01-02 Configuration Examples (Common AP) Huawei

Wireless Access Points(Fat AP)
Web-based Configuration Guide 2 Configuration Examples (Common AP)
2 Configuration Examples (Common AP)
About This Chapter
2.1 Example for Configuring Fat AP Layer 2 Networking

2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through
NAT
2.4 Security Policy Configuration Examples
2.5 Example for Configuring Band Steering
2.6 Example for Configuring WIDS/WIPS
2.7 Example for Configuring the Passenger Flow Analysis Function
2.8 WLAN QoS Configuration Examples
2.9 Common Misconfigurations
Networking Requirements
As shown in Figure 2-1, a Fat AP is connected to the Internet in wired mode and connects to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
l A WLAN named wlan-net is available.
l Router functions as a DHCP server to assign IP addresses to STAs.
Issue 03 (2018-06-07) Huawei Proprietary and Confidential 21

Copyright © Huawei Technologies Co., Ltd.
Figure 2-1 Networking diagram for configuring basic Layer 2 WLAN services
Service VLAN:VLAN101
GE0/0/0
FAT AP VLAN101 Router
10.23.101.2/24
STA Internet
GE1/0/0
10.23.101.1/24
STA
Data planning
Item Data
Service VLAN for STAs VLAN 101
DHCP server Router functions as a DHCP server to assign

IP addresses to STAs.
IP address pool for STAs 10.23.101.3 to 10.23.101.254/24
SSID profile l Name: wlan-net

l SSID name: wlan-net
Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567
VAP profile l Name: wlan-net

l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net
Configuration Roadmap
1. Configure Router as a DHCP server to assign IP addresses to STAs.
2. Configure basic WLAN services using the WLAN configuration wizard.
3. Configure the AP channel and transmit power.
4. Associate STAs to the WLAN to verify services.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 2.9.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.
Procedure
Step 1 Configure Router as a DHCP server to assign IP addresses to STAs.
# Configure Router as a DHCP server to assign IP addresses to STAs from the IP address pool
on GE1/0/0.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router] dhcp enable
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.1 24
[Router-GigabitEthernet1/0/0] dhcp select interface
[Router-GigabitEthernet1/0/0] dhcp server excluded-ip-address 10.23.101.2
[Router-GigabitEthernet1/0/0] quit
Step 2 Configure basic WLAN services.

1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
2. Configure Wi-Fi signals.
# Click Create. The Basic Information page is displayed.
# Configure basic information about an SSID.

# Click Next. The IP and Rate page is displayed.

# Set IP address parameters.
# Click Finish.
3. Configure Internet connection parameters.
# Click Next. The Configure Internet Connection page is displayed.
# Add an interface to VLAN 101 in tagged mode.
NOTE
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.

# Click Finish.
Step 3 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
# Click Radio Management. The Radio 0 Setting(2.4G) page is displayed.
# On the Radio 0 Setting(2.4G) page, disable automatic channel and power calibration
functions, and set the AP channel to 20-MHz channel 6 and transmit power to 127 dBm.
# The configuration of Radio 1 is similar to that of Radio0. Disable automatic channel

and power calibration functions of Radio 1, and set the AP channel to 20-MHz channel
149 and transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 4 Configure the VLANIF interface.
1. Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
2. Select VLAN 101. On the Modify VLAN page, set the IP address of VLANIF 101 to
10.23.101.2/24.
3. Click OK.
Step 5 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. STAs can associate with the WLAN and obtain IP addresses on the network segment
10.23.101.x/24.

3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.
----End
As shown in Figure 2-2, a Fat AP is connected to the Internet in wired mode and connected to
anywhere, anytime.
l Enterprise employees are assigned IP addresses on the network segment 10.23.101.0/24.

Figure 2-2 Networking diagram for configuring basic Layer 3 WLAN services
GE0/0/0
10.23.200.1/24
STA Internet
GE1/0/0
VLAN200
10.23.200.2/24
STA
Data planning
Item Data
DHCP server The AP functions as a DHCP server to

assign IP addresses to STAs.


+AES

The configuration roadmap is as follows:
1. Configure Router to communicate with the AP.

Configuration Notes
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.2 24
[Router-Vlanif200] quit



NOTE
Configure the DNS server address as required.
# Click Finish.
3. Configure Internet connections.
NOTE
delete VLAN 1.

# Click Finish.
NOTE
page is displayed.


Step 4 Configure Layer 3 network connectivity.
1. Create a VLANIF interface.
# Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
# Click Create. Create VLANIF 200, and set the IP address of VLANIF 200 to
10.23.200.1/24.

# Click OK.
2. Configure a default route.
# Choose Configuration > IP Service > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table and create a static route.

# Click OK.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24 and its
gateway address is 10.23.101.1.
----End
2.3 Example for Configuring Users on the Fat AP to Access

the Public Network Through NAT
As shown in Figure 2-3, a Fat AP is connected to the Internet in wired mode and connected to
anywhere, anytime. The administrator wants enterprise employees to access the public
network using public IP addresses.


l Enterprise employees are assigned IP addresses on 10.23.101.0/24. These IP addresses
are translated to the IP address of the Fat AP outbound interface using Easy-IP for
employees to access the public network.
Figure 2-3 Networking diagram for configuring STAs to access the public network through
NAT
GE0/0/0
FAT AP VLAN200
202.169.10.1/24
STA Internet
202.169.10.2/24
STA
Data planning
Item Data



+AES

NAT Outbound The private IP address segment

10.23.101.0/24 is mapped to the public IP
address 202.169.10.1.

3. Configure NAT so that users can access the public network using public IP addresses.
Configuration Notes
Procedure


NOTE
# Click Finish.
3. Configure Internet connections.
NOTE
delete VLAN 1.

# Click Finish.
NOTE
page is displayed.


Step 3 Configure Layer 3 network connectivity.
1. Create a VLANIF interface.
# Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
# Click Create. Create VLANIF 200, and set the IP address of VLANIF 200 to
202.169.10.1/24.

# Click OK.
2. Configure a default route.
# Choose Configuration > IP Service > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table and create a static route.

# Click OK.
Step 4 Configure an ACL.
1. Choose Configuration > Security > ACL. The Basic ACL Settings page is displayed.
2. Click Create. On the Create Basic ACL page that is displayed, set ACL parameters.
3. Click OK.
4. In the new ACL, click Add Rule. On the Add Rule page, set ACL parameters.
5. Click OK.
Step 5 Configure NAT.
1. Choose Configuration > IP Service > NAT. The NAT page is displayed.
2. Click Create in NAT Mapping and create a NAT mapping.
3. Click OK.

4. STAs can access the public network successfully.
----End
2.4 Security Policy Configuration Examples

2.4.1 Example for Configuring a WPA2-PSK-AES Security Policy
Service Requirements
Because the WLAN is open to users, there are potential security risks if no security policy is
configured for the WLAN. Users do not require high WLAN security, so no authentication
server is required. A WEP or WPA/WPA2 (pre-shared key) security policy can be configured.
STAs support WPA/WPA2, TKIP encryption, and AES encryption, so pre-shared key
authentication and AES encryption are used to secure data transmission.
l DHCP deployment mode: The AP functions as a DHCP server to assign IP addresses to
STAs.

Figure 2-4 Networking diagram for configuring a WPA2-PSK-AES security policy
Data preparation
Item Data

IP address pool for STAs 10.23.101.2-10.23.101.254/24


+AES

Air scan profile l Name: wlan-airscan

l Probe channel set: calibration channels
RRM profile l Name: default

l Automatic channel calibration: enabled
l Automatic power calibration: enabled

Item Data
2G radio profile l Name: default

l Referenced profiles: air scan profile
wlan-airscan and RRM profile default
1. Use the WLAN configuration wizard to configure WLAN services. Set the security
policy to WPA-WPA2 PSK and AES.
2. Configure radio calibration.
3. Connect STAs to the WLAN to verify the configuration.
NOTE
During AP deployment, you can manually specify the working channels of the APs based on the network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels. This example uses the latter configuration.
Procedure


NOTE
# Click Finish.
NOTE
delete VLAN 1.

# Click Finish.
Step 2 Enable radio calibration to allow APs to automatically select the optimal channels.
1. Enable automatic channel and power calibration functions of radios.
NOTE
Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.
page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic channel and

power calibration.

2. Configure a radio profile.
NOTE
The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.
# Choose Radio0 > Radio Management > Radio Profile. On the Radio Profile
configuration page that is displayed, retain the default parameter settings in the radio
profile.
# Click next to Radio Profile. The profiles referenced by the radio profile are
displayed.
3. Create an air scan profile and configure the scan channel set, scan interval, and scan
duration.
# Click Air Scan Profile in Radio Profile. The air scan profile configuration page is
displayed.
# Click Create. On the Create Air Scan Profile page that is displayed, enter the profile
name wlan-airscan and click OK. The air scan profile configuration page is displayed.
# Configure the scan channel set, scan interval, and scan duration.


4. Enable radio calibration.
# Choose Configuration > WLAN Service > Basic Config > Radio Calibration
Configuration. The Radio Calibration Configuration page is displayed.
# Set Triggering condition to Manual.
# Click Radio Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. Radio calibration is enabled.
# Radio calibration stops 1 hour after radio calibration is manually triggered. On the
Radio Calibration Configuration page, set Triggering condition to Scheduled and set
the calibration start time to 3:00 am.


4. The STA can access the WLAN after the wireless user enters the password.
----End
2.4.2 Example for Configuring 802.1x Authentication

Due to openness of the WLAN, there are security risks. To meet requirements for high
security, 802.1x authentication is used and the RADIUS server authenticates identities of
STAs.
STAs.

Figure 2-5 Networking for configuring 802.1x authentication
Data Planning
Table 2-1 AP data planning
Item Data


DNS: 8.8.8.8
Address that cannot be assigned:
10.23.101.2 (IP address of the router)


l Security policy: WPA-WPA2 802.X
+AES
Authentication profile l Name: wlan-net

l Referenced profile: 802.1X profile wlan-
net, RADIUS Server profile wlan-net
and authentication scheme wlan-net

l Referenced profile: SSID profile wlan-

Item Data
STA's gateway VLANIF101: 10.23.101.1
STA user name and password l User name: huawei

l Password: huawei123
RADIUS server l IP address: 10.23.102.1

l Port number: 1812
l Shared key: huawei123
1. Use the WLAN configuration wizard to configure WLAN services. Configure 802.1x
and RADIUS authentication and set RADIUS server parameters.
2. Configure a DNS server address in the DHCP address pool of the service VLAN to
provide the DNS service for the STA.
3. Configure a static route so that the AP forwards the packet to the router after receiving
the packet from the STA.
Procedure
Step 1 Configure the switches and router.
# Add GE0/0/1 and GE0/0/3 on the aggregation switch to VLAN 101.
# Assign an IP address 10.23.101.2/24 to GE1/0/0 on Router and configure the router as the
default gateway for the AP.
# Configure a RADIUS server, configure a user name and password, and set the shared key to
huawei123.
Step 2 Configure WLAN services.

# Click Finish.

NOTE
delete VLAN 1.
# Click Finish.
Step 3 Configure DNS.
NOTE
view.
1. Choose Configuration > IP Service > DHCP > DHCP Address Pool. In Address Pool
List, click Vlanif101. The Modify DHCP Address Pool page is displayed.
2. Configure the DNS server address for the STA and click OK.

Step 4 Configure a static route.

1. Choose Configuration > IP Service > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.
3. Click OK.
l The WLAN with SSID wlan-net is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN.
l Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.

– Configuration on the Windows 7 operating system:

i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.
l After wireless users connect to the network, run the display access-user access-type
dot1x command on the AP to view users in 802.1x authentication mode. The user
huawei has gone online successfully.
<Huawei> display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address MAC
Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
2.4.3 Example for Configuring External Portal Authentication

Because a WLAN is open to users, there are potential security risks. To enable users to easily
associate with a WLAN, an AP uses the default security policy, that is, no authentication and
no encryption. Portal authentication is configured on APs to centrally manage access users.
Any user who accesses a WLAN is redirected to the Portal authentication web page. After
entering the correct user name and password, the user is authenticated by the RADIUS server.
The user can access the WLAN after the authentication succeeds.
STAs.

Figure 2-6 Networking for configuring Portal authentication
Data Planning

Item Data


DNS: 8.8.8.8


l Security policy: OPEN

l Referenced profile: portal profile wlan-
net, RADIUS Server profile wlan-net,
authentication scheme wlan-net and
authentication-free rule profile
default_free_rule

Item Data

STA's gateway VLANIF 101: 10.23.101.1

RADIUS server l Name: wlan-net

l IP address: 10.23.102.1
l Port number: 1812
Portal server l Server template: huawei

l URL: http://10.23.103.1:8080/webauth
l Port number: 50100
1. Use the WLAN configuration wizard to configure WLAN services. Configure Portal and
RADIUS authentication and set parameters of the external Portal server and RADIUS
server.
4. Specify network resources accessible to authentication-free users.
Procedure
huawei123.

# Configure a Portal server and set the port number and shared key to provide the web
authentication page.


# Click Finish.

NOTE
delete VLAN 1.
# Click Finish.

NOTE
view.

3. Click OK.
Step 5 Configure network resources accessible to authentication-free users.

1. Choose Configuration > WLAN Service > Profile.The Profile Management page is
displayed.

2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile page is
displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.
5. Click OK.
6. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.

4. When you open the browser on the STA, you are redirected to the Portal authentication
page. After you enter the correct user name and password and are successfully
authenticated, you can access the Internet.
----End
2.4.4 Example for Configuring MAC Address Authentication

The WLAN authentication client cannot be installed on wireless devices providing public
services, such as wireless printers and phones, so use MAC address authentication. The
RADIUS server authenticates wireless devices using their MAC addresses. No authentication
is required when STAs access the WLAN, facilitating the use of WLAN services.
STAs.

Figure 2-7 Networking for configuring MAC address authentication
Data Planning
Item Data


DNS: 8.8.8.8
Excluded IP address: 10.23.101.2 (IP
address of the router)


l Security policy: OPEN
MAC access profile l Name: wlan-net

l User name and password for MAC
address authentication:
– User name: wlan-net
– Password: huawei@123

l Referenced profiles: MAC
authentication profile wlan-net,
RADIUS Server profile wlan-net, and
authentication scheme wlan-net

Item Data

RADIUS server l Name: wlan-net

l Port number: 1812
l Shared key: huawei@123
1. Use the WLAN configuration wizard to configure WLAN services. Configure MAC
address and RADIUS authentication and set parameters of the RADIUS server.
Procedure
huawei123.


# Click Finish.
NOTE
delete VLAN 1.

# Click Finish.
NOTE
view.


3. Click OK.
Step 5 Configure MAC authentication.
1. Create the authentication profile wlan-net.
# Choose Configuration > WLAN Service > WLAN Config > Radio 0. The Radio 0
page is displayed.
# Choose VAP Configuration > wlan-net > Authentication Profile. The
Authentication Profile page is displayed.
# Click Create. On the Create Authentication Profile page that is displayed, enter the
profile name wlan-net and click OK. The authentication profile configuration page is
displayed.
# Set Access mode to MAC authentication and Authentication mode to RADIUS
authentication.

2. Configure the MAC access profile wlan-net.
# Click in front of Authentication Profile. Under it, click MAC Authentication.

The MAC Authentication Profile page is displayed.
# Click Create. On the Create MAC Authentication Profile page that is displayed,
enter the profile name wlan-net and click OK. On the MAC authentication profile
configuration page that is displayed, configure the user name format for MAC address
authentication.

3. Configure a RADIUS server profile.
# Click RADIUS Server in Authentication Profile. The RADIUS Server page is
displayed.
# Click under RADIUS Server Profile. The RADIUS Server Profile page is
displayed.
# Click Create. On the Create RADIUS Server Profile page that is displayed, set
Profile name to wlan-net and Profile default shared key to huawei@123.
# Click Create Server. In the Create Server Configuration dialog box that is
displayed, configure the RADIUS server parameters.

# Click OK. On the Create RADIUS Server Profile page that is displayed, select the
created RADIUS server and click OK. On the RADIUS Server Profile page that is
displayed, select the created RADIUS server profile wlan-net and click OK.

----End
2.4.5 Example for Configuring the RADIUS Server and AP to

Deliver User Group Rights to Users
If enterprise employees can access the Internet without restriction, enterprise information is
threatened. To disable STA1 in department A from accessing the RADIUS server and
employees in department A from communicating with each other, users can configure the
RADIUS server and AP to deliver user group rights to users.
STAs.

Figure 2-8 Configuring the RADIUS server and AP to deliver user group rights to users
Data Planning

Item Data


DNS: 8.8.8.8


l Security policy: WPA-WPA2 802.1X
+AES

l Referenced profile: 802.1X profile wlan-
net, RADIUS Server profile wlan-net
and authentication scheme wlan-net

Item Data


RADIUS server l IP address: 10.23.102.1

l Port number: 1812
FTP server IP address: 10.23.103.1
QoS profile Name: huawei
User group l Name: huawei

l Bound ACL number: 3002
l Bound QoS profile: huawei
1. Use the WLAN configuration wizard to configure WLAN services. Configure 802.1x
and RADIUS authentication and set RADIUS server parameters.
4. Configure the user group.
Procedure
huawei123.


# Click Finish.


NOTE
delete VLAN 1.
# Click Finish.
NOTE
view.


3. Click OK.
Step 5 Configure user group rights.
1. Create ACL 3002 that denies access to the FTP server 10.23.103.1/24.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. In the Create Advanced ACL page that is displayed, set the ACL name
to ACL3002 and number to 3002, and click OK.
# Click Add Rule and add a rule.

# Click OK.
2. Create the QoS profile huawei, and set the rate limits of uplink and downlink traffic to 3
Mbit/s and 5 Mbit/s respectively.
# Choose Configuration > Security > User Group > QoS Profile. The QoS Profile
page is displayed.
# Click Create. On the Create QoS Profile page that is displayed, set parameters.
# Click OK.
3. Create the user group huawei, and bind ACL 3002 and QoS profile huawei to the user
group, and enable intra-group and inter-group isolation.
# Choose Configuration > Security > User Group > User Group. The User Group
page is displayed.
# Click Create. On the Create User Group page that is displayed, set parameters.

# Click OK.
4. Bind the user group huawei to the authentication profile wlan-net.
# Choose Configuration > Security > AAA > Authentication Profile. The
Authentication Profile page is displayed.
# Click wlan-net, select the user group huawei on the parameter setting page of the
authentication profile

4. Two users go online and they cannot ping each other.
----End
2.4.6 Example for Configuring Built-in Portal Authentication for

Local Users

WLAN is open to users and therefore has potential security risks. To manage access users in a
centralized manner, Portal authentication is configured on the FAT AP. Any user that attempts
to access the WLAN is redirected to the Portal authentication page. Users are authorized to
access the WLAN after entering the correct user names and passwords. If the enterprise has a
few number of users, the FAT AP can function as the Portal server to authenticate users
locally to reduce costs. Built-in Portal authentication requires no additional Portal server,
allowing for easy and flexible deployment. However, as the Portal server, the FAT AP
provides only basic web functions (such as user login and logout) but cannot replace an
independent Portal server or provide extended functions of an external Portal server.
STAs.
Figure 2-9 Networking for configuring built-in Portal authentication
Data Planning
Item Data
DHCP server The FAT AP functions as a DHCP server to


DNS: 8.8.8.8

Item Data
Built-in portal server l Server IP: 10.23.101.1

l SSL policy: default_policy
l Port number: 20000
Local user l User name: guest

l Password: guest@123


l Security policy: open (no authentication,
no encryption)
Authentication Profile l Name: wlan-net

l Referenced profile: Authentication-free
rule profile default_free_rule

net, security profile wlan-net and
Authentication profile wlan-net
1. Select WLAN Wizard to configure WLAN services on the FAT AP. On the web
platform, the HTTPS service is enabled and an SSL policy is applied. When configuring
a built-in Portal server, configure the same SSL policy for the built-in Portal server.
3. Specify network resources accessible to authentication-free users.
4. Complete service verification.
Procedure
# Configure basic information about an SSID. Set Security settings to Portal
(applicable to enterprise networks) and Portal server to Built-in Portal server.
Under Built-in Portal Server Configuration, configure the server IP address and port
number.

# Click Manage next to Local user. The Local User page is displayed
# Click Create. The Create Local User page is displayed.
# Set Creation mode to Manually add and configure the local user name and password.
# Click OK.
# On the Create Local User page, select the new user and click OK.

# Click Finish.

NOTE
delete VLAN 1.
# Click Finish.

Step 3 Configure network resources accessible to authentication-free users.

1. Choose Configuration > WLAN Service > Profile.The Profile Management page is
displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile page is
displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.

5. Click OK.
6. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.

3. When a user browses a web page, the browser automatically redirects the user to the
Portal authentication page. After entering the correct user name and password, the user
passes the authentication and can access the web page.
Step 5 Maintain local user information.
# Choose Configuration > Security > AAA > Local User. Click a user name to modify the
password of the user. Click Delete to delete the selected user. Click Create to add a local user.
The following image shows adding a user.
----End
2.5 Example for Configuring Band Steering
To improve user experience and reduce burden on the 2.4 GHz frequency band, customers
require that STAs preferentially connect to the 5 GHz frequency band.
As shown in Figure 2-10, 2.4 GHz and 5 GHz wireless networks are deployed in the
conference hall. The AP works on dual frequency bands. STAs connected to the APs support
both 2.4 GHz and 5 GHz frequency bands.
Figure 2-10 Networking diagram
GE0/0/0
10.23.101.2/24
STA Internet
GE1/0/0
10.23.101.1/24
STA

Data preparation
Item Data

l Band steering function: enabled

l Start threshold for load balancing
between radios: 15
l Load difference threshold for load
balancing between radios: 25
Configure the band steering function and proper band steering parameters so that users can
preferentially access the 5 GHz frequency band.
Configuration Notes
l Use AP that supports both 5 GHz and 2.4 GHz frequency bands and configure the same
SSID and security policy on the 5 GHz and 2.4 GHz radios.
l To allow a STA to preferentially associate with the 5 GHz radio and achieve a better
access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression on switch interfaces connected to APs to reduce impact of a
large number of low-rate multicast packets on the wireless network. Exercise caution
when configuring the rate limit; otherwise, the multicast services may be affected. For
details on how to configure traffic suppression, see 2.9.1 Multicast Packet Suppression
Is Not Configured, Causing Slow Network Access of STAs.
Procedure
Step 1 Configure the band steering function.
1. Enable the band steering function in the VAP profile wlan-net. By default, the band
steering function is enabled.
# Choose Configuration > WLAN Service > Profile.
# Choose Wireless Service > VAP Profile in Profile Management. The VAP Profile
List page is displayed.
# Click wlan-net. The VAP profile page is displayed.
# Enable the band steering function on the VAP profile page.

2. # In the RRM profile, configure load balancing between radios to prevent heavy load on
a single radio. Set the start threshold for load balancing between radios to 15, and the
load difference threshold to 25%.
# Choose Configuration > WLAN Service > Profile Management.
# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click the RRM profile default. The RRM profile configuration page is displayed.
# Set the start threshold for load balancing between radios to 15, and the load difference
threshold to 25% on the RRM profile configuration page.

Choose Monitoring > Terminal Manage > STA Statistics. Most STAs can connect to the 5
GHz frequency band, and users enjoy good service experience.
----End
2.6 Example for Configuring WIDS/WIPS

Due to openness of the WLAN, there are security risks. If attackers deploy an AP with the
SSID huawei on the network to forge an authorized AP, STAs may associate with the rogue
AP. If wireless terminals attack the WLAN network, for example, the terminals try to crack
the WAP2-PSK key or initiate flood attacks to the authorized AP, there are security risks on
the network. WIDS and WIPS need to be configured on the AP to detect attacks of rogue APs
and terminals.

STAs.
Figure 2-11 WIDS/WIPS networking
Data Preparation
Item Data
Radio 0 l Device detection and rogue device

containment on radio 0: enabled.
l Attack detection type on radio 0: Flood
and WPA2-PSK
WIDS and WIPS parameters l Rogue device containment mode:

containing rogue APs using spoofing
SSIDs
l Flood attack: More than 300
management packets of the same type
are received within 60 seconds.
l WPA2-PSK brute force password
cracking: An incorrect key is entered
more than 20 times during WPA2-PSK
authentication within 60 seconds.
l Dynamic blacklist: enabled
Dynamic blacklist aging time 200 seconds

1. Configure wireless services on the AP. For details, see 2.1 Example for Configuring
Fat AP Layer 2 Networking.
2. Configure WIDS and WIPS to detect and contain rogue APs and prevent STAs from
associating with the rogue APs. Add attacking devices to the dynamic blacklist so that
the APs discard packets from the attacking devices.
3. Verify the configuration.
NOTE
In this example, the AP works in normal mode and has the air interface scan function enabled; therefore, the
AP radios provide the monitoring function while transmitting common WLAN service data. When the AP
periodically scans channels, services may be interrupted for a short time. In this situation, the AP can only
take countermeasures on the channel used by WLAN services. To take countermeasures on all channels, you
need to configure the AP to work in monitor mode. However, WLAN services are unavailable in this mode.
The following example configures WIDS and WIPS on radio 0. The configuration on radio 1 is similar.
Procedure
Step 1 Enable WIDS and WIPS.
1. Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
2. Click Radio Management. The configuration page of radio 0 is displayed.
3. Enable device detection, rogue device containment, flood attack detection, and WPA2-
PSK attack detection.
4. Click Apply. In the Info dialog box that is displayed, click OK.
Step 2 Set parameters related to WIDS and WIPS.
1. Choose Configuration > Security > WIDS > Global Settings. The Global Settings
page is displayed.
2. Set the rogue device containment mode and parameters for detection of brute force key
cracking attacks and flood attacks, and enable the dynamic blacklist function.

Step 3 Set the aging time of the dynamic blacklist.
1. Choose Configuration > WLAN Service > Basic Config > STA Blacklist And
Whitelist.
2. Set Dynamic blacklist aging time to 200 seconds.
1. Choose Configuration > Security > WIDS.
2. Check information about detected rogue devices on the Rogue Device tab page.
3. Check statistics on all detected attacks on the Attack Statistics tab page.
4. Check detailed information about attacks on the Attack Records tab page.
5. Check information about attack devices in the blacklist on the Dynamic Blacklist tab
page.
----End
2.7 Example for Configuring the Passenger Flow Analysis

Function
On the network of a shopping mall shown in Figure 2-12, a Fat AP interconnects with a
location server through a switch. It is required that the Fat AP provide Wi-Fi access for STAs
while implementing the passenger flow analysis function with the help of the location server.

Figure 2-12 Configuring the passenger flow analysis function
Service VLAN: 101
GE0/0/0
STA VLAN 101
Network
FAT AP Switch
STA
Location ser
Data preparation
Item Data



+AES

Air scan profile l Name: wlan-air-scan

l Probe channel set: calibration channels

l Referenced profile: air scan profile
wlan-air-scan

Item Data

l Referenced profile: air scan profile
wlan-air-scan
Location profile l Name: wlan-location

l Destination IP address/Port number used
by the AP to report channel scan
information: 10.23.100.2/32180
1. Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
2. Configure the passenger flow analysis function so that APs can periodically scan
channels to collect radio signals and report the collected information to the location
server.
Procedure
Step 1 Configure the location server (details are not provided here).
Step 2 Configure basic WLAN services based on data planning. For details, see 2.1 Example for
Configuring Fat AP Layer 2 Networking.
Step 3 Configure the WLAN air scan function.
1. Create an air scan profile.
# Choose Configuration > WLAN Service > Profile > Radio Management > Air
Scan Profile. The Air Scan Profile List page is displayed.
# Click Create to create the air scan profile wlan-air-scan and click OK.
# Set Probe channel set to Country code channels.
# Click Apply.
2. Configure the 2G radio profile and bind the air scan profile to the 2G radio profile.
# Choose Configuration > WLAN Service > Profile > Radio Management > 2G
Radio Profile.
# Click next to the 2G radio profile default in Profile Management. The profiles
referenced by the 2G radio profile are displayed. Click Air Scan Profile.

# Set Air Scan Profile to wlan-air-scan.
# Click Apply.
3. Configure the 5G radio profile and bind the air scan profile to the 5G radio profile.
# Choose Configuration > WLAN Service > Profile > Radio Management > 5G
Radio Profile.
# Click next to the 5G radio profile default in Profile Management. The profiles
referenced by the 5G radio profile are displayed. Click Air Scan Profile.
# Set Air Scan Profile to wlan-air-scan.
# Click Apply.
Step 4 Configure the passenger flow analysis function.

1. Create a location profile.
# Choose Configuration > WLAN Service > Profile > WLAN Location > WLAN
Location Profile. The WLAN Location Profile List page is displayed.
# Click Create to create the location profile wlan-location and click OK.
# Configure terminal location parameters.
# Click Apply.
2. Apply the location profile to radio 0.
# Choose Configuration > WLAN Service > WLAN Config > Radio0 > WLAN
Location > WLAN Location Profile, select wlan-location, and click Apply.
3. Apply the location profile to radio 1.
# Choose Configuration > WLAN Service > WLAN Config > Radio1 > WLAN
Location > WLAN Location Profile, select wlan-location, and click Apply.
Check and collect statistics about STA online duration through the location server.
----End

2.8 WLAN QoS Configuration Examples

2.8.1 Example for Configuring WMM and Priority Mapping
As shown in Figure 2-13, an enterprise deploys an AP to provide a WLAN with the SSID
wlan-net so that users can access the network anywhere at any time. Voice, video, and data
services are transmitted within the coverage area of the AP. The enterprise requires that voice
and video services be assigned high priorities and preferentially guaranteed with sufficient
network resources and bandwidth.
Figure 2-13 Networking diagram for configuring WMM and priority mapping
Data Preparation
Item Data



+AES

Item Data
Traffic profile l Name: wlan-traffic

l Downlink priority mapping on air
interface: trusted priority DSCP and
default mapping value.

net, security profile wlan-net, and traffic
profile wlan-traffic.

l WMM: enabled
l Area: Voice and video
l EDCA parameters: default value
1. Use the WLAN configuration wizard to configure WLAN services.
2. Enable WMM in the radio profile and configure voice and video services to
preferentially use bandwidth on the wireless side.
3. Retain the default priority mapping in the traffic profile to ensure that voice and video
services can be preferentially forwarded on the wired side.
Procedure


NOTE
# Click Finish.

NOTE
delete VLAN 1.
# Click Finish.
Step 2 Configure the WMM function.

NOTE
The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
# Choose Configuration > WLAN Service > WLAN Config.
# Choose Radio0 > Radio Management > Radio Profile in WLAN Config. The Radio
Profile page is displayed.
# Enable WMM in the 2G radio profile, select Voice and video, and retain the default settings
of EDCA parameters.

Step 3 Configure priority mapping.

In this example, you must set the highest DSCP priority for video and voice packets to ensure
that the video and voice packets can be preferentially forwarded. By default, the voice and
video packets already have the highest DSCP priorities in the traffic profile. You only need to
set the trusted priority of downstream packets to DSCP on the air interface but does not need
to change the mapping value.
If you want to change the default priority mapping, for example, to make the priority of the
video packets higher than that of the voice packets, perform the following configuration.
# In the WLAN Config navigation tree, click Radio0. Click in front of VAP
Configuration. Under it, click in front of wlan-net. Click Traffic Profile. The Traffic
# Click Create. The Create Traffic Profile page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The parameter
setting page is displayed.
# Configure priority mapping and set the mapped priority of video packets higher than that of
the voice packets.
NOTE
By default, the user priority of voice packets is set to 6 or 7 on the terminal, and that of the video packets is
set to 4 or 5.
In the following figure, the DSCP priorities of video packets are 48 and 56, and those of the voice packets are
32 and 40. Based on the settings, video packets will be preferentially transmitted.
# Click Apply. In the Info dialog box that is displayed, click OK.

4. Normal voice and video communication improves user experience in voice and video
services.
----End
2.8.2 Example for Configuring Traffic Policing

wlan-net so that users can access the network anywhere at any time.
The enterprise network administrator needs to set the rate limit of upstream traffic on each
STA associated with the AP to 2 Mbps and the limit of total rates of upstream traffic on all
STAs associated with the VAP to 30 Mbps.

Figure 2-14 Networking diagram for configuring traffic policing
Data Preparation
Item Data



+AES

l Uplink rate limit for STAs: 2 Mbit/s
l Uplink rate limit for VAPs: 30 Mbit/s


2. Configure the traffic profile and set the uplink rate limit of each STA associated with the
AP to 2 Mbit/s and the total uplink rate limit of all STAs on a VAP to 30 Mbit/s.
Procedure

NOTE

# Click Finish.

NOTE
delete VLAN 1.
# Click Finish.
Step 2 Configure rate limits.

Configuration. Under it, click in front of wlan-net. Click Traffic Profile. The Traffic
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The parameter
setting page is displayed.
# Set the uplink rate limit to 2 Mbit/s (2048 kbit/s) for STAs and to 30 Mbit/s (30720 kbit/s)
for VAPs.

4. Run the display traffic-profile name wlan-traffic command on the AP to check the
traffic profile configuration. The command output shows that the uplink rate limit of a
single STA is 2048 kbit/s (2 Mbit/s) and the total uplink rate limit of all STAs on a VAP
is 30720 kbit/s (30 Mbit/s).
----End
2.8.3 Example for Configuring Airtime Fair Scheduling

The enterprise network administrator expects that users can be assigned equal bandwidth
occupation time so that the overall user experience can be improved.

Figure 2-15 Networking diagram for configuring airtime fair scheduling
Data Preparation
Item Data



+AES


l Airtime fair scheduling: enabled

l Referenced profile: RRM profile default

2. Configure airtime fair scheduling to enable all users on a radio to occupy the network
bandwidth for equal time, improving the overall user experience.
Procedure

NOTE

# Click Finish.

NOTE
delete VLAN 1.
# Click Finish.
Step 2 Configure airtime fair scheduling.

1. Configure a radio profile.

NOTE
The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Radio0 > Radio Management > Radio Profile in WLAN Config. The Radio
Profile page is displayed. Retain the default settings of the radio profile parameters.
# Click next to Radio Profile. The profiles referenced by the radio profile are
displayed.
2. Configure the RRM profile and enable airtime fair scheduling in the RRM profile.
# Click RRM Profile in Radio Management. The RRM profile configuration page is
displayed.
# Enable airtime fair scheduling.


4. Run the display rrm-profile name default command on the AP to check the
configuration of the RRM profile. The command output shows that airtime fair
scheduling has been enabled. Therefore, users on the network can fairly use the channel
resources.
----End
2.8.4 Example for Configuring ACL-based Packet Filtering

The enterprise network administrator expects that an ACL can be configured to prohibit
packets with the source IP address 10.23.101.10 and destination IP address 10.23.101.11.

Figure 2-16 Networking diagram for configuring ACL-based packet filtering
Data Preparation
Item Data



+AES

l Referenced ACL: 3001



2. Configure ACL rules to filter packets.
Procedure

NOTE

# Click Finish.
NOTE
delete VLAN 1.
# Click Finish.
Step 2 Configure an ACL.
1. Configure ACL 3001 that rejects packets with the source IP address 10.23.101.10 and
destination IP address 10.23.101.11.

# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. In the Create Advanced ACL page that is displayed, set the ACL name
to ACL3001 and number to 3001, and click OK.
# Click Add Rule to add ACL rules.
# Click OK.
2. Create a traffic profile and apply the ACL to the profile.
Configuration. Under it, click in front of wlan-net. Click Traffic Profile. The
Traffic Profile page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.
# In Inbound ACL, click Add, and set Packet Filtering Type to IPv4 and the packet
filtering ACL to ACL 3001. Click to save the settings.


4. Run the display traffic-profile name wlan-traffic command on the AP to check
applications of ACL-based packet filtering. The command output shows that the ACL
has been applied to the traffic profile, and packets with the source and destination IP
addresses 10.23.101.10 and 10.23.101.11 cannot pass through.
----End
2.9 Common Misconfigurations
2.9.1 Multicast Packet Suppression Is Not Configured, Causing

Slow Network Access of STAs
Symptom

are usually sent at low rates. If a large amount of abnormal multicast traffic is received on the
network side, the air interfaces may be congested, and STAs may suffer from slow network
access. You are advised to configure multicast packet suppression to reduce impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution when
configuring the rate limit; otherwise, the multicast services may be affected.
l In direct forwarding mode, you are advised to configure multicast packet suppression on
switch interfaces connected to APs.
l In tunnel forwarding mode, you are advised to configure multicast packet suppression on
WLAN-ESS interfaces of the AC.
Procedure
l Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-
address-mask ffff-ff00-0000 //Match the destination MAC address of
multicast packets.
[SwitchA-classifier-test] quit
b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100
kbit/s. If multicast services are available, you are advised to set the
rate limit according to the service traffic.
[SwitchA-behavior-test] quit
c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
d. Apply the traffic policy to inbound or outbound directions of interfaces.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit
----End


01-02 Configuration Examples (Common AP) Huawei

Uploaded by

Document Information

Copyright

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

01-02 Configuration Examples (Common AP) Huawei

Uploaded by

Copyright:

Wireless Access Points(Fat AP)

Web-based Configuration Guide 2 Configuration Examples (Common AP)

2 Configuration Examples (Common AP)

About This Chapter

2.1 Example for Configuring Fat AP Layer 2 Networking

2.1 Example for Configuring Fat AP Layer 2 Networking

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 21

Service VLAN for STAs VLAN 101

DHCP server Router functions as a DHCP server to assign

IP address pool for STAs 10.23.101.3 to 10.23.101.254/24

SSID profile l Name: wlan-net

Security profile l Name: wlan-net

VAP profile l Name: wlan-net

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 22

Step 2 Configure basic WLAN services.

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 23

# Click Next. The IP and Rate page is displayed.

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 24

# The configuration of Radio 1 is similar to that of Radio0. Disable automatic channel

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 25

# Click Apply. In the dialog box that is displayed, click OK.

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 26

2.2 Example for Configuring Fat AP Layer 3 Networking

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 27

Service VLAN for STAs VLAN 101

DHCP server The AP functions as a DHCP server to

IP address pool for STAs 10.23.101.2 to 10.23.101.254/24

SSID profile l Name: wlan-net

Security profile l Name: wlan-net

VAP profile l Name: wlan-net

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 28

Step 2 Configure basic WLAN services.

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 29

# Click Next. The IP and Rate page is displayed.

Configure the DNS server address as required.

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 30

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 31

# The configuration of Radio 1 is similar to that of Radio0. Disable automatic channel

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 32

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 33

2.3 Example for Configuring Users on the Fat AP to Access

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 34

l A WLAN named wlan-net is available.

Service VLAN for STAs VLAN 101

DHCP server The AP functions as a DHCP server to

IP address pool for STAs 10.23.101.2 to 10.23.101.254/24

SSID profile l Name: wlan-net

Security profile l Name: wlan-net

VAP profile l Name: wlan-net

NAT Outbound The private IP address segment

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 35

# Click Next. The IP and Rate page is displayed.

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 36

# Set IP address parameters.

Configure the DNS server address as required.

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 37

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 38

# The configuration of Radio 1 is similar to that of Radio0. Disable automatic channel

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 39

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 40

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 41

2.4 Security Policy Configuration Examples

Issue 03 (2018-06-07) Huawei Proprietary and Confidential 42

Figure 2-4 Networking diagram for configuring a WPA2-PSK-AES security policy

Service VLAN for STAs VLAN 101

DHCP server The AP functions as a DHCP server to

IP address pool for STAs 10.23.101.2-10.23.101.254/24