the Radios Available area, and then click << to add them to the Radios Selected area.
  • Select the radios to be removed from the Radios Selected area, and then click >> to remove them from the radio group.
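The Dynamic Channel Select behaviour in Table 112 (a trigger when either the CRC error threshold or the interference threshold is exceeded, then a switch only when the candidate beats the current channel by the tolerance factor) and the channel holddown of a radio group in Table 113 (with radar detection overriding the holddown and restarting it) combine into one decision rule. The Python model below is an added example written for this guide, not the AC's implementation; the guide does not publish the AC's channel quality formula, so the quality metric (100 minus the two impairment percentages), the unit of the tolerance factor and all channel samples are assumptions made for the example.

```python
"""Model of the DFS decision with thresholds, tolerance factor and radio-group
channel holddown (added example; quality formula and samples are assumed)."""
from dataclasses import dataclass


@dataclass
class ChannelSample:
    channel: int
    crc_error_pct: float      # CRC error rate observed on the channel (%)
    interference_pct: float   # interference observed on the channel (%)
    radar: bool = False       # radar signal detected on the channel


def channel_quality(sample):
    """Assumed quality metric, higher is better: 100 minus both impairments."""
    return max(0.0, 100.0 - sample.crc_error_pct - sample.interference_pct)


@dataclass
class DfsRadio:
    current: int                   # working channel
    crc_threshold: float           # CRC Error Threshold (%)
    interference_threshold: float  # Channel Interference Threshold (%)
    tolerance: float               # Tolerance Factor (assumed: quality points)
    channel_holddown: int = 0      # Channel Holddown Interval (minutes); 0 = not in a radio group
    holddown_left: int = 0         # minutes of holddown still running

    def tick(self, minutes):
        """Let `minutes` of wall-clock time pass on the holddown timer."""
        self.holddown_left = max(0, self.holddown_left - minutes)

    def decide(self, samples):
        """One calibration-interval decision. Returns (channel, reason); the
        channel equals the current one when nothing changes."""
        by_channel = {s.channel: s for s in samples}
        cur = by_channel[self.current]
        # Channels with radar are never candidates.
        others = [s for s in samples if s.channel != self.current and not s.radar]

        # Radar on the working channel: switch at once, even inside a holddown,
        # and restart the holddown timer (Table 113, IMPORTANT).
        if cur.radar:
            if not others:
                return self.current, "radar, no alternative"
            self._switch(max(others, key=channel_quality).channel)
            return self.current, "radar"

        # A running radio-group holddown keeps the channel unchanged.
        if self.holddown_left > 0:
            return self.current, "holddown"

        # Trigger condition: either threshold exceeded on the current channel.
        crc_bad = cur.crc_error_pct > self.crc_threshold
        intf_bad = cur.interference_pct > self.interference_threshold
        if not (crc_bad or intf_bad):
            return self.current, "thresholds not exceeded"
        if not others:
            return self.current, "no alternative"

        # Apply the new channel only if it is better by at least the tolerance.
        best = max(others, key=channel_quality)
        if channel_quality(best) - channel_quality(cur) < self.tolerance:
            return self.current, "within tolerance"
        self._switch(best.channel)
        return self.current, "crc" if crc_bad else "interference"

    def _switch(self, channel):
        self.current = channel
        self.holddown_left = self.channel_holddown


if __name__ == "__main__":
    radio = DfsRadio(current=1, crc_threshold=20, interference_threshold=30,
                     tolerance=15, channel_holddown=20)
    scan = [ChannelSample(1, 25, 10), ChannelSample(6, 5, 5), ChannelSample(11, 10, 20)]
    print(radio.decide(scan))           # switches to channel 6 because of CRC errors
    scan = [ChannelSample(1, 0, 0), ChannelSample(6, 50, 50)]
    print(radio.decide(scan))           # channel 6 is now poor, but the holddown holds
    radio.tick(20)
    print(radio.decide(scan))           # holddown expired: switch back to channel 1
```

The holddown branch is what a radio group buys you: a radio that is not in a group (`channel_holddown=0`) would have switched again on the very next calibration interval.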

Calibration operations

If RRM is not enabled, or the radio to be displayed works on a fixed channel, you can only view the working channel and the power of the radio on the Operations tab of the Radio > Calibration page. Other information, such as the interference observed and the number of neighbors, is displayed only when RRM is enabled, that is, when dynamic power selection or automatic dynamic frequency selection is enabled. For the configuration of RRM parameters, see "Setting parameters."

Displaying channel status

1. Select Radio > Calibration from the navigation tree.

2. On the Operations tab, click the Channel Status tab.

3. Click the desired radio to enter the page for displaying channel status.

Figure 372 Channel status

Table 114 Configuration items

Channel NO
  Running channel.

Neighbor Num
  Number of neighbors on a channel.

Load (%)
  Load detected on a channel.

Utilization (%)
  Channel utilization.

Interference (%)
  Interference detected on a channel.

Packet Error Rate (%)
  Error rate for packets on a channel.

Retransmission Rate (%)
  Retransmission rate on a channel.

Radar Detect
  Radar detection status.

Displaying neighbor information

1. Select Radio > Calibration from the navigation tree.

2. On the Operations tab, click the Neighbor Info tab.

3. Click the desired radio to enter the page for displaying neighbor information.

Figure 373 Neighbor information

Table 115 Field description

AP MAC Address
  MAC address of an AP.

Channel No
  Running channel.

Interference (%)
  Interference detected on a channel.

RSSI (dBm)
  Received signal strength indication (RSSI) of the AP, in dBm.

AP Type
  AP type, managed or unmanaged.

Displaying history information

History information is available only if channel switching or power adjustment occurs after RRM is enabled.

1. Select Radio > Calibration from the navigation tree.

2. On the Operations tab, click History Info.

3. Click the desired radio to enter the page for displaying neighbor information.

Figure 374 History information

Table 116 Field description

Radio
  Radio ID of the AP.

Basic BSSID
  MAC address of the AP.

Chl
  Channel on which the radio operated at the time of the channel or power change.

Power
  Power of the radio at the time of the channel or power change.

Load
  Load observed on the radio, in percentage, at the time of the channel or power change.

Util
  Utilization of the radio, in percentage, at the time of the channel or power change.

Intf
  Interference observed on the radio, in percentage, at the time of the channel or power change.

PER
  Packet error rate observed on a channel, in percentage.

Retry
  Percentage of retransmissions on the radio before/after the change of channel or power.

Reason
  Reason for the change of channel or power, such as interference, packets discarded, retransmission, radar, or coverage.

Date
  Date when the channel or power change occurred.

Time
  Time when the channel or power change occurred.

Selecting an antenna

1. Select Radio > Antenna Switch to select an appropriate antenna for the corresponding radio.

2. Select either Internal Antenna or User-Default external antenna for a specific radio from the Antenna list.

3. Click Apply.

Figure 375 Antenna switch

Configuring spectrum analysis

Support for this feature depends on the device model.

Configuring the operating mode for an AP

The channels that an AP can detect depend on the operating mode of the AP:

• When operating in normal mode, an AP can only detect interference devices and channel quality, and collect FFT data for its working channel.

• When operating in monitor or hybrid mode, the channels that an AP can detect depend on the scan channel command. If you configure the scan channel auto command, the AP detects interference devices and channel quality, and collects FFT data for the channels supported by the country code. If you configure the scan channel all command, the AP detects interference devices and channel quality, and collects FFT data for all channels.

HP recommends that you enable spectrum analysis for APs operating in monitor or hybrid mode.

For information about how to configure the operating mode for an AP, see "Configuring WLAN IDS."

Configuring spectrum analysis

This section configures spectrum analysis on 2.4 GHz radios.

Select Radio > Spectrum Analysis from the navigation tree, and click 802.11bg.

Figure 376 Spectrum analysis

Enabling spectrum analysis

The AP begins to detect interference and channel quality, and collects FFT data, when spectrum analysis is enabled.

Table 117 Configuration items

Spectrum Analysis
  • Enable: Enable spectrum analysis.
  • Disable: Disable spectrum analysis.
  By default, spectrum analysis is disabled.

Enable spectrum analysis on a radio
  See "Enabling spectrum analysis on a radio."
  IMPORTANT:
  Spectrum analysis takes effect only when enabled both globally and on a radio.

Device Types to Detect
  Specify the device types to detect.
  • To add a device type to the Device Types area, select a device type in the Device Types to Detect area, and click <<.
  • To remove a device type from the Device Types area, select a device type in this area, and click >>.
  By default, all device types in the Device Types to Detect area are detected.

Configuring event-driven RRM

This function enables the AC to start calculating the channel quality, and to switch to a new channel with a higher quality, when the channel quality is lower than the sensitivity level and an interference device is detected.

Table 118 Configuration items

Event Driven RRM
  • Enable: Enable event-driven RRM.
  • Disable: Disable event-driven RRM.
  By default, spectrum analysis does not trigger channel adjustment.

Sensitivity Threshold
  • High: Specify the high sensitivity threshold.
  • Low: Specify the low sensitivity threshold.
  • Medium: Specify the medium sensitivity threshold.
  By default, the sensitivity threshold is medium.

Enabling SNMP traps

This function enables the AC to send SNMP traps to the NMS when it detects an interference device or detects that the channel quality is lower than the alarm threshold.

Table 119 Configuration items

Configure channel quality trap

Channel Quality Trap
  • Enable: The AC sends SNMP traps to the NMS when the channel quality is lower than the threshold.
  • Disable: The AC does not send SNMP traps to the NMS when the channel quality is lower than the threshold.
  By default, the AC sends SNMP traps to the NMS when the channel quality is lower than the threshold.

Trap Threshold
  Channel quality trap threshold.

Configure interference device trap

Interference Trap
  • Enable: The AC sends SNMP traps to the NMS when an interference device is detected.
  • Disable: The AC does not send SNMP traps to the NMS when an interference device is detected.
  By default, the AC sends SNMP traps to the NMS when an interference device is detected.

Trap on Device Types
  Configure the AC to send SNMP traps to the NMS when a specified interference device is detected.
  • To add a device type to the Device Types area, select a device type in the Trap on Device Types area, and click <<.
  • To remove a device type from the Device Types area, select a device type in this area, and click >>.
  By default, all device types in the Trap on Device Types area are detected.
  IMPORTANT:
  Before using this function, you must select the target devices in the Device Types to Detect area. Otherwise, the interference device trap does not take effect.

348

Enabling spectrum analysis on a radio

1. Select Radio > Spectrum Analysis from the navigation tree.

2. Click Radio.

Figure 377 Enabling spectrum analysis

3. Select the radio for which spectrum analysis is to be enabled.

4. Click Enable.

Displaying interference device state

1. Select Radio > Spectrum Analysis from the navigation tree.

2. Click Interference Info.
   You can view the non-802.11 interference devices detected by the AP.

Figure 378 Displaying interference device state

Table 120 Field description

Severity Index
  Interference severity level in the range of 1 to 100. A greater value indicates a stronger interference.

Duty Cycle(%)
  Percentage of time for which the interference device was active.

Signal Strength
  Signal strength of the detected interference device.

Displaying channel quality information

1. Select Radio > Spectrum Analysis from the navigation tree.

2. Click Channel Quality Info.

Figure 379 Displaying channel quality information

Manual channel adjustment configuration example

Network requirements

As shown in Figure 380, configure manual channel adjustment on the AC so that the AC can perform manual channel adjustment when the channel of AP 1 is unavailable.

Figure 380 Network diagram

Configuration guidelines

If you select manual channel adjustment, click Channel Optimize on the Operation tab every time you perform manual channel adjustment.

Configuration procedure

1. Before you configure manual channel adjustment, configure AP 1 on the AC to establish a connection between them.
   For the related configuration, see "Configuring access services."

2. Configure manual channel adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. Select the Parameters tab.
   c. Select Manual from the Dynamic Channel Select list.
   d. Click Apply.

Figure 381 Configuring manual channel adjustment

3. Perform manual channel adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. On the Operation tab, select the box of the target radio.
   c. Click Channel Optimize.

Figure 382 Performing manual channel adjustment

Verifying the configuration

• You can view the channel status on the Operation tab, which you enter by selecting Radio > Calibration from the navigation tree.

• After you perform manual channel calibration, the AC informs the AP of the adjusted channel after a calibration interval.

• You can view detailed information, such as the specific reason for the channel adjustment, on the History Info tab, which you enter by selecting Radio > Calibration from the navigation tree, clicking Operation, and then clicking History Info.

Automatic power adjustment configuration example

Network requirements

As shown in Figure 383, AP 1 through AP 3 are connected to the AC. Configure automatic power adjustment and specify the adjacency factor as 3 on the AC. In this way, when AP 4 joins, the AC performs automatic power adjustment to avoid interference.

Figure 383 Network diagram

Configuration procedure

1. Before you configure automatic power adjustment, configure AP 1 through AP 3 on the AC to establish a connection between the AC and each AP.
   For the related configuration, see "Configuring access services."

2. Configure automatic power adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. Click the Parameters tab.
   c. Select Auto from the Dynamic Power Select list.
   d. Click Apply.

Figure 384 Configuring automatic power adjustment

Verifying the configuration

• You can view the power of each AP on the Operation tab, which you enter by selecting Radio > Calibration from the navigation tree.

• When AP 4 joins (the adjacency number becomes 3), the maximum number of neighbors reaches the upper limit (3 by default), and the AC performs power adjustment after the calibration interval. You can view detailed information, such as the decrease of the Tx power value, on the History Info tab, which you enter by selecting Radio > Calibration from the navigation tree, selecting the Operation tab, and then selecting History Info.

Radio group configuration example

Network requirements

As shown in Figure 385, AP 1 through AP 3 are connected to the AC.

• Configure automatic channel adjustment so that the AC can automatically switch the channel when the signal quality on a channel is degraded to a certain level.

• Configure automatic power adjustment so that the AC can automatically adjust the power when the third neighbor is discovered (in other words, when AP 4 joins) to avoid interference.

• Add radio 2 of AP 1 and radio 2 of AP 2 to a radio group to prevent frequent channel or power adjustments for the radios.

Figure 385 Network diagram

Configuration procedure

1. Before you configure a radio group, configure AP 1 through AP 3 on the AC to establish a connection between the AC and each AP.
   For the related configuration, see "Configuring access services."

2. Configure automatic channel and power adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. Click the Parameters tab.
   c. Select Auto from the Dynamic Channel Select list, select Auto from the Dynamic Power Select list, and click Apply.

Figure 386 Configuring automatic channel and power adjustment

3. Configure a radio group:
   a. Select Radio > Calibration from the navigation tree.
   b. Click Radio Group.
   c. Click Add.
   d. On the page that appears, enter the channel holddown interval 20 and enter the power holddown interval 30.
   e. In the Radios Available area, select the target radios and click << to add them to the Radios Selected area.
   f. Click Apply.

Figure 387 Configuring the radio group

Verifying the configuration

• The working channel of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 20 minutes after each automatic channel adjustment.

• The power of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 30 minutes after each automatic power adjustment.

Spectrum analysis configuration example

Network requirements

As shown in Figure 388, AP 1 is operating in normal mode to provide WLAN access services. AP 2 is operating in monitor mode to detect interference, channel quality, and FFT data. If AP 2 detects a microwave oven or Bluetooth device, AP 2 notifies the AC, which sends alarms to the NMS.

Figure 388 Network diagram (NMS, Client, AP 1, AC, Switch, AP 2, microwave oven, Bluetooth device)

Configuration procedure

1. Configure AP 1 to operate in normal mode. For more information, see "Configuring WLAN access."

2. Configure AP 2 to operate in monitor mode. For more information, see "Configuring WLAN security."

3. Enable spectrum analysis on a specified radio:
   a. Select Radio > Spectrum Analysis from the navigation tree.
   b. Click Radio.

Figure 389 Configuring radio

   c. Select the radio with the radio mode 802.11n(2.4GHz).
   d. Click Enable.

4. Enable spectrum analysis globally on 2.4 GHz radios:
   a. Select Radio > Spectrum Analysis from the navigation tree.
   b. Click 802.11bg.
   c. Enable spectrum analysis, disable the channel quality trap (enabled by default), and keep Microwave oven and Bluetooth in the Trap on Device Types area (remove the other devices from the area by selecting them and clicking >>).
   d. Click OK.

Figure 390 Configuring spectrum analysis

Verifying the configuration

• Select Radio > Spectrum Analysis from the navigation tree, and click Interference Info to display information about the non-802.11 interference detected by AP 2.

• Select Radio > Spectrum Analysis from the navigation tree, and click Channel Quality Info to display the channel quality information detected by AP 2.

358

Configuring 802.1X

802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for the security of wireless LANs (WLANs). It has been widely used on Ethernet networks for access control.

802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, a WLAN for example, that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. It is described in the Security Configuration Guide for the product.

Overview

802.1X architecture

802.1X operates in the client/server model. It has three entities: the client (supplicant), the network access device (authenticator), and the authentication server, as shown in Figure 391.

Figure 391 802.1X architecture (Client, Device, Authentication server)

• Client: A user terminal seeking access to the LAN. It must have 802.1X software to authenticate to the network access device.

• Network access device: Authenticates the client to control access to the LAN. In a typical 802.1X environment, the network access device uses an authentication server to perform authentication.

• Authentication server: Provides authentication services for the network access device. The authentication server authenticates 802.1X clients by using the data sent from the network access device, and returns the authentication results for the network access device to make access decisions. The authentication server is typically a RADIUS server. In a small LAN, you can also use the network access device as the authentication server.

For more information about the 802.1X protocol, see HP WX Series Access Controllers Security Configuration Guide.

Access control methods

HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.

• Port-based access control: Once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

• MAC-based access control: Each user is authenticated separately on a port. When a user logs off, no other online users are affected.

802.1X timers

This section describes the timers used on an 802.1X device to guarantee that the client, the device, and the RADIUS server can interact with each other properly.

• Username request timeout timer: Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

• Client timeout timer: Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

• Server timeout timer: Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

• Handshake timer: Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off. For information about how to enable the online user handshake function, see "Configuring 802.1X on a port."

• Quiet timer: Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

• Periodic online user re-authentication timer: Sets the interval at which the network device periodically re-authenticates online 802.1X users. For information about how to enable periodic online user re-authentication on a port, see "Configuring 802.1X on a port."
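The difference between the two access control methods, and the way the handshake timer turns a silent client into a logoff, is easiest to see in a small model of the authenticator's per-port state. The Python block below is an added example written for this guide, not HP's 802.1X implementation; the port names, MAC addresses and the handshake request limit in it are constructed for the example, and the device's real limit is whatever is configured on the port.

```python
"""Model of 802.1X port-based vs MAC-based access control plus the handshake
timer logoff rule (added example; names, MACs and limits are constructed)."""


class Authenticator:
    """Tracks which clients may pass traffic on each 802.1X-controlled port."""

    def __init__(self, mode, max_handshakes=3):
        if mode not in ("port", "mac"):
            raise ValueError("mode must be 'port' or 'mac'")
        self.mode = mode
        self.max_handshakes = max_handshakes   # assumed handshake request limit
        # port -> {mac: number of consecutive unanswered handshake requests}
        self.authenticated = {}

    def authenticate(self, port, mac, success):
        """Record the authentication server's verdict for a client."""
        if success:
            self.authenticated.setdefault(port, {})[mac] = 0
        return success

    def allows(self, port, mac):
        """Would a frame from `mac` on `port` be forwarded?"""
        users = self.authenticated.get(port, {})
        if self.mode == "port":
            # Port-based: once any user has passed, the port is open to all.
            return bool(users)
        # MAC-based: only the authenticated MAC itself is admitted.
        return mac in users

    def logoff(self, port, mac):
        """Log a user off; returns the MACs that lost access."""
        users = self.authenticated.get(port, {})
        if mac not in users:
            return []
        if self.mode == "port":
            # The authenticated user's logoff closes the port for everyone.
            gone = sorted(users)
            users.clear()
            return gone
        del users[mac]
        return [mac]

    def handshake_ok(self, port, mac):
        """A handshake reply arrived: reset the miss counter."""
        users = self.authenticated.get(port, {})
        if mac in users:
            users[mac] = 0

    def handshake_timeout(self, port, mac):
        """A handshake request got no reply within the handshake timer.
        After max_handshakes unanswered requests the client is considered
        logged off. Returns True when that happened."""
        users = self.authenticated.get(port, {})
        if mac not in users:
            return False
        users[mac] += 1
        if users[mac] >= self.max_handshakes:
            self.logoff(port, mac)
            return True
        return False


if __name__ == "__main__":
    # Constructed MACs and port names.
    port_based = Authenticator("port")
    port_based.authenticate("GE1/0/1", "0011-2233-4455", True)
    # A second, unauthenticated device on the same port rides on the first.
    print(port_based.allows("GE1/0/1", "6677-8899-aabb"))   # True
    print(port_based.logoff("GE1/0/1", "0011-2233-4455"))   # everyone is off

    mac_based = Authenticator("mac")
    mac_based.authenticate("GE1/0/2", "0011-2233-4455", True)
    print(mac_based.allows("GE1/0/2", "6677-8899-aabb"))    # False
```

The `allows` check in port mode is the property to weigh when choosing the method: on a port that may carry more than one device (an unmanaged switch or hub downstream), port-based control admits every device behind it as soon as one of them authenticates, whereas MAC-based control admits each device only after its own authentication.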

Configuration prerequisites

Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For
more information, see "Configuring AAA" and "Configuring RADIUS."

If you use RADIUS authentication, create user accounts on the RADIUS server.

If you use local authentication, create local user accounts on the access device and use the LAN
access service.

If you want to use EAP relay when the RADIUS server does not support any EAP authentication
method or no RADIUS server is available, configure the EAP server function on your network access
device.

NOTE:
Configure 802.1X on a wired port. Wireless ports support only the port security feature, and the port
security is enabled by default on the wireless ports.

Configuration procedure

1. Configuring 802.1X globally
Description: Required. Enable 802.1X authentication globally and configure the authentication method and advanced parameters. By default, 802.1X authentication is disabled globally.

2. Configuring 802.1X on a port
Description: Required. Enable 802.1X authentication on specified ports and configure 802.1X parameters for the ports. By default, 802.1X authentication is disabled on a port.

Configuring 802.1X globally

1. From the navigation tree, select Authentication > 802.1X.

Figure 392 802.1X global configuration

2. In the 802.1X Configuration area, select the Enable 802.1X box.

3. Select an authentication method for 802.1X users. Options include CHAP, PAP, and EAP.
CHAP: Sets the access device to perform EAP termination and use CHAP to communicate with the RADIUS server.
PAP: Sets the access device to perform EAP termination and use PAP to communicate with the RADIUS server.
EAP: Sets the access device to relay EAP packets, so that any EAP authentication method can be used with the RADIUS server.
When you choose between EAP relay and EAP termination, consider the following factors:
Whether the RADIUS server supports EAP packets.
The authentication methods supported by the 802.1X client and the RADIUS server.
If the client uses only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use either EAP termination or EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay.
4. Click Advanced to expand the advanced 802.1X configuration area.

Figure 393 Advanced configuration

5. Configure advanced 802.1X settings as described in Table 121.

6. Click Apply.

Table 121 Configuration items

Quiet
Specify whether to enable the quiet timer.
The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.

Quiet Period
Set the value of the quiet timer.

Retry Times
Set the maximum number of authentication request attempts.
The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the TX Period option or the Supplicant Timeout Time option). The network access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response.

TX Period
Set the username request timeout timer.

Handshake Period
Set the handshake timer.

Re-Authentication Period
Set the periodic online user re-authentication timer.

Supplicant Timeout Time, Server Timeout Time
Set the client and server timeout timers.
TIP:
You can set the client timeout timer to a high value in a low-performance network, and adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.
For more information about 802.1X timers, see "802.1X timers."

IMPORTANT:
Do not change the timer parameters of global 802.1X from their default values unless you have determined that the changes would improve the interaction process.

Configuring 802.1X on a port

1. From the navigation tree, select Authentication > 802.1X to enter the page, as shown in Figure 392.
The Ports With 802.1X Enabled area shows the 802.1X configuration on ports.

2. Click Add.

Figure 394 802.1X configuration on a port

3. Configure 802.1X features on a port as described in Table 122.

4. Click Apply.

Table 122 Configuration items

Port
Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports are available.
NOTE:
802.1X is mutually exclusive with link aggregation group configuration on a port.

Port Control
Set the access control method for the port: MAC Based or Port Based.
NOTE:
To use both 802.1X and portal authentication on a port, you must select MAC Based.

Port Authorization
Select the port authorization state for 802.1X. Options include:
Auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in authorized state to allow access to the network. You can use this option in most scenarios.
Force-Authorized: Places the port in authorized state, enabling users on the port to access the network without authentication.
Force-Unauthorized: Places the port in unauthorized state, denying any access requests from users on the port.

Max Number of Users
Set the maximum number of concurrent 802.1X users on the port.

Enable Handshake
Specify whether to enable the online user handshake function.
The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the Handshake Period setting. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times setting) has been made, the network access device sets the user in offline state. For information about the timers, see "802.1X timers."
NOTE:
If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.

Enable Re-Authentication
Specify whether to enable periodic online user re-authentication on the port.
Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in Table 121.
NOTE:
The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication, even if the function is not configured. Support for the server assignment of the re-authentication timer and the re-authentication timer configuration on the server vary with servers.
The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.

Guest VLAN
Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an 802.1X guest VLAN."

Enable MAC VLAN
Select the box to enable MAC-based VLAN.
NOTE:
Only hybrid ports support the feature.

Auth-Fail VLAN
Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X authentication.
For more information, see "Configuring an Auth-Fail VLAN."

Configuring an 802.1X guest VLAN


Configuration guidelines

You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different
ports can be different.

Assign different IDs to the default VLAN and 802.1X guest VLAN on a port, so the port can correctly
process incoming VLAN tagged traffic.

With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member.
After the assignment, do not re-configure the port as a tagged member in the VLAN.

Use Table 123 when you configure multiple security features on a port.

Table 123 Relationships of the 802.1X guest VLAN and other security features

Feature: MAC authentication guest VLAN on a port that performs MAC-based access control
Relationship: Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC authentication guest VLAN.

Feature: 802.1X Auth-Fail VLAN on a port that performs MAC-based access control
Relationship: The 802.1X Auth-Fail VLAN has a higher priority.

Feature: Port intrusion protection on a port that performs MAC-based access control
Relationship: The 802.1X guest VLAN function has higher priority than the block MAC action, but lower priority than the shutdown port action of the port intrusion protection feature.

Configuration prerequisites

Create the VLAN to be specified as the 802.1X guest VLAN.

If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger at
the CLI. (802.1X multicast trigger is enabled by default.)

If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an
untagged member.

Configuring an Auth-Fail VLAN


Configuration guidelines

You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on
different ports can be different.

Assign different IDs to the default VLAN and 802.1X Auth-Fail VLAN on a port, so the port can
correctly process VLAN tagged incoming traffic.

Use Table 124 when you configure multiple security features on a port.

Table 124 Relationships of the 802.1X Auth-Fail VLAN with other features

Feature: MAC authentication guest VLAN on a port that performs MAC-based access control
Relationship: The 802.1X Auth-Fail VLAN has a higher priority.

Feature: Port intrusion protection on a port that performs MAC-based access control
Relationship: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action, but lower priority than the shutdown port action of the port intrusion protection feature.

Configuration prerequisites

Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.

If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.
(802.1X multicast trigger is enabled by default.)

If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged
member.


Configuring portal authentication


Overview
Portal authentication helps control access to the Internet. It is also called Web authentication. A website
implementing portal authentication is called a portal website.
With portal authentication, an access device redirects all users to the portal authentication page. All
users can access the free services provided on the portal website. However, to access the Internet, a user
must pass portal authentication.
A user can access a known portal website and enter username and password for authentication. This
authentication mode is called active authentication. There is also another authentication mode, forced
authentication, in which the access device forces a user who is trying to access the Internet through HTTP
to log on to a portal website for authentication.
The portal feature provides the flexibility for ISPs to manage services. A portal website can, for example,
present advertisements and deliver community and personalized services. In this way, broadband
network providers, equipment vendors, and content service providers form an industrial ecological
system.
A typical portal system comprises these basic components: authentication client, access device, portal
server, authentication/accounting server, and security policy server.
Figure 395 Portal system components (authentication clients, access device, portal server, authentication/accounting server, and security policy server)

The components of a portal system interact in the following procedure:

1. When an unauthenticated user enters a website address in the browser's address bar to access the Internet, an HTTP request is created and sent to the access device. The access device then redirects the HTTP request to the portal server's Web authentication homepage. For extended portal functions, authentication clients must run the portal client software.

2. On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the access device.

3. Upon receipt of the authentication information, the access device communicates with the authentication/accounting server for authentication and accounting.

4. After successful authentication, the access device checks whether there is a corresponding security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the access device and the security policy server for a security check. If the client passes the security check, the security policy server authorizes the user to access the Internet resources.

NOTE:
The Web interface of the device supports configuring portal authentication only on Layer 3 interfaces. For
more information about portal authentication, see HP WX Series Access Controllers Security
Configuration Guide.

Configuration prerequisites
Although the portal feature provides a solution for user identity authentication and security checking, the
portal feature cannot implement this solution by itself. RADIUS authentication needs to be configured on
the access device to cooperate with the portal feature to complete user authentication.
The prerequisites for portal authentication configuration are as follows:

The portal server and the RADIUS server have been installed and configured properly. Local portal
authentication requires no independent portal server.

With re-DHCP authentication, the IP address check function of DHCP relay is enabled on the access
device, and the DHCP server is installed and configured properly.

The portal client, access device, and servers can reach each other.

With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS
server, and the RADIUS client configurations are performed on the access device. For information
about RADIUS client configuration, see "Configuring RADIUS."

To implement extended portal functions, install and configure IMC EAD. Make sure the ACLs
configured on the access device correspond to those specified for the resources in the quarantined
area and for the restricted resources on the security policy server. For information about security
policy server configuration on the access device, see "Configuring RADIUS."

Configuration procedure

1. Configuring the portal service
Remarks: Required. Configure a portal server, apply the portal server to a Layer 3 interface, and configure the portal authentication parameters. By default, no portal server is configured.

2. Configuring advanced parameters for portal authentication
Remarks: Optional. Specify an auto redirection URL, set the time that the device must wait before redirecting an authenticated user to the auto redirection URL, and add Web proxy server port numbers.

3. Configuring a portal-free rule
Remarks: Optional. Configure a portal-free rule, specifying the source and destination information for packet filtering. A portal-free rule allows specified users to access specified external websites without portal authentication. Packets matching a portal-free rule will not trigger portal authentication and the users can directly access the specified external websites. By default, no portal-free rule is configured.

Configuring the portal service

1. From the navigation tree, select Authentication > Portal.
The portal server configuration page appears.

Figure 396 Portal server configuration

TIP:
On the page shown in Figure 396, the portal service applied on a Layer 3 interface can be in either of the following states:
Running: Portal authentication has taken effect on the interface.
Enabled: Portal authentication has been enabled on the interface, but has not taken effect.

2. Click Add to enter the portal service application page.

Figure 397 Portal service application

3. Configure the portal application settings as described in Table 125.

4. Click Apply.

Table 125 Configuration items

Interface
Specify the Layer 3 interface to be enabled with portal authentication.

Portal Server
Specify the portal server to be applied on the specified interface. Options include:
Select Server: Select an existing portal server from the Portal Server list.
New Server: If you select Add under this option from the list, the portal server configuration area, as shown in Figure 398, is displayed at the lower part of the page. You can add a remote portal server and apply the portal server to the interface. For detailed configuration, see Table 126.
Enable Local Server: If you select this option from the list, the local portal service configuration area, as shown in Figure 399, is displayed at the lower part of the page. You can configure the parameters for the local portal service. For detailed configuration, see Table 127.

Method
Specify the portal authentication mode:
Direct: Direct portal authentication.
Layer3: Cross-subnet portal authentication.
Re DHCP: Re-DHCP portal authentication.
IMPORTANT:
In cross-subnet portal authentication mode, Layer 3 forwarding devices are not required to be present between the authentication client and the access device. However, if they are present, you must select the cross-subnet portal authentication mode.
In re-DHCP portal authentication mode, a client is allowed to send out packets using a public IP address before it passes portal authentication. However, responses to the packets are restricted.
If the local portal server is used, you can configure the re-DHCP mode but it does not take effect.

Auth Network IP, Network Mask
Specify the IP address and mask of the authentication subnet. This field is configurable when you select the Layer3 mode (cross-subnet portal authentication).
By configuring an authentication subnet, you specify that only HTTP packets from users on the authentication subnet can trigger portal authentication. If an unauthenticated user is not on any authentication subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule.
IMPORTANT:
The authentication subnet in direct mode is any source IP address, and that in re-DHCP mode is the private subnet to which the interface's private IP address belongs.

Authentication Domain
Specify the authentication domain for Layer 3 portal users.
After you specify an authentication domain on a Layer 3 interface, the device uses the authentication domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carried in the usernames. You can specify different authentication domains for different interfaces as needed.
The available authentication domains are those specified on the page you enter by selecting Authentication > AAA from the navigation tree. For more information, see "Configuring AAA."

Figure 398 Adding a portal server

Table 126 Configuration items

Server Name
Enter a name for the remote portal server.

IP
Enter the IP address of the remote portal server.

Key
Enter the shared key to be used for communication between the device and the remote portal server.

Port
Enter the port number of the remote portal server.

URL
Specify the URL for HTTP packet redirection, in the format http://ip-address. By default, the IP address of the portal server is used in the URL.
IMPORTANT:
The redirection URL supports domain name resolution. However, you must configure a portal-free rule and add the DNS server address into the portal-free address range.

Figure 399 Local portal service configuration

Table 127 Configuration items

Server Name
Specify the local portal server name.

IP
Specify the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied.

URL
Specify the URL for HTTP packet redirection, in the format http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm (depending on the protocol type). By default, the IP address of the local portal server is used in the URL.
IMPORTANT:
To use the local portal server for stateful failover in a wireless environment, you must specify the redirection URL, and the IP address in the URL must be the virtual IP address of the VRRP group where the VRRP downlink resides.
URL redirection supports domain name resolution, but you need to configure a portal-free rule and add the DNS server address into the portal-free address range.

Protocol
Specify the protocol to be used for authentication information exchange between the local portal server and the client. It can be HTTP or HTTPS.

PKI Domain
Specify the PKI domain for HTTPS. This field is configurable when you select HTTPS.
The available PKI domains are those specified on the page you enter by selecting Authentication > Certificate Management from the navigation tree. For more information, see "Managing certificates."
IMPORTANT:
The service management, local portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the one referenced in the other two modules.

Page Customization (SSID, Page File)
Specify the authentication page files to be bound with SSIDs as required.
After you bind SSIDs with authentication page files, when a user accesses the portal page, the local portal server pushes the authentication pages according to the SSID of the user login interface and the bound authentication page file.
By default, an SSID is not bound with any authentication page file. In this case, the system pushes the default authentication pages.
You can edit an authentication page file as required and save it in the root directory or the portal directory under the root directory of the access device. For rules of customizing authentication pages, see "Customizing authentication pages."

Configuring advanced parameters for portal authentication

1. From the navigation tree, select Authentication > Portal.

2. Expand the Advanced area to show the advanced parameters for portal authentication.

Figure 400 Advanced configuration

3. Configure the advanced parameters as described in Table 128.

4. Click Apply.

Table 128 Advanced portal parameters

Web Proxy Server Ports
Add the Web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication.
Different clients may have different Web proxy configurations. To make sure that clients using a Web proxy can trigger portal authentication, you must first complete some other relevant configurations. When the IMC portal server is used, you must first complete the following configurations:
If the client does not specify the portal server's IP address as a proxy exception, ensure IP connectivity between the portal server and the Web proxy server and perform the following configurations on the IMC portal server:
Select NAT as the type of the IP group associated with the portal device.
Specify the proxy server's IP address as the IP address after NAT.
Configure the port group to support NAT.
If the client specifies the portal server's IP address as an exception of the Web proxy server, configure the IP group and port group to not support NAT.
IMPORTANT:
If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, add the port numbers of the Web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.
If the Web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host enabled with the HTTP service.
Authorized ACLs to be assigned to users who have passed portal authentication must contain a rule that permits the Web proxy server's IP address. Otherwise, the user cannot receive heartbeat packets from the remote portal server.

Redirection URL
Specify the auto redirection URL to which users will be automatically redirected after they pass portal authentication.
To access the network, an unauthenticated user either goes to or is automatically forced to the portal authentication page for authentication. If the user passes portal authentication and the access device is configured with an auto redirection URL, the access device redirects the user to the URL after a specified period of time.

Wait-Time
Period of time that the device must wait before redirecting an authenticated portal user to the auto redirection URL.

Configuring a portal-free rule

1. From the navigation tree, select Authentication > Portal.

2. Click the Free Rule tab.

Figure 401 Portal-free rule configuration

3. Click Add.
The page for adding a new portal-free rule appears.

Figure 402 Adding a portal-free rule

4. Configure the portal-free rule as described in Table 129.

5. Click Apply.

Table 129 Configuration items

Number
Specify the sequence number of the portal-free rule.

Source-interface
Specify the source interface of the portal-free rule.
The SSIDs in the list are the corresponding SSIDs of the wireless ESS interfaces.

Source IP address, Mask
Specify the source IP address and mask of the portal-free rule.

Source MAC
Specify the source MAC address of the portal-free rule.
IMPORTANT:
If you configure both the source IP address and the source MAC address, make sure that the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified source MAC address will not take effect.

Source-VLAN
Specify the source VLAN of the portal-free rule.
IMPORTANT:
If you configure both a source interface and a source VLAN for a portal-free rule, make sure that the source interface is in the source VLAN. Otherwise, the portal-free rule will not take effect.

Destination IP Address, Mask
Specify the destination IP address and mask of the portal-free rule.

Customizing authentication pages


When the local portal server is used for portal authentication, the local portal server pushes
authentication pages. You can define the authentication pages for users. Otherwise, the local portal
server pushes the default authentication pages.
Customized authentication pages exist in the form of HTML files. You can compress them, and then save
them in the storage medium of the access device.
A set of authentication pages includes six main pages and their page elements.
The six main pages are the logon page, the logon success page, the logon failure page, the online page,
the system busy page, and the logoff success page.
The page elements are the files that the authentication pages reference. For example, back.jpg is for
page Logon.htm. Each main authentication page can reference multiple page elements. If you define
only some of the main pages, the local portal server pushes the default authentication pages for the
undefined ones.
For the local portal server to operate normally and steadily, use the following rules in this section when
customizing authentication pages.

File name rules


The names of the main authentication page files cannot be changed. You can define the names of the
files other than the main authentication page files. File names and directory names are case-insensitive.
Table 130 Main authentication page file names

Logon page: logon.htm
Logon success page: logonSuccess.htm
Logon failure page: logonFail.htm
Online page (pushed after the user gets online, for online notification): online.htm
System busy page (pushed when the system is busy or the user is in the logon process): busy.htm
Logoff success page: logoffSuccess.htm

Page request rules


The local portal server supports only Post and Get requests.

Get requests: Used to get the static files in the authentication pages, and allow no recursion. For example, if file logon.htm includes contents that perform a Get action on file ca.htm, file ca.htm cannot include any reference to file logon.htm.

Post requests: Used when users submit usernames and passwords, log on to the system, and log off the system.

Post request attribute rules

1. Observe the following requirements when editing a form of an authentication page:
An authentication page can have multiple forms, but there must be one and only one form whose action is logon.cgi. Otherwise, user information cannot be sent to the local portal server.
The username attribute is fixed as PtUser. The password attribute is fixed as PtPwd.
Attribute PtButton is required to indicate the action that the user requests, either Logon or Logoff.
A logon Post request must contain the PtUser, PtPwd, and PtButton attributes.
A logoff Post request must contain the PtButton attribute.

2. Authentication pages logon.htm and logonFail.htm must contain the logon Post request.
The following example shows part of the script in page logon.htm.
<form action=logon.cgi method = post >
<p>User name:<input type="text" name = "PtUser" style="width:160px;height:22px" maxlength=64>
<p>Password :<input type="password" name = "PtPwd" style="width:160px;height:22px" maxlength=32>
<p><input type=SUBMIT value="Logon" name = "PtButton" style="width:60px;" onclick="form.action=form.action+location.search;">
</form>

3. Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request.
The following example shows part of the script in page online.htm.
<form action=logon.cgi method = post >
<p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;">
</form>

Page file compression and saving rules

A set of authentication page files must be compressed into a standard .zip file. The name of a .zip
file can contain only letters, numbers, and underscores. The .zip file of the default authentication
pages must be saved with name defaultfile.zip.

The set of authentication pages must be located in the root directory of the .zip file.

Zip files can be transferred to the device through FTP or TFTP. The default authentication pages file
must be saved in the root directory of the device, and other authentication files can be saved in the
root directory or in the portal directory under the root directory of the device.

File size and content rules


The following size and content requirements for authentication pages allow the system to push customized authentication pages smoothly:

The size of the zip file of each set of authentication pages, including the main authentication pages
and the page elements, must be no more than 500 KB.

The size of an uncompressed page, including the main authentication page and its page elements,
must be no more than 50 KB.

Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
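The Post request attribute rules, the compression and saving rules, and the size and content rules above can all be checked mechanically before a page set is transferred to the device. The following is an added example, not HP code and not part of this guide: it validates a page set .zip against those rules, and the page sets it builds are constructed for the demonstration (pt_private.js is outside its scope).

```python
"""Added example (not HP code): validate a customized local-portal page set against the file
name, Post request attribute, compression and size rules of this section. Samples are constructed."""
import io, re, zipfile
from html.parser import HTMLParser

MAIN_PAGES = {"logon.htm", "logonsuccess.htm", "logonfail.htm", "online.htm", "busy.htm", "logoffsuccess.htm"}
LOGON_FORM_PAGES = {"logon.htm", "logonfail.htm"}       # need PtUser, PtPwd, PtButton
LOGOFF_FORM_PAGES = {"logonsuccess.htm", "online.htm"}  # need PtButton
STATIC_EXT = (".htm", ".html", ".js", ".css", ".jpg", ".jpeg", ".gif", ".png")
MAX_ZIP_BYTES = 500 * 1024   # whole compressed set
MAX_PAGE_BYTES = 50 * 1024   # one page plus the elements it references, uncompressed


class PageScanner(HTMLParser):
    """Collects every form (action, method, input names) and every src/href reference."""
    def __init__(self):
        super().__init__()
        self.forms, self.refs, self._cur = [], set(), None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        self.refs.update(a[k].split("?")[0].lower() for k in ("src", "href") if k in a)
        if tag == "form":
            self._cur = (a.get("action", "").lower(), a.get("method", "").lower(), set())
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur[2].add(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def check_forms(page, scanner):
    """Post request attribute rules for one logon or logoff page."""
    logon_forms = [f for f in scanner.forms if f[0].endswith("logon.cgi")]
    if len(logon_forms) != 1:
        return [f"{page}: expected exactly one form with action logon.cgi, found {len(logon_forms)}"]
    _, method, names = logon_forms[0]
    need = {"PtUser", "PtPwd", "PtButton"} if page in LOGON_FORM_PAGES else {"PtButton"}
    problems = [] if method == "post" else [f"{page}: the logon.cgi form must use method post"]
    if need - names:
        problems.append(f"{page}: logon.cgi form lacks {sorted(need - names)}")
    return problems


def validate_page_set(zip_name, zip_bytes):
    """Return the list of rule violations; an empty list means the set is acceptable."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9_]+\.zip", zip_name):
        problems.append(f"zip name {zip_name!r}: only letters, digits and underscores are allowed")
    if len(zip_bytes) > MAX_ZIP_BYTES:
        problems.append(f"zip is {len(zip_bytes)} bytes, limit is {MAX_ZIP_BYTES}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return problems + ["not a standard .zip file"]
    files = {i.filename: zf.read(i.filename) for i in zf.infolist() if not i.is_dir()}
    by_lower = {n.lower(): n for n in files}   # file names are case-insensitive
    for name in files:
        if "/" in name:
            problems.append(f"{name}: pages must be in the root directory of the zip")
        if not name.lower().endswith(STATIC_EXT):
            problems.append(f"{name}: only static content (HTML, JS, CSS, pictures) is allowed")
    for page in sorted(MAIN_PAGES & set(by_lower)):
        real, scanner = by_lower[page], PageScanner()
        scanner.feed(files[real].decode("utf-8", "replace"))
        size = len(files[real]) + sum(len(files[by_lower[r]]) for r in scanner.refs if r in by_lower)
        if size > MAX_PAGE_BYTES:
            problems.append(f"{real}: page plus its elements is {size} bytes, limit is {MAX_PAGE_BYTES}")
        if page in LOGON_FORM_PAGES | LOGOFF_FORM_PAGES:
            problems.extend(check_forms(page, scanner))
    return problems


def build_zip(entries):
    """Constructed helper: pack {name: bytes} into an in-memory .zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample pages built from the form fragments shown in this section.
LOGON_FORM = (b'<form action=logon.cgi method = post ><input type="text" name = "PtUser" maxlength=64>'
              b'<input type="password" name = "PtPwd" maxlength=32>'
              b'<input type=SUBMIT value="Logon" name = "PtButton"></form>')
LOGOFF_FORM = b'<form action=logon.cgi method = post ><input type=SUBMIT value="Logoff" name="PtButton"></form>'
GOOD_SET = build_zip({
    "logon.htm": b'<html><body><img src="back.jpg">' + LOGON_FORM + b'</body></html>',
    "logonFail.htm": b'<html><body>' + LOGON_FORM + b'</body></html>',
    "logonSuccess.htm": b'<html><body>' + LOGOFF_FORM + b'</body></html>',
    "online.htm": b'<html><body>' + LOGOFF_FORM + b'</body></html>',
    "back.jpg": b"\xff\xd8" + b"\0" * 1000,   # placeholder picture, not a real JPEG
})
# Faulty set: logon form lacks PtPwd, a page sits in a subdirectory, a non-static file is packed in.
BAD_SET = build_zip({
    "logon.htm": b'<form action=logon.cgi method=post><input name="PtUser"><input name="PtButton"></form>',
    "pages/online.htm": b'<html>' + LOGOFF_FORM + b'</html>',
    "helper.php": b"<?php echo 1; ?>",
})
```

Run validate_page_set("customset.zip", GOOD_SET) to get an empty list, and validate_page_set("bad-set.zip", BAD_SET) to get four violations (the hyphenated zip name is the fourth).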

Logging off a user who closes the logon success or online page
After a user passes authentication, the system pushes the logon success page named logonSuccess.htm.
If the user initiates another authentication through the logon page, the system pushes the online page
named online.htm. You can configure the device to forcibly log off the user when the user closes either
of these two pages. To do so, add the following contents in logonSuccess.htm and online.htm:
1. Reference to file pt_private.js.
2. Function pt_unload(), which is for triggering page unloading.
3. Function pt_submit(), the event handler function for Form.
4. Function pt_init(), which is for triggering page loading.
The following is a script example with the added contents highlighted in gray:
<html>
<head>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
<form action=logon.cgi method = post onsubmit="pt_submit()">
... ...
</body>
</html>

If a user refreshes the logon success or online page, or jumps to another website from either of the pages, the device also logs off the user.
Google Chrome browsers do not support this function.

Make sure that the browser of an authentication client permits pop-ups or permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page, and can only click Cancel to return to the logon success or online page.

Redirecting authenticated users to a specific webpage


To make the device automatically redirect authenticated users to a specified webpage, do the following
in logon.htm and logonSuccess.htm:
1. In logon.htm, set the target attribute of Form to blank. See the contents in gray:
<form method=post action=logon.cgi target="blank">

2. Add the function for page loading pt_init() to logonSuccess.htm. See the contents in gray:
<html>
<head>
<title>LogonSuccessed</title>
<script type="text/javascript" language="javascript"
src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
</body>
</html>

HP recommends using browser IE 6.0 or later on the authentication clients.

Portal authentication configuration example


Network requirements
As shown in Figure 403, the wireless client belongs to VLAN 2 and accesses the network through the AP, which belongs to VLAN 3. The model and serial ID of the AP are MSM460-WW and CN2AD330S8, respectively.
The AC supports the local portal server, which runs HTTPS. The local portal server can push the corresponding customized pages according to the SSID of the user logon interface.
A RADIUS server (running on IMC) serves as the authentication/accounting server.
The client must pass direct portal authentication to access Internet resources. Before authentication, the client can access only the local portal server.


Figure 403 Network diagram

Configuration prerequisites
Complete the following tasks before you perform the portal configuration:

Configure IP addresses for the devices, as shown in Figure 403, and make sure they can reach each
other.

Configure PKI domain test, and make sure that a local certificate and a CA certificate are obtained
successfully. For more information, see "Managing certificates."

Complete the editing of the authentication page files to be bound with the client SSID.

Configure the RADIUS server properly to provide authentication and accounting functions for users.

Configuring the AC
1. Configure the RADIUS scheme system:
a. From the navigation tree, select Authentication > RADIUS.
b. Click Add.
c. On the page that appears, enter the scheme name system, select the server type Extended, and
select Without domain name for Username Format.
d. In the RADIUS Server Configuration area, click Add.
e. On the page that appears, select Primary Authentication as the server type, enter the IP
address 1.1.1.2, the port number 1812, and the key expert, enter expert again in the Confirm
Key field, and click Apply.
The RADIUS server configuration page closes, and the RADIUS Server Configuration area on
the RADIUS scheme configuration page displays the authentication server you have just
configured.
f. In the RADIUS Server Configuration area, click Add.
g. On the page that appears, select Primary Accounting as the server type, enter the IP address
1.1.1.2, the port number 1813, and the key expert, enter expert again in the Confirm Key field,
and click Apply.
The RADIUS server configuration page closes, and the RADIUS Server Configuration area on
the RADIUS scheme configuration page displays the accounting server you have just
configured.
h. Click Apply.


Figure 404 Configuring the RADIUS scheme

2. Configure ISP domain test as the default domain:
a. From the navigation tree, select Authentication > AAA.
The Domain Setup tab appears.
b. Enter the domain name test, and select Enable from the Default Domain list.
c. Click Apply.


Figure 405 Creating an ISP domain

3. Configure an authentication method for the ISP domain:
a. Click the Authentication tab.
b. Select the domain name test.
c. Select the Default AuthN box, and then select RADIUS as the authentication mode.
d. From the Name list, select system to use it as the authentication scheme.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.


Figure 406 Configuring the authentication method for the ISP domain

4. Configure an authorization method for the ISP domain:
a. Click the Authorization tab.
b. Select the Default AuthZ box, and then select RADIUS as the authorization mode.
c. From the Name list, select system to use it as the authorization scheme.
d. Click Apply.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.

Figure 407 Configuring the authorization method for the ISP domain

5. Configure an accounting method for the ISP domain:
a. Click the Accounting tab.
b. Select the domain name test.
c. Select the Accounting Optional box, and then select Enable for this parameter.
d. Select the Default Accounting box, and then select RADIUS as the accounting mode.
e. From the Name list, select system to use it as the accounting scheme.
f. Click Apply.
The configuration progress dialog box appears.
g. After the configuration process is complete, click Close.
Figure 408 Configuring the accounting method for the ISP domain

6. Create an AP:
a. From the navigation tree, select AP > AP Setup.
b. Click Create.
c. Enter the AP name ap1.
d. Select model MSM460-WW.
e. Select the manual mode for serial ID, and then enter the serial ID CN2AD330S8.
f. Click Apply.

Figure 409 Creating an AP

7. Create a wireless service:
a. From the navigation tree, select Wireless Service > Access Service.
b. Click New.
c. On the page as shown in Figure 410, enter the wireless service name abc, select clear as the
wireless service type, and click Apply.
The wireless service configuration page appears.


Figure 410 Creating a wireless service

d. On the page as shown in Figure 411, enter 2 in the VLAN (Untagged) field, enter 2 in the
Default VLAN field, and click Apply.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 411 Configuring parameters for the wireless service

8. Enable the wireless service:
a. On the wireless service list as shown in Figure 412, select the box before wireless service abc.
b. Click Enable.
A configuration progress dialog box appears.
c. After the configuration process is complete, click Close.


Figure 412 Enabling the wireless service

9. Bind an AP radio with the wireless service:
a. On the wireless service list, click the icon in the Operation column of wireless service abc.

b. On the page that appears, select the box before ap1 with the radio mode of 802.11n(5GHz).
c. Click Bind.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.


Figure 413 Binding an AP radio

10. Enable radio:


a. From the navigation tree, select Radio > Radio.
b. Select the box before ap1 with the radio mode of 802.11n(5GHz).
c. Click Enable.


Figure 414 Enabling 802.11n(5GHz) radio

11. Configure portal authentication:


a. From the navigation tree, select Authentication > Portal.
b. Click Add.
c. Configure a portal server:
Select interface Vlan-interface2.
Select Enable Local Server for Portal Server.
Select Direct as the authentication method.
Select the authentication domain test.
Enter 192.168.1.1 as the server IP address.
Select HTTPS as the protocol type.
Select test as the PKI domain.
Select Page Customization.
Select the authentication page file ssid1.zip for SSID abc.
d. Click Apply.


Figure 415 Portal service application

12. Configure a portal-free rule for port Bridge-Aggregation 1:


a. Click the Free Rule tab.
b. Click Add.
c. On the page that appears, enter the rule number 0, and select the source interface
Bridge-Aggregation1.
d. Click Apply.


Figure 416 Configuring a portal-free rule for port Bridge-Aggregation 1

Verifying the configuration


When a user accesses subnet 1.1.1.0/24 by using a Web browser, the user is redirected to page
https://192.168.1.1/portal/logon.htm. After entering the correct username and password on the
webpage, the user passes the authentication.


Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It provides the following security functions:

Authentication: Identifies users and determines whether a user is valid.

Authorization: Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.

Accounting: Records all network service usage information, including the service type, start time, and traffic. The accounting function provides information required for charging and allows for network security surveillance.

AAA can be implemented through multiple protocols. The device supports RADIUS. For more information,
see "Configuring RADIUS."
AAA typically uses a client/server model. The client runs on the network access server (NAS) and the
server maintains user information centrally. In an AAA network, the NAS is a server for users, but a client
for AAA servers.
Figure 417 AAA application scenario

AAA allows you to manage users based on their access types:

LAN users: Users on a LAN who must pass 802.1X or MAC address authentication to access the network.

Login users: Users who want to log in to the device, including SSH users, Telnet users, FTP users, and terminal users.

Portal users: Users who must pass portal authentication to access the network.

PPP users: Users who access through PPP.

To improve device security, AAA provides command authorization for login users. Command
authorization enables the NAS to defer to the authorization server to determine whether a command
entered by a login user is permitted for the user, and allows login users to execute only authorized
commands.

For more information about AAA and ISP, see HP WX Series Access Controllers Security Configuration
Guide.

Configuration prerequisites

To deploy local authentication, configure local users on the access device. See "Configuring users."

To deploy remote authentication, authorization, or accounting, create the RADIUS schemes to be referenced. See "Configuring RADIUS."

Configuration procedure

Step 1: Configuring an ISP domain
Remarks: Optional. Create ISP domains and specify one of them as the default ISP domain. By default, there is an ISP domain named system, which is the default ISP domain.

Step 2: Configuring authentication methods for the ISP domain
Remarks: Optional. Configure authentication methods for various types of users. By default, all types of users use local authentication.

Step 3: Configuring authorization methods for the ISP domain
Remarks: Optional. Specify the authorization methods for various types of users. By default, all types of users use local authorization.

Step 4: Configuring accounting methods for the ISP domain
Remarks: Required. Specify the accounting methods for various types of users. By default, all types of users use local accounting.

Configuring an ISP domain
1. From the navigation tree, select Authentication > AAA.
The Domain Setup page appears.

Figure 418 Domain Setup page

2. Configure an ISP domain as described in Table 131.
3. Click Apply.

Table 131 Configuration items

Domain Name: Enter an ISP domain name for uniquely identifying the domain. You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).

Default Domain: Specify whether to use the ISP domain as the default domain. Options include:
Enable: Uses the domain as the default domain.
Disable: Uses the domain as a non-default domain.
There can only be one default domain at a time. If you specify a second domain as the default domain, the original default domain will become a non-default domain.

Configuring authentication methods for the ISP domain
1. From the navigation tree, select Authentication > AAA.
2. Click the Authentication tab to enter the authentication method configuration page.

Figure 419 Authentication method configuration page

3. Configure authentication methods for different types of users in the domain, as described in Table 132.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.

Table 132 Configuration items

Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.

Default AuthN, Name, Secondary Method: Configure the default authentication method and secondary authentication method for all types of users. Options include:
HWTACACS: HWTACACS authentication. You must specify the HWTACACS scheme to be used.
Local: Local authentication.
None: No authentication. This method trusts all users and is not for general use.
RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set: The device uses the default authentication setting, which is local authentication.

LAN-access AuthN, Name, Secondary Method: Configure the authentication method and secondary authentication method for LAN users. Options include:
Local: Local authentication.
None: No authentication. This method trusts all users and is not for general use.
RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default AuthN area for LAN users.

Login AuthN, Name, Secondary Method: Configure the authentication method and secondary authentication method for login users. Options include:
HWTACACS: HWTACACS authentication. You must specify the HWTACACS scheme to be used.
Local: Local authentication.
None: No authentication. This method trusts all users and is not for general use.
RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default AuthN area for login users.

PPP AuthN, Name, Secondary Method: Configure the authentication method and secondary authentication method for PPP users. Options include:
HWTACACS: HWTACACS authentication. You must specify the HWTACACS scheme to be used.
Local: Local authentication.
None: No authentication. This method trusts all users and is not for general use.
RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default AuthN area for PPP users.

Portal AuthN, Name, Secondary Method: Configure the authentication method and secondary authentication method for portal users. Options include:
Local: Local authentication.
None: No authentication. This method trusts all users and is not for general use.
RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default AuthN area for portal users.

Configuring authorization methods for the ISP domain
1. From the navigation tree, select Authentication > AAA.
2. Click the Authorization tab to enter the authorization method configuration page.

Figure 420 Authorization method configuration page

3. Configure authorization methods for different types of users in the domain, as described in Table 133.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.

Table 133 Configuration items

Select an ISP domain: Select the ISP domain for which you want to specify authorization methods.

Default AuthZ, Name, Secondary Method: Configure the default authorization method and secondary authorization method for all types of users. Options include:
HWTACACS: HWTACACS authorization. You must specify the HWTACACS scheme to be used.
Local: Local authorization.
None: This method trusts all users and assigns default rights to them.
RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set: The device uses the default authorization setting, which is local authorization.

LAN-access AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for LAN users. Options include:
Local: Local authorization.
None: This method trusts all users and assigns default rights to them.
RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default AuthZ area for LAN users.

Login AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for login users. Options include:
HWTACACS: HWTACACS authorization. You must specify the HWTACACS scheme to be used.
Local: Local authorization.
None: This method trusts all users and assigns default rights to them.
RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default AuthZ area for login users.

PPP AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for PPP users. Options include:
HWTACACS: HWTACACS authorization. You must specify the HWTACACS scheme to be used.
Local: Local authorization.
None: This method trusts all users and assigns default rights to them.
RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default AuthZ area for PPP users.

Portal AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for portal users. Options include:
Local: Local authorization.
None: This method trusts all users and assigns default rights to them.
RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default AuthZ area for portal users.

Command AuthZ, Name: Configure the authorization method for command users. Options include:
HWTACACS: HWTACACS authorization. You must specify the HWTACACS scheme to be used.
Not Set: The device uses the settings in the Default AuthZ area for command users.

Configuring accounting methods for the ISP domain
1. From the navigation tree, select Authentication > AAA.
2. Click the Accounting tab to enter the accounting method configuration page.

Figure 421 Accounting method configuration page

3. Configure accounting methods for different types of users in the domain, as described in Table 134.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.

Table 134 Configuration items

Select an ISP domain: Select the ISP domain for which you want to specify accounting methods.

Accounting Optional: Specify whether to enable the accounting optional feature. With the feature enabled, a user that would otherwise be disconnected can use the network resources even when no accounting server is available or communication with the current accounting server fails. If accounting for such a user fails, the device will not send real-time accounting updates for the user anymore.

Default Accounting, Name, Secondary Method: Configure the default accounting method and secondary accounting method for all types of users. Options include:
HWTACACS: HWTACACS accounting. You must specify the HWTACACS scheme to be used.
Local: Local accounting.
None: No accounting.
RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set: The device uses the default accounting setting, which is local accounting.

LAN-access Accounting, Name, Secondary Method: Configure the accounting method and secondary accounting method for LAN users. Options include:
Local: Local accounting.
None: No accounting.
RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default Accounting area for LAN users.

Login Accounting, Name, Secondary Method: Configure the accounting method and secondary accounting method for login users. Options include:
HWTACACS: HWTACACS accounting. You must specify the HWTACACS scheme to be used.
Local: Local accounting.
None: No accounting.
RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default Accounting area for login users.

PPP Accounting, Name, Secondary Method: Configure the accounting method and secondary accounting method for PPP users. Options include:
HWTACACS: HWTACACS accounting. You must specify the HWTACACS scheme to be used.
Local: Local accounting.
None: No accounting.
RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default Accounting area for PPP users.

Portal Accounting, Name, Secondary Method: Configure the accounting method and secondary accounting method for portal users. Options include:
Local: Local accounting.
None: No accounting.
RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set: The device uses the settings in the Default Accounting area for portal users.

AAA configuration example


Network requirements
As shown in Figure 422, configure the AC to perform local authentication, authorization, and accounting
for Telnet users.
Figure 422 Network diagram

Configuration procedure
1. Configure a local user:
a. From the navigation tree, select Authentication > Users.
The local user management page appears.
b. Click Add.
c. Enter telnet as the username.
d. Enter abcd as the password.
e. Enter abcd again to confirm the password.
f. Select Common User as the user type.
g. Select Configure as the level.
h. Select Telnet as the service type.
i. Click Apply.

Figure 423 Configuring the local user

2. Configure ISP domain test:
a. From the navigation tree, select Authentication > AAA.
The Domain Setup page appears, as shown in Figure 424.
b. Enter test as the domain name.
c. Click Apply.


Figure 424 Configuring ISP domain test

3. Configure the ISP domain to use local authentication for login users:
a. From the navigation tree, select Authentication > AAA.
b. Click the Authentication tab.
c. Select the domain test.
d. Select the Login AuthN box, and then select the authentication method Local.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.

Figure 425 Configuring the ISP domain to use local authentication

4. Configure the ISP domain to use local authorization for login users:
a. From the navigation tree, select Authentication > AAA.
b. Click the Authorization tab.
c. Select the domain test.
d. Select the Login AuthZ box, and then select the authorization method Local.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 426 Configuring the ISP domain to use local authorization

5. At the CLI, enable the Telnet service and configure the AC to use AAA for Telnet users.
<AC> system-view
[AC] telnet server enable
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit

Verifying the configuration


Telnet to the AC and enter the username telnet@test and password abcd. You are serviced as a user in
domain test.


Configuring RADIUS
Overview
The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication,
Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks
against unauthorized access, and is often used in network environments where both high security and
remote user access are required. RADIUS defines the packet format and message transfer mechanism,
and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.
RADIUS provides access authentication and authorization services. Its accounting function collects and
records network resource usage information.
For more information about AAA and RADIUS, see HP WX Series Access Controllers Security
Configuration Guide.

Configuration guidelines
When you configure the RADIUS client, follow these guidelines:

Accounting for FTP users is not supported.

If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.

The status of RADIUS servers (blocked or active) determines which servers the device will communicate with or turn to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the device chooses servers based on these rules:

When the primary server is in active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the device changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.

Once the accounting process of a user starts, the device keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user cannot be delivered to the server any more.

If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in active state from scratch: it checks the primary server (if any) first and then the secondary servers in the order they are configured.

When the primary server and secondary servers are all in blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.

If one server is in active state, but all the others are in blocked state, the device only tries to communicate with the server in active state, even if the server is unavailable.

After receiving an authentication/accounting response from a server, the device changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.

It is a good practice to use the recommended real-time accounting intervals listed in Table 135.

Table 135 Recommended real-time accounting intervals

Number of users      Real-time accounting interval (in minutes)
1 to 99
100 to 499
500 to 999           12
1000 or more         15
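The server selection rules in the guidelines above are easier to reason about as a small state machine. The following Python class is an added example, not the device's own code and not an HP implementation: it tracks each server's active/blocked state, the quiet timer, and the configuration order (an earlier secondary is tried first), and `demo()` walks through the rules with a fake clock and a constructed outage pattern. The quiet time is given in seconds here purely for the simulation (the device configures it in minutes); the server names and IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

ACTIVE, BLOCKED = "active", "blocked"


@dataclass
class RadiusServer:
    name: str
    ip: str
    primary: bool = False
    state: str = ACTIVE
    blocked_at: Optional[float] = None   # clock reading when the quiet timer started


class RadiusServerSelector:
    """Simulation of the selection rules above; not the device's own code."""

    def __init__(self, servers: List[RadiusServer], quiet_time: float,
                 clock: Callable[[], float]):
        self.servers = servers        # configuration order: earlier secondaries are tried first
        self.quiet_time = quiet_time  # seconds in this simulation (minutes on the device)
        self.clock = clock

    def _expire_quiet_timers(self) -> None:
        # A blocked server returns to active when its quiet timer expires.
        for s in self.servers:
            if (s.state == BLOCKED and s.blocked_at is not None
                    and self.clock() - s.blocked_at >= self.quiet_time):
                s.state, s.blocked_at = ACTIVE, None

    def _search_order(self) -> List[RadiusServer]:
        self._expire_quiet_timers()
        active = [s for s in self.servers if s.state == ACTIVE]
        if not active:
            # All servers blocked: the device talks to the primary server only.
            return [s for s in self.servers if s.primary][:1]
        if len(active) == 1:
            # One active server left: only it is tried, even if it is unavailable.
            return active
        # Primary first, then the active secondaries in configuration order.
        return [s for s in active if s.primary] + [s for s in active if not s.primary]

    def _block(self, s: RadiusServer) -> None:
        # Quiet time 0: an unreachable server keeps its active status.
        if self.quiet_time > 0:
            s.state, s.blocked_at = BLOCKED, self.clock()

    def on_response(self, source_ip: str) -> None:
        """A response from a blocked server (matched by source IP) makes it active again."""
        for s in self.servers:
            if s.ip == source_ip and s.state == BLOCKED:
                s.state, s.blocked_at = ACTIVE, None

    def send(self, reachable: Callable[[RadiusServer], bool]) -> Optional[RadiusServer]:
        """One search process: each candidate is tried once; None means the attempt failed."""
        for s in self._search_order():
            if reachable(s):
                self.on_response(s.ip)
                return s
            self._block(s)
        return None


def demo() -> List[Optional[str]]:
    """Walk through the rules with a fake clock and a constructed outage pattern."""
    now = [0.0]
    down = {"10.1.1.1"}                          # constructed: which servers are unreachable
    sel = RadiusServerSelector(
        [RadiusServer("primary", "10.1.1.1", primary=True),
         RadiusServer("secondary1", "10.1.1.2"),
         RadiusServer("secondary2", "10.1.1.3")],
        quiet_time=300, clock=lambda: now[0])
    picked: List[Optional[str]] = []

    def step() -> None:
        s = sel.send(lambda srv: srv.ip not in down)
        picked.append(s.name if s else None)

    step()                      # primary fails and is blocked; secondary1 answers
    step()                      # primary still in quiet time: secondary1 again, primary not retried
    now[0] = 301.0              # quiet timer expired: primary is active and tried first
    down.clear()
    step()                      # primary answers
    down.update({"10.1.1.1", "10.1.1.2", "10.1.1.3"})
    step()                      # every server fails in one search: all blocked, attempt fails
    step()                      # all blocked: only the primary is tried, still down
    down.discard("10.1.1.1")
    step()                      # primary answers and returns to active
    down.add("10.1.1.1")
    step()                      # only the primary is active: secondaries are not tried
    return picked


if __name__ == "__main__":
    print(demo())   # ['secondary1', 'secondary1', 'primary', None, None, 'primary', None]
```

The last two steps of `demo()` show the two rules that most often surprise operators: once every server is blocked the device goes back to the primary only, and while a single server is active the device will not fall through to a blocked secondary even if that secondary has recovered. Setting the quiet time to 0 (see Table 137 below) disables the blocking entirely, which the class models by leaving the server active after a failed attempt.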

Configuring a RADIUS scheme


A RADIUS scheme defines a set of parameters that the device uses to exchange information with the
RADIUS servers. There might be authentication servers and accounting servers, or primary servers and
secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and
the RADIUS server type. By default, no RADIUS scheme exists.
To configure a RADIUS scheme:
1. From the navigation tree, select Authentication > RADIUS.

Figure 427 RADIUS scheme list

2. Click Add.

Figure 428 RADIUS scheme configuration page

3. Enter a scheme name.
4. Select a server type and a username format.

Table 136 Configuration items

Server Type: Select the type of the RADIUS servers supported by the device:
Standard: Standard RADIUS servers. The RADIUS client and server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
Extended: Extended RADIUS servers, usually running on IMC. The RADIUS client and server communicate by using the proprietary RADIUS protocol and packet format.

Username Format: Select the format of usernames to be sent to the RADIUS server. Typically, a username is in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server does not accept a username that contains an ISP domain name, configure the device to remove the domain name of a username before sending it to the RADIUS server.
Original format: Configure the device to send the username of a user on an "as is" basis.
With domain name: Configure the device to include the domain name in a username.
Without domain name: Configure the device to remove the domain name from a username.

5. Click the expand button before Advanced in the Common Configuration area to expand the advanced configuration area.

Figure 429 Advanced configuration area

6. Configure the advanced parameters.

Table 137 Configuration items

Authentication Key, Confirm Authentication Key, Accounting Key, Confirm Accounting Key: Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets.
The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets. They verify the validity of packets through the specified shared key. The client and the server can receive and respond to packets from each other only when they use the same shared key.
IMPORTANT:
The shared keys configured on the device must be consistent with those configured on the RADIUS servers.
The shared keys configured in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part.

Quiet Time: Set the time the device keeps an unreachable RADIUS server in blocked state.
If you set the quiet time to 0, when the device needs to send an authentication or accounting request but finds that the current server is unreachable, it does not change the server's status that it maintains. It simply sends the request to the next server in active state. As a result, when the device needs to send a request of the same type for another user, it still tries to send the request to the server because the server is in active state.
You can use this parameter to control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable because the device's port for connecting the server is out of service temporarily or the server is busy, you can set the time to 0 so that the device uses the primary server as much as possible.

Server Response Timeout Time, Request Transmission Attempts: Set the RADIUS server response timeout time and the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
If the device sends a RADIUS request to a RADIUS server but receives no response within the specified server response timeout time, it retransmits the request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure. Setting a proper value according to the network conditions helps in improving the system performance.
IMPORTANT:
The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75.

Realtime Accounting Interval: Set the interval for sending real-time accounting information. The interval must be a multiple of 3.
To implement real-time accounting, the device must send real-time accounting packets to the accounting server for online users periodically.
Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when a large number of users (1000 or more) exist. For more information about the recommended real-time accounting intervals, see "Configuration guidelines."
408

Item

Description

Realtime Accounting Attempts

Set the maximum number of attempts for sending a real-time accounting


request.
Specify the unit for data flows sent to the RADIUS server:

Unit for Data Flows

Byte.
Kilo-byte.
Mega-byte.
Giga-byte.

Specify the unit for data packets sent to the RADIUS server:
Unit for Packets

One-packet.
Kilo-packet.
Mega-packet.
Giga-packet.

Enable or disable the EAP offload function.


Some RADIUS servers do not support EAP authentication. They cannot process
EAP packets. In this case, it is necessary to preprocess the EAP packets
received from clients on the access device. This is where the EAP offload
function comes in.
Enable EAP offload

Security Policy Server

After receiving an EAP packet, the access device enabled with the EAP offload
function first converts the authentication information in the EAP packet into the
corresponding RADIUS attributes through the local EAP server, encapsulates
the EAP packet into a RADIUS request and then sends the request to the
RADIUS server for authentication. When the RADIUS server receives the
request, it analyzes the carried authentication information, encapsulates the
authentication result in a RADIUS packet, and then sends the packet to the
local EAP server on the access device for subsequent interaction with the client.
Specify the IP address of the security policy server.
Specify the source IP address for the device to use in RADIUS packets sent to
the RADIUS server.

RADIUS Packet Source IP

HP recommends you to use a loopback interface address instead of a physical


interface address as the source IP address, because if the physical interface is
down, the response packets from the server cannot reach the device.
Specify the backup source IP address for the device to use in RADIUS packets
sent to the RADIUS server.

RADIUS Packet Backup


Source IP

In a stateful failover environment, the backup source IP address must be the


source IP address for the remote device to use in RADIUS packets sent to the
RADIUS server.
Configuring the backup source IP address in a stateful failover environment
makes sure that the backup server can receive the RADIUS packets sent from
the RADIUS server when the master device fails.

Buffer stop-accounting
packets

Enable or disable buffering of stop-accounting requests for which no responses


are received.

409

Item

Description
Set the maximum number of stop-accounting attempts.
The maximum number of stop-accounting attempts, together with some other
parameters, controls how the NAS deals with stop-accounting request packets.

Stop-Accounting Attempts

Suppose that the RADIUS server response timeout period is three seconds, the
maximum number of transmission attempts is five, and the maximum number of
stop-accounting attempts is 20. For each stop-accounting request, if the device
receives no response within three seconds, it retransmits the request. If it
receives no responses after retransmitting the request five times, it considers
the stop-accounting attempt a failure, buffers the request, and makes another
stop-accounting attempt. If 20 consecutive attempts fail, the device discards
the request.
Enable or disable the accounting-on feature.

Send accounting-on packets

The accounting-on feature enables a device to send accounting-on packets to


RADIUS servers after it reboots, making the servers forcedly log out users who
logged in through the device before the reboot.
IMPORTANT:
When enabling the accounting-on feature on a device for the first time, you must
save the configuration so that the feature takes effect after the device reboots.

Accounting-On Interval

Set the interval for sending accounting-on packets. This field is configurable
only when the Send accounting-on packets option is selected.

Accounting-On Attempts

Set the maximum number of accounting-on packets transmission attempts. This


field is configurable only when the Send accounting-on packets option is
selected.

Attribute
Interpretation

7.

Enable or disable the device to interpret the RADIUS class attribute as CAR
parameters.

In the RADIUS Server Configuration area, click Add.

Figure 430 RADIUS server configuration page

8. Configure a RADIUS server for the RADIUS scheme as described in Table 138.
9. Click Apply to add the server to the RADIUS scheme.
10. Repeat step 7 through step 9 to add more RADIUS servers to the RADIUS scheme.
11. On the RADIUS scheme configuration page, click Apply.

Table 138 Configuration items

Item: Server Type
Description: Select the type of the RADIUS server to be configured. Possible values include primary
authentication server, primary accounting server, secondary authentication server, and secondary
accounting server.

Item: IP Address
Description: Specify the IP address of the RADIUS server.

Item: Port
Description: Specify the UDP port of the RADIUS server. The standard ports are 1812 for authentication
and 1813 for accounting; some older servers listen on 1645 and 1646 instead.

Item: Key, Confirm Key
Description: Specify the shared key for communication with the RADIUS server.
If no shared key is specified here, the shared key specified in the common configuration part is used.
Where the servers are administered separately, give each its own key, so that exposure of one
server's configuration does not reveal the key used with the other.

RADIUS configuration example


Network requirements
As shown in Figure 431, a RADIUS server running on IMC uses UDP ports 1812 and 1813 to provide
authentication and accounting services, respectively.
Configure the AC to use the RADIUS server for Telnet user authentication and accounting, and to remove
domain names from the usernames sent to the server.
On the RADIUS server, configure a Telnet user account with the username hello@bbb and the password
abc, and set the EXEC privilege level to 3 for the user.
Set the shared keys for packet exchange between the AC and the RADIUS server to expert.
Figure 431 Network diagram

Configuration procedure
1. Configure RADIUS scheme system:
a. From the navigation tree, select Authentication > RADIUS.
b. Click Add.
c. Enter the scheme name system, select the server type Extended, and select the username format
Without domain name.
d. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration
page.
e. Select the server type Primary Authentication, enter 10.1.1.1 as the IP address of the primary
authentication server, 1812 as the port number, and expert as the key, and click Apply to add
the primary authentication server to the scheme.

Figure 432 RADIUS authentication server configuration page

f. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration
page again.
g. Select Primary Accounting as the server type, enter 10.1.1.1 as the IP address of the primary
accounting server, port number 1813, and the key expert, and click Apply, as shown in Figure
433.
The RADIUS scheme configuration page refreshes and the added servers appear in the server
list, as shown in Figure 434.
h. Click Apply to finish the scheme configuration.
Figure 433 RADIUS accounting server configuration page


Figure 434 RADIUS scheme configuration

2. Create an ISP domain:
a. From the navigation tree, select Authentication > AAA.
The domain setup page appears.
b. Enter bbb in the Domain Name box.
c. Click Apply.

Figure 435 Creating an ISP domain

3. Configure an authentication method for the ISP domain:
a. Click the Authentication tab.
b. Select the domain name bbb.
c. Select the Default AuthN box, and then select the authentication mode RADIUS.
d. From the Name list, select the RADIUS scheme system to use it as the authentication scheme.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.

Figure 436 Configuring an authentication method for the ISP domain

4. Configure an authorization method for the ISP domain:
a. Click the Authorization tab.
b. Select the domain name bbb.
c. Select the Default AuthZ box, and then select the authorization mode RADIUS.
d. From the Name list, select the RADIUS scheme system to use it as the authorization scheme.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.

Figure 437 Configuring an authorization method for the ISP domain

5. Configure an accounting method for the ISP domain and enable accounting optional:
a. Click the Accounting tab.
b. Select the domain name bbb.
c. Select the Accounting Optional box, and then select Enable.
With accounting optional enabled, a user who passes authentication stays online even when the
accounting server is unreachable. This trades completeness of the accounting record for
availability; leave it disabled where every session must be accounted for.
d. Select the Default Accounting box, and then select accounting mode RADIUS.
e. From the Name list, select the RADIUS scheme system to use it as the accounting scheme.
f. Click Apply.
A configuration progress dialog box appears.
g. After the configuration progress is complete, click Close.
Figure 438 Configuring an accounting method for the ISP domain

6. Enable the Telnet service:
a. From the navigation tree, select Network > Service.
b. Select the Enable Telnet service box.
c. Click Apply.

Figure 439 Enabling the Telnet service

7. Log in to the CLI, and configure the VTY user interfaces to use AAA for user access control.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit
The scheme mode applies to every login on VTY 0 through 4, so SSH sessions are authenticated through
the same ISP domain and RADIUS scheme once the SSH service is enabled.

Verifying the configuration
Telnet to the AC and enter the username hello@bbb and password abc. You can log in and access
commands of levels 0 through 3.
The AC uses the domain name bbb in the login name to select ISP domain bbb and RADIUS scheme system.
Because the scheme's username format is Without domain name, the RADIUS server sees the username
hello in the Access-Request. A user authorized at EXEC privilege level 3 cannot run level-4
management commands; check that as well.
Telnet carries the username and password in cleartext. Use it only to verify the AAA setup on a
trusted network, and use SSH for administrative access in production; the VTY scheme configured above
applies to SSH logins too.
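The Quiet Time, Server Response Timeout and Request Transmission Attempts items in Table 137 decide how long every login waits when the primary server is down. The following Python is an added example written for this edition, not the device's implementation: it models the documented behaviour on a simulated clock, including the rule that timeout multiplied by attempts must not exceed 75 seconds. The scenario (primary unreachable, secondary healthy), the server names and the RadiusScheme and login_latencies helpers are the example's own assumptions.

```python
# Added example (not from the HP guide): a model of how Quiet Time, Server
# Response Timeout and Request Transmission Attempts interact when the primary
# RADIUS server is down. Simulated clock; no real RADIUS traffic is sent.
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    reachable: bool
    blocked_until: float = 0.0    # simulated time at which a block expires


@dataclass
class RadiusScheme:
    servers: list                 # primary first, then secondary
    timeout: int = 3              # Server Response Timeout (seconds)
    attempts: int = 3             # Request Transmission Attempts
    quiet_time: int = 300         # Quiet Time (seconds); 0 = never mark a server blocked
    clock: float = 0.0            # simulated wall clock
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Same rule the guide states for the advanced parameters.
        if self.timeout * self.attempts > 75:
            raise ValueError("timeout * attempts must not exceed 75 seconds")

    def send_request(self, user):
        """Send one request; return (server that answered or None, seconds waited)."""
        start = self.clock
        for srv in self.servers:
            if self.quiet_time and self.clock < srv.blocked_until:
                self.log.append(f"t={self.clock:.0f} {user}: {srv.name} blocked, skipping")
                continue
            for n in range(1, self.attempts + 1):
                if srv.reachable:
                    self.log.append(f"t={self.clock:.0f} {user}: {srv.name} answered (attempt {n})")
                    return srv.name, self.clock - start
                self.clock += self.timeout          # wait out the response timeout
                self.log.append(f"t={self.clock:.0f} {user}: {srv.name} no response (attempt {n})")
            if self.quiet_time:                     # quiet time 0 leaves the state untouched
                srv.blocked_until = self.clock + self.quiet_time
        return None, self.clock - start             # every server failed


def login_latencies(quiet_time, logins=3):
    """Seconds each successive login waits while the primary server is down."""
    scheme = RadiusScheme(
        servers=[Server("primary", reachable=False), Server("secondary", reachable=True)],
        quiet_time=quiet_time)
    return [scheme.send_request(f"user{i}")[1] for i in range(logins)]


if __name__ == "__main__":
    print("quiet time 0:  ", login_latencies(0))     # [9.0, 9.0, 9.0]
    print("quiet time 300:", login_latencies(300))   # [9.0, 0.0, 0.0]
```

With quiet time 0 every login pays the full 3 x 3 = 9 second retransmission cycle against the dead primary before the secondary is tried; with a non-zero quiet time only the first login pays it, and later logins go straight to the secondary until the block expires. That is the trade-off Table 137 describes between retrying the primary "as much as possible" and failing over quickly.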

Configuring the local EAP service


In some simple application environments, you may want to use a NAS to authenticate users locally,
instead of deploying AAA servers for user authentication. When the Extensible Authentication Protocol
(EAP) is used for user authentication, configure the local EAP authentication server to cooperate with
the local authentication method of AAA for local EAP authentication. For more information about AAA,
see "Configuring AAA."

Configuration procedure
1. From the navigation tree, select Authentication > Local EAP Server.
The local EAP service configuration page appears.

Figure 440 Local EAP service configuration page

2. Configure the local EAP service as described in Table 139.
3. Click Apply.

Table 139 Configuration items

Item: Status
Description: Enable or disable the EAP server.
If the EAP server is enabled, the EAP authentication method and PKI domain
configurations are required.

Item: Method
Description: Specify the EAP authentication methods:
MD5: Uses Message Digest 5 (MD5) challenge/response for authentication. MD5
authenticates only the client, not the server, and derives no keying material, so it
cannot protect a wireless service that needs WPA or WPA2 keys; use it only on trusted
wired links, if at all.
TLS: Uses the Transport Layer Security (TLS) protocol for authentication. The server
presents the certificate of the PKI domain and the client presents its own certificate.
PEAP-MSCHAPV2: Uses the Protected Extensible Authentication Protocol (PEAP) to set up
a TLS tunnel authenticated by the server certificate, and uses the Microsoft Challenge
Handshake Authentication Protocol version 2 (MSCHAPv2) for password authentication in
the established TLS tunnel.
PEAP-GTC: Uses PEAP in the same way and uses the Generic Token Card (GTC) method for
authentication in the established TLS tunnel.
When an EAP client and the local server communicate for EAP authentication, they first
negotiate the EAP authentication method to be used. During negotiation, the local
server proposes the authentication method with the highest priority from the EAP
authentication method list. If the client supports the authentication method, the
negotiation succeeds and they proceed with the authentication process. Otherwise, the
local server tries the one with the next highest priority until a supported one is
found; if none of the authentication methods is supported, the local server sends an
EAP-Failure packet to the client to notify it of the authentication failure.
TIP:
You can select more than one authentication method. An authentication method selected
earlier has a higher priority. Because a client can steer the negotiation to any
method in the list by rejecting the others, list only methods you are willing to
accept from every client.
PEAP-MSCHAPV2 and PEAP-GTC are mutually exclusive.

Item: PKI domain
Description: Specify the PKI domain for EAP authentication.
The available PKI domains are those configured on the page you enter by selecting
Authentication > Certificate Management. For more information, see "Managing
certificates."
NOTE:
The service management, local portal authentication, and local EAP service modules
always reference the same PKI domain. Changing the referenced PKI domain in any of the
three modules also changes the one referenced in the other two modules.
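The negotiation described for the Method item can be shown as an exchange of actual EAP packets. The following Python is an added example written for this edition, not code from the HP guide or the device. It frames EAP Request/Response/Success/Failure packets as in RFC 3748, applies the two rules from the table (list order is priority; PEAP-MSCHAPV2 and PEAP-GTC exclude each other), and runs the server's walk down the method list against a supplicant whose capability set is a constructed assumption. It stops once a method is agreed; the method conversation itself (TLS handshake, MSCHAPv2) is out of scope. The run in the block also shows the downgrade the TIP warns about: a server that lists TLS first but also lists MD5 ends up doing MD5 with a client that Naks everything else.

```python
# Added example (not from the HP guide): EAP method negotiation between an
# 802.1X supplicant and the local EAP server, with RFC 3748 packet framing.
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4          # EAP codes
TYPE_NAK, TYPE_MD5, TYPE_TLS, TYPE_PEAP = 3, 4, 13, 25     # EAP method types
# PEAP-MSCHAPV2 and PEAP-GTC share the outer type; they differ in the inner method.
METHOD_TYPES = {"MD5": TYPE_MD5, "TLS": TYPE_TLS,
                "PEAP-MSCHAPV2": TYPE_PEAP, "PEAP-GTC": TYPE_PEAP}


def encode(code, ident, type_=None, data=b""):
    """Code, Identifier, Length, then optional Type and Type-Data."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode(pkt):
    """Return (code, identifier, type or None, type-data); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


def validate_method_list(selected):
    """Apply the guide's rules: order is priority; the PEAP variants exclude each other."""
    if "PEAP-MSCHAPV2" in selected and "PEAP-GTC" in selected:
        raise ValueError("PEAP-MSCHAPV2 and PEAP-GTC are mutually exclusive")
    return [METHOD_TYPES[name] for name in selected]


def supplicant(request, supported):
    """Client: accept the proposed method, or Nak with the types it would accept."""
    _, ident, type_, _ = decode(request)
    if type_ in supported:
        return encode(RESPONSE, ident, type_)              # method data would follow
    return encode(RESPONSE, ident, TYPE_NAK, bytes(sorted(supported)))


def local_eap_server(selected_methods, client_supported):
    """Server: propose methods in priority order until one is accepted, else EAP-Failure.
    Returns (outcome, agreed method type or None, transcript of (sender, packet))."""
    transcript = []
    ident = 1
    for type_ in validate_method_list(selected_methods):
        req = encode(REQUEST, ident, type_)
        resp = supplicant(req, client_supported)
        transcript += [("server", req), ("client", resp)]
        code, rid, rtype, _ = decode(resp)
        if code != RESPONSE or rid != ident:
            break                                           # not a reply to our request
        if rtype == type_:
            transcript.append(("server", encode(SUCCESS, ident + 1)))
            return "success", type_, transcript
        ident += 1                                          # Nak: try the next priority
    transcript.append(("server", encode(FAILURE, ident)))
    return "failure", None, transcript


if __name__ == "__main__":
    # Constructed supplicant that only speaks EAP-MD5 against a TLS-first server list.
    outcome, agreed, log = local_eap_server(["TLS", "PEAP-MSCHAPV2", "MD5"], {TYPE_MD5})
    print(outcome, agreed)   # success 4
    for who, pkt in log:
        print(who, decode(pkt)[:3])
```

Removing MD5 from the server's list turns the same run into an EAP-Failure after two Naks, which is the behaviour the table describes when no method is shared.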

Local EAP service configuration example


Network requirements
As shown in Figure 441, configure the AC to perform local EAP authentication and authorization for
802.1X users by using the authentication method EAP-TLS.
Figure 441 Network diagram

Configuration guidelines
To implement local EAP authentication and authorization for 802.1X users, make sure port security is
enabled and 802.1X authentication uses the EAP authentication mode.
To use the authentication method EAP-TLS, configure the network properties of the connection and the
client certificate properly on the client. Configure the client to validate the AC's server certificate
against the CA of PKI domain test as well; a supplicant that skips server validation can be lured to a
rogue access point.
For information about configuring PKI domain test, requesting a local certificate, and retrieving a CA
certificate, see "Managing certificates."

Configuration procedure
1. Configure local user usera:
a. From the navigation tree, select Authentication > Users.
b. Click Add.
c. Enter the username usera and password 1234, and select the service type LAN-Access.
d. Click Apply.

Figure 442 Local user configuration page

2. Configure the ISP domain system to use local authentication and local authorization.
The ISP domain system uses local authentication and local authorization by default. For the
configuration procedure, see "Configuring AAA."

3. Enable the EAP server, configure the authentication method as TLS, and the PKI domain as test:
a. From the navigation tree, select Authentication > Local EAP Server.
b. Select Enabled for Status.
c. Select TLS from the Available methods list and click << to add TLS to the Selected methods list.
d. Select test from the PKI domain list.
e. Click Apply.

Figure 443 Configuring a local EAP server

4. Configure the AP:
a. From the navigation tree, select AP > AP Setup.
b. Click Add.
c. Enter the AP name ap1.
d. Select the device model MSM460-WW.
e. Select Manual and enter the serial number in the following box.
f. Click Apply.

Figure 444 Configuring the AP

5. Create the wireless service:
a. From the navigation tree, select Wireless Service > Access Service.
b. Click Add.
c. Enter the wireless service name 802.1x-auth.
d. Select the service type crypto.
e. Click Apply.
The wireless service configuration page appears.

Figure 445 Creating a wireless service

6. Configure the wireless service:
a. Click the expand button before Security Setup to expand the configuration items.
b. Select the authentication type Open-System.
c. Select the Cipher Suite box, and then select AES-CCMP and TKIP (select a cipher suite
according to your actual network requirements). TKIP is deprecated and is needed only for legacy
clients; where every client supports AES-CCMP, select AES-CCMP alone.
d. Select WPA as the security IE. Where the clients support it, the WPA2 security IE is preferred
over the original WPA IE.
e. Click the expand button before Port Security to expand the configuration items.
f. Select the Port Set box, and then select the port mode userlogin-secure-ext.
g. Select the Mandatory Domain box, and then select system.
h. Select the authentication method EAP.
i. Disable handshake and multicast trigger.
j. Click Apply.
A configuration progress dialog box appears.
k. When a dialog box appears asking for your confirmation to enable the EAP service, confirm
the operation to proceed.
l. After the configuration process is complete, click Close.

Figure 446 Wireless service configuration page

7. Enable the wireless service:
a. On the access service list page, select the wireless service 802.1x-auth.
b. Click Enable.
A progress dialog box appears.
c. After the configuration process is complete, click Close.

Figure 447 Enabling the wireless service

8. Bind the AP's radio mode with the wireless service:
a. In the wireless service list, click the bind icon of wireless service 802.1x-auth.
b. Select the AP of ap1 with the radio mode 802.11n(2.4GHz).
c. Click Bind.
A progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 448 Binding the radio mode with the wireless service

9. Enable 802.11n(2.4GHz):
a. From the navigation tree, select Radio > Radio.
b. Select the AP of ap1 with the radio mode 802.11n(2.4GHz).
c. Click Enable.

Figure 449 Enabling 802.11n(2.4GHz)

Verifying the configuration
After the configuration, a client that presents a certificate issued by the CA of PKI domain test should be
able to pass EAP-TLS authentication and access the wireless network, and you can ping the client
successfully from the AC. A client with no client certificate, or with one issued by another CA, should
be rejected; confirm this as well, because it is the property that distinguishes EAP-TLS from a
password method.

Configuring users
Overview
This module allows you to configure local users, user groups, guests, and user profiles.

Local user
A local user represents a set of user attributes configured on a device (such as the user password, user
type, service type, and authorization attribute). It is uniquely identified by the username. For a user
requesting a network service to pass local authentication, you must add an entry as required in the local
user database of the device. For more information about local authentication, see "Configuring AAA."

User group
A user group consists of a group of local users and has a set of local user attributes. You can configure
local user attributes for a user group to implement centralized management of user attributes for the local
users in the group. All local users in a user group inherit the user attributes of the group, but if you
configure user attributes for a local user, the settings of the local user take precedence over the settings
for the user group.
By default, every newly added local user belongs to a user group named system, which is automatically
created by the system.

Guest
A guest is a local user for specific applications. You can create a guest account for portal and LAN users
to temporarily access the network.

User profile
A user profile is a configuration template for saving predefined configurations. You can configure
different items such as Quality of Service (QoS) policy, rate limit, wireless service, and AP group for
different user profiles to accommodate different application scenarios.
During the authentication process for a user, the authentication server sends the user profile name to the
device, which then enables the configurations in the user profile. After the user passes the authentication
and accesses the device, the device restricts the user's access based on the configurations in the user
profile. When the user logs out, the device automatically disables the configurations in the user profile,
removing the restrictions on the user as a result. As the mechanism indicates, user profiles are for
restricting online users' access. If no user is online (no user is accessing the network, no user has passed
authentication, or all users have logged out), user profiles do not take effect.
With user profiles, you can:
Make use of system resources more granularly. For example, you can apply a QoS policy on a
per-user basis.
Restrict users' access rate more flexibly. For example, you can deploy traffic policing on a per-user
basis by defining a rate limit in user profiles.
Restrict users' access more specifically. For example, you can deploy user access control on a
per-wireless service basis by defining an SSID in user profiles. Or you can deploy user access
control on a per-AP basis by defining APs in the user profiles.

Configuring a local user
1. From the navigation tree, select Authentication > Users.
The local user management page appears, displaying information about all local users including
common users, security log administrator, guest administrator, and guests.
NOTE:
On the Local User tab, you can modify a guest user, but the user type changes to another one after your
modification.

Figure 450 Local user list

2. Click Add.
The local user configuration page appears. On this page, you can create a local user of any type
except guest.

Figure 451 Local user configuration page

3. Configure a local user as described in Table 140.
4. Click Apply.

Table 140 Configuration items

Item: Username
Description: Specify a name for the local user.

Item: Password, Confirm
Description: Specify a password for the local user and confirm the password. The two
passwords must be identical.
IMPORTANT:
It is a good practice to specify a password with no leading spaces. The spaces will be
ignored when the password is stored, but they count at the user login page.

Item: Password Encryption
Description: Select the attribute for the password encryption method: Reversible or
Irreversible.
Irreversible stores only a one-way hash of the password, so the cleartext cannot be
recovered from the configuration file. Reversible stores the password in a form the
device can decrypt, which challenge/response methods such as CHAP and MSCHAPv2 require
because they compute over the cleartext password. Prefer Irreversible whenever the
service type allows it.

Item: Group
Description: Select a user group for the local user.
For information about user group configuration, see "Configuring a user group."

Item: User Type
Description: Specify the user type for the local user:
Common User.
Security Log Admin: Users of this type can only manage security log files through the
Web interface. Only users of this type can manage security log files.
Guest Admin: Users of this type can only manage guest accounts through the Web
interface. They log in to the Authentication > User > Guest page to add, modify, or
delete a guest user.

Item: Level
Description: Select an authorization level for the local user: Visitor, Monitor,
Configure, or Management, in ascending order of priority. A local user has the rights
of the specified level and all levels lower than the specified level (if any).
Visitor: A user of this level can perform ping and trace route operations but cannot
read any data from the device or configure the device.
Monitor: A user of this level can read data from the device but cannot configure the
device.
Configure: A user of this level can read data from the device and configure the device
but cannot upgrade the device software, add/delete/modify users, or backup/restore
configuration files.
Management: A user of this level can perform all operations except for security log
file reading and management.
IMPORTANT:
This option is effective only for Web, FTP, Telnet, and SSH users.

Item: Service Type
Description: Select the service types for the local user to use: FTP, Telnet, PPP,
Portal, LAN access (accessing through the Ethernet, such as 802.1X users), or SSH.
IMPORTANT:
If you do not specify any service type for a local user who uses local authentication,
the user cannot pass authentication and cannot log in.
The service type of the guest administrator and security log administrator is Web.
The service types available to a guest are Portal and LAN-Access.
Grant only the service types an account needs, so that a credential meant for network
access cannot also be used for a management login.

Item: Expire-time
Description: Specify an expiration time for the local user.
When authenticating a local user with the expiration time configured, the access
device checks whether the expiration time has elapsed. If not, the device permits the
user to log in; otherwise it rejects the user.

Item: VLAN
Description: Specify the VLAN to be authorized to the local user after the user passes
authentication.
IMPORTANT:
This option is effective only for portal and LAN users.

Item: ACL
Description: Specify the ACL to be used by the access device to restrict the access of
the local user after the user passes authentication.
IMPORTANT:
This option is effective only for PPP, portal, and LAN users.

Item: User-profile
Description: Specify the user profile for the local user.
IMPORTANT:
This option is effective only for PPP, portal, and LAN users.

Configuring a user group
1. From the navigation tree, select Authentication > Users.
2. Click the User Group tab to display the existing user groups.

Figure 452 User group list

3. Click Add to enter the user group configuration page.

Figure 453 User group configuration page

4. Add a user group as described in Table 141.
5. Click Apply.

Table 141 Configuration items

Item: Group-name
Description: Specify a name for the user group.

Item: Level
Description: Select an authorization level for the user group: Visitor, Monitor, Configure, or
Management, in ascending order of priority.

Item: VLAN
Description: Specify the VLAN to be authorized to a user in the user group after the user passes
authentication.

Item: ACL
Description: Specify the ACL to be used by the access device to restrict the access of a user in the user
group after the user passes authentication.

Item: User-profile
Description: Specify the user profile for the user group.

Item: Allow Guest Accounts
Description: Specify whether to allow a guest to join the user group.
IMPORTANT:
The user group system is the default group, allows guest accounts by default, and cannot be modified.

Configuring a guest
Two categories of administrators can configure guests: guest administrators and administrators of the
management level. A guest administrator can only manage guests through the Web interface. For
information about the user type and authorization level, see Table 140.

Configuring a guest by a management level administrator
1. From the navigation tree, select Authentication > Users.
2. Click the Guest tab to display the guest information.

Figure 454 Guest list

3. Click Add to enter the guest configuration page.

Figure 455 Guest configuration page

4. Configure a single guest or a batch of guests as described in Table 142.
5. Click Apply.

Table 142 Configuration items

Item: Create Users in a Batch
Description: Specify whether to create guests in a batch.

Item: Username
Description: Specify a name for the guest when users are not created in a batch.

Item: User-name(prefix)
Description: Specify the username prefix and number for guests to be created in a batch.
For example, if you specify the username prefix as abc and number as 50, 50 guests
will be created, with the usernames abc0 through abc49.

Item: Password, Same as the Username, Confirm
Description: Specify a password for the guest.
If you select Same as the Username, you do not need to enter the password and confirm
password, and the guest password is the same as the username. A password equal to a
predictable username is trivially guessable, so use this option only for short-lived
accounts with a tight ValidTime and a restricted user group.
If you do not select this option, you must enter the password and confirm password,
and they must be the same.
IMPORTANT:
If the password starts with a space, the space will be omitted.

Item: Password Encryption
Description: Select the attribute for the password encryption method: Reversible or
Irreversible.

Item: Group
Description: Select a user group for the guest.
For information about user group configuration, see "Configuring a user group."

Item: ValidTime
Description: Specify a valid time range for the guest, including the start time and end
time.
When authenticating a guest with the valid time configured, the access device checks
whether the current time is within the valid time range. If it is, the device permits
the user to log in; otherwise it rejects the user.

Configuring a guest by a guest administrator
1. Log in to the AC as a guest administrator, and then select Authentication > User from the
navigation tree.
The guest management page appears.

Figure 456 Guest management page

2. Click Add to enter the guest configuration page.

Figure 457 Guest configuration page

3. Configure the guest as described in Table 142.
4. Click Apply.

NOTE:
The guest accounts are also displayed in the local user list. You can click the icon of a guest in the list
to edit the guest information and authorization attributes.

Configuring a user profile
1. From the navigation tree, select Authentication > Users.
2. Click the User Profile tab to display the existing user profiles.

Figure 458 User profile list

3. Click Add to enter the user profile name configuration page.

Figure 459 User profile name configuration item

4. Enter the profile name, for example profile.
5. Click Apply.
The user profile configuration page appears.

Figure 460 User profile configuration page

6. Configure the profile as described in Table 143.
7. Click Apply.

Table 143 Configuration items

Item: Userprofile name
Description: This field displays the user profile name.

Item: Qos-out policy
Description: Select a QoS policy in the outbound direction.

Item: Qos-in policy
Description: Select a QoS policy in the inbound direction.

Item: limited-out rate
Description: Specify the rate limit in the outbound direction.

Item: limited-in rate
Description: Specify the rate limit in the inbound direction.

Item: Services permitted
Description: Specify the wireless services permitted in the user profile:
Select the services in the Services list box and click the < button to add them to the
Selected services list box.
The available wireless services are those configured on the page you enter by
selecting Wireless Service > Access Service. For more information, see "Access
service configuration."

Item: APs permitted
Description: Specify the APs permitted in the user profile:
Select the APs in the APs list box and click the < button to add them to the Selected
APs list box.
The available APs are those you configured on the page you enter by selecting
AP > AP Group. For more information, see "AP configuration."

8. From the page displaying the existing user profiles, select the option before the user profile to be
enabled.
9. Click Enable.
By default, a newly added user profile is disabled.
A user profile takes effect only after it is enabled. If the authentication server assigns a user profile
that is not enabled, the user cannot get online, so enable a profile before referencing it in local user
or user group settings or on the authentication server.
Only enabled user profiles can be referenced by users. Disabling a user profile logs out all users using
the user profile.
Enabled user profiles cannot be modified or removed. To modify or remove an enabled user profile, you
must disable it first.

Managing certificates
Overview
The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security
through public key technologies, and is the most widely deployed framework for managing public keys. HP's
PKI system provides certificate management for IP Security (IPsec) and Secure Sockets Layer (SSL).
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair
consists of a private key and a public key. The private key must be kept secret, but the public key can be
distributed freely. Data encrypted with the public key can only be decrypted with the private key, and a
signature created with the private key can be verified by anyone holding the public key.
A key problem of PKI is how to manage the public keys. PKI employs the digital certificate mechanism to
solve this problem: a certificate binds a public key to its owner under the signature of a trusted
certification authority (CA), so that public keys can be distributed securely in large networks.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Here are some application examples:
• Secure email. Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
  can address these needs. The most widely used secure email protocol is Secure/Multipurpose Internet
  Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted and signed mail.
• Web security. For Web security, two peers can first establish a Secure Sockets Layer (SSL) connection
  for transparent and secure communications at the application layer. With PKI, SSL enables
  encrypted communications between a browser and a server, and both communication parties can
  verify the identity of each other through digital certificates.

For more information about PKI, see HP WX Series Access Controllers Security Configuration Guide.

Configuration guidelines
When you configure PKI, note the following guidelines:

• Make sure the clocks of the entities and the CA are synchronized. Otherwise, certificates might be
  treated as not yet valid or already expired.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
  PKI entity identity information in a certificate request goes beyond a certain limit, the server will not
  respond to the certificate request.
• The SCEP plug-in is required when you use a Windows Server as the CA. In this case, specify RA as
  the authority for certificate request when you configure the PKI domain.
• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, specify
  CA as the authority for certificate request when you configure the PKI domain.


Configuration procedures
The system supports the following PKI certificate request modes:

• Manual. In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and
  submit a local certificate request for an entity.
• Auto. In auto mode, an entity automatically requests a certificate through the Simple Certificate
  Enrollment Protocol (SCEP) when it has no local certificate or the existing certificate is about to
  expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.

Configuration procedure for manual request


1. Creating a PKI entity (required)
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and an entity, where an entity is the collection of the
identity information of a user. A CA identifies a certificate applicant by entity.
The identity settings of an entity must be compliant with the CA certificate issuing policy. Otherwise,
the certificate request might be rejected.

2. Creating a PKI domain (required)
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,
which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and
has only local significance.

3. Generating an RSA key pair (required)
Generate a local RSA key pair. By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public
key and a private key. The private key is kept by the user, and the public key is transferred to the CA
along with some other information.
IMPORTANT: If a local certificate already exists, you must remove the certificate before generating a
new key pair, so as to keep the consistency between the key pair and the local certificate.

4. Retrieving the CA certificate (required)
Certificate retrieval serves the following purposes:
• Locally store the certificates associated with the local security domain for improved query
  efficiency and reduced query count.
• Prepare for certificate verification.
IMPORTANT: If a local CA certificate already exists, you cannot perform the CA certificate retrieval
operation. This avoids possible mismatch between certificates and registration information resulting
from relevant changes. To retrieve the CA certificate, you must remove the CA certificate and local
certificate first.

5. Requesting a local certificate (required)
When requesting a certificate, an entity introduces itself to the CA by providing its identity
information and public key, which will be the major components of the certificate.
A certificate request can be submitted to a CA in online mode or offline mode.
• In online mode, if the request is granted, the local certificate is retrieved to the local system
  automatically.
• In offline mode, you must retrieve the local certificate by an out-of-band means.
IMPORTANT: If a local certificate already exists, you cannot perform the local certificate retrieval
operation. This avoids possible mismatch between the local certificate and registration information
resulting from relevant changes. To retrieve a new local certificate, you must remove the CA
certificate and local certificate first.

6. Destroying the RSA key pair (optional)
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair.
Otherwise, the certificate cannot be retrieved. Destroying the existing RSA key pair also destroys the
corresponding local certificate.

7. Retrieving and displaying a certificate (required if you request a certificate in offline mode)
Retrieve an existing certificate and display its contents.
IMPORTANT:
• If you request a certificate in offline mode, you must retrieve the CA certificate and local
  certificate by an out-of-band means.
• Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

8. Retrieving and displaying a CRL (optional)
Retrieve a CRL and display its contents.

Configuration procedure for automatic request


1. Creating a PKI entity (required)
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and an entity, where an entity is the collection of the
identity information of a user. A CA identifies a certificate applicant by entity.
The identity settings of an entity must be compliant with the CA certificate issuing policy. Otherwise,
the certificate request might be rejected.

2. Creating a PKI domain (required)
Create a PKI domain, setting the certificate request mode to Auto.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,
which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and
has only local significance.

3. Destroying the RSA key pair (optional)
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair.
Otherwise, the certificate cannot be retrieved. Destroying the existing RSA key pair also destroys the
corresponding local certificate.

4. Retrieving and displaying a certificate (optional)
Retrieve an existing certificate and display its contents.
IMPORTANT:
• Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
• If a CA certificate already exists, you cannot retrieve another CA certificate. This restriction avoids
  inconsistency between the certificate and registration information due to related configuration
  changes. To retrieve a new CA certificate, remove the existing CA certificate and local certificate
  first.

5. Retrieving and displaying a CRL (optional)
Retrieve a CRL and display its contents.

Creating a PKI entity


1. From the navigation tree, select Authentication > Certificate Management.
The PKI entity list page is displayed by default.

Figure 461 PKI entity list

2. Click Add to enter the PKI entity configuration page.

Figure 462 PKI entity configuration page

3. Configure the parameters as described in Table 144.
4. Click Apply.

Table 144 Configuration items

Entity Name
  Enter the name for the PKI entity.
Common Name
  Enter the common name for the entity.
IP Address
  Enter the IP address of the entity.
FQDN
  Enter the fully qualified domain name (FQDN) for the entity.
  An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain
  name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www
  indicates the host name and whatever.com the domain name.
Country/Region Code
  Enter the country or region code for the entity.
State
  Enter the state or province for the entity.
Locality
  Enter the locality for the entity.
Organization
  Enter the organization name for the entity.
Organization Unit
  Enter the unit name for the entity.

Creating a PKI domain


1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Domain tab.

Figure 463 PKI domain list

3. Click Add to enter the PKI domain configuration page.

Figure 464 PKI domain configuration page

4. Configure the parameters as described in Table 145.
5. Click Apply.

Table 145 Configuration items

Domain Name
  Enter the name for the PKI domain.
  By default, the device contains a PKI domain named local_domain.
CA Identifier
  Enter the identifier of the trusted CA.
  An entity requests a certificate from a trusted CA. The trusted CA takes responsibility for
  certificate registration, distribution, revocation, and query.
  In offline mode, this item is optional. In other modes, this item is required.
Entity Name
  Select the local PKI entity.
  When submitting a certificate request to a CA, an entity needs to show its identity information.
  Available PKI entities are those that have been configured.
Institution
  Select the authority for certificate request:
  • CA. The entity requests a certificate from a CA.
  • RA. The entity requests a certificate from an RA.
  RA is recommended.
Requesting URL
  Enter the URL of the RA.
  The entity submits the certificate request to the server at this URL through the Simple Certificate
  Enrollment Protocol (SCEP), which is intended for communication between an entity and a
  certification authority.
  In offline mode, this item is optional. In other modes, this item is required.
  IMPORTANT: This item does not support domain name resolution, so use an IP address in the URL.
LDAP IP, Port, Version
  Enter the IP address, port number, and version of the LDAP server.
  In a PKI system, the storage of certificates and CRLs is a crucial problem, which is usually
  addressed by deploying an LDAP server.
Request Mode
  Select the online certificate request mode: Auto or Manual.
Encrypt Password
  Select this box to display the password in cipher text.
  This box is available only when the certificate request mode is set to Auto.
Password
  Enter the password for certificate revocation.
  This item is available only when the certificate request mode is set to Auto.
Fingerprint Hash, Fingerprint
  Specify the fingerprint used for verifying the CA root certificate.
  After receiving the root certificate of the CA, an entity verifies the fingerprint of the root
  certificate, namely the hash value of the certificate content. This hash value is unique to every
  certificate. If the fingerprint of the root certificate does not match the one configured for the
  PKI domain, the entity rejects the root certificate.
  • If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a
    string of 32 hexadecimal characters.
  • If you specify SHA1 as the hash algorithm, enter a SHA1 fingerprint. The fingerprint must be a
    string of 40 hexadecimal characters.
  • If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will not
    verify the CA root certificate, and you yourself must make sure that the CA server is trusted.
  IMPORTANT: The fingerprint must be configured if you set the certificate request mode to Auto. If
  you set the certificate request mode to Manual, you can leave the fingerprint settings empty, but
  then the entity does not verify the CA root certificate and you must make sure by other means that
  the CA server is trusted. Prefer SHA1 over MD5 when the CA publishes both, and obtain the
  fingerprint from the CA administrator over a channel other than the SCEP connection it protects.
Polling Count, Polling Interval
  Set the polling interval and attempt limit for querying the certificate request status.
  After an entity submits a certificate request, the CA might take a long time to verify it if it does
  so manually. During this period, the applicant queries the status of the request periodically to
  get the certificate as soon as possible after it is signed.
Enable CRL Checking
  Select this box to require CRL checking during certificate verification.
  By default, CRL checking is disabled in the default PKI domain local_domain.
CRL Update Period
  Enter the interval at which the PKI entity downloads the latest CRLs.
  This item is available when the Enable CRL Checking box is selected.
  By default, the CRL update period depends on the next update field in the CRL file.
CRL URL
  Enter the URL of the CRL distribution point.
  This item is available when the Enable CRL Checking box is selected.
  When the URL of the CRL distribution point is not set, you must acquire the CA certificate and a
  local certificate, and then acquire the CRL through SCEP.
  IMPORTANT: This item does not support domain name resolution, so use an IP address in the URL.
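The fingerprint check in Table 145 is what stands between the entity and an impostor CA on the SCEP path.
The following Python script is an added example, not code from this guide or from the HP device, that
performs the same check offline: it accepts a certificate in PEM or DER form, infers the hash algorithm
from the length of the configured fingerprint (32 hexadecimal characters for MD5, 40 for SHA1), tolerates
upper case and colon separators in what the operator pasted, and rejects anything else. The certificate
bytes and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Hash algorithms offered for the fingerprint, keyed by the fingerprint
# length in hex characters that the PKI domain page requires for each.
FINGERPRINT_ALGORITHMS = {32: "md5", 40: "sha1"}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given PEM or raw DER input.

    A fingerprint is always taken over the DER encoding, which is what
    the base64 body of a PEM file decodes to.
    """
    match = _PEM_RE.search(data.decode("ascii", errors="ignore"))
    if match:
        return base64.b64decode("".join(match.group(1).split()))
    return data


def normalize_fingerprint(value: str) -> str:
    """Lower-case hex with separators removed, so '0A:1B' equals '0a1b'."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def fingerprint(cert: bytes, algorithm: str) -> str:
    """Hex fingerprint of the certificate under md5 or sha1."""
    return hashlib.new(algorithm, pem_to_der(cert)).hexdigest()


def verify_root_certificate(cert: bytes, configured: Optional[str]) -> bool:
    """Decide whether to accept a retrieved CA root certificate.

    - No configured fingerprint: accepted without verification, the case
      the IMPORTANT note warns about; trust must come from elsewhere.
    - Otherwise the algorithm is inferred from the configured length
      (32 hex chars = MD5, 40 = SHA1); a malformed fingerprint or any
      mismatch rejects the certificate.
    """
    if not configured:
        return True
    expected = normalize_fingerprint(configured)
    algorithm = FINGERPRINT_ALGORITHMS.get(len(expected))
    if algorithm is None:
        return False
    return hmac.compare_digest(fingerprint(cert, algorithm), expected)


# Constructed stand-in for a DER-encoded CA certificate. It is not a real
# certificate; the check only hashes bytes, so any byte string serves.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-root-ca"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # What an operator would paste into the Fingerprint field for SHA1.
    configured = fingerprint(SAMPLE_DER, "sha1")
    print("sha1 fingerprint:", configured)
    print("accepted:", verify_root_certificate(SAMPLE_PEM, configured))
    print("tampered accepted:",
          verify_root_certificate(SAMPLE_DER + b"x", configured))
```

The comparison uses hmac.compare_digest rather than == so that a mismatch takes the same time regardless
of where the first differing character sits; on an embedded device this is cheap insurance.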

Generating an RSA key pair


1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.

Figure 465 Certificate configuration page

3. Click Create Key to enter the RSA key pair parameter configuration page.

Figure 466 Key pair parameter configuration page

4. Set the key length.
Use the longest key the device and the CA accept: 1024-bit RSA keys are no longer considered adequate,
so choose 2048 bits or more where possible.
5. Click Apply.

Destroying the RSA key pair

1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Destroy Key to enter the RSA key pair destruction page.
4. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.

Figure 467 Key pair destruction page

Retrieving and displaying a certificate


You can download an existing CA certificate or local certificate from the CA server and save it locally.
To do so, you can use offline mode or online mode. In offline mode, you retrieve a certificate by an
out-of-band means like FTP, disk, or email, and then import it into the local PKI system.

To retrieve a certificate:
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Retrieve Cert to enter the PKI certificate retrieval page.

Figure 468 PKI certificate retrieval page

4. Configure the parameters as described in Table 146.
5. Click Apply.

Table 146 Configuration items

Domain Name
  Select the PKI domain for the certificate.
  By default, the list displays the default PKI domain local_domain.
Certificate Type
  Select the type of the certificate to be retrieved: CA or Local.
Enable Offline Mode
  Select this box to retrieve a certificate in offline mode (that is, by an out-of-band means like
  FTP, disk, or email) and then import the certificate into the local PKI system.
Get File From Device, Get File From PC
  Specify the path and name of the certificate file if you retrieve the certificate in offline mode.
  • If the certificate file is saved on the device, select Get File From Device, and then specify the
    path of the file on the device.
  • If the certificate file is saved on a local PC, select Get File From PC, specify the path to the
    file, and select the partition of the device for saving the file.
Password
  Enter the password for protecting the private key if you retrieve the certificate in offline mode.
  The password was specified when the certificate was exported.

6. After you retrieve a certificate, click View Cert for the certificate in the PKI certificates list
to display the contents of the certificate.

Figure 469 Certificate information

Requesting a local certificate


1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Request Cert to enter the local certificate request page.

Figure 470 Local certificate request page

4. Configure the parameters as described in Table 147.

Table 147 Configuration items

Domain Name
  Select the PKI domain for the certificate.
  By default, the list displays the default PKI domain local_domain.
Password
  Enter the password for certificate revocation.
Enable Offline Mode
  Select this box to request a certificate in offline mode, that is, by an out-of-band means like
  FTP, disk, or email.

5. Click Apply.
If you request the certificate in online mode, the system displays Certificate request has been
submitted. Click OK. If you request the certificate in offline mode, the system displays the offline
certificate request information. You can submit the information to the CA by an out-of-band means.

Figure 471 Offline certificate request information page

Retrieving and displaying a CRL


1. From the navigation tree, select Authentication > Certificate Management.
2. Click the CRL tab.

Figure 472 CRL page

3. Click Retrieve CRL to retrieve the CRL of a domain.
4. Click View CRL for the domain to display the contents of the CRL.

Figure 473 CRL information

Certificate management configuration example


Network requirements
As shown in Figure 474, configure the AC as the PKI entity, so that:
• The AC submits a local certificate request to the CA server, which runs the RSA Keon software.
• The AC acquires CRLs for certificate verification.

Figure 474 Network diagram

Configuring the CA server

1. Create a CA server named myca.
In this example, you must first configure the basic attributes of Nickname and Subject DN on the
CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of
the CA, including the common name (CN), organization unit (OU), organization (O), and country
(C). Leave the default values of the other attributes.
2. Configure extended attributes.
After you configure the basic attributes, perform configuration on the Jurisdiction Configuration
page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP
autovetting function, and adding the IP address list for SCEP autovetting.
3. Configure the CRL publishing behavior.
After you complete the previous configuration, perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After this configuration, make sure that the system clock of the AC is synchronized with that of the CA,
so that the AC can request certificates and retrieve CRLs properly.

Configuring the AC
1. Create a PKI entity.
a. From the navigation tree, select Authentication > Certificate Management.
The PKI entity list page is displayed by default.
b. Click Add.
c. Enter aaa as the PKI entity name.
d. Enter ac as the common name.
e. Click Apply.

Figure 475 Configuring a PKI entity

2. Create a PKI domain.
a. Click the Domain tab.
b. Click Add.
c. Enter torsa as the PKI domain name.
d. Enter myca as the CA identifier.
e. Select aaa as the local entity.
f. Select CA as the authority for certificate request.
g. Enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for
certificate request.
The URL must be in the format http://host:port/Issuing Jurisdiction ID, where Issuing
Jurisdiction ID is the hexadecimal string generated on the CA.
h. Select Manual as the certificate request mode.
i. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
j. Select the Enable CRL Checking box.
k. Enter http://4.4.4.133:447/myca.crl as the CRL URL.
l. Click Apply.
The system displays the following message: Fingerprint of the root certificate not specified. No
root certificate validation will occur. Continue?
m. Click OK.
This example accepts the CA certificate without fingerprint verification. In a production
deployment, obtain the root certificate fingerprint from the CA administrator and configure it in the
PKI domain, so that a CA certificate substituted on the network path is rejected.

Figure 476 Configuring a PKI domain

3. Generate an RSA key pair.
a. Click the Certificate tab.
b. Click Create Key to enter the page.
c. Enter 1024 for the key length.
d. Click Apply to generate an RSA key pair.

Figure 477 Generating an RSA key pair

4. Retrieve the CA certificate.
a. Click the Certificate tab.
b. Click Retrieve Cert.
c. Select torsa as the PKI domain.
d. Select CA as the certificate type.
e. Click Apply.

Figure 478 Retrieving the CA certificate

5. Request a local certificate.
a. Click the Certificate tab.
b. Click Request Cert.
c. Select torsa for the PKI domain.
d. Select Password, and then enter challenge-word as the password.
e. Click Apply.
The system displays Certificate request has been submitted.
f. Click OK.

Figure 479 Requesting a local certificate

6. Retrieve the CRL.
a. Click the CRL tab.
b. Click Retrieve CRL for the PKI domain torsa.

Figure 480 Retrieving the CRL

Verifying the configuration

After the configuration, select Authentication > Certificate Management from the navigation tree and
click the Certificate tab to view detailed information about the retrieved CA certificate and local
certificate, or click the CRL tab to view detailed information about the retrieved CRL.


Configuring WLAN security


WLAN security overview
802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients,
ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise
security. To address these threats, the wireless intrusion detection system (WIDS) is introduced. WIDS
provides early detection of malicious attacks and intrusions on a wireless network without affecting
network performance, and provides real-time countermeasures.
WLAN security provides these features:
• Rogue detection
• WIDS attack detection
• Blacklist and white list

Terminology
• Rogue AP. An unauthorized or malicious access point on the network, such as an AP set up by an
  employee, a misconfigured AP, a neighbor's AP, or an AP operated by an attacker. Because it is not
  managed by the organization, any vulnerability in such an AP gives an attacker a path into the
  network.
• Rogue client. An unauthorized or malicious client on the network.
• Rogue wireless bridge. An unauthorized wireless bridge on the network.
• Monitor AP. An AP that scans or listens to 802.11 frames to detect rogue devices in the network.
• Ad hoc mode. A wireless client in ad hoc mode communicates directly with other stations without
  support from any other device.

Detecting rogue devices

Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a
WLAN based on pre-configured rules.
Rogue detection can detect different types of devices in a WLAN, for example, rogue APs, rogue
clients, rogue wireless bridges, and ad hoc terminals. An AP can work in either of the following modes
for rogue detection:
• Monitor mode: In this mode, an AP scans all 802.11 frames in the WLAN, but cannot provide
  WLAN services. As shown in Figure 481, AP 1 works as an access AP, and AP 2 works as a monitor
  AP to listen to all 802.11 frames. AP 2 cannot provide wireless access services.

Figure 481 Monitor AP for rogue detection

• Hybrid mode: In this mode, an AP can both scan devices in the WLAN and provide WLAN data
  services.

Figure 482 Hybrid AP for rogue detection

Taking countermeasures against rogue device attacks


You can enable countermeasures on a monitor AP. The monitor AP downloads an attack list from the
AC according to the countermeasure mode, and takes countermeasures against detected rogue devices.
The processing methods vary with the type of rogue device:
• If the rogue device is a rogue client, it is logged out.
• If the rogue device is a rogue AP, legal clients are prevented from using the rogue AP to access the
  WLAN.
• If the rogue device is an ad hoc client, it is denied, and ad hoc clients cannot communicate with
  each other.

Figure 483 Taking countermeasures against rogue devices

Functionalities supported
The rogue detection feature supports the following functionalities:
• RF monitoring in different channels
• Rogue AP detection
• Rogue client detection
• Ad hoc network detection
• Wireless bridge detection
• Countermeasures against rogue devices, clients and ad hoc networks

WIDS attack detection


The WIDS attack detection function detects intrusions or attacks on a WLAN, and informs the
network administrator of the attacks by recording information or sending logs. WIDS attack detection
supports detection of the following attacks:
• Flood attack
• Spoofing attack
• Weak IV attack

Flood attack detection

A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind
within a short span of time. When this occurs, the WLAN devices get overwhelmed and are unable to
serve normal clients.
WIDS attack detection counters flood attacks by constantly keeping track of the density of traffic
generated by each device. When the traffic density of a device exceeds the limit, the device is
considered to be flooding the network. If the dynamic blacklist feature is enabled, the device is added
to the blacklist and is forbidden to access the WLAN.
WIDS inspects the following types of frames:
• Authentication and deauthentication frames
• Association request, disassociation, and reassociation request frames
• Probe request frames
• 802.11 null data frames
• 802.11 action frames

Spoofing attack detection


In this kind of attack, an attacker sends frames over the air on behalf of another device. For
instance, a client in a WLAN has been associated with an AP and works normally. A spoofed
deauthentication frame that appears to come from the AP causes the client to be deauthenticated from
the network and disrupts the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast
deauthentication and disassociation frames sent on behalf of an AP. When such a frame is received, it
is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection
Wired Equivalent Privacy (WEP) encrypts each frame with a key stream derived from the shared key and
a 24-bit Initialization Vector (IV) that changes per frame, so that frames encrypted under the same key
produce different ciphertext. The IV is sent in the clear as part of the frame header.
If a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames or
IVs from a known weak class, an attacker who collects enough frames can recover the shared secret key
and then access network resources.
Weak IV detection counters this attack by checking the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.
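An added Python example, not code from this guide or from the HP firmware, of the check described above:
it locates the IV in a protected 802.11 data frame, flags IVs of the (A+3, 0xFF, X) class identified by
Fluhrer, Mantin and Shamir as well as any IV reused by the same transmitter, and logs the hit. The
header offsets follow the 802.11 MAC header layout; the sample frames, the class and function names, and
the choice of these two weak-IV tests (the guide does not say which classes the device checks) are
assumptions of this example.

```python
from collections import defaultdict

# 802.11 frame control field: byte 0 carries type and subtype, byte 1 the
# flags. A protected (WEP-encrypted) data frame carries the 3-byte IV and
# 1-byte key ID immediately after the MAC header.
FC_TYPE_MASK = 0x0C
FC_TYPE_DATA = 0x08          # type 2 (data) in bits 2-3 of byte 0
FC_SUBTYPE_QOS = 0x80        # QoS data subtypes set bit 7 of byte 0
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40

WEP_KEY_BYTES = (5, 13)      # WEP-40 and WEP-104 secret key sizes


def wep_iv(frame: bytes):
    """Return (transmitter MAC, IV bytes) for a protected 802.11 data frame,
    or None for anything else.

    The MAC header is 24 bytes, plus 6 for Address 4 when both ToDS and
    FromDS are set, plus 2 for the QoS Control field on QoS data subtypes.
    Address 2 is always the transmitter address.
    """
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if fc0 & FC_TYPE_MASK != FC_TYPE_DATA or not fc1 & FLAG_PROTECTED:
        return None
    header = 24
    if fc1 & FLAG_TO_DS and fc1 & FLAG_FROM_DS:
        header += 6
    if fc0 & FC_SUBTYPE_QOS:
        header += 2
    if len(frame) < header + 4:
        return None
    return frame[10:16].hex(":"), frame[header:header + 3]


def is_fms_weak(iv: bytes) -> bool:
    """IVs of the form (A+3, 0xFF, X) leak key byte A under the attack of
    Fluhrer, Mantin and Shamir; A runs over the key length, so the first
    byte is 3..7 for WEP-40 and 3..15 for WEP-104."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + max(WEP_KEY_BYTES)


class WeakIVDetector:
    """Per-transmitter IV bookkeeping: flags FMS-class IVs and IV reuse."""

    def __init__(self):
        self.seen = defaultdict(set)   # transmitter -> IVs already used
        self.log = []                  # (transmitter, iv hex, reasons)

    def inspect(self, frame: bytes):
        parsed = wep_iv(frame)
        if parsed is None:
            return None
        transmitter, iv = parsed
        reasons = []
        if is_fms_weak(iv):
            reasons.append("fms-weak-iv")
        if iv in self.seen[transmitter]:
            reasons.append("iv-reuse")
        self.seen[transmitter].add(iv)
        if not reasons:
            return None
        entry = (transmitter, iv.hex(), reasons)
        self.log.append(entry)
        return entry


def build_wep_data_frame(transmitter: bytes, iv: bytes, qos: bool = False) -> bytes:
    """Constructed sample: a FromDS data frame with the Protected bit set.
    The body after the IV and key ID is dummy ciphertext."""
    fc0 = FC_TYPE_DATA | (FC_SUBTYPE_QOS if qos else 0)
    fc1 = FLAG_FROM_DS | FLAG_PROTECTED
    receiver = b"\x02\x00\x00\x00\x00\x02"
    header = (bytes([fc0, fc1]) + b"\x00\x00"         # frame control, duration
              + receiver + transmitter + transmitter  # addr1, addr2, addr3
              + b"\x10\x00")                          # sequence control
    if qos:
        header += b"\x00\x00"                         # QoS control
    return header + iv + b"\x00" + b"\xde\xad\xbe\xef" * 4


if __name__ == "__main__":
    ap = b"\x02\x00\x00\x00\x00\x01"
    detector = WeakIVDetector()
    for iv in (b"\x01\x02\x03", b"\x04\xff\x7a", b"\x01\x02\x03"):
        print(detector.inspect(build_wep_data_frame(ap, iv)))
```

Reuse is tracked per transmitter because the IV space is only 24 bits: even a correctly behaving device
wraps around eventually, so a real detector would age the per-transmitter set rather than keep it forever.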

Blacklist and white list


You can configure the blacklist and white list functions to filter frames from WLAN clients and thereby
implement client access control.
WLAN client access control is accomplished through the following three types of lists:
• White list. Contains the MAC addresses of all clients allowed to access the WLAN. If the white list
  is used, only listed clients can access the WLAN, and all frames from other clients are discarded.
• Static blacklist. Contains the MAC addresses of clients forbidden to access the WLAN. This list is
  configured manually.
• Dynamic blacklist. Contains the MAC addresses of clients forbidden to access the WLAN. A client
  is added to the list dynamically when it is detected sending attack frames, and the entry is removed
  when its timer expires. The dynamic blacklist can collaborate with ARP detection: when ARP
  detection detects an attack, the MAC addresses of the attackers are added to the dynamic blacklist.
  For more information about ARP detection, see "Configuring ARP attack defense."

When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the
frame as follows:
1. If white list entries exist and the source MAC address does not match any of them, the frame is
   dropped. If there is a match, the frame is considered valid and is processed further.
2. If no white list entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in either of the two lists, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid and is processed
   further.

A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a
dynamic blacklist entry applies only to the AP that received the attack frames.

Figure 484 Network diagram for WLAN client access control

In the topology above, three APs are connected to an AC. Configure white list and static blacklist
entries on the AC, which sends all the entries to the APs. If the MAC address of a station, Client 1
for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present
in the white list, it can access any of the APs, and other clients cannot access any of the APs.
Enable the dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a
dynamic blacklist entry is generated for AP 1. Client 1 cannot associate with AP 1, but can still
associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic
blacklist entry is generated for that AP.
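To make the two mechanisms concrete, here is an added Python example, not code from this guide or from
the AC, that ties the flood attack detection described under "WIDS attack detection" to the dynamic
blacklist and then applies the white list and blacklist order described above for a single AP. The
threshold, window, entry lifetime and MAC addresses are constructed for the example; the guide does not
state the values the device uses.

```python
from collections import defaultdict, deque


class WlanAccessControl:
    """Client access control for one AP, with the flood detector feeding the
    dynamic blacklist.

    Filtering follows the order in the text: with white list entries present
    only listed MACs pass; otherwise the static and dynamic blacklists are
    searched; with no entries anywhere every frame passes. White and static
    lists are pushed from the AC to every AP, while dynamic entries are local
    to the AP that saw the attack, so one instance models one AP.
    """

    def __init__(self, flood_threshold=20, window=1.0, blacklist_lifetime=300.0):
        self.white_list = set()
        self.static_blacklist = set()
        self.dynamic_blacklist = {}             # mac -> expiry time (seconds)
        self.flood_threshold = flood_threshold  # frames of one kind per window
        self.window = window
        self.blacklist_lifetime = blacklist_lifetime
        self._recent = defaultdict(deque)       # (mac, kind) -> timestamps

    def permit(self, mac, now):
        """White list first, then static and dynamic blacklists."""
        if self.white_list:
            return mac in self.white_list
        if mac in self.static_blacklist:
            return False
        expiry = self.dynamic_blacklist.get(mac)
        if expiry is not None:
            if now < expiry:
                return False
            del self.dynamic_blacklist[mac]     # timer expired: entry removed
        return True

    def observe(self, mac, kind, now):
        """Count one frame of the given kind from mac at time now.

        Each kind ('probe-req', 'deauth', 'assoc-req', ...) is tracked
        separately, matching 'large volumes of frames of the same kind'.
        Returns True when this frame pushed the sender over the threshold,
        in which case the sender is added to the dynamic blacklist.
        """
        stamps = self._recent[(mac, kind)]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.flood_threshold:
            self.dynamic_blacklist[mac] = now + self.blacklist_lifetime
            stamps.clear()
            return True
        return False

    def handle_frame(self, mac, kind, now):
        """Per-frame path: flood accounting, then the list check."""
        self.observe(mac, kind, now)
        return self.permit(mac, now)


if __name__ == "__main__":
    ac = WlanAccessControl(flood_threshold=5, window=1.0, blacklist_lifetime=60.0)
    client = "aa:bb:cc:00:00:01"
    # Constructed burst: 6 probe requests within 0.5 s trips a threshold of 5.
    for i in range(6):
        print(i, ac.handle_frame(client, "probe-req", 0.1 * i))
    print("after timer:", ac.permit(client, 61.0))
```

Note that blacklisted senders are still counted in observe: a flooding client keeps refreshing its own
entry, which is the behaviour the text describes for an attacker that continues to send attack frames.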

Configuring rogue device detection


Recommended configuration procedure

1. Configuring AP operating mode
Required.
By default, the AP operates in normal mode and only provides WLAN data services.
2. Configuring detection rule lists
Required.
3. Enabling countermeasures and configuring aging time for detected rogue devices
Optional.

Configuring AP operating mode


1. Select Security > Rogue Detection from the navigation tree.

Figure 485 AP monitor configuration

2. On the AP Monitor tab, select the AP to be configured and click its configuration icon to enter the
page shown in Figure 486.

Figure 486 AP operating mode configuration

3. Configure the AP operating mode as described in Table 148.
4. Click Apply.

Table 148 Configuration items

Work mode
  Configure the AP operating mode:
  • In normal mode, an AP provides WLAN data services but does not perform scanning.
  • In monitor mode, an AP scans all 802.11 frames in the WLAN, but cannot provide WLAN services.
  • In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services.
  IMPORTANT:
  • When the operating mode of an AP is changed from normal to monitor, the AP does not restart.
  • When the operating mode of an AP is changed from monitor to normal, the AP restarts.

NOTE:
An AP operating in hybrid mode provides WLAN data services as well as scanning devices in the
WLAN, so WLAN service configurations are needed.
An AP operating in monitor mode cannot provide WLAN data services, so WLAN service
configurations are not needed.

Configuring detection rules


Configuring detection rules is to configure rogue device classification rules. An AC classifies devices as
rogues and friends based on the configured classification rules.

Check whether an AP is a rogue.

Figure 487 Checking whether an AP is a rogue

Check whether a client is a rogue.

460

Figure 488 Checking whether a client is a rogue


[Figure 488 decision flow: if the client is in the static attack list, it is an illegal client
(rogue). Otherwise, if it is in the permitted MAC address list, it is a legal client (friend).
Otherwise (or if neither list is configured), the AC checks whether the AP (BSSID) the client
is associated with is legal: a legal AP makes the client a friend, an illegal AP makes it a
rogue.]
Check whether an ad hoc network or a wireless bridge is a rogue.

Figure 489 Checking whether an ad hoc network or a wireless bridge is a rogue


Configuring detection rule lists


1.

Select Security > Rogue Detection from the navigation tree.

2.

Click the Rule List tab to enter detection rule list configuration page.

Figure 490 Rule list configuration

3.

Configure the rule list as described in Table 149.

Table 149 Configuration items

List Type
    • MAC: Add MAC addresses to be permitted after selecting this option.
    • Wireless Service: Add SSIDs to be permitted after selecting this option.
    • Vendor: Specify vendors to be permitted after selecting this option.
    • Attacker: Add the MAC address of a device to configure the device as a rogue.

4.

Select MAC from the list and click Add to enter the MAC address configuration page.

Figure 491 MAC address list configuration page

5.

Configure the MAC address list as described in Table 150.

6.

Click Apply.

Table 150 Configuration items

MAC
    Enter the permitted MAC address in the box.

Select the existent devices
    If you select this option, the MAC address table displays MAC addresses of the
    current devices. Select the MAC addresses to be permitted.

The operation to add other types of lists is similar to the add operation of a MAC address list, so the
description is omitted.

Enabling countermeasures and configuring aging time for detected rogue devices

1.

Select Security > Rogue Detection from the navigation tree.

2.

On the AP Monitor tab, click Common Set.


Figure 492 Common configuration

3.

Perform common configuration as described in Table 151.

4.

Click Apply.

Table 151 Configuration items

Reverse Mode
    • Unlaw Set: Allows you to take countermeasures against rogue devices (including
      illegal APs and illegal clients).
    • Unlaw Adhoc Device: Allows you to take countermeasures against ad hoc devices.
    • Static Unlaw Device: Allows you to take countermeasures against rogue devices
      configured in the detection rule list.

Device Aging-Duration
    Configure the aging time of entries in the device list.
    Once a rogue device is detected, an entry for it is added to the monitor record and
    the aging time starts. The aging time restarts if the device is detected again during
    the time. When the aging time is reached, the entry is deleted from the monitor
    record and added to the history record.

Displaying monitor record


1.

Select Security > Rogue Detection from the navigation tree.

2.

Click the Monitor Record tab to enter the monitor record page.


Figure 493 Monitor record

Table 152 Field description

Type
    • r: Rogue device.
    • p: Permitted device.
    • a: Ad hoc device.
    • w: AP.
    • b: Wireless bridge.
    • c: Client.
    For example, pw represents a permitted AP, and rb represents a rogue wireless bridge.
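The following added example (not HP's code) models the classification flow of Figure 488, the rule lists of Table 149, the aging behaviour of Table 151 and the type codes of Table 152 in Python; the SSID, the BSSID of AP 1 and the timestamps are constructed, and treating an AP as a friend when its BSSID, SSID or vendor is on a permitted list is an assumption of the example, since Figure 487 survives only as a caption.

```python
"""Rogue classification and monitor/history record aging.

Added example, not HP's code: it models the client decision flow of Figure 488, the
rule lists of Table 149, the Device Aging-Duration of Table 151 and the type codes of
Table 152. SSIDs, BSSIDs and timestamps are constructed. Treating an AP as a friend
when its BSSID, SSID or vendor is on a permitted list (and a rogue otherwise) is this
example's assumption, since Figure 487 survives only as a caption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def norm_mac(mac: str) -> str:
    """Normalise '000f-e215-1515' or '00:0f:e2:15:15:15' to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass
class DetectionRules:
    """The four list types of Table 149, held as normalised MACs, SSIDs and OUIs."""
    permitted_macs: Set[str] = field(default_factory=set)     # List Type: MAC
    permitted_ssids: Set[str] = field(default_factory=set)    # List Type: Wireless Service
    permitted_vendors: Set[str] = field(default_factory=set)  # List Type: Vendor (OUI)
    attackers: Set[str] = field(default_factory=set)          # List Type: Attacker

    def add(self, list_type: str, value: str) -> None:
        target = {"MAC": self.permitted_macs, "Wireless Service": self.permitted_ssids,
                  "Vendor": self.permitted_vendors, "Attacker": self.attackers}[list_type]
        target.add(value if list_type == "Wireless Service" else norm_mac(value))


def classify_ap(rules: DetectionRules, bssid: str, ssid: str) -> str:
    """'p' (permitted) or 'r' (rogue) for an AP seen with this BSSID and SSID."""
    mac = norm_mac(bssid)
    if mac in rules.attackers:
        return "r"
    if mac in rules.permitted_macs or ssid in rules.permitted_ssids \
            or mac[:6] in rules.permitted_vendors:
        return "p"
    return "r"                                     # matched no permitted list


def classify_client(rules: DetectionRules, client_mac: str, bssid: str, ssid: str) -> str:
    """Figure 488: static attack list, then permitted MAC list, then the AP's legality."""
    mac = norm_mac(client_mac)
    if mac in rules.attackers:                     # in the static attack list: rogue
        return "r"
    if mac in rules.permitted_macs:                # in the permitted MAC list: friend
        return "p"
    # neither list decides (or none is configured): as legal as the AP (BSSID) it uses
    return classify_ap(rules, bssid, ssid)


def type_code(legality: str, device: str) -> str:
    """Table 152 code: legality (r/p) followed by device type (a/w/b/c), e.g. 'pw', 'rb'."""
    assert legality in "rp" and device in "awbc"
    return legality + device


class MonitorRecord:
    """Monitor record with the Device Aging-Duration behaviour of Table 151."""

    def __init__(self, aging_seconds: int) -> None:
        self.aging = aging_seconds
        self.monitor: Dict[str, Tuple[str, float]] = {}   # mac -> (type code, last seen)
        self.history: List[Tuple[str, str]] = []          # (mac, type code)

    def detect(self, mac: str, code: str, now: float) -> None:
        self.monitor[norm_mac(mac)] = (code, now)          # (re)starts the aging time

    def age_out(self, now: float) -> List[str]:
        """Move entries whose aging time has been reached to the history record."""
        expired = [m for m, (_, seen) in self.monitor.items() if now - seen >= self.aging]
        for m in expired:
            code, _ = self.monitor.pop(m)
            self.history.append((m, code))
        return expired


def demo() -> Tuple[str, str, str, List[str]]:
    """Rule lists from this chapter's configuration example plus a constructed SSID/BSSID."""
    rules = DetectionRules()
    for mac in ("000f-e215-1515", "000f-e215-1530", "000f-e213-1235"):
        rules.add("MAC", mac)                      # Clients 1 to 3: friends
    rules.add("Attacker", "000f-e220-405e")        # Client 4: rogue
    rules.add("Wireless Service", "corp-wlan")     # constructed SSID served by AP 1
    ap1 = "000f-e2aa-0001"                         # constructed BSSID of AP 1
    client2 = type_code(classify_client(rules, "000f-e215-1530", ap1, "corp-wlan"), "c")
    client4 = type_code(classify_client(rules, "000f-e220-405e", ap1, "corp-wlan"), "c")
    unlisted = type_code(classify_client(rules, "000f-e299-0009", ap1, "corp-wlan"), "c")
    rec = MonitorRecord(aging_seconds=300)
    rec.detect("000f-e220-405e", client4, now=0)
    rec.detect("000f-e220-405e", client4, now=200)   # seen again: aging time restarts
    assert rec.age_out(now=400) == []                # only 200 s since the last detection
    return client2, client4, unlisted, rec.age_out(now=500)
```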

Displaying history record


1.

Select Security > Rogue Detection from the navigation tree.

2.

Click the History Record tab to enter the history record page.

Figure 494 History record page


Configuring WIDS
Configuring WIDS
1.

Select Security > WIDS from the navigation tree.

Figure 495 WIDS configuration

2.

On the WIDS Setup tab, configure WIDS as described in Table 153.

3.

Click Apply.

Table 153 Configuration items

Flood Attack Detect
    If you select the option, flood attack detection is enabled. It is disabled by default.

Spoofing Attack Detect
    If you select the option, spoofing attack detection is enabled. It is disabled by
    default.

Weak IV Attack Detect
    If you select the option, Weak IV attack detection is enabled. It is disabled by
    default.

Displaying history record


1.

Select Security > WIDS from the navigation tree.

2.

Click the History Record tab to enter the history information page.


Figure 496 History information

Displaying statistics information


1.

Select Security > WIDS from the navigation tree.

2.

Click the Statistics tab to enter the statistics information page.

Figure 497 Statistics


Configuring the blacklist and white list functions


A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a
dynamic blacklist applies to APs that receive attack frames. For more information, see "Blacklist and
white list."

Configuring dynamic blacklist


1.

Select Security > Filter from the navigation tree.

Figure 498 Dynamic blacklist configuration page

2.

On the Blacklist tab, configure the dynamic blacklist as described in Table 154.

3.

Click Apply.

Table 154 Configuration items

Dynamic Blacklist
    • Enable: Enable dynamic blacklist.
    • Disable: Disable dynamic blacklist.

Lifetime
    Configure the lifetime of the entries in the blacklist. When the lifetime of an entry
    expires, the entry is removed from the blacklist.

NOTE:
These attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood,
ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.

Configuring static blacklist


1.

Select Security > Filter from the navigation tree.

2.

On the Blacklist tab, click Static to enter the static blacklist configuration page.


Figure 499 Static blacklist configuration

3.

Click Add Static to enter the static blacklist configuration page.

Figure 500 Adding static blacklist

4.

Add a static blacklist as described in Table 155.

5.

Click Apply.

Table 155 Configuration items

MAC Address
    Select MAC Address, and then add a MAC address to the static blacklist.

Select from Connected Clients
    If you select the option, the table below lists the current existing clients. Select the
    options of the clients to add their MAC addresses to the static blacklist.

Configuring white list


1.

Select Security > Filter from the navigation tree.



2.

Click the Whitelist tab.

Figure 501 Whitelist configuration

3.

Click Add.

Figure 502 Adding a whitelist

4.

Add a white list as described in Table 156.

5.

Click Apply.

Table 156 Configuration items

MAC Address
    Select MAC Address, and then add a MAC address to the white list.

Select from Connected Clients
    If you select the option, the table below this option lists the current existing clients.
    Select the options of the clients to add their MAC addresses to the white list.


Rogue detection configuration example


Network requirements
As shown in Figure 503, a monitor AP (AP 2 with serial ID SZ001) and AP 1 (serial ID SZ002) are
connected to an AC through a Layer 2 switch.

AP 1 operates in normal mode and provides WLAN data services only.

AP 2 operates in monitor mode, and scans all 802.11g frames in the WLAN.

Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3
(MAC address 000f-e213-1235) are connected to AP 1. They are configured as friends.

Client 4 (MAC address 000f-e220-405e) is connected to AP 2. It is configured as a rogue device.

Figure 503 Network diagram

Configuration guidelines

The radio must be disabled so that the AP operation mode can be changed.

If you configure more than one detection rule, you need to specify the rogue device types (AP, client,
bridge, and ad hoc) and the rule matching order. For more information, see "Configuring user
isolation."

The wireless service configuration is needed for an AP operating in hybrid mode, and not needed
for an AP in monitor mode.

Configuration procedure
1.

Configure AP 1 to operate in normal mode:


In normal mode, AP 1 provides WLAN data services only. For information about how to configure
WLAN services, see "Configuring access services."

2.

Configure AP 2 to operate in monitor mode:


a. Select AP > AP Setup from the navigation tree.
b. Click Add.


c. On the page that appears, set the AP name to ap2, select the AP model MSM460-WW, select
Manual, and enter the serial ID of AP 2.
d. Click Apply.
Figure 504 AP configuration

e. Select Security > Rogue Detection from the navigation tree.


f. On the AP Monitor tab, click the icon corresponding to the target AP to enter the operating
mode configuration page.

g. Select the operating mode Monitor.


h. Click Apply.
Figure 505 AP operating mode configuration

3.

Enable the 802.11n(2.4GHz) radio mode:


a. Select Radio > Radio from the navigation tree to enter the AP radio configuration page.
b. Select the AP with the radio mode 802.11n(2.4GHz).
c. Click Enable.


Figure 506 Radio configuration

4.

Configure rogue detection rules:


a. Select Security > Rogue Detection from the navigation tree.
b. Click the Rule List tab and click Add.
c. On the page that appears, enter 000f-e215-1515, 000f-e215-1530, and 000f-e213-1235 in
the MAC Address field, and then click Apply.
d. Select Attacker, and click Add. Enter 000f-e220-405e in the MAC Address field and click
Apply.

5.

Enable countermeasures against the static rogue device:


a. Select Security > Rogue Detection from the navigation tree.
b. Click the AP Monitor tab, and click Common Set to enter the common configuration page.
c. Select Static Rogue Device. This is because the MAC address of Client 4 is added manually to
the attacker list.
d. Click Apply.

Figure 507 Common configuration


Configuring user isolation


User isolation overview
Without user isolation, all the devices in the same VLAN can access each other directly. This causes
security problems. User isolation can solve this problem. When an AC configured with user isolation
receives unicast packets (broadcast packets and multicast packets in a VLAN are not isolated) from a
wireless client to another wireless client or a wired PC in the same VLAN, or from a wired PC to a wireless
client in the same VLAN, the AC determines whether to isolate the two devices according to the
configured list of permitted MAC addresses.
To avoid user isolation from affecting communications between users and the gateway, you can add the
MAC address of the gateway to the list of permitted MAC addresses.
User isolation both provides network services for users and isolates users, disabling them from
communication at Layer-2 and thus ensuring service security.

Before user isolation is enabled


As shown in Figure 508, before user isolation is enabled in VLAN 2 on the AC, wireless terminals Client
A and Client B and wired terminal Host A in the VLAN can communicate with each other and access the
Internet.
Figure 508 User communication


After user isolation is enabled


As shown in Figure 508, user isolation is enabled on the AC. Client A and Client B, and Host A in VLAN
2 access the Internet through the gateway.

If you add the MAC address of the gateway to the permitted MAC address list, Client A, Client B,
and Host A in the same VLAN are isolated, but they can access the Internet.

If you add the MAC address of a user (Client A, for example) to the permitted MAC address list,
Client A and Client B, and Client A and Host A can access each other directly, but Client B and Host
A cannot.

To enable all the users in the VLAN to access one another and the Internet, you need to add the MAC
address of the gateway and the MAC addresses of the users to the permitted MAC address list.

Configuring user isolation


Configuring user isolation
1.

Select Security > User Isolation from the navigation tree.

2.

Click Add.
The page for configuring user isolation appears.

Figure 509 Configuring user isolation

3.

Configure user isolation as described in Table 157.

4.

Click Apply.

Table 157 Configuration items

VLAN ID
    Specify the VLAN in which user isolation is enabled.

AccessMAC
    Specify the MAC addresses to be permitted by the AC. For more information, see
    "After user isolation is enabled."
    Enter a MAC address in the field next to the Add button.
    • Click Add to add the MAC address to the permitted MAC list.
    • To delete a MAC address from the list, select an entry and click Delete.
    IMPORTANT:
    • Broadcast or multicast MAC addresses cannot be specified as permitted MAC
      addresses.
    • Up to 16 permitted MAC addresses can be configured for one VLAN.

To avoid network disruption caused by user isolation, add the MAC address of the gateway to the
permitted MAC address list, and then enable user isolation.
If you configure user isolation for a super VLAN, the configuration does not take effect on the sub-VLANs
in the super VLAN, and you must configure user isolation on the sub-VLANs if needed.
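The following added example (not HP's code) models in Python the forwarding decision described under "After user isolation is enabled" together with the permitted MAC list limits of Table 157. The gateway MAC 000f-e212-7788 is the one used in this chapter's configuration example; the client and host MACs are constructed.

```python
"""User isolation decision for unicast frames inside one VLAN.

Added example, not HP's code. It models the permitted MAC address list of Table 157
(no broadcast/multicast entries, at most 16 per VLAN) and the rule that a unicast
frame between two members of an isolated VLAN is delivered only when one end is on
the permitted list. Client and host MACs are constructed; the gateway MAC is the
one from this chapter's configuration example.
"""
from typing import Dict, Iterable, Set

MAX_PERMITTED = 16      # Table 157: up to 16 permitted MAC addresses per VLAN


def norm_mac(mac: str) -> str:
    """Normalise '000f-e212-7788' or '00:0f:e2:12:77:88' to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def is_group_mac(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (bit 0 of the first octet) is set."""
    return int(norm_mac(mac)[:2], 16) & 0x01 == 1


class UserIsolation:
    """Per-VLAN user isolation as configured under Security > User Isolation."""

    def __init__(self) -> None:
        self.permitted: Dict[int, Set[str]] = {}      # VLAN ID -> permitted MAC list

    def enable(self, vlan: int, permitted_macs: Iterable[str]) -> None:
        self.permitted[vlan] = set()
        for mac in permitted_macs:
            self.add_permitted(vlan, mac)

    def add_permitted(self, vlan: int, mac: str) -> None:
        """Add one AccessMAC entry, enforcing the IMPORTANT notes of Table 157."""
        if is_group_mac(mac):
            raise ValueError(f"{mac}: broadcast or multicast MAC cannot be permitted")
        entries = self.permitted.setdefault(vlan, set())
        if len(entries | {norm_mac(mac)}) > MAX_PERMITTED:
            raise ValueError(f"VLAN {vlan}: at most {MAX_PERMITTED} permitted MACs")
        entries.add(norm_mac(mac))

    def forwards(self, vlan: int, src: str, dst: str) -> bool:
        """Does the AC deliver a frame from src to dst within this VLAN?

        Broadcast and multicast are not isolated. Unicast between two members is
        isolated unless the source or the destination is on the permitted list.
        """
        if is_group_mac(dst):
            return True
        if vlan not in self.permitted:
            return True                                # isolation not enabled here
        allowed = self.permitted[vlan]
        return norm_mac(src) in allowed or norm_mac(dst) in allowed


def demo():
    """Walk the cases listed under "After user isolation is enabled" for VLAN 2."""
    gateway, client_a = "000f-e212-7788", "000f-e2c1-0a0a"       # client MAC constructed
    client_b, host_a = "000f-e2c1-0b0b", "000f-e2c1-0c0c"        # constructed
    iso = UserIsolation()
    iso.enable(2, [gateway])                           # only the gateway is permitted
    gateway_only = (iso.forwards(2, client_a, gateway),           # Internet still reachable
                    iso.forwards(2, client_a, client_b),          # users isolated
                    iso.forwards(2, client_a, "ffff-ffff-ffff"))  # broadcast not isolated
    iso.add_permitted(2, client_a)                     # now Client A is permitted as well
    with_client_a = (iso.forwards(2, client_a, client_b),         # A <-> B allowed
                     iso.forwards(2, host_a, client_a),           # A <-> Host A allowed
                     iso.forwards(2, client_b, host_a))           # B <-> Host A still isolated
    return gateway_only, with_client_a
```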

Displaying user isolation information


Select Security > User Isolation from the navigation tree to enter the page displaying user isolation
configuration summary.
Figure 510 Displaying user isolation summary

User isolation configuration example


Network requirements
As shown in Figure 511, isolate Client A, Client B, and Host A in VLAN 2 from one another while allowing
them to access the Internet. The MAC address of the gateway is 000f-e212-7788.


Figure 511 Network diagram

Configuration procedure
1.

Configure wireless service:


For information about how to configure wireless service, see "Configuring access services."

2.

Configure user isolation:


a. Select Security > User Isolation from the navigation tree.
b. Click Add to enter the page for configuring user isolation.
c. On the page that appears, enter the VLAN ID 2, add MAC address 000f-e212-7788 to the
permitted MAC address list, and click Apply.


Figure 512 Configuring user isolation


Configuring ACL and QoS


Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.

ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also used by many modules for traffic identification,
for example, QoS and IP routing.
ACLs fall into the following categories.
Basic ACLs (ACL number 2000 to 2999)
    IPv4: Source IPv4 address.
    IPv6: Source IPv6 address.

Advanced ACLs (ACL number 3000 to 3999)
    IPv4: Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and
    Layer 4 header fields.
    IPv6: Source/destination IPv6 address, protocols over IPv6, and other Layer 3 and
    Layer 4 header fields.

Ethernet frame header ACLs (ACL number 4000 to 4999)
    IPv4 and IPv6: Layer 2 header fields, such as source and destination MAC addresses,
    802.1p priority, and link layer protocol type.

For more information about ACL, see ACL and QoS Configuration Guide.

QoS overview
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to
meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving
services under certain conditions.
In the Internet, QoS refers to the ability of the network to forward packets. The evaluation on QoS of a
network can be based on different aspects because the network may provide various services. Generally,
QoS refers to the ability to provide improved service by solving the core issues such as delay, jitter, and
packet loss ratio in the packet forwarding process.

Traditional packet forwarding services


On traditional IP networks, devices treat all packets equally and handle them using the first in first out
(FIFO) policy. All packets share the resources of the network and devices. The amount of resources the
packets can obtain completely depends on the time they arrive. This service is called "best-effort." It
delivers packets to their destinations as best it can, without any guarantee for such issues as delay, jitter,
packet loss ratio, and reliability.

This service policy is only suitable for applications insensitive to bandwidth and delay, such as WWW,
file transfer and email.

New requirements from new applications


The Internet has been growing along with the fast development of networking technologies. More and
more users take the Internet as their data transmission platform to implement various applications.
Besides traditional applications such as WWW, email and FTP, network users are implementing new
services, such as tele-education, telemedicine, video telephone, videoconference and Video-on-Demand
(VoD). The enterprise users expect to connect their regional branches together through VPN technologies
to carry out operational applications (for example, to access the database of the company or to monitor
remote devices through Telnet).
These new applications have one thing in common, and they all have special requirements for
bandwidth, delay, and jitter. For instance, videoconference and VoD need large bandwidth, low delay,
and low jitter. Mission-critical applications, such as transactions and Telnet, may not require large
bandwidth but require low delay and preferential service during congestion.
The new emerging applications require higher service performance of IP networks. Required network
services during packet forwarding include providing dedicated bandwidth, reducing packet loss ratio,
managing and avoiding congestion, regulating network traffic, and setting the precedence of packets.
To meet these requirements, networks must provide improved services.
For more information about QoS, see ACL and QoS Configuration Guide.

Configuration guidelines
When you configure an ACL and QoS, follow these guidelines:

You cannot add an ACL rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.

You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which case
the other settings remain the same.

When you configure rate limit and traffic policing for a behavior, make sure the ratio of CBS to CIR
is more than 100:16. Otherwise, the handling for bursty traffic may be affected.

If an ACL is referenced by a QoS policy for defining traffic classification rules, the operation of the
QoS policy varies by interface (the definition of software/hardware interface varies with device
models). The specific process is as follows:
If the QoS policy is applied to a software interface and the referenced ACL rule is a deny clause,
the ACL rule does not take effect and packets go to the next classification rule.
If the QoS policy is applied to a hardware interface, packets matching the referenced ACL rule
are organized as a class and the behavior defined in the QoS policy applies to the class
regardless of whether the referenced ACL rule is a deny or permit clause.

If a QoS policy is applied in the outbound direction of a port, the QoS policy cannot influence local
packets. Local packets refer to the important protocol packets that maintain the normal operation of
the device. QoS must not process such packets to avoid packet drop. Commonly used local packets
are: link maintenance packets, ISIS packets, OSPF packets, RIP packets, BGP packets, LDP packets,
RSVP packets, and SSH packets and so on.

When you configure queuing for a traffic behavior:


In a policy, a traffic behavior with EF configured cannot be associated with the default class,
and a traffic behavior with WFQ configured can only be associated with the default class.
In a policy, the total bandwidth assigned to the AF and EF classes cannot be greater than the
available bandwidth of the interface to which the policy applies. The total bandwidth
percentage assigned to the AF and EF classes cannot be greater than 100%.
In the same policy, the same bandwidth unit must be used to configure bandwidth for AF classes
and EF classes, either absolute bandwidth value or percent.

Configuring an ACL
ACL configuration procedures
IPv4 ACL configuration procedure
1. Adding a time range
    Optional. A rule referencing a time range takes effect only during the specified
    time range.

2. Adding an IPv4 ACL
    Required. The category of the added ACL depends on the ACL number that you specify.

3. Configuring a rule for a basic IPv4 ACL
4. Configuring a rule for an advanced IPv4 ACL
5. Configuring a rule for an Ethernet frame header ACL
    Required. Complete one of the three steps (3, 4, or 5) according to the ACL category.

Recommended IPv6 ACL configuration procedure


1. Adding a time range
    Optional. A rule referencing a time range takes effect only during the specified
    time range.

2. Adding an IPv6 ACL
    Required. The category of the added IPv6 ACL depends on the ACL number that you
    specify.

3. Configuring a rule for a basic IPv6 ACL
4. Configuring a rule for an advanced IPv6 ACL
    Required. Complete one of the two steps (3 or 4) according to the ACL category.

Adding a time range


1.

Select QoS > Time Range from the navigation tree.

2.

Click the Add tab to enter the time range adding page.


Figure 513 Adding a time range

3.

Configure the time range information, as described in Table 158.

4.

Click Apply.

Table 158 Configuration items

Time Range Name
    Set the name for the time range.

Periodic Time Range
    • Start Time: Set the start time of the periodic time range.
    • End Time: Set the end time of the periodic time range. The end time must be later
      than the start time.
    • Sun, Mon, Tue, Wed, Thu, Fri, and Sat: Select the day or days of the week on
      which the periodic time range is valid. You can select any combination of the days
      of the week.
    NOTE:
    These items are available after you select the Periodic Time Range option.

Absolute Time Range
    • From: Set the start time of the absolute time range. The time of the day is in the
      hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format.
    • To: Set the end time of the absolute time range. The time of the day is in the hh:mm
      format (24-hour clock), and the date is in the MM/DD/YYYY format. The end time
      must be later than the start time.
    NOTE:
    These items are available after you select the Absolute Time Range option.


Adding an IPv4 ACL


1.

Select QoS > ACL IPv4 from the navigation tree.

2.

Click the Add tab to enter the IPv4 ACL adding page, as shown in Figure 514.

Figure 514 Adding an IPv4 ACL

3.

Configure the IPv4 ACL information, as described in Table 159.

4.

Click Apply.

Table 159 Configuration items

ACL Number
    Set the number of the IPv4 ACL.

Match Order
    Set the match order of the ACL:
    • Config: Packets are compared against ACL rules in the order that the rules are
      configured.
    • Auto: Packets are compared against ACL rules in the depth-first match order.

Description
    Set the description for the ACL.

Configuring a rule for a basic IPv4 ACL


1.

Select QoS > ACL IPv4 from the navigation tree.


2.

Click the Basic Setup tab to enter the rule configuration page for a basic IPv4 ACL, as shown
in Figure 515.

Figure 515 Configuring a basic IPv4 ACL

3.

Configure a basic IPv4 ACL, as described in Table 160.

4.

Click Add.

Table 160 Configuration items

ACL
    Select the basic IPv4 ACL for which you want to configure rules.
    Available ACLs are basic IPv4 ACLs.

Rule ID
    Select the Rule ID option and enter a number for the rule.
    If you do not specify the rule number, the system assigns one automatically.
    IMPORTANT:
    If the rule number you specify already exists, this procedure modifies the configuration
    of the existing rule.

Action
    Select the action to be performed for IPv4 packets matching the rule:
    • Permit: Allows matched packets to pass.
    • Deny: Drops matched packets.

Check Fragment
    Select this option to apply the rule to only non-first fragments.
    If you do not select this option, the rule applies to all fragments and non-fragments.
    NOTE:
    Do not select this option for an AC, because an AC does not support fragmentation.

Check Logging
    Select this option to keep a log of matched IPv4 packets.
    A log entry contains the ACL rule number, operation for the matched packets,
    protocol that IP carries, source/destination address, source/destination port
    number, and number of matched packets.
    NOTE:
    Do not select this option for an AC, because an AC does not support logging.

Source IP Address
Source Wildcard
    Select the Source IP Address option, and enter a source IPv4 address and source
    wildcard, in dotted decimal notation.

Time Range
    Select the time range during which the rule takes effect.
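The following added example (not HP's code) shows in Python how the items of Table 160 combine with the match order of Table 159 and a periodic time range from Table 158: a source wildcard selects which address bits must match, config order compares rules by rule ID, auto (depth-first) order compares the most specific wildcard first, and a rule that references a time range is skipped outside it. The addresses, rule IDs and the "work" time range are constructed; the tie-breaking used for depth-first order is an assumption of the example.

```python
"""Basic IPv4 ACL evaluation: wildcard masks, match order and periodic time ranges.

Added example, not HP's code, modelling Tables 158 to 160. Addresses, rule IDs
and the time range below are constructed; only periodic time ranges are modelled.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # datetime.weekday() order


def masked(ip: str, wildcard: str) -> int:
    """Keep only the address bits whose wildcard bit is 0 (the bits that must match)."""
    return int(IPv4Address(ip)) & (0xFFFFFFFF ^ int(IPv4Address(wildcard)))


def zero_bits(wildcard: str) -> int:
    """Zero bits in the wildcard: more of them means a more specific rule."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


@dataclass(frozen=True)
class PeriodicTimeRange:
    name: str
    days: frozenset                 # weekday names as on the Web page, e.g. {"Mon", "Fri"}
    start: time
    end: time                       # Table 158: must be later than start

    def active_at(self, when: datetime) -> bool:
        return DAYS[when.weekday()] in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class BasicRule:
    rule_id: int
    action: str                     # "permit" or "deny"
    src: str                        # Source IP Address, dotted decimal
    wildcard: str                   # Source Wildcard: 0 = must match, 1 = don't care
    time_range: Optional[str] = None

    def statement(self) -> Tuple:
        """The permit/deny statement; two rules of one ACL may not share it (guidelines)."""
        return (self.action, masked(self.src, self.wildcard), self.wildcard, self.time_range)

    def matches(self, ip: str) -> bool:
        return masked(ip, self.wildcard) == masked(self.src, self.wildcard)


class BasicIPv4ACL:
    def __init__(self, number: int, match_order: str = "config",
                 time_ranges: Optional[Dict[str, PeriodicTimeRange]] = None) -> None:
        if not 2000 <= number <= 2999:
            raise ValueError("basic IPv4 ACLs are numbered 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match order is 'config' or 'auto'")
        self.number, self.match_order = number, match_order
        self.time_ranges = time_ranges or {}
        self.rules: List[BasicRule] = []

    def add_rule(self, rule: BasicRule) -> None:
        for r in self.rules:
            if r.rule_id != rule.rule_id and r.statement() == rule.statement():
                raise ValueError(f"rule {r.rule_id} already carries this statement")
        # Table 160: reusing an existing rule number modifies that rule instead of adding one
        self.rules = [r for r in self.rules if r.rule_id != rule.rule_id] + [rule]

    def ordered_rules(self) -> List[BasicRule]:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # depth-first: most specific wildcard first; ties broken by rule ID (assumption)
        return sorted(self.rules, key=lambda r: (-zero_bits(r.wildcard), r.rule_id))

    def lookup(self, src_ip: str, when: datetime) -> Optional[str]:
        """Action of the first active rule that matches, or None when none does."""
        for r in self.ordered_rules():
            if r.time_range and not self.time_ranges[r.time_range].active_at(when):
                continue                 # the rule only takes effect during its time range
            if r.matches(src_ip):
                return r.action
        return None


def demo() -> Tuple[Optional[str], ...]:
    work = PeriodicTimeRange("work", frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"}),
                             time(8, 0), time(18, 0))
    rules = [BasicRule(0, "deny", "192.168.0.0", "0.0.255.255"),
             BasicRule(5, "permit", "192.168.1.0", "0.0.0.255", time_range="work")]
    results = []
    for order in ("config", "auto"):             # same rules, both match orders
        acl = BasicIPv4ACL(2000, order, {"work": work})
        for r in rules:
            acl.add_rule(r)
        results.append(acl.lookup("192.168.1.10", datetime(2013, 11, 12, 9, 0)))   # Tue 09:00
        results.append(acl.lookup("192.168.1.10", datetime(2013, 11, 12, 20, 0)))  # Tue 20:00
    results.append(acl.lookup("10.0.0.1", datetime(2013, 11, 12, 9, 0)))            # no rule
    return tuple(results)
```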

Configuring a rule for an advanced IPv4 ACL


1.

Select QoS > ACL IPv4 from the navigation tree.

2.

Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv4 ACL, as
shown in Figure 516.


Figure 516 Configuring an advanced IPv4 ACL

3.

Configure an advanced IPv4 ACL rule, as described in Table 161.

4.

Click Add.

Table 161 Configuration items

ACL
    Select the advanced IPv4 ACL for which you want to configure rules.
    Available ACLs are advanced IPv4 ACLs.

Rule ID
    Select the Rule ID option and enter a number for the rule.
    If you do not specify the rule number, the system assigns one automatically.
    IMPORTANT:
    If the rule number you specify already exists, this procedure modifies the
    configuration of the existing rule.

Action
    Select the action to be performed for IPv4 packets matching the rule:
    • Permit: Allows matched packets to pass.
    • Deny: Drops matched packets.

Non-First Fragments Only
    Select this option to apply the rule to only non-first fragments.
    If you do not select this option, the rule applies to all fragments and non-fragments.
    NOTE:
    Do not select this option for an AC, because an AC does not support fragmentation.

Logging
    Select this option to keep a log of matched IPv4 packets.
    A log entry contains the ACL rule number, operation for the matched packets,
    protocol that IP carries, source/destination address, source/destination port
    number, and number of matched packets.
    NOTE:
    Do not select this option for an AC, because an AC does not support logging.

IP Address Filter
    Source IP Address, Source Wildcard: Select the Source IP Address option, and enter a
    source IPv4 address and source wildcard, in dotted decimal notation.
    Destination IP Address, Destination Wildcard: Select the Destination IP Address option,
    and enter a destination IP address and destination wildcard, in dotted decimal
    notation.

Protocol
    Select the protocol to be carried by IP.
    If you select 1 ICMP, you can configure the ICMP message type and code; if you select
    6 TCP or 17 UDP, you can configure the TCP or UDP specific items.

ICMP Type
    ICMP Message, ICMP Type, ICMP Code: Specify the ICMP message type and code.
    These items are available only when you select 1 ICMP from the Protocol list.
    If you select Other from the ICMP Message list, you must enter values in the ICMP Type
    and ICMP Code fields. Otherwise, the two fields take the default values, which cannot
    be changed.

TCP/UDP Port
    TCP Connection Established: Select this option to make the rule match packets used for
    establishing and maintaining TCP connections. This item is available only when you
    select 6 TCP from the Protocol list.
    Source Operation and Port - Port, Destination Operation and Port - Port: Select the
    operations, and enter the source port numbers and destination port numbers as
    required. These items are available only when you select 6 TCP or 17 UDP from the
    Protocol list. Different operations have different configuration requirements for the
    port number fields:
    • Not Check: The following port number fields cannot be configured.
    • Range: The following port number fields must be configured to define a port range.
    • Other values: The first port number field must be configured and the second port
      number field must not.

Precedence Filter
    • DSCP: Specify the DSCP value.
    • TOS: Specify the ToS preference.
    • Precedence: Specify the IP precedence.

Time Range
    Select the time range during which the rule takes effect.

Configuring a rule for an Ethernet frame header ACL


1.

Select QoS > ACL IPv4 from the navigation tree.

2.

Click the Link Setup tab to enter the rule configuration page for an Ethernet frame header ACL, as
shown in Figure 517.


Figure 517 Configuring a rule for an Ethernet frame header ACL

3.

Configure an Ethernet frame header ACL rule, as described in Table 162.

4.

Click Add.

Table 162 Configuration items

ACL
    Select the Ethernet frame header ACL for which you want to configure rules.
    Available ACLs are Ethernet frame header ACLs.

Rule ID
    Select the Rule ID option and enter a number for the rule.
    If you do not specify the rule number, the system assigns one automatically.
    IMPORTANT:
    If the rule number you specify already exists, this procedure modifies the
    configuration of the existing rule.

Action
    Select the action to be performed for Layer 2 frames matching the rule:
    • Permit: Allows matched frames to pass.
    • Deny: Drops matched frames.

MAC Address Filter
    Source MAC Address, Source Mask: Select the Source MAC Address option and enter a
    source MAC address and wildcard.
    Destination MAC Address, Destination Mask: Select the Destination MAC Address option
    and enter a destination MAC address and wildcard.

COS(802.1p priority)
    Specify the 802.1p priority for the rule.

Type Filter
    LSAP Type, LSAP Mask: Select the LSAP Type option and specify the DSAP and SSAP fields
    in the LLC encapsulation by configuring the following items:
    • LSAP Type: Frame encapsulation format.
    • LSAP Mask: LSAP wildcard.
    Protocol Type, Protocol Mask: Select the Protocol Type option and specify the link layer
    protocol type by configuring the following items:
    • Protocol Type: Frame type. It corresponds to the type-code field of Ethernet_II and
      Ethernet_SNAP frames.
    • Protocol Mask: Wildcard.
    TIP:
    The AC does not support the LSAP Type or Protocol Type option. They do not take effect
    after being configured.

Time Range
    Select the time range during which the rule takes effect.

Adding an IPv6 ACL


1.

Select QoS > ACL IPv6 from the navigation tree.

2.

Click the Add tab to enter the IPv6 ACL adding page, as shown in Figure 518.


Figure 518 Adding an IPv6 ACL

3.

Configure the IPv6 ACL information, as described in Table 163.

4.

Click Apply.

Table 163 Configuration items

ACL Number
    Enter a number for the IPv6 ACL.

Match Order
    Select a match order for the ACL:
    • Config: Packets are compared against ACL rules in the order the rules are
      configured.
    • Auto: Packets are compared against ACL rules in the depth-first match order.

Description
    Set the description for the ACL.

Configuring a rule for a basic IPv6 ACL


1.

Select QoS > ACL IPv6 from the navigation tree.

2.

Click the Basic Setup tab to enter the rule configuration page for a basic IPv6 ACL, as shown
in Figure 519.


Figure 519 Configuring a rule for a basic IPv6 ACL

3.

Configure the basic IPv6 ACL rule information, as described in Table 164.

4.

Click Add.

Table 164 Configuration items

Select Access Control List (ACL)
    Select the basic IPv6 ACL for which you want to configure rules.
    Available ACLs are basic IPv6 ACLs.

Rule ID
    Select the Rule ID option and enter a number for the rule.
    If you do not specify the rule number, the system assigns one automatically.
    IMPORTANT:
    If the rule number you specify already exists, this procedure modifies the
    configuration of the existing rule.

Operation
    Select the operation to be performed for IPv6 packets matching the rule:
    • Permit: Allows matched packets to pass.
    • Deny: Drops matched packets.

Check Fragment
    Select this option to apply the rule to only non-first fragments.
    If you do not select this option, the rule applies to all fragments and non-fragments.
    NOTE:
    Do not select this option for an AC, because an AC does not support fragmentation.

Check Logging
    Select this option to keep a log of matched IPv6 packets.
    A log entry contains the ACL rule number, operation for the matched packets,
    protocol that IP carries, source/destination address, source/destination port
    number, and number of matched packets.
    NOTE:
    Do not select this option for an AC, because an AC does not support logging.

Source IP Address
Source Prefix
    Select the Source IP Address option, and enter a source IPv6 address and prefix
    length.
    The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight
    16-bit long fields, each of which is expressed with two hexadecimal numbers and
    separated from its neighboring fields by colon (:).

Time Range
    Select the time range during which the rule takes effect.

Configuring a rule for an advanced IPv6 ACL

1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv6 ACL, as shown in Figure 520.

Figure 520 Configuring a rule for an advanced IPv6 ACL

3. Configure the advanced IPv6 ACL rule information, as described in Table 165.
4. Click Add.

Table 165 Configuration items

Select Access Control List (ACL)
    Select the advanced IPv6 ACL for which you want to configure rules. Available ACLs are advanced IPv6 ACLs.

Rule ID
    Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
    IMPORTANT: If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.

Operation
    Select the operation to be performed for IPv6 packets matching the rule:
    • Permit: Allows matched packets to pass.
    • Deny: Drops matched packets.

Check Fragment
    Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
    NOTE: Do not select this option for an AC, because an AC does not support fragmentation.

Check Logging
    Select this option to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, the operation for the matched packets, the protocol that IP carries, the source/destination address, the source/destination port number, and the number of matched packets.
    NOTE: Do not select this option for an AC, because an AC does not support logging.

IP Address Filter
    Source IP Address / Source Prefix: Select the Source IP Address option, and enter a source IPv6 address and prefix length.
    Destination IP Address / Destination Prefix: Select the Destination IP Address option, and enter a destination IPv6 address and prefix length.
    The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit fields, each expressed as up to four hexadecimal digits and separated from its neighboring fields by a colon (:).

Protocol
    Select the protocol to be carried by IP. If you select 58 ICMPv6, you can configure the ICMPv6 message type and code. If you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.

ICMPv6 Type
    Named ICMPv6 Type, ICMPv6 Type, ICMPv6 Code: Specify the ICMPv6 message type and code. These items are available only when you select 58 ICMPv6 from the Protocol list. If you select Other from the Named ICMPv6 Type list, you must enter values in the ICMPv6 Type and ICMPv6 Code fields. Otherwise, the two fields take the default values for the named type, which cannot be changed.

TCP/UDP Port
    Source Port: Operator, Port, To Port.
    Destination Port: Operator, Port, To Port.
    Select the operators, and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list. Different operators have different configuration requirements for the port number fields:
    • Not Check: The port number fields cannot be configured.
    • Range: Both port number fields must be configured to define a port range.
    • Other values: The first port number field must be configured and the second must not.

Time Range
    Select the time range during which the rule takes effect.
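The Match Order item of Table 163 decides which of several matching rules wins, and that decision is where a misordered ACL lets traffic through. The following Python model is an added example, not code from this guide and not what the device executes. It compares Config order with a depth-first order on a constructed basic IPv6 ACL (number 2001); the guide names the depth-first mode without spelling out its ordering, so the ordering assumed here (longer source prefix first, "any" source last, lower rule ID wins a tie) and the treatment of packets that match no rule are assumptions of the model.

```python
"""Rule matching under the two IPv6 ACL match orders, Config and Auto.

Added illustration for the Match Order item of Table 163; it is not code from
the HP guide and not what the device runs. The depth-first ordering assumed for
a basic IPv6 ACL: longer source prefix first, "any" source last, lower rule ID
wins a tie. ACL 2001 below is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                     # "permit" or "deny"
    source: Optional[IPv6Network]   # None means any source address
    fragment_only: bool = False     # the Check Fragment option: non-first fragments only

    def matches(self, src: IPv6Address, non_first_fragment: bool) -> bool:
        if self.fragment_only and not non_first_fragment:
            return False
        return self.source is None or src in self.source


def _specificity(rule: Rule) -> int:
    return rule.source.prefixlen if rule.source is not None else -1


def ordered_rules(rules: List[Rule], match_order: str) -> List[Rule]:
    """Config: ascending rule ID. Auto (assumed depth-first): most specific prefix first."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        return sorted(rules, key=lambda r: (-_specificity(r), r.rule_id))
    raise ValueError(f"unknown match order {match_order!r}")


def evaluate(rules: List[Rule], match_order: str, src: str,
             non_first_fragment: bool = False) -> Tuple[str, Optional[int]]:
    """First matching rule wins. A packet matching no rule is reported as
    ("permit", None); that default is an assumption of this model, the page does
    not state the device's behaviour for unmatched packets."""
    addr = IPv6Address(src)
    for rule in ordered_rules(rules, match_order):
        if rule.matches(addr, non_first_fragment):
            return rule.action, rule.rule_id
    return "permit", None


def shadowed_under_config_order(rules: List[Rule]) -> List[int]:
    """Rule IDs that can never match with Config order because an earlier rule
    already covers every packet they would match. The classic audit finding is a
    broad permit entered before a narrower deny."""
    found = []
    ordered = sorted(rules, key=lambda r: r.rule_id)
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.fragment_only and not later.fragment_only:
                continue  # an earlier fragments-only rule does not cover whole packets
            covers_any = earlier.source is None
            covers_prefix = (later.source is not None and earlier.source is not None
                             and later.source.subnet_of(earlier.source))
            if covers_any or covers_prefix:
                found.append(later.rule_id)
                break
    return found


# Constructed sample ACL 2001: a broad permit entered first, a narrower deny after
# it, and a fragments-only deny at the end.
ACL_2001 = [
    Rule(0, "permit", IPv6Network("2001:db8::/32")),
    Rule(5, "deny", IPv6Network("2001:db8:bad::/48")),
    Rule(10, "deny", None, fragment_only=True),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(ACL_2001, order, "2001:db8:bad::1"))
    print("shadowed with Config order:", shadowed_under_config_order(ACL_2001))
```

With Config order the packet from 2001:db8:bad::1 is permitted by rule 0 and rule 5 is dead; with Auto order the narrower rule 5 is consulted first and the packet is denied. The shadowing check is the kind of review worth running on any ACL left in Config order before it is referenced by a QoS class.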

Configuring rate limit

Rate limit uses token buckets to control traffic. The rate limit of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Rate limit can limit all the packets passing a physical interface.

To configure rate limit:
1. Select QoS > Line rate from the navigation tree.
2. Click the Setup tab to enter the rate limit configuration page, as shown in Figure 521.

Figure 521 Configuring rate limit on a port

3. Configure rate limit, as described in Table 166.
4. Click Apply.

Table 166 Configuration items

Please select an interface type
    Select the types of interfaces to be configured with rate limit. The interface types available for selection depend on your device model.

Rate Limit
    Select Enable or Disable to enable or disable rate limit on the specified port.

Direction
    Select the direction in which the rate limit is applied:
    • Outbound: Limits the rate of packets sent by the specified port.

CIR
    Set the committed information rate (CIR), the average traffic rate.

CBS
    Set the committed burst size (CBS), the number of bits that can be sent in each interval.

EBS
    Set the excess burst size (EBS).
    This configuration item is not supported.

Please select port(s)
    Specify the ports to be configured with rate limit. Click the ports to be configured in the port list. You can select one or more ports.

Configuring the priority trust mode of a port

Priority mapping overview

When a packet enters a device, the device assigns a set of QoS priority parameters to the packet based on a certain priority field carried in the packet, and sometimes modifies its priority according to rules that depend on the device status. This process is called "priority mapping". The set of QoS priority parameters decides the scheduling priority and forwarding priority of the packet.

The device provides various types of priority mapping tables, or rather, priority mappings. By looking up a priority mapping table, the device decides which priority value to assign to a packet for subsequent packet processing.

You can configure priority mapping by trusting packet priority or trusting port priority.
• If packet priority is trusted, the device uses the specified priority field of the incoming packet to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet. If a received packet does not carry the specified priority field, the device uses the port priority to look up the priority mapping tables instead.
• If port priority is trusted, the device uses the port priority rather than the packet priority to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet.

Trusting a priority field on a port that faces user hosts lets those hosts choose their own priority by marking their packets. Trust packet priority only on ports where the upstream device sets the field, and trust port priority on user-facing ports.

Configuring priority mapping

Two methods are available for configuring the priority trust mode on a port for priority mapping:
• By using the first method (QoS > Trust Mode), you can configure a port to use the 802.1p or 802.11e priority carried in received packets for priority mapping. This method is supported for the WLAN-ESS interface in addition to other types of interface.
• By using the second method (QoS > Port Priority), more options are available. In addition, you can change the port priority (local precedence) of a port for priority mapping. This method is not supported on the WLAN-ESS interface.

Configuring the trust mode

1. Select QoS > Trust Mode from the navigation tree to enter the priority trust mode configuration page, as shown in Figure 522.

Figure 522 Configuring priority trust mode

2. Configure the priority trust mode of the interfaces, as described in Table 167.
3. Click Apply.

Table 167 Configuration items

Please select the interface type
    Select the type of the ports to be configured. The interface types available for selection depend on your device model.
    IMPORTANT: If a WLAN-ESS interface in use has WLAN-DBSS interfaces created on it, its priority cannot be modified. To modify the priority of the WLAN-ESS interface, you must stop the service the interface provides (make the current users on the interface offline).

Trust Mode
    Select the priority trust mode:
    • Dot1p: Uses the 802.1p priority of received packets for mapping.
    • Dscp: Uses the DSCP value of received packets for mapping.
    • Dot11e: Uses the 802.11e priority of received packets for mapping. This option is applicable to only WLAN-ESS interfaces.
    IMPORTANT: Support for priority trust modes depends on the interface type. The supported priority trust modes are shown in the Trust Mode list.

Select the ports
    Specify the ports to be configured. Click the ports to be configured in the port list. You can select one or more ports.

Configuring the port priority

1. Select QoS > Port Priority from the navigation tree to enter the page shown in Figure 523.

Figure 523 Port priority

2. Click the icon for a port to enter the page for configuring the priority and priority trust mode of the port, as shown in Figure 524.

Figure 524 Modifying the port priority

3. Set the port priority, as described in Table 168.
4. Click Apply.

Table 168 Configuration items

Interface Name
    Name of the interface to be configured.

Priority
    Set the local precedence value for the port. Local precedence is allocated by the device and has only local significance. A local precedence value corresponds to an output queue. A packet with a higher local precedence is assigned to a higher priority output queue and is scheduled preferentially.

Trust Mode
    Set the priority trust mode of the port:
    • Untrust: Uses the port priority rather than a packet priority value for priority mapping.
    • Dot1p: Uses the 802.1p priority of received packets for priority mapping.
    • DSCP: Uses the DSCP value of received packets for priority mapping.
    IMPORTANT: Support for priority trust modes depends on the interface type.

Configuring a QoS policy

A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing. Before configuring a QoS policy, be familiar with these concepts: class, traffic behavior, and policy.

Class
Classes identify traffic. A class is identified by a class name and contains match criteria for identifying traffic. The relationship between the criteria can be:
• AND: A packet belongs to the class only when it matches all the criteria in the class.
• OR: A packet belongs to the class if it matches any of the criteria in the class.

Traffic behavior
A traffic behavior, identified by a name, defines a set of QoS actions for packets.

Policy
A policy associates a class with a traffic behavior to define what actions to take on which class of traffic. You can define multiple class-traffic behavior associations in a policy.

You can apply a policy to a port to regulate traffic sent or received on the port. A QoS policy can be applied to multiple ports, but in one direction (inbound or outbound) of a port, only one QoS policy can be applied.

QoS policy configuration procedure

Step / Remarks

1. Adding a class
    Required. Add a class and specify the operation of the class.

2. Configuring traffic classification rules
    Required. Configure match criteria for the class.

3. Adding a traffic behavior
    Required. Add a traffic behavior.

4. Configuring actions for a traffic behavior
    Configure various actions for the traffic behavior.

5. Adding a policy
    Required. Add a policy.

6. Configuring classifier-behavior associations for the policy
    Required. Associate a traffic behavior with a class in the QoS policy. You can associate a class with only one traffic behavior in a QoS policy. If a class is associated with multiple traffic behaviors, the last associated one takes effect.

7. Apply the policy, by either Applying a policy to a port or Applying a QoS policy to a WLAN service
    Use either approach. Apply the QoS policy to a port or a WLAN service.

Adding a class

1. Select QoS > Classifier from the navigation tree.
2. Click the Add tab to enter the page for adding a class, as shown in Figure 525.

Figure 525 Adding a class

3. Configure the class information, as described in Table 169.
4. Click Add.

Table 169 Configuration items

Classifier Name
    Specify a name for the classifier to be added.

Operation
    Specify the logical relationship between rules of the classifier:
    • And: Specifies the relationship between the rules in a class as logical AND. The device considers a packet to belong to the class only when the packet matches all the rules in the class.
    • Or: Specifies the relationship between the rules in a class as logical OR. The device considers a packet to belong to the class as long as the packet matches one of the rules in the class.

Configuring traffic classification rules

1. Select QoS > Classifier from the navigation tree.
2. Click the Setup tab to enter the page for setting a class, as shown in Figure 526.

Figure 526 Configuring classification rules

3. Configure classification rules, as described in Table 170.
4. Click Apply. A progress dialog box appears.
5. Click Close on the progress dialog box when it prompts that the configuration succeeds.

Table 170 Configuration items

Please select a classifier
    Select an existing classifier in the list.

Any
    Define a rule to match all packets. Select the option to match all packets.

DSCP
    Define a rule to match DSCP values. If multiple rules are configured for a class, the new configuration does not overwrite the previous one. You can configure up to eight DSCP values at a time. If multiple identical DSCP values are specified, the system considers them as a single value. The relationship between different DSCP values is OR. After configuration, all the DSCP values are arranged in ascending order automatically.

IP Precedence
    Define a rule to match IP precedence values. If multiple rules are configured for a class, the new configuration does not overwrite the previous one. You can configure up to eight IP precedence values at a time. If multiple identical IP precedence values are specified, the system considers them as a single value. The relationship between different IP precedence values is OR. After configuration, all the IP precedence values are arranged in ascending order automatically.

Classifier
    Define a rule to match a QoS class.
    TIP: This configuration item is not supported.

Inbound Interface
    Define a rule to match inbound interfaces.
    TIP: This configuration item is not supported.

RTP Port
    Define a rule to match a range of RTP ports. Specify the start port in the from field and the end port in the to field.
    TIP: This configuration item is not supported.

Dot1p: Service 802.1p
    Define a rule to match the service 802.1p precedence values. If multiple rules are configured for a class, the new configuration does not overwrite the previous one. You can configure up to eight Dot1p values at a time. If multiple identical Dot1p values are specified, the system considers them as a single value. The relationship between different Dot1p values is OR. After configuration, all the Dot1p values are arranged in ascending order automatically.
    TIP: This configuration item is not supported.

Dot1p: Customer 802.1p
    Define a rule to match the customer 802.1p precedence values. If multiple rules are configured for a class, the new configuration does not overwrite the previous one. You can configure up to eight Dot1p values at a time. If multiple identical Dot1p values are specified, the system considers them as a single value. The relationship between different Dot1p values is OR. After configuration, all the Dot1p values are arranged in ascending order automatically.

MAC: Source MAC
    Define a rule to match a source MAC address. If multiple rules are configured for a class, the new configuration does not overwrite the previous one. A rule to match a source MAC address is significant only to Ethernet interfaces.

MAC: Destination MAC
    Define a rule to match a destination MAC address. If multiple rules are configured for a class, the new configuration does not overwrite the previous one. A rule to match a destination MAC address is significant only to Ethernet interfaces.

VLAN: Service VLAN
    Define a rule to match service VLAN IDs. If multiple rules are configured for a class, the new configuration does not overwrite the previous one. You can configure multiple VLAN IDs at a time. If the same VLAN ID is specified multiple times, the system considers them as a single value. The relationship between different VLAN IDs is logical OR. You can specify VLAN IDs by using one of the following methods:
    • Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the range is not limited.
    • Specify a combination of individual VLAN IDs and VLAN ID ranges, such as 3, 5-7, 10. You can specify up to eight VLAN IDs in this way.
    TIP: This configuration item is not supported.

VLAN: Customer VLAN
    Define a rule to match customer VLAN IDs. If multiple rules are configured for a class, the new configuration does not overwrite the previous one. You can configure multiple VLAN IDs at a time. If the same VLAN ID is specified multiple times, the system considers them as a single value. The relationship between different VLAN IDs is logical OR. You can specify VLAN IDs in two ways:
    • Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the range is not limited.
    • Specify a combination of individual VLAN IDs and VLAN ID ranges, such as 3, 5-7, 10. You can specify up to eight VLAN IDs in this way.

ACL: ACL IPv4
    Define an IPv4 ACL-based rule. A packet matches the rule only when it hits a permit rule of the ACL; packets that hit a deny rule or no rule do not match.

ACL: ACL IPv6
    Define an IPv6 ACL-based rule. A packet matches the rule only when it hits a permit rule of the ACL; packets that hit a deny rule or no rule do not match.

Adding a traffic behavior

1. Select QoS > Behavior from the navigation tree.
2. Click the Add tab to enter the page for adding a traffic behavior, as shown in Figure 527.
3. Set the traffic behavior name.
4. Click Add.

Figure 527 Adding a traffic behavior

Configuring actions for a traffic behavior

1. Select QoS > Behavior from the navigation tree.
2. Click the Setup tab to enter the page for setting a traffic behavior, as shown in Figure 528.

Figure 528 Setting a traffic behavior

3. Configure the traffic behavior actions, as described in Table 171.
4. Click Apply. A progress dialog box appears.
5. Click Close on the progress dialog box when it prompts that the configuration succeeds.

Table 171 Configuration items

Please select a behavior
    Select an existing behavior in the list.

CAR: Enable/Disable
    Enable or disable CAR.

CAR: CIR
    Set the committed information rate (CIR), the average traffic rate.

CAR: CBS
    Set the committed burst size (CBS), the number of bits that can be sent in each interval.

CAR: Red
    Set the action to perform for exceeding packets. After selecting the Red option, you can select one of the following options:
    • Discard: Drops the exceeding packet.
    • Pass: Permits the exceeding packet to pass through.

Remark: IP Precedence
    Configure the action of marking IP precedence for packets. Select the IP Precedence option and then select the IP precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking IP precedence.
    TIP: This configuration item is not supported.

Remark: Dot1p
    Configure the action of marking 802.1p precedence for packets. Select the Dot1p option and then select the 802.1p precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking 802.1p precedence.

Remark: Local Precedence
    Configure the action of marking local precedence for packets. Select the Local Precedence option and then select the local precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking local precedence.

Remark: DSCP
    Configure the action of marking DSCP values for packets. Select the DSCP option and then select the DSCP value to be marked for packets in the following list. Select Not Set to cancel the action of marking DSCP values.
    TIP: This configuration item is not supported.

Queue: EF
    Max Bandwidth: Configure the maximum bandwidth for Expedited Forwarding (EF).
    CBS: Configure the CBS for EF.
    Percent: Configure the percent of available bandwidth for EF.
    CBS-Ratio: Configure the ratio of CBS to CIR for EF.

Queue: AF
    Min Bandwidth: Configure the minimum guaranteed bandwidth for Assured Forwarding (AF).
    Percent: Configure the percent of available bandwidth for AF.

Queue: WFQ
    Configure WFQ for the default class by entering the total number of fair queues, which must be a power of two.
    TIP: The Queue configuration items (EF, AF, and WFQ) are not supported.

Filter
    Configure the packet filtering action. After selecting the Filter option, select one item in the following list:
    • Permit: Forwards the packet.
    • Deny: Drops the packet.
    • Not Set: Cancels the packet filtering action.

Accounting
    Configure the traffic accounting action. Select the Accounting option and select Enable or Disable in the following list to enable or disable the traffic accounting action.
    TIP: This configuration item is not supported.
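Both the line rate settings in "Configuring rate limit" (Table 166) and the CAR rows of Table 171 configure the same token bucket: tokens arrive at CIR, the bucket holds at most CBS, and a packet conforms if enough tokens are present. The following Python model is an added example, not code from this guide and not the device's implementation. Assumptions: CIR is given in kbps, the bucket depth is counted in bytes so that it can be compared with frame sizes, the bucket starts full, and refill is computed continuously from packet timestamps; the packet trace is constructed sample data.

```python
"""Single token bucket, the mechanism behind the page's line rate (Table 166)
and CAR (Table 171) settings.

Added example, not the device's implementation and not code from the HP guide.
Assumptions: CIR in kbps, bucket depth (CBS) in bytes, bucket starts full,
continuous refill from packet timestamps. BURST is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class TokenBucket:
    cir_kbps: int                 # committed information rate
    cbs_bytes: int                # committed burst size = bucket depth
    red_action: str = "discard"   # CAR "Red" action for exceeding packets: "discard" or "pass"
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if self.red_action not in ("discard", "pass"):
            raise ValueError("red_action must be 'discard' or 'pass'")
        self.tokens = float(self.cbs_bytes)       # bucket starts full (assumption)

    def offer(self, size_bytes: int, t: float) -> str:
        """Return 'green' when the packet conforms, else the configured red action."""
        if t < self.last_t:
            raise ValueError("timestamps must be non-decreasing")
        refill = (t - self.last_t) * self.cir_kbps * 1000 / 8   # kbps -> bytes per second
        self.tokens = min(float(self.cbs_bytes), self.tokens + refill)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "green"
        return self.red_action                    # line rate: drop; CAR: Discard or Pass


def police(bucket: TokenBucket, packets: Iterable[Tuple[float, int]]) -> List[str]:
    """Run a (timestamp_s, size_bytes) trace through the bucket and return the verdicts."""
    return [bucket.offer(size, t) for t, size in packets]


# Constructed trace: 20 full-size frames arrive at once, then one more 100 ms later.
BURST = [(0.0, 1500)] * 20 + [(0.1, 1500)]

if __name__ == "__main__":
    verdicts = police(TokenBucket(cir_kbps=1000, cbs_bytes=15000), BURST)
    print(verdicts.count("green"), "green,", verdicts.count("discard"), "discarded")
```

With CIR 1000 kbps (125000 bytes per second) and CBS 15000 bytes, the first ten 1500-byte frames of the burst conform, the next ten exceed, and the frame 100 ms later conforms again because 12500 bytes of tokens have accrued. CBS therefore sets how big an instantaneous burst passes regardless of CIR; a CBS far larger than one interval's worth of CIR lets a client flood the port in bursts while staying within the average.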

Adding a policy

1. Select QoS > QoS Policy from the navigation tree.
2. Click the Add tab to enter the page for adding a policy, as shown in Figure 529.
3. Set the policy name.
4. Click Add.

Figure 529 Adding a policy

Configuring classifier-behavior associations for the policy

1. Select QoS > QoS Policy from the navigation tree.
2. Click the Setup tab to enter the page for setting a policy, as shown in Figure 530.

Figure 530 Setting a policy

3. Configure classifier-behavior associations, as described in Table 172.
4. Click Apply.

Table 172 Configuration items

Please select a policy
    Select an existing policy in the list.

Classifier Name
    Select an existing classifier in the list.

Behavior Name
    Select an existing behavior in the list.

Applying a policy to a port

1. Select QoS > Port Policy from the navigation tree.
2. Click the Setup tab to enter the page for applying a policy to a port, as shown in Figure 531.

Figure 531 Applying a policy to a port

3. Select a policy and apply the policy to the specified ports, as described in Table 173.
4. Click Apply.

Table 173 Configuration items

Please select a policy
    Select an existing policy in the list.

Direction
    Set the direction in which you want to apply the policy:
    • Inbound: Applies the policy to the incoming packets of the specified ports.
    • Outbound: Applies the policy to the outgoing packets of the specified ports.

Please select port(s)
    Click the ports to which the QoS policy is to be applied in the port list. You can select one or more ports.

Applying a QoS policy to a WLAN service

1. Select QoS > Service Policy from the navigation tree to enter the service policy page shown in Figure 532.

Figure 532 Service policy

2. Click the icon for a wireless service to enter the service policy setup page shown in Figure 533.

Figure 533 Service policy setup

3. Apply the policy to the wireless service, as described in Table 174.
4. Click Apply.

Table 174 Configuration items

Wlan Service
    Displays the WLAN service to which you want to apply a QoS policy.

Inbound Policy
    Apply the QoS policy to the packets received by the wireless service.

Outbound Policy
    Apply the QoS policy to the packets sent by the wireless service.

Trust Mode
    Set the priority trust mode:
    • Untrust: Uses the port priority for mapping.
    • Dscp: Uses the DSCP values of received packets for mapping.
    • 802.11e: Uses the 802.11e priority of received 802.11 packets for mapping.

QoS Priority
    Set the local precedence value.

ACL and QoS configuration example

Network requirements
As shown in Figure 534, in the WLAN, the FTP server (10.1.1.1/24) is connected to the AC (SSID: service1), and the wireless clients are connected to the AC through APs and a Layer 2 switch and access the network resources.

Configure an ACL and a QoS policy on the AC to prohibit the wireless clients from accessing the FTP server from 8:00 to 18:00 every day:
1. Add an ACL that identifies traffic from the hosts to the FTP server and is active from 8:00 to 18:00 every day.
2. Configure a QoS policy to drop the packets matching the ACL.
3. Apply the QoS policy in the inbound direction of the wireless service named service1.

Figure 534 Network diagram
(Client 1 and Client 2 associate with AP 1 and AP 2, which connect through the L2 switch to the AC; the FTP server, 10.1.1.1/24, is attached to the AC.)

Configuration procedure
Before performing the following configurations, make sure the AC has been configured with wireless service service1. For more information about the wireless service configuration, see "Configuring access services."

1. Define a time range covering 8:00 to 18:00 every day:
   a. Select QoS > Time Range from the navigation tree.
   b. Click the Add tab.
   c. On the page as shown in Figure 535, enter the time range name test-time, select the Periodic Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and select the options Sun through Sat.
   d. Click Apply.

Figure 535 Defining a time range covering 8:00 to 18:00 every day

2. Add an advanced IPv4 ACL:
   a. Select QoS > ACL IPv4 from the navigation tree.
   b. Click the Add tab.
   c. Enter the ACL number 3000.
   d. Click Apply.

Figure 536 Adding an advanced IPv4 ACL

3. Define an ACL rule for traffic to the FTP server:
   a. Click the Advanced Setup tab.
   b. On the page as shown in Figure 537, select 3000 in the ACL list, select the Rule ID option, and enter rule ID 2.
   c. Select Permit in the Action list. The rule uses Permit, not Deny, because an ACL referenced by a QoS class only identifies traffic: a permit rule selects the packets for the class, and the Filter Deny action configured for the traffic behavior in step 7 is what drops them.
   d. Select the Destination IP Address option, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0. An all-zero wildcard matches only this host.
   e. Select test-time in the Time Range list.
   f. Click Add.

Figure 537 Defining an ACL rule for traffic to the FTP server

4. Add a class:
   a. Select QoS > Classifier from the navigation tree.
   b. Click the Add tab.
   c. On the page as shown in Figure 538, enter the class name class1.
   d. Click Add.

Figure 538 Adding a class

5. Define classification rules:
   a. Click the Setup tab.
   b. On the page as shown in Figure 539, select the class name class1 in the list, select the ACL IPv4 option, and select ACL 3000 in the following list.
   c. Click Apply. A progress dialog box appears.
   d. Click Close on the progress dialog box when it prompts that the configuration succeeds.

Figure 539 Defining classification rules

6. Add a traffic behavior:
   a. Select QoS > Behavior from the navigation tree.
   b. Click the Add tab.
   c. On the page as shown in Figure 540, enter the behavior name behavior1.
   d. Click Add.

Figure 540 Adding a traffic behavior

7. Configure actions for the traffic behavior:
   a. Click the Setup tab.
   b. On the page as shown in Figure 541, select behavior1 in the list, select the Filter option, and then select Deny in the following list.
   c. Click Apply. A progress dialog box appears.
   d. Click Close when the progress dialog box prompts that the configuration succeeds.

Figure 541 Configuring actions for the behavior

8. Add a policy:
   a. Select QoS > QoS Policy from the navigation tree.
   b. Click the Add tab.
   c. On the page as shown in Figure 542, enter the policy name policy1.
   d. Click Add.

Figure 542 Adding a policy

9. Configure classifier-behavior associations for the policy:
   a. Click the Setup tab.
   b. On the page as shown in Figure 543, select policy1, select class1 in the Classifier Name list, and select behavior1 in the Behavior Name list.
   c. Click Apply.

Figure 543 Configuring classifier-behavior associations for the policy

10. Apply the QoS policy in the inbound direction of the wireless service named service1:
   a. Select QoS > Service Policy from the navigation tree.
   b. Click the icon for wireless service service1.
   c. On the page as shown in Figure 544, select the Inbound Policy option, and select policy1 from the following list.
   d. Click Apply.

Figure 544 Applying the QoS policy in the inbound direction of WLAN service service1

Verifying the configuration

After you complete these configurations, the QoS policy is applied to the wireless service named service1. From 8:00 to 18:00 every day, packets from the wireless clients to the FTP server at 10.1.1.1 match rule 2 of ACL 3000, fall into class1, and are dropped by behavior1, so the clients cannot access the FTP server. Outside that period rule 2 is inactive, nothing matches class1, and the policy leaves the traffic alone, so the clients can access the server. Traffic from the clients to other destinations is not affected at any time. Confirm the result by attempting an FTP connection from a client both inside and outside the time range.
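The following Python model walks the example's own objects (time range test-time, ACL 3000 rule 2, class1, behavior1, policy1 applied inbound on service1) through a few constructed packets. It is an added illustration, not code from this guide and not what the AC executes; its purpose is to make visible why the ACL rule says Permit while the traffic ends up dropped. Assumptions: Config match order, the end time of the periodic time range is exclusive, and packets that match no class are forwarded untouched.

```python
"""Model of the configuration example: time range test-time, advanced ACL 3000,
class1, behavior1 and policy1 applied inbound on WLAN service service1.

Added illustration, not code from the HP guide and not what the AC executes.
Assumptions: Config match order, exclusive time range end, unclassified traffic
forwarded. Packets and timestamps below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: str                 # "HH:MM"
    end: str                   # "HH:MM", treated as exclusive (assumption)
    days: frozenset            # Python weekday() values, 0 = Monday ... 6 = Sunday

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") < self.end


def wildcard_match(addr, base, wildcard) -> bool:
    """ACL wildcard: a 1 bit means 'ignore this bit'; 0.0.0.0 therefore matches one host."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str                                            # "permit" or "deny"
    dst: Optional[Tuple[str, str]] = None                  # (address, wildcard); None = any
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: Dict[str, str], when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False                                   # rule is inactive outside its time range
        if self.dst is not None and not wildcard_match(pkt["dst"], *self.dst):
            return False
        return True


@dataclass(frozen=True)
class Acl:
    number: int
    rules: Tuple[AclRule, ...]

    def lookup(self, pkt, when) -> Optional[str]:
        """Config order: first match by ascending rule ID; None when nothing matches."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(pkt, when):
                return rule.action
        return None


@dataclass
class Classifier:
    name: str
    operation: str = "and"                                 # And / Or from Table 169
    acls: List[Acl] = field(default_factory=list)

    def matches(self, pkt, when) -> bool:
        # An ACL-based criterion is met only when the packet hits a permit rule of the ACL.
        hits = [acl.lookup(pkt, when) == "permit" for acl in self.acls]
        return all(hits) if self.operation == "and" else any(hits)


@dataclass
class Behavior:
    name: str
    filter: Optional[str] = None                           # "permit", "deny" or None (Not Set)


@dataclass
class Policy:
    name: str
    associations: List[Tuple[Classifier, Behavior]]

    def apply(self, pkt, when) -> str:
        for classifier, behavior in self.associations:
            if classifier.matches(pkt, when):
                return "drop" if behavior.filter == "deny" else "forward"
        return "forward"                                   # unclassified traffic is left alone


# The objects created in steps 1 to 9 of the configuration procedure.
TEST_TIME = TimeRange("test-time", "08:00", "18:00", frozenset(range(7)))   # Sun through Sat
ACL_3000 = Acl(3000, (AclRule(2, "permit", ("10.1.1.1", "0.0.0.0"), TEST_TIME),))
CLASS1 = Classifier("class1", "and", [ACL_3000])
BEHAVIOR1 = Behavior("behavior1", filter="deny")
POLICY1 = Policy("policy1", [(CLASS1, BEHAVIOR1)])


def inbound_verdict(dst: str, stamp: str) -> str:
    """Fate of a client packet to dst entering service1 at 'YYYY-MM-DD HH:MM'."""
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    return POLICY1.apply({"dst": dst}, when)


if __name__ == "__main__":
    for hhmm in ("07:59", "08:00", "12:30", "18:00"):
        stamp = "2013-11-12 " + hhmm
        print(hhmm, inbound_verdict("10.1.1.1", stamp), inbound_verdict("10.1.1.2", stamp))
```

Two details the Web pages do not spell out fall out of the model: the verdict flips on the time range alone (rule 2 simply stops matching outside 8:00 to 18:00, so the policy does nothing), and the destination wildcard controls scope, with 0.0.0.0 meaning exactly one host and 0.0.0.255 the whole 10.1.1.0/24 subnet.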


Configuring wireless QoS


Overview
An 802.11 network offers wireless access based on the carrier sense multiple access with collision
avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel
contention opportunities. All applications carried on the WLAN use the same channel contention
parameters. A live WLAN, however, is required to provide differentiated access services to address
diversified requirements of applications for bandwidth, delay, and jitter.
When IEEE 802.11e was being standardized, Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM)
standard to allow QoS provision devices of different vendors to interoperate. WMM makes a WLAN
network capable of providing QoS services.

Terminology
WMM
WMM is a wireless QoS protocol designed to preferentially transmit packets with high priority, and
guarantees better QoS services for voice and video applications in a wireless network.

EDCA
Enhanced distributed channel access (EDCA) is a channel contention mechanism designed by WMM to
preferentially transmit packets with high priority and allocate more bandwidth to such packets.

AC
WMM uses access categories (ACs) for handling channel contentions. WMM assigns WLAN data to
four access categories: AC-VO (voice), AC-VI (video), AC-BE (best-effort), and AC-BK (background), in
the descending order of priority. Each access category uses an independent priority queue for
transmitting data. When contention occurs, WMM guarantees that a high-priority access category
preempts a low-priority access category.

CAC
Connection admission control (CAC) limits the number of clients that are using high-priority access
categories (AC-VO and AC-VI) to guarantee sufficient bandwidth for existing high-priority traffic.

U-APSD
Unscheduled automatic power-save delivery (U-APSD) is a new power saving mechanism defined by
WMM to enhance the power saving capability of clients.

SVP
SpectraLink voice priority (SVP) is a voice priority protocol designed by the Spectralink company to
guarantee QoS for voice traffic.


WMM protocol overview


The distributed coordination function (DCF) in 802.11 stipulates that access points (APs) and clients use
the CSMA/CA access mechanism. APs or clients listen to the channel before they hold the channel for
data transmission. When the specified idle duration of the channel times out, APs or clients randomly
select a backoff slot within the contention window to perform backoff. The device that finishes backoff first
gets the channel. With 802.11, all devices have the same idle duration and contention window. They are
equal when contending for a channel. In WMM, this fair contention mechanism is changed.

EDCA parameters
WMM assigns data packets to four access categories. By giving a high-priority access category more channel contention opportunities than a low-priority access category, WMM offers different service levels to the access categories.
WMM defines a set of EDCA parameters for each access category, covering the following:
• Arbitration inter-frame spacing number (AIFSN): Different from the 802.11 protocol, where the idle duration (set using DIFS) is a constant value, WMM can define an idle duration per access category. The idle duration increases as the AIFSN value increases (see Figure 545 for the AIFS durations).
• Exponent of CWmin (ECWmin) and exponent of CWmax (ECWmax): Determine the average number of backoff slots, which increases as the two values increase (see Figure 545 for the backoff slots).
• Transmission opportunity limit (TXOPLimit): Indicates the maximum time for which a user can hold a channel after a successful contention. The greater the TXOPLimit, the longer the user can hold the channel. The value 0 indicates that the user can send only one packet each time it holds the channel.

Figure 545 Per-AC channel contention parameters in WMM
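The following added example (not code from this guide or from HP) turns the four EDCA values the Web pages expose (AIFSN, ECWmin, ECWmax, TXOP Limit) into the quantities that actually decide contention: the AIFS idle time in microseconds, the contention window after each failed attempt, and the TXOP duration. The parameter set is the WMM specification defaults for an AP; Table 178 below shows only some of those cells, so using the full set is an assumption, as are the OFDM PHY slot and SIFS times (802.11a/g and 802.11n).

```python
"""Per-AC EDCA contention parameters and what they do to channel access.

Added example, not HP code. Parameter values are the WMM specification AP
defaults (assumption: they match the device defaults in Table 178). Slot and
SIFS times are those of the OFDM PHY (also an assumption).
"""
from dataclasses import dataclass

SIFS_US = 16          # OFDM PHY
SLOT_US = 9
TXOP_UNIT_US = 32     # TXOP Limit is configured in units of 32 us


@dataclass(frozen=True)
class Edca:
    ac: str
    aifsn: int
    ecwmin: int
    ecwmax: int
    txop_limit: int

    def __post_init__(self):
        # Enforce the guide's constraint before anything is derived from the values.
        if self.aifsn < 1 or self.ecwmin < 0:
            raise ValueError(f"{self.ac}: AIFSN must be >= 1 and ECWmin >= 0")
        if self.ecwmin > self.ecwmax:
            raise ValueError(f"{self.ac}: ECWmin cannot be greater than ECWmax")

    def aifs_us(self):
        """Idle time an AC must observe before backoff starts; grows with AIFSN."""
        return SIFS_US + self.aifsn * SLOT_US

    def cw(self, retries=0):
        """Contention window after `retries` failed attempts: doubles from CWmin, capped at CWmax."""
        return 2 ** min(self.ecwmin + retries, self.ecwmax) - 1

    def mean_backoff_us(self, retries=0):
        """Average backoff: the slot is drawn uniformly from 0..CW."""
        return self.cw(retries) / 2 * SLOT_US

    def txop_us(self):
        """How long the AC may hold the channel after winning; 0 means a single frame."""
        return self.txop_limit * TXOP_UNIT_US


WMM_AP_DEFAULTS = (
    Edca("AC-BK", aifsn=7, ecwmin=4, ecwmax=10, txop_limit=0),
    Edca("AC-BE", aifsn=3, ecwmin=4, ecwmax=6, txop_limit=0),
    Edca("AC-VI", aifsn=1, ecwmin=3, ecwmax=4, txop_limit=94),
    Edca("AC-VO", aifsn=1, ecwmin=2, ecwmax=3, txop_limit=47),
)


def expected_access_delay_us(p, retries=0):
    """AIFS plus the mean backoff: the quantity that orders the ACs in contention."""
    return p.aifs_us() + p.mean_backoff_us(retries)


def contention_order(params=WMM_AP_DEFAULTS, retries=0):
    """ACs from most to least likely to win a contention round."""
    return [p.ac for p in sorted(params, key=lambda p: expected_access_delay_us(p, retries))]
```

With these defaults AC-VO waits about 38.5 us on average before its first attempt and AC-BK about 146.5 us, which is the whole mechanism behind "a high-priority access category preempts a low-priority access category": priority is probabilistic, not a strict queue. The `ValueError` in `__post_init__` is the same check the Web page applies (ECWmin cannot be greater than ECWmax).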

CAC admission policies


CAC requires that a client obtain permission of the AP before it can use a high-priority access category
for transmission, and guarantees bandwidth to the clients that have gained access. CAC controls
real-time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic).


To use a high-priority access category, a client must send a request to the AP. The AP returns a positive
or negative response based on one of the following admission control policies:

Channel utilization-based admission policy: The AP calculates the total time that the existing
high-priority access categories occupy the channel in one second, and then calculates the time that
the requesting traffic will occupy the channel in one second. If the sum of the two values is smaller
than or equal to the maximum hold time of the channel, the client can use the requested access
category. Otherwise, the request is rejected.

Users-based admission policy: If the number of clients using high-priority access categories plus
the number of requesting clients is smaller than or equal to the maximum number of high-priority
access category clients, the request is accepted. Otherwise, the request is rejected. During
calculation, a client is counted once even if it is using both AC-VO and AC-VI.
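The following added example (not code from this guide or from HP) implements both admission policies as a decision function, including the accounting rules stated above: a client is counted once even if it uses both AC-VO and AC-VI, and AC-BE/AC-BK requests are never admission-controlled. The 20-client default comes from Table 176; the "maximum hold time" of the channel-utilization policy is expressed here as a fraction of one second, and the 0.75 value, the medium-time figures and the rejection counters' names are assumptions chosen to mirror the radio statistics fields.

```python
"""CAC admission decisions for AC-VO / AC-VI requests.

Added example, not HP code. Implements the users-based and the channel
utilization-based admission policies described in the guide. The 0.75
maximum hold fraction and the medium-time values used with it are assumptions.
"""
from dataclasses import dataclass, field

HIGH_PRIORITY = frozenset({"AC-VO", "AC-VI"})
US_PER_SECOND = 1_000_000


@dataclass
class CacRadio:
    policy: str                                   # "users" or "channel"
    max_clients: int = 20                         # users-based policy limit (guide default)
    max_utilization: float = 0.75                 # assumed maximum channel hold time, fraction of 1 s
    admitted: dict = field(default_factory=dict)  # (client MAC, AC) -> medium time in us per second
    rejected_resource: int = 0                    # mirrors "Calls rejected due to insufficient resource"
    rejected_mediumtime: int = 0                  # mirrors "Calls rejected due to invalid mediumtime"

    def admitted_clients(self):
        """Distinct clients holding at least one admitted high-priority stream."""
        return {mac for mac, _ac in self.admitted}

    def used_medium_time_us(self):
        """Channel time per second already committed to admitted streams."""
        return sum(self.admitted.values())

    def request(self, mac, ac, medium_time_us):
        """Return (accepted, reason) for a client's request to use access category `ac`."""
        if ac not in HIGH_PRIORITY:
            return True, "no admission control for AC-BE/AC-BK"
        if not 0 < medium_time_us <= US_PER_SECOND:
            self.rejected_mediumtime += 1
            return False, "invalid mediumtime"
        if self.policy == "users":
            # Existing high-priority clients plus the requester, each counted once.
            if len(self.admitted_clients() | {mac}) > self.max_clients:
                self.rejected_resource += 1
                return False, "client limit reached"
        elif self.policy == "channel":
            # Time already held per second plus the requested time must fit the hold limit.
            if self.used_medium_time_us() + medium_time_us > self.max_utilization * US_PER_SECOND:
                self.rejected_resource += 1
                return False, "channel utilization limit reached"
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        self.admitted[(mac, ac)] = medium_time_us
        return True, "admitted"

    def release(self, mac):
        """Client leaves: free all of its admitted streams so others can be admitted."""
        for key in [k for k in self.admitted if k[0] == mac]:
            del self.admitted[key]
```

The users-based policy never looks at how much airtime a stream asks for, so ten admitted clients with large medium-time requests can still starve each other; the channel utilization-based policy is the one to choose when the per-call medium time varies widely.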

U-APSD power-save mechanism


U-APSD improves on the 802.11 APSD power saving mechanism. When a client associates, some access
categories are specified as trigger-enabled, some as delivery-enabled, and the maximum number of data
packets that the AP may deliver after receiving a trigger packet (the maximum service period length) is
agreed. You can modify both the trigger attribute and the delivery attribute when flows are established
using CAC. When a client sleeps, the delivery-enabled AC packets destined for the client are buffered. The
client sends a packet in a trigger-enabled AC to retrieve the buffered packets. After the AP receives the
trigger packet, it sends the packets in the transmit queue, up to the number agreed when the client was
admitted. Access categories without the delivery attribute store and transmit packets as defined in the
802.11 protocol.
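The following added example (not code from this guide or from HP) simulates the U-APSD exchange for one dozing client: delivery-enabled AC frames are buffered, an uplink frame in a trigger-enabled AC opens a service period, and the AP releases at most the agreed Max SP length frames, highest AC first, while non-delivery-enabled ACs stay in ordinary 802.11 power-save buffering. The state letters match the T / D / T | D / L values shown on the client statistics page. Frame names are constructed; treating a Max SP length of 0 as "all buffered frames" follows 802.11e and is an assumption, not something the page states.

```python
"""U-APSD service-period simulation for one client.

Added example, not HP code. Frame names are constructed. Max SP length 0 is
treated as "no limit", an assumption taken from 802.11e.
"""
from collections import deque

AC_ORDER = ("AC-VO", "AC-VI", "AC-BE", "AC-BK")   # delivery order within a service period


class UapsdClient:
    def __init__(self, trigger, delivery, max_sp_len):
        self.trigger = frozenset(trigger)      # ACs whose uplink frames open a service period
        self.delivery = frozenset(delivery)    # ACs whose downlink frames a trigger releases
        self.max_sp_len = max_sp_len           # frames per service period agreed at association
        self.asleep = True
        self.delivery_buf = {ac: deque() for ac in AC_ORDER}
        self.legacy_buf = deque()              # non-delivery ACs: ordinary 802.11 PS buffering

    def state(self, ac):
        """APSD attribute letters for an AC, as shown in the client statistics table."""
        t, d = ac in self.trigger, ac in self.delivery
        return "T | D" if t and d else "T" if t else "D" if d else "L"

    def downlink(self, ac, frame):
        """AP has a frame for the client; returns what it transmits immediately."""
        if not self.asleep:
            return [frame]
        (self.delivery_buf[ac] if ac in self.delivery else self.legacy_buf).append(frame)
        return []

    def uplink(self, ac, frame):
        """Client sends a frame; returns (frames released in the SP, more-data flag)."""
        if ac not in self.trigger:
            return [], False                   # not a trigger: nothing is released
        limit = self.max_sp_len or sum(len(q) for q in self.delivery_buf.values())
        released = []
        for dac in AC_ORDER:                   # AC-VO drains before AC-VI, and so on
            q = self.delivery_buf[dac]
            while q and len(released) < limit:
                released.append(q.popleft())
        more = any(self.delivery_buf[dac] for dac in AC_ORDER)
        return released, more
```

The more-data flag is what tells the client to send another trigger rather than go back to sleep; a client whose trigger-enabled ACs carry no uplink traffic of their own has to generate an explicit trigger frame to get its buffered video or voice frames.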

SVP service
SVP service implements differentiated treatment of SVP packets by mapping each SVP packet (IP protocol
number 119) to an access category, which corresponds to a transmit queue with certain priority.

ACK policy
WMM defines the following ACK policies:

No ACK: When the no acknowledgement (No ACK) policy is used, the recipient does not
acknowledge received packets during wireless packet exchange. This policy can improve
transmission efficiency in an environment where communication quality is good and interference is
weak. However, in an environment where communication quality is poor, it can cause increased
packet loss and deteriorated communication quality.

Normal ACK: When the Normal ACK policy is used, the recipient acknowledges each received
unicast packet.

Enabling wireless QoS


1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed, as shown in Figure 546.

Figure 546 Wireless QoS

2. Select the option in front of the radio unit to be configured.

3. Click Enable.
   By default, wireless QoS is enabled.

NOTE:
The WMM protocol is the foundation of the 802.11n protocol. When the radio operates in 802.11n (5
GHz) or 802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n
clients may fail to communicate.

Setting the SVP service


1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed, as shown in Figure 547.

Figure 547 Mapping SVP service to an access category

2. Click the icon in the Operation column for the desired AP to enter the page for mapping SVP
   service to an access category, as shown in Figure 548.

Figure 548 Mapping SVP service to an access category

3. Configure SVP mapping, as described in Table 175.

4. Click Apply.

Table 175 Configuration items

Item           Description
AP Name        Displays the selected AP.
Radio          Displays the selected AP's radio.
SVP Mapping    Select the option before SVP Mapping, and then select an access category for SVP
               service: AC-VO, AC-VI, AC-BE, or AC-BK.

NOTE:
SVP mapping is applicable only to non-WMM clients.

Setting CAC admission policy


1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed.

2. Click the icon in the Operation column for the desired AP to enter the page for setting the CAC
   admission policy, as shown in Figure 549.

Figure 549 Setting CAC admission policy

3. Configure the CAC admission policy, as described in Table 176.

4. Click Apply.

Table 176 Configuration items

Item                 Description
Client Number        Users-based admission policy: the maximum number of clients allowed to use the
                     high-priority access categories. A client is counted only once, even if it is
                     using both AC-VO and AC-VI.
                     By default, the users-based admission policy applies, with the maximum number of
                     users being 20.
Channel Utilization  Channel utilization-based admission policy: the ratio of the medium time of the
                     accepted AC-VO and AC-VI traffic to the valid time in the unit time. The valid
                     time is the total time during which data is transmitted.

Setting radio EDCA parameters for APs


1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed.

2. Click the icon in the Operation column for the desired AP to enter the page for configuring
   wireless QoS.

3. On the radio EDCA list, click the icon in the Operation column for the desired priority type
   (AC_BK, for example) to enter the page for setting radio EDCA parameters.

Figure 550 Setting radio EDCA parameters

4. Configure the radio EDCA parameters, as described in Table 177.

5. Click Apply.

Table 177 Configuration items

Item           Description
AP Name        Displays the selected AP.
Radio          Displays the selected AP's radio.
Priority type  Displays the priority type.
AIFSN          Arbitration inter-frame spacing number used by the AP.
TXOP Limit     Transmission opportunity limit used by the AP.
ECWmin         Exponent of CWmin used by the AP.
ECWmax         Exponent of CWmax used by the AP.
No ACK         If you select the option before No ACK, the No ACK policy is used by the AP.
               By default, the normal ACK policy is used by the AP.

Table 178 Default radio EDCA parameters

Access category  TXOP Limit  AIFSN  ECWmin  ECWmax
AC-BK                                       10
AC-BE
AC-VI            94
AC-VO            47

NOTE:
ECWmin cannot be greater than ECWmax.
On an AP operating in 802.11b radio mode, HP recommends that you set the TXOP-Limit to 0, 0, 188,
and 102 for AC-BK, AC-BE, AC-VI, and AC-VO.

Setting EDCA parameters for wireless clients


Configuration restrictions and guidelines

ECWmin cannot be greater than ECWmax.

If all clients operate in 802.11b radio mode, set TXOPLimit to 188 and 102 for AC-VI and AC-VO.

If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in
the network, HP recommends the TXOPLimit parameters in Table 180.

Once you enable CAC for an access category, it is enabled automatically for all higher priority
access categories. For example, if you enable CAC for AC-VI, CAC is also enabled for AC-VO.
However, enabling CAC for AC-VO does not enable CAC for AC-VI.

Configuration procedure
1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed.

2. Click the icon in the Operation column for the desired AP to enter the page for configuring
   wireless QoS.

3. On the client EDCA list, click the icon in the Operation column for the desired priority type
   (AC_BK, for example) to enter the page for setting client EDCA parameters.

Figure 551 Setting client EDCA parameters

4. Configure the client EDCA parameters, as described in Table 179.

5. Click Apply.

Table 179 Configuration items

Item           Description
AP Name        Displays the selected AP.
Radio          Displays the selected AP's radio.
Priority type  Displays the priority type.
AIFSN          Arbitration inter-frame spacing number used by clients.
TXOP Limit     Transmission opportunity limit used by clients.
ECWmin         Exponent of CWmin used by clients.
ECWmax         Exponent of CWmax used by clients.
CAC            Enable or disable CAC:
               Enable: Enable CAC.
               Disable: Disable CAC.
               AC-VO and AC-VI support CAC, which is disabled by default. This item is not
               available for AC-BE or AC-BK, because they do not support CAC.

Table 180 Default EDCA parameters for clients

Access category  TXOP Limit  AIFSN  ECWmin  ECWmax
AC-BK                                       10
AC-BE                                       10
AC-VI            94
AC-VO            47

Displaying radio statistics


1. Select QoS > Wireless QoS from the navigation tree.

2. Click the Radio Statistics tab to enter the page displaying radio statistics.

3. Click an AP to see its details.

Figure 552 Displaying the radio statistics

Table 181 Field description

Field                          Description
AP ID                          AP ID.
AP Name                        AP name.
Radio                          Radio ID.
Client EDCA update count       Number of client EDCA parameter updates.
QoS mode                       QoS mode:
                               WMM: The client is a QoS client.
                               None: The client is a non-QoS client.
Radio chip QoS mode            Radio chip's support for the QoS mode.
Radio chip max AIFSN           Maximum AIFSN allowed by the radio chip.
Radio chip max ECWmin          Maximum ECWmin allowed by the radio chip.
Radio chip max TXOPLimit       Maximum TXOPLimit allowed by the radio chip.
Radio chip max ECWmax          Maximum ECWmax allowed by the radio chip.
Client accepted                Number of clients that have been admitted to access the radio,
                               including the number of clients admitted to the AC-VO and AC-VI queues.
Total request mediumtime(us)   Total requested medium time, including that of the AC-VO and AC-VI
                               queues.
Calls rejected due to          Number of requests rejected due to insufficient resources.
insufficient resource
Calls rejected due to invalid  Number of requests rejected due to invalid parameters.
parameters
Calls rejected due to invalid  Number of requests rejected due to invalid medium time.
mediumtime
Calls rejected due to invalid  Number of requests rejected due to invalid delay bound.
delaybound

Displaying client statistics


1. Select QoS > Wireless QoS from the navigation tree.

2. Click the Client Statistics tab to enter the page displaying client statistics.

3. Click a client name to see its details.

Figure 553 Displaying the client statistics

Table 182 Field description

Field                  Description
MAC address            MAC address of the client.
SSID                   Service set ID (SSID).
QoS Mode               QoS mode:
                       WMM: QoS mode is enabled.
                       None: QoS mode is not enabled.
Max SP length          Maximum service period length, that is, the maximum number of packets
                       delivered after a trigger packet.
AC                     Access category.
State                  APSD attribute of an access category:
                       T: The access category is trigger-enabled.
                       D: The access category is delivery-enabled.
                       T | D: The access category is both trigger-enabled and delivery-enabled.
                       L: The access category has legacy attributes.
Assoc State            APSD attributes of the four access categories when the client accessed the AP.
Uplink CAC packets     Number of uplink CAC packets.
Uplink CAC bytes       Number of uplink CAC bytes.
Downlink CAC packets   Number of downlink CAC packets.
Downlink CAC bytes     Number of downlink CAC bytes.
Downgrade packets      Number of downgraded packets.
Downgrade bytes        Number of downgraded bytes.
Discard packets        Number of dropped packets.
Discard bytes          Number of dropped bytes.

Setting rate limiting


The WLAN provides limited bandwidth for each AP. Because the bandwidth is shared by the wireless clients
attached to the AP, aggressive use of bandwidth by one client affects the other clients. To ensure fair use of
bandwidth, rate limit client traffic in either of the following ways:

Dynamic mode: Configure the total bandwidth shared by all clients in the same BSS. The rate limit of a
client is the configured total rate divided by the number of online clients. For example, if the
configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.

Static mode: Configure the maximum bandwidth that can be used by each client in the BSS. For example,
if the configured rate is 1 Mbps, the rate limit of each online client is 1 Mbps. When the configured rate
limit multiplied by the number of access clients exceeds the available bandwidth provided by the AP, the
clients are no longer guaranteed to get the configured rate.

Setting wireless service-based client rate limiting


You can configure the access controller to limit client rates for a wireless service within a BSS.
To set wireless service-based client rate limiting:

1. Select QoS > Wireless QoS from the navigation tree on the left.

2. Click the Client Rate Limit tab.

3. Click Add in the Service-Based Configuration area to enter the page for setting wireless
   service-based client rate limits, as shown in Figure 554.

Figure 554 Setting wireless service-based client rate limiting

4. Configure service-based client rate limiting, as described in Table 183.

5. Click Apply.

Table 183 Configuration items

Item              Description
Wireless Service  Select an existing wireless service.
Direction         Set the traffic direction:
                  Inbound: Traffic from client to AP.
                  Outbound: Traffic from AP to client.
                  Both: Both inbound and outbound traffic.
Mode              Set a rate limiting mode:
                  Static: Limits the rate of each client to a fixed value.
                  Dynamic: Limits the rate of a client to the configured total rate divided by the
                  number of online clients.
Rate              Set the rate of the clients.
                  If you select the static mode, Per-Client Rate is displayed, and the rate is the
                  rate of each client.
                  If you select the dynamic mode, Total Rate is displayed, and the rate is the total
                  rate of all clients.

Setting radio-based client rate limiting


You can configure the access controller to limit client rates for a radio.
To set radio-based client rate limiting:

1. Select QoS > Wireless QoS from the navigation tree on the left.

2. Click the Client Rate Limit tab.

3. Click Add in the Radio-Based Configuration area to enter the page for setting radio-based client
   rate limiting, as shown in Figure 555.

Figure 555 Setting radio-based client rate limiting

4. Configure radio-based client rate limiting, as described in Table 184.

5. Click Apply.

Table 184 Configuration items

Item        Description
Radio List  List of available radios. You can create rate limiting rules for one or multiple radios.
Direction   Traffic direction:
            Inbound: Traffic from clients to the AP.
            Outbound: Traffic from the AP to clients.
            Both: Both inbound traffic (from clients to the AP) and outbound traffic (from the AP to
            clients).
Mode        Rate limiting mode:
            Static: Limits the rate of each client to a fixed value.
            Dynamic: Limits the rate of a client to the configured total rate divided by the number
            of online clients.
Rate        Set the rate of the clients:
            If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of
            each client.
            If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate
            of all clients.

Configuring the bandwidth guarantee function


When traffic is heavy, a BSS without any rate limitation may aggressively occupy the available
bandwidth for other BSSs. If you limit the rate of the BSS, it cannot use the idle bandwidth of other BSSs.


To improve bandwidth use efficiency when ensuring bandwidth use fairness among wireless services, use
the bandwidth guarantee function. Bandwidth guarantee makes sure all traffic from each BSS can pass
through when the network is not congested, and each BSS can get the guaranteed bandwidth when the
network is congested. For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and
50% of the bandwidth. When the network is not congested, SSID1 can use all idle bandwidth in addition
to its guaranteed bandwidth. When the network is congested, SSID1 can use at least its guaranteed
bandwidth, 25% of the bandwidth.
NOTE:
Bandwidth guarantees apply only to the traffic from AP to client.

Setting the reference radio bandwidth


1. Select QoS > Wireless QoS from the navigation tree.

2. Click the Bandwidth Guarantee tab to enter the page, as shown in Figure 556.

Figure 556 Setting the reference radio bandwidth

3. Set the reference radio bandwidth, as described in Table 185.

4. Click Apply.

Table 185 Configuration items

Item          Description
802.11a Mode  Set the reference radio bandwidth for each radio mode.
802.11b Mode  IMPORTANT:
802.11g Mode  Set the reference radio bandwidth slightly lower than the maximum available bandwidth.
802.11n Mode

NOTE:
After you set the reference radio bandwidth values, the new settings do not take effect on radios that
already have bandwidth guarantee enabled. To make the new settings take effect, you must disable and
then enable those radios.

Setting guaranteed bandwidth percents


1. Select QoS > Wireless QoS from the navigation tree.

2. Select a radio from the bandwidth guarantee setup list, and click the icon for the radio in the
   Operation column to enter the page for setting guaranteed bandwidth, as shown in Figure 557.

Figure 557 Setting guaranteed bandwidth

3. Set the guaranteed bandwidth, as described in Table 186.

4. Click Apply.

Table 186 Configuration items

Item                   Description
Guaranteed Bandwidth   Allocate a percentage of the total radio bandwidth to each wireless service as
Percent (%)            the guaranteed bandwidth. The total guaranteed bandwidth cannot exceed 100% of
                       the radio bandwidth.

Enabling bandwidth guaranteeing


After the configurations above, the bandwidth guarantee tab appears.
To validate the bandwidth guarantee settings for a radio unit, enable its bandwidth guarantee function.
To enable the bandwidth guarantee function:

1. Select QoS > Wireless QoS from the navigation tree on the left.

2. Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantee.

3. Select the AP and the corresponding radio mode for which you want to enable bandwidth
   guarantee on the list under the Bandwidth Guarantee title bar.

4. Click Enable.

Figure 558 Enabling the bandwidth guarantee function

Displaying guaranteed bandwidth settings


1. Select QoS > Wireless QoS from the navigation tree on the left.

2. Click Bandwidth Guarantee.

3. Click the specified radio unit of the AP on the list under the Bandwidth Guarantee title bar to view
   the wireless services bound to the radio unit and the guaranteed bandwidth setting for each
   wireless service.

Figure 559 Displaying guaranteed bandwidth settings

CAC service configuration example


Network requirements
As shown in Figure 560, a WMM-enabled AP accesses the Ethernet.
Enable CAC for AC-VO and AC-VI on the AP. To guarantee high-priority clients (AC-VO and AC-VI clients)
sufficient bandwidth, use the user number-based admission policy to limit the number of admitted
high-priority users to 10.

Figure 560 Network diagram

Configuring the wireless service

1. Configure the AP, and establish a connection between the AC and the AP.
   For related configurations, see "Configuring access services." Follow the steps in the related
   configuration example to establish a connection between the AC and the AP.

Configuring CAC

1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed.

2. Make sure WMM is enabled.

Figure 561 Wireless QoS configuration page

3. As shown in Figure 561, select the AP to be configured on the list, and click the icon for the AP
   in the Operation column to enter the page for configuring wireless QoS.

4. On the Client EDCA list, select the priority type (AC_VO, for example) to be modified, and click the
   icon for the priority type in the Operation column to enter the page for setting client EDCA
   parameters.

5. Select Enable from the CAC list.

6. Click Apply.

Figure 562 Enabling CAC

7. Enable CAC for AC_VI in the same way. (Details not shown.)

8. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed.

9. Click the icon in the Operation column for the desired AP to enter the page for configuring
   wireless QoS.

10. Select the Client Number option, and then enter 10.

11. Click Apply.

Figure 563 Setting CAC client number

Verifying the configuration

If the number of existing clients in the high-priority access categories plus the number of clients
requesting high-priority access categories is smaller than or equal to the configured maximum number of
users allowed in the high-priority access categories (10 in this example), the request is allowed.
Otherwise, the request is rejected.

Wireless service-based static rate limiting configuration example

Network requirements
As shown in Figure 564, two wireless clients access the WLAN through an SSID named service1.
Limit the maximum bandwidth per wireless client to 128 kbps for traffic from the wireless clients to the AP.

Figure 564 Network diagram

Configuring the wireless service

For the configuration procedure, see "Configuring access services."

Configuring static rate limiting

1. Select QoS > Wireless QoS from the navigation tree.

2. Click Client Rate Limit.

3. Click Add in the Service-Based Configuration area to enter the page for configuring wireless
   service-based rate limit settings for clients, as shown in Figure 565.

4. Configure static rate limiting:
   a. Select service1 from the Wireless Service list.
   b. Select Inbound from the Direction list.
   c. Select Static from the Mode list.
   d. Enter 128 in the Per-Client Rate field.

5. Click Apply.

Figure 565 Configuring static rate limiting

Verifying the configuration

1. Client1 and Client2 access the WLAN through the SSID named service1.

2. Check that traffic from Client1 is rate limited to around 128 kbps, and so is traffic from Client2.

Wireless service-based dynamic rate limiting configuration example

Network requirements
As shown in Figure 566, wireless clients access the WLAN through an SSID named service2.
Configure all wireless clients to share 8000 kbps of bandwidth in each direction.

Figure 566 Network diagram

Configuring the wireless service

For the configuration procedure, see "Configuring access services."

Configuring dynamic rate limiting

1. Select QoS > Wireless QoS from the navigation tree.

2. Click Client Rate Limit.

3. Click Add in the Service-Based Configuration area to enter the page for configuring wireless
   service-based rate limit settings for clients, as shown in Figure 567.

4. Configure dynamic rate limiting:
   a. Select service2 from the Wireless Service list.
   b. Select Both from the Direction list.
   c. Select Dynamic from the Mode list.
   d. Enter 8000 in the Total Rate field.

5. Click Apply.

Figure 567 Configuring dynamic rate limiting

Verifying the configuration

Check that:

1. When only Client1 accesses the WLAN through SSID service2, its traffic can pass through at a rate
   as high as 8000 kbps.

2. When both Client1 and Client2 access the WLAN through SSID service2, their traffic flows can
   each pass through at a rate as high as 4000 kbps.

Bandwidth guarantee configuration example

Network requirements
As shown in Figure 568, three wireless clients use wireless services research, office, and entertain to
access the wireless network.
To make sure the enterprise network works properly, guarantee the office service 20% of the bandwidth,
the research service 80%, and the entertain service none.

Figure 568 Network diagram

Configuring the wireless services

For the configuration procedure, see "Configuring access services." Follow the related configuration
example to configure the wireless services.

Configuring bandwidth guaranteeing

1. Select QoS > Wireless QoS from the navigation tree.

2. Click Bandwidth Guarantee to enter the page for configuring bandwidth guarantee, as shown
   in Figure 569.

3. Use the default reference radio bandwidth for 802.11a.

4. Click Apply.

Figure 569 Setting the reference radio bandwidth

5. Click the icon in the Operation column for 802.11n (5 GHz) to enter the page for setting
   guaranteed bandwidth, as shown in Figure 570.

6. Set the guaranteed bandwidth:
   a. Set the guaranteed bandwidth percent to 80 for wireless service research.
   b. Set the guaranteed bandwidth percent to 20 for wireless service office.
   c. Set the guaranteed bandwidth percent to 0 for wireless service entertain.

7. Click Apply.
   After you apply the guaranteed bandwidth settings, the page for enabling bandwidth guarantee
   appears, as shown in Figure 571.

Figure 570 Setting guaranteed bandwidth

8. Select the option specific to 802.11n (5 GHz).

9. Click Enable.

Figure 571 Enabling bandwidth guarantee

Verifying the configuration

Send traffic from the AP to the three wireless clients at a total rate lower than 30000 kbps. The rate of
traffic from the AP to the three wireless clients is not limited.

Send traffic at a rate higher than 6000 kbps from the AP to Client 1 and at a rate higher than
24000 kbps from the AP to Client 2. The total rate of traffic from the AP to the two wireless
clients exceeds 30000 kbps. Because you have enabled bandwidth guarantee for wireless services
research and office, the AP forwards traffic to Client 1 and Client 2 at 6000 kbps and 24000 kbps,
respectively, and limits the traffic to Client 3.

NOTE:
Guaranteed bandwidth in kbps = reference radio bandwidth x guaranteed bandwidth percent.
Set the reference radio bandwidth slightly lower than the available maximum bandwidth.
The guaranteed bandwidth configuration applies only to the traffic from the AP to clients.
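The following added example (not code from this guide or from HP) works the verification above through as an allocator: guaranteed kbps is reference radio bandwidth x guaranteed percent, every BSS is left alone while the offered downlink load fits within the reference bandwidth, and under congestion each BSS is granted at least its guarantee. The page does not say how the AP shares bandwidth left over once the guarantees are met, so sharing it in proportion to the unmet demand is an assumption made here. The client-to-service mapping (Client 1 on office, Client 2 on research, Client 3 on entertain) is inferred from the 6000/24000 kbps figures.

```python
"""Bandwidth guarantee arithmetic for the configuration example.

Added example, not HP code. Proportional sharing of leftover bandwidth is an
assumption; the page only states the guarantee and the uncongested behaviour.
"""

REFERENCE_KBPS = 30000                                   # reference radio bandwidth in the example
PERCENTS = {"research": 80, "office": 20, "entertain": 0}


def guarantees_kbps(reference_kbps, percents):
    """Guaranteed bandwidth per wireless service; the percents may not total more than 100."""
    if any(p < 0 for p in percents.values()) or sum(percents.values()) > 100:
        raise ValueError("guaranteed percents must be >= 0 and total at most 100%")
    return {ssid: reference_kbps * pct // 100 for ssid, pct in percents.items()}


def allocate(reference_kbps, percents, demand_kbps):
    """Downlink kbps granted to each wireless service for the given offered load."""
    if sum(demand_kbps.values()) <= reference_kbps:
        return dict(demand_kbps)                          # not congested: nothing is limited
    guarantee = guarantees_kbps(reference_kbps, percents)
    # Congested: first honour every guarantee (capped at what the BSS actually offers).
    grant = {s: min(d, guarantee.get(s, 0)) for s, d in demand_kbps.items()}
    spare = reference_kbps - sum(grant.values())
    # Then hand out whatever is left in proportion to the remaining unmet demand (assumption).
    while spare > 0:
        unmet = {s: demand_kbps[s] - grant[s] for s in grant if demand_kbps[s] > grant[s]}
        if not unmet:
            break
        total_unmet = sum(unmet.values())
        share = {s: min(need, spare * need // total_unmet) for s, need in unmet.items()}
        if not any(share.values()):                       # integer rounding left only crumbs
            neediest = max(unmet, key=unmet.get)
            share = {neediest: min(unmet[neediest], spare)}
        for s, v in share.items():
            grant[s] += v
        spare -= sum(share.values())
    return grant
```

With the page's figures, offered loads of 7000/25000/5000 kbps for office/research/entertain are congested and collapse to exactly 6000/24000/0, which is what the verification describes; the entertain service, guaranteed 0%, only gets bandwidth when research or office leave some unused.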


Configuring advanced settings


Advanced settings overview
Country/Region code
Radio frequencies for countries and regions vary based on country regulations. A country/region code
determines characteristics such as frequency range, channel, and transmit power level. Configure the
valid country/region code for a WLAN device to meet the specific country regulations.

1+1 AC backup
Support for the 1+1 backup feature might vary depending on your device model. For more information,
see "About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified
Wired-WLAN Module Web-Based Configuration Guide."

Dual-link backup

Dual links:
Dual links allow for AC backup. An AP establishes links with two different ACs. The active AC
provides services for the APs in the network, and the standby AC provides backup service for the
active AC. If the active AC fails, the standby AC takes over to provide services for the APs.

Figure 572 Dual link topology

AC 1 is operating in active mode and providing services to AP 1, AP 2, AP 3, and AP 4. AC 2 is
operating in standby mode, and the APs are connected to AC 2 through backup links. When AC 1 goes
down, AC 2 switches to active mode and stays active even after AC 1 comes back up, in which case
AC 1 operates in standby mode. This is not so if an AC is configured as the primary AC. For more
information about the primary AC, see "Primary AC recovery."

Using fast link fault detection, you can configure 1+1 fast backup (see "1+1 fast backup") to
provide uninterrupted services.

Primary AC recovery:
The primary AC mechanism makes sure the APs choose the primary AC in preference as their active AC.
When the primary AC goes down, the APs switch to the standby AC. As soon as the primary AC recovers,
the APs automatically connect to the primary AC again.

Figure 573 Primary AC recovery

AC 1 is the primary AC with the connection priority of 7, and it establishes a connection with the
AP. AC 2 acts as the secondary AC. If AC 1 goes down, AC 2 takes over to provide services to
AP until AC 1 recovers. Once the primary AC is reachable again, the AP automatically establishes
a connection with the primary AC. For more information about priority configuration, see
"Configuring AP connection priority."

1+1 fast backup


Fast link fault detection allows two ACs in 1+1 backup to detect the failure of each other. To achieve this,
a heartbeat detection mechanism is used. When the active AC goes down, the standby AC can quickly
detect the faults and become the new active AC.
NOTE:
Support for the 1+1 fast backup feature might vary depending on your device model. For more
information, see "About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G
Unified Wired-WLAN Module Web-Based Configuration Guide."

1+N AC backup
1+N AC backup allows an AC to operate as a backup for multiple ACs. The active ACs independently
provide services for APs that connect to them, and only one standby AC provides backup service for the
active ACs. If an active AC goes down, the APs connecting to it can detect the failure quickly and make
connections to the standby AC. As soon as the active AC recovers, the APs automatically connect to the
original active AC again. This makes sure the standby AC operates as a dedicated backup for the active
ACs. 1+N AC backup delivers high reliability and saves network construction cost.


Continuous transmitting mode


The continuous transmitting mode is used for testing only. Do not use the function unless necessary.

Channel busy test


The channel busy test is a tool to test how busy a channel is. It tests channels supported by the
country/region code individually, and provides a busy rate for each channel. This avoids the situation in
which some channels are heavily loaded and some are idle.
During a channel busy test, APs do not provide any WLAN services. All the connected clients are
disconnected, and WLAN packets are discarded.

WLAN load balancing


WLAN load balancing dynamically adjusts loads among APs to ensure adequate bandwidth for clients.
It is mainly used in high-density WLAN networks.

Requirement of WLAN load-balancing implementation


As shown in Figure 574, Client 6 wants to associate with AP 3. AP 3 has reached its maximum load, so
it rejects the association request. Then, Client 6 tries to associate with AP 1 or AP 2, but it cannot receive
signals from these two APs, so it has to resend an association request to AP 3.
To implement load-balancing, the APs must be managed by the same AC, and the clients can find the
APs.
Figure 574 Requirement of WLAN load-balancing implementation

Load-balancing modes
The AC supports two load balancing modes: session mode and traffic mode.

Session mode load-balancing:


Session-mode load balancing is based on the number of clients associated with the AP/radio.


As shown in Figure 575, Client 1 is associated with AP 1, and Client 2 through Client 6 are
associated with AP 2. The AC has session-mode load balancing configured: the maximum number
of sessions is 5, and the maximum session gap is 4. Then, Client 7 sends an association request
to AP 2. The maximum session threshold and session gap have been reached on AP 2, so AP 2
rejects the request. Finally, Client 7 associates with AP 1.
Figure 575 Network diagram for session-mode load balancing

Traffic mode load-balancing:

Traffic-mode load balancing is based on a snapshot of the traffic load on the AP or radio.
As shown in Figure 576, Client 1 and Client 2, which run 802.11g, are associated with AP 1. The AC
has traffic-mode load balancing configured: the maximum traffic threshold is 10%, and the
maximum traffic gap is 20%. Then, Client 3 wants to access the WLAN through AP 1. The
maximum traffic threshold and traffic gap (between AP 1 and AP 2) have been reached on AP 1,
so AP 1 rejects the request. Finally, Client 3 associates with AP 2.

Figure 576 Network diagram for traffic-mode load balancing

551

Load-balancing methods
The AC supports AP-based load balancing and group-based load balancing.
1. AP-based load balancing
AP-based load balancing can be implemented either among APs or among the radios of an AP.
• AP-based load balancing: APs can carry out either session-mode or traffic-mode load
balancing. An AP starts load balancing when the maximum threshold and gap are reached,
and it does not accept any association requests unless the load decreases below the maximum
threshold or the gap is less than the maximum gap. However, if a client has been denied more
than the specified maximum times, the AP considers that the client is unable to associate with
any other AP, and it accepts the association request from the client.
• Radio-based load balancing: The radios of a balanced AP can carry out either session-mode
or traffic-mode load balancing. A radio starts load balancing when the maximum threshold and
gap are reached, and it rejects any association requests unless the load decreases below the
maximum threshold or the gap is less than the maximum gap. However, if a client has been
denied more than the specified maximum times, the AP considers that the client is unable to
associate with any other AP, and it accepts the association request from the client.
2. Group-based load balancing
To balance loads among the radios of different APs, you can add them to the same load balancing
group.
The radios in a load balancing group can carry out either session-mode or traffic-mode load
balancing. The radios that are not added to any load balancing group do not carry out load
balancing. A radio in a load balancing group starts load balancing when the maximum threshold
and gap are reached on it, and it does not accept any association requests unless the load
decreases below the maximum threshold or the gap is less than the maximum gap. However, if a
client has been denied more than the specified maximum times, the AP considers that the client is
unable to associate with any other AP, and it accepts the association request from the client.

AP version setting
A fit AP is a zero-configuration device. It can automatically discover an AC after it is powered on. To
make sure a fit AP can associate with an AC, their software versions must be consistent by default, which
complicates maintenance. This task allows you to designate the software version of an AP on the AC, so
that they can associate with each other even if their software versions are inconsistent.

Switching to fat AP
You can switch the working mode of an AP between the fit mode and the fat mode.

Wireless location
Wireless location is a technology to locate, track and monitor specified devices by using WiFi-based
Radio Frequency Identification (RFID) and sensors. With this function enabled, APs send Tag or MU
messages to an AeroScout Engine (referred to as AE hereinafter), which performs location calculation
and then sends the data to the graphics software. You can get the location information of the assets by
maps, forms, or reports. Meanwhile, the graphics software provides the search, alert and query functions
to facilitate your operations.

Wireless location can be applied to medical monitoring, asset management, and logistics, helping users
effectively manage and monitor assets.

Architecture of the wireless location system


A wireless location system is composed of three parts: devices or sources to be located, location
information receivers, and location systems.
• Devices or sources to be located include AeroScout Tags (small, portable RFIDs, which are usually
placed on or glued to the assets to be located) and Mobile Units (MUs, which are wireless terminals
or devices running 802.11). Tags and MUs send wireless messages periodically.
• Location information receivers include 802.11 APs.
• Location systems include the location server, AE calculation software, and different types of
graphics software.

Wireless locating process


A wireless location system can locate wireless clients, APs, rogue APs, rogue clients, Tags and other
devices supporting WLAN protocols. All wireless devices except Tags are identified as MUs by the
wireless location system.
1. Send Tag and MU messages:
A Tag message is a message sent by an RFID. A Tag message contains the channel number so that
an AP can filter Tag messages whose channel numbers are not consistent with the AP's operating
channel. To make sure more Tags can be detected by the AP, a Tag sends messages on different
channels. A Tag periodically sends messages on one or multiple pre-configured channels, and
then periodically sends location messages on channels 1, 6, and 11, in turn.
MU messages are sent by standard wireless devices. An MU message does not contain the
channel number, so an AP cannot filter MU messages whose channel numbers are not consistent
with the AP's operating channel, nor illegal packets. The filtering is done by the location server,
according to a certain algorithm and certain rules.
2. Collect Tag and MU messages:
The working mode of an AP determines how it collects Tag and MU messages.
• When the AP operates in monitor mode or hybrid mode, it can locate wireless clients or other
wireless devices that are not associated with it.
• When the AP operates in normal mode, it can only locate wireless clients associated with it. The
wireless location system considers wireless clients associated with the AP as wireless clients, and
it considers wireless clients or other wireless devices not associated with the AP as unknown
devices.
NOTE:
For more information about monitor mode and hybrid mode, see "Configuring WLAN security."
An AP operates in normal mode when it functions as a WLAN access point. For more information, see
"Configuring access services."
After the AP mode is set, the AP begins to collect Tag and MU messages.
• Upon receiving Tag messages (suppose that Tags mode has been configured on the AC, and the
location server has notified the AP to report Tag messages), the AP checks the Tag messages,
encapsulates those passing the check, and reports them to the location server. The AP encapsulates
Tag messages by copying all the information (including the message header and payload) except
the multicast address, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio
mode of the radio on which the relevant Tag messages were received.
• Upon receiving MU messages (suppose that MUs mode has been configured on the AC, and the
location server has notified the AP to report MU messages), the AP checks the messages,
encapsulates those that pass the check, and reports the messages to the location server. The AP
encapsulates an MU message by copying its source address, Frame Control field, and Sequence
Control field, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio mode of
the radio on which the relevant messages were received.
3. Calculate the locations of Tags or MUs:
After receiving Tag and MU messages from APs, the location server uses an algorithm to calculate
the locations of the Tag and MU devices according to the RSSI, SNR, radio mode, and data rate
carried in the messages, and displays the locations on the imported map. Typically, a location
server can calculate the locations if more than 3 APs operating in monitor or hybrid mode report
Tag or MU messages.

Wireless sniffer
IMPORTANT:
Wireless sniffing is a limited capability intended only for support and as an additional troubleshooting
aid.
In a wireless network, it is difficult to locate signal interference or packet collisions from the debugging
information or terminal display information of WLAN devices. To facilitate troubleshooting, configure
an AP as a packet sniffer to listen to, capture, and record wireless packets. The sniffed packets are
recorded in a .dmp file for troubleshooting.
As shown in Figure 577, enable wireless sniffer on the Capture AP. The Capture AP is able to listen to the
wireless packets in the network, including the packets from other APs, rogue APs, and clients.
Administrators can download the .dmp file to the PC for further analysis.
Figure 577 Network diagram (Client, AP 1, AP 2, Rogue AP, Capture AP, Switch, AC, PDA, PC)

Band navigation
The 2.4 GHz band is often congested. Band navigation enables APs to accept dual-band (2.4 GHz and
5 GHz) clients on their 5 GHz radio, increasing overall network performance.
When band navigation is enabled, the AP directs clients to its 2.4 GHz or 5 GHz radio by following
these principles:

• For a 2.4 GHz client, the AP associates with the client after rejecting it several times.
• For a dual-band client, the AP directs the client to its 5 GHz radio.
• For a 5 GHz client, the AP associates with the client on its 5 GHz radio.
The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is
lower than the specified value, the AP does not direct the client to the 5 GHz band.
If the number of clients on the 5 GHz radio reaches the upper limit, and the gap between the number of
clients on the 5 GHz radio and that on the 2.4 GHz radio reaches the upper limit, the AP denies client
association requests on the 5 GHz radio and allows new clients to associate with the 2.4 GHz radio. If a
client has been denied more than the maximum number of times on the 5 GHz radio, the AP considers
that the client is unable to associate with any other AP, and it allows the 5 GHz radio to accept the client.

Configuring multicast optimization


WLAN selects the lowest transmit rate for multicast packets and provides no multicast retransmission
mechanism. Therefore, WLAN cannot meet the requirements of some multicast applications that are not
delay-sensitive but are data-integrity sensitive, such as HD VoD. The multicast optimization feature can
solve these problems by enabling APs to convert multicast packets to unicast packets, so WLAN can
provide retransmission service and higher transmit rates for the converted unicast packets.
Unless otherwise specified, the unicast packets in this chapter refer to the wireless unicast packets that
have the priority of video.
Figure 578 Multicast data transmission when multicast optimization is enabled (legend: Multicast stream,
Unicast stream; nodes: Source, AC, Switch, AP, Client 1, Client 2, Client 3)

With multicast optimization enabled, the AP listens to the IGMP reports and leave messages sent by
clients. When the AP receives an IGMP report, it adds or updates a multicast optimization entry and
updates the multicast source addresses allowed by the client (for IGMPv3 and MLDv2 packets). When
the AP receives an IGMP leave message or when a multicast optimization entry ages out, the AP removes
the entry. When the AP is disconnected from the AC, or when multicast optimization is disabled, all
multicast optimization entries are removed.
After creating multicast entries, the AP listens to non-IGMP and non-MLD multicast packets sent from the
multicast source to clients, and matches the multicast address of the packets to the multicast optimization
entries. If a match is found, the AP converts the multicast packets to unicast packets and sends the unicast
packets to all the clients in the multicast entries. If no match is found, the AP directly sends the multicast
packets.
To avoid performance degradation, you can configure the maximum number of clients that multicast
optimization can support. When the maximum number is reached, the AC takes either of the following
actions, depending on which one is configured:
• Halt: A new client can join a multicast group and receive multicast packets, and a multicast
optimization entry can be created for the client. However, the multicast optimization function for all
clients in the multicast group becomes invalid. When the number of clients drops below the upper
limit, the multicast optimization function takes effect again.
• Reject-client: A new client can join a multicast group, but no new multicast optimization entries can
be created. If multicast optimization entries have been created for other clients in the multicast group,
the client cannot receive multicast packets. Otherwise, the client can receive multicast packets.
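
The entry handling just described, as an added Python model that is not code from this guide or from the HP firmware; it also covers the Aging Time parameter configured later in this chapter. The class and function names, the Max Clients value, the aging time and the client and group addresses are constructed assumptions, and the limit is applied when a client without an entry would push the count past it.

```python
"""Model of an AP's multicast optimization table (added example, not HP code).
Clients are MAC-like strings, groups are multicast addresses, times are seconds.
Where the guide leaves the exact boundary open, the Max Clients limit is applied
when a client without an entry would push the count past the limit."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Member:
    last_report: float                              # time of the client's latest IGMP report
    sources: Set[str] = field(default_factory=set)  # allowed sources (IGMPv3/MLDv2); empty = any

@dataclass
class MulticastOptimizer:
    aging_time: float = 260.0        # Aging Time (Table 203); assumed value in seconds
    max_clients: int = 64            # assumed upper limit of clients supported
    overflow_action: str = "halt"    # "halt" or "reject-client"
    entries: Dict[str, Dict[str, Member]] = field(default_factory=dict)  # group -> client -> Member

    def client_count(self) -> int:
        return len({mac for members in self.entries.values() for mac in members})

    def halted(self) -> bool:
        """Halt mode: optimization is suspended while the limit is exceeded."""
        return self.overflow_action == "halt" and self.client_count() > self.max_clients

    def igmp_report(self, client: str, group: str, now: float,
                    sources: Tuple[str, ...] = ()) -> bool:
        """Add or refresh the entry for an IGMP report; True if the client now has an entry."""
        known = any(client in members for members in self.entries.values())
        if (not known and self.overflow_action == "reject-client"
                and self.client_count() >= self.max_clients):
            return False                 # joins the group, but gets no optimization entry
        member = self.entries.setdefault(group, {}).setdefault(client, Member(now))
        member.last_report = now
        member.sources.update(sources)   # IGMPv3/MLDv2 source list
        return True

    def igmp_leave(self, client: str, group: str) -> None:
        members = self.entries.get(group, {})
        members.pop(client, None)
        if group in self.entries and not members:
            del self.entries[group]

    def age_out(self, now: float) -> None:
        """Remove clients whose last report is older than the aging time."""
        for group in list(self.entries):
            members = self.entries[group]
            for mac in [m for m, mem in members.items() if now - mem.last_report >= self.aging_time]:
                del members[mac]
            if not members:
                del self.entries[group]

    def clear(self) -> None:
        """AP disconnected from the AC, or the feature disabled: drop every entry."""
        self.entries.clear()

    def forward(self, group: str, source: str, now: float) -> List[Tuple[str, str]]:
        """Decide how a non-IGMP/MLD multicast data packet leaves the radio:
        [("unicast", client), ...] when an entry matches, else [("multicast", group)]."""
        self.age_out(now)
        members = self.entries.get(group)
        if members is None or self.halted():
            return [("multicast", group)]
        return [("unicast", mac) for mac, mem in members.items()
                if not mem.sources or source in mem.sources]

def walkthrough(action: str) -> dict:
    """Constructed sequence: Max Clients = 2, three clients join 239.1.1.1."""
    ap = MulticastOptimizer(aging_time=260, max_clients=2, overflow_action=action)
    out: dict = {}
    ap.igmp_report("c1", "239.1.1.1", now=0)
    ap.igmp_report("c2", "239.1.1.1", now=5, sources=("10.0.0.9",))
    out["two_clients"] = ap.forward("239.1.1.1", "10.0.0.9", now=10)
    out["other_source"] = ap.forward("239.1.1.1", "10.0.0.7", now=11)   # c2 excludes this source
    out["third_entry"] = ap.igmp_report("c3", "239.1.1.1", now=20)      # limit reached here
    out["at_limit"] = ap.forward("239.1.1.1", "10.0.0.9", now=25)
    ap.igmp_leave("c3", "239.1.1.1")
    out["after_leave"] = ap.forward("239.1.1.1", "10.0.0.9", now=30)
    ap.igmp_report("c1", "239.1.1.1", now=200)                          # c1 refreshes, c2 does not
    out["after_aging"] = ap.forward("239.1.1.1", "10.0.0.9", now=300)
    out["no_entry"] = ap.forward("239.2.2.2", "10.0.0.9", now=300)
    return out
```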

Configuring WLAN advanced settings


Setting a country/region code
1. Select Advanced > Country/Region Code from the navigation tree to enter the page for setting a
country/region code.
Figure 579 Setting a country/region code
2. Configure a country/region code as described in Table 187.
3. Click Apply.
Table 187 Configuration items
Country/Region Code: Select a country/region code. Configure the valid country/region code for a
WLAN device to meet the country regulations. If the list is grayed out, the setting is preconfigured to
meet the requirements of the target market and is locked. It cannot be changed.

If you do not specify a country/region code for an AP, the AP uses the global country/region code
configured on this page. For information about how to specify the country/region code for an AP, see
"Quick start." If an AP is configured with a country/region code, the AP uses its own country code.
Some ACs and APs have fixed country/region codes. The codes to be used are determined as follows:
• An AC's fixed country/region code cannot be changed, and all managed APs whose
country/region codes are not fixed must use the AC's fixed country/region code.
• An AP's fixed country/region code cannot be changed, and the AP can only use that
country/region code.
• If an AC and a managed AP use different fixed country/region codes, the AP uses its own fixed
country/region code.

Configuring 1+1 AC backup


Configuring AP connection priority
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the configuration page.
3. Expand the Advanced Setup area.
Figure 580 Configuring connection priority
4. Configure an AP connection priority as described in Table 188.
5. Click Apply.
Table 188 Configuration items
AP Connection Priority: Set the priority for the AP connection to the AC.

Configuring 1+1 AC backup
1. Select Advanced > AC Backup from the navigation tree.
Figure 581 Configuring AC backup
2. Configure an IP address and switch delay time for the backup AC as described in Table 189.
3. Click Apply.
Table 189 Configuration items
IPv4 address: Enter the IPv4 address of the backup AC.
IPv6 address: Enter the IPv6 address of the backup AC.
Switch Delay: Delay time for the AP to switch from the primary AC to the backup AC.
If the backup AC is configured on the page you enter by selecting AP > AP Setup, the configuration
on this page is used first. For more information, see "Configuring APs."
The access mode configuration on the two ACs should be the same.
Specify the IP address of one AC on the other AC in an AC backup.

Configuring 1+1 fast backup


1. Select Advanced > AC Backup from the navigation tree to enter the page shown in Figure 581.
2. Configure fast backup as described in Table 190.
3. Click Apply.
Table 190 Configuration items
Fast Backup Mode:
  • disable: Disable fast backup.
  • enable: Enable fast backup.
  By default, fast backup is disabled.
Hello Interval: Heartbeat interval for an AC connection. If no heartbeat is received for three
consecutive intervals, the device considers the peer down. The value range varies with devices. For
more information, see "About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500
20G Unified Wired-WLAN Module Web-Based Configuration Guide."
VLAN ID: ID of the VLAN to which the port where the backup is performed belongs.
Backup Domain ID: ID of the domain to which the AC belongs.

Displaying status information of 1+1 fast backup


1. Select Advanced > AC Backup from the navigation tree.
2. Click the Status tab to enter the page shown in Figure 582.
Figure 582 Status information
Table 191 Field description
AP Name: Select to display the AP connecting to the AC.
Status: Current status of the current AC.
Vlan ID: ID of the VLAN to which the port belongs.
Domain ID: Domain to which the AC belongs.
Link State: Link status of the AC connection:
  • Close: No connection is established.
  • Init: The connection is being set up.
  • Connect: The connection has been established.
Peer Board MAC: MAC address of the peer AC.
Peer Board State: Status of the peer AC:
  • Normal: The peer AC is normal.
  • Abnormal: The peer AC is malfunctioning.
  • Unknown: No connection is present.
Hello Interval: Heartbeat interval for an AC connection.

Configuring 1+N AC backup


Configuring AP connection priority
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the configuration page.
3. Expand Advanced Setup.
Figure 583 Configuring connection priority
4. Configure a connection priority as described in Table 192.
5. Click Apply.
Table 192 Configuration items
AP Connection Priority: Set the priority for the AP connection to the AC.

Configuring 1+N AC backup


1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the configuration page.
3. Expand Advanced Setup.
Figure 584 Configuring 1+N AC backup
4. Configure 1+N backup as described in Table 193.
5. Click Apply.
Table 193 Configuration items
Backup AC IPv4 Address: Set the IPv4 address of the backup AC.
Backup AC IPv6 Address: Set the IPv6 address of the backup AC.
If the global backup AC is also configured on the page you enter by selecting Advanced > AC Backup,
the configuration on this page is used first.

Configuring continuous transmitting mode


1. Select Advanced > Continuous Transmit from the navigation tree to enter the continuous
transmitting mode configuration page.
Figure 585 Configuring continuous transmitting mode
2. Click the icon corresponding to the target radio to enter the page for configuring the transmission
rate. The transmission rate varies with the radio mode.
• When the radio mode is 802.11a/b/g, the page shown in Figure 586 appears. Select a
transmission rate from the list.
Figure 586 Selecting a transmission rate (802.11b/g)
• When the radio mode is 802.11n, the page shown in Figure 587 appears. Select an MCS index
value to specify the 802.11n transmission rate. For more information about MCS, see
"Configuring radios."
Figure 587 Selecting an MCS index (802.11n)
3. Click Apply.
To stop the continuous transmitting mode, click the icon of the target radio. After continuous
transmit is stopped, the transmission rate value on the page shown in Figure 586 is displayed as 0.
NOTE:
When continuous transmit is enabled, do not perform any operations other than transmission rate
configuration.

563

Configuring a channel busy test


1. Select Advanced > Channel Busy Test from the navigation tree to enter the channel busy test
configuration page.
Figure 588 Configuring a channel busy test
2. Click the icon corresponding to a target AP to enter the channel busy testing page.
Figure 589 Testing busy rate of channels
3. Configure the channel busy test as described in Table 194.
4. Click Start to start the test.
Table 194 Configuration items
AP Name: Display the AP name.
Radio Unit: Display the radio unit of the AP.
Radio Mode: Display the radio mode of the AP.
Test time per channel: Set the time period in seconds within which a channel is tested. It defaults to
3 seconds.

NOTE:
During a channel busy test, the AP does not provide any WLAN services. All the connected clients are
disconnected.
Before the channel busy test completes, do not start another test for the same channel.

Configuring load balancing


Band navigation and load balancing can be used simultaneously.

Configuration prerequisites
Before you configure load balancing, make sure of the following:
• The target APs are associated with the same AC.
• The clients can find the APs.
• The fast association function is disabled. By default, the fast association function is disabled. For
more information about fast association, see "Configuring access services."

Recommended configuration procedure
1. Configuring a load balancing mode: Required.
2. Configuring AP-based load balancing
3. Configuring group-based load balancing
   Required. Use either approach.
   • AP-based load balancing: After you complete Configuring a load balancing mode, the AC adopts
AP-based load balancing by default.
   • Group-based load balancing: HP recommends that you complete Configuring a load balancing
mode first. A load balancing group takes effect only when a load balancing mode is configured.
4. Configuring parameters that affect load balancing: Optional. This configuration takes effect for both
AP-based load balancing and radio group-based load balancing.

Configuring a load balancing mode


If the AC has a load balancing mode configured but has no load balancing group created, it uses
AP-based load balancing by default.
1. Configure session-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree to enter the page for setting load
balancing.
b. Select Session from the Loadbalance Mode list.
c. Click Apply.
Figure 590 Setting session-mode load balancing
Table 195 Configuration items
Loadbalance Mode: Select Session. The function is disabled by default.
Threshold: Load balancing is carried out for a radio when the session threshold and session gap
threshold are reached.
Gap: Load balancing is carried out for a radio when the session threshold and session gap threshold
are reached.
2. Configure traffic-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree to enter the page for setting load
balancing.
b. Select Traffic from the Loadbalance Mode list.
c. Click Apply.
Figure 591 Setting traffic-mode load balancing
Table 196 Configuration items
Loadbalance Mode: Select Traffic. The function is disabled by default.
Traffic: Load balancing is carried out for a radio when the traffic threshold and traffic gap threshold
are reached.
Gap: Load balancing is carried out for a radio when the traffic threshold and traffic gap threshold (the
traffic gap between the two APs) are reached.

NOTE:
If you select traffic-mode load balancing, the maximum throughput of 802.11g/802.11a is 30 Mbps.

Configuring group-based load balancing


HP recommends that you complete Configuring a load balancing mode on the Load Balance tab page.
A load balancing group takes effect only when a load balancing mode is configured.
1. Select Advanced > Load Balance from the navigation tree.
2. Click the Load Balance Group tab to enter the page for configuring a load balancing group.
3. Click Add.
Figure 592 Configuring a load balancing group
4. Configure a load balancing group as described in Table 197.
5. Click Apply.
Table 197 Configuration items
Group ID: Display the ID of the load balancing group.
Description: Configure a description for the load balancing group. By default, the load balancing group
has no description.
Radio List: In the Radios Available area, select the target radios, and then click << to add them to the
Radios Selected area. In the Radios Selected area, select the radios to be removed, and then click >> to
remove them from the load balancing group.

Configuring parameters that affect load balancing


1. Select Advanced > Load Balance from the navigation tree. See Figure 590.
2. Configure parameters that affect load balancing as described in Table 198.
3. Click Apply.
Table 198 Configuration items
Max Denial Count: Maximum denial count of client association requests. If a client has been denied
more than the specified maximum times, the AP considers that the client is unable to associate with any
other AP and accepts the association request from the client.
RSSI Threshold: Load balancing RSSI threshold. A client may be detected by multiple APs. An AP
considers a client whose RSSI is lower than the load balancing RSSI threshold to be not detected. If only
one AP can detect the client, the AP increases the access probability for the client even if it is
overloaded.

Configuring AP
Upgrading AP version
1. Select Advanced > AP from the navigation tree.
2. On the AP Module tab, select the desired AP.
3. Click Version Update to enter the page for AP version upgrade.
4. Configure the AP upgrade as described in Table 199.
5. Click Apply.
Table 199 Configuration items
AP Model: Display the selected AP model.
Software Version: Enter the software version of the AC in the correct format.

Switching to fat AP
1. Select Advanced > AP Setup from the navigation tree.
2. Click the Switch to Fat AP tab.
3. Select the desired AP.
4. Click Switch to Fat AP to perform the AP working mode switchover.
NOTE:
Before you switch the working mode, you must download the fat AP software to the AP.

Configuring wireless location


1. Select Advanced > Wireless Location from the navigation tree to enter the page for displaying and
configuring wireless location on an AC.
Figure 593 Configuring wireless location
2. Configure wireless location as described in Table 200.
3. Click Apply.
Table 200 Configuration items
Location Function:
  • Enable: Enables the wireless location function globally. The device begins to listen to packets when
wireless location is enabled.
  • Disable: Disables wireless location globally.
  To ensure the location function, complete the configuration on the location server and AC:
  • On the location server: Configure whether to locate Tags or MUs, the Tag message multicast
address, and the dilution factor on the location server. These settings are notified to the APs through
the configuration message. For more information about the location server and configuration
parameters, see the location server manuals.
  • On the AC: Configure the AP mode settings, and enable the wireless location function.
  When the configurations are made correctly, APs wait for the configuration message sent by the
location server. After receiving that message, the APs start to receive and report Tag and MU messages.
Vendor Port: Set the listening port number for vendors. The port number must be the same as that
defined in the AE.
Tag Mode: Select this option to enable the Tag report function on the radio (you must also enable Tags
mode on the AE).
MU Mode: Select this option to enable the MU report function on the radio (you must also enable MUs
mode on the AE).

An AP reports IP address change and device reboot events to the location server so that the location
server is able to respond in time. The AP reports a reboot message according to the IP address and port
information of the location server recorded in its flash.
• The AP updates the data in the flash after receiving a configuration message. To protect the flash,
the AP does not update the flash immediately after receiving a configuration message, but waits for
10 minutes. If the AP receives another configuration message within 10 minutes, it only updates the
configuration information in the cache, and when the 10-minute timer expires, it saves the cached
information in the flash.
• If the AP reboots within 10 minutes after receiving the first configuration message, and no
configuration is saved in the flash, it does not send a reboot message to the location server.

Configuring wireless sniffer


1. Select Advanced > Wireless Sniffer from the navigation tree to enter the wireless sniffer
configuration page.
Figure 594 Configuring wireless sniffer
2. To enable the wireless sniffer function for a specified radio, click the icon of the radio.
Before you enable wireless sniffer, make sure the AP operates in normal mode and in run state.
Wireless sniffer can be enabled for only one radio, and that radio must be configured with a fixed
channel.
When you configure wireless sniffer, follow these guidelines:
• Auto APs do not support wireless sniffer.
• Wireless sniffer can be enabled for only one radio at a time.
• While the Capture AP is capturing packets, if wireless sniffer is disabled for the radio, the Capture AP
is deleted, the Capture AP is disconnected from the AC, or the number of captured packets reaches the
upper limit, the sniffer operation stops and the packets are saved to the specified .dmp file. The
default storage medium varies with device models.
• You can click Stop to stop the wireless sniffer and choose whether to save the packets to a CAP file.
Otherwise, no CAP file is generated.
• The working mode of the AP cannot be changed while it is capturing packets.
NOTE:
Do not enable or run wireless services for the radio with wireless sniffer enabled. Disable all wireless
services before enabling wireless sniffer.
3. Configure wireless sniffer as described in Table 201.
4. Click Apply.
Table 201 Configuration items
Capture Limit: The maximum number of packets that can be captured. Once the limit is exceeded, the
device stops capturing packets.
  IMPORTANT: You cannot change the value when the device is capturing packets.
Filename: Name of the CAP file to which the packets are saved. By default, the name is SnifferRecord.
  IMPORTANT: You cannot change the file name when the device is capturing packets.

Configuring band navigation


When band navigation is enabled, client association efficiency is reduced, so this feature is not
recommended in a scenario where most clients use 2.4 GHz.
Band navigation is not recommended in a delay-sensitive network.
Band navigation and load balancing can be used simultaneously.

Configuration prerequisites
To enable band navigation to operate correctly, make sure of the following:
• The fast association function is disabled. By default, the fast association function is disabled. For
more information about fast association, see "Configuring access services."
• Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
• The SSID is bound to the 2.4 GHz and 5 GHz radios of the AP.

Configuring band navigation
1. Select Advanced > Band Navigation from the navigation tree.
Figure 595 Configuring band navigation
2. Configure band navigation as described in Table 202.
3. Click Apply.
Table 202 Configuration items
Band Navigation:
  • Enable: Enable band navigation.
  • Disable: Disable band navigation.
  By default, band navigation is disabled globally.
Session Threshold, Gap:
  • Session Threshold: Session threshold for clients on the 5 GHz band.
  • Gap: Session gap, which is the number of clients on the 5 GHz band minus the number of clients on
the 2.4 GHz band.
  If the number of clients on the 5 GHz radio has reached the upper limit, and the gap between the
number of clients on the 5 GHz radio and that on the 2.4 GHz radio has reached the upper limit, the AP
denies client association requests on the 5 GHz radio, and allows new clients to associate with the
2.4 GHz radio.
  When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the
configured number.
Max Denial Count: Maximum denial count of client association requests. If a client has been denied
more than the maximum times on the 5 GHz radio, the AP considers that the client is unable to associate
with any other AP, and allows the 5 GHz radio to accept the client. When band navigation is enabled,
the value is 0 by default. To restore the default value 0, delete the configured number.
RSSI Threshold: Band navigation RSSI threshold. The AP checks the RSSI of a dual-band client before
directing the client to the 5 GHz radio. If the RSSI is lower than the value, the AP does not direct the
client to the 5 GHz band.
Aging Time: Client information aging time. The AP records the client information when a client tries to
associate with it. If the AP receives a probe request or association request sent by the client before the
aging time expires, the AP refreshes the client information and restarts the aging timer. If not, the AP
removes the client information, and does not count the client during band navigation.

Configuring multicast optimization


In centralized forwarding mode, enable IGMP/MLD snooping on the AC before enabling multicast
optimization and configure the aging time of multicast optimization entries to be greater than the aging
time of IGMP/MLD snooping dynamic member ports. Whether IGMP/MLD snooping is enabled does
not affect the multicast optimization function in local forwarding mode.
To enable multicast optimization to operate correctly in a WLAN roam environment, make sure the
multicast optimization function is enabled on all ACs on IACTP tunnels.

Enabling multicast optimization

1. Select Advanced > Multicast Optimization from the navigation tree.

Figure 596 Configuring multicast optimization

2. Configure multicast optimization as described in Table 203.

3. Click Apply.

Table 203 Configuration items

Item: Aging Time
Description:
  Specify the aging time for multicast optimization entries. If the AP does not receive an IGMP
  report from a client within the aging time, the AP removes the client from the multicast
  optimization entry.
  If you enable IGMP snooping, configure the aging time of multicast optimization entries to be
  greater than the aging time of IGMP snooping dynamic member ports.

Item: Multicast Optimization Max Clients
Description:
  Specify the maximum number of clients supported by multicast optimization.
  A client can join up to eight multicast groups.
  If a client joins multiple multicast groups, the client is counted as multiple clients in
  multicast optimization statistics. For example, if a client has joined two multicast groups,
  the client is counted as two clients in the multicast optimization statistics.

Item: Max Client Limit Exceeded Action
Description:
  Pause Multicast Optimization for All Clients: Invalidate the multicast optimization function.
  A new client can join a multicast group and receive multicast packets, and a multicast
  optimization entry can be created for the client. However, the multicast optimization function
  for all clients in the multicast group becomes invalid. When the number of clients drops below
  the upper limit, the multicast optimization function takes effect again.
  Exclude New Clients for Multicast Optimization: Reject new clients. A new client can join a
  multicast group, but no new multicast optimization entries can be created. If multicast
  optimization entries have been created for other clients in the multicast group, the client
  cannot receive multicast packets. Otherwise, the client can receive multicast packets.
  By default, the multicast optimization function becomes invalid when the maximum number of
  clients supported by multicast optimization is reached.

4. Select the target wireless service.

5. Click Enable.

Displaying multicast optimization information

1. Select Advanced > Multicast Optimization from the navigation tree.

2. Click the target radio.

Figure 597 Displaying multicast optimization information

Table 204 Field description

Field: AP Name
Description: Name of the AP.

Field: Radio ID
Description: ID of the radio to which the clients are associated.

Field: Total Clients
Description: Total number of clients served by multicast optimization. If a client joins multiple
multicast groups, the client is counted as multiple clients. For example, if a client has joined
two multicast groups through a radio, the client is counted as two clients by multicast
optimization.

Field: Action
Description: Operating status of the multicast optimization function:
  Optimize: The multicast optimization function is operating.
  Halt: The multicast optimization function is halted.

Field: Multicast Address
Description: Address of the multicast group that the clients have joined.

Field: MAC Address
Description: MAC addresses of the clients that have joined the multicast group.

Advanced settings configuration examples


1+1 fast backup configuration example
Network requirements
As shown in Figure 598, AC 1 and AC 2 back up each other, with AC 1 acting as the active AC. When
the active AC fails, the standby AC takes over to provide services, ensuring no service interruption.

Assign a higher priority to the AP connection to AC 1 (6 in this example) to make sure the AP first
establishes a connection with AC 1. In this way, AC 1 acts as the active AC.

When AC 1 is down, AC 2 becomes the new active AC.

When AC 1 recovers, no switchover to AC 1 occurs: AC 2 remains the active AC, and AC 1 acts as
the standby AC. This is because the AP connection on AC 1 does not have the highest priority.

Figure 598 Network diagram

Configuration guidelines

The wireless services configured on the two ACs should be consistent.

Specify the IP address of the backup AC on each AC.

AC backup has no relation to the access authentication method. However, the authentication
method of the two ACs must be the same.

Configuring AC 1
1. Configure the AP to establish a connection between AC 1 and the AP. For more information about
the configuration, see "Configuring access services."
2. Select AP > AP Setup from the navigation tree.
3. Click the icon corresponding to the target AP to enter the configuration page.
4. Expand Advanced Setup.
5. Set the connection priority to 6.
6. Click Apply.

Figure 599 Configuring the AP connection priority

7. Select Advanced > AC Backup from the navigation tree.
8. On the page that appears, set the IP address of the backup AC to 1.1.1.5, and select Enable to
enable the fast backup mode.
9. Click Apply.

Figure 600 Configuring the IP address of the backup AC

Configuring AC 2
1. Configure the AP to establish a connection between AC 2 and the AP. For more information about
the configuration, see "Configuring access services."
2. Leave the default value of the AP connection priority unchanged. (Details not shown.)
3. Select Advanced > AC Backup from the navigation tree.
4. On the page that appears, set the address of the backup AC to 1.1.1.4, and select Enable to
enable the fast backup mode.
5. Click Apply.

Figure 601 Configuring the address of the backup AC

Verifying the configuration

1. When AC 1 operates correctly, view the AP status on AC 1 and AC 2, respectively. The AP
connection priority on AC 1 is set to 6 (the higher one), so AC 1 becomes the active AC. The AP
establishes a connection to AC 1 based on priority.
a. On AC 1, select Advanced > AC Backup from the navigation tree.
b. Click the Status tab to enter the page shown in Figure 602.
The status information shows that AC 1 is the active AC.

Figure 602 Displaying the AP status on AC 1

c. On AC 2, select Advanced > AC Backup from the navigation tree.
d. Click the Status tab.
The information shows that AC 2 is acting as the standby AC.

Figure 603 Displaying the AP status on AC 2

2. When AC 1 operates correctly, display the client status on AC 1 and AC 2. The client establishes
connections with the AP through AC 1, and AC 2 has backed up the client status.
a. On AC 1, select Summary > Client from the navigation tree.
b. Click the Detail Information tab.
c. Click the name of the specified client to view the detailed information of the client.
The information shows that the client is running and is connected to AC 1 through an active link.

Figure 604 Displaying the client information on AC 1

d. On AC 2, select Summary > Client from the navigation tree.
e. Click the Detail Information tab.
f. Click the name of the specified client to view the detailed information of the client.
The information shows that the client is running and is connected to AC 2 through a standby link.

Figure 605 Displaying the client information on AC 2

3. When AC 1 goes down, the standby AC (AC 2) detects the failure immediately through the
heartbeat detection mechanism. Then AC 2 takes over to become the new active AC, providing
services to the AP.
On AC 2 (the new active AC), display the AP status. (Details not shown.)
The information shows that AC 2 has become the active AC.
On AC 2, display the client information. (Details not shown.)
The value of the State field becomes Running, which indicates that the client is connected to
AC 2 through an active link.
4. When AC 1 recovers, AC 2 still acts as the active AC, and AC 1 becomes the standby AC. AC 1
establishes a backup link with the AP and backs up the client status.

1+N backup configuration example

Network requirements
As shown in Figure 606, AC 1 and AC 2 are active ACs, and AC 3 acts as the standby AC. When an
active AC fails, AC 3 (the standby AC) takes over to provide services. As soon as the active AC recovers,
the AP connects to the original active AC again.

The APs connect to AC 1, AC 2, and AC 3 through a Layer 2 switch. The IP addresses of AC 1, AC 2,
and AC 3 are 1.1.1.3, 1.1.1.4, and 1.1.1.5, respectively.

Assign the highest AP connection priority of 7 on AC 1 and AC 2 to make sure AP 1 establishes a
connection with AC 1, and that AP 2 establishes a connection with AC 2.

If one of the two active ACs is down, AC 3 becomes the new active AC.

When the faulty AC recovers, the AP that connects to AC 3 automatically connects to the original
active AC. This is because the AP connection priority on the active AC is the highest priority. In this
way, AC 3 can always act as a dedicated standby AC to provide backup services for AC 1 and AC 2.

Figure 606 Network diagram

Configuring AC 1
1. Configure AC 1 so that a connection is set up between AC 1 and AP 1. For more information
about the configuration, see "Configuring access services."
2. Select AP > AP Setup from the navigation tree.
3. Click the icon corresponding to the target AP to enter the configuration page.
4. Expand Advanced Setup.
5. Set the connection priority to 7.
6. Click Apply.

Figure 607 Configuring the AP connection priority for AP 1

Configuring AC 2
1. Configure AC 2 so that a connection is set up between AC 2 and AP 2. For more information
about the configuration, see "Configuring access services."
2. Set the AP connection priority to 7. The configuration steps are the same as those on AC 1.
(Details not shown.)
3. Configure AC 3 (the backup AC):
a. Configure the related information of AP 1 and AP 2. For more information about the
configuration, see "Configuring access services."
b. Select AP > AP Setup from the navigation tree.
c. Click the icon corresponding to the target AP to enter the configuration page.
d. Expand Advanced Setup.
e. Enter 1.1.1.3 in the Backup AC IPv4 Address field.
f. Click Apply.

Figure 608 Backing up the IP address of AC 1

g. Select AP > AP Setup from the navigation tree.
h. Click the icon corresponding to the target AP to enter the configuration page.
i. Expand Advanced Setup.
j. Enter 1.1.1.4 in the Backup AC IPv4 Address field.
k. Click Apply.

Figure 609 Backing up the IP address of AC 2

Verifying the configuration

1. When AC 1 goes down, AC 3 becomes the new active AC.
2. When AC 1 recovers, the AP connecting to AC 3 connects to AC 1 again. This is because the
highest AP connection priority of 7 on AC 1 ensures an automatic switchover.
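The 1+1 and 1+N examples above apply one rule: an AP connects to the reachable AC on which its connection priority is highest, and it moves back to a recovered AC only when that AC holds the highest priority value (7). The following Python model is an added example written for this guide, not HP code. It assumes a default priority of 0 for an AC whose priority was left unchanged, that a tie keeps the AP on its current AC, and that 7 is the maximum value, as the examples state. It replays the 1+1 case (priority 6 on AC 1, no switch-back after recovery) and the 1+N case (priority 7 on AC 1, automatic switch-back from AC 3).

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

MAX_PRIORITY = 7       # highest AP connection priority used in the guide's examples
DEFAULT_PRIORITY = 0   # assumption: an unchanged default is lower than any configured value


@dataclass
class AC:
    name: str
    priority: int = DEFAULT_PRIORITY   # AP connection priority configured on this AC
    up: bool = True                    # whether the AP can currently reach this AC


def choose_ac(acs: list[AC], current: Optional[str]) -> Optional[str]:
    """Return the name of the AC the AP should be connected to."""
    reachable = [ac for ac in acs if ac.up]
    if not reachable:
        return None
    best = max(reachable, key=lambda ac: ac.priority)   # first configured AC wins a tie
    cur = next((ac for ac in reachable if ac.name == current), None)
    if cur is None:
        return best.name   # no AC yet, or the current AC failed: join the best reachable one
    # Switch back to a recovered AC only if it holds the highest possible priority (1+N case).
    if best.priority == MAX_PRIORITY and best.priority > cur.priority:
        return best.name
    return cur.name        # otherwise stay put (1+1 case: priority 6 does not preempt)


def simulate(acs: list[AC], events: list[tuple[str, bool]]) -> list[Optional[str]]:
    """Apply (ac_name, up) events in order; return the AC in use after each step."""
    by_name = {ac.name: ac for ac in acs}
    current = choose_ac(acs, None)
    trace = [current]
    for name, up in events:
        by_name[name].up = up
        current = choose_ac(acs, current)
        trace.append(current)
    return trace


def one_plus_one() -> list[Optional[str]]:
    """1+1 fast backup: AC 1 (priority 6) fails and recovers; AC 2 keeps the AP."""
    acs = [AC("AC 1", priority=6), AC("AC 2")]
    return simulate(acs, [("AC 1", False), ("AC 1", True)])


def one_plus_n() -> list[Optional[str]]:
    """1+N backup: AC 1 (priority 7) fails, AC 3 takes over, AC 1 gets the AP back."""
    acs = [AC("AC 1", priority=7), AC("AC 3")]
    return simulate(acs, [("AC 1", False), ("AC 1", True)])


if __name__ == "__main__":
    print("1+1:", one_plus_one())   # ['AC 1', 'AC 2', 'AC 2']
    print("1+N:", one_plus_n())     # ['AC 1', 'AC 3', 'AC 1']
```

The model deliberately treats the 1+1 pair and the 1+N group with the same function: the only difference between the two examples is whether the original AC's priority is the maximum value, which is exactly what decides the switch-back.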

AP-based session-mode load balancing configuration example

Network requirements

As shown in Figure 610, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client
2 through Client 6 are associated with AP 2.

Configure session-mode load balancing on the AC. The threshold (the maximum number of sessions)
is 5, and the session gap is 4.

Figure 610 Network diagram

Configuration guidelines
An AP starts session-mode load balancing only when both the maximum sessions and maximum session
gap are reached.

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a
connection between the AC and each AP. For the related configuration, see "Configuring access
services."
2. Configure session-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select the Session mode, enter the threshold 5, and use the default
value for the gap.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.

Figure 611 Setting session-mode load balancing

Verifying the configuration


Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. Because the
number of clients associated with AP 2 reaches 5 and the session gap between AP 2 and AP 1 reaches
4, Client 7 is associated with AP 1.

AP-based traffic-mode load balancing configuration example

Network requirements

As shown in Figure 612, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with
AP 1, and no client is associated with AP 2.

Configure traffic-mode load balancing on the AC. The traffic threshold is 3 Mbps, which
corresponds to the threshold value of 10 in percentage, and the traffic gap is 12 Mbps, which
corresponds to the traffic gap value of 40 in percentage.

Figure 612 Network diagram

Configuration guidelines
An AP starts traffic-mode load balancing only when both the maximum traffic threshold and maximum
traffic gap are reached.

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a
connection between the AC and each AP. For the related configuration, see "Configuring access
services."
2. Configure traffic-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select the Traffic mode, enter the threshold 10 and the traffic gap
40.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.

Figure 613 Setting traffic-mode load balancing

Verifying the configuration


Client 1 and Client 2 are associated with AP 1. Add Client 3 to the network. When the maximum traffic
threshold and traffic gap are reached on AP 1, Client 3 is associated with AP 2.

Group-based session-mode load balancing configuration example
Network requirements

As shown in Figure 614, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client
2 through Client 6 are associated with AP 2, and no client is associated with AP 3.

Configure session-mode load balancing on the AC. The maximum number of sessions is 5, and the
maximum session gap is 4.

Session-mode load balancing is required on only radio 2 of AP 1 and radio 2 of AP 2. Therefore,
add them to a load balancing group.

Figure 614 Network diagram (AC, L2 switch, AP 1 through AP 3, and Client 1 through Client 7)

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a
connection between the AC and each AP. For the related configuration, see "Configuring access
services."
2. Configure load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select Session from the Loadbalance Mode list, enter the threshold 5,
and use the default value for the gap.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.

Figure 615 Configuring session-mode load balancing

3. Configure a load balancing group:
a. Select Advanced > Load Balance from the navigation tree.
b. Click the Load Balance Group tab to enter the load balancing group configuration page.
c. Click Add.
d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area,
click << to add them to the Radios Selected area, and click Apply.

Figure 616 Configuring a load balancing group

Verifying the configuration

Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group. The radio of AP 3 does
not belong to any load balancing group. Because load balancing takes effect only on radios in a
load balancing group, AP 3 does not take part in load balancing.

Assume Client 7 wants to associate with AP 2. The number of clients associated with radio 2 of AP
2 reaches 5 and the session gap between radio 2 of AP 2 and AP 1 reaches 4, so Client 7 is
associated with AP 1.

Group-based traffic-mode load balancing configuration example
Network requirements

As shown in Figure 617, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with
AP 1, and no client is associated with AP 2 or AP 3.

Configure traffic-mode load balancing on the AC. The maximum traffic threshold is 10%, and the
maximum traffic gap is 20%.

Traffic-mode load balancing is required only on radio 2 of AP 1 and radio 2 of AP 2. Therefore, add
them to a load balancing group.

Figure 617 Network diagram

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a
connection between the AC and each AP. For the related configuration, see "Configuring access
services."
2. Configure load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select Traffic from the Loadbalance Mode list, enter the threshold 10
and the gap 40.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.

Figure 618 Configuring traffic load balancing

3. Configure a load balancing group:
a. Select Advanced > Load Balance from the navigation tree.
b. Click the Load Balance Group tab to enter the load balancing group configuration page.
c. Click Add.
d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area,
click << to add them to the Radios Selected area, and click Apply.

Figure 619 Configuring a load balancing group

Verifying the configuration

Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP
3 does not belong to any load balancing group. Because load balancing takes effect only on
radios in a load balancing group, AP 3 does not take part in load balancing.

Assume Client 3 wants to associate with AP 1. Because the maximum traffic threshold and traffic
gap have been reached on radio 2 of AP 1, Client 3 is associated with AP 2.

Wireless location configuration example

Network requirements
As shown in Figure 620, AP 1, AP 2, and AP 3 operate in monitor mode. They send the collected tag and
MU messages to an AE (the location server), which performs location calculation and then sends the
data to the graphics software. You can obtain the location information of the rogue AP, APs, and clients
by using maps, forms, or reports.

Figure 620 Network diagram (AE (location server), AC, switch, AP 1 through AP 3, a client, and a
rogue AP)

Configuration guidelines

Before you enable the wireless location function, make sure at least three APs operate in monitor or
hybrid mode so that the APs can detect Tags and clients not associated with them, and that the AE
can implement location calculation.

An AP monitors clients on different channels periodically, so if the Tag message sending interval is
configured as 1 second, the AP scans and reports Tag messages every half a minute. If higher
location efficiency is required, you can set the Tag sending interval to the smallest value, which is
124 milliseconds.

Configuring the AE
1. Configure the IP addresses of AP 1, AP 2, and AP 3 on the AE, or select the broadcasting mode
for the AE to discover APs.
2. Perform the configuration related to wireless location on the AE.

Configuring AP 1 to operate in monitor mode

AP 1, AP 2, and AP 3 are configured similarly, and the following describes only how to configure AP 1
for illustration.
1. Select AP > AP Setup from the navigation tree.
2. Click Add.
3. On the page that appears, enter the AP name ap1, select the model MSM460-WW, select Manual
from the Serial ID list, enter the AP serial ID in the field, and click Apply.

Figure 621 Creating an AP

4. Select Security > Rogue Detection from the navigation tree.
5. On the AP Monitor tab, click the icon corresponding to the target AP to enter the page for
configuring the work mode.
6. Select the work mode Monitor.
7. Click Apply.

Figure 622 Setting the work mode

Enabling 802.11n
1. Select Radio > Radio from the navigation tree to enter the page for configuring the radio.
2. Select the target AP.
3. Click Enable.

Figure 623 Enabling 802.11n (2.4 GHz)

Enabling wireless location

1. Select Advanced > Wireless Location from the navigation tree.
2. On the page that appears, select Enable, and select the tag mode and MU mode for 802.11n (2.4
GHz).
3. Click Apply.

Figure 624 Enabling wireless location

Verifying the configuration


You can display the location information of the rogue AP, APs, and clients by using maps, forms or
reports.

Wireless sniffer configuration example

Network requirements
As shown in Figure 625, configure a Capture AP, and enable wireless sniffer on this AP to capture
wireless packets. The captured packets are then saved in a .dmp file for troubleshooting.

Figure 625 Network diagram (AC, switch, Capture AP, AP 1, AP 2, a rogue AP, and the clients PC,
PDA, and Client)

Configuring Capture_AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add.
3. On the page that appears, enter the AP name capture_ap, select the model MSM460-WW, select
Manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.

Figure 626 Creating a Capture AP

4. Select Radio > Radio from the navigation tree.
5. Click the icon of the Capture_AP to enter the radio configuration page.
6. Select 6 from the Channel list.
7. Click Apply.

Figure 627 Setting the channel

8. Select Radio > Radio from the navigation tree.
9. Select the target AP.
10. Click Enable.

Figure 628 Enabling 802.11n (2.4 GHz)

Configuring and enabling wireless sniffer

1. Select Advanced > Wireless Sniffer from the navigation tree.
2. On the page that appears, enter the capture limit 5000, enter the file name CapFile, and click
Apply.
3. Click the icon corresponding to the target radio to enable wireless sniffer for the radio.

Figure 629 Configuring and enabling wireless sniffer

Verifying the configuration

Capture AP captures wireless packets and saves the packets to a CAP file in the default storage
medium. Administrators can download the file to the PC and get the packet information by using
tools such as Ethereal.

When the total number of captured packets reaches the upper limit, Capture AP stops capturing
packets.

Band navigation configuration example

Network requirements
As shown in Figure 630, Client 1 through Client 4 try to associate with AP 1, and the two radios of AP
1 operate at 5 GHz and 2.4 GHz, respectively. Client 1, Client 2, and Client 3 are dual-band clients,
and Client 4 is a single-band (2.4 GHz) client. Configure band navigation to direct clients to different
radios of the AP.

Figure 630 Network diagram

Configuring the AC
To enable band navigation to operate correctly, make sure of the following:

The fast association function is disabled. By default, the fast association function is disabled.

Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.

1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click New.
c. On the page that appears, enter the AP name ap1, select the model MSM460-WW, select
Manual from the Serial ID list, and enter the AP serial ID in the field.
d. Click Apply.
2. Configure the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to band-navigation, select the wireless service
type Clear, and click Apply.
3. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the band-navigation box.
c. Click Enable.
4. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service band-navigation to enter the page for binding an AP
radio.
c. Select the boxes next to ap1 with radio types 802.11n(2.4GHz) and 802.11n(5GHz).
d. Click Bind.

Figure 631 Binding an AP radio

5. Enable the 802.11n(2.4GHz) and 802.11n(5GHz) radios:
a. Select Radio > Radio Setup from the navigation tree.
b. Select the boxes next to ap1 with the radio modes 802.11n(2.4GHz) and 802.11n(5GHz).
c. Click Enable.
6. Configure band navigation:
a. Select Advanced > Band Navigation from the navigation tree.
b. On the page that appears, select Enable, and enter the Session Threshold 2 and Gap 1. Use the
default values for the other options.
c. Click Apply.

Figure 632 Configuring band navigation

Verifying the configuration

Client 1 and Client 2 are associated with the 5 GHz radio of AP 1, and Client 4 can only be associated
with the 2.4 GHz radio of AP 1. Because the number of clients on the 5 GHz radio has reached the upper
limit 2, and the gap between the number of clients on the 5 GHz radio and the 2.4 GHz radio has reached
the session gap 1, Client 3 will be associated with the 2.4 GHz radio of AP 1.
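Band navigation (Table 202) and the session-mode and traffic-mode load balancing examples earlier in this chapter share one decision: the preferred radio (the 5 GHz radio, or the busier AP or radio in a load balancing group) denies a new association only when its load has reached the threshold and the gap to the other radio has reached the configured gap, and a client denied more than Max Denial Count times is admitted anyway. The Python model below is an added example written for this guide, not HP code. It assumes a client tries the preferred radio first and then the other one, treats a Max Denial Count of 0 as "keep denying", and uses a constructed traffic figure of 55 % for the traffic-mode case; the RSSI threshold and the aging timer are left out. It replays this band navigation example (threshold 2, gap 1), the AP-based session-mode example (threshold 5, gap 4) and the AP-based traffic-mode example (threshold 10, gap 40).

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Policy:
    mode: str            # "session" (client counts) or "traffic" (percentage of radio capacity)
    threshold: float     # Session Threshold, or the traffic threshold in percent
    gap: float           # Gap: load on the preferred radio minus load on the alternative
    max_denial: int = 0  # Max Denial Count; 0 means the AP never stops denying (assumption)


@dataclass
class Radio:
    name: str
    clients: list[str] = field(default_factory=list)
    traffic_pct: float = 0.0   # used in traffic mode only; sample values are constructed


class Steerer:
    """Steering between one preferred radio and one alternative radio."""

    def __init__(self, policy: Policy, preferred: Radio, alternative: Radio):
        self.policy, self.preferred, self.alternative = policy, preferred, alternative
        self.denials: dict[str, int] = {}   # per-client count of denied requests

    def load(self, radio: Radio) -> float:
        return len(radio.clients) if self.policy.mode == "session" else radio.traffic_pct

    def congested(self) -> bool:
        """Both conditions must hold, as the configuration guidelines state."""
        p, a = self.load(self.preferred), self.load(self.alternative)
        return p >= self.policy.threshold and (p - a) >= self.policy.gap

    def request(self, client: str, radio: Radio) -> bool:
        """Handle one association request; True if the radio accepts the client."""
        if radio is self.preferred and self.congested():
            self.denials[client] = self.denials.get(client, 0) + 1
            # Max Denial Count: a client denied more than max_denial times is let in.
            if not (self.policy.max_denial and self.denials[client] > self.policy.max_denial):
                return False
        radio.clients.append(client)
        return True

    def associate(self, client: str, dual_band: bool = True) -> str:
        """A dual-band client tries the preferred radio first, then the alternative."""
        if dual_band and self.request(client, self.preferred):
            return self.preferred.name
        self.request(client, self.alternative)   # the alternative radio never denies here
        return self.alternative.name


def band_navigation_example() -> dict[str, list[str]]:
    """This example: Session Threshold 2, Gap 1; Client 4 is a 2.4 GHz-only client."""
    ghz5, ghz24 = Radio("5 GHz"), Radio("2.4 GHz")
    s = Steerer(Policy("session", threshold=2, gap=1), preferred=ghz5, alternative=ghz24)
    s.associate("Client 1")
    s.associate("Client 2")
    s.associate("Client 4", dual_band=False)
    s.associate("Client 3")                  # 5 GHz holds 2 and the gap is 1: sent to 2.4 GHz
    return {r.name: r.clients for r in (ghz5, ghz24)}


def session_load_balance_example() -> str:
    """AP-based session mode: threshold 5, gap 4; Client 7 ends up on AP 1."""
    ap1 = Radio("AP 1", ["Client 1"])
    ap2 = Radio("AP 2", [f"Client {i}" for i in range(2, 7)])
    return Steerer(Policy("session", 5, 4), preferred=ap2, alternative=ap1).associate("Client 7")


def traffic_load_balance_example() -> str:
    """AP-based traffic mode: threshold 10 %, gap 40 %; Client 3 ends up on AP 2."""
    ap1 = Radio("AP 1", ["Client 1", "Client 2"], traffic_pct=55.0)   # constructed load
    ap2 = Radio("AP 2")
    return Steerer(Policy("traffic", 10, 40), preferred=ap1, alternative=ap2).associate("Client 3")


def max_denial_example() -> list[bool]:
    """Max Denial Count 1: the second retry on the congested 5 GHz radio is accepted."""
    ghz5, ghz24 = Radio("5 GHz", ["Client 1", "Client 2"]), Radio("2.4 GHz", ["Client 4"])
    s = Steerer(Policy("session", 2, 1, max_denial=1), preferred=ghz5, alternative=ghz24)
    return [s.request("Client 3", ghz5) for _ in range(2)]
```

The two load-balancing functions reuse the same `Steerer` as band navigation; the only thing that changes between the page's examples is what counts as load (clients or traffic percentage) and which radio is the preferred one.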

Multicast optimization configuration example

Network requirements
As shown in Figure 633, enable multicast optimization for the AP to convert multicast packets to unicast
packets for up to two clients.
Enable IGMP snooping on the AC before enabling multicast optimization, and configure the aging time
of multicast optimization entries to be greater than the aging time of IGMP snooping dynamic member
ports.

Figure 633 Network diagram

Configuring the AC
1. Select Advanced > Multicast Optimization from the navigation tree.
2. Set the Aging Time to 300 seconds, the Multicast Optimization Max Clients to 2, and the Max Client
Limit Exceeded Action to Exclude New Clients for Multicast Optimization.
3. Click Apply.
4. Select the target wireless service.
5. Click Enable.

Figure 634 Configuring multicast optimization

Verifying the configuration


Client 1 and Client 2 are associated with a radio of the AP. Because the number of clients on the radio
has reached the upper limit 2, Client 3 cannot be added to multicast optimization entries.
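Table 203 and this example describe how multicast optimization entries are counted, aged and capped: each client-to-group membership is one entry, an entry is refreshed by the client's IGMP reports and removed after the aging time, and when the Max Clients limit is reached the AP either excludes new clients (this example) or keeps creating entries but halts optimization until the count drops below the limit (the default). The Python model below is an added example written for this guide, not HP code. It simplifies the halt to one flag for the radio, uses a constructed IGMP snooping member port aging time of 260 seconds to show the ordering check, and replays this example (300 seconds, 2 clients, exclude new clients) beside the default pause behaviour.

```python
from __future__ import annotations
from dataclasses import dataclass

PAUSE = "Pause Multicast Optimization for All Clients"
EXCLUDE = "Exclude New Clients for Multicast Optimization"
MAX_GROUPS_PER_CLIENT = 8   # Table 203: a client can join up to eight multicast groups


@dataclass
class McastOptConfig:
    aging_time: int                          # seconds; aging of multicast optimization entries
    max_clients: int                         # Multicast Optimization Max Clients
    exceeded_action: str = PAUSE             # page default: optimization becomes invalid at the limit
    igmp_snooping_aging: int | None = None   # dynamic member port aging when IGMP snooping is on


def aging_ok(cfg: McastOptConfig) -> bool:
    """Table 203 rule: with IGMP snooping on, entry aging must exceed member port aging."""
    return cfg.igmp_snooping_aging is None or cfg.aging_time > cfg.igmp_snooping_aging


@dataclass
class Entry:
    client: str         # client MAC address or name
    group: str          # multicast group address
    last_report: float  # time of the last IGMP report that refreshed this entry


class McastOptTable:
    """Multicast optimization entries of one radio (simplified model)."""

    def __init__(self, cfg: McastOptConfig):
        if not aging_ok(cfg):
            raise ValueError("aging_time must exceed the IGMP snooping member port aging time")
        self.cfg = cfg
        self.entries: list[Entry] = []
        self.optimizing = True   # Table 204 "Action": Optimize or Halt

    def count(self) -> int:
        """One (client, group) membership counts as one client (Table 203)."""
        return len(self.entries)

    def status(self) -> str:
        return "Optimize" if self.optimizing else "Halt"

    def report(self, client: str, group: str, now: float) -> bool:
        """Process an IGMP report; True if the client holds an optimization entry afterwards."""
        for e in self.entries:
            if e.client == client and e.group == group:
                e.last_report = now   # refresh: the entry's aging timer restarts
                return True
        if sum(1 for e in self.entries if e.client == client) >= MAX_GROUPS_PER_CLIENT:
            return False
        if self.count() >= self.cfg.max_clients:
            if self.cfg.exceeded_action == EXCLUDE:
                return False          # the client joins the group but gets no entry
            self.optimizing = False   # PAUSE: the entry is created, optimization halts
        self.entries.append(Entry(client, group, now))
        return True

    def age(self, now: float) -> int:
        """Drop entries with no report within aging_time; return how many were removed."""
        before = self.count()
        self.entries = [e for e in self.entries if now - e.last_report < self.cfg.aging_time]
        if self.count() < self.cfg.max_clients:   # "drops below the upper limit": resume
            self.optimizing = True
        return before - self.count()


def exclude_example() -> tuple[list[bool], str]:
    """This example: aging 300 s, max 2 clients, exclude new clients; Client 3 gets no entry."""
    cfg = McastOptConfig(aging_time=300, max_clients=2, exceeded_action=EXCLUDE,
                         igmp_snooping_aging=260)   # 260 s is a constructed snooping value
    table = McastOptTable(cfg)
    results = [table.report(c, "239.1.1.1", now=0) for c in ("Client 1", "Client 2", "Client 3")]
    return results, table.status()


def pause_example() -> tuple[str, str]:
    """Default action: the third entry halts optimization; aging out two entries resumes it."""
    table = McastOptTable(McastOptConfig(aging_time=300, max_clients=2))
    for c in ("Client 1", "Client 2", "Client 3"):
        table.report(c, "239.1.1.1", now=0)
    halted = table.status()
    table.report("Client 3", "239.1.1.1", now=100)   # only Client 3 keeps reporting
    table.age(now=350)                               # Clients 1 and 2 silent for 350 s
    return halted, table.status()


def two_groups_count() -> int:
    """A client in two groups is counted as two clients (Table 203)."""
    table = McastOptTable(McastOptConfig(aging_time=300, max_clients=5))
    table.report("Client 1", "239.1.1.1", now=0)
    table.report("Client 1", "239.1.1.2", now=0)
    return table.count()
```

The `aging_ok` check is the one to keep in mind when scripting this configuration: an entry aging time at or below the IGMP snooping member port aging time lets the AP drop a client from the optimization entry before the AC's snooping table does.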


Configuring stateful failover


NOTE:
Support for the stateful failover feature may vary depending on your device model. For more information,
see "About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified
Wired-WLAN Module Web-Based Configuration Guide."

Overview
Introduction to stateful failover
Some customers require their wireless networks to be highly reliable to ensure continuous data
transmission. In Figure 635, deploying only one AC (even with high reliability) risks a single point of
failure and therefore cannot meet the requirement.
Figure 635 Network with one AC deployed

The stateful failover feature (supporting portal service) was introduced to meet the requirement. In Figure
636, two ACs that are enabled with stateful failover are deployed in the network. You need to specify a
VLAN on the two ACs as the backup VLAN, and add the interfaces between the ACs to the backup
VLAN. The backup VLAN is like a failover link, through which the two ACs exchange state negotiation
messages periodically. After the two ACs enter the synchronization state, they back up the service entries
of each other to make sure that the service entries on them are consistent. If one AC fails, the other AC,
which has already backed up the service information, takes over to avoid service interruption.


Figure 636 Network diagram for stateful failover

Stateful failover states

Stateful failover includes the following states:

Silence: The device has just started, or is transiting from the synchronization state to the
independence state.

Independence: The silence timer has expired, but no failover link is established.

Synchronization: The device has completed state negotiation with the other device and is ready for
data backup.

The following figure shows the state relations.

Figure 637 Stateful failover state diagram

Configuration guidelines
When you configure stateful failover, follow these guidelines:

You must configure the 1+1 AC backup function to make sure that the traffic can automatically
switch to the other device if one device fails. For more information, see "Advanced settings."

To back up portal related information from the active device to the standby device, you must
configure portal to support stateful failover besides the configurations described in this chapter. For
more information, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500
20G Unified Wired-WLAN Module Security Configuration Guide.

Stateful failover can be implemented only between two devices rather than among more than two
devices.

Configuring stateful failover

1. From the navigation tree, select High reliability > Stateful Failover.
The stateful failover configuration page appears.
2. View the current stateful failover state at the lower part of the page, as described in Table 206.

Figure 638 Stateful failover configuration page

3. Configure the stateful failover parameters at the upper part of the page, as described in Table 205.
4. Click Apply.

Table 205 Configuration items

Item: Enable Stateful Failover
Description: Enable or disable the stateful failover feature.

Item: Backup Type
Description: Select whether to support asymmetric path:
  Unsupport Asymmetric Path: Sessions enter and leave the internal network through one device.
  The two devices operate in active/standby mode.
  Support Asymmetric Path: Sessions enter and leave the internal network through different
  devices to achieve load sharing. The two devices operate in active/active mode.

Item: Backup VLAN
Description: Set the backup VLAN.
  After a VLAN is configured as a backup VLAN, the interfaces in the VLAN are used to transmit
  stateful failover packets.
  IMPORTANT:
  A device uses the VLAN tag plus the protocol number to identify stateful failover packets, and
  broadcasts stateful failover packets to the peer within the backup VLAN. Therefore, HP
  recommends that you not configure other services (such as voice VLAN) for a backup VLAN, to
  avoid impact on the operation of stateful failover.
  An interface added to the backup VLAN can transmit other packets besides stateful failover
  packets.

Table 206 Field description

Field: Current Status
Description: Displays the failover state of the device.

Stateful failover configuration example


Network requirements
In Figure 639, the IP address of VLAN-interface 1 on AC 1 is 8.190.1.60/16, and that on AC 2 is
8.190.1.61/16. The client and AP each obtain an IP address from the DHCP server at 8.190.0.13/16, and
the ACs perform portal authentication through the IMC server. Configure stateful failover on AC 1 and
AC 2 so that when one AC fails, the other AC can take over portal and other services.
Figure 639 Network diagram

NOTE:
The portal group configuration on the two ACs must be consistent.

Configuring AC 1
1. Configure the backup AC and enable fast backup:
a. From the navigation tree, select Advanced > AC Backup.
The default Setup page appears.
b. Type the IPv4 address of AC 2 (8.190.1.61) as the backup AC address, and select Enable from
the Fast Backup Mode list.
c. Click Apply.

Figure 640 Setup page

2. Configure stateful failover:
a. Select High reliability > Stateful Failover from the navigation tree.
b. Select the Enable Stateful Failover box, select Unsupport Asymmetric Path from the Backup
Type list, and type 2 for Backup VLAN.
c. Click Apply.

Figure 641 Configuring stateful failover

3. Configure RADIUS scheme system:
a. Select Authentication > RADIUS from the navigation tree.
b. Click Add.
The RADIUS scheme configuration page appears.
c. Type system for Scheme Name, select Extended for Server Type, and select Without domain
name for Username Format.
d. Click Add in the RADIUS Server Configuration field.
The Add RADIUS Server page appears.

609

e. Select Primary Authentication for Server Type, and specify 8.1.1.16 as the IPv4 address and 1812 as
the port number.
f. Type expert for Key and expert for Confirm Key.
g. Click Apply.
Figure 642 Configuring a primary RADIUS authentication server

h. Click Add in the RADIUS Server Configuration field.
The Add RADIUS Server page appears.
i. Select Primary Accounting for Server Type, and specify 8.1.1.16 as the IPv4 address and 1813 as
the port number.
j. Type expert for Key and expert for Confirm Key.
k. Click Apply.
Figure 643 Configuring a RADIUS accounting server

l. After the configurations are complete, click Apply on the RADIUS scheme configuration page.

610

Figure 644 RADIUS scheme configuration page

4. Configure AAA authentication scheme for ISP domain system:
a. Select Authentication > AAA from the navigation tree.
b. Click the Authentication tab.
c. Select system from the Select an ISP domain list, select the Default AuthN box, select RADIUS
from the list, and select system from the Name list.
d. Click Apply.
A dialog box appears, showing the configuration progress.
e. After the configuration is successfully applied, click Close.

611

Figure 645 Configuring AAA authentication scheme for the ISP domain

5. Configure AAA authorization scheme for ISP domain system:
a. Click the Authorization tab.
b. Select system from the Select an ISP domain list, select the Default AuthZ box, select RADIUS
from the list, and select system from the Name list.
c. Click Apply.
A dialog box appears, showing the configuration progress.
d. After the configuration is successfully applied, click Close.

Figure 646 Configuring AAA authorization scheme for the ISP domain

6. Configure AAA accounting scheme for ISP domain system:
a. Click the Accounting tab.
b. Select system from the Select an ISP domain list, and select the Accounting Optional box.
c. Select Enable from the list, and select the Default Accounting box.
d. Select RADIUS from the list and system from the Name list.
612

e. Click Apply.
A dialog box appears, showing the configuration progress.
f. After the configuration is successfully applied, click Close.
Figure 647 Configuring AAA accounting scheme for the ISP domain

7. Configure portal authentication:
a. Select Authentication > Portal from the navigation tree.
The default Portal Server configuration page appears.
b. Click Add.
c. Select Vlan-interface1 from the Interface list, Add from the Portal Server list, and Direct from the
Method list, and select system for Authentication Domain.
d. Enter newpt for Server Name, 8.1.1.16 for IP, expert for Key, 50100 for Port, and
http://8.1.1.16:8080/portal for URL.
e. Click Apply.

613

Figure 648 Configuring a portal server

8. Add a portal-free rule:
a. Click the Free Rule tab.
b. Click Add.
c. Type 0 for Number, and select Bridge-Aggregation1 as the source interface.
d. Click Apply.

614

Figure 649 Adding a portal-free rule

9. Configure portal to support stateful failover at the command line interface (CLI):
# Specify AC 1's device ID to be used in stateful failover mode as 1, and specify portal group 2
for interface VLAN-interface 1.
<AC1>system-view
[AC1]nas device-id 1
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal backup-group 2

# Configure the virtual IP address of VRRP group 1 as 8.190.1.100, and specify the priority of AC
1 as 200. AC 2 uses the default priority.
[AC1-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100
[AC1-Vlan-interface1]vrrp vrid 1 priority 200
[AC1-Vlan-interface1]quit

# Configure the source IP address for RADIUS packets as 8.190.1.100.
[AC1]radius nas-ip 8.190.1.100

# Configure the source IP address for portal packets as 8.190.1.100 (same as the AC's IP address
configured on the IMC server for portal authentication).
[AC1-Vlan-interface1]portal nas-ip 8.190.1.100

Configuring AC 2
Configure AC 2 in the same way you configure AC 1 except that:

When you configure AC backup, specify AC 1's IP address as the backup AC address.

Specify the device ID to be used in stateful failover mode as 2.

For more information, see the configuration on AC 1.
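The pairing rules this example depends on (backup AC addresses that point at each other, distinct stateful failover device IDs, an identical portal group on both ACs, one VRRP group with one virtual IP, and RADIUS and portal source addresses equal to that virtual IP) are easy to break when the second AC is configured "in the same way except". The following Python script is an added example, not part of the HP guide or any HP tool. It parses the CLI lines shown for AC 1 plus a constructed AC 2 counterpart derived from the "Configuring AC 2" notes (device ID 2, VRRP priority left at the Comware default of 100, which is an assumption stated in the code), and reports every rule the pair violates. The Web-side values (the VLAN-interface 1 addresses, the backup AC address and backup VLAN 2) are passed in by hand because they do not appear in the CLI listing; both listings re-enter interface view before `portal nas-ip`, which the guide's AC 1 listing leaves implicit.

```python
"""Consistency check for a stateful-failover AC pair (added example, not HP code).

Parses the CLI lines the guide shows for AC 1 and a constructed AC 2
counterpart, then verifies the pairing rules the procedure depends on.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

VRRP_DEFAULT_PRIORITY = 100  # assumed Comware default when "vrrp vrid N priority" is not set

# AC 1 CLI lines from the guide, prompts stripped. The second "interface" line
# is added here because the guide's listing does not show re-entering interface view.
AC1_CLI = """
nas device-id 1
interface Vlan-interface 1
portal backup-group 2
vrrp vrid 1 virtual-ip 8.190.1.100
vrrp vrid 1 priority 200
quit
radius nas-ip 8.190.1.100
interface Vlan-interface 1
portal nas-ip 8.190.1.100
"""

# Constructed AC 2 counterpart: same as AC 1 except device ID 2 and the
# default VRRP priority, as the "Configuring AC 2" section describes.
AC2_CLI = """
nas device-id 2
interface Vlan-interface 1
portal backup-group 2
vrrp vrid 1 virtual-ip 8.190.1.100
quit
radius nas-ip 8.190.1.100
interface Vlan-interface 1
portal nas-ip 8.190.1.100
"""


@dataclass
class AcConfig:
    name: str
    own_ip: str            # VLAN-interface 1 address (network requirements)
    backup_ac_ip: str      # backup AC address entered on Advanced > AC Backup
    backup_vlan: int       # Backup VLAN entered on High reliability > Stateful Failover
    device_id: Optional[int] = None
    portal_groups: dict = field(default_factory=dict)  # interface -> portal group
    vrrp: dict = field(default_factory=dict)           # vrid -> {"vip", "priority"}
    radius_nas_ip: Optional[str] = None
    portal_nas_ip: dict = field(default_factory=dict)  # interface -> nas-ip


def parse_cli(cfg: AcConfig, text: str) -> AcConfig:
    """Fill cfg from Comware-style CLI lines (prompts already stripped)."""
    iface = None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"nas device-id (\d+)", line):
            cfg.device_id = int(m.group(1))
        elif m := re.fullmatch(r"interface (.+)", line):
            iface = m.group(1).replace(" ", "")  # "Vlan-interface 1" -> "Vlan-interface1"
        elif line == "quit":
            iface = None
        elif m := re.fullmatch(r"portal backup-group (\d+)", line):
            cfg.portal_groups[iface] = int(m.group(1))
        elif m := re.fullmatch(r"vrrp vrid (\d+) virtual-ip (\S+)", line):
            group = cfg.vrrp.setdefault(int(m.group(1)), {"priority": VRRP_DEFAULT_PRIORITY})
            group["vip"] = m.group(2)
        elif m := re.fullmatch(r"vrrp vrid (\d+) priority (\d+)", line):
            cfg.vrrp.setdefault(int(m.group(1)), {})["priority"] = int(m.group(2))
        elif m := re.fullmatch(r"radius nas-ip (\S+)", line):
            cfg.radius_nas_ip = m.group(1)
        elif m := re.fullmatch(r"portal nas-ip (\S+)", line):
            cfg.portal_nas_ip[iface] = m.group(1)
    return cfg


def check_pair(a: AcConfig, b: AcConfig) -> list:
    """Return the pairing rules the two ACs violate; an empty list means consistent."""
    issues = []
    if a.backup_ac_ip != b.own_ip or b.backup_ac_ip != a.own_ip:
        issues.append("backup AC addresses do not point at each other")
    if a.backup_vlan != b.backup_vlan:
        issues.append("backup VLAN differs")
    if a.device_id is None or b.device_id is None or a.device_id == b.device_id:
        issues.append("stateful failover device IDs must be set and distinct")
    if a.portal_groups != b.portal_groups:
        issues.append("portal backup-group configuration differs")
    if set(a.vrrp) != set(b.vrrp):
        issues.append("VRRP groups differ")
    for vrid in set(a.vrrp) & set(b.vrrp):
        if a.vrrp[vrid].get("vip") != b.vrrp[vrid].get("vip"):
            issues.append(f"VRRP group {vrid} virtual IP differs")
        if a.vrrp[vrid]["priority"] == b.vrrp[vrid]["priority"]:
            issues.append(f"VRRP group {vrid} has no preferred master (equal priorities)")
    # The RADIUS/portal source address must be a virtual IP both ACs share,
    # or the IMC server sees a different NAS address after a failover.
    vips = {g.get("vip") for g in a.vrrp.values()} & {g.get("vip") for g in b.vrrp.values()}
    for cfg in (a, b):
        if cfg.radius_nas_ip not in vips:
            issues.append(f"{cfg.name}: radius nas-ip is not the shared VRRP virtual IP")
        for iface, ip in cfg.portal_nas_ip.items():
            if ip not in vips:
                issues.append(f"{cfg.name}: portal nas-ip on {iface} is not the shared VRRP virtual IP")
    return issues


def build_pair():
    """AC 1 and AC 2 as the guide's example describes them."""
    ac1 = parse_cli(AcConfig("AC 1", "8.190.1.60", "8.190.1.61", 2), AC1_CLI)
    ac2 = parse_cli(AcConfig("AC 2", "8.190.1.61", "8.190.1.60", 2), AC2_CLI)
    return ac1, ac2


if __name__ == "__main__":
    problems = check_pair(*build_pair())
    print("pair is consistent" if not problems else "\n".join(problems))
```

Running the script on the guide's values prints "pair is consistent"; changing AC 2's device ID to 1 or its portal backup group to another number produces a named finding, which is the kind of pre-change check worth running before a failover test, since a mismatched portal group or a duplicated device ID only shows up when the standby has to take over.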

615

Support and other resources


Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:

Product model names and numbers

Technical support registration number (if applicable)

Product serial numbers

Error messages

Operating system type and revision level

Detailed questions

Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.

Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals

For related documentation, navigate to the Networking section, and select a networking category.

For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.

Websites

HP.com http://www.hp.com

HP Networking http://www.hp.com/go/networking

HP manuals http://www.hp.com/support/manuals

HP download drivers and software http://www.hp.com/support/downloads

HP software depot http://www.software.hp.com

HP Education http://www.hp.com/learn
616

Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention

Description

Boldface

Bold text represents commands and keywords that you enter literally as shown.

Italic

Italic text represents arguments that you replace with actual values.

[]

Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... }

Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.

[ x | y | ... ]

Square brackets enclose a set of optional syntax choices separated by vertical bars, from
which you select one or none.

{ x | y | ... } *

Asterisk-marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select at least one.

[ x | y | ... ] *

Asterisk-marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.

&<1-n>

The argument or keyword and argument combination before the ampersand (&) sign can
be entered 1 to n times.

#

A line that starts with a pound (#) sign is a comment.

GUI conventions
Convention

Description

Boldface

Window names, button names, field names, and menu items are in bold text. For
example, the New User window appears; click OK.

>

Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention

Description

WARNING

An alert that calls attention to important information that if not understood or followed can
result in personal injury.

CAUTION

An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.

IMPORTANT

An alert that calls attention to essential information.

NOTE

An alert that contains additional or supplementary information.

TIP

An alert that provides helpful information.

617

Network topology icons


Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the switching engine
on a unified wired-WLAN switch.
Represents an access point.

Port numbering in examples


The port numbers in this document are for illustration only and might be unavailable on your device.

618

Index
ABCDEFGILMOPQRSTUVW
Configuration prerequisites,393

Configuration procedure,368

AAA configuration example,400

Configuration procedure,361

AC-AP connection,197

Configuration procedure,393

Access service overview,209

Configuration procedure,418

ACL and QoS configuration example,514

Configuration procedures,438

ACL overview,479

Configuration summary,39

Adding a DNS server address,182

Configuring 802.1X globally,361

Adding a domain name suffix,183

Configuring 802.1X on a port,363

Adding a group member,310

Configuring a guest,430

Admin configuration,30

Configuring a local user,427

Advanced settings configuration examples,576

Configuring a MAC address entry,116

Advanced settings overview,548

Configuring a portal-free rule,375

AP configuration,37

Configuring a QoS policy,501

AP connection priority configuration example,207

Configuring a RADIUS scheme,405

AP group,197

Configuring a roaming group,309

Auto AP,197

Configuring a user group,429

Auto AP configuration example,243

Configuring a user profile,433

Automatic power adjustment configuration


example,352

Configuring access service,215


Configuring accounting methods for the ISP
domain,398

Configuring advanced parameters for portal


authentication,374

Backing up the configuration,76


Bandwidth guarantee configuration example,544

Configuring an ACL,481

Basic configuration,29

Configuring an AP,198

Configuring an AP group,205

CAC service configuration example,539

Configuring an ISP domain,393

Certificate management configuration example,449

Configuring an SNMP view,98

Clearing dynamic DNS cache,183

Configuring and displaying clients' IP-to-MAC


bindings,169

Common items on the Web pages,17


Configuration guidelines,404

Configuring ARP detection,135

Configuration guidelines,67

Configuring authentication methods for the ISP


domain,394

Configuration guidelines,120
Configuration guidelines,480
Configuration guidelines,149

Configuring authorization methods for the ISP


domain,396

Configuration guidelines,437

Configuring auto AP,204

Configuration guidelines,606

Configuring calibration,337

Configuration prerequisites,368

Configuring channel scanning,335

Configuration prerequisites,360

Configuring data transmit rates,331


619

Configuring DHCP snooping functions on an


interface,171

DHCP relay agent configuration example,174


DHCP server configuration example,173

Configuring DNS proxy,182

DHCP snooping configuration example,176

Configuring dynamic domain name resolution,181

Displaying AP,46

Configuring enhanced licenses,61

Displaying ARP entries,127

Configuring gratuitous ARP,129

Displaying client information,311

Configuring IGMP snooping on a port,142

Displaying client statistics,533

Configuring IGMP snooping on a VLAN,140

Displaying clients,54

Configuring mesh service,288

Displaying clients' IP-to-MAC bindings,172

Configuring other ARP attack protection functions,136

Displaying file list,79

Configuring radios,325

Displaying IGMP snooping multicast entry


information,143

Configuring rate limit,496


Configuring service management,189

Displaying information about assigned IP


addresses,164

Configuring spectrum analysis,346

Displaying interface information and statistics,81

Configuring rogue device detection,458

Configuring stateful failover,607

Displaying radio statistics,531

Configuring static name resolution table,180

Displaying SNMP packet statistics,106


Displaying syslog,72

Configuring system name,63

Displaying the IPv4 active route table,150

Configuring the bandwidth guarantee function,536

Displaying the IPv6 active route table,151

Configuring the blacklist and white list functions,468


Configuring the portal service,369

Displaying the system time,67

Configuring the priority trust mode of a port,498

Displaying WLAN service,42

Configuring user isolation,475

DNS configuration example,183

Configuring Web idle timeout,63

Downloading a file,80

Configuring WLAN advanced settings,556

Dynamic WEP encryption-802.1X authentication


configuration example,277

Contacting HP,616

Conventions,617

Enabling DHCP,159

Configuring WIDS,466

Creating a DHCP server group,168

Enabling DHCP and configuring advanced


parameters for the DHCP relay agent,166

Creating a dynamic address pool for the DHCP


server,162

Enabling DHCP snooping,170

Creating a PKI domain,442

Enabling IGMP snooping globally,139

Creating a PKI entity,440

Enabling SNMP,96

Creating a static address pool for the DHCP server,160

Enabling the DHCP relay agent on an interface,168

Creating a static ARP entry,128

Enabling the DHCP server on an interface,163

Creating a user,92

Enabling wireless QoS,526

Creating a VLAN,121

Encryption configuration,36

Creating an interface,83

Creating an IPv4 static route,150


Creating an IPv6 static route,152

Feature matrix,3

Customizing authentication pages,377

Generating an RSA key pair,444

Destroying the RSA key pair,445

Generating the diagnostic information file,66

Device information,40

I
620

Ping operation,192

IACTP tunnel,309
IGMP snooping configuration examples,144

Portal authentication configuration example,380

Initializing the configuration,78

Portal configuration,35

Inter-AC roaming configuration example,316

Interface management configuration example,90

QoS overview,479

Interface management overview,81

Quick Start wizard home page,29

Intra-AC roaming configuration example,311


IP configuration,31

IPv4 static route configuration example,153

Radio group configuration example,354

IPv6 static route configuration example,155

Radio overview,321

RADIUS configuration,33
RADIUS configuration example,411

Local EAP service configuration example,419

Rebooting the device,65

Local MAC authentication configuration example,255

Recommended configuration procedure,121

Logging in to the Web interface,27

Recommended configuration procedure,139

Logging out of the Web interface,28

Recommended configuration procedure,180

Loopback operation,112
M

Recommended configuration procedure (for DHCP


relay agent),165

MAC address configuration example,118

Recommended configuration procedure (for DHCP


server),158

Manual channel adjustment configuration


example,350

Recommended configuration procedure (for DHCP


snooping),170

Mesh DFS configuration example,306

Related information,616

Mesh overview,284

Remote 802.1X authentication configuration


example,268

Modifying a Layer 2 interface,85


Modifying a Layer 3 interface,88

Remote MAC authentication configuration


example,260

Modifying a port,123
Modifying a VLAN,122

Removing a file,80

Removing ARP entries,129

Overview,359

Requesting a local certificate,447

Overview,115

Restoring the configuration,76

Overview,404

Restrictions and guidelines,23

Overview,149

Retrieving and displaying a certificate,445

Overview,437

Retrieving and displaying a CRL,448

Overview,367

Rogue detection configuration example,471

Overview,392

Overview,426

Saving the configuration,77

Overview,138

Selecting an antenna,345

Overview,179

Setting buffer capacity and refresh interval,74

Overview,127

Setting CAC admission policy,528

Overview,524

Setting EDCA parameters for wireless clients,530

Overview,188

Setting radio EDCA parameters for APs,529

Overview,605

Setting rate limiting,534

Overview,120

Setting the log host,73

Setting the super password,93


621

Setting the SVP service,527

User isolation overview,474

SNMP configuration example,107

SNMP configuration task list,95

VLAN configuration examples,124

SNMP overview,95
Specifying the main boot file,80

Spectrum analysis,324

Web interface,5

Spectrum analysis configuration example,356

Web user level,5

Stateful failover configuration example,608

Web-based NM functions,6

Static ARP configuration example,130

Wireless configuration,32

Switching the user access level to the management


level,94

Wireless service configuration example,240


Wireless service-based dynamic rate limiting
configuration example,543

System time configuration example,70

Wireless service-based static rate limiting


configuration example,541

T
Trace route operation,195

WLAN mesh configuration example,302

Typical network scenarios,1

WLAN roaming configuration examples,311

WLAN roaming overview,309

Upgrading software,64

WLAN RRM overview,321

Uploading a file,80

WLAN security overview,454


WPA-PSK authentication configuration example,250

User isolation configuration example,476

622
