
Search results for "149656"


AP-N505 Access Point Quick Start Guide V2.1


20-11-2025 - For details, please click the attachment icon below to view or download for a good reading experience or resources.


Comprehensive Guide to Wireless WLAN Products – Applicable to Software Version 11.X


10-11-2025 - Comprehensive Guide to Wireless WLAN Products – Applicable to Software Version 11.X

1. Review

The FS wireless product is suitable for large, medium, and small wireless networks, offering powerful WLAN wireless access control functions. It is a wireless controller product for the next generation of high-speed wireless interconnect networks that provides powerful processing capabilities and multi-business expansion. It can break through the third-layer network to maintain communication with the AP and be deployed in Layer 2 or Layer 3 network environments without changing any network architecture, thereby providing seamless and secure wireless network control.

This document details the operational steps and precautions for implementing and configuring various functional modules of the wireless controller in a scenario-based manner. Based on the requirements information collected before network implementation, network engineers develop deployment plans and perform testing on the wireless network, selecting appropriate network scenarios and configuring corresponding functions in accordance with the demands. After the implementation is completed, devices undergo operational inspections.

The current wireless product document is applicable to the 11.X software platform, and its revision records are as follows:

Thank you for using FS products. FS.com INC owns the copyright of this manual, and it is welcome to be widely circulated. If you have any questions, opinions, or suggestions, please contact us through the following channels:
FS Service and Support Platform: https://www.fs.com/contact_us.html
FS Service Hotline: +1(888)468-9910

2. Product Introduction and User Guide

2.1 AC Product Introduction

2.1.1 AC-1004 Product Introduction
AC-1004 Wireless LAN Controller Datasheet

2.1.2 AC-224AP Product Introduction
AC-224AP Wireless LAN Controller Datasheet

2.1.3 AC-7072 Product Introduction
AC-7072 Wireless LAN Controller Datasheet

2.2 AC Products FAQ

2.2.1 AC Maintenance View Command - Version 11.x

Maintenance commands

1. Check AC version, SN of device: show version.

2. Check AP Information: show version all.
You can view the AP model, software version, SN, MAC address and other information by show version all.

3. Check the AC license and AC tunnel address: show ac-config.

4. Check the mac and bssid correspondence of AP on AC: show ap-config bssid

5. Show AC Configuration: show run

6. Show AP Configuration:
FS#show ap-config running-config
ap-config 123
 802.11n mcs support 23 radio 1
 802.11n mcs support 23 radio 2
 sta-limit 70
 sta-limit 30 radio 1
 sta-limit 30 radio 2
 channel 6 radio 1

7. Show the configuration of a specific AP:
FS#show ap-config running aa ----->"aa" indicates the name of the AP. The default name is the MAC address of the AP. (on the AP sticker, non-interface MAC address)
ap-config aa
 802.11n mcs support 23 radio 1
 802.11n mcs support 23 radio 2
 channel 6 radio 1
 channel 153 radio 2

8. Show the cumulative traffic of users:
There are two fields here, last min and total, and total is the cumulative one.
FS#show wqos control flow sta ipv4
wqos fs sta cnt: 0
mac up/down last min total

9. View the type and operating system of access terminals on the AC (dhcp snooping must be enabled):
FS#sh terminal-identify user
User entry list: 3
mac-address     aging-time  terminal-type
-----------------------------------------
68df.ddc7.de5a  --:--       XIAOMI Phone Android 4.2
3859.f98b.658b  --:--       PC Windows 7
a844.8130.c304  --:--       Nokia Phone Windows 8
Note: Due to the limitation of the terminal, it can not ensure 100% accuracy of terminal identification.
The device will read the option 60 field in the DHCP message, and option 60 will carry the type information of the terminal, but not every DHCP message of the terminal will carry the option 60 field, so the reading success rate is not 100%.

10. Check AP offline Causes: show ap-config summary deny-ap:
FS#show ap-config summary deny-ap
Deny ap num: 1
Mac Address     AP Name                        Reason
--------------  -----------------------------  -----------------
649d.99d0.e226                                 By conflict
Note:
By bind-ap-mac //AP-MAC binding rejection, MAC whitelist bind-ap-mac function is enabled on the AC, but the MAC of the AP is not in ap-config
By wtp-limit //The number of online APs has reached the upper limit, which is usually due to insufficient licenses, online AP capacity limits, or rarely due to wtp-limit configuration restrictions
By conflict //There is a conflict in the AP name or MAC address. Another AP with the same name or MAC address is already online or configured on the AC
By deny-flag //The AC actively refuses to allow the AP to join, usually using deny-join restriction during network debugging
By ap-auth //AP authentication is restricted. The AC enables certificate, serial number, and password
By user-class //AP products in different industries. For example, SMB-AP can only be docked with SMB-AC and can not be docked with ordinary ACs
By overdue-ap //There are expired APs on the AC, which is usually a temporary state. At this time, the AC will automatically clear the expired AP information, and the AP will reapply to join and succeed again
By master-ap-mac //The satellite AP does not carry the MAC of the main AP. This is usually a temporary state. The satellite AP joins too quickly when it starts up
By unknown //For unknown reasons
By radio num //The AP has too many radio ports and cannot be docked, such as B7 version AC does not support AM5528
By vendor id //Other vendor's AP cannot be docked
By new-ap-limit //The upper limit of new APs, for example, WS5708 only supports 100 B9 new wave2 APs
By local-limit //Protecting a single AC device in VAC scenario, limiting the number of APs connected to the host, which may be caused by uneven switch load or too few working ACs
By hot-backup //Limitations on hot backup. For example, if the AP uses AP virtualization technology and AP virtualization does not support hot backup function, the AP is still configured as hot backup
By total-ap-num //The total number of APs (online + offline) or AP tunnel number has reached the upper limit. Delete unnecessary offline AP configurations
By none-radio //AP is rejected because it does not carry radio, usually a temporary state, caused by the AP joining too quickly when it starts up
If the interaction between AP and AC is abnormal, intermediate line packet capture analysis is required to locate the packet loss point, as well as the troubleshooting of the wired ring network mentioned earlier.

11. Check the AC and AP to establish a tunnel:
FS#show capwap state
index  peer device           state
2      10.36.253.37 : 10000  Run ------>"run" is the successful association status, if not, please refer to the "capwap tunnel" common failures

12. Check the online status, operating channel and power of the AP and other RF parameters:
Command: FS#show ap-config summary
Show ap-config summary to view AP name, IP address, mac address, RF card power, radio channel, online/offline status and time, etc.

13. Check the associated wireless users:
FS#show ac-config client
Through show ac-config client, you can view the MAC, IP, access AP name, access AP's RF card, access signal duration and other information of the access terminal.
FS#show ac-config client by-ap-name //Show user associations based on AP name

14. Check the details of the associated wireless users, mac, ip, VLAN, WLAN, roaming status, associated AP name and IP, etc:
FS#show ac-config client detail 001f.3b3b.b435
Mac Address: 001f.3b3b.b435
IP Address: 0.0.0.0
WLAN Id: 100
VLAN Id: 101
Roam State: Local ------>Non-roaming. If it is roaming, Roam is displayed
Association ID: 0
WMM capability info: 0
Associated Ap Information:
AP Name: wangkq001
AP IP: 192.168.10.1

15. Check the encryption method for wireless users:
FS#show wclient security 001f.3b3b.b435 ------>001f.3b3b.b435 is the client MAC address
Security policy finished: FALSE
Security policy type: WPA-802.1X
Security cipher mode: TKIP
Security EAP type: PEAP
Security NAC status: CLOSE

16. Check the hardware information of the wireless AC:
FS#show ac-device information
AC device information:
CPU type: Cavium Octeon II V0.1, 1000MHz
Memory type: DDR3
Flash size: 512MB

17. Check the AP hardware information that has been associated to the AC:
FS#show ap-device information
AP(AP-11)'s device information:
CPU type: ARMv7 Processor rev 5 (v7l), 100MHz
Memory type: Hynix DDR2(16bit)
Flash size: 121MB
MAC address: 649d.99d0.1870

18. How to check the AP list of an AP group?
An AP group is displayed only when at least one AP in the group is online.
Check the ap status in each ap group: show ap-group aps summary
Check the ap status inside a specific group: show ap-group aps default (where default is the name of the ap group)

19. How to check the information of WLAN list on AC?
show WLAN-config sum

20. How to check the default and actual user limit on AC or AP? (based on AC/AP/Radio/WLAN)
Show on AC:
a. Default number of users limit:
AC-based: default is the maximum number of manageable APs *32
Based on WLAN: no limit
Based on AP and radio: sh stamg limit-timeout dev (AP def means the default is 64 based on AP, regardless of AP model; radio def means the default limit based on radio, which depends on the AP model).
b. Actual number of users limit:
Based on AC: sh stamg limit-timeout ac
Based on WLAN: sh stamg limit-timeout WLAN
Based on AP and radio: sh stamg limit-timeout sta
Note: sta-limit-num is based on AP; radio-info is based on radio. The user limits configured under ap-group and under ap-config (ap name or all) are superimposed to give the actual user limits based on AP and radio. The per-radio limits and the per-AP limit are not related: the AP's total user limit is not the sum of the user limits of its RF cards. For example, with an AP total user limit of 50, an RF card 1 limit of 128 and an RF card 2 limit of 128, the limits apply together and at most 50 users can connect.
Configuration priority: ap-config ap name is better than ap-group is better than ap-config all.
Show on AP: Sh stamg limit
Note: The limits on the number of STAs under AC, WLAN, AP and AP's radio are in effect at the same time, which means that they need to be satisfied at the same time for the STAs to come online.

21. How to view WLAN, SSID name, associated user VLAN and radio information on AC?
sh ap-group intf-WLAN-map default

22. How to confirm the information about the wireless signal, whether it is local forwarding, whether 5G priority is enabled, etc?
For example, the information of WLAN 1, by the following method: sh WLAN-config cb 1, where 1 is the WLAN-id.
The name of WLAN 1 signal is FS.COM, which is locally forwarded with 5G priority turned on.

23. Is there a command to check the user history of AC web page?
Use the command: FS#sh WLAN diag sta sta-mac h.h.h
In version 11.x, the web page provides historical statistics on the number of wireless users, updated once per hour. The system stores data for up to 24 hours, with a maximum of 8 records. When new records are generated, older ones are automatically overwritten.

24. In a fit AP environment, how can I check on the AC which APs the terminal has been associated with? How long can the time be recorded for and what are the considerations?
show WLAN diag sta H.H.H, where H.H.H is the MAC address of the terminal and supports version 11.x.
The record time for this is 24 hours and does not exceed a certain number of entries (11.x maximum 8). After exceeding the entries, the oldest records will be aged out and only the latest ones will be kept. You can not modify the time, capacity and other information.
Note: Open wlog must ensure sufficient memory, at least 300M or more.

25. How to view the cumulative traffic of wireless terminals?
show wqos control flow sta ipv4
There are two fields here, last min and total, and total is the cumulative one.
FS#show wqos control flow sta ipv4
wqos fs sta cnt: 0
mac            up/down last min             total
-------------- ------- -------------------- --------------------

26. How to check the number of AP reboots from AC?
On the AC, run show ap-config reboot apname to check the number of times the AP has rebooted.
Reboot Cnt: reboot times → can determine whether there is a power failure reboot or artificial reboot
Other parameters description:
AC Init Cnt: AC initialization
Link Fail Cnt: Number of link failures
SW Fail Cnt: Software Failure
HW Fail Cnt: Hardware Fail Cnt
Other Fail Cnt: Other reasons for failure
Unknow Fail Cnt: Fail for unknown reasons
Last Fail Type: Last failure type

27. How does 11.XAC check the DHCP IDLE status?
show ip dhcp history

28. How can AC and AP check the SNR of the corresponding ap?
a. On the AC:
show ac-config 802.11b summary (to check 2.4 GHz)
show ac-config 802.11a summary (to check 5 GHz)
b. show dot11 wireless 1/0 --Check the noise of 2.4G on ap

29. What do load and interference mean in the AP monitoring function of the AC web interface?
Load is the air interface bandwidth utilization: it is the same concept as the bandwidth utilization of a wired port, applied to the air interface. For example, the load becomes 100% because the bandwidth of all users below reaches the throughput of this AP.
Interference is the maximum interference on the same frequency: through the AP STA signal strength, calculated by the algorithm.

30. How to view the history of operation commands on AC?
FS#sh cli record
If the AC time is correct (show clock can check the current time of the device), you can check which commands were configured in which time period and from which IP address the device was logged into.

31. How to check which AP models and versions are in the AC (prerequisite to enable WLAN diag, for customers to check when requesting version upgrades)?
FS#sh WLAN diag network

32. How to check the noise of an AP RF card on AC?
FS# sh ac-config 802.11b sum
FS# sh ap-con radio 1 status 649d.99d0.1870 (AP Name) (Version 11.)

33. How to check the dhcp address assignment?
FS#sh ip dh pool
Pool name  Total  Distributed  Remained  Percentage
--------------------------------------------------------
user       253    0            253       0.00000
youxian    246    0            246       0.00000
10.X_AP    249    0            249       0.00000
11.X_AP    242    0            242       0.00000
l1         0      0            0         0.00000
l2         0      0            0         0.00000
ap         253    0            253       0.00000
Distributed: Addresses already distributed
Remained: The remaining addresses
Percent: Percentage of addresses distributed

34. How to quickly identify the correspondence between APname and device mac and RF port mac?
The command is FS#sh ap-config radio

35. How to determine whether the terminal supports WAVE2's MU-MIMO function?
Check if the MU terminal identifier is present on the AC by command:
AC-1#sh ac-config client
FS#sh ac-config client
========= show sta status =========
AP: ap name/radio id
Status: Speed/Power Save/Work Mode/Roaming State/MU MIMO, E = enable power save, D = disable power save
BACKUP = STA is on peer AC
Total Sta Num : 855
Backup Sta Num : 0
STA MAC         IP Address     AP                WLAN  VLAN  Status       Asso Auth  Net Auth  Up time
--------------  -------------  ----------------  ----  ----  -----------  ---------  --------  ----------
004b.f390.44bb  10.36.121.239  649d.99d0.d516/2  11    263   156.0M/D/ac  WPA2_PSK   OPEN      2:06:28:05
004b.f390.4557  10.36.100.115  649d.99d0.e62e/3  2     102   156.0M/D/ac  WPA2_PSK   OPEN      2:05:08:20
Check if the MU terminal identifier is present on the AP by command:
1-AP-3#show dot11 associations all-client
RADIO-ID WLAN-ID ADDR AID CHAN RATE_DOWN RATE_UP RSSI ASSOC_TIME IDLE TXSEQ RXSEQ ERP STATE CAPS HTCAPS VHT_MU_CAP
1 1 b6:c9:65:aa:c1:d7 1 11 216.5M 8.5M 17 0:00:09 0 1 272 0x01 0x3 ERSs SU

36. How to check the model and number of APs associated with the AC?
FS#show ap-config product
Product ID    Hardware Version  Count  Used Wtp
------------  ----------------  -----  --------
AP-N505       1.00              67     67.0
AP-W6D2400C   1.00              17     17.0
AP-W6Q4134C   1.00              9      9.0
AP-W6T6817C   2.00              88     88.0

37. After the wireless project is deployed on the point, how to quickly confirm the IP, MAC, location, status and other information of the AP?
FS#show ap-config summary location
AP Name         IP Address     Mac Address     Location  State
--------------  -------------  --------------  --------  -----
1-AP-3          10.36.253.23   649d.99d0.e226            Run
1-AP-5          10.36.253.29   649d.99d0.e3ae            Run
649d.99d0.1870  10.36.253.91   649d.99d0.1870            Run
649d.99d0.187a  10.36.253.111  649d.99d0.187a            Run

38. How to get the device mac address of AC?
WS#show ac-config | in mac
In the case of multi-AC, it is obtained by the following ways:
a. 1 + 1 redundancy, multi-AC case: In each AC enable mode: show ac-config | inc Mac
b. Virtual AC case: In the main AC enable mode: show virtual-ac topology

39. How to check whether tcp and udp ports are open on AC devices? How can I check the ports occupied by each program?
show tcp con ----check if the tcp port is open
show ip udp ----check if the udp port is open
show ip socket ----check the ports occupied by each program

40. How can I check the status information of ap partner 120-M on AC?
show ap sum

2.2.2 AC Products FAQ - Version 11.x

FAQ

1. Number of APs that can be managed by each AC model.
Model     Default Number of Managed APs  Max Number of Managed APs
AC-1004   64                             64
AC-224AP  224                            224
AC-7072   128                            1152
The support status of the new AC is as follows:
Model     Default Number of Managed APs  Max Number of Managed APs
AC-1004   64                             64
AC-224AP  224                            224
AC-7072   128                            1152

2. The actual transmission rate of 300M, 130M and 54M in ideal situation.
300M: 150M-180M
130M: 70M-90M
54M: about 22M

3. Does AC support NAT function?
Support.

4. Is there a license for use in wireless test projects?
If the pre-sales test needs a temporary license, please apply for temporary license authorization in the license registration system, and one device can apply for temporary authorization at most three times.

5. After the wireless AC supports authentication, is the next access to wireless free of authentication?
Please refer to Wireless Solution Deployment Guidance - BYOD Solution.

6. Does AC support netflow function?
Not support.

7. Does the wireless capwap tunnel support cross-NAT? Or is there a NAT network between AC and AP?
Support.
If the AP is in a NAT private network: The AP does not require static address mapping or port mapping. Simply configure regular source address translation to ensure connectivity between the AP and the AC.
If the AC is in a NAT private network: Configure port mapping on the gateway router for the AC address (option 138 IP), using the UDP protocol, with ports 5246 (control channel) and 5247 (data channel). On the AP, the AC address (option 138 IP) should be set to the public IP address mapped from the AC's internal address.
If both the AP and AC are in their own NAT private networks: All three configurations above must be applied simultaneously.
For reference: "05 Wireless General Function Configuration Guide – 02 Thin AP Configuration" and "07 Wireless AC and AP Deployment in Different NAT Networks."

8. If there is a firewall between AC and radius devices, what traffic should be put through the firewall?
The AC and the RADIUS server generally interact over the RADIUS and SNMP protocols, and the server ports are:
radius port: UDP protocol, default authentication port 1812, default billing port 1813 (these ports are on the radius device).
snmp: udp protocol, 161 (this port is on the AC).

9. What is the difference between forced rate set and supported rate set for wireless AC?
The wireless user will send the rate set information to AC when the wireless network is associated. If the rate set information does not have the mandatory rate of AC, the association will fail. The forced rate set is mandatory for the STA to support, and the supported rate set is supportable or unsupportable for the STA.

10. After the wireless device hides SSID, can STA automatically connect to wireless?
When the SSID of a wireless device is hidden, the STA (station) cannot detect the wireless signal and is therefore unable to determine whether it is within the coverage area of that SSID, preventing automatic connection. To enable the STA to automatically connect to a hidden SSID, wireless configuration information must be manually added on the client device.
Taking Windows 7 as an example:
a. Open Control Panel → Network and Internet → Manage Wireless Networks in sequence.
b. Click the Add button in the upper-left corner.

11. How to kick users offline on AC? (Note: Timed kicking of users offline is not supported)
First, check the MAC address of the user:
WS#show ac-con client by-ap-name
Total Sta Num :849
Cnt STA MAC AP NAME WLAN Id Radio Id VLAN Id Valid
------ --------------- -------------------- --------- --------- --------- ---------
1 0021.6a99.6c5a BF2_AP_031122091
2 701a.04a9.a1b2 BF2_AP_062123091
3 0026.c690.0a06 BF7_AP_011122091
4 001f.3b3b.b435 BF7_AP_011122091
Kick users offline:
WS(config)#ac-controller
WS(config-ac)#client-kick H.H.H ----->H.H.H is the user's MAC address
However, since the client will automatically reconnect, using show ac-con client by-ap-name after kicking the client offline will still show the STA that was kicked offline before.

12. Meaning of 11na_ht40, 11na_ht40plus, 11na_ht40minus.
FS AP supports 802.11n by default and requires no additional configuration. If the radio is set to 11b, it operates as 802.11ng; if set to 11a, it operates as 802.11an.
The term 11na_ht20 refers to 802.11na operating with a 20 MHz channel bandwidth, providing a connection rate of up to 130 Mbps. Similarly, 11na_ht40 indicates a 40 MHz channel bandwidth, supporting connection rates up to 300 Mbps.
The 802.11n standard allows the use of a 40 MHz bandwidth by bonding two adjacent 20 MHz channels. When bonding, one channel acts as the primary channel and the other as the secondary channel.
11na_ht40plus means that the secondary channel is above the primary channel. For example, if the current channel is 149, bonding it with 153 forms a 40 MHz channel (149 + 153).
11na_ht40minus means that the secondary channel is below the primary channel. For instance, if the current channel is 161, it bonds with 157 to form a 40 MHz channel.
For 802.11g, the concept is similar to 802.11a. However, since 802.11g only supports channels 1, 6, and 11, using a 40 MHz channel leaves only one non-overlapping channel available.
Therefore, when operating in 802.11ng mode, it is not recommended to use a 40 MHz channel width. The default 20 MHz bandwidth is typically sufficient for optimal performance and interference avoidance.

13. Where is the AP ap-config on the AC saved?
ap-config.text in AC flash

14. When will the ap-config on the AC be saved?
Execute hot reboot on AC, that is, execute reload command
Execute save name in AC, write

15. Is there a way to use static IP in a wireless arp-check environment?
Allowing wireless clients to use static IP addresses in an arp-check environment is not supported.

16. Can wireless support VLAN-Group?
The VLAN-Group function allows each VLAN group to contain multiple VLANs. By associating a WLAN with a VLAN group, a 1:N mapping between the WLAN and VLANs can be achieved, enabling flexible VLAN allocation for STAs that connect to the WLAN. There are two main VLAN assignment modes:
a. After the STA passes 802.1X authentication, the authentication server assigns the corresponding VLAN to the STA. Only the 802.1X authentication method can be deployed. The authentication server must support VLAN assignment.
b. Based on the available address pools of the DHCP server, the system assigns an available VLAN to the STA.

17. The meaning and difference between tunnel 8023 and tunnel local under AC wlan-config.
8023 refers to centralized forwarding, which is the default forwarding mode of WLAN.
Configuration Example:
WLAN-config 1 FS
 tunnel 8023
This indicates that centralized forwarding is configured. After executing the show run command, the line tunnel 8023 will not be displayed. If configured as tunnel local, it represents the local forwarding mode.

18. For AC with clock chip, how to write the time into the chip?
In FS# mode, first execute clock set to set the time, then run clock update-calendar (to write the time to the hardware chip), and finally execute wr to save the configuration.

19. Does AC support DNS servers?
Not support.

20. How to check the interface traffic trend on the AC web interface using the command line?
The command corresponding to the WEB interface traffic trend is "show interface counter rate"

21. What are the reasons why dhcp is stuck in the offer state when the terminal ip address is obtained?
The terminal sends a discover message, and the server responds with an offer after receiving it. If no request packet is received from the terminal afterwards, it will always be stuck in the offer state, and you can consider whether the access switch is open for snooping, and the trust port is not open.

22. When the WLAN is configured for local forwarding, why is the IP address of the STA not viewed on the AC after the STA comes online on this WLAN?
Under local forwarding, the data of STA is generally not forwarded through AC, and the IP address of STA cannot be learned directly on AC, or learned indirectly through DHCP SNOOPING if DHCP SNOOPING is not enabled, so it is possible that the IP address of STA cannot be obtained at this time, and thus the IP address of STA cannot be viewed on AC.

23. How to check the type and operating system information of wireless terminal on AC?
To enable the DHCP snooping feature, use the following command:
FS#sh terminal-identify user
User entry list: 794
mac-address     aging-time  terminal-type
-----------------------------------------
8e6a.720d.fd60  --:--       Phone Android
70d8.238e.521f  --:--       Windows
70d8.238e.5206  --:--       Windows
3212.abf8.9864  --:--       Phone Android
Note: Due to the limitation of the terminal, it can not ensure 100% accuracy of terminal identification. The device will read the option 60 field in the DHCP message, and option 60 will carry the type information of the terminal. But not every DHCP message of the terminal will carry the option 60 field, so the reading success rate is not 100%.

24. How to check terminal details (traffic, terminal type, etc.) on AC?
DHCP snooping needs to be enabled.
Use the following command to check terminal information: show ac-config debug client.
Note: Due to terminal limitations, 100% identification accuracy cannot be guaranteed.

25. AP Configuration Instructions.
a. Users can enter the configuration mode of all APs with the command "ap-config all", and the configuration in this mode will take effect for all APs associated with this AC. The configuration priority in the specified AP configuration mode is higher than the configuration in all AP configuration modes. If a configuration exists in ap-config ap-name configuration mode (i.e., not the default configuration), it will be used first; otherwise, the configuration in "ap-config all" configuration mode will be inherited.
b. Users can delete the specified offline AP configuration by the "no ap-config ap-name" command.
c. Users can delete all offline AP configurations on this AC with the command "no ap-config all".
Generally, the AP goes online by matching the AP name with the AP configuration name to decide which configuration the AP uses. And MAC address binding is a stronger binding relationship than name matching, and its priority is higher than name matching. Therefore, as long as the MAC address bound by the AP configuration matches the MAC address of the AP, the AP uses that configuration when it comes online.

26. The "ap-conf all" configures a certain parameter and logs into ap without seeing the configuration sent.
Normal Condition. Many configurations of ap-config all will not be displayed even if show ap-config run or log in to ap show run is in effect.

27. Which of the configurations in ap-config name or ap-config all takes effect?
The configuration of "ap-config name" for a specific ap will take effect first, and if there is no such option under the ap of "ap-config name", the configuration of "ap-config all" will take effect.
For example:
ap-config all
 sta-limit 256
 sta-limit 128 radio 1
 sta-limit 128 radio 2
ap-config AP-W6T6817C
 ap-mac 649d.99d0.e226
 ap-group ap630
 sta-limit 198
 sta-limit 128 radio 1
 sta-limit 70 radio 2
ap-config AP-W6D2400C
 ap-mac 649d.99d0.2c2a
 ap-group ap330i
 acip ipv4 1.1.1.1
 ip address 192.168.253.246 255.255.255.0 192.168.253.1
 no 11acsupport enable radio 2
 response-rssi 10 radio 2
The above configuration achieves: The maximum number of access users for AP-W6T6817C radio 1 is 128, radio 2 is 70; AP-W6D2400C radio 1 = 128, radio 2 = 128.

28. Wireless configuration to limit the number of user access instructions.
a. With the following configuration, once the number of users on radio 1 exceeds 64, further users cannot access, so the limit of the whole AP needs to be changed.
Error case:
ap-config AP-W6D2400C
 sta-limit 64
 sta-limit 128 radio 1
 sta-limit 128 radio 2
Correct case:
ap-config AP-W6D2400C
 sta-limit 256
 sta-limit 128 radio 1
 sta-limit 128 radio 2
b. With the following configuration, if there are 10 AP-W6D2400C APs each serving 110 users, the prompt that user access has reached the maximum limit also appears (the error occurs because the number of users across all APs exceeds the overall AC limit of 1024).
Error case:
ap-config AP-W6D2400C
 sta-limit 256
 sta-limit 128 radio 1
 sta-limit 128 radio 2
FS(config)#ac-controller
FS(config-ac)#sta-limit 1024
Correct case:
ap-config AP-W6D2400C
 sta-limit 256
 sta-limit 128 radio 1
 sta-limit 128 radio 2
FS(config)#ac-controller
FS(config-ac)#sta-limit 2048

29. Does the wireless AC support viewing user online and offline status over a specific period of time?
Not supported. The information can be viewed through the SNC network management software or the Radius server.

30. Does AC have other methods to transfer files besides tftp?
FTP and Web (refer to the configuration manual for specific matching values).

31. Does 11.x AC support anti-gateway spoofing?
Support.

32. Wireless AC ping other devices or pinged devices appear 50% packet loss.
If it is regular packet loss, it may be caused by nfpp. This problem is found to be caused by the configuration of AC, which is optimized according to the following:
nfpp
 no nd-guard enable
 no dhcp-guard enable
 icmp-guard rate-limit per-src-ip 1
 icmp-guard attack-threshold per-src-ip 1
 no arp-guard enable

33. Can AC put out a SSID, only cell phones and pads can be connected, windows can not be connected?
No, AC can not do 100% identification of the terminal, and also can not be used to do control.

34. AC and switch direct ping sometimes pass and sometimes not.
"show int counter summary" shows that the interface has high traffic; communication returns to normal after trimming the VLANs of the interconnect port. After the switch troubleshooting, it is caused by the switch loop.

35. Configuration instructions for limiting the number of users access in "ap-group".
The value range is 1-1536; it is valid for all APs that have joined the group; and the limit is the number of access users of a single AP.
FS(config)#ap-group AP-W6D2400C
FS(config-group)#sta-limit ?
<1-1536> Set the limit STA attached to this AP

36. Does AC support web agents?
The agent in the environment is in the browser. The application is generally the output router or behavior management features. AC does not support for the time being.

37. Does AC support G.711 UDP SIP RTP?
These protocols are transparent to our AC and will be forwarded directly.

38. Does AC support access to Airware?
Support.

39. If AC is DHCP for wireless users, is it normal that the DHCP lease time becomes 5 minutes after wireless users go offline?
It is normal. After the wireless user goes offline, the wireless module will notify the dhcp module to change the lease time to 5 minutes, and the IDLE status will be available when the 5-minute time is over, and the time can not be modified.

40. Does AC support sending large packets with MTU larger than 1536?
Support.

41. How to calculate the traffic trend in the AP details on the AC WEB interface?
The value is the cumulative value of traffic since the AP came online, updated once per hour, and it will only keep rising.

42. Do AC and AP support redirection to do page jumping but not authentication?
No. Wireless AC and AP do not support this function, which is an output device function, and FS output gateway SG supports it.

43. Does sntp server deployment support domain name?
11.x supports domain name.

44. When the number of users per radio is adjusted for an AP on the AC web interface, will the total number of users for that AP change automatically?
For example, if the user limit of an AP is set to 50 for radio 1 and 60 for radio 2 on the web interface, the 11x version will automatically update the total user limit of that AP to 110.
Note: In the 11x thin AP mode, only single-band and dual-band APs support automatic adjustment. Multi-band APs do not, and configurations made through the command line will not trigger automatic updates.

45. How to clear the dead stack information?
The stack information of show exception needs to be cleared; FS#clear exception.

46. Instructions for using sta-limit on AC.
The sta-limit command can be applied to WLAN-config, ap-group, ap-config and ac-controller. In this mode sta-limit has no priority relationship, and the number of sta is limited by these configurations. For example, if you configure sta-limit 20 on an ap, and configure sta-limit 50 under ac-controller, the maximum number of users that can be associated with this ap is only 20, not 50.

47. How far apart are the strong lines and the weak lines from each other to be more appropriate?
It is recommended to separate the strong and weak power lines from different pipes, more than 50cm.

48. Can the AC and AP of 11.X export the current software version?
The 11.x version is decomposed into different files during installation, and the main program rgos.bin is not visible in the device dir listing, so it is not possible to export the currently running software version from the device.

49. What is autowifi mode?
autowifi enables the AP to quickly put out a wireless signal, so that it is easy to modify the IP using Telnet after a terminal has connected.

50. Does the AC support ipv6 web authentication and 1x authentication?
It supports pass-through of ipv6 messages. Web authentication does not support ipv6. 1x does not care about IP and will not upload the ipv6 address; 1x is for MAC authentication, and the IP address is involved only after terminal authentication. If the server does not carry out IP authorization etc., ipv6 data can pass through.

51. Does the AC/AP support DHCP option60?
Not supported.

52. Source of the wireless terminal IP address on the AC.
The AC obtains the STA IP address by learning DHCP messages through DHCP snooping. In the local forwarding scenario, snooping entries are generated on the AP and can be uploaded to the AC through "wtp event" messages; in addition, the IP address can be obtained from the destination IP of downlink data messages, which also allows static IPs to be learned.

53. How to handle the device being unable to ping a domain name?
Phenomenon:

AC#ping https://www.google.com/ www.amzon.com
Translating "https://www.google.com/ www.amzon.com"...
% Unrecognized host or address, or protocol not running.

Additional configuration:

AC(config)#ip name-server 8.8.8.8 (this configures the DNS server for the device and needs to be modified according to the actual environment)

After that, just make sure that the AC and the external network communicate normally.

54. Can a WLAN be associated with different wireless user VLAN?
The same WLAN-id under the same ap group can only be associated with one wireless user VLAN. You can create different ap groups and associate the WLAN-id with a different wireless user VLAN-id in each ap group.

55. Will the device be damaged if it is powered off and then powered back on after a period of time, for example, two weeks?
No, it will not be damaged.

56. The wireless signal is weak after going through the wall, for example, the 5G signal only has -80db signal strength after going through the wall. Is it normal?
Please test at the near end. If the signal is normal there and there is no interference around, the problem is signal attenuation. Deploying wireless through walls is not recommended. Different wall materials and thicknesses attenuate the signal differently. Generally speaking, going through a wall leaves the signal too weak and affects wireless device usage.

57. Why do I see a smaller number of AP online users in the web interface on the AC, but more users when scanning with FS Airbox?
The content displayed on the web page prevails. The FS Airbox scan covers a broadcast domain.

2.2.3 AC Parameter Adjustment - Version 11.x

Parameter Adjustment

1. How to change the AP name?
After the AP is associated with the WS wireless controller, the default name is the MAC address on the label attached to the back of the AP body. If you need to modify the name of the AP, do the following:

FS(config)#ap-config ap-name1
FS(config-ap)#ap-name ap-name2

2. How to delete the name of an AP that has been taken offline?
Perform the following operations:

FS(config)#no ap-config ap-name1
FS(config)#no ap-config all ----Delete all ap-config that are not online

Only the configurations of APs that have been taken offline can be deleted.

3. How to configure the location information of the fit AP?
The reference configuration is as follows:

FS(config)#ap-config 649d.99d0.18e3
FS(config-ap)#location M2

4. How to modify the address used by the AC to create a capwap tunnel?

FS(config)#ac-controller
FS(config-ac)#capwap ctrl-ip 2.2.2.2

5. How to modify the wireless SSID?
In version 11.x, the SSID name of a WLAN can be modified without deleting the AP group or its associated configurations. To modify the SSID name of WLAN 1:

FS(config)#WLAN-config 1 (enter the corresponding WLAN)
FS(config-WLAN)#SSID yy (yy is the new SSID name)

Note: Do not enter wlan-config 1 xx (where xx is the old SSID name).

6. Statically configure the IP address of the AP in fit AP mode.
Reference commands (modifying this parameter will cause the AP to re-establish the tunnel):

a. Log in to the AP via console or telnet and enter global mode (enable password is apdebug) to configure the static IP address, default route and AC IP address for the AP:

FS(config)#acip ipv4 1.1.1.1 //Configure the AC IP address
FS(config)#apip ipv4 172.16.1.34 255.255.255.0 172.16.1.109

b. After the AP and AC have established a tunnel, log in to the AC to configure a static IP address for the AP:

FS(config)#ap-config ap-name
FS(config-ap)#acip ipv4 1.1.1.1 ---->Configure the AC IP address
FS(config-ap)#ip address 172.16.1.34 255.255.255.0 172.16.1.109 ---->The AP's address, netmask and gateway. The AP will re-establish the tunnel after configuration

Neither configuration is lost after saving the configuration and restarting the AP.

7. How to change the source IP address the AC uses for interfacing with radius?
Reference command:

FS(config)#ip radius source-interface loopback 0

8. How to switch the working band of the fit AP?
Reference command:

FS(config)#ap-config 649d.99d0.18e3
FS(config-ap)#Radio-type 1 802.11a

Note: AP-T565, AP-T567 and AP-W6D2400C are supported; other APs are not supported.

9. How to turn off the 802.11n function?
FS(config)# ap-config AP0001
FS(config-ap)#no 11ngsupport enable radio 1 ---->Turn off radio 1 support for 802.11n in 2.4G
FS(config-ap)#no 11nasupport enable radio 2 ---->Turn off radio 2 support for 802.11n in 2.4G

10. How to turn off the 802.11b function?

FS(config)# ap-config AP0001
FS(config-ap)#no 11bsupport enable radio 1 ---->Turn off radio 1 support for 802.11b in 2.4G

11. Turn off the Smart Antenna function.
Fat mode:

FS(config)#interface dot11radio1/0
FS(config-if-Dot11radio 1/0)#no smartant enable

Fit mode:

FS(config)#ap-config AP-N515
FS(config-ap)#no smartant enable radio 1

12. How to disable a radio in the AP?
In fat mode, just go to that radio and shut it down:

FS(config)#interface dot11radio 1/0
FS(config-if-dot11radio 1/0)#shutdown

In fit mode:

FS(config)#ap-config ap-name ---->Enter the AP
FS(config-ap)#no enable-radio 1 ---->Disable radio 1

13. How to turn off the RRM channel auto-adjustment function?

FS(config)#advanced 802.11a channel global off
FS(config)#advanced 802.11b channel global off

14. It is recommended to disable low data rates such as 11b/g 1M, 2M, 5M and 11a 6M, 9M to prevent individual users from transmitting excessive low-rate packets that may affect overall wireless performance.

FS(config)#ac-controller
FS(config-ac)# 802.11b network rate 1 disabled
FS(config-ac)# 802.11b network rate 2 disabled
FS(config-ac)# 802.11b network rate 5 disabled
FS(config-ac)# 802.11g network rate 1 disabled
FS(config-ac)# 802.11g network rate 2 disabled
FS(config-ac)# 802.11g network rate 5 disabled
FS(config-ac)# 802.11a network rate 6 disabled
FS(config-ac)# 802.11a network rate 9 disabled

15. With AAA enabled on the AC, how to stop management logins to the AC from also using AAA login authentication?
Adjust the configuration so that logging in to manage the AC no longer uses AAA.
FS(config)#aaa new-model
FS(config)#aaa authentication login no-login none ---->Create an AAA login authentication list named "no-login", with the authentication method "none" (no authentication)
FS(config)#line con 0
FS(config-line)#login authentication no-login ---->The AAA login authentication list "no-login" is applied on the console line, indicating that AAA authentication is not used
FS(config-line)#line vty 0 35
FS(config-line)#login authentication no-login ---->No password will be used for telnet logins

16. AC/AP optical-electrical multiplex interface switching configuration (this operation takes effect immediately without requiring a device reboot).

a. AP configuration (regardless of fat mode or fit mode, this configuration is made on the AP and is not lost on reboot)

FS(config)#interface gigabitEthernet0/1
FS(config-if-GigabitEthernet 0/1)# media-type baset ---->Enable electrical port
FS(config-if-GigabitEthernet 0/1)#media-type basex ---->Enable optical port
FS(config-if-GigabitEthernet 0/1)#end
FS#write

b. AC configuration

FS(config)#interface gigabitEthernet 0/1
FS(config-if-GigabitEthernet 0/1)#medium-type copper ---->Enable electrical port
FS(config-if-GigabitEthernet 0/1)#medium-type fiber ---->Enable optical port
FS(config-if-GigabitEthernet 0/1)#end
FS#write

17. How to enable AP traffic monitoring on the AC?
Reference commands:

FS(config)#advanced 802.11b monitor mode enable
FS(config)#advanced 802.11b monitor interval 100
FS(config)#advanced 802.11b monitor load 100
FS(config)#advanced 802.11a monitor mode enable
FS(config)#advanced 802.11a monitor interval 100
FS(config)#advanced 802.11a monitor load 100

You can view the AP traffic with "show ap auto-rf radio 1 ap_name".

18. Configure time synchronization from the AC to the AP.

FS(config)# ap-config AP0001 //Enter the configuration mode of the AP
FS(config-ap)# timestamp //Configure AP0001 to synchronize the time of this AC

19. How does AC modify the mtu value for establishing a tunnel?
The command for version 11.X is as follows:

FS(config)#ac-controller
FS(config-ac)#capwap ctrl-mtu ?
FS(config-ac)#capwap ctrl-mtu 1422 (Value range 1-1500)
FS(config-ac)#end
FS#write

20. How to turn off all 5g signals on the AC?

FS(config)#ac-controller
FS(config-ac)#802.11a network disable
FS(config-ac)#end
FS#write

21. How does the AC kick an AP offline (for scenarios where the AP should switch to another AC)?

FS(config)#ac-con
FS(config-ac)#kick-ap ?
 all Kick all ap Debug.
 H.H.H MAC address

22. How can the AC make an AP restart regularly every day?
To avoid overload caused by the AP working for a long time, which affects the user's Internet quality, it is recommended to configure the AP to restart regularly every day. Configure FS-AP1 to reboot at 1:00:00 every day as follows:

FS(config)#ap-config FS-AP1
FS(config-ap)#reload at 1:00:00

23. Can I add spaces to the SSID, such as AIRPORT FREE WIFI?
Yes, enclose an SSID that contains spaces in double quotes.

FS(config)#WLAN-config 10 "AIRPORT FREE WIFI"

24. When the SG acts as an integrated AC, does it support managing APs across NAT, and how to turn the AC function off and on with one click?
Managing APs across NAT is not supported.

ac-controller
ac-control disable ---->Turn off the AC function
no ac-control disable ---->Turn on the AC function

25. How to configure the broadcast message forwarding weight?
Configuration in global mode:

FS(config)#data-plane queue-weight

The queue-weight command configures the forwarding weight ratio for different packet types. It defines the token increment multiplier for each packet category:

Known unicast (default: 16)
Known multicast (default: 4)
Broadcast (default: 1)
Unknown multicast (default: 1)
Unknown unicast (default: 1)

The default configuration is: data-plane queue-weight 16 4 1 1 1 (supported in version 11.x)

Command to modify the token update interval and rate:

data-plane token interval rate (supported in version 11.x)

Interval: Token update interval, measured in 10 ms units.
Each token corresponds to 10 ms; the default value is 1.
Rate: Base number of tokens added per update interval. Default value is 64 for AC and 5 for AP.

Calculation of the actual packet rate per second, given:

data-plane token x y
data-plane queue-weight z

The rate limit can be calculated as:

Rate limit = [1 / (x × 0.01)] × y × z

Example: for known unicast with default parameters (interval = 1, rate = 5, weight = 16):

[1 / (1 × 0.01)] × 5 × 16 = 100 × 5 × 16 = 8000

Therefore, the known unicast packet rate is 8000 packets per second.

26. How to specify local forwarding for the terminals with particular IP addresses when some terminals have high traffic?

FS(config)#ac-controller
FS(config-ac)#local fw ip A.B.C.D (A.B.C.D is the ip address of the terminal)
FS(config-ac)#end
FS#write

27. Setting the U.S. country code in ap-config on the AC is unsuccessful.

FS(config-ap)#country US radio 1
The country-code(US) is invalid, please check.

The country code needs to be added under ac-controller before it works, as follows:

FS(config)#ac-controller
FS(config-ac)#country US

28. How can I detect whether a radius server is alive without a test terminal?
The following example defines a RADIUS secure server host in an IPv4 environment, with active detection enabled and a default detection interval of 60 minutes:

FS(config)# radius-server host 192.168.100.1 test username test idle-time 60 key FS.

To disable detection of the accounting UDP port, the command is as follows:

FS(config)# radius-server host 192.168.100.1 test username test ignore-acct-port idle-time 60 key FS.

29. When the AC acts as a DHCP server, DHCP relay packets are not supported after DHCP snooping is enabled. How can the device be configured to support relay packets?
Configuration in global mode:

WS(config)#ip dhcp snooping check-giaddr

Application scenario description: The AC is the DHCP server, the terminal gateway is on the core, and the AC's uplink is a Layer 3 address interconnection. The core then needs to be configured with DHCP relay, and the AC processes the DHCP relay messages to hand out addresses. In this case the AC can assign addresses without being configured with a management address in the DHCP segment. However, if the AC also has DHCP snooping enabled on this network (the uplink port should be configured as a trusted port), then the AC needs to enable "ip dhcp snooping check-giaddr", otherwise address assignment will be abnormal.

Additional non-relay scenario description: The AC is the DHCP server, the gateway is on the core, and the AC uplink port is a trunk or access Layer 2 port. The AC needs to be configured with a management address in the DHCP segment, otherwise DHCP messages will not be sent to the CPU for processing and address assignment will be abnormal. For example, if the DHCP allocation address segment is VLAN10, then the AC needs a management address in VLAN10 to ensure that DHCP distribution for the segment is normal.

2.3 AP Product Introduction

2.3.1 Wi-Fi 6 Indoor AP

AP-N505: AP-N505 Access Point Datasheet
AP-N515: AP-N515 Access Point Datasheet
AP-W6D2400C: AP-W6D2400C Access Point Datasheet
AP-W6T6817C: AP-W6T6817C Access Point Datasheet
AP-W6T3267C: AP-W6T3267C Access Point Datasheet
AP-N515H: AP-N515H Access Point Datasheet
AP-W6D1775C: AP-W6D1775C Access Point Datasheet

2.3.2 Wi-Fi 6 Outdoor AP

AP-T565: AP-T565 Access Point Datasheet
AP-T567: AP-T567 Access Point Datasheet

2.4 AP Products FAQ

2.4.1 AP Maintenance Commands - Version 11.x

Maintenance commands

1. How to check the current working mode of the AP?
Log in to the AP command line through the console port:

FS>show ap-mode
current mode: fit ------>fit is fit mode; fat is fat mode

2. How to get the MAC address of the AP device (not the physical interface MAC address)?
There are several ways to find the AP MAC address:
a. The MAC address of the device can be seen on the AP body sticker.
b. Run "show version all" or "show ap-device information" on the AC to see the MAC address of the AP.
c. Log in to the AP to check the MAC of the physical interface. In general, the MAC of the device is the MAC address of the physical interface minus 1.

3. How to view wireless clients in AP fat mode?
View them with the "show dot11 associations all-client" command:

FS#show dot11 associations all-client
INTF-IDX ADDR AID CHAN RATE RSSI IDLE TXSEQ RXSEQ ERP STATE CAPS HTCAPS
0 00:1f:3b:3b:b4:35 2 11 48.0M 70 120 15 6416 0x0 0x37 ES Q
0 00:24:d6:94:11:44 1 11 130.0M 55 120 38 31488 0x0 0x2f

RSSI indicates the signal strength of the wireless client; generally, a value of 40 or more is fine. RATE indicates the connection rate of the wireless client.

4. Can a fit AP be accessed via Telnet, and what information can be viewed after logging in?
The fit AP supports Telnet access. The default password is admin, and it is not necessary to enter enable mode. Basic information can be viewed from the FS> prompt. Example:

FS#telnet 10.36.253.91
Trying 10.36.253.91, 23...
User Access Verification
Password:admin
FS>

a. Check the AP's mode:

FS>show ap-mode
current mode: fit

b. Check the AP configuration:

FS>show running-config

c. Check the capwap tunnel between the AP and the AC, so as to determine whether the AP has started up:

FS>show capwap state
index peer device state
1 10.36.253.254 : 5246 Run

d. Check the AP version and running time to see whether the AP has been rebooted:

FS>show version
System description: FS Access Point (AP-W6D2400C) By FS.COM Inc.
System start time: 2023-03-26 11:32:52
System uptime: 59:00:49:43 ------>Power on time: days:hours:minutes:seconds
System hardware version: 1.10
System software version: AP_FSOS 11.9(6)W1S7, Release(09221414)
System patch number: NA
System serial number: G1PHAAH001652 ------>Product serial number
System boot version: 2017.09

e. View the wireless users connected to the AP:

FS>show dot11 associations all
There is no station information for interface index(0)
INTF-IDX ADDR AID CHAN RATE RSSI IDLE TXSEQ RXSEQ ERP STATE CAPS HTCAPS
1 00:1f:3c:12:04:99 2 6 54.0M 64 135 938 46944 0x0 0x27 ER Q
1 00:1f:3c:12:84:a4 1 6 54.0M 65 120 59850 15296 0x0 0x27 ER Q
1 78:e4:00:a3:27:df 4 6 130.0M 62 120 64004 50144 0x0 0x22f ERS P
1 90:4c:e5:e2:2f:3e 5 6 104.0M 63 120 63425 864 0x0 0x2f ERs WPSM
1 f0:7b:cb:14:33:71 3 6 54.0M 40 120 29978 768 0x0 0x27 ERSs Q

f. Check the BSSID and radio related information of this AP:

FS>show dot11 wireless 1/0
WLAN ID : 0
Network Name (SSID): NULL
Interface.................... Dot11radio 1/0
VLAN (group) id.............. 0
MAC Address.................. 649d.99d0.1873
Beacon Period................ 100
RTS Threshold................ 2347
Fragment Threshold........... 2346
Radio Mode................... 11axg_he20_2g
Channel...................... 2412(1)
Noise Floor.................. -90 dBm
Channel width................ 20Mhz
Current Tx Power Level....... 100%
Current CCA ................. 35
Current Channel Use ......... 59%
Tx/Rx Chain:
Antenna Gain................. 3
Tx Chain Mask................ 0x3
Num of Antenna Tx............ 2
Rx Chain Mask................ 0x3
Num of Antenna Rx............ 2
Power Save:
DTIM Period.................. 1
DTIM Count................... 0
Stations In Power Save....... 0
Stations Total............... 0

5. How to view a fit AP's configuration information from the AC?
Run "show ap-config run xx" on the AC, where xx is the name of the AP.

6. How to check the cpu usage of a fit AP from the command line of the AC?

show ap-config debug detail

7. How can I confirm on the AP whether it is forwarding locally?

FS#debug fwd dump-mode
WLAN 1 tunnel local

2.4.2 AP Products FAQ - Version 11.x

Parameter Adjustment

1. Can AP's fat mode be web managed?
The fat AP is web enabled by default; the default username and password are both admin, and the administrative address is 192.168.110.1/24.

2. What is the relationship between the MAC address used as the default AP name on the AC and the MAC address on the AP interface?
In fit mode, the AP's ap-config name on the AC is displayed as a MAC address. This is the MAC address on the device sticker, which is generally 1 less than the AP's physical interface MAC address. For example, if the interface MAC is 649d.99d0.e226, then the device MAC is generally 649d.99d0.e225. The specific MAC of the device is the one on the sticker on the back of the device.

3. What is the initial password of the AP?
In the default fit mode, the telnet and console password is admin, and in fit mode there is no need to enter AP privileged mode to configure. The fat AP's default passwords are also admin.

4. Does the AP support NAT and PPPOE?
Supported.

5. Does the AP support Layer 2 roaming?
Not supported. But if all the APs are in the same broadcast domain, and the downlinked clients all use the same DHCP server to get their addresses, then when a client automatically re-associates from one AP to another, the effect is similar to roaming. When re-associating from one AP to another, the STA's wireless connection is briefly disconnected and the STA reacquires its IP, but since it gets the IP from the same DHCP server it will generally get the same IP address, so on the surface the STA is roaming.

6. Which cores of the network cable are used to power the AP?
As a powered device, the AP supports two power supply modes: Alternative A (signal lines 1, 2, 3, 6) and Alternative B (idle lines 4, 5, 7, 8). Which mode is used is decided by the PoE power supply equipment, which generally supports only one type of power supply. If the power supply device supports mode A, then the AP uses mode A to receive power; if the power supply device supports mode B, then the AP uses mode B to receive power.
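Items 1 and 3 above leave AP management on the default admin password, and two AC answers earlier on this page loosen the controller in a similar way: the AAA login list with method none applied to the console and vty lines, and the NFPP guards switched off to cure ping loss. The script below is an added example, not FS code, that audits a saved running-config for those command lines as they appear on this page. The sample configs are constructed, and the indented sub-mode layout, the `local` method and the fall-through to the `default` list are assumptions.

```python
import re

# Constructed samples. The aaa/line/nfpp commands are the ones shown on this
# page; the running-config layout (sub-mode commands indented under their
# parent) and the "local" method in the hardened sample are assumptions.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login no-login none
!
nfpp
 no nd-guard enable
 no dhcp-guard enable
 icmp-guard rate-limit per-src-ip 1
 icmp-guard attack-threshold per-src-ip 1
 no arp-guard enable
!
line con 0
 login authentication no-login
line vty 0 35
 login authentication no-login
!
end
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login mgmt local
!
line con 0
 login authentication mgmt
line vty 0 35
 login authentication mgmt
!
end
"""

AAA_LIST = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_HDR = re.compile(r"^line (con|vty) ")
LOGIN_AUTH = re.compile(r"^login authentication (\S+)$")
GUARD_OFF = re.compile(r"^no (\S+-guard) enable$")


def sections(config):
    """Yield (top-level command, [indented sub-commands]) pairs."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # blank lines and "!" separators carry no settings
        if raw[0].isspace():
            if header is not None:
                body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit(config):
    """Return sorted (severity, message) findings for weak management settings."""
    parsed = list(sections(config))
    # Pass 1: AAA login lists that can admit a user without credentials.
    open_lists = {}
    for header, _ in parsed:
        m = AAA_LIST.match(header)
        if m:
            methods = m.group(2).split()
            if methods == ["none"]:
                open_lists[m.group(1)] = "performs no authentication"
            elif "none" in methods:
                open_lists[m.group(1)] = "falls back to no authentication"
    # Pass 2: where those lists are applied, and which NFPP guards are off.
    findings = []
    for header, body in parsed:
        line = LINE_HDR.match(header)
        if line:
            # Assumption: a line with no explicit list uses the "default" list.
            used = "default"
            for cmd in body:
                m = LOGIN_AUTH.match(cmd)
                if m:
                    used = m.group(1)
            if used in open_lists:
                sev = "HIGH" if line.group(1) == "vty" else "MEDIUM"
                findings.append(
                    (sev, f"{header}: login list '{used}' {open_lists[used]}"))
        elif header == "nfpp":
            for cmd in body:
                g = GUARD_OFF.match(cmd)
                if g:
                    findings.append(("MEDIUM", f"nfpp: {g.group(1)} is disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in audit(WEAK_CONFIG):
        print(severity, message)
```

The vty finding is rated higher than the console one because the vty lines are the ones reachable over telnet.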
7. What is the difference between encapsulation dot1q on the primary interface and on a sub-interface of the AP physical interface?

interface GigabitEthernet 0/1
encapsulation dot1Q 200 ------>Equivalent to configuring GI0/1 port access VLAN 200
interface GigabitEthernet 0/1.200
encapsulation dot1Q 200 ------>Equivalent to configuring a trunk channel for VLAN 200

8. Does AP fat mode support web authentication?
Supported; it is configured and used in the same way as on the AC. But only the management address of the AP is configured in int bvi x. Not recommended.

9. How is the wireless user connection rate negotiated?
When the AP sends out the signal (beacon frame), it includes its supported rate set. The computer also sends its own supported rate set to the AP when probing. After a successful connection, the AP and the computer use different rate sets according to each other's signal strength, so the rate seen on the computer and the rate seen by the AP may differ. The connection rate depends on the supported rate set and the signal strength.

10. What is the wireless transmitting power of the AP?
Refer to the installation manual for details about this parameter.
Note: The actual transmitting power varies according to the regulations of different countries and regions.

11. What power supply methods are available for APs?
a. PoE power supply, which includes:
Using the PSM-CW6AP power supply module
Using a PoE switch supporting 802.3af or 802.3at for power supply
b. 48v adapter power supply (only for APs that support DC power supply)

12. What is the output power of the POE power supply module PSM-CW6AP?
The PSM-CW6AP output power is 30W; it supports APs using the 802.3at/802.3af power supply modes.

13. Polarity of the AP external power connector.
The AP external power connector is external positive and internal negative.

14. What is the maximum distance of PoE power supply?
The maximum distance of PoE power supply is recommended to be no more than 100M.

15. What is the wire sequence used to power the wireless adapter E120/130?
Wire sequence: 4578

16. Which power supply takes precedence for an AP in the following environment: POE Switch -- PoE Injector -- AP -- DC Power Adapter?
The order of precedence is as follows.
The DC adapter has higher priority than the PoE adapter:
a. If the PoE adapter and DC adapter are connected at the same time, the DC adapter takes effect and the PoE adapter does not supply power;
b. If the DC adapter is connected first and then the PoE adapter, the DC adapter supplies power and the PoE adapter does not;
c. If you connect the PoE adapter first (so that it supplies power to the device normally) and then connect the DC adapter, the AP's power supply automatically switches to the DC adapter (the AP will not reboot), and the PoE adapter power supply no longer takes effect.
(In the above three cases, if the DC adapter is unplugged, the AP will reboot and then be powered by the PoE adapter.)
The PoE adapter has higher priority than the PoE switch: when a PoE switch and a PoE adapter are used together, the PoE adapter takes priority. Theoretically, an AP connected to a PoE adapter will not negotiate for power from the switch.

17. How to check on the AP whether the AP is PoE powered or PoE+ powered?

FS#debug pdpoe-test 1
FS#debug pdpoe-test 2

For example:

1-AP-3#debug pdpoe 1
hw power mode: poe1[802.3 AT], poe2[no connect], all hw_mode[802.3 AT].
get gpio value from pdpoe driver[0]

18. Can an AP be configured individually in fit mode?
In fit mode the AP cannot be configured separately on the AP itself; all configuration is issued centrally by the AC.

19. How to optimize the wireless user connection rate to 300M?
a. The wireless card should support 802.11abgn dual-band. Try to use 802.11na (5.8GHz band) when testing, because the 5.8G band is cleaner and has less interference, so the test result will be better;
b. Configure the chan-width of the AP's radio to 40M; basically, using the 40M chan-width of 802.11na, you can achieve a connection rate of 300M. To achieve good test results, note the following:
c. Pay attention to whether there is interference in the same frequency band nearby, and if so, be sure to set the channel manually;
d. For a fit AP, channel auto-tuning on the AC is in auto mode by default, which affects AP throughput; turn off channel auto-tuning with advanced 802.11b channel global off;
e. The signal strength of the AP should be appropriate. It should not be too weak, because the connection speed of the client decreases as the signal strength weakens. However, it cannot be too strong either. You can try testing one or two meters away from the AP. If using the AP-T565 for testing, be careful not to get too close to the AP, as it is a high-power outdoor AP. The strong signal in an indoor environment can affect test results, so the power of the AP-T565 needs to be reduced for testing;
f. If you use Chariot for WLAN throughput testing, you need to add 10 streams. This exercises the full throughput of the AP and reflects the real AP performance.
g. The throughput of the AP is related to the wireless card hardware as well as the driver and the computer. Try testing with several different computers.

20. Can the AP modify the port number of capwap?
Not supported.

21. What is an exposed node?
An exposed node is a node that is within the coverage range of the sending node but outside the coverage range of the receiving node. The exposed terminal may delay sending because it hears the sending node sending. However, it is actually outside the communication range of the receiving node, and its transmission does not cause conflicts. This introduces unnecessary latency. Exposed terminals can be further divided into two types: exposed transmitting terminals and exposed receiving terminals.
Under single-channel conditions, the exposed receiving terminal problem cannot be solved, because all messages sent to the exposed receiving terminal cause conflicts; the exposed sending terminal problem also cannot be solved, because the exposed sending terminal cannot successfully handshake with the destination node. As for the delay problem of exposed nodes: when B sends data to A, C only hears the RTS control message, knows that it is an exposed terminal, and thinks that it can send data to D. C sends the RTS control message to D. If there is a single channel, the CTS from D will conflict with the data message sent by B, so C cannot successfully handshake with D and cannot send a message to D. Therefore, under single-channel conditions, the exposed terminal problem cannot be solved at all. Using control packets under single-channel conditions can only solve the hidden sending terminal problem, and cannot solve the hidden receiving terminal and exposed terminal problems. Therefore, a dual-channel approach must be used, i.e., the data channel is used to send and receive data, and the control channel is used to send and receive control signals.

22. How to understand the angles of directional and omni-directional antennas, for example a directional antenna with a vertical angle of 30 and a horizontal angle of 60?
An omnidirectional antenna can be compared to a streetlight at night, where the illuminated area represents the antenna's coverage area. A directional antenna, on the other hand, is like a flashlight: its beam represents the focused coverage area. Think of yourself as the AP: the angle you see from left to right represents the horizontal angle, while the angle you see from top to bottom represents the vertical angle.

23. The AP's system time has been set. Why does it revert to 1970 once the power is cut and the AP is rebooted?
The AP does not have a clock chip and cannot retain time.
To achieve time synchronization, configure an SNTP server on the device, then set up DNS to enable communication with the external network and synchronize time with the time server.

24. Is there a relationship between the MAC address of the AP's BSSID and the AP's MAC address?
There is no direct relationship. The BSSID is generated through a series of formulas, which vary among different APs, so there is no inherent correlation.

25. Status light silent mode support.
Configure quiet-mode on the wireless AP to turn on the status light silence function, which is supported by all FS wireless APs.

26. When configuring the wireless signal on the WEB page, what is the default password when wireless encryption is selected?
ewebwifi

27. Can the device's SN number be used to distinguish whether the AP is single-band or dual-band?
It cannot be determined directly. Record the SN code and provide it to 4008, who will assist in identifying the product model for verification.

28. What is the priority of the time scheduling function: WLAN-based, ap-based, ap-group-based?
ap>ap-group>ap-con all
ap-based scheduling is not directly related to WLAN-based scheduling: ap-based turns off the radio directly, while WLAN-based turns off the SSID.

29. An AP-N515 connected to an AP-N505 AP cannot get an ip address and cannot come online.
To prevent loops, the AP-N515 turns on mutual isolation between wired ports by default, so it is possible that isolation needs to be turned off on the AP-N515 (command no bridge-l2).

30. Does the fit AP support enabling or disabling SSH login?
The fit AP does not support enabling SSH login.

31. AP bandwidth bundling is unsuccessful.
Bandwidth bundling bundles the current channel with the following available channels. If the current channel is late in the band and there are not enough following channels for bundling, it cannot be bundled.
For example, on channel 11 the bandwidth remaining behind the channel is very small, so there is not enough bandwidth to bundle further back, and a 40 MHz bandwidth setting will be unsuccessful.

32. How does asso-rssi work, and how can it be verified whether it is effective?
When the terminal's average RSSI over a period of time is lower than asso-rssi, the terminal is kicked offline, and it will not be kicked again for 10 minutes. This is used in roaming optimization scenarios to promote roaming. On the AP, the kicked STA records can be displayed with debug sta-mng dump-kick-sta, as follows:

FS#*Apr 6 18:08:24: %7: dump kick sta info: sta 1
*Apr 6 18:08:24: %7: ==================================================================
*Apr 6 18:08:24: %7: f823.b28a.09e5
*Apr 6 18:08:24: %7: kick_count: 0 kick_time: 0s
*Apr 6 18:08:24: %7: kick_count: 1 kick_time: 3s

Output like this means the terminal has been kicked and will not be kicked again for 10 minutes.

33. The following log of Board: FS WIreless Access Point By FS Network appears repeatedly after AP reboot. How to solve it?
This is a hardware problem. Send the device in for repair.

34. Is it possible to modify the name iBeacon of the Bluetooth function ibeacon broadcast, and is it possible to modify the power of Bluetooth?
Neither can be modified. In addition, Bluetooth power and wireless power are independent; there is no relationship between the two.

35. Is there a limit to the number of users for the Bluetooth ibeacon function?
There is no limit to the number of users, because the AP only acts as a broadcaster. In the actual interaction, the phone receives the information in the Bluetooth signal and interacts directly with the server.

36. Will the device be damaged if it is powered off and then powered back on after a period of time, say two weeks?
It will not be damaged.

37. Is it normal that the wireless signal is weak after going through the wall?
For example, only -80db signal strength after a 5G signal goes through the wall.
Test close to the AP first. If the signal there is normal and there is no interference nearby, the cause is severe signal attenuation. Deploying wireless coverage through walls is not recommended; the attenuation differs with wall material and thickness. In general, passing through a wall leaves the signal too weak for normal wireless use.

2.4.3 Maintenance Commands - Version 11.x Parameter Adjustment

1. Switching between fat and fit AP:
Conversion of fit AP to fat AP
FS>ap-mode fat
Conversion of fat AP to fit AP
FS#config terminal
FS(config)#ap-mode fit
In version 11.x, switching between fat and fit mode causes the whole AP to reboot.

2. How to enter privileged mode when the AP is working in FIT AP mode?
When the AP is working in FIT AP mode, the AP is managed by the AC. The fit AP user mode allows viewing the device operating status and configuration, without access to privileged mode. When the AP works in FAT AP mode, the AP can enter privileged mode for management and configuration.

3. How to modify the number of wireless users?
By default, the AP supports up to 32 users, meaning its performance is optimal when the number of connected users does not exceed 32. If more users are connected, packet loss and latency may occur, so modifying the user limit is not recommended. If necessary, the default number of connected users can be adjusted using the following command.
FIT AP:
FS(config)#ap-config BF3_AP_01(AP-name)
FS(config-ap)# sta-limit 50 ----->Modify the total number of wireless users allowed to access the entire AP
FS(config-ap)# sta-limit 20 radio 1 ----->Modify the number of wireless users allowed to access the AP's radio 1
FS(config-ap)# sta-limit 20 radio 2 ----->Modify the number of wireless users allowed to access the AP's radio 2
Note: The number of radio 1 users + the number of radio 2 users <= the total number of wireless users allowed to access the entire AP
FAT AP:
FS(config)#interface dot11radio1/0
FS(config-inf-dot11radio1/0)#sta-limit 20

4. Turn off certain rate sets for wireless:
FS(config)#interface dot11radio1/0
FS(config-if-Dot11radio 1/0)#rate-set 11b disable ?
<1-54> Set 5 for 5.5 | 11b[1,2,5.5,11] / 11a[6,9,12,18,24,36,48,54] /11g[1,2,5.5,6,9,11,12,18,24,36,48,54]

5. How to represent the spatial streams of wireless?
Fit mode:
FS(config-ap)#802.11n mcs support X radio 1 ---->Values of X: 7 single streams; 15 double streams; 23 triple streams
Fat mode:
FS(config-if-Dot11radio 1/0)#rate-set 11n mcs-support X

6. Does the AP support turning off the LED indicator light? What is the specific operation method?
Yes, as follows:
a. Define a schedule session
AC(config)#schedule session 1
AC(config)#schedule session 1 time-range 1 period Sun to Sat time 00:00 to 23:59
b. Call this schedule in the AP
Enter the configuration mode of the AP
AC(config)#ap-config ap-name
Specify a session for the AP
AC(config-ap)#quiet-mode session 1

7. For AP-N515 and other APs with optical ports: how to supply power when using the optical port? How to switch the interface to the electrical port?
Power can still be supplied through the PoE port; you need to switch the interface to the optical port. When the optical port is used to transmit data, the electrical port only supports PoE power.
The operation of switching the interface to the electrical port on the AP is as follows:
AP(config)#interface GigabitEthernet 0/1
AP(config-if-GigabitEthernet 0/1)#medium-type ?
auto-select Set medium type to auto-select
copper Set medium type to copper --------copper is electrical port
fiber Set medium type to fiber --------fiber is optical port
AP(config-if-GigabitEthernet 0/1)#end
AP#write
Note: The switch is performed the same way in fat and fit mode; in both cases you need to log in to the AP. Upgrading to the latest version is recommended, because with the original version the switch configuration may be lost after a restart.

8. Which AP models can change the RF card RF standard (802.11a/b)?
AP-T565, AP-T567, AP-W6D2400C
Command:
Fat mode:
FS(config)#interface dot11radio 1/0
FS(config-if-dot11radio 1/0)#radio-type 802.11a //Switching RF card 1 to 5.8G
Fit mode:
FS(config)#ap-config AP-Name
FS(config-ap)#radio-type 1 802.11b //Switching RF card 1 to 2.4G

9. How to reset a fit AP to factory default settings?
Log in to the AP and execute RFS#apm factory-reset; the device will reboot automatically.
The operation on the AC is as follows: in ac-c mode, factory-reset xx, where xx is the name of the AP, which can be viewed with show ap-config sum.

10. In fat AP mode, how to kick users offline?
FS(config)#wids
FS(config-wids)#kickout client H.H.H (H.H.H is the MAC address of the wireless network card of the terminal that needs to be kicked offline)

11. Can the fit AP be set to reboot regularly every day?
FS(config)#ap-config AP1
FS(config-ap)#reload at 1:00:00 ---->Reboot at 1:00 a.m. daily
FS(config-ac)#no reload at ---->Turn off automatic reboot
FS(config-ac)#end
FS#write

12. How to keep the acquired IP after switching from fit AP to fat mode?
ap-mode fat dhcp

13. How to switch the AP online mode through the AC?
Under ac-c mode: switch2fat ap-name
FS(config)#ac-controller
FS(config-ac)#switch2fat AP1 (AP1 is the name of the AP)

14. How to adjust the channel auto-adjustment time?
After the automatic channel adjustment feature is enabled, the product performs adjustments by default at 2:00 a.m. When testing at a customer site, all time periods throughout the day need to be enabled to observe real-time adjustment effects:
advanced 802.11b channel dca anchor-time 0 23

15. Can the 5.8G RF card change the channel to 36 by modifying the country code?
Yes. Change the country code to US first.
FS(config)#ac-controller
FS(config-ac)# country US
FS(config)#ap-config AP-N505
FS(config-ap)# country US radio 2
FS(config-ap)# channel 36 radio 2

16. How do I change the telnet login username and password from the AC on a fit AP?
In fit AP mode, the following example sets both the AP's telnet login username and password to admin (the first admin is the username, the second admin is the password):
FS(config)#ap-config ap-name
FS(config-ap)#credential admin admin
FS(config-ap)#end
FS#write

17. Is it possible to delete an AP group with online APs in the AP group?
Version 11.x supports this. Example of deleting an AP group named test-group:
FS(config)#no ap-group test-group

18. Is it possible to switch the electrical port to the optical port from the AC in fit mode on AP-N515 and other APs that support an optical port?
Yes. Access the AP on the AC to issue the command:
ap-config aaa : Enters the AP configuration mode. In this example, "aaa" is the AP name.
To execute a specific command on the AP, use the exec-cmd syntax:
exec-cmd mode "interface GigabitEthernet 0/1" cmd "medium-type fiber"
Note: After changing the interface type to fiber, if the physical connection is not switched accordingly, the device may experience link abnormalities. It is recommended to prepare for the optical port switch in advance: connect the fiber interface first, and then bring the device online to avoid connectivity issues.

3.
Wireless Preparation and Tools Introduction

3.1 Preparation for Wireless Products

3.1.1 Terminal Distribution and Density
Confirm by field survey the locations the wireless signal must cover and the approximate number of clients at each location. If you have CAD drawings, you can plan and confirm the AP locations on them.

3.1.2 Application Type
User applications and the number of users a wireless AP can carry are closely related. Only after confirming the type of wireless user application can the number of users per AP be confirmed. The users' various applications need to be converted into traffic. For high-traffic applications whose specific traffic is not known, the traffic needs to be measured. For example, HD cameras occupy different network bandwidths depending on the pixels. It is also necessary to consider the application's other network requirements, such as roaming and specific signal strength requirements for certain STAs.

Traffic requirements for common applications:

Application Type             Individual customer traffic
Website Traffic              50KB/s (fluent, can be opened in 5s)
Webpage Games                40KB/s
Online Games                 80KB/s~130KB/s
Online Music                 300KB/s
P2P Related Applications     320KB/s
P2P Streaming                200Kbps
Video Sharing                250Kbps
Video Services (SD)          150KB/s
Video Services (HD)          500KB/s or above

When the signal strength is guaranteed, the number of users of a single radio frequency card can be calculated as follows:
Number of users = 5M/single customer traffic
(Wireless users may need to use multiple applications. The traffic value of a single customer is that of the highest-traffic application.)

3.1.3 Signal Strength Index
The coverage signal strength index can be set according to different customers.
Refer to the following:

User Type: Carrier Users, Education Industry Users
Signal Strength Index: -75dbm
Description: Although a signal strength of -75dbm cannot guarantee normal Internet access for mobile phone users, the network is mainly used for entertainment applications, and people will not surf the Internet in the location with the worst signal. Therefore, the signal strength indicator does not need to be too high. However, in schools it is necessary to ensure that the received signal strength of teaching equipment is >-70dbm.

User Type: Government and Financial Industry Users
Signal Strength Index: -70dbm
Description: There are many high-end business people. Therefore, the application is more important and requires higher reliability of communication messages.

User Type: Medical Industry Users
Signal Strength Index: -65dbm
Description: The application is extremely important. There are many types of STAs, and there are often handheld terminal devices such as PDAs. PDA reception sensitivity is weak and requires higher signal strength.

3.1.4 Customer Building Structure
The building structure includes information such as actual dimensions, wall structure, thickness, windows and doors, room distribution, and functions. It is better to have the building structure drawing. If the drawing does not include all the information, be sure to confirm it through an on-site visit.
Different buildings have different levels of signal attenuation and the on-site environment may be complex. It is recommended to conduct an on-site investigation. The following values are for reference only:

Floors                                       30db
Load-bearing walls                           20-40db
Brick wall                                   10db
Metal door                                   6db
Student dormitory room windows (10mm)        3db
Human body                                   3db
Open corridor                                30db/50m
Outdoor high places                          30db/200m

3.1.5 RF Environment
WLAN interference. Confirm whether there are a large number of 2.4G or 5.8G wireless signals in the radio frequency environment. If so, this risk factor needs to be considered in the deployment plan. It is recommended to turn off these wireless signals.
Non-WLAN interference.
Currently, common non-WLAN interference sources include microwave ovens, radars, Bluetooth, and certain medical equipment. According to past deployment experience, microwave ovens are the most common and will have a greater impact on APs. The following three points are recommended for consideration in the deployment:
Location and use of microwave ovens.
Whether there are large airports nearby that may cause interference from other spectrums. If the signal energy in these non-2.4G frequency bands is too large, it will also affect the reception of the AP.
Whether there are other APs and how these APs are used.

Through the above site survey process, the engineer outputs information such as the building structure sketch, RF environment risk report, wireless user density, and wireless application types. Based on this information, the engineer can calculate parameters including the wireless user rate limit, the number of users supported per AP, and signal strength indicators.

3.1.6 Select Different AP Models According to The Scenario
Engineers select different AP models according to different application scenarios to meet customer needs. Please refer to the following for selection:
It is recommended to use AP-N515 in relatively open environments such as large conference rooms or libraries, where the number of users is relatively high.
It is recommended to use AP-N505 in environments such as small offices, where there are no obstructions in the area to be covered and wall-to-wall coverage is not required.
It is recommended to use AP-N515H in environments such as hospital wards, student dormitories, and hotels, where small rooms need to be covered and the number of people is relatively fixed.
It is recommended to use hotel wireless solutions if the hotel environment makes it inconvenient to deploy smart antennas in the room openings.
It is recommended to use AP-T565 in an outdoor environment or playground.
It is recommended to deploy AP-N515H indoors if the wireless network serves a small number of users but signal strength must be ensured.

3.1.7 AP Deployment Location Confirmation
The engineer confirms the AP deployment location based on the building structure sketch and the on-site environment. It is recommended that there be no obstruction between the AP and the wireless terminal, to avoid coverage through walls. If the customer scenario is more complex and requires wall-to-wall coverage, a fat AP needs to be set up for signal testing. Ensure that the signal strength in the coverage area is not less than the signal strength index.
The following are reference examples of AP deployment locations:
a. Classroom planning cases

3.1.8 Channel Planning
Channel planning mainly plans the 2.4G frequency band. The 5.8G frequency band has more channel resources and less interference, so there is no need to plan it. (In special circumstances, such as 5.8G requiring bandwidth binding when most network cards are 5.8G, 5.8G channel planning is also required.)
Channel planning needs to follow several principles:
2.4G can only use channel 1, channel 6, and channel 11 for planning. These three channels are in 2.4G and do not interfere with each other.
The co-channel signal cannot exceed -70db, and APs on the same channel should be placed as far apart as possible.
Channel planning case reference is as follows:
a. Classroom planning cases

3.1.9 AP Naming
The default name of the AP when shipped from the factory is the AP MAC address (the MAC address can be found on the back of the AP). To facilitate subsequent maintenance, the AP needs to be named. It is recommended to name the AP according to its location. For example, there is an AP on the east side of the 2nd floor of Teaching Building No. 1.
The naming reference is as follows: JXL_1#_2_D
The engineer needs to output the AP model and AP deployment location. The after-sales engineer performs channel planning and naming based on the AP model and deployment location and outputs the AP Planning Table in the form of an Excel table.

4. Maintenance of Wireless Devices

4.1 AP Installation Guide

4.1.1 Preparation for Installation
a. Collect the MAC addresses of the APs and record them. Confirm the location of each AP. Generally, the MAC of the AP is located at the back of the AP. The MAC of the AP-N515H is located under the front cover.
b. Name the APs and tag them according to their location. The APs can then be handed over directly to the construction team for implementation.
c. For physical installation of the AP, refer to the indoor AP installation guide, outdoor AP installation guide, panel installation guide and other installation guides.

4.1.1.1 Wall-Plate AP Installation Guide
Installation tool requirements: Phillips screwdriver, telephone cable, network cable, standard 86 box, screws.
a. Installation of the 86 box to the wall
Install the 86 box to the wall. One end of the network cable and one end of the telephone cable are each connected through the 86 box to the corresponding interface on the AP host.
b. Connecting network and phone cables to the AP
Connect the network cable to the corresponding interface of the AP host. Loosen the telephone terminal on the AP with a screwdriver and connect any two cores of the telephone cable left in the 86 box to the AP telephone terminal (the telephone cable connects to the middle two holes on the AP).
c. Installing the plate AP to the 86 box
Remove the face frame from the panel, then install the AP panel into the 86 box. Tighten the AP with M4*25mm screws.
d. Snapping on the face frame to complete the installation
Mount the face frame to the AP panel (align the two foolproof holes on the right side and snap down).
Installation completed.

4.1.1.2 Outdoor AP Installation Guide
a. Mount and fix the AP-T565
Install the fixing bracket to the opposite side of the main unit and lock the screws on the fixing bracket, as shown in Figure 1.
Prepare to mount the main unit to the holding bar, either in parallel placement (Figure 2) or vertical placement (Figure 3).
There are 2 sets of fixing holes on the fixing bracket. Install the rings in the different fixing holes according to the placement method and fix the AP-T565 on the holding bar.
Figure 4: Fixing holes on the mounting bracket
Figure 6: Use screws to fix the iron ring
b. AP waterproof treatment
The parts of the AP that need waterproof treatment are the antenna, feeder and lightning arrester. The waterproofing procedure is as follows:
Wrap the first layer with tape: From the bottom up, wrap the first layer of tape using the half-winding method (half winding: the second turn covers half of the first turn, and so on).
Wrap the second layer with mastic: Wrap mastic over the first layer of tape, with both ends of the mastic extending beyond the tape.
Wrap the third layer with tape: Wrap tape around the mastic, with the ends of the tape extending beyond the mastic. The tape needs to be wrapped several times and then pulled tight.

4.1.1.3 Installation Guide for Wall- or Ceiling-Mounted Access Points
AP-W6D2400C, AP-W6T3267C, AP-W6Q4134C, AP-W6T6817C, AP-W6T10000C, AP-N505, AP-N515
Note: The wall mount appearance and the number of screws differ slightly between APs, but the operation is basically the same.
Installation steps are as follows:
a. First, drill four holes of about 5mm in the wall at the four corners of a 120×275mm rectangle.
b. Place the installation conduit into the holes so that the outer edge of the installation conduit is flush with the wall.
c. Fix the wall mount to the wall or ceiling with screws.
d.
Align the three holes on the bottom of the wireless AP with the three positioning posts on the wall mount and fasten them, then pull the AP back by 8mm in the direction of the wall mount screws.
e. Tighten the screws on the wall mount until the top is over the side holes of the AP.
Note: The snap on the bottom of the AP must be engaged.

4.2 Device Login Management

4.2.1 AP Forget IP Address Processing Method

4.2.1.1 FAQ
1. How to deal with a forgotten AP telnet password or login address.
If the management address is lost and the device cannot be restored to factory settings, the only option is to capture the current address with packet capture software (the method also applies when the device has a console port but console login is currently not possible).

4.2.1.2 Configuration Cases
1. Network Requirements
The administrator has forgotten the management address of the WALL-AP (this method also applies when the device has a console port but console login is not possible), and either does not want to change the device configuration or cannot restore the device to factory configuration.
2. Configuration Highlights
Open the packet capture software on the computer and capture packets on the wired interface.
Connect the WALL-AP network cable to the computer and then power on the AP.
3. Configuration Steps
Open the packet capture software on the computer and capture packets on the wired port (Wireshark is used as the example).
Select the packet capture interfaces.
Select the wired interface to which the AP is connected and click Start.
Connect the computer's wired port to the Ethernet port of the AP, which is not yet powered up.
Power up the AP and observe the messages shown in the packet capture software on the computer, focusing on ARP messages. Because the computer is directly connected to the AP, the only ARP messages besides those sent by the computer are those sent by the AP.
After learning the address of the AP from the ARP messages, try to log in to the device using telnet.
The AP may not send ARP resolution packets. In that case, obtain the management address of the AP from an LLDP protocol message: the Management Address inside the LLDP message is the management address of the AP.
If you still cannot log in to the AP: for a WALL-AP it is recommended to restore the AP to factory settings, after which all configurations will be lost; for other APs with console ports, prepare a serial cable to log in.
Restore factory settings operation reference:
Actual packet captures show that the AP often does not send ARP resolution packets. The management address of the AP can be obtained from LLDP protocol messages.
a. Capture the packets.
b. Open the LLDP message; the Management Address field is the AP's management address.

4.2.2 Management via WEB

4.2.2.1 Fat AP management via WEB
Log in to the wireless AP via WEB as follows:
Step 1: How to connect the computer to the device
The Wall-Plate AP is connected to the device in one of the following three ways:
DC adapter power supply
PoE power supply
PoE switch power supply
Note: Create an unused VLAN on the PoE switch, named VLAN 2, then configure the ports connecting the computer and the AP as access ports and assign them to the VLAN.
Step 2: Device login via WEB interface
a. Computer IP address settings (set to the same network segment as the AP default address)
Configure the IP address of the computer's local network card in the same network segment as the AP, for example: 192.168.1.2, Netmask: 255.255.255.0. Gateway and DNS do not need to be configured.
b.
Login to AP's web interface
Enter 192.168.1.1 in your browser (Google or Edge browser is recommended).
Enter admin as the username and password and click Login.
Note: With the connection above, if the computer is directly connected to the LAN2 port of a non-panel AP or to the front-panel interface of a panel AP, and you use 192.168.1.1 to log in and switch the AP to fat mode, the IP address of the LAN2 port (non-panel AP) or the front-panel port (panel AP) changes to 192.168.2.1. The web interface can then no longer be reached at 192.168.1.1; change the computer's IP address to 192.168.2.2 and log in to the device at 192.168.2.1.
If the device web service is disabled and the address needs to be configured, this must be done on the command line.
Steps to start the device web service and configure the administrative address:
WEB function
Web management is supported. Using the latest version is recommended; it can be downloaded from FS.COM.
Log in to the device using telnet or console to enable the AP web function
Please refer to Console Login and Telnet Login for device login procedures.
FS#configure terminal ---->Enter global configuration mode
FS(config)#enable service web-server ---->Enable web service
Configure or change the administrative address and username password
FS(config)#VLAN 1 ---->Create VLAN, VLAN 1 is available by default, other VLAN needs to be created
FS(config-VLAN)#exit
FS(config)#interface bvi 1 ---->If you want to configure in another VLAN, then configure VLAN
FS(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0
FS(config-if-VLAN 1)#exit
FS(config)#
FS(config)#interface gigabitEthernet 0/1 ------>Ethernet interface for AP
FS(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 1 ------>Encapsulate VLAN 1, data without VLAN tag
%Warning: Remove all IP address.
------>Normal prompt, the default management address is under this interface
FS(config-if-GigabitEthernet 0/1)#exit
FS(config)#webmaster level 0 username admin password 123456 ---->Create user name as admin, password is 123456
FS(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254 ---->Configuring the default route
FS(config)#end
FS#wr ---->Save configuration
Login to the device using the browser to manage the device
Open the browser on your computer, type http://192.168.1.1 and press Enter. The default username and password are both admin.

4.2.2.2 AC Web-based Management
Note: The default management IP address of the AC is: 192.168.1.1
The default user password for web login is: admin
Step 1: Computer and AC connection diagram
Note: When logging in to the AC for debugging the first time, connect only the PC after the AC is powered on and do not connect the AC to other network devices; otherwise an IP conflict with an already connected AP is likely, making it impossible to log in to the AC.
Step 2: Device Login
Configure the computer's wired network card with IP address 192.168.1.2, subnet mask 255.255.255.0, default gateway 192.168.1.1.
Open the browser and enter the IP address 192.168.1.1 in the address bar. Then log in to the device web interface; the default login user and password are admin/admin.
It is recommended to change the web login password of the device, which can be done on the web or on the command line.
Use the following command to change the default password for the admin user:
FS(config)#webmaster level 0 username admin password admin123 ---->Password change to admin123
FS(config)#end
FS#wr ---->Save the configuration
If the device web service is disabled and the address needs to be configured, this must be done on the command line.
Steps to start the device web service and configure the administrative address:
WEB function
All versions support web management.
We recommend using the latest version, which can be downloaded from FS.COM.
Use telnet or console to log in to the device to enable the AC web function
Please refer to Console Login and Telnet Login for device login procedures.
FS#configure terminal ---->Enter global configuration mode
FS(config)#enable service web-server ---->Enable web service
Configure or change the administrative address and username password
FS(config)#VLAN 1 ---->Create VLAN, VLAN 1 is available by default, other VLAN needs to be created
FS(config-VLAN)#exit
FS(config)#interface VLAN 1 ---->By default all interfaces of the AC belong to VLAN 1. The default management address is 192.168.1.1. If you want to configure in another VLAN, then configure VLAN.
FS(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0
FS(config-if-VLAN 1)#exit
FS(config)#webmaster level 0 username admin password 123456 ---->Create user name as admin, password is 123456
FS(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254 ---->Configuring the default route
FS(config)#end
FS#wr ---->Save the configuration
Login to the device using the browser to manage the device
Open the browser on your computer, type http://192.168.1.1 and press Enter. The default username and password are both admin.

4.2.2.3 Web FAQ
1. AC/AP default WEB management address and account password description.
AC: Web management is enabled by default; the default web management username and password are admin, and the address is 192.168.1.1.
Fat AP: Web management is enabled by default; the default web management username and password are admin, and the address is 192.168.1.1.
WALL-AP: Web management is enabled by default; the default web management username and password are admin.
Fat mode: The front panel LAN port IP address is 192.168.2.1/24; the uplink port (rear panel uplink port) IP address is 192.168.1.1/24.

2. How do I change the smartweb login port of my wireless device?
ip http port 8000, then use the URL http://x.x.x.x:8000 to log in.

3.
Does Wireless WEB support English interface?
Yes.

4. Can the AC turn off the web management function of all fit APs uniformly?
Yes, configure it in ap-config all mode of the AC:
exec-cmd mode config cmd "no enable service web-server"

5. Unable to open the AP/AC web interface.
Connectivity issues: Confirm from cmd on your computer whether the IP address of the AC or AP can be pinged. If the ping does not work, refer to the section on how to log in to the device. If you can ping but cannot open the web page, go to the next step.
The web service is not open: Log in to the device through the console and use show web-server status to see whether the service is on. If the http server status is disable, the web service is not open; open it manually with the command FS(config)#enable service web-server. If the web page still does not open in the enabled state, go to the next step.
Browser issues: Test with a different browser. We recommend using Google Chrome to log in.
IP address conflicts: If there is no prompt after entering your username and password, or if you are prompted with "Network is down, please log in again", this is usually due to an address conflict.
Incorrectly entered password: If the device reports that the user name and password are incorrect, it is usually a password error. It is recommended to confirm the password or refer to the Password Recovery section for password recovery.
Logging in with a non-admin account: We recommend using an admin account to log in and test.

4.2.3 Management via Telnet

4.2.3.1 Telnet Management Configuration Cases
Configuration cases: remotely logging in to and managing AC and AP devices via the Telnet function.
1. Configuring AC telnet
a. Configure AC telnet functionality via the web page:
After logging in to the AC's web page, select System - System Settings, then select Change Password to set the telnet password.
After setting, select Save Settings, and then the device can log in via telnet.
After setting according to the web page, the telnet password and enable password are the same.
b. Log in to the AC through the console, open AC telnet and configure the enable password:
Refer to "Daily Maintenance > Device Login > Console Login" for console login settings.
Configure AC IP address and routing
FS>enable
FS#configure terminal
FS(config)#interface VLAN 1 ------>By default all interfaces on AC belong to VLAN 1
FS(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0
FS(config-if-VLAN 1)#exit
FS(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254 ------>Configure the default route to allow access to AC across network segments
Configure Telnet password
FS(config)#line vty 0 4
FS(config-line)#password FS ------>telnet password FS. If you need to change the password, use the same command.
FS(config-line)#login
FS(config-line)#exit
Configure enable password
FS(config)#enable password FS ------>enable password FS. If you need to change the password, use this command.
FS(config)#end
FS#write

2. Configuring AP telnet
Log in to the AP via console or telnet, then configure and change the telnet and enable passwords.
Refer to "Daily Maintenance > Device Login > Console Login" for console login settings.
Configure AC IP address and routing
FS>enable
FS#configure terminal
FS(config)#interface bvi 1 ------>Management interface on the AP
FS(config-if-bvi 1)#ip address 192.168.1.1 255.255.255.0
FS(config-if-bvi 1)#exit
FS(config)#interface gigabitEthernet 0/1 ------>Ethernet interface on the AP
FS(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 1 ------>Encapsulate VLAN 1, data without VLAN tag
%Warning: Remove all IP address. ------>Normal prompt, the default management address is under this interface
FS(config-if-GigabitEthernet 0/1)#exit
FS(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254 ------>Configure the default route to allow access to AC across network segments
Configure telnet password
FS(config)#line vty 0 4
FS(config-line)#password FS ------>telnet password FS.
If you need to change the password, use the same command.
FS(config-line)#login
FS(config-line)#exit
Configure enable password
FS(config)#enable password FS ------>enable password FS. If you need to change the password, use the same command.

3. Confirm that the telnet configuration is correct
In Start - Run, type the cmd command and click "OK". In the CMD command line that pops up, type telnet 192.168.1.1 (AC IP address).
image.png
After pressing Enter, the Enter Password screen appears. The password is the telnet login password, which is hidden and not displayed as it is entered. Enter the correct password and press Enter to reach the user mode of the device; the FS> prompt appears.
image.png
After entering enable in FS> mode, you will be prompted to enter the privileged password. Enter the correct password and press Enter to reach privileged mode.
image.png

4. After testing, save the configuration
FS(config)#end
FS#write

4.2.3.2 Telnet FAQ
1. AC/AP default management address description.
AC: The default address of the version is 192.168.1.1; telnet must first be set up through the web page or the console line.
Fat AP: The default address is 192.168.1.1, the telnet password is admin, and there is no default enable password. With the default vty 0 4 (telnet line) settings, login goes directly to FS# without an enable password. The default configuration of the fat AP is as follows:
line vty 0 4
 privilege level 15
 login
 password admin
WALL-AP: In Fit mode, the IP address of both the LAN port and the uplink port is 192.168.1.1/24. In Fat mode, the IP address of the LAN port is 192.168.2.1/24; the IP address of the uplink port is 192.168.1.1/24.
2. Can the telnet password of the AP be changed uniformly on the AC (can the password of the AP be changed from the AC)?
You can change the login password of the fit AP in ap-config or ap-group.
For example: configure the user name of all APs under the AP group (test) as first-ap and the password as 123456:
FS(config)# ap-group test
FS(config-ap-group)#credential first-ap 123456
FS(config)#end
FS#wr ---->Save configuration
3. Error when running the telnet command on a WIN7 system: "Not an external or internal command".
The telnet client function is not enabled by default on Windows 7/8; you need to enable the Windows telnet client function first. Taking Windows 7 as an example, the steps are as follows:
Control panel ---- programs and features ---- turn on or off windows features ---- check the telnet client ---- click "OK"
4. Enable AAA authentication, device telnet function configuration.
a. AAA login authentication that gives direct access to FS> mode without username and password. How to configure:
aaa new-model
aaa authentication login default none
line vty 0 4
 login authentication default
b. AAA login authentication that requires only username and password, with direct access to FS# mode. How to configure:
aaa new-model
aaa authentication login default local none
username admin password admin
line vty 0 4
 login authentication default
 privilege level 15
c. AAA login authentication that requires only the user name, with direct access to FS# mode. How to configure:
aaa new-model
aaa authentication login default local none
username admin nopassword
line vty 0 4
 login authentication default
 privilege level 15
d. Telnet does not require any username and password to log in:
username admin nopassword
username admin privilege 15
line vty 0 4
 login
e. AAA login authentication that requires username and password, entering FS> mode first and then the enable password. How to configure:
aaa new-model
aaa authentication login default local none
username admin password admin
enable password FS
line vty 0 4
 login authentication default
5. What is the number of input errors and lockout time after AAA authentication is turned on and how to change it?
Check the number of attempts and the lock time as follows:
FS#show aaa lockout
Lock tries: 3
Lock timeout: 15 minutes
FS#
The modification method is as follows:
FS(config)#aaa local authentication lockout-time ? //Lock time
<1-43200> Local authentication lockout-time (minutes) (default value:15mins)
FS(config)#aaa local authentication attempts ? //Number of repetitions
<1-2147483647> Max attempts for local authentication user (default value:3)
6. When a user logs into the AC via telnet, he enters the wrong user name but gets into privileged mode normally?
After enabling the configuration aaa authentication login default local none, adding none allows access to privileged mode by entering any username other than the correct one. In other words, having a configuration line such as username admin pass does not mean that all usernames and passwords are verified. If a valid username such as admin is entered, the correct password is required. However, if an arbitrary username (for example, xx) is entered and no corresponding username record is found, access to privileged mode is granted without requiring a password.
7. How do I view and unlock users who are locked out of TELNET/SSH login?
FS#show aaa user lockout ----View locked out users
FS#clear aaa local user lockout ? -----Clear locked out users
all All user
user-name User name
8. The AC has AAA enabled. How do I stop management logins to the AC from also using AAA login authentication?
Adjust the configuration so that logging in to manage the AC no longer uses AAA.
FS(config)#aaa new-model
FS(config)#aaa authentication login no-login none ---->Create an AAA login authentication list named "no-login", with the authentication method none (no authentication)
FS(config)#line con 0
FS(config-line)#login authentication no-login ---->The AAA login authentication list "no-login" is applied on the console line, indicating that AAA authentication is not used
FS(config-line)#line vty 0 35
FS(config-line)#login authentication no-login ---->No password will be used when logging in via telnet

4.2.4 Management via SSH
4.2.4.1 Network Requirements
Requirement 1: SSH login using password authentication only
Requirement 2: SSH login with username and password authentication
4.2.4.2 Network Topology
3.jpg
4.2.4.3 Configuration Points
Turn on the SSH service function of the AC;
Generate the encryption key;
Configure the IP address of the router;
Configure the SSH login password.
4.2.4.4 Configuration Steps
1. Enable the SSH service function of the AC (the SSH function is not enabled by default)
FS#configure terminal ------>Enter global configuration mode
FS(config)#enable service ssh-server ------>Turn on SSH service
2. Generate encryption keys
FS(config)#crypto key generate dsa ------>There are two types of encryption: DSA and RSA, which can be chosen at will.
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: ------>Press Enter directly
% Generating 512 bit DSA keys ...[ok]
3.
Configure the IP address of the AC
FS(config)#interface VLAN 1 ------>AP is configured in interface bvi 1
FS(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0
FS(config-if-VLAN 1)#exit
FS(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2

Requirement 1: SSH login using password authentication only
FS(config)#line vty 0 4 ------>Enter SSH password configuration mode; 0 4 means open remote virtual lines 0 - 4, allowing a total of 5 users to log in to the router at the same time
FS(config-line)#password FS ------>Configure the SSH password as FS, and use the same command to change the password
FS(config-line)#login ------>Enable password authentication for SSH login devices
FS(config-line)#exit ------>Exit to global configuration mode
FS(config)#enable password FS ------>Configure the enable password as FS, and use the same command to change the password
FS(config)#end ------>Exit to privileged mode
FS#write ------>Save device configuration
Verify that the configuration is correct:
a. Open the SecureCRT software (Note: SSH login to the router requires software that supports an SSH client; Windows CMD mode does not support SSH, so SecureCRT is used here as the SSH client) and select the icon circled in red below.
image.png
b. Select SSH2 for the protocol and enter the IP address of the router for the host name.
image.png
c. Click on Connect, then select Accept & Save in the following box.
image.png
d. The Enter Username screen appears. Enter a random username.
image.png
e. The Enter User Name and Password screen appears. Enter the remote login password.
image.png
f. After confirmation you enter user mode, i.e. FS> mode.
image.png
g. After entering enable in FS> mode, you will be prompted to enter the privileged password. Enter the correct password and press Enter to reach privileged mode.
image.png

Requirement 2: SSH login using the user name and password authentication
FS(config)#line vty 0 4 ------>Enter SSH password configuration mode; 0 4 means open remote virtual lines 0 - 4, allowing a total of 5 users to log in to the router at the same time
FS(config-line)#login local ------>Enable username and password based authentication for SSH login devices
FS(config-line)#exit //Exit to global configuration mode
FS(config)#username admin password FS ------>Configure username and password
FS(config)#enable password FS ------>Configure the enable password
FS(config)#end ------>Exit to privileged mode
FS#write ------>Save device configuration
Verify that the SSH configuration is correct:
a. Open the SecureCRT software and select the icon circled in red below.
image.png
b. Select SSH2 for the protocol and enter the IP address of the router for the host name.
image.png
c. Click on Connect, then select Accept & Save in the following box.
image.png
d. The Enter Username screen appears. Enter the username admin.
image.png
e. The Enter User Name and Password screen appears. Enter the remote login password.
image.png
f. After confirmation you enter user mode, i.e. FS> mode.
image.png
g. After entering enable in FS> mode, you will be prompted to enter the privileged password. Enter the correct password and press Enter to reach privileged mode.
image.png

4.2.4.5 Configuration Verification
a. Use the "show service" command to confirm whether the SSH service function is enabled or not.
image.png
b. Use the "show ssh" command to view the status of the SSH service.
image.png
c. Use the "show users" command to see which users are currently logged in.
image.png

4.2.4.6 SSH FAQ
1. After SSH login to the AC, is it possible to SSH login to other devices from the AC?
No, SSH does not support jump login.
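The Telnet FAQ above states that a trailing none in an AAA login list lets an unknown username in without a password, and several of the sample configurations use nopassword, privilege level 15 on the vty lines, or the passwords admin, 123456 and FS. The following is an added example, not part of the FS guide: a small auditor that flags those conditions in an exported configuration. The rule names, both sample configurations and the assumption that sub-mode commands are indented are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Passwords that appear in the guide's own examples; a match is flagged as weak.
EXAMPLE_PASSWORDS = {"admin", "123456", "FS"}


@dataclass(frozen=True)
class Finding:
    rule: str
    lineno: int
    detail: str


def parse_blocks(config):
    """Group a config into (lineno, command, [(lineno, subcommand), ...]).

    Assumption: commands entered in a sub-mode (for example under
    'line vty 0 4') are indented in the exported configuration.
    """
    blocks = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][2].append((lineno, text))
        else:
            blocks.append((lineno, text, []))
    return blocks


def is_weak(password, username=None):
    return password in EXAMPLE_PASSWORDS or password == username


def audit(config):
    """Return findings for AAA fall-through, empty and example credentials."""
    blocks = parse_blocks(config)
    findings, method_lists = [], {}

    # Pass 1: global commands (AAA method lists, local users, enable password).
    for lineno, cmd, _ in blocks:
        if m := re.fullmatch(r"aaa authentication login (\S+) (.+)", cmd):
            methods = m[2].split()
            method_lists[m[1]] = methods
            if methods == ["none"]:
                findings.append(Finding("AAA-NONE-ONLY", lineno,
                                        f"list '{m[1]}' performs no authentication"))
            elif "none" in methods:
                findings.append(Finding("AAA-NONE-FALLBACK", lineno,
                                        f"list '{m[1]}' admits usernames with no local record"))
        elif m := re.fullmatch(r"username (\S+) nopassword", cmd):
            findings.append(Finding("USER-NOPASSWORD", lineno,
                                    f"user '{m[1]}' has no password"))
        elif m := re.fullmatch(r"username (\S+) password (\S+)", cmd):
            if is_weak(m[2], m[1]):
                findings.append(Finding("WEAK-PASSWORD", lineno,
                                        f"user '{m[1]}' uses a documented example password"))
        elif m := re.fullmatch(r"enable (?:password|secret) (\S+)", cmd):
            if is_weak(m[1]):
                findings.append(Finding("WEAK-PASSWORD", lineno,
                                        "enable password is a documented example value"))

    # Pass 2: console and vty lines, resolved against the method lists above.
    for lineno, cmd, subs in blocks:
        if not re.fullmatch(r"line (?:vty|con) .+", cmd):
            continue
        sub_cmds = [text for _, text in subs]
        for sub_no, sub in subs:
            if m := re.fullmatch(r"password (\S+)", sub):
                if is_weak(m[1]):
                    findings.append(Finding("WEAK-PASSWORD", sub_no,
                                            f"{cmd}: line password is a documented example value"))
            elif m := re.fullmatch(r"login authentication (\S+)", sub):
                if "none" in method_lists.get(m[1], []):
                    priv15 = "privilege level 15" in sub_cmds
                    rule = "LINE-PRIV15-NO-AUTH" if priv15 else "LINE-NO-AUTH"
                    findings.append(Finding(rule, sub_no,
                                            f"{cmd}: list '{m[1]}' can skip authentication"))
    return findings


# Constructed sample following the pattern of Telnet FAQ 4b/4c.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local none
aaa authentication login mgmt local
username admin password admin
username guest nopassword
enable password FS
line con 0
 login authentication mgmt
line vty 0 4
 login authentication default
 privilege level 15
"""

# Constructed counter-example: no 'none' method, no example passwords.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
username netops password Vq7-constructed-example
enable secret Zk4-constructed-example
line vty 0 4
 login authentication default
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.lineno}: {f.rule}: {f.detail}")
```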
4.2.5 Management via Console
Wireless AC and AP devices are managed via Console
Log in to the command line configuration interface of the wireless device using the console.
Attention: Wireless APs all have the default address 192.168.1.1. The default console password of the fat AP is admin, with no enable password needed; the default console password of the fit AP is admin.
4.2.5.1 Tools needed
Computers with CRT software and USB-A ports;
Console port of the AC: There is a port marked "console" on the front panel of the device.
Configuration cable: (One end is an RJ45 port, the other is a USB-A port).
image.png
Login Device
a. Use the configuration cable to connect the COM port of the computer and the Console port of the AC.
b. Configuring the CRT: Open the computer's "CRT" program.
image.png
Create a new quick connection and select serial as the connection protocol. Select the COM port connected to the current configuration cable (note that some computers may have more than one COM port, so take care to select the correct one). The device console port baud rate is 9600 (if the device cannot be controlled properly at 9600, try changing the baud rate to 115200; data flow control must be set to none). Then click "OK":
image.png
The following message will appear after pressing the "ENTER" key, proving that the login was successful:
FS>
4.2.5.2 Console FAQ
1. The default password for wireless devices when logging in to manage using console
AC: No default password.
Fat AP: The console password is admin and there is no default enable password.
Fit AP: The console password is admin; the default enable password is admin.
2. The console line uses CRT login. There are messages output, but the device cannot be operated
a. Failure phenomenon
Customers report that information only pops up after console line login, there is no response to pressing Enter, and commands cannot be entered.
b. Network environment
New AP, just unpacked, using CRT login.
c. Processing steps
Is CRT or HyperTerminal being used?
If it is CRT, you need to remove the CTS/RTS tick.
If there is an adapter cable, you need to ensure that the driver has been correctly installed.
Try to modify the baud rate to 115200.
Change the console cable or change the computer.
d. Troubleshooting
Normal operation returned after the CTS/RTS tick was removed.
e. Fault summary and attention
Summary: CRT flow control not being turned off can also cause other failure phenomena:
Cannot log in to the operation console with CRT.
After logging in with CRT, the operation window is blank and there is no information output, but the cursor is flashing and there is no response when pressing Enter.
After logging in with CRT, the operation window is blank without any information output, the cursor flashes, and the cursor moves when you press Enter, but there is still no information output.
After logging in with CRT, information only pops up all the time, but there is no response to pressing Enter, and no operation is possible.
When logging in with HyperTerminal, the "com" property setting Data flow control option must be selected as "None".
3. Console line using CRT login, page shows blank
If the following is displayed:
image.png
Description: The serial port is not connected, or the connection is abnormal.
Checking:
a. For a USB to serial cable connection, check whether the USB driver is installed; you can download the driver wizard to check the installation.
b. If you are using a serial cable, it may be a PC interface problem or a serial cable problem. Try changing the cable or interface.
After successful installation of the driver, if the following situation is displayed:
image.png
Description: As the above figure shows green, the serial port or USB to serial port connection to the PC is normal.
Checking:
a. Check the physical link: whether the console cable is unplugged, whether the console cable is plugged into a LAN port rather than the console port, or whether the console port is not plugged in tightly.
b.
Check in the software whether flow control is still enabled; this causes the blank screen above and may also lead to only half of the screen being loaded. Turn off flow control as follows:
image.png
c. Switch to another baud rate to test, such as 115200.
d. Test for a hardware problem. It may be a serial cable or console port problem. You can try changing the console cable or the device (a console port problem is not very likely).
e. Test for a software problem: check whether you can use the CRT software to log in to other APs (or switch to HyperTerminal and try to log in to the AP).

4.2.6 Device Management (console/vty) FAQ
4.2.6.1 Maintenance Commands
1. How to check the number of APs the device can support?
FS#sh ac-config
AC Configuration info:
max_wtp: 32
sta_limit: 1024
license wtp max: 32
license sta max: 1024
serial auth:Disable
password auth: Disable
certificate auth: Disable
Bind AP MAC: Disable
AP Priority: Disable
supp_psk_cer: Disable
ac_name:end
ac location: FS_COM
2. How to check the MAC of the AC?
Use show ac-config or show member.
FS#sh ac-config
AC State info:
sta_num: 0
act_wtp: 6
localIpAddr: 1.1.1.1
localIpAddr6:::
used wtp: 6.0(6 normal 0 half 0 zero)
remain wtp: 42 normal 84 half 634 zero
HW Ver: 1.01
SW Ver: AC_FSOS 11.9(6)W1S7, Release(09230210)
Mac address: 649d.99d1.cc37
Product ID: FS
NET ID: 9876543210012345
NAS ID: 649d.99d1.cc37
FS#show member
System description: FS
System Mac Address: 649d.99d1.cc37

4.2.6.2 FAQ
1. Identification of terminal type on the wireless smartweb page.
The identification order is: HTTP---DHCP----MAC
a. MAC OUI query (this can only identify the vendor, so it is only used as an aid to the other two identification methods).
b. DHCP identification (the DHCP server is on the AC or the dhcp snooping function is enabled). The terminal type is usually in the "Option: (60) Vendor class identifier" field of the DHCP message.
c.
If web authentication is configured on the device, HTTP identification will be performed. Generally, the terminal is identified from the user-agent of the HTTP request.
2. How do wireless devices record log information to FLASH?
FS(config)#logging file flash:filename [max-file-size] [level]
filename: Log file name, without a file type suffix. The log file suffix is fixed to TXT, and a file name that includes a suffix will be rejected.
max-file-size: Configure the maximum size of the log file.
level: The severity level of the logs, in increasing steps. Levels 0-6 are log messages. Level 7 is debug information.
3. Configure automatic synchronization of log information on the AP to the AC.
a. In AC configuration mode, start sending the relevant information from the specified AP to the AC, configured as follows:
FS(config-ac)# tran-data-start ap-name {exception | memory}
Start to get related information from the specified AP.
exception: the specified AP sends the dead log information;
memory: the specified AP sends device status information, including CPU information.
b. In AC configuration mode, view the relevant information obtained from the specified AP. The corresponding view command is as follows:
FS(config-ac)# tran-data-show ap-name {exception| cpuinfo| memory| syslog}
View the related information obtained from the specified AP.
exception: the dead log information of the specified AP;
cpuinfo: CPU information of the specified AP;
memory: the memory information of the specified AP;
syslog: the general log information of the specified AP.
4. How to get a fit AP to restore factory configuration?
Operation on AC: Execute "factory-reset xxx" under ac-controller, and the AP will automatically reboot to finish restoring the factory configuration. The prerequisite is that the AP has already established a tunnel with the AC.
Operation on AP: Enter the privileged mode of the AP and execute "clear ap flash"; the AP will reboot automatically to complete the factory reset operation.
This command is a hidden command; the privileged password is apdebug.
5. WS configuration is garbled and cannot be deleted.
Export the configuration, delete the garbled configuration, and then run FS#copy startup-config running-config
6. How to turn off the web function of APs in bulk?
Method 1:
ap-con all
exec-cmd mode config cmd "no enable service web-server"
wr
Method 2: First, import the ap-webmaster.txt file into the flash.
ap-config all
auto-cfg file flash:ap-webmaster.txt force
7. The AC has AAA enabled. How do I stop management logins to the AC from also using AAA login authentication?
Adjust the configuration so that logging in to manage the AC no longer uses AAA.
FS(config)#aaa new-model
FS(config)#aaa authentication login no-login none ---->Create an AAA login authentication list named "no-login", with the authentication method none (no authentication)
FS(config)#line con 0
FS(config-line)#login authentication no-login ---->The AAA login authentication list "no-login" is applied on the console line, indicating that AAA authentication is not used
FS(config-line)#line vty 0 35
FS(config-line)#login authentication no-login ---->No password will be used when logging in via telnet
8. Timeouts on VTY and console links: the difference between the exec-timeout and session-timeout parameters.
a. exec-timeout
Usage Guidelines: If this connection does not have any input or output within the specified time, the connection is disconnected and this LINE is restored to the idle available state. This applies to connection sessions that other terminals initiate to this device. The default timeout is 10 min. If you want a login to the device, such as telnet, to never time out, you can configure the following command:
line vty 0 4
 exec-timeout 0 0 ------> The login session will not exit due to idle timeout when executing commands
b.
session-timeout
Usage Guidelines: If a session to a remote terminal has been established from the current LINE and there is no input or output within the specified time, the connection is disconnected and the LINE is restored to the idle available state. This applies to connection sessions that the device itself initiates to other remote terminals. The default timeout is 0 min, which means it never times out.
9. Troubleshooting common problems such as the console port not being able to log in to the device, or output appearing but input not being accepted.
Perform the following steps to troubleshoot:
a. Is the console port on HyperTerminal selected correctly?
b. Is the flow control function of HyperTerminal/SecureCRT turned off? ------> Check this especially when the console output is stuck at %SYS-5-COLDSTART: System coldstart.
c. Does rebooting the device produce output?
d. Change the baud rate to 115200 and try.
e. Replace the console cable.
f. Replace the computer.
Turn off the flow control settings: Using the CRT software, turn off flow control as follows
image.png
10. After setting the enable password, entering the configured enable password prompts a password error.
a. Check if there is more than one space after the enable password.
b. Check the previous operation logs to see if the password was configured as follows:
FS(config)#enable secret 5 FS
or
FS(config)#enable password 7 FS ----->If a plaintext password was set incorrectly using either of the two forms above, with a parameter such as 5 or 7, then you can only reboot or recover the password
c. Delete the original password after recovery:
FS(config)#no enable secret
or
FS(config)#no enable password
d. Then set a new password:
FS(config)#enable password FS
or
FS(config)#enable secret FS
Test first whether the device can be managed. If successful, save the configuration with wr. If you cannot log in, the configuration is probably wrong and needs to be reset; never run wr in that case.
11.
When executing write to save the configuration, an error reports that the config.text file cannot be created?
Check whether the current flash space is insufficient with the dir command; you can free up space by deleting some useless files. It is recommended to keep at least 1M of space for storage.
12. How can the switch record user information and the commands executed when a user logs in to the device via console/vty, so that they appear in the log?
FS(config)#logging userinfo command-log //Enable the function of logging user information, including what commands were executed
Apr 2 2011 03:24:31.779: %LOGIN-5-LOGIN_SUCCESS: User login from vty0(192.168.51.64) OK.
*Aug 9 10:59:17: %SYS-5-CONFIG_I: Configured from console by console
*Aug 9 10:59:46: %CLI-5-EXEC_CMD: Configured from console command: router ospf 1
*Aug 9 10:59:47: %CLI-5-EXEC_CMD: Configured from console command: exit
//Once the user has logged in, the CLI prints a message about the user's VTY/console link login and which commands were executed, and "show logging" shows that these have also been saved to the log file
13. Does the device support associating ACLs to control the range of SSH login?
Yes. The range of telnet and ssh login is controlled by the same command. FSOS platform switches mainly use access-class under line vty to associate ACLs that control which hosts may log in via telnet or ssh. Example configuration:
ip access-list standard 1
 10 permit 10.10.10.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class 1 in
 login
14. Does the device support mac-based access restrictions by setting an acl under line vty?
Not supported. Neither mac-acl nor expert acl can be used under vty to restrict user login by matching mac addresses. (Because vty is a socket at the application layer, which is above the network layer, the source mac is not available.)
If customers want to restrict access based on mac, they can apply an expert acl on the relevant interface to block the traffic of certain macs, but this method is more troublesome.
15. What is the effect of the AAA service on console and vty line login authentication after it is turned on?
a. Effect on console port
If no password verification was previously configured under line console 0, then the AAA service can be turned on without requiring a password to log in, although the enable password remains the same and needs to be entered.
If line console 0 is configured with password verification, then by default console login will no longer require a password after the AAA service is turned on, mainly because the configuration changes at this point.
Show before starting AAA service
line con 0
 login
 password FS
Show after opening AAA service
aaa new-model
line con 0
 password FS //This password will be invalid
If password authentication is still required on the console port after enabling the AAA service, the following configuration can be added. However, in this case, only username and password authentication is supported; password-only authentication is not available.
username FS password FS // Configure the local username and password.
// This step is required; otherwise, login will fail after exiting the console port because no username+password database exists.
aaa authentication login default local
or
aaa authentication login con local
line con 0
 login authentication con
// Recommended approach: use a custom authentication list for the console only.
// Avoid using the default list, as it will also affect other login methods such as Telnet.
b. Impact on vty links, such as telnet login
If line vty is configured with login password verification, then after opening the AAA service, vty port login will not be able to use the original password login.
You need to use username + password to verify, so before opening the AAA service, please make sure to add the following database configuration, username FS password FS, otherwise telnet will not be successful.
Show before starting AAA service
line vty 0 4
 login
 password FS
!
Show after opening AAA service
aaa new-model
username FS password FS //You must configure the database, otherwise you will not be able to log in after exiting the console port because there is no database with username+password.
line con 0
 password FS //This password will be invalid
If you need to change the authentication method of the vty interface, or use a TACACS+ or RADIUS server to verify login accounts, you can modify the authentication list and the method it calls, for example:
aaa authentication login vtylog group radius local
line vty 0 4
 login authentication vtylog
16. How do I keep the console port from popping up the logs? How does telnet display logs?
Keep the console port from popping up the logs: FS(config)#no logging console
Telnet display logs: FS#terminal monitor
The command to disable it is: FS#terminal no monitor
17. How to check which SSH version the current device is using: version 1, version 2, or both enabled simultaneously?
This can be checked using the command show ip ssh, which typically displays one of the following cases:
a. version 1.99: by default, SSH version 1 and SSH version 2 are enabled at the same time, and show ip ssh displays version 1.99;
b. version 1.5: ip ssh version 1 is configured on the device, and show ip ssh displays version 1.5;
c.
version 2.0: ip ssh version 2 is configured on the device, and show ip ssh displays version 2.0;
If ip ssh version 1 or ip ssh version 2 is configured, only the configured ssh version takes effect. To return to the default, in which both ssh versions are enabled, configure default ip ssh version.
FS(config)#ip ssh version 2
FS(config)#show ip ssh
SSH Disable - version 2.0
please enable service ssh-server
Authentication timeout: 120 secs
Authentication retries: 3
SSH SCP Server: disabled
FS(config)#ip ssh version 1
FS(config)#show ip ssh
SSH Disable - version 1.5
please enable service ssh-server
Authentication timeout: 120 secs
Authentication retries: 3
SSH SCP Server: disabled
FS(config)#default ip ssh version
FS(config)#show ip ssh //When no ssh version is configured by default, it also shows version 1.99
SSH Disable - version 1.99
please enable service ssh-server
Authentication timeout: 120 secs
Authentication retries: 3
SSH SCP Server: disabled
18. When the privilege level is set to 1, does the show run command display only partial configurations?
Requirement: with level 1 permissions, the user can run show run to see all current configurations.
a. User's configuration:
username admin1 password admin1
privilege exec level 1 show running-config
privilege exec all level 1 show //"all" here refers to every command that show can use, not just part of them
b. Test results: With this configuration, show run displays only partial information (the level 1 commands), not the full configuration.
Workaround: At present, it is not possible to make show run display all the contents with one command; you must add the contents to be displayed one by one.
For example:
privilege config all level 1 router ospf
privilege config all level 1 router bgp
privilege config all level 1 monitor session
privilege config all level 1 spanning-tree
privilege exec all level 1 ping
privilege exec all level 1 ping length
Test result: At this point you can see the configuration of ospf, bgp, mirror and spanning tree inside show run.
19. With aaa new-model configured on the AC, terminal login is locked after 3 errors. How to change the parameters?
aaa local authentication lockout-time ----Modify lock time
aaa local authentication attempts max-attempts ---Modify the maximum number of errors.
20. How to give a single user on the AC show permission only?
The expectation is to restrict the user to the ap-config configuration privileges and the corresponding show commands by configuring the following commands:
privilege ap-config level 1 antdetect enable
privilege ap-config level 1 antenna
privilege ap-config level 1 ap-name
privilege ap-config level 1 channel
privilege ap-config level 1 ishare mode
privilege ap-config level 1 power local
privilege config level 1 ap-config
privilege exec level 1 show antenna all
privilege exec level 1 show antenna single
privilege exec level 1 show ap-config
privilege exec level 1 show ap-config sum
username gc password gc123
username gc privilege 1
Because entering enable with the default enable password grants privilege level 15, all commands are still supported. You also need to configure:
AC(config)#enable secret level 2 0 xxxx
This sets the enable password for the corresponding level. The enable level cannot be set to 1; if it is 1, you cannot log in to the device.
When using AC>enable 2, you need to add level 2 and then enter the password xxxx; this achieves the requirement.
21. When logging in to the device via telnet, all information is displayed at once after show run. How can I display a certain number of lines at a time and show the rest after pressing Enter or the spacebar?
For the telnet login display issue, configure length x under line vty 0 4, where x is the number of lines to be displayed at a time. If x is 0, everything is displayed at once.

22. When the telnet login account and the enable password are linked with a tacacs+ server, telnet login succeeds but the enable password does not work.
Check the configuration for the following:
aaa authentication enable default group tacacs+ enable // This command must be configured; otherwise, the enable password may not function properly.
or
aaa authentication enable default group tacacs+ local enable // In case the server fails, the system will use the local enable password instead.

4.3 Software Upgrade Management
4.3.1 Notes on Version Upgrade
1. Purpose of the equipment upgrade
a. Get new features.
b. Resolve software defects.
2. Pre-upgrade preparation
a. Download the latest version from the FS website (www.fs.com) or contact the service hotline at +1 (888) 468 7419.
b. Before upgrading your device, the following pre-checks help improve the success rate of the upgrade:
Stop all non-upgrade related operations as much as possible;
Check memory and CPU utilization in advance: do not upgrade at high CPU utilization (e.g. above 80%) or high memory occupation (e.g. above 80%), when the system is unstable and prone to transmission and upgrade failure;
Check the file system space in advance: make sure there is sufficient storage space on the device to complete the upgrade; if the space is insufficient, the upgrade can be done from a U disk or SD card;
Prepare the rollback in advance: if you need to guard against the system not functioning properly after the upgrade (e.g. a trial version) and the selected method does not support upgrade rollback, also prepare the upgrade package for the old version in advance.
c.
Before upgrading, prepare the console cable and use it to collect boot information in case the device upgrade fails.
d. Before upgrading, read the hardware support section in the release notes of the new version. Confirm that the hardware/engine type and line card model supported by the version are correct and that the version used in the field supports the current hardware. Pay attention to the hardware version number of the field device (show ver gives the hardware version number of the device and the line card) and check whether it is included in the release.
e. Turn on the logging function of the terminal software during the upgrade; if the upgrade fails, the log can be sent to +1 (888) 468 7419 for support.
f. Before upgrading a fit AP, the MD5 value of the AP version can be checked from the AC to verify the integrity of the version, as follows:
FS#verify MAP752E-161214.bin
When special characters are involved, escape characters must be used. For example, if the AP version name is AP_W6T6817C_FSOS11.9(6)W1S7_S2X4-04_09221414_install.bin, a backslash (\) must be added before the parentheses, as shown below:
/data # md5sum AP_W6T6817C_FSOS11.9\(6\)W1S7_S2X4-04_09221414_install.bin
3. Upgrade Notes
a. Upgrading the system requires more storage space, so the storage space of the device may not be enough to support the upgrade or to back up the old system. For example, if the storage space can hold only one upgrade package, the old one has to be deleted before the upgrade, which makes it inconvenient to roll back when the upgrade goes wrong or to try a version temporarily. The storage space available in some low-end devices is too small to accommodate even one upgrade package.
The problem of storing upgrade packages can be addressed in one of the following ways:
Use remote (network) upgrade method: In this way, the upgrade package is downloaded directly to the memory to complete the upgrade; no local temporary storage space is needed.
Using U disk, hard disk, etc. to expand the space: these media have huge capacity, are inexpensive, and can solve all storage space problems.
b. AC device will automatically reboot after the upgrade is completed, so users should make the relevant preparations before upgrading the device.
c. The FLASH space of the AC product may not be sufficient to store upgrade packages for all AP models. In this case, part of the AP series can be upgraded first. After the upgrade is completed, delete the corresponding AP series upgrade package, then import the next AP series upgrade package to continue the upgrade.
d. After activating a version file, the activation configuration must be removed first (no active-bin-file filename) before deleting the version file; otherwise, a file deletion error will occur due to the file being in use. Upgrading the AP cannot be triggered by simply overwriting the existing upgrade package. The activation configuration must be deleted first, then the new upgrade package should be downloaded, the version reactivated, and the upgrade configuration reapplied to trigger the upgrade of the online APs.
e. During the upgrade process, if an unexpected power failure occurs, the system should be checked immediately after reboot to verify whether the previous upgrade was successful. If the upgrade was not successful, try running the upgrade command again. If the system cannot enter FSOS after reboot, perform the system upgrade in BOOT mode. If BOOT also fails to start, contact after-sales support.
f. If a file system error is reported during the upgrade or operation process, enter the system BOOT mode to reformat the storage device partitions, and then reinstall the entire system.
g.
New version verification fails and needs to be rolled back.
Rollback of subsystem upgrade: use forced installation of the old upgrade package.
Rollback of component upgrade: re-force installation of the old version.
Note: Since there may be dependencies between components, when a component needs to be rolled back, it may already be dependent on other components, making version rollback impossible. Therefore, in general, check immediately after a component upgrade whether the component functions normally, so that the decision on a component version rollback can be made right away.
h. Make sure the configuration of the manual upgrade is correct.
sh ac-config serial-product
The above information is displayed only if the version is activated, the serial number is configured, and the version and serial number are associated, i.e. the ap-image version serial number.
i. When upgrading the AP version from the AC, once the upgrade has been turned on, the operation cannot be interrupted. Even if no ap-image is configured, it will not be interrupted. The AP can be kicked offline by command; this does not affect devices that have downloaded only half of the version, because the upgrade is not carried out without a complete download. If, in hot standby, the version is uploaded for upgrade on both the master and the standby, the upgrade operation on the standby has no effect on online APs; newly added APs will be upgraded.

4.3.2 Wireless AC Upgrade
Upgrade precautions:
When performing an upgrade, prepare a console connection and ensure it is functioning properly. If the upgrade fails, console management must be used for recovery.
The device will reboot during the upgrade, causing service interruption. It is recommended to perform the operation during off-peak hours when the wireless network can be temporarily disconnected.

4.3.2.1 Webpage Upgrade Method
1. Log in to the web management page of the device and make a configuration backup first, just in case.
AC needs to backup both config.text and ap-config.text. Click System - System Settings - Restore Factory Settings, then choose to export the current configuration and to export the ap-config configuration, and store each locally on the computer.
2. Click System - System Upgrade.
3. On the Local Upgrade menu page, click Browse, select the software version of the device stored on your computer, and then click Start Upgrade.
4. After that, there will be an update progress bar and a message that the main program is being updated and the device is being rebooted. The process lasts about 3 minutes, please wait patiently.
5. After about 3 minutes, the device is upgraded successfully and the page refreshes automatically. Click on the details of the current version to check it.

4.3.2.2 Command Line Upgrade Method
1. Upgrade Steps
a. Log in to the device, confirm the device version and back up the relevant files. Log in to the device using the console line or another login method. See Console login:
FS#copy flash:config.text tftp://192.168.1.100/config.text ---> Back up the AC configuration file to the computer with IP address 192.168.1.100
FS#copy flash:ap-config.text tftp://192.168.1.100/ap-config.text ---> Back up the configuration of the AP on the AC to the computer with IP address 192.168.1.100
FS#show version ---> Check version information
System description: FS Wireless LAN Control (AC-224AP) By FS.COM Inc
System start time: 2023-03-26 10:01:32
System uptime: 64:08:00:17
System hardware version: 1.00
System software version: AC_FSOS 11.9(6)W1S1, Release(09132804)
System patch number: NA
System serial number: G1Q92BF001971
System boot version: 1.2.12
Module information:
Slot 0: AC-224AP
Hardware version: 1.00
Boot version: 1.2.12
Software version: AC_FSOS 11.9(6)W1S1, Release(09132804)
Serial number: G1Q92BF001971
b.
Make sure that the computer and the device are connected, put the bin file and the tftp software in the same folder, then open the tftp software.
c. Upgrade AC; the device will reboot automatically after a successful import.
FS#upgrade download tftp://192.168.1.100/FSOS.bin ---> Use the file named "FSOS.bin" on the computer 192.168.1.100 as the main program of the AC
d. Check if you have upgraded to the target version after a successful reboot:
FS#show version ---> Check version information
System description: FS Wireless LAN Control (AC-224AP) By FS.COM Inc
System start time: 2023-03-26 10:10:02
System uptime: 00:00:03:17
System hardware version: 1.00
System software version: AC_FSOS 11.9(6)W1S7, Release(09230210)
System patch number: NA
System serial number: G1Q92BF001971
System boot version: 1.2.12
Module information:
Slot 0 : AC-224AP
Hardware version: 1.00
Boot version: 1.2.12
Software version: AC_FSOS 11.9(6)W1S7, Release(09230210)
Serial number: G1Q92BF001971

4.3.3 Fat AP Upgrade
Upgrade precautions:
Before performing the upgrade, prepare a console connection and verify that it functions properly. If the upgrade fails, console management must be used for recovery.
The device will reboot during the upgrade, resulting in service interruption. It is recommended to carry out the operation during off-peak hours when the wireless network can be temporarily disconnected.

4.3.3.1 Webpage Upgrade Method:
1. Log in to the web management page of the device and make a configuration backup first, just in case. AC needs to backup both config.text and ap-config.text. Click System - System Settings - Restore Factory Settings, then choose to export the current configuration and to export the ap-config configuration, and store each locally on the computer.
2. Click System - System Upgrade.
3. On the Local Upgrade menu page, click Browse, select the software version of the device stored on your computer, and then click Start Upgrade.
4. After that, there will be an update progress bar and a message that the main program is being updated and the device is being rebooted. The process lasts about 3 minutes, please wait patiently.
5. After about 3 minutes, the device is upgraded successfully and the page refreshes automatically. Click on the details of the current version to check it.

4.3.3.2 Command Line Upgrade Method
1. Upgrade precautions: Before performing the upgrade, prepare a console connection and verify that it is functioning properly. If the upgrade fails, console management must be used for recovery.
2. Upgrade Steps
a. Log in to the device, confirm the device version and back up the relevant files. Log in to the device using the console line or another login method. See Console login:
FS#copy flash:config.text tftp://192.168.1.100/config.text ---> Back up the AC configuration file to the computer with IP address 192.168.1.100
FS#show version ---> Check version information
System description: FS Access Point (AP-W6D2400C) By FS.COM Inc.
System start time: 2023-05-25 16:36:23
System uptime: 4:18:54:54
System hardware version: 1.00
System software version: AP_FSOS 11.9(6)W1S7, Release(09132719)
System patch number: NA
System serial number: G1PHAAH017631
System boot version: 2017.09
b. Make sure that the computer and the device are connected, put the bin file and the tftp software in the same folder, then open the tftp software.
c. Upgrade AC; the device will reboot automatically after a successful import.
FS#upgrade download tftp://192.168.1.100/FSOS.bin ---> Use the file named "FSOS.bin" on the computer 192.168.1.100 as the main program of the AP
Upgrade the device must be auto-reset after finish, are you sure upgrading now?[Y/n]y
Running this command may take some time, please wait.
Please wait for a moment......
Press Ctrl+C to quit
!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!.!!!
Begin to upgrade the install package FSOS.bin...
--->Automatic reboot ready for upgrade
*Jan 1 00:03:52: %7: Upgrade processing is 10%
Uncompress file 330-b5.bin ........
d. Check if you have upgraded to the target version after a successful reboot.
FS#show version ---> Check version information
System description: FS Access Point (AP-W6D2400C) By FS.COM Inc.
System start time: 2023-05-25 16:42:58
System uptime: 00:00:03:23
System hardware version: 1.00
System software version: AP_FSOS 11.9(6)W1S7, Release(09221414)
System patch number: NA
System serial number: G1PHAAH017631
System boot version: 2017.09
e. If the upgrade fails, check whether the correct bin file was used. You can refer to the version release notes.

4.3.4 Fit AP Upgrade
1. Network requirements
Software version upgrade for APs operating in fit mode.
2. Network topology
[Figure: network topology]
3. Software version acquisition methods and notes:
a. The software version can be downloaded from the official website of FS (link: WWW.FS.COM). Alternatively, if the AC communicates normally with the external network, the download from the official website can be chosen in the AC web interface (the specific method is described in detail below).
b. Do not power off or reboot during the transfer of the software version.

4.3.4.1 Webpage Upgrade Method
1. Log in to the web management page of the device and make a configuration backup first, just in case. AC needs to backup both config.text and ap-config.text. Click System - System Settings - Restore Factory Settings, then choose to export the current configuration and to export the ap-config configuration, and store each locally on the computer.
2. Click the System - System Upgrade - AP Upgrade page. Turn on the AP auto-upgrade switch. It is ON when it is bright green.
3. Browse to the AP version you just downloaded and import it into the AC.
4. Follow the prompts to activate the software version.
5.
After a period of time, the AP version upgrade is successful. (This time includes the time for the AC to pass the version to the AP and the reboot time of the AP. The transfer time depends on the network condition and bandwidth from AC to AP, and the AP reboot time is about 3 minutes.) Click System - System Upgrade - AP Upgrade to see the AP models and software versions that are already online.

4.3.4.2 Command Line Upgrade Method
1. Configuration points
Turn off your computer's antivirus and firewall.
Make sure the tftp port of the computer is not occupied by other processes.
Make sure the computer and wireless devices communicate properly.
2. Configuration steps
a. Refer to the Console Login section to log in to the device and make sure the computer where the software version is stored can ping the AC address.
b. Verify that the current configuration of the device allows all APs to be properly associated with the AC. To verify, use "show capwap state" on the AC to see if the AP's operating mode is in "run" state. If the output on the AC is empty, refer to the Individual Wireless Signal Configuration chapter for configuration.
c. After logging in to the AC, use "show version" to check the AC version and make sure the AC and the upgraded AP version are the same. If they are not the same, follow the AC upgrade chapter to upgrade the AC.
FS#show version
System description: FS Wireless LAN Control (AC-224AP) By FS.COM Inc
System start time: 2023-03-26 10:10:02
System uptime: 00:00:03:17
System hardware version: 1.00
System software version: AC_FSOS 11.9(6)W1S7, Release(09230210)
System patch number: NA
System serial number: G1Q92BF001971
System boot version: 1.2.12
Module information:
Slot 0 : AC-224AP
Hardware version: 1.00
Boot version: 1.2.12
Software version: AC_FSOS 11.9(6)W1S7, Release(09230210)
Serial number: G1Q92BF001971
d.
Use "show version" to confirm the model, hardware and software version of the AP. Select different software versions according to different models and hardware versions.
1-AP-3#show version
System description: FS Access Point (AP-W6T6817C) By FS.COM Inc.
System start time: 2023-04-24 14:15:28
System uptime: 35:22:16:51
System hardware version: 2.00
System software version: AP_W6T6817C FSOS 11.9(6)W1S1, Release(09132719)
System patch number: NA
System serial number: G1QH5VE000032
System boot version: 1.6.1
e. On the computer where the AP software version is stored, put the AP version and the "TftpServer.exe" software in the same folder, and open the "TftpServer.exe" software.
f. Log in to the AC and use the following command to transfer the AP version from the computer to the AC's flash. Suppose the address of the computer is 192.168.1.100, and the software version of AP-W6T6817C is FSOS.bin.
FS#copy tftp://192.168.1.100/FSOS.bin flash:FSOS.bin
Press Ctrl+C to quit
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Copy success ------>File transfer was successful
g. Configure the upgrade command on the AC and prepare for the upgrade. Take the AP-W6T6817C with hardware version 2.0 as an example.
FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#ac-controller
FS(config-ac)#active-bin-file FSOS.bin ------>Activate the AP software version. "FSOS.bin" means the ap version is saved in AC flash as FSOS.bin
FS(config-ac)#ap-image auto-upgrade
The AP will be upgraded after access. If the AP is online, it is upgraded immediately, which leads to an AP reboot and service interruption, so the version should be upgraded during a low-peak service period. Use "show ap-config updating-list" to view the progress of each AP upgrade.
AP upgrades are indicated on the AC by the following:
*Jul 8 11:10:19: %CAPWAP-6-UPGRADE: AP(649d.99d0.e226)'s image version will be updated from [1.0.0.495fc0c6] to [1.0.0.40ed0096].
h.
After confirming that the AP has upgraded, rebooted and re-established the tunnel, save the configuration:
FS(config-ac)#show version all ------>Check the current software version of the AP, or telnet to the AP and use "show version" to check
FS(config-ac)#end ------>Exit to privileged mode
FS#write ------>Confirm that the configuration is correct and save it
3. Configuration Verification
View the AP version on AC:
FS#show version ap-name 649d.99d0.e226
AP(649d.99d0.e226)'s version:
Product ID: AP-W6T6817C
System uptime: 00:00:03:22
Hardware version: 2.00
Software version: AP_W6T6817C FSOS 11.9(6)W1S1, Release(09221414)
Patch number: NA
Software number: M19523701272022
Serial number: G1QH5VE000032
MAC address: 649d.99d0.e226
View the AP version on AP:
1-AP-3#show version
System description: FS Access Point (AP-W6T6817C) By FS.COM Inc.
System start time: 2023-04-24 14:15:28
System uptime: 00:00:04:10
System hardware version: 2.00
System software version: AP_W6T6817C FSOS 11.9(6)W1S1, Release(09132719)
System patch number: NA
System serial number: G1QH5VE000032
System boot version: 1.6.1

4.3.5 AC and AP Boot Layer Software Upgrade
4.3.5.1 With Console Cable
Wireless AC and AP device boot layer software upgrade, for devices with a Console port. This is the common procedure for a Console port device whose main program is lost:
1. Network Requirements
Wireless device (AC or AP) software version upgrade, typically used when the main device program is lost. It requires the use of a console cable to operate.
2. Operation Steps
a. Log in to the device using the console line or another login method (see the chapter on Console login), put the software version and the tftp software in one directory, and open the tftp software.
b. Reboot the wireless device, press and hold ctrl and keep pressing C to enter the ROM level as prompted, then select "0".
Boot 1.1.6-00481-gfaecb93 (Sep 20 2014 - 18:39:21)
Board: FS Wireless Access Point By FS.COM Network
DRAM: 128 MiB
Flash: 2 MiB
NAND: 128 MiB
In:serial
Out:serial
Err:serial
SETMAC: Setmac operation was performed at 1970-01-01 00:00:00 (version: 11.0)
Press Ctrl+C to enter Boot Menu 0
Net:eth0
Entering simple UI....
====== BootLoader Menu("Ctrl+Z" to upper level) ======
TOP menu items.
********
0. Tftp utilities.
1. XModem utilities.
2. Run main.
3. SetMac utilities.
4. Scattered utilities.
********
Press a key to run the command: 0
c. Then select the "1" option and follow the steps below to complete the upgrade.
====== BootLoader Menu("Ctrl+Z" to upper level) ======
Tftp utilities.
********
0. Upgrade bootloader.
1. Upgrade kernel and rootfs by install package.
2. Down to memory and jump to run.
********
Press a key to run the command: 1
Plz enter the Local IP:[192.168.1.100]:192.168.1.100 ----->Temporary IP address configured for the AP
Plz enter the Remote IP:[192.168.1.5]: 192.168.1.5 ----->IP address of the computer
Plz enter the Filename:[330.bin]: FSOS.bin ----->File name of the main program on the computer
Erasing SPI flash...Writing to SPI flash...done
Auto-update from TFTP: trying update file 'FSOS.bin'
Speed: 100, full duplex
Using eTSEC1 device
TFTP from server 192.168.1.5; our IP address is 192.168.1.100
Filename 'FSOS.bin'.
Load address: 0x1000000
Loading: #################################################################
################################################################# ----->Start transferring files. Content omitted
done ----->Successful transmission
Bytes transferred = 17946998 (111d976 hex)
Uncompressing 0x111d1b7@0x10007bf to 0x1642f70@0x211d978
Uncompressed 0x1642f70 bytes
Get boot addr 0x0,len 0x0; kernel addr 0x0,len 0x0; rootfs addr 0x21a9aa8, len 0x14a0000
Package information:
rootfs version:1.0.0.10635701
rootfs target:AP-W6D2400C
Determined to upgrade? [Y/N]: y ----->Select y
Upgrading, keep power on and wait please ...
Erasing SPI flash...Writing to SPI flash...done
upgrade kernel...
upgrade rootfs... ----->This state will last for about 1 minute, please be patient.
----->Log content omitted
UBIFS: reserved for root: 0 bytes (0 KiB)
SUCCESS: UPGRADING OK. ----->The upgrade is successful and will return to the boot menu
====== BootLoader Menu("Ctrl+Z" to upper level) ======
Tftp utilities.
********
0. Upgrade bootloader.
1. Upgrade kernel and rootfs by install package.
2. Down to memory and jump to run.
********
Press a key to run the command: ----->Press ctrl z to return to the upper menu
====== BootLoader Menu("Ctrl+Z" to upper level) ======
TOP menu items.
********
0. Tftp utilities.
1. XModem utilities.
2. Run main.
3. SetMac utilities.
4. Scattered utilities.
********
Press a key to run the command: 2 ----->Option 2 Load main program
----->Log content omitted
adding user fsosm...
adding user guest...
adding user sslvpn...
adding user postgres...
*Jan 1 00:00:11: %FS_SYSMON-5-WARMSTART: System warmstart. ----->Device started successfully
use software md5!
FS> ----->Started successfully
d. Check for upgrade to target version:
FS#show version
System description: FS Access Point (AP-W6D2400C) By FS.COM Inc.
System start time: 2023-05-25 16:42:58
System uptime: 00:00:03:23
System hardware version: 1.00
System software version: AP_FSOS 11.9(6)W1S7, Release(09221414)
System patch number: NA
System serial number: G1PHAAH017631
System boot version: 2017.09

4.3.5.2 Without Console Cable
Guidance Manual for Handling AP Master Program Related Issues
1. Main program lost
a. Judgment of main program loss phenomenon
Phenomenon 1: Judging from the AP indicator
The indicator light stays in the initialization state; on most products it blinks green. See the corresponding product hardware installation manual for details of the indicator light.
Phenomenon 2: Judging from the AC log
If the AP is configured to manage the VLAN address pool and option 138 (138 option points to AC).
And the tftp-server enable command is enabled on the AC. With AC syslog enabled (it is on by default; the command to turn logging on is FS(config)# logging on), the following logs can be seen on the AC (a log entry usually takes more than 7 minutes to appear, so it is recommended to keep monitoring syslog for more than 20 minutes):
*Mar 15 16:26:00
*Mar 15 16:26:09: %TFTP_SERVER-6-REQUEST: RRQ from 50.1.1.3 filename FSOS.bin
Phenomenon 3: Judging from the log of the uplink switch
After the main program is lost, the AP will repeatedly try to download the main program and reboot. Usually the down time is very short, and the up time can be several minutes.
b. Recovery Methods for Lost Master Programs: Ceiling/Outdoor/Wall-Plate AP Recovery Method
Automatic Recovery via AC:
Detailed configuration steps are as follows:
a. Configure the AP's dhcp server and option 138 (if the correct IP address can be obtained and a tunnel established through this configuration when the main program is not lost, this configuration step can be skipped)
b. Enable the tftp-server function on the AC
AC(config)#tftp-server enable
AC(config)#tftp-server topdir flash:/
Import the AP's bin file to the AC. The bin file needs to be named as follows:
If the AP has previously been upgraded through the AC, the .bin file name should match the file name specified in the active-bin-file configuration during the last upgrade on the AC.
Alternatively, the file name can be identified by enabling syslog on the AC (enabled by default). Use the following command to enable logging if needed:
FS(config)# logging on
Observe the logs for about 10 minutes. When the AC log shows that the AP is requesting the version file from the AC, rename the AP file to match the requested file name shown in the log. For example, as illustrated below, the requested file name is "FSOS.bin."
Assuming the computer's IP address is 192.168.1.100 and the AP120-H software version file is FSOS.bin, use the following command to transfer the AP version file to the AC:
AC# copy tftp://192.168.1.100/FSOS.bin flash:/FSOS.bin
In addition, ensure that the file is not activated. If it has already been activated, deactivate it using the following configuration:
AC(config)# ac-controller
AC(config-ac)# no active-bin-file FSOS.bin // Deactivate the file
Recovery Method via Local PC:
Detailed configuration steps are as follows:
a. Connect the PC and the AP in the same LAN (layer 2 topology), or connect the PC directly to the AP's LAN port, and set the PC's IP to 192.168.64.1 and mask to 255.255.255.0.
b. Create a file named "FileList.txt", and in FileList.txt, list the names of the installation packages that need to be downloaded, please name it FSOS.bin, for example:
c. Name the installation package to be updated FSOS.bin, put the TFTP Server (see attachment), the bin file and FileList.txt in the same directory, open the TFTP Server on the PC, and determine the download path as shown below, set the red circle as the path to store FileList.txt and the installation package.
d. Restart the AP so that it downloads automatically. The TFTP interface on the PC shows the process, as in the TFTP tool download process (the tftp color block area). In addition, when the tftp download process is completed 100%, wait at least 30s after restarting the device to complete the repair.
The status prompts of the TFTP tool are as follows:
No log --- Confirm the physical Ethernet connection and the IP address of the PC.
Aborted --- Make sure the file name entered in FileList.txt is the same as the file name to be downloaded.
Downloading --- Downloading is in progress
Completed --- Downloading completed, waiting for update
2.
Summary
Based on the above 3 major problems, it is highly recommended to upgrade to the latest version and enable the TFTP function during project delivery:
Upload the latest recommended software version of the corresponding AP to the AC.
Select a time when there will be no power interruptions (no work such as plugging or unplugging network cables, no power outages) to activate the software version and turn on the automatic upgrade.
After the upgrade is completed, cancel the auto-upgrade (no ap-image auto-upgrade).
Enable TFTP function (tftp-server enable).

4.3.6 Upgrade FAQ
Maintenance commands
1. Check the status of the AP upgrade with:
show ap-config updating-list
AP NAME                                  AP PID            File Tx  Time     AP Reset Ready
---------------------------------------- ----------------- -------- -------- ---------------
FS#
2. How can I view the AC upgrade history?
The "show upgrade history" command shows exactly when, how, and which files were upgraded.
Checking the Software Upgrade History
Use the following command on the AC to view the device software upgrade history:
FS#show upgrade history
Example Output:
Upgrade History Information:
Time : 2022-05-24 14:17:33
Method : BOOT
Package Name : AC_224AP_FSOS_11.9(6)W1S1_G2C6-01_09132804_install.bin
Package Type : MAIN
Time : 2022-11-01 10:20:07
Method : BOOT
Package Name : main-ac224ap.bin
Package Type : MAIN
Time : 2022-11-01 10:28:27
Method : BOOT
Package Name : AC_224AP_FSOS_11.9(6)W1S1_G2C6-01_09132804_install.bin
Package Type : MAIN
Time : 2022-11-02 11:30:15
Method : BOOT
Package Name : AC_FSOS11.9(6)W1S7_G2C6-01_09230210_install.bin
Package Type : MAIN

FAQ
1. Adaptive upgrade support
AC is able to automatically identify the software version used based on the AP model, eliminating the need to specify the AP series and avoiding the need to configure the AP model and hardware version number.
The command is ap-image auto-upgrade. A configuration case follows:
Configure to upgrade AP-W6D2400C v1.0 and AP-W6T3267C v3.0
Method 2: Use the adaptive upgrade function
FS(config)# ac-controller
FS(config-ac)#active-bin-file AP-W6D2400C.bin
FS(config-ac)#active-bin-file AP-W6T3267C.bin
FS(config-ac)#ap-image auto-upgrade

2. When activating a software version, the AC shows the following prompt:
AC-224AP(config-ac)#active-bin-file AP-W6D2400C.bin
File is incorrect or already actived with same project,please check it or try download again.
37 -rwx 17.9M Tue Mar 29 10:43:31 2016 AP-W6D2400C.bin
38 drwx 448B Wed Dec 9 23:23:40 2015 fs_licns
39 drwx 13.0k Fri Mar 18 02:39:17 2016 syslog
40 -rwx 22.0M Fri Dec 4 10:32:05 2015 AP-W6D2400C.bin
41 -rwx 17.9M Fri Dec 4 10:39:37 2015 AP-W6T3267C.bin
ac-controller
active-bin-file AP-W6T3267C.bin
This error appears because the same software version has already been activated on the device under a different version name (the AP-W6D2400C.bin and AP-W6T3267C.bin above are the same bin).

3. How to confirm the BIN file used for a particular AP?
Download the release notes for the corresponding version; the upgrade file section lists the version that corresponds to each device model.

4. How can the wireless AC limit the number of APs that are prompted to upgrade each time?
In AC global mode:
ac-controller
capwap upgrade max-concurrent 10 ---------- Limit to 10, default limit 15

5. How to check which AP models and versions are available in AC?
FS#sh WLAN diag network
Time: 2023-05-29 15:03:46
AC uptime: 1541.3 h
Online AP: 181 Offline AP:6
Online AP Version:
PID             HwVer      SwVer                                              AP Number
--------------- ---------- -------------------------------------------------- ---------
AP-W6D2400C     1.00       AP_FSOS 11.9(6)W1S7, Release(09221414)             17
AP-W6Q4134C     1.00       AP_W6Q4134C FSOS 11.9(6)B1S5, Release(08132509)    6
AP-W6Q4134C     1.00       AP_W6Q4134C FSOS 11.9(6)W1S1, Release(09132719)    3
AP-W6T6817C     2.00       AP_W6T6817C FSOS 11.9(6)W1S1, Release(09132719)    88
AP-N505         1.00       AP_FSOS 11.9(6)W1S7, Release(09212010)             67
6. How do I upgrade a single AP or an AP within an AP group on the AC?
First, transfer the software version of the AP to the AC's flash, and then do the following on the AC (this only works for APs that have established a tunnel with the AC):
FS(config)#ac-con
FS(config-ac)#active-bin-file ap1.bin ------>Activate the AP software version; "ap1.bin" means the AP version is saved in the AC flash with the name ap1.bin
FS(config-ac)#ap-serial AP-W6D2400C hw-ver 1.x ------>Define the AP product family; the name is AP-W6D2400C and the product is hardware version 1.x of AP-W6D2400C
FS(config-ac)#exit
To upgrade a single AP:
FS(config)#ap-config 649d.99d0.4581 ------>Go to the ap-config of the AP-W6D2400C to be upgraded
FS(config-ap-config)#ap-image ap1.bin ------>Send the software version; the AP will restart automatically after the version is sent successfully
To upgrade APs within an AP group:
FS(config)#ap-group xx ------>Access the AP group to be upgraded
FS(config-group)#ap-image ap1.bin ------>Send the software version; the AP will restart automatically after the version is sent successfully
7. During a manual upgrade, transferring the version into the device prompts that the disk is full.
The following prompt appears for the imported version:
Prompt message: Copy failed. Maybe disk full, communication error or request was denied.
Run dir to check whether the flash is full. If it is not, and there is no other version in the directory, a full flash can be ruled out as the cause.
The cause is basically a TFTP-related problem. It is recommended to check the firewall, anti-virus software and connectivity, or to test with different TFTP software.
8. Can AC and AP export the current software version?
The FSOS installation is split into different files, and the main FSOS.bin program is not visible with dir on the device, so it is not possible to export the currently running software version from the device.
9. Solution for an unsuccessful upgrade between versions with the same Release number.
You can use the following command to perform the upgrade: "Ac#upgrade download tftp://1.1.1.1/FSOS.bin force". Alternatively, upgrade to a different Release version as a transition.
10. Fit AP synchronization upgrade instructions.
The AC performs distributed upgrades when upgrading APs, i.e. APs transfer versions to each other.
Default distribution: depth is 5 and concurrency is 3. If the concurrency configured on the AC is X, the total number of APs upgrading concurrently is {(5*3)+1}*X = 16*X. (The number of concurrently upgrading APs on the AC is set in ac-c mode with the command FS(config-ac)#capwap upgrade max-concurrent.)
If an AP is downloading the version, show capwap state shows it as image data. If the number of APs set on the AC to upgrade at the same time is 5, the maximum number of simultaneous image data states is 16*X=16*5=80. If the current queue is full, the other APs enter run mode first and wait for their turn to enter image data for the version upgrade.
The default depth and concurrency can be modified with the following commands in ac-c mode:
capwap upgrade max-depth num
capwap upgrade ap-capacity num
Understanding depth: depth is the length of the chain ap1 -> ap2 -> ap3 -> ap4 -> ap5, in which one AP upgrades the next.
Understanding concurrency: one AP can issue versions to y APs at the same time.
The upgrade order of APs is chosen according to AP uptime: the longer the uptime, the higher the priority in the upgrade order.

4.4 Password Recovery
4.4.1 AC, Fat AP Password Recovery
To recover the password, please prepare the configuration cable first. Password recovery is done by entering the CTRL level while rebooting the device and requires disconnection from the network. Please perform password recovery when it is convenient to disconnect the network.
1. Network Requirements
If the administrator forgets the login password, the password can be recovered by entering the CTRL level via the configuration cable.
2. Configuration Highlights
a. Password recovery requires the configuration cable, and the device must be rebooted into the CTRL level to complete the operation.
b. Password recovery on the wireless AC is only effective for the current session: after entering the CLI command line interface, if there is no key input within 10 minutes, the password is required again after the timeout. Likewise, if you do not change the password after entering, the device will use the previous password after the next reboot.
3. Configuration Steps
a. Log in to the device via the console.
b. Reboot the wireless device (power-cycle it), and press the Ctrl and C keys continuously and quickly after power-up to enter the ROM layer.
c. Enter the bootloader menu and enter the uboot command line by pressing the Ctrl key and Q key at the same time.
d. In the uboot command line, enter the command "main_config_password_clear".
====== BootLoader Menu("Ctrl+Z" to upper level) ======
TOP menu items.
**************
0. Tftp utilities.
1. XModem utilities.
2. Run main.
3. SetMac utilities.
4. Scattered utilities.
5. Set backplane info
**************
Press a key to run the command
AC-224AP#main_config_password_clear
e.
The device will automatically reboot, run the main program, and enter the configuration CLI command line interface without a password after reboot.
Note: If you have not entered the CLI command line interface, you will need a password when you enter it again. The default timeout is 10 min; please change the password before the timeout.
f. Change the password and save the configuration:
FS#config terminal # Enter global configuration mode
FS(config)# no enable secret # Delete enable secret password
FS(config)# no enable password # Delete enable password
FS(config)# enable password FS # enable password configured as FS
FS(config)# username admin password FS # If AAA is enabled to invoke local user authentication, use this command to change the user password
FS(config)# line vty 0 4
FS(config-line)#password FS # The password for Telnet login is configured as FS
FS(config-line)#login
FS(config-line)#end
4. Functional Verification
Log back in to the device with the new user name and password to make sure you can log in successfully.

4.4.2 Fit AP Password Recovery (restore factory settings)
1. Network Requirements
For a fit AP that is already online on the AC, you can restore the factory settings of the AP on the AC. The configuration of a fit AP is held on the AC, so there is no password recovery operation for the fit AP. The method below restores the AP to factory settings from the AC.
2. Configuration Highlights
Fit AP Mode: Confirm the name of the AP to be restored to factory configuration. Restore the factory configuration of the AP by factory-reset.
3. Configuration Steps
Log in to the AC to perform the operation:
FS(config)#ac-controller
FS(config-ac)# factory-reset ap-name # Use "show ap-config summary" to see the AP name
Notes:
After executing this operation, the AP will automatically reboot to complete the factory restore.
If the AP is statically configured with an IP address, you need to configure it again manually.
For fit APs that are not online and need to restore factory settings, you can perform the operation on the AP; the AP will automatically restart after executing the following command:
FS(config)# apm factory-reset

4.5 Restore Factory Setting
4.5.1 Using Hardware Reset Button
Notes on restoring factory settings:
a. Not all APs support restoring factory settings with the reset key (some APs do not have reset keys, and some reset keys can only reboot but not restore factory settings).
b. For wall-plate APs such as AP-N515H, press and hold the key labeled "Reset" on the panel for more than 3 s to restore factory settings (note: a short press of less than 2 s switches the system between fat and fit mode).
c. When the hardware reset key is used to restore factory settings, the AP is restored to fit AP mode. If you need a fat AP deployment, please switch the mode again.
1. Product Requirements
The following models are currently supported for reset recovery:
Ceiling AP: AP-W6D2400C, AP-W6T3267C, AP-W6Q4134C, AP-W6T6817C, AP-W6T10000C, AP-N505, AP-N515
Wall-Plate AP: AP-W6D1775C, AP-N515H
Outdoor AP: AP-T565, AP-T567
2. Configuration Highlights
Fit AP mode:
a. Confirm the name of the AP to be restored to factory configuration;
b. Restore the factory configuration of the AP via factory-reset.
Fat AP mode: Directly press and hold the "Reset" key marked on the panel for more than 3 s.
3. Configuration Steps
Fit AP mode: Log in to the AC to perform the operation:
FS(config)#ac-controller
FS(config-ac)#factory-reset ap-name --->Use "show ap-config summary" to see the AP name
Notes:
1. The AP will automatically reboot after performing this operation to complete the factory restore.
2. Restoring factory settings returns the AP to the factory configuration. If the AP is statically configured with an IP address, you need to manually configure it again.
Fat AP mode: No configuration is needed. Press and hold the key labeled "Reset" on the panel for more than 3 s, release it, and wait for a successful reboot before verifying, as follows:
a. Find the AP reset hole; refer to the specific hardware installation manual (available on the official website www.FS.com). (The diagram is for case reference only; not all AP reset hole locations are shown on the diagram. To reach the reset key of a Wall-Plate AP, the shell has to be taken off; the key is generally on the side of the AP.)
b. After the device is powered on and running normally, insert a small pin into the reset hole and press it for more than 3 seconds (usually 5-8 seconds); the device then restores factory settings by itself.
4. Function Verification
After restoring the factory settings, log back in:
Trying 192.168.1.1, 23...
User Access Verification
Password: FS
FS>en
FS#
Description: The AP default management IP is 192.168.1.1, web management is open by default, and the default web login user name and password are both admin.

4.5.2 Using Normal Mode
Restoring factory settings of a wireless device in normal mode
1. Network Requirements
Factory reset the wireless device (AC or AP).
2. Network Topology
The computer and the wireless device communicate normally; you can use the ping command to test.
3. Configuration Highlights
a. You need to be able to log in to the device via Telnet or console line.
b. Please follow the steps.
4. Configuration Steps
Fit AP mode: Log in to the AC to perform the operation:
FS(config)#ac-controller
FS(config-ac)#factory-reset ap-name --->Use "show ap-config summary" to see the AP name
Note:
1. The AP will automatically reboot after performing this operation to complete the factory restore.
2. Restoring factory settings returns the AP to the factory configuration. If the AP is statically configured with an IP address, you need to manually configure it again.
3.
For fit APs that are not online and need to restore factory settings, you can perform the operation on the AP; the AP automatically reboots after executing the following command:
FS(config)#apm factory-reset
Fat AP mode:
a. Delete the configuration file (the AP is still in fat mode after the operation)
1. Log in to the device using telnet or console line. See "Telnet Management" and "Console Management" in "Device Maintenance Management".
2. Delete the configuration file config.text:
FS#del config.text
Are you sure you want to delete "config.text"? [Yes/No]y ------>Type "y"
3. Check whether the configuration file config.text is deleted successfully. If it is not, repeat step 2.
FS#dir
4. Reboot the device:
FS#reload
Proceed with reload? [no]y ------>Type "y"
Operation completed.
b. Fully restore the factory settings (the AP is in fit mode after the operation)
FS(config)#apm factory-reset -------->After entering the command and pressing the Enter key, the device will automatically reboot to recover
AC:
1. Log in to the device using telnet or console line. See "Telnet Management" and "Console Management" in "Device Maintenance Management".
2. Delete the configuration file config.text:
FS#del config.text
Are you sure you want to delete "config.text"?[Yes/No]y ------>Type "y"
FS#del ap-config.text -------> (On the AC, if you need to clear the AP configuration, you also need to remove ap-config.text)
Are you sure you want to delete "config.text"?[Yes/No]y ------>Type "y"
3. Check whether the configuration file config.text is deleted successfully. If it is not, repeat step 2.
FS#dir
4. Reboot the device:
FS#reload
Proceed with reload? [no]y ------>Type "y"
Operation completed.

4.6 Formatting Flash Operations
1. Network Requirements
Perform a format flash operation on a wireless device (AC or AP).
2. Network Topology
The computer is connected to the console port of the device using a console cable.
3. Configuration Highlights
The steps must be followed.
4.
Configuration Steps
Note: This operation clears all files on the device, including the configuration file and the main program, and the device will enter boot mode, so you need to re-import the main program to boot normally.
a. Refer to "console management" to log in to the device.
b. Reboot the wireless device and press CTRL and C at the same time to enter the ROM layer menu when the Ctrl+C prompt appears.
c. Enter 4 to select "4. Scattered utilities."
d. Enter 3 to select the advanced operation "3. Advanced settings."
e. Enter 3 to select the format operation, and enter yes to confirm; the system will start the format operation automatically. After the operation is completed, the prompt "The flash has been formatted successfully" is shown.
f. The device automatically returns to the ROM layer menu after formatting is complete.

4.7 Configuration Backup
4.7.1 Backup Configuration on the Device
1. Network Requirements
Back up the wireless device configuration.
2. Network Topology
The operating computer can log in to the wireless device normally.
3. Configuration Highlights
a. Log in to the device.
b. Use the command to perform a backup.
4. Configuration Steps
a. Log in to the device using telnet or console line. See "Telnet Management" and "Console Management" in "Device Login".
b. Check whether the wireless device configuration file exists.
c. Use the following command to back up the configuration on the wireless device:
FS#copy flash:config.text flash:config.bak ------>Back up the configuration as config.bak
d. Verify that the backup was successful.

4.7.2 Backup Configuration on the PC
1. Web page for configuration backup
Configuration backup via the web page:
a. Fat AP configuration backup
Log in to the web management page of the device. The AP needs to back up the config.text configuration file. Click System - System Settings - Restore Factory Settings, select Export current configuration, and store it locally on your computer.
b. AC and fit AP configuration backup
Log in to the web management page of the device. The AC needs to back up both config.text and ap-config.text. Click System - System Settings - Restore factory settings, select export current configuration and export ap-config configuration respectively, and store them locally on your computer.
2. Command line for configuration backup:
a. Networking Requirements
Back up the configuration of wireless devices.
b. Network Topology
The operating computer can log in to the wireless device normally.
c. Configuration Highlights
Log in to the device. Use the command to back up.
d. Configuration Steps
Log in to the device using telnet or console line. See "Telnet Management" and "Console Management" in "Device Login".
Check whether the wireless device configuration file exists.
You can back up the configuration of the device in two ways: tftp and console line.
Method 1: tftp method
- The computer can ping the wireless device; open the tftp software on the computer side.
- Execute the following command on the device (assuming the computer address is 192.168.1.100):
FS#copy flash:config.text tftp://192.168.1.100/config.text
- Check whether the config.text file exists in the tftp software directory of the computer.
Method 2: Console method
- Log in to the device using the console line.
- Execute the following command on the device to back up the configuration:
FS#copy flash:config.text xmodem
- If you are using SecureCRT to log in to the device, perform the following operations: Transfer --- Receive Xmodem --- Select the storage directory and file name.
- Check whether the config.text file exists in the corresponding directory on the computer.

4.8 SNMP and Syslog
4.8.1 SNMP and MIB
1.
How to define the legitimate hosts for SNMP access
Method 1: Configure an ACL, and then reference it when configuring SNMP
FS(config)#access-list 1 permit 192.168.1.0 0.0.0.255
FS(config)#snmp-server community FS rw 1
This is the regular method: the snmp-server community is associated with an ACL, which controls the legitimate hosts that may access the SNMP service of the switch.
Method 2: Allow access from only one legitimate host IP
FS(config)#snmp-server community FS rw host 1.1.1.1 //This allows only the host 1.1.1.1 to access the snmp service of the device.
The host parameter controls access to a legitimate host IP. If configured multiple times, the later one will overwrite the original one, and only one legitimate host IP can be configured.
2. Is there a conflict between multiple snmp communities configured on a device?
Our device allows several snmp communities with different attributes to be configured, to meet the network management needs of different servers or applications, so different communities coexist and do not conflict.
snmp-server community 123 rw
snmp-server community 456 ro
snmp-server community 789 rw
3. How to configure snmp on the AC?
Configure the SNMP read/write community:
FS(config)#snmp-server community XX rw
(XX is the snmp group word; it must be configured as rw, which can read and write)
Configure the SNMP server:
FS(config)#snmp-server host server IP traps version 2c XX
(XX is the snmp group word)
4. Is the snmp service of the device turned on by default, and can it be turned off?
a. The snmp-agent function of all wireless devices is enabled, which means that all snmp messages can be processed by default. However, if the snmp community group word is not configured on the device, or if this authentication word does not match the server configuration, the device generates an error similar to this:
%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 54.214.18.121
b.
The CPU usage of the device may be found to be high, with the snmpd process occupancy high and the console continuously reporting the above snmp authentication failure log. If the device does not need network management and does not need the snmp function, you can turn off this function to reduce the CPU usage. The command is as follows:
FS(config)#no enable service snmp-agent
5. The wireless controller configures the snmp community in plaintext, but after show run it is an encrypted string.
snmp-server community 7 0132564a3d1103 rw
This is similar to configuring passwords such as enable. If plaintext is required, the password encryption display needs to be turned off:
FS(config)#no service password-encryption
6. What is the value of the AC sysoid?
1.3.6.1.4.1.4881.3.1.1.61
7. How to enable traps for AP and wireless user up/down on AC devices?
Make sure that both telnet and snmp from the SNC to the AC are reachable, and configure the traps on the AC device for AP and wireless user up/down as follows:
a. Turn on trap
FS(config)#snmp-server enable traps
b. Open STA up/down trap
FS(config)# ac-controller
FS(config-ac)#acctrl-trap acsta-oper-ctrl
c. Open AP up/down trap
FS(config)# ac-controller
FS(config-ac)#acctrl-trap acap-updown-ctrl
d. Save the configuration
FS(config-ac)#end
FS#write
8. SNMP trap and set descriptions
If no trap is configured, the device will not send information to the server; it sends information actively only after the trap is configured. If the snmp server wants to get information from the device side, there are two ways:
- Wait for the trap information sent by the client, which has to be triggered by the corresponding trap node;
- The server actively sends a get-request, and the device side responds with a get-response to synchronize the information to the server.
9. What are the traps that can be enabled on AC to send outward, and are they enabled by default?
The default is off. The trap messages sent by the AC to the outside world include: CAPWAP tunnel up/down messages, AP join AC failure messages, CAPWAP tunnel message decryption failure messages, AP upgrade failure messages, time synchronization failure messages, and STA up/down messages.
ac-controller
acctrl-trap acap-updown-ctrl: Used to control the sending of trap messages for CAPWAP tunnel up/down.
acctrl-trap acap-joinfail-ctrl: Used to control the sending of trap messages when the AP fails to join the AC.
acctrl-trap acap-decryeroreport-ctrl: Used to control the sending of trap messages for failed decryption of CAPWAP tunnel messages.
acctrl-trap acap-imageupdt-ctrl: Used to control the sending of trap messages for the upgrade of the AP's bin file.
acctrl-trap acap-timestamp-ctrl: Used to control the sending of time-synchronized trap messages.
acctrl-trap acsta-oper-ctrl: Used to control the sending of trap messages for STA up/down.
The "show ac-config" command allows you to view the current switch status of the various trap types.

4.8.2 SNMP Troubleshooting
1. Troubleshooting Guide
a. Fault Information Collection
When reading an snmp mib node fails, the following information needs to be collected at once:
FS# show version detail
FS# show run
FS# show snmp (Collected 5 times)
FS# show snmp process-mib-time (Collected 3 times)
Trigger mib reads, and capture packets on the device and on the snmp mib server at the same time.
Confirm whether the problem is individual or general: if the current mib node cannot be read, try other mib nodes to see whether they show the same problem.
b. Fault Message Analysis
Check the device configuration: Check whether the information configured on the device is correct and whether ACL filtering is configured.
Analyze the message information collected by the device and the snmp mib server: Check whether the triggered mib operation returns a message. If no message is captured for the triggered mib operation, it is the first reason mentioned above; otherwise it is the second reason. If it is the first reason, analyze the device configuration information and the show task information. If it is the second reason, analyze whether there are many snmp message requests and whether the snmp messages carry many bind variables. If there are many snmp message requests and the snmp messages carry many bind variables, the phenomenon is caused by the large number of snmp requests and can be circumvented through the avoidance methods. If there are not many snmp message requests, analyze the show snmp process-mib-time information.
Analyze the information collected by show snmp process-mib-time: The command records the 20 mib nodes with the longest processing time; the saved information contains the processing cycle time and the mib node. The actual execution time can be calculated from the cycle time. The formula is: specific time (milliseconds) = cycle time * 10 / (device cpu frequency / 100). For example, if the device cpu frequency is 750 MHz and the collected cycle time is 105841517, the specific time is 105841517 * 10 / (750 * 10^6 / 100) = 141 ms, indicating that the internal processing time for reading the mib node is 141 ms. If the calculated time is long, let the person in charge of the module corresponding to the mib node analyze it.
Analyze the information collected by show task: If the failure is due to the first cause, you need to analyze the stack information of the snmpd task in show task to see whether there is a problem with snmpd.
c.
Fault Recovery or Avoidance
Fault Recovery: If the failure is due to the first reason and is caused by the configuration, modify the configuration; otherwise, it needs to be determined on a case-by-case basis. If the failure is due to the second reason and is not caused by the long processing time of a single mib node, and the failure disappears after setting the upper limit of messages with snmp-server flow-control pps, it can be circumvented by this method. If the failure is caused by the long processing time of a single mib node, further information needs to be collected to confirm.
Failure Avoidance: If the failure is due to the second reason and is not caused by the long processing time of a single mib node, it can be circumvented by configuring snmp-server flow-control pps to set the upper limit of messages. Use the message information collected by the device and the snmp mib server to determine the number of bindings processed by the device per second. For example, if the packet capture shows that 200 messages are processed per second and each message carries 3 bindings, the number of binding variables processed by snmpd per second is 200 * 3 = 600, so you can set snmp-server flow-control pps 600. Because setting the snmp pps to 600 may lead to high CPU usage by the snmpd task of the device, it is also necessary to observe whether the device CPU usage is acceptable.
2. SNMP cannot read the AC information
Collect information as follows:
a. Check the snmp configuration, whether the key is correct, and whether UDP port 161 is reachable.
b. Check the software version. If the version is lower than version b8xp2, it is likely to be a known fault.
show snmp message
show snmp
show snmp pro
show ver detail
show run
Solution: Please upgrade the software version.
3.
In VAC scenarios, network management software similar to rill reads information slowly
In a VAC scenario where network management software similar to rill reads information slowly, pay attention to the SNMP flow control optimization configuration and enable the SNMP cache function.
The following points should be noted for the SNMP flow control optimization configuration:
snmp-server flow-control pps xxx //When adjusting the xxx value, pay close attention to the CPU usage.
In addition, run show snmp repeatedly at 1 s intervals to confirm the growth rate of the Number of requested variables field (the value is cumulative), and set the SNMP flow control according to the growth per second.
If you encounter a similar situation where the oid node cannot be read, confirm the following points:
1) Verify that the oid node is normal;
2) Use a mib browser to perform a node read test to verify.
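The access restrictions from 4.8.1 (a community bound to an ACL or to a single host) and the ACL check named under Fault Message Analysis can be verified offline against a saved show run. The Python below is an added example, not FS code; the configuration text is constructed from the command forms shown in this guide, and the community names ops and lab, ACL 2 and the "permit any" entry are assumptions made for illustration.

```python
import re

# Constructed running-config fragment using the command forms shown in 4.8.1.
SAMPLE_CONFIG = """\
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit any
snmp-server community FS rw 1
snmp-server community 456 ro
snmp-server community 789 rw
snmp-server community 7 0132564a3d1103 rw host 1.1.1.1
snmp-server community ops ro 9
snmp-server community lab rw 2
snmp-server host 192.168.1.50 traps version 2c FS
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")
COMMUNITY_RE = re.compile(r"^snmp-server\s+community\s+(.+)$")


def parse_acls(config):
    """Map ACL id -> list of (action, source) entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
    return acls


def parse_community(args):
    """Split the arguments that follow 'snmp-server community' into fields."""
    tokens = args.split()
    idx = next((k for k, t in enumerate(tokens) if t in ("ro", "rw")), None)
    if idx == 2 and tokens[0] == "7":      # encrypted form: 7 <string> rw
        name, encrypted = tokens[1], True
    elif idx == 1:                         # plaintext form: <name> rw
        name, encrypted = tokens[0], False
    else:
        return None
    rest = tokens[idx + 1:]
    host = acl = None
    if rest[:1] == ["host"] and len(rest) >= 2:
        host = rest[1]                     # Method 2: single permitted host
    elif rest:
        acl = rest[0]                      # Method 1: associated ACL
    return {"name": name, "encrypted": encrypted, "access": tokens[idx],
            "acl": acl, "host": host}


def audit(config):
    """Return one record per community with the restriction problems found."""
    acls = parse_acls(config)
    results = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        entry = parse_community(m.group(1)) if m else None
        if entry is None:
            continue
        issues = []
        if entry["acl"] is None and entry["host"] is None:
            issues.append("no ACL or host restriction")
        elif entry["acl"] is not None:
            rules = acls.get(entry["acl"])
            if rules is None:
                issues.append("ACL %s is not defined" % entry["acl"])
            elif any(a == "permit" and src == "any" for a, src in rules):
                issues.append("ACL %s permits any source" % entry["acl"])
        entry["issues"] = issues
        results.append(entry)
    return results


if __name__ == "__main__":
    for rec in audit(SAMPLE_CONFIG):
        status = "; ".join(rec["issues"]) or "restricted"
        print("%-16s %s  %s" % (rec["name"], rec["access"], status))
```
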
Enable SNMP cache function, VAC needs Cache's OID list snmp-server cache oid 1.3.6.1.2.1.145.1.2.2.1 snmp-server cache oid 1.3.6.1.2.1.145.1.2.3.1 snmp-server cache oid 1.3.6.1.2.1.145.1.2.6.1 snmp-server cache oid 1.3.6.1.2.1.145.1.2.7.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.1.1.39.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.1.1.48.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.1.1.49.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.10.1.12.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.10.1.13.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.19.1.1.10.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.19.1.1.11.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.35.1.3.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.36.1.3.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.40.1.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.40.1.5.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.2.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.3.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.6.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.7.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.5.1.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.64.1.1.38.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.64.1.1.39.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.73.1.3.1.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.1.3.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.2.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.4.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.5.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.5.2.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.7.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.14.2.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.15.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.16.1.1 snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.16.2.1 
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.2.1.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.2.3.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.3.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.6.1.1
snmp-server cache enable

4.8.3 Syslog and Logging
1. How to save the system log to flash
a. You can specify the name of the log file, usually without adding a file extension; the extension is uniformly .txt;
b. You can specify the size of the file. The default is 128KB. If it is exceeded, multiple files are generated, distinguished by increasing numbers, such as mylog_1, mylog_2, mylog_3, up to 16 files;
c. You can specify which levels of logs are saved to flash. The default is to save all levels from 0-6;
d. You can configure the size of the log memory cache. The default is 1MB; logs that exceed the cache space are saved to flash by the system.
Example:
FS(config)#logging file flash:filename [max-file-size] [level]
filename: Log file name. The log file name should not have a file type suffix. The log file suffix is fixed to TXT, and a file name configured with a suffix will be rejected.
max-file-size: The maximum size of the log file.
level: The severity level of the log, increasing step by step. Levels 0-6 are log messages; level 7 is debug messages.
FS(config)#logging file flash:mylog ?------>Specify the file name, logging level, file size, etc.
<0-7> Logging severity level (default value: 6) ------>Severity level of logs, in increasing steps
<131072-6291456> Max size of the destination file :128k-6M bytes (default value: 128k)
alerts Immediate action needed (severity=1)
critical Critical conditions(severity=2)
debugging Debugging messages(severity=7)
emergencies System is unusable(severity=0)
errors Error conditions(severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
FS(config)#logging buffered ?------>Revise the size of the log cache and which log levels are cached, default 0-7 are cached
<0-7> Logging severity level (default value: 7)
<4096-10485760> Logging buffer size (default value: 1048576 bytes)------>Configure the maximum size of the log file
2. How to view the logs or configuration files saved to flash?
FS#dir
Mode Link Size MTime Name
-------- ---- --------- ------------------- ------------------
1 2313 2011-06-09 10:58:34 back.text
1 36129 2012-04-22 17:37:27 config.text
1 336 2011-06-09 11:49:28 dsa_private.bin
20 2011-04-07 11:01:10 grtd/
1 72850 2011-12-12 15:38:23 sysylog.txt
FS#more flash:syslog.txt //The following will print the saved log information, press the space bar to change pages
3. Why can't I see the named file in dir after setting the log to be saved in flash?
a. Frequent reading and writing is harmful to flash, so logs are not written to flash in real time. After configuring the file you therefore cannot see it in flash immediately, because the file has not been generated yet. For the same reason, more flash:mylog.txt may not show the latest log content.
b.
There are trigger conditions for the device to write logs from memory cache to flash: When the logs cached in memory reach the defined maximum, the old logs will be written to flash; A certain amount of time is reached, usually 30 minutes, and a comparison of the contents of the memory cache with the logs stored in flash is done, and the incremental logs are written to flash; The device hot reboot and execution of the reload command will trigger the device to actively write the logs in memory to flash immediately, but if the device suddenly loses power, it will not trigger the logs to be written to flash. How to write logs to flash quickly --- hit logging flash flush after typing a few logs. 4. When telnet remote management, I can't view the log printed in real time? After remotely telnetting to the device, enter the following command in privileged mode: FS#terminal monitor Close command: FS#terminal no monitor 5. The console displays log log information in a timestamp format that is inconsistent with the switch show clock time format. If the "service timestamps log uptime//" timestamp format is configured in the form of device startup time. The logg record displayed is as follows: Log Buffer (Total 4096 Bytes): have written 1738, 16:21:39:43: %LINK-5-CHANGED: Interface GigabitEthernet 0/3, changed state to administratively down 16:21:39:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet 0/3, changed state to down 16:21:39:48: %LINK-5-CHANGED: Interface GigabitEthernet 0/3, changed state to up 16:21:39:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet 0/3, changed state to up If set to "service timestamps log datetime//", the timestamp format of the log messages will be in date format. 
The log record displayed is then the normal date log of the switch system:

*Jul 3 15:21:48: %LINK-5-CHANGED: Interface FastEthernet 0/16, changed state to down
*Jul 3 15:21:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet 0/16, changed state to down

If the logs are displayed inconsistently, try changing the timestamp format of the device log information to the date format:
service timestamps log datetime

6. How can the device record user information and the commands executed when users log in to the device via console or VTY?

FS(config)#logging userinfo command-log      // Enables the logging of user information, including executed commands

Apr 2 2011 03:24:31.779: %LOGIN-5-LOGIN_SUCCESS: User login from vty0(192.168.51.64) OK.
*Aug 9 10:59:17: %SYS-5-CONFIG_I: Configured from console by console
*Aug 9 10:59:46: %CLI-5-EXEC_CMD: Configured from console command: router ospf 1
*Aug 9 10:59:47: %CLI-5-EXEC_CMD: Configured from console command: exit

Once the user has logged in, the CLI prints a message about the user's VTY/console login and the commands that were executed. "show logging" also shows that the logs have been saved to the log file. In addition, starting from version b9, show cli record shows the configuration done by the client, so it is easy to see the configuration operations performed on the device.

7. Does your device support sending syslog to multiple servers?

Supported.
FS(config)#logging 1.1.1.1
FS(config)#logging 1.1.1.2
FS(config)#logging 1.1.1.3
The AC supports up to 5 syslog servers.

8. How to configure the log information on the AP to be automatically synchronized to the AC?

a. In AC configuration mode, make the specified AP start sending the relevant information to the AC:
FS(config-ac)# tran-data-start ap-name {exception | memory}
Initiates the fetching of relevant information from the specified AP.
exception: the AP sends its crash log messages;
memory: the AP sends device status information, including CPU information, memory information and general log information (such as port UP/DOWN information).

b. In AC configuration mode, view the information obtained from the specified AP:
FS(config-ac)# tran-data-show ap-name {exception| cpuinfo| memory| syslog}
Shows the relevant information obtained from the specified AP.
exception: the crash log information of the AP;
cpuinfo: the CPU information of the AP;
memory: the memory information of the AP;
syslog: the general log information of the AP.

9. The log server does not receive the syslog logs sent by the device. Routine troubleshooting steps:

a. First, make sure the syslog configuration on the device is correct, especially the log source IP and the IP of the syslog server, and that the route is reachable.
b. Second, to send log information to the syslog server you must turn on the timestamp switch or the sequence number switch for log information; otherwise the log information is not sent to the syslog server.
c. Syslog messages are usually sent over UDP port 514. Make sure that no security policy or firewall blocks the packets on the transmission path or on the syslog server itself, and that UDP port 514 of the syslog server is open.
d. If the problem still cannot be located, mirror the outgoing port of the device towards the server and capture packets to confirm whether the device has sent the syslog messages to the server.

10. How can a wireless AC selectively turn off logs, for example turn off the STA up/down and roaming logs while keeping the AP up/down logs?

The AP up/down logs are level 5; the STA up/down and roaming logs are level 6.
Configure "logging console notifications" and "logging monitor notifications" to display only logs of level 5 or higher, i.e. levels 5, 4, 3, 2, 1 can be seen.

11. What are the conditions for storing logs in flash?

If the free space is less than 30%, syslog writes no more logs to flash.

12. After changing the AC log format to rfc5424, the log time is 8 hours behind the AC system time. Is this normal?

service log-format rfc5424
It is normal. The rfc5424 format uses UTC0 by default and cannot be modified, while the AC time uses UTC +8, resulting in a time difference of 8 hours.

13. How to view web authentication live log information on the AC?

For example: USER_AUTH_PASSED - User authenticated. Username: xxx.
Logging for web authentication requires the configuration command:
web-auth logging enable x      ----- x is the number of logs per second

14. Is it possible to block the up/down logs of terminals on the AC?

You can block the terminal up/down log information by typing test-stamg syslog disable in global mode. The command only takes effect once; it is gone after a reboot.

15. How to turn off logging for fit mode APs and specify log servers?

FS(config)#ap-config AP1      (AP1 is the name of the AP)
FS(config-ap)#no logging on
FS(config-ap)#logging server 1.1.1.1      (Configure the log server IP address to 1.1.1.1)
FS(config-ap)#end
FS#write

16. Can the AC output only some specific logs?

Not supported; only log level filtering is available.

17. How to limit the number of STA up/down logs when wireless STAs go up and down frequently?

AC# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AC(config)# ac-controller
AC(config-ac)# sta-logging rate-limit 50      ---Value range: 0~10000, the default value is 5 logs per second.
AC(config-ac)#end
AC#write

18. Is there a limit to the number of roaming logs that can be printed by the wireless AC?
The default is 5 logs per second, which can be modified with the following command:
FS(config)#roaming logging rate-limit ?
  <1-10000>  Messages per second

19. How to turn off debug information on the AC? How to stop logs from popping up on screen in ssh and telnet sessions?

ter no mo
undebug all

20. The AC is configured to write logs to flash, but after waiting half an hour, or after the log cache space is full, dir still does not show a syslog.txt file.

a. Check that the configuration is correct.
b. Run dir to check the storage; 72M is available.
c. Clear the log, reconfigure log writing to flash and adjust the log cache space to 4096; it still fails.
d. Check the current software version: AC_FSOS 11.9 (6) W1S7. Limit in the current AC software version: this branch did not introduce the 5M limit, and a partition with less than 30% free space cannot be written to (it was not confirmed whether all current AC versions have this limit).
e. Delete the unneeded bin files shown by dir on the customer's device; once the partition has more than 30% free, syslog.txt is written to flash successfully.

5. Wireless universal function configuration guide

5.1 Wireless Network Selection and Device Default Login Configuration

5.1.1 How to Change IP Address

Note: In a wireless deployment, when configuring an FS wireless device for the first time, you need to manually give your computer an IP address in the same network segment as the default management IP of the wireless device in order to log in to it.

Procedure (Windows 10 as an example)

① Right-click the network icon at the bottom corner of your computer desktop and select "Open "Network and Internet" settings".
② Click "Change adapter options".
③ Find "Ethernet" and right-click it, then select "Properties" (on some computers it is called "Local Connection"; this varies from computer to computer).
④ In the pop-up dialog box, double-click and select "Internet Protocol Version 4 (TCP/IPV4)".
⑤ Select "Use the following IP address" and configure the corresponding IP (wireless devices generally use the 192.168.1.0 network segment).
⑥ After clicking Confirm in step 5, the dialog box for configuring the IP disappears and you need to click Confirm again.

5.1.2 Device Default Login Configuration

1. Login IP

AC: default address 192.168.1.1
Ceiling AP: default address 192.168.1.1
Wall-Plate AP:
- In fit mode, the IP address of both the LAN port and the Uplink port is 192.168.1.1 /24
- In fat mode, the LAN port IP address is 192.168.2.1 /24; the Uplink port IP address is 192.168.1.1 /24

2. Login Password

AC:
- WEB interface: username & password are admin
- Telnet: no password by default, so you can't log in
- Console: no password by default, but you can log in

Fit AP:
- WEB interface: username & password are admin
- Telnet: default password admin, no enable password needed
- Console: default password admin, enable password admin

Fat AP:
- WEB interface: username & password are admin
- Telnet: default password admin, no enable password needed
- Console: default password admin, enable password admin

Reason for not requiring an enable password:
line vty 0 4
 privilege level 15      # Grant privilege level 15, login and enter privilege mode directly
 login
 password admin

3. FAQ

a. Login to the device is rejected at the user prompt.
The user is denied when logging in to the device with the correct user name, but can log in normally again after a while. By default, if a user fails to log in three times, the user is locked out for 15 minutes and cannot log in. Locked-out TELNET/SSH users can be viewed and unlocked:
FS# show aaa user lockout      # View locked out users
FS# clear aaa local user lockout { all / user-name }      # Clear the locked user, who can then log in normally

b. When logging into the AC via Telnet, you can still log into the device with the wrong user name.
Failure Phenomenon: When users log into the AC through Telnet, they can enter privileged mode normally by entering the wrong username.

Cause of Failure: The device is configured with the command aaa authentication login default local none. With none added, any user name other than the correct user name can directly enter privileged mode, and there is not a username admin password xxxx means that all the

If you enter a username that exists, such as admin, you must use the correct password. If you enter a username that does not exist, and there is no corresponding username in the configuration, you do not need a password to enter the device.

5.2 Fit AP Deployment

5.2.1 Capwap Tunnel Principle and Failure

5.2.1.1 Principle of Capwap Tunneling Technology

1. Overview

In a fit AP + wireless controller (AC) solution, all APs are uniformly controlled by the AC. As fit AP solutions rapidly gain popularity, compatibility between vendors is becoming more and more important. This is the main reason why the CAPWAP protocol was developed, so that ACs could control APs from different vendors, but this is not yet possible.

The AC controls APs through CAPWAP. In centralized forwarding mode, all messages from STAs are encapsulated into CAPWAP messages by the APs and then decapsulated and forwarded by the AC. In local forwarding mode, although the user data is not sent to the AC through the CAPWAP tunnel, the AP is still controlled by the AC through CAPWAP messages. Therefore, CAPWAP can be considered one of the most important technologies in the fit AP solution.

The CAPWAP function is currently implemented in a three-layer network transport mode, i.e. all CAPWAP messages are encapsulated in UDP message format and transmitted in the IP network, and the CAPWAP tunnel is maintained by the interface IP address of the AC and the IP address of the WTP (corresponding to the Loopback 0 address of our wireless controller and the IP address of the AP).
Therefore, a reachable route between the Loopback 0 address of the wireless controller and the IP address of the AP is a prerequisite for the CAPWAP tunnel to function properly.

2. CAPWAP Creation Process

The CAPWAP state machine is fully described in the CAPWAP protocol, and the process includes:
Discovery → Join → Image Data → Configuration → Data check → Run

CAPWAP is established through the following 7 processes:
- The AP obtains the IP address of the AC through DNS, DHCP, static configuration of IP address, broadcast, etc.
- The AP discovers the AC
- The AP requests to join the AC
- The AP automatically upgrades
- The AP configuration is sent down
- AP configuration confirmation
- Data forwarding through the CAPWAP tunnel

① The AP obtains the IP address of the AC

There are various ways for the AP to obtain the IP address of the AC, such as DNS resolution, a DHCP option, configuration of a static IP address, broadcast, multicast, etc. In the actual deployment of FS wireless products, the IP addresses of the AP and the AC are assigned through DHCP + Option138, where Option138 is configured as an IP array type, so multiple AC IP addresses can be configured. As shown in the figure below, the AP needs to obtain its own IP address and that of the AC after it starts for the first time.

★ When the AP gets the IP address of the AC for the first time, the address is stored in flash, not in the config.text configuration file. So when the AP starts up again, it can establish a CAPWAP tunnel with the previously configured AC as long as it can get its own IP address, even if it does not get the IP address of the AC.
★ The AP default version now supports going online via Option 43.

② AP Discover AC

After the AP obtains the IP address of the AC, the AP sends the CAPWAP [Discovery Request message] and the CAPWAP state machine enters the state.

a. Message Analysis

The Discovery frame of the CAPWAP control messages is the only non-encrypted data message among all control messages, because it completes the process of finding the existing ACs at a time when the control tunnel is not yet established. The following figure shows the message format of the [Discovery Request message] and [Discovery Response message] of the control message.

In a wireless fit AP scenario, the AP sends multiple [Discovery Request messages] as soon as it acquires the IP address of the AC. The messages include:
- Broadcast [Discovery Request message]
- Multicast [Discovery Request message] (destination address is 224.0.1.140)
- Unicast [Discovery Request message] (destination address is the IP address of the AC); there can be multiple AC IP addresses, so there may be multiple messages of this type

Because the data in the [Discovery Request message] is non-encrypted, its information can be read directly from the packet. As shown in the figure below, it includes the AP model, AP-W6T6817C, and the hardware and software information of the AP.

The data in the [Discovery Response message] returned by the AC is also non-encrypted. As shown in the figure below, the AC with IP address 1.1.1.1 responds to the [Discovery Request message] sent by the AP. The response message includes the software and hardware version of the AC, the name of the AC, etc.

Note: The name of the AC here is not the hostname of the AC, but the name used in the configuration for cluster redundancy. The configuration is as follows:
FS(config)# ac-controller
FS(config-ac)# ac-name FS-ac

b. Processing Flow

In the CAPWAP state machine flowchart, the process of AP discovery of AC consists of the following 4 steps:
- After the AP starts, the AP is in state, and when the AP sends a [Discovery Request message], then the CAPWAP state machine on the AP is updated to state
- The AC receives the [Discovery Request message] and responds with a [Discovery Response message], and the state machine state does not change
- After the AP sends the Discovery Request message, no Discovery Response message is received and the CAPWAP state machine on the AP is updated to .
- After the state on the AP lasts for 30 seconds, it switches to the state and starts sending [Discovery Request messages] again.

Note: [Discovery Request message] and [Discovery Response message] are sent in UDP clear text. Therefore, in the third step, if the network condition is very poor or the number of APs is large, even if the AC responds, the AP may keep switching back and forth between and states.

③ AP request to join AC

If the AP sends a [Discovery Request message] and gets a response, it starts to prepare to join the AC. If the AP gets responses from multiple ACs with different priority levels defined on the AC, the AP applies to join the AC with the highest priority level first.

The following is a configuration case: the priority of AP0001 is defined on both AC1 and AC2, and if a response is received from both AC1 and AC2, then AP0001 requests to join AC1.
FS(config)# ap-config AP0001
FS(config-ap)# primary-base AC1
FS(config-ap)# secondary-base AC2

Before the AP joins the AC, DTLS verification is performed first. When the DTLS handshake between the AP and the AC is successful, the AP sends a Join request to start requesting to join. All the messages in this process are encrypted messages. The following is the message format (extracted from RFC5418):

All messages are encrypted throughout the process of the AP request to join the AC.
The following are the 6 steps of the AP request to join the AC:

a. The AP updates its state to and the AC creates a new state machine with the initial value of state
b. The DTLS handshake between AP and AC starts. If the DTLS handshake is still unsuccessful within 60 seconds, update its state to .
c. After the successful DTLS handshake between AP and AC, update its state to state and send a Join Request message
d. The AC receives the [Join Request message] and responds with a [Join Response message]. If the AC does not receive the [Join Request message] within 60 seconds from the start of the DTLS handshake, the status is updated to .
e. The AP receives the [Join Response message]. If the Result Code is Success, the AP joins the AC successfully. If the Result Code is not Success, the state machine status is updated to . If the AP has still not received the [Join Response message] after retransmitting the Join Request message 4 times, the status is updated to .
f. The AP enters the state after 5 seconds in the state, and then waits 30 seconds to return to the state, and the AC deletes the state machine after 5 seconds.

④ AP Auto Upgrade

The state is the process by which the AC upgrades the AP so that the version of the AP can be properly associated with the AC. Here are the 7 steps for automatic AP upgrade:

a. After receiving the [Join Response message], the AP compares the current software version with the software version requested by the AC, and if they do not match, sends the [Image Data Request message] to request an automatic upgrade.
b. After the AP sends the [Image Data Request message], the AP updates the state machine to . If the AP's [Image Data Request message] is lost during transmission and does not reach the AC after several retransmissions, the state machine of the AP and AC should be updated to .
c. The AC receives the [Image Data Request message], enters the state and responds with the [Image Data Response message].
d. The AC sends the new main program to the AP via several [Image Data Request messages]
e. If the AP does not receive an Image Data Request message from the AC within 30 seconds after receiving the Image Data Response message, the status will change to .
f. The AP responds with an [Image Data Response message] for each main-program fragment it receives
g. After the AP upgrade succeeds or fails, the device reboots

Note: The AC sends the upgraded version to the AP through CAPWAP control messages, not through CAPWAP data messages. As shown in the figure below, there will be a large number of control messages during the upgrade process of the AP. By filtering the messages, we can see that the file size of the control messages is slightly larger than that of the AP version.

⑤ AP Configuration Delivery

When the AP compares the versions and determines that the AP does not need to be upgraded, or when the AP has already been upgraded, the AC starts to issue the configuration to the AP. The following is the main process of configuration distribution:

a. The AP receives the [Join Response message] from the AC with the Result Code of Success, and the AP's current running version is the same as the requested version. The AP sends the [Config Status Request message] and enters the state.
b. The AC receives the [Config Status Request message] and enters the state. and responds with the [Config Status Response message] to notify the AP to configure as required. If the AC does not receive the Config Status Request message within 60 seconds after sending the Join Response message, the status changes to .
c. The AP receives the [Config Status Response message] and the configuration synchronization is complete. If the AP does not receive the [Config Status Response message] within 51 seconds after sending the [Config Status Request message], the status will be changed to .
⑥ AP Configuration Confirmation

After the AC has issued the configuration, it also needs to confirm that the configuration is executed successfully on the AP. The following is the main process of configuration confirmation:

a. The AP receives the [Config Status Response message], the status goes to , and sends the [Change State Event Request message] to report the status of the configuration execution
b. The AC receives the [Change State Event Request message], and if it is currently in state, the state goes to and responds with the [Change State Event Response message]. If the AC does not receive the Change State Event Request message within 25 seconds after sending the Config Status Response message, the status will be changed to .
c. After the AP receives the Change State Event Response message, if the current state is , the state will be changed to and the CAPWAP data channel will be created to start data forwarding.
d. When the AP enters the state, it means that the control and data channel between AP and AC has been established successfully. The user can then configure the specified AP, such as creating a WLAN, setting the channel, adjusting transmit power, etc., and monitor the operation status of the AP in real time.

⑦ Forwarding data through CAPWAP tunnels

After the AP enters the state, the AP and AC start forwarding user data, and it is also necessary to periodically check whether the CAPWAP channel is working properly. The following is the main process of checking the CAPWAP channel:

a. After the AP enters the state, it starts to create a data channel and sends 1 data channel keep-alive message every 30 seconds
b. When the AC receives the first keep-alive message, if the current state is , it enters the state and responds with a keep-alive message. If the AC does not receive the first keep-alive message within 30 seconds after sending the [Change State Event Response message], the status will change to .
c. If the AP and AC do not receive the first Data Channel message within 60 seconds after receiving the event message, the Data Channel is considered broken and the status is changed to .
d. When the AP or AC detects that the data channel is down, the CAPWAP state machine is updated to .

Note: Now, a data channel break does not cause a tunnel break, but a control channel break causes a CAPWAP tunnel break, so steps 3 and 4 do not cause the state machine to change. In fact, Keepalive is transmitted on the data channel and is the keep-alive message for the data channel, while the control channel relies on Echo for keep-alive.

After that, data is forwarded for STA wireless end users, and the user data is transmitted through the CAPWAP data channel. CAPWAP data messages come in the following two formats:

Non-encrypted format, where Wireless Payload is the user's data message. Since it is non-encrypted, this data message can only be used if the wireless data in Wireless Payload has been securely encrypted. For example, the wireless signal has been encrypted using WEP, WPA or WPA2.

Note: The wireless data encryption here refers to the encryption of the wireless signal, which makes it difficult for others to decrypt the user data in Wireless Payload even if they capture the message over the air. When the AP converts the wireless message (802.11 data message) to an 802.3 wired Ethernet data message, the data in Wireless Payload is not encrypted. Therefore, through packet analysis, we can see the user's interaction data. The following diagram visualizes how the user's PING message is encapsulated into a CAPWAP data message. The content in the red box and the yellow background are the source and destination MAC address and IP address respectively.
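An added example, not part of the original guide or FS code: a Python check that tells DTLS-protected CAPWAP packets from cleartext ones, covering both the unencrypted Discovery exchange described in ② and the non-encrypted data format described above. The header layout and message type numbers are taken from RFC 5415 (an assumption, they are not given in this guide); the function names and sample payloads are constructed for illustration.

```python
import struct

CONTROL_PORT, DATA_PORT = 5246, 5247  # CAPWAP UDP ports named in this guide
# Assumption from RFC 5415: only these control messages precede the DTLS session.
PLAIN_CONTROL_TYPES = {1: "Discovery Request", 2: "Discovery Response"}


def parse_capwap(payload: bytes) -> dict:
    """Decode the CAPWAP preamble and, for unprotected packets, the header."""
    if len(payload) < 4:
        raise ValueError("shorter than a CAPWAP preamble")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unsupported CAPWAP version {version}")
    if ptype == 1:  # CAPWAP DTLS header: a DTLS record follows
        return {"protection": "dtls"}
    if ptype != 0:
        raise ValueError(f"unknown preamble type {ptype}")
    if len(payload) < 8:
        raise ValueError("truncated CAPWAP header")
    word = struct.unpack("!I", payload[:4])[0]
    hlen = ((word >> 19) & 0x1F) * 4  # HLEN is counted in 4-byte words
    if hlen < 8 or hlen > len(payload):
        raise ValueError("HLEN does not fit the packet")
    return {
        "protection": "cleartext",
        "hlen": hlen,
        "rid": (word >> 14) & 0x1F,          # radio ID
        "wbid": (word >> 9) & 0x1F,          # 1 = IEEE 802.11
        "native_frame": bool(word & 0x100),  # T bit: 802.11 frame, else 802.3
        "keepalive": bool(word & 0x008),     # K bit: data channel keep-alive
        "body": payload[hlen:],
    }


def audit_packet(capwap_port: int, payload: bytes) -> str:
    """Verdict for one UDP payload; capwap_port is the 5246/5247 side of the flow."""
    try:
        info = parse_capwap(payload)
    except ValueError as exc:
        return f"malformed: {exc}"
    if info["protection"] == "dtls":
        return "ok: DTLS-protected"
    if capwap_port == CONTROL_PORT:
        if len(info["body"]) < 8:
            return "malformed: truncated control header"
        msg_type = struct.unpack("!I", info["body"][:4])[0]
        name = PLAIN_CONTROL_TYPES.get(msg_type)
        if name:
            return f"expected: cleartext {name}"
        return f"finding: control message type {msg_type} sent without DTLS"
    if capwap_port == DATA_PORT:
        if info["keepalive"]:
            return "info: cleartext data channel keep-alive"
        frame = "802.11" if info["native_frame"] else "802.3"
        size = len(info["body"])
        return f"finding: {frame} user frame carried in cleartext ({size} bytes)"
    return "skipped: not a CAPWAP port"


def audit_capture(packets) -> list:
    """Audit (capwap_port, hex_payload) pairs, e.g. exported from a capture."""
    return [audit_packet(port, bytes.fromhex(hexdata)) for port, hexdata in packets]


# Constructed sample payloads (hex), not taken from a real capture.
SAMPLES = [
    (5246, "0010020000000000" "00000001" "01000300"),  # Discovery Request
    (5246, "01000000" "16feff0000000000000000"),       # DTLS header + record start
    (5246, "0010020000000000" "00000003" "02000300"),  # Join Request without DTLS
    (5247, "0010020800000000" "0000"),                 # keep-alive, filler body
    (5247, "0010020000000000" "ffffffffffff001122334455" "0800" "4500"),  # 802.3
]

if __name__ == "__main__":
    for (port, _), verdict in zip(SAMPLES, audit_capture(SAMPLES)):
        print(port, verdict)
```

Since the guide states that FS products only support the non-encrypted data format, the data channel verdicts show which wired segments between AP and AC carry readable user frames.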
Encrypted format: the Wireless Payload user data is encrypted and cannot be seen directly. This encapsulation format makes the transmission of the user's data messages over the wire more secure, but also requires higher performance from the AC. FS products currently only support non-encrypted format data messages.

In general, when an AP comes online, the configuration it uses is determined by matching the AP name with the AP configuration name. MAC address binding is a stronger binding relationship than name matching, and its priority is higher than name matching. Therefore, as long as the MAC address bound by the AP configuration is the same as the AP's MAC address, the AP goes online with that configuration.

Users can remove the specified offline AP configuration with the command "no ap-config ap-name".
Users can delete all offline AP configurations on this AC with the command "no ap-config all".

5.2.1.2 Capwap Tunnel FAQ

1. Maintenance Commands

a. Checking the tunnel established between the AC and the AP

FS#show capwap state
index  peer device           state
1      192.168.1.1 : 10000   Run      ------>"Run" is the successful association status. If the state is not Run, please refer to the troubleshooting chapter of the wireless WLAN product guide

b. Checking the incoming and outgoing packets of the CAPWAP tunnel negotiation

FS#show capwap statistics
index(0), ip:192.168.200.4
| index | msgtype                       | sended | receved | retrycnt |
-------------------------------------------------------------------------------
| 1     | discovery request             | 0      | 4       | 0        |
| 2     | discovery response            | 4      | 0       | 0        |
-------------------------------------------------------------------------------
index(1), ip:192.168.200.4      ------>AP's address
| index | msgtype                       | sended | receved | retrycnt |
-------------------------------------------------------------------------------
| 1     | join request                  | 0      | 1       | 0        |      ------>Number of messages statistics
| 2     | join response                 | 1      | 0       | 0        |
| 3     | configuration status request  | 0      | 1       | 0        |
| 4     | configuration status response | 1      | 0       | 0        |
| 5     | configuration update request  | 3      | 0       | 0        |
| 6     | configuration update response | 0      | 3       | 0        |
| 7     | wtp event request             | 0      | 3       | 0        |
| 8     | wtp event response            | 3      | 0       | 0        |
| 9     | change state event request    | 0      | 1       | 0        |
| 10    | change state event response   | 1      | 0       | 0        |
| 11    | data channel up               | 0      | 1       | 0        |
-------------------------------------------------------------------------------

c. How to view the IP address information obtained by the AP

FS#show capwap client state

2. Common Inquiries

For wireless device specifications, please refer to the FS.COM website.

a. CAPWAP Tunnel Introduction

The AC controls the AP through CAPWAP. In centralized forwarding mode, all messages from the STA are encapsulated into CAPWAP messages by the AP and then decapsulated by the AC for forwarding. Even in local forwarding mode, the AP is still controlled by the AC through CAPWAP messages. Therefore, CAPWAP can be said to be one of the most important technologies in the fit AP scheme.

b. Does the AP need to reboot after the wireless AC reboots in order to establish capwap?

No.
The AP periodically sends capwap discover packets; once the AC has finished rebooting and receives the discover, the capwap tunnel with the AP is established.

c. Can the wireless capwap tunnel cross NAT, that is, can there be a NAT network between the AC and the AP?

Supported, and local forwarding is recommended for deploying this type of network.
- If the AP is on a NAT intranet, the AP does not need static address mapping or port mapping; just configure normal source address translation to ensure there are no connectivity problems between the AP and the AC.
- If the AC is on a NAT intranet, you need to do port mapping on the egress router for the two ports of the AC address (option 138 ip): UDP protocol, 5246 (control channel), 5247 (data channel). The AC address (option 138 ip) on the AP is the public address after mapping outside the AC.
- If the AP and AC are on their respective NAT intranets, then the above three configurations need to be satisfied at the same time.

d. Capwap tunnel creation process

Once the tunnel is properly established, the states visible to the outside are: Disc, DTLS Setup, Join, Configure/Image Data, Data Check, Run
- The AP sends Discovery Req: the AP enters the Disc state;
- The AP receives Discovery Resp: the AP decides which AC to join, prepares to send the Join Req message and enters the DTLS handshake phase;
- The AP sends the Join Req message after a successful DTLS handshake, and the AP enters the Join phase;
- The AC receives the Join Req message and enters the Join phase, replying with the Join Resp message;
- The AP receives the Join Resp message, sends the Config Status Req message, and enters the Config phase;
- The AC receives the Status Req message, replies with the Status Resp message, and enters the Config phase;
- The AP receives Status Resp, starts to create the data channel, and enters the Run state after data channel establishment is completed.

e. What is the multicast address of capwap?

224.0.1.140

f. Support for weighted AP control

Weighted APs are n APs on the AC that can be accessed by m APs.
For normal APs, the weight n:m is 1:1; for WALL-APs, the weight n:m is 1:2. The AC uses flexible access control for weighted APs, which corresponds to the formula AP + 0.5 WALL AP <= the maximum number of APs supported by the license.

g. What could be the reason for an AP failing to establish a tunnel with result code 6?

- MAC binding is on and the AP is rejected
- Name conflict
- Offline configuration with the deny-join option (hidden)
- Certificate or password authentication denied

h. Does the AP support dhcp option 43 to get the IP address of the AC?

Supported. Configure option 43 ip x.x.x.x inside the address pool (x.x.x.x is the AC address that the AP uses to build the tunnel).

i. What is the meaning of "capwap ctrl-ip" on the AC, what is the priority among static acip configuration on the AP, dynamic acip acquisition and coming online via broadcast packets, and how does the AP switch between them?

Meaning of "capwap ctrl-ip"

"ctrl-ip 1.1.1.1" on the AC means that the source IP address of the discovery response message sent by the AC to the AP is 1.1.1.1. It does not mean that the destination address of the discovery request sent by the AP to the AC is also 1.1.1.1.

Example: The AP comes online via broadcast packet, with no need to configure option 138 or acip. The AP's gateway address 192.168.1.254 is on the AC, and the AP has no acip configured (nor option 138), so the AP only sends discover request broadcast and multicast packets. The AC can receive the broadcast packets and replies to the AP with a discover response whose source address is 1.1.1.1; the AP then sends its join packets to the AC's 1.1.1.1, as follows:

There is no discovery request from AP 192.168.1.1 to AC 1.1.1.1, only 255.255.255.255 broadcast packets, and there is indeed a discovery response message from AC 1.1.1.1 to the AP.
Priority
If the AP has a statically configured acip, a dhcp-acquired acip and broadcast packets at the same time, the priority is 7 for statically configured acip > 8 for dynamically acquired acip > 9 for broadcast packet (the smaller the priority value the better).
Example: on the AP, run sh capwap client sta. The priority value 7, 8 or 9 shows which way the AP came online.
Note: Whether the AP sends broadcast packets or uses a static or dynamic acip, as long as the AC receives the discovery request, the AC replies to the AP, and the corresponding acip then appears in capwap discovery ac. This holds even if the acip in the reply is not reachable: for example, if the AP is discovered through broadcast packets but 1.1.1.1 is not reachable, 1.1.1.1 is still shown.
How to switch
If the AP has a statically configured acip, a dhcp-acip and broadcast packets at the same time, and the three correspond to different acip, that is, three ACs that are all reachable, then the AP comes online on the statically configured acip. The capwap discovery ac also lists three acip, and the tunnel is kept alive through echo Request. When the statically configured acip has been unreachable for longer than the keep-alive time (see the echo calculation in the configuration manual), the tunnel is considered broken and the discovery packet is resent to find the AC. There are then only two acip in the capwap discovery ac, and the AP comes online on the dynamically acquired acip. Similarly, if the dynamic one is also unreachable, the AP comes online on the acip of the broadcast packet.
Note: If the AP is already online on the acip obtained through dhcp or on the statically configured acip, it will not resend the discovery request packet as long as it is kept alive through echoRequest. If you want to move the AP to another acip by reconfiguring the AP with a new acip, the AP will still not switch because the AP will not re You need to reboot the AP to re-send the discovery request packet or close the acip interface that has been online before to make it unreachable.
j. Do AC tunnel ports UDP 5246 and 5247 support custom modification?
Not supported.
k. After the CAPWAP tunnel between the AP and the AC is disconnected, how will the AP handle the wireless users who access it, and will it send messages to the terminal?
The AP will send an unassociated frame to the terminal and kick the user offline when it is sent; it does not confirm whether the terminal receives the message, i.e., there is no confirmation mechanism.
l. In a cross-public network deployment scenario between an AC and an AP, is the address of the AP seen on the AC a private or public address?
"show ap-config sum" shows the private address; "show capwap sta" shows the public address.
m. If the AP has automatically obtained an IP but fails to establish a tunnel with the AC, will the AP actively release the IP address and obtain it again?
In the capwap tunneling mechanism, if the AP automatically obtains the IP but has been unable to establish a tunnel with the AC, it will restart the AP's dhcp after waiting for 50 seconds.
n. After the RIPT function is turned on, will an AP tunnel disconnection still trigger the AP to reacquire its IP? (Normally the AP tunnel disconnection triggers the AP to reacquire its IP after 50 seconds.)
When ript is on and the tunnel is disconnected, the AP will not clear the ip.
o. Interpreting the status of APs in the not-online list shown by "show ap-con su | inc Quit".
Status 1: M2 192.168.10.1 649d.99d0.e796 1 N - - - 2 N - - - 1:00:32:38 Quit
Ans: The AP has been online on the AC and the AC has not been restarted.
Status 2: 649d.99d0.40f7 - 649d.99d0.40f7 1 N - - - 2 N - - - 0:23:31:36 Quit
Ans: The AP has been online on the AC and the configuration was saved on the AC with wr, but the AC has since rebooted, so there is no IP address information for the dropped AP.
Status 3: de - - 1 N - - - 2 N - - - 3:15:12:15 Quit
Ans: The AP was configured with "ap-config de"; there is no real AP, and the configuration has been saved on the AC with wr.
Status 4: the AP dropped, and after a reboot the AP is not in the not-online list
Ans: The AP came online normally, but the configuration was not saved with wr on the AC, so the AP's online configuration was lost after the drop and the AP is not in the not-online list.
3. Parameter Adjustment
a. How to control how many APs can be associated with the AC at the same time when APs re-establish the tunnel
FS(config)#ac-controller
FS(config-ac)#capwap max-concurrent X ------>The value range of X is from 1 to 200
FS(config-ac)#end
FS#wr
b. How to change the address used by the AC to create a capwap tunnel
FS(config)#ac-controller
FS(config-ac)#capwap ctrl-ip 2.2.2.2
FS(config-ac)#end
FS#wr
c. How to configure the switch for the AC to send trap messages
ac-controller acctrl-trap acap-updown-ctrl
d. CAPWAP tunnel data message encryption under centralized forwarding
capwap data-tunnel encryption des
Some FS products do not support this. It is distinct from encryption of data on the wireless air interface, for which using an encrypted signal is sufficient.
e. Configuring which AP discovery methods the AC allows
The types of discovery request messages sent by APs to ACs are referral, DHCP, DNS, statically configured AC addresses and other types (e.g. broadcast, multicast). ACs can be configured to answer only certain types of discovery messages; only APs that receive an answer can tell that the AC is valid and select it to join and establish a CAPWAP tunnel.
In AC configuration mode (configured in ac-c mode):
capwap discovery-type ac-referral { allow | forbidden}: Discovery request messages of the referral type discover AC
capwap discovery-type dhcp { allow | forbidden}: AP sends DHCP-acquired AC address for AC discovery
capwap discovery-type dns { allow | forbidden}: AP sends DNS-acquired AC address for AC discovery
capwap discovery-type static-config { allow | forbidden}: AP sends statically configured AC address for AC discovery, such as acip configuration and cluster configuration
capwap discovery-type unknown { allow | forbidden}: AP sends other types of (e.g. broadcast, multicast) discovery request messages to discover the AC
capwap discovery-type all { allow | forbidden}: AP sends any type of discovery request message to discover the AC
Parameter description: allow means allowed, forbidden means not allowed
Default: by default the AC allows any discovery request method to discover the AC
PS: Referral refers to learning the AC from other ACs, which is not supported by our equipment at the moment.
f. How to specify which AC an AP comes online on when the wireless APs all obtain DHCP addresses from the same network segment?
Multiple AC loopback addresses can be configured in the DHCP settings, with AP MAC address verification used to assign the corresponding AC. AP compliance check is enabled on the AC:
FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#ac-controller
FS(config-ac)#bind-ap-mac ------>Turn on ap mac binding detection
Bind AP MAC function is on. ------>Prompt shown after the function is turned on
FS(config-ac)#exit
FS(config)#ap-config AP-01 ------>The name of ap-config, AP-01, can be set according to demand, it is not recommended to use Chinese
You are going to config AP(AP-01), which is not on line now.
------>Normal prompt
FS(config-ap)#ap-mac 649d.99d0.e58e ------>Bind the AP's MAC address
FS(config-ap)#end
FS#write ------>Save configuration
After multiple loopback addresses are specified, the AP still initiates requests, but it can only come online on the AC that has its MAC bound.
5.2.1.3 Common Faults in Capwap Tunnels
5.2.1.3.1 Tunnel between AP and AC cannot be established - check the reason for denial on the AC
If the link is normal and the AP's messages have reached the AC but the tunnel still cannot be established, check the specific reason with "show ap-config summary deny-ap" on the AC, combined with the log messages on the AC.
FS#show ap-config summary deny-ap
Deny ap num: 1
Mac Address AP Name Reason
-------------- ---------------------------------------- -----------------
649d.99d0.2027 By conflict
By bind-ap-mac //AP MAC binding denied: the MAC whitelist function bind-ap-mac is enabled on the AC, but the MAC of this AP is not in the ap-config
By wtp-limit //The number of online APs has reached the upper limit, generally due to insufficient licenses or the online AP capacity limit, and rarely due to a wtp-limit configuration
By conflict //AP name or MAC conflict: the AC side already has another AP online or configured with this AP name or MAC
By deny-flag //The AC is actively configured to deny the AP from joining; deny-join restrictions are generally used during the network debugging phase
By ap-auth //AP authentication restriction: certificate, serial number or password authentication is enabled on the AC, and the AP does not carry authentication information
By user-class //AP products for different industries; for example, an SMB-AP can only be docked with an SMB-AC, not with an ordinary AC
By overdue-ap //There is an expired AP on the AC, usually a temporary state; the AC side automatically clears the expired AP information, and the AP applies to join again and succeeds
By master-ap-mac //The satellite AP does not carry the main AP MAC, usually a temporary state caused by the satellite AP joining too soon after power-on
By unknown //Unknown reason
By radio num //The AP has too many RF ports to be supported for docking, such as the B7 version AC not supporting AM5528
By vendor id //APs from other vendors are not supported for docking
By new-ap-limit //New AP limit
By local-limit //Single AC device protection in the VAC scenario, limiting the number of local APs; possible causes are switch load imbalance, too few working ACs, etc.
By hot-backup //Hot standby limitation; for example, the AP uses AP virtualization technology, and AP virtualization does not support hot standby function, but the configuration will be classified as hot standby in the AP
By total-ap-num //The total number of APs (online + offline) and AP tunnels has reached the maximum; delete unneeded offline AP configuration
By none-radio //An AP that does not carry a radio is denied, usually a temporary state caused by the AP joining too soon after startup
If the interaction between AP and AC is abnormal, packet capture analysis on the intermediate link is required to locate the packet loss point, along with the wired loop troubleshooting mentioned earlier.
5.2.1.3.2 Capwap Tunnel Creation Unsuccessful
a. Communication abnormality between AP and AC
ap did not get the ip address
ap did not get the option 138 field
ap can't ping the AC's tunnel address
capwap udp 5246, 5247 ports are dropped or filtered by intermediate devices
b.
AC, AP status abnormal
The AC CPU cannot handle the APs coming online: show cpu
The AC license is not sufficient: show ac-config, show license, show ap-config summary
Example of command display:
FS#show ac-c
AC Configuration info:
max_wtp :224 // Maximum number of APs the AC is authorized to accept; if wtp limit is configured under ac-c, this is the number of online APs allowed by the wtp limit
sta_limit :7168
license wtp max :224
license sta max :7168
single wtp max :224
virtual ac max :4
whole wtp max :224
serial auth :Disable
password auth :Disable
certificate auth :Disable
Bind AP MAC :Disable
AP Priority :Disable
supp_psk_cer :Disable
ac_name :FS_Ac
ac location :AC_LOCATION
AC State info:
sta_num :0
act_wtp :1
localIpAddr :5.5.5.5
localIpAddr6 :::
current wtp max :224
used wtp :1.0(0 four 0 two 1 normal 0 half 0 zero) //The number of licenses used, here 1 license is used
remain wtp :7 four 15 two 223 normal 62 half 639 zero //Number of licenses left, 223 licenses left here
HW Ver :1.00
SW Ver :AC_FSOS 11.9(6)W1S7, Release(09230210)
Mac address :649d.99d1.cc37
Product ID :AC-224AP
NET ID :9876543210012345
NAS ID :649d.99d1.cc37
FS#show license // View current licenses
Serial Number : G1Q92BF001971
No. Activation Key AP Number
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Total 224 access points are supported, old version 0, new version 0. //The device has not imported any licenses and the default license is 224.
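The "show ac-config" output above also shows which AP admission controls are active, which decides whether a join can be refused with "By ap-auth" or "By bind-ap-mac". The following Python check is an added example, not FS code; the sample text is a subset of the output above, and the helper names are hypothetical.

```python
import re

# AP admission controls as they are named in the "show ac-config" output on this page,
# mapped to the deny-ap reason each one can produce.
ADMISSION_FIELDS = {
    "serial auth": "By ap-auth",
    "password auth": "By ap-auth",
    "certificate auth": "By ap-auth",
    "Bind AP MAC": "By bind-ap-mac",
}

# Subset of the page's sample output, one field per line.
SAMPLE = """\
AC Configuration info:
max_wtp :224 // maximum number of APs allowed
serial auth :Disable
password auth :Disable
certificate auth :Disable
Bind AP MAC :Disable
AC State info:
act_wtp :1
localIpAddr6 :::
used wtp :1.0(0 four 0 two 1 normal 0 half 0 zero)
"""


def parse_ac_config(text):
    """Turn 'key :value' lines into a dict, dropping the guide's // comments."""
    fields = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0]
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def license_headroom(fields):
    """Licenses still free: max_wtp minus the leading number of 'used wtp'."""
    used = re.match(r"[\d.]+", fields.get("used wtp", ""))
    if "max_wtp" not in fields or used is None:
        return None
    return float(fields["max_wtp"]) - float(used.group())


def audit_admission(fields):
    """Report which admission controls are off and what that implies for joins."""
    report = {"disabled": [], "unknown": [], "findings": []}
    for name in ADMISSION_FIELDS:
        value = fields.get(name)
        if value is None:
            report["unknown"].append(name)      # field missing from the capture
        elif value.lower() == "disable":
            report["disabled"].append(name)
    if len(report["disabled"]) == len(ADMISSION_FIELDS):
        report["findings"].append(
            "serial, password and certificate auth and MAC binding are all off: "
            "joins are not restricted by AP identity, only by limits such as the license")
    elif "Bind AP MAC" in report["disabled"]:
        report["findings"].append("bind-ap-mac is off: APs outside ap-config are not refused by MAC")
    headroom = license_headroom(fields)
    if headroom is not None and headroom <= 0:
        report["findings"].append("no license headroom: new APs will be denied By wtp-limit")
    return report


if __name__ == "__main__":
    parsed = parse_ac_config(SAMPLE)
    print(audit_admission(parsed), license_headroom(parsed))
```
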
FS#show ap-config summary
========= show ap status =========
Radio: E = enabled, D = disabled, N = Not exist
Current Sta number
Channel: * = Global
Power Level = Percent
Online AP number: 1 //Current number of online APs
Offline AP number: 0
AP Name IP Address Mac Address Radio 1 Radio 2 Up/Off time State
---------------------------------------- --------------- -------------- ------------------- ------------------- ------------- -----
649d.99d0.1870 192.168.100.3 649d.99d0.1870 E 0 11* 100 E 0 157* 100 0:03:09:17 Run
Duplicate AP name
19 16:37:19: CD-AC4 %APMG-6-AP_ADD: Add AP( 649d.99d0.d59e) fail. Online-AP(649d.99d0.d58e) with same name(AP-1) has exist in this AC---Modify the name of the ap already online
Collect the following information and contact +1 (888) 468 7419
The following information is collected on the AC:
show version
show running
show ac-config
show license
show ap-config summary
show capwap sta
show cpu
show memory
show ip route
show ip interface brief
The following information is collected on the AP:
show version
show ap-mode
show capwap sta
show ip route
show log
show capwap client state (View the option 138 address obtained by the AP)
5.2.1.3.3 Troubleshooting ideas and fault information collection for an AP unable to establish a tunnel
a. Check and confirm the model and version of the APs and ACs, and determine the network topology and scheme;
b. Verify that communication between the AP and the AC's loopback0 (or capwap ctrl-ip x.x.x.x) address is normal by testing as follows:
ping x.x.x.x length 1500 ntimes 20
c.
Check the logs on AP and AC, and collect relevant debug information on AP and AC
Log in to AP:
show log //Collect log information on AP
more ap_down.txt //Check the cause of AP dropout
show capwap statistic //Collect the AP's tunnel establishment status information several times, up to 3 times in a row
show capwap client state
Related debug information collection:
terminal monitor
debug capwap client fsm
debug capwap packet
debug efmp packet filter ipv4_sport range 5246 5247 count 30
Log in to AC:
show log
show ap-config summary deny-ap
terminal monitor
debug capwap [apip] packet
debug apmg join
debug efmp packet filter ipv4_sport eq 5247 ipv4_sip host [apip] count 10
d. If there is no log or debug output on the devices, investigate the intermediate link. On the AP, trace the path to the tunnel address with traceroute ip tunnel address source [apip] to confirm which devices the AP's messages pass through.
e. Using the bisection method, capture packets segment by segment to confirm the sending and receiving of tunnel establishment packets between the AP and the AC, and locate the packet loss point.
5.2.1.3.4 AP and AC online across the public network; among APs in the same network, some come online successfully and some do not
a. Failure phenomenon: The AP and AC are online across the public network, and some of the APs in the same network can come online successfully, but some cannot.
b. Troubleshooting steps: Check and confirm the corresponding network topology, and the configuration and version of the corresponding wireless
A. Cross public network AP and AC deployment, no master/standby scenario, single AC deployment. (If the hot standby scenario is involved, you need to verify that the primary and backup configurations are consistent.) The configurations of normal APs and faulty APs are identical, which excludes configuration differences, and there is no bind-ap-mac related configuration.
B.
Wireless users are forwarded locally, and the AP and wireless user gateways and dhcp address pools are on the local aggregation switch, so further local troubleshooting and verification is needed.
C. The AC, the normal APs and the abnormal APs all run the latest version, and a normal AP of the same model is online, so the version factor and a public network operator line problem are excluded.
Log in to the failed AP to check the AP mode and whether it obtained an address, and test whether pinging the AC tunnel address from the AP shows a communication problem. On-site inspection found that the faulty AP is in fit mode, address acquisition is normal, and communication with the AC tunnel address is normal.
Check the configuration on the access switch: comparing the interface configuration of the normal and abnormal APs found no differences, and the switch status is normal.
Collect the log information and related debug output on the failed AP and the AC. It was found that the faulty AP had been sending discovery request messages, but the received discovery request count in show capwap statistics on the AC did not increase accordingly, so it was suspected that the AP's discovery request messages were discarded on the intermediate link. As the site is reached over the public network and has both normal and abnormal APs, a public network operator line problem was excluded, and a problem on the local equipment was suspected.
Check the topology of the local equipment: egress SG ----- aggregation ------ access ------ AP. A packet capture on the aggregation uplink found the faulty AP's discovery request messages, so it was suspected that the messages were discarded in the egress SG equipment.
Because packets cannot be captured directly at the egress for analysis, preliminary analysis suspected either a problem with application identification or that the traffic of the relevant messages from the AP to the AC was too large and the messages were discarded, so that some AP-to-AC tunnels could not be established.
The test added the AP segment to the audit-free and flow-control-free lists of the egress, and put the resources of the corresponding AP segment users into the critical channel of the EG for priority forwarding; with this in place the faulty AP came online normally. After removing the critical channel, the AP dropped after a while and could not stay online.
Cause of failure: The number of key channels of the egress flow control device is too much traffic, which causes the interaction messages between AP and AC to establish tunnel to be dropped.
Solution: Add the traffic of the AP's address segment to the critical channel of the SG egress to ensure the priority forwarding of the AP's data messages.
Other operation commands:
On the AC, "debug apmg join" shows whether the discovery message is received.
On the AP, "debug capwap client fsm" shows whether the message is sent successfully.
On the AP, "debug capwap packet" shows whether there is an answer to the discovery (you need to wait for a while to see the prompt).
If there is no answer, go to the AC and run:
debug efmp packet filter ipv4_sport range 5246 5247 counter 30
If the AP tunnel cannot be established successfully, check for a relevant prompt message by running the following commands on the AC:
debug efmp packet filter ipv4_sip host APIP address ipv4_sport eq 10000 counter 10
run-system-shell dmesg
Check the output of show capwap ap tunnel number id detail on the AC.
If the data port changes frequently and there is a flow table aging problem, it is recommended to reduce the tunnel keep-alive time.
ap-config xxx
echo-interval xx (Default 30s, min 5s, max 255s)
5.2.1.3.5 AC and AP versions are the same, but the AP cannot come online on the AC and is stuck in join state
Failure phenomenon: The AC and AP versions are the same, but the AP cannot come online on the AC normally;
Failure Analysis:
1. Check the capwap status of the AP through the log: the AP has communicated with the AC, and the status changes to DTLS Teardown;
*Jan1 00:01:10: %CAPWAP-6-STATE_CHANGE: (peer - 1) [1.1.1.1] capwap state changed, from to
*Jan1 00:01:10: %CAPWAP-6-STATE_CHANGE: (peer - 1) [1.1.1.1] capwap state changed, from to
2. After confirming that there is no problem with the ac/ap link, "show ap-config summary deny-ap" reveals that the corresponding reason is "By conflict", that is, the AP has the same name as another AP in the system, so the AP cannot join the AC normally;
3. Restore the factory settings (or change the name) of the AP that failed to come online, after which the AP comes online normally.
Fault Summary:
For an AP that comes online normally, the capwap status goes through idle-->discover-->DTLS Setup-->Join-->config-->Data Check-->Run; when the capwap status reaches run, the AP has completed the online process and is online normally.
When the capwap status is stuck in the "Join" state, use "show ap-config summary deny-ap" to see the reason for denying access.
Common reasons for the capwap tunnel being disconnected after reaching Join are:
AP name conflicts;
Version inconsistency;
License issues;
Line failure;
Security restrictions made on the AC, such as bind-ap-mac, etc.
5.2.1.3.6 AC cannot send configuration to AP
Failure phenomenon: AC cannot send configuration to AP.
Failure environment: The AP is online to the AC across the public network.
Possible causes of failure:
AP is not online properly.
Inconsistent software version.
Restrictions of external network environment.
Equipment software failure (large version span, etc.)
Failure Analysis:
Remotely check that the AP version is consistent with the AC version and that the AP is successfully online.
Use show ap-conf run to see whether the faulty AP has successfully joined the corresponding group, and check whether there is any problem with the configuration (whether the primary and backup configurations are consistent).
Ping the AC from the AP with the packet size set to 1500 bytes: the ping does not get through. Bisection testing shows that the maximum packet size that can pass is 1410 bytes; after changing the control tunnel mtu to 1410, the problem is solved:
ac-controller
capwap ctrl-mtu 1410
Summary of faults and precautions
In a cross-NAT online environment, if the AC configuration cannot be sent down, the tunnel is established repeatedly, the tunnel is not established, or terminals cannot access normally, it is recommended after basic troubleshooting to check whether large-packet communication between the AP and the AC tunnel address is normal. For repeated tunnel establishment, check whether the NAT table entry aging time of the egress device is too short, which can be tested through the tunnel keep-alive time.
5.2.1.3.7 AC still shows the AP online long after the AP has dropped
Failure phenomenon: After the AP dropped, the AC shows that the AP is still online.
Failure Analysis:
1. Check show run, show ap-config run configuration to confirm whether echo-interval is modified (the value is 30s by default).
2. Checking the configuration finds that the parameter has not been modified from the default value; the value of keepalive does not change in the output of "show capwap index detail" on the AC, so it is initially suspected that the AP status has not been updated on the AC because the keepalive has been turned off. The command "show capwap [ip addr] detail | inc Echo" shows that the echo-interval is 0.
AC-branch(config-ap)#show capwap 10.121.121.129 detail | in Echo
Echo interval is 0 secs, Dead interval is 0 secs
Expire 4294967237 secs
3.
Check the historical command record of the AC with the "show cli record" command: echo-interval disable was mistakenly configured in the ap-group of the corresponding AP, causing the failure. After removing the configuration (no echo-interval) in the corresponding ap-group, on-site observation showed the status restored to normal.
Fault Summary:
The fault is caused by misconfiguration of a hidden command: echo-interval disable turns off the capwap tunnel keep-alive. After the command is configured, AP keep-alive is turned off, and the AP's state on the AC is still Run after the AP drops. In addition, echo-interval disable is not shown in show run.
Keep-alive time between AP and AC
The default value of echo-interval between AP and AC is 30s, that is, if the AC does not receive a keep-alive message within 30s, the AP is considered down.
The AP sends an echo request every 30s to keep the tunnel alive; the AC receives the echo request and replies with an echo response. If the AP does not receive the response within a period of time, the request is retransmitted. Retransmission starts at 3s and the retransmission time grows up to half of the echo interval, after which the tunnel is disconnected. If the default echo interval is 30s, the AP will retransmit five times, at 3s, 6s, 12s, 15s and 15s respectively. If the echo interval is configured to another value, the retransmission time and the number of times are still calculated in the same way. The echo interval can be set between 5 and 255s. To configure it, use the echo-interval * command in AP configuration mode or AP group configuration mode.
5.2.1.3.8 Most APs cannot come online, and APs that are already online often drop, with the tunnel state cycling repeatedly
Failure phenomenon: Most APs are unable to come online successfully, and those that are already online often drop, with the tunnel state cycling repeatedly.
Troubleshooting steps:
1. Check and confirm the corresponding network topology, and the configuration, version and log of the corresponding wireless devices;
The version and configuration are consistent.
Oct 16 00:24:27: %CAPWAP-5-RETRANS_MAX: (*2) (peer - 47) [172.17.6.30 : 10000] reach maximum retransmit count [5], msg is [configuration update request], seq is [1], elem length is [34].
Oct 16 00:24:27: %CAPWAP-6-PEER_NOTIFY_DOWN: (*2) Peer <172.17.6.30 : 10000 : 649d.99d0.e5ee> DOWN, reason .
Suspect a problem with the intermediate line.
2. Log in to the faulty AP to check the AP mode and whether it obtained an address, and test whether large-packet pings from the AP to the AC's tunnel address show a communication problem.
There is basically no packet loss when the AP pings the AC, so it is suspected that there are loops or excessive broadcast traffic on the intermediate line.
3. After logging in to the AC and clearing the interface traffic statistics with clear counters, show int counters summary was collected three consecutive times, and broadcast traffic on the interconnection port was found to grow quickly.
4. After logging in to the interconnected core device and clearing the interface traffic statistics with clear counters, show int counters summary was collected three times in a row and showed the following:
The corresponding Te1/3/20 interface has a large amount of broadcast traffic growing, and a loop is suspected.
5. Confirm that the device connected to the Te1/3/20 interface is an access switch with APs attached. After bringing down the Te1/3/20 interface, all the APs other than those under the Te1/3/20 port were observed to come online one after another, and the network returned to normal.
6. Log in to the access switch and enable RLDP: one of the corresponding interfaces was found to go down. Checking the device connected under that interface found a private switch with a loop.
Cause of failure: There is a single-port loop condition on the switch connected under the access switch.
Solution: Shut down the looped interface.
1. If the tunnels of some APs are not established successfully, or the tunnels of some APs are established repeatedly, a loop may exist; even when there is a loop, pinging the AC address from the AP may show no packet loss;
2. After a similar failure, you need to verify the scope of the failure and whether primary and secondary configurations exist (to ensure that the primary and secondary configurations are consistent);
3. In the VAC scenario, if the correct load balancing policy is not configured, APs may also repeatedly go up and down or be unable to come online;
4. For loop situations, you can identify the faulty port of the loop by turning on spanning tree or RLDP and querying the log information of the corresponding switch.
5.2.1.3.9 A dozen APs show dtls down status on access
Failure phenomenon: A dozen APs show dtls down status on access
Failure Analysis:
1. Confirm that the software version of the failed APs is consistent with the AC version
2. Check that the AC license is sufficient
3. Log in to the AP to view the tunnel establishment status: the join state goes directly into dtls
4. For the MAC of a not-online AP shown in "show cap st", there is no information in "show ap-con su", but for the fault mac-1, "show ap-con su" has corresponding information. "show ap-con su deny-ap" showed the duplicate configuration; after checking, the problem was caused by a duplicate name and was solved by changing the name.
5.2.1.3.10 VAC scenario - AP not online
Failure phenomenon: Large numbers of APs cannot be brought online.
Fault confirmation: Log in to the AP and check the CAPWAP status: no content, and lots of CAPWAP logs on the AP.
Troubleshooting process:
1.
Check whether the VAC load is balanced
Show vir bal found that the VAC load is not balanced; further checking the configuration on the switch found that the switch aggregation port had been configured for load balancing based on source IP.
2. AP to AC tunnel address connectivity
Telnet to the AP and perform a ping test to the AC tunnel address.
3. Check the version
show ver finds that the VAC primary and backup versions are not consistent.
Solution: Solved after upgrading to a consistent version.
Fault summary: During the VAC upgrade process, insufficient memory on the standby may prevent the AC from uploading the version to flash for the upgrade; be sure to run show vir resource on the host before upgrading to see whether the VAC standby has enough memory resources.
5.2.1.3.11 AP can't get the ip address
Fault phenomenon: The AP cannot obtain an IP address, resulting in abnormal communication between the AP and the AC, and cannot come online.
Fault confirmation: Log in to the AP through the console port and find that the IP address is the initial IP address (192.168.1.1); no information was found in the ARP table (show arp | in H.H.H) or the address assignment table (show ip dhcp bin | in H.H.H) on the device deploying the dhcp service.
Verification process:
1. Determine the layer 2 link failure point
Checking the MAC address table (show mac-address-table | in H.H.H) on the device deploying the dhcp service finds that the VLAN tag in the MAC address table is inconsistent with the planned one; at this point, the fault is judged to be caused by an abnormal tag during Layer 2 forwarding.
2. Locate the faulty device step by step
Troubleshoot downward level by level from the device deploying the DHCP service. Find an idle interface on the aggregation switch, set the PVID of the interface to the same VLAN as the AP, and connect a computer directly to see whether an IP address is obtained normally; testing found that the IP address is obtained normally.
The faulty device is located on the aggregation and access devices. Checking the interface configuration on the aggregation device again finds that the native VLAN of the interface connected to the access switch has been changed to VLAN 10.
Solution: Change the native VLAN of the aggregation switch downlink interface back to the default VLAN 1.
Fault Summary: Because the interface of the aggregation switch connected down to the access switch has native VLAN 10, and the AP also belongs to VLAN 10, the tag has already been removed when the frame arrives at the aggregation switch, and when the aggregation switch forwards the data to the core, the data frame has become VLAN 1 traffic.
5.2.1.3.12 AP repeatedly goes online and offline
Failure phenomenon: AP repeatedly goes online and offline.
Fault confirmation: two AP-7072s doing VAC, docked to core N5860-48SC, core doing VSU, AP and AC online across the public network, APs in different outlets, different outlets with different extranet exits; on the AC, "show ap-con sum" shows that the AP online time is very short, and the logs show APs repeatedly going up and down.
Troubleshooting process:
1. Link stability testing
In the network topology the AC and AP span the public network, and large-packet pings from the AP to the AC are normal;
2. Checking load balancing
Use show vir balance-info to see whether the load is unbalanced at that time;
Check the load balancing configuration on the switch: after configuring load balancing based on source and destination IP and turning off local priority forwarding, the load is still unbalanced.
3. Troubleshoot the cause of dropped connections
Check the "more ap_down.txt" information on the AP.
The information shows that reaching the maximum number of retransmissions is the cause.
After leaving only one link, the AP still went online and offline repeatedly, so load balancing was ruled out as the cause. The internal discussion at that time concluded that the unbalanced load was a normal phenomenon in the cross-public-network scenario: the IP address of APs at the same point is the same after NAT conversion, and the switch balances load on the source IP, so the load is not spread.

The output of show capwap tunnel number detail was checked on the AC once while the AP was online and again after it had dropped and come back online. The port of the same AP had changed (normally the port of the AP should be consistent and should not change).

The log message on the AC reports a change of address or port on the other side.

Compare the show capwap tunnel port detail information on the AC before and after the same AP drops (the port is not the same before and after) with the log information on the AC (the tunnel address fails because the other party's IP or port has changed). This confirms that the failure is caused by the aging of the egress NAT table entry.
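The before/after comparison described above, as an added example that is not part of the original guide: a Python parser for captures in the format of the `show capwap 2 detail` output printed in this guide's appendix. The AFTER capture, the function names and the `nat_idle_secs` parameter are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Field wording follows the `show capwap 2 detail` output printed in this guide.
# re.search scans the whole text, so flattened one-line captures parse too.
_FIELDS = {
    "ap_mac": r"The MAC of AP is ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    "peer_addr": r"Peer address (\d{1,3}(?:\.\d{1,3}){3})",
    "ctrl_port": r"Peer control port is (\d+)",
    "data_port": r"Peer control port is \d+, data port is (\d+)",
    "echo_secs": r"Echo interval is (\d+) secs",
    "behind_nat": r"Peer notify in NAT:\s*(YES|NO)",
}
_UPTIME = re.compile(
    r"Process uptime is (\d+) days (\d+) hours (\d+) minutes (\d+) seconds")


@dataclass(frozen=True)
class TunnelSnapshot:
    ap_mac: str
    peer_addr: str
    ctrl_port: int
    data_port: int
    echo_secs: int
    behind_nat: bool
    uptime_secs: int


def parse_capwap_detail(text: str) -> TunnelSnapshot:
    """Extract the fields needed for the before/after comparison."""
    raw = {}
    for name, pattern in _FIELDS.items():
        match = re.search(pattern, text, re.IGNORECASE)
        if match is None:
            raise ValueError(f"field missing from output: {name}")
        raw[name] = match.group(1)
    up = _UPTIME.search(text)
    if up is None:
        raise ValueError("field missing from output: uptime")
    days, hours, minutes, seconds = map(int, up.groups())
    return TunnelSnapshot(
        ap_mac=raw["ap_mac"].lower(),
        peer_addr=raw["peer_addr"],
        ctrl_port=int(raw["ctrl_port"]),
        data_port=int(raw["data_port"]),
        echo_secs=int(raw["echo_secs"]),
        behind_nat=raw["behind_nat"].upper() == "YES",
        uptime_secs=((days * 24 + hours) * 60 + minutes) * 60 + seconds,
    )


def compare_snapshots(before, after, nat_idle_secs=None):
    """Return a dict describing what changed between two captures of one AP."""
    if before.ap_mac != after.ap_mac:
        raise ValueError("snapshots are from different APs")
    changed = [f for f in ("peer_addr", "ctrl_port", "data_port")
               if getattr(before, f) != getattr(after, f)]
    # Uptime going backwards means the tunnel was torn down and rebuilt
    # between the two captures.
    rebuilt = after.uptime_secs < before.uptime_secs
    result = {
        "changed": changed,
        "tunnel_rebuilt": rebuilt,
        # The guide's criterion: the AP's port should stay the same. A new
        # peer address or port after a drop, for an AP behind NAT, points at
        # an aged-out NAT entry on the egress device.
        "nat_aging_suspected": bool(changed) and rebuilt and after.behind_nat,
        "echo_too_slow": None,
    }
    if nat_idle_secs is not None:
        # Assumption: nat_idle_secs is the egress device's UDP NAT idle
        # timeout, supplied by the operator; the guide does not state it.
        result["echo_too_slow"] = after.echo_secs >= nat_idle_secs
    return result


# Fields taken from the output shown in this guide.
BEFORE = """CAPWAP process "capwap 2" with state [ Run ]
Process uptime is 0 days 0 hours 51 minutes 45 seconds
Echo interval is 30 secs, Dead interval is 81 secs
Peer address 172.18.73.38
The MAC of AP is 649d.99d0.e3fe
Peer control port is 2496, data port is 59404
Peer notify in NAT: YES
"""

# Constructed sample: the same AP after a drop, new ports, uptime reset.
AFTER = """CAPWAP process "capwap 2" with state [ Run ]
Process uptime is 0 days 0 hours 2 minutes 10 seconds
Echo interval is 30 secs, Dead interval is 81 secs
Peer address 172.18.73.38
The MAC of AP is 649d.99d0.e3fe
Peer control port is 3011, data port is 60122
Peer notify in NAT: YES
"""

if __name__ == "__main__":
    print(compare_snapshots(parse_capwap_detail(BEFORE),
                            parse_capwap_detail(AFTER), nat_idle_secs=30))
```

An unchanged port pair across a drop points away from NAT aging and back to the link or retransmission checks earlier in the exclusion process.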
Solution: Reduce the hold time between AC and AP: ap-config xxx echo-interval xx (default 30s, min 5s, max 255s)
[ Note: echo-interval: control tunnel keepalive, keepalive-interval: data tunnel keepalive ]

Fault Summary: Since it is a cross-public-network environment, load imbalance can occur in VAC scenarios. Reason: the outlet performs NAT, so the converted IP addresses of APs in the same outlet are the same. Even if load balancing based on source and destination IP is configured on the switch, the load may still appear unbalanced when viewed on the AC.
[ ps: even if the load is not balanced, be sure to configure load balancing on the switch, otherwise it will still affect the AP online situation (frequent move) ]
The aging NAT table entry of the egress device causes the port on which the AP establishes a tunnel with the AC to change, causing the AP to go up and down frequently.

Appendix: Quickly locating if a NAT table entry is causing the AP to drop:
1. On the AC, run "show capwap sta | in ap mac" and check the corresponding index number (for example, 2).
2. On the AC, run show capwap 2 detail:
CAPWAP process "capwap 2" with state [ Run ]
Process uptime is 0 days 0 hours 51 minutes 45 seconds
Echo interval is 30 secs, Dead interval is 81 secs
Expire 71 secs
Current timers EchoInterval
Peer address 172.18.73.38
The MAC of AP is 649d.99d0.e3fe
The Session ID of AP is 649d99d0.e3fead1a.8520721b.e02acb5d
Capwap fragment is disable
The Path MTU is 1500
Recent received request's sequence number 118
Recent received response's sequence number 124
Recent send request's sequence number 124
Retransmit Count 0, Failed DTLS Session Count 0
Max Retransmit Count 5
Config maxretransmit 5
Sending queue length 0, Receive queue length 0
Peer control port is 2496, data port is 59404 [ Check if the port has been consistent before and after the ap drop ]
My address is 172.18.159.52
CTI ifx is 4.
IPv4 control socket 4, data socket 5
Local IPv4 address is 192.168.126.130
UDP checksum is enable
Peer notify in NAT: YES

5.2.2 Fit AP Mode; Web Configuration Mode

5.2.2.1 AC Device Login

Description: The AC default management IP address is 192.168.1.1. The default user password for web login is: admin

Step 1: Computer and AC connection diagram

Step 2: Device Login
a. Configure the computer's wired network card with IP address 192.168.1.1, subnet mask 255.255.255.0 and default gateway 192.168.1.1.
b. Open a browser and enter the IP address 192.168.1.1 in the address bar to log in to the device web interface. The default user password for device login is admin/admin.

5.2.2.2 AC Change Device Login Password

a. Change the device web login password
Click System Settings, Change Password to change the password for the device web login.
b. Configure or change the device Telnet login password
Click System Settings, Change Password to configure or change the device Telnet password.

5.2.2.3 Centralized Forwarding Mode

5.2.2.3.1 Centralized Forwarding Mode Description

Description: In the WLAN network, the AC controls and manages the down-connected APs through the CAPWAP protocol. CAPWAP provides a communication tunnel between the AC and the APs, and in centralized forwarding mode all traffic of wireless users must pass through the AC before it can be forwarded.

Application Scenario: When there are a large number of APs in the wireless network and they need to be managed and configured in a unified manner.

Advantages: Unified configuration and management of APs through the AC (AP controller), including configuration issuance, upgrade, restart, etc.

Disadvantages: An AC must be added to the network, the wired network needs additional configuration, and devices from different manufacturers are not compatible.
Scenario topology description:

Caution: If port isolation is enabled on the uplink/aggregation/core of the AP, the proxy ARP function needs to be enabled on the gateway of the AP, otherwise the AP distributed upgrade will fail (AP upgrade time will increase significantly). If the VLAN of wireless users is large (more than 8 class C network segments), enable the proxy ARP function on the STA gateway to reduce downlink flooding of ARP broadcast messages (ARP broadcast messages sent to a STA are copied and sent to each AP in the same STA network segment, which greatly increases the load on the AC).

5.2.2.3.2 AC Bypass Unmanaged Switch

Scenario Introduction: The AC is connected to an unmanaged switch, and the computer is connected to the unmanaged switch with a network cable and automatically obtains an IP address to access the Internet.

Topology:

Device Login: Refer to fit AP Deployment => AC Device Login

Device configuration:
1. After logging into the web interface, the Quick Configuration will automatically pop up. Select the AC and AP directly connected topology, and then click Next (if it does not pop up, click the red "Quick Setting" text at the top right of the web page).
2. The interconnection configuration of AC and AP:
a. Customize one interface of the AC to interconnect with the unmanaged switch, this topology is customized to interconnect 8 ports with the unmanaged switch.
b. Configure the AP and AC interconnection tunnel IP; the IP is the tunnel address of the AC.
c. There is no need to configure the network configuration of the AP, just click Next.
3. Configure WiFi/WLAN.
4. Configure Internet access for wireless users, then click Finish to complete the configuration.
5. Configure the interconnection IP address of AC and core.
6.
Configure the computer with the address 192.168.1.2, log in using the AC's new management IP 192.168.1.254, and then change the tunnel IP address to 192.168.1.254, an address in the same network segment as the egress router's internal network port, so that the AP establishes a tunnel with the AC at Layer 2.
Note: By default, the AC uses the loopback 0 address as the tunnel address. You can specify the tunnel IP address with capwap ctrl-ip; it must be an IP address configured on the AC.

Exit router configuration (It is recommended to contact the corresponding router vendor engineer to assist in the process)
Ensure that after the router is configured, a computer connected to the LAN port of the router automatically obtains an address in the 192.168.1.0/24 network segment and can access the external network normally.

Switch Configuration
The switch is an unmanaged switch; no configuration is required.

AP configuration
The AP does not need any configuration. Ensure that the AP is in fit mode (the default is fit mode when the device is just unpacked) and is powered normally after being connected to the switch.

Configuration Verification
1. Check that the AP is online on the AC.
2. The terminal normally searches for the signal and successfully accesses it.
3. The terminal normally obtains the address from the router and accesses the external network.

5.2.2.3.3 AC Bypass Layer 2 Switch

Scenario Description: AC bypass Layer 2 switch, wireless user address pool gateway in the egress router, AP management segment address pool gateway in AC.

Topology:

Device Login: Refer to fit AP Deployment => AC Device Login

Device configuration:
AC configuration
1. Select the Quick Settings in the upper right corner for quick configuration.
2. Configure the interconnection configuration of AC and AP, as follows:
a. Configure the tunnel IP of AC and AP interconnection and VLAN of core interconnection.
In addition, you need to create the DHCP and VLAN gateway of AP.
b. Create DHCP for AP.
c. Configure the VLAN gateway of the AP.
d. Configure the network configuration of the AP.
3. Create WiFi name and password.
4. Configure the wireless user Internet configuration, click Finish.
5. Change the address of VLAN 1 on AC to 192.168.1.254/24.
6. Change the management IP of the computer to 192.168.1.2/24, log in again using the AC's changed IP address 192.168.1.254, and configure the default route to point to the exit router.
7. Configure the interconnection port of AC and core as trunk port.

Configuration of the egress router (It is recommended to find the corresponding switch vendor's engineer to assist in the configuration according to the following requirements).
Configure 192.168.1.1 on the port interconnecting the egress router and the Layer 2 switch, and ensure that a computer connected with a network cable automatically obtains an address in the 192.168.1.0/24 network segment and can access the external network normally.

Layer 2 switch configuration (It is recommended to find the corresponding switch vendor's engineer to assist in the configuration according to the following requirements).
1. Create VLAN 1, VLAN 20 on the Layer 2 switch.
2. Layer 2 switch and AC interconnection port configuration for trunk port (the following figure indicates that the switch 2 port and AC interconnection).
3. Layer 2 switch and AP interconnection port configured as access port, associated AP management VLAN 20 (The following figure indicates that the switch's port 6 is interconnected with the AP).
4.
Save the configuration.

AP configuration
The AP does not need any configuration. Ensure that the AP is in fit mode (the default is fit mode when the device is just unpacked) and is powered normally after being connected to the switch.

Configuration verification:
1. Check that the AP is normally online on the AC.
2. The terminal can normally search for wireless signals and access them.
3. The terminal gets the correct address and communicates with the external network.

5.2.2.3.4 AC Bypass Core Switch

Scenario Description: AC side hung core switch, wireless user address pool gateway in the core, AP management segment address pool gateway in AC.

Topology:

Device Login: Refer to fit AP Deployment => AC Device Login

Device configuration:
AC configuration
1. Select the Quick Setting in the upper right corner for quick configuration.
2. Configure the interconnection configuration of AC and AP, as follows:
a. Configure the tunnel IP of AC and AP interconnection and VLAN of core interconnection. In addition, you need to create the DHCP and VLAN gateway of AP.
b. Create DHCP for AP.
c. Configure the VLAN gateway of the AP.
d. Configure the network configuration of the AP.
3. Create WiFi name and password.
4. Configure the wireless user Internet configuration, click Finish Configuration.
5. Configure the interconnection port of AC and core as trunk port.

The configuration of the core switch (It is recommended to find the engineers of the docking switch vendor to assist in the configuration in accordance with the following requirements).
1. On the core switch, create wireless user VLAN 10 and DHCP, gateway: 192.168.10.1/24, and ensure that a computer connected to the core switch obtains a VLAN 10 address and can access the external network.
2.
Create the management VLAN 20 of the AP on the core and configure the IP address as an interconnection with the AC. The interconnection port of the core and AC is configured as trunk port, put through VLAN 10 and VLAN 20 (The figure below indicates that the 2 ports of the core switch are interconnected with AC).
3. Core switch and access switch interconnection port configuration for trunk port, put through the AP management VLAN 20 (The following figure indicates that the core switch 3 port and access switch interconnection).
4. Save the configuration.

Access switch configuration (It is recommended to find the docking switch manufacturer's engineers to assist in the configuration in accordance with the following requirements).
1. Create VLAN 20 on the access switch.
2. Access switch and core switch interconnection port configuration for trunk port (The following figure indicates that the access switch 3 port interconnection with the core switch).
3. Access switch and AP interconnection port configuration for access port associated VLAN 20 (The following figure indicates that the access switch's 6 ports interconnected with the AP).
4. Save the configuration.

AP configuration
The AP does not need any configuration. Ensure that the AP is in fit mode (the default is fit mode when the device is just unpacked) and is powered normally after being connected to the switch.

Configuration verification:
1. Check that the AP is normally online on the AC.
2. The terminal can normally search for wireless signals and access them.
3. The terminal gets the correct address and communicates with the external network.

5.2.2.4 Local Forwarding Mode

5.2.2.4.1 Local Forwarding Mode Description

Description: In a WLAN network, the AC controls and manages the down-connected APs through the CAPWAP protocol.
CAPWAP provides a communication tunnel between the AC and the APs, and normally all traffic of wireless users needs to go through the AC first before it can be forwarded. This centralized forwarding model has the potential to change the customer's traffic model, and users want wireless user traffic to be forwarded directly through the AP without going through the AC, which is the local forwarding function.

Application Scenario Description: The number of wireless users is large, and the data traffic of wireless users should not be forwarded through the AC, so as to reduce the burden on the AC.

Advantages: Reduce the data forwarding burden of wireless AC and AP, reduce data traffic.

Disadvantages: Extra configuration is needed, and the switch connected to the AP needs to support multi-VLAN forwarding.

Scenario topology description:

Caution
1. Enable port isolation on the uplink switch, aggregation switch, and gateway ports to prevent broadcast flooding to wireless APs.
2. Enable Proxy ARP on both the AP gateway and STA gateway. This ensures that APs can still communicate with each other after port isolation is enabled. Otherwise, STAs may lose network connectivity after Layer 3 roaming, and distributed AP upgrades may fail or experience significantly increased upgrade time.
3. Do not enable features such as arp-check, ip verify source, or port-security address binding on access or aggregation switches. Reason: During STA roaming, the terminal may not reapply for a DHCP address. If the binding table entry is not updated after switching APs, network disconnection may occur.
4. Do not enable DHCP Snooping on access or aggregation switches. Reason: Due to the mobility of STAs, terminals may associate and obtain IP addresses whenever they pass by. However, the address table size on access and aggregation switches is typically limited, and the default aging time is 24 hours. This may easily lead to table overflow, preventing new users from obtaining IP addresses.
If DHCP Snooping cannot be disabled, the DHCP lease time for wireless users must be shortened to less than 2 hours to accelerate aging and reduce table entry consumption.

5.2.2.4.2 AC Bypass Unmanaged Switch

Scenario Introduction: The AC is connected to an unmanaged switch, and the computer is connected to the unmanaged switch with a network cable and automatically obtains an IP address to access the Internet.

Topology:

Device Login: Refer to fit AP Deployment => AC Device Login

Device configuration:
1. After logging into the web interface, the Quick Configuration will automatically pop up. Select the AC and AP directly connected topology, and then click Next (if it does not pop up, click the red "Quick Setting" text at the top right of the web page).
2. The interconnection configuration of AC and AP:
a. Customize one interface of the AC to interconnect with the unmanaged switch, this topology is customized to interconnect 1 ports with the unmanaged switch.
b. Configure the AP and AC interconnection tunnel IP; the IP is the tunnel address of the AC.
c. There is no need to configure the network configuration of the AP, just click Next.
3. Configure WiFi/WLAN.
4. Configure Internet access for wireless users, then click Finish to complete the configuration.
5. Configure the interconnection IP address of AC and core.
6. Configure the computer with the address 192.168.1.2, log in using the AC's new management IP 192.168.1.254, and then change the tunnel IP address to 192.168.1.254, an address in the same network segment as the egress router's internal network port, so that the AP establishes a tunnel with the AC at Layer 2.
Note: By default, the AC uses the loopback 0 address as the tunnel address. You can specify the tunnel IP address with capwap ctrl-ip; it must be an IP address configured on the AC.
Exit router configuration: Ensure that after the router is configured, a computer connected to the LAN port of the router automatically obtains an address in the 192.168.1.0/24 network segment and can access the external network normally.

Switch Configuration: The switch is an unmanaged switch; no configuration is required.

AP Configuration: The AP does not need any configuration. Ensure that the AP is in fit mode (the default is fit mode when the device is just unpacked) and is powered normally after being connected to the switch.

Configuration Verification
1. Check that the AP is online on the AC.
2. The terminal normally searches for the signal and successfully accesses it.
3. The terminal normally obtains the address from the router and accesses the external network.

5.2.2.4.3 AC Bypass Layer 2 Switch

Scenario Description: AC bypass Layer 2 switch, wireless user address pool gateway in the egress router, AP management segment address pool gateway in AC.

Topology:

Device Login: Refer to fit AP Deployment => AC Device Login

Device configuration:
AC configuration
1. Select the Quick Settings in the upper right corner for quick configuration.
2. Configure the interconnection configuration of AC and AP, as follows:
a. Configure the tunnel IP of AC and AP interconnection and VLAN of core interconnection. In addition, you need to create the DHCP and VLAN gateway of AP.
b. Create DHCP for AP.
c. Configure the VLAN gateway of the AP.
d. Configure the network configuration of the AP.
3. Create WiFi name and password.
4. Configure the wireless user Internet configuration, click Finish.
5. Configure the interconnection port of AC and core as trunk port.

Configuration of the egress router (It is recommended to find the corresponding switch vendor's engineer to assist in the configuration according to the following requirements).
Configure 192.168.1.1 on the port interconnecting the egress router and the Layer 2 switch, and ensure that a computer connected with a network cable automatically obtains an address in the 192.168.1.0/24 network segment and can access the external network normally.

Layer 2 switch configuration (It is recommended to find the corresponding switch vendor's engineer to assist in the configuration according to the following requirements).
1. Create VLAN 1, VLAN 20 on the Layer 2 switch.
2. Layer 2 switch and AC interconnection port configuration for trunk port (The following figure indicates that the switch 2 port and AC interconnection).
3. Layer 2 switch and AP interconnection port configured as trunk port, put through VLAN 1 and VLAN 20, and change the native VLAN setting to VLAN 20 (The figure below shows the switch's 6 ports and AP interconnection).
4. Save the configuration.

AP configuration
The AP does not need any configuration. Ensure that the AP is in fit mode (the default is fit mode when the device is just unpacked) and is powered normally after being connected to the switch.

Configuration verification:
1. Check that the AP is normally online on the AC.
2. The terminal can normally search for wireless signals and access them.
3. The terminal gets the correct address and communicates with the external network.

5.2.2.4.4 AC Bypass Core Switch

Scenario Description: AC side hung core switch, wireless user address pool gateway in the core, AP management segment address pool gateway in AC.

Topology:

Device Login: Refer to fit AP Deployment => AC Device Login

Device configuration:
AC configuration
1. Select the Quick Setting in the upper right corner for quick configuration.
2. Configure the interconnection configuration of AC and AP, as follows:
a. Configure the tunnel IP of AC and AP interconnection and VLAN of core interconnection. In addition, you need to create the DHCP and VLAN gateway of AP.
b. Create DHCP for AP.
c. Configure the VLAN gateway of the AP.
d. Configure the network configuration of the AP.
3. Create Wi-Fi name and password.
4. Configure the wireless user Internet configuration, click Finish Configuration.
5. Configure the interconnection port of AC and core as trunk port.

The configuration of the core switch (It is recommended to find the engineers of the docking switch vendor to assist in the configuration in accordance with the following requirements).
1. On the core switch, create wireless user VLAN 10 and DHCP, gateway: 192.168.10.1/24, and ensure that a computer connected to the core switch obtains a VLAN 10 address and can access the external network.
2. Create the management VLAN 20 of the AP on the core and configure the IP address as an interconnection with the AC. The interconnection port of the core and AC is configured as trunk port, put through VLAN 10 and VLAN 20 (The figure below indicates that the 2 ports of the core switch are interconnected with AC).
3. Core switch and access switch interconnection port configuration for trunk port, put through the AP management VLAN 20 (The following figure indicates that the core switch 3 port and access switch interconnection).
4. Save the configuration.

Access switch configuration (It is recommended to find the docking switch manufacturer's engineers to assist in the configuration in accordance with the following requirements).
1. Create VLAN 20 on the access switch.
2. Access switch and core switch interconnection port configuration for trunk port (The following figure indicates that the access switch 3 port interconnection with the core switch).
3. Access switch and AP interconnection port configuration for access port associated VLAN 20 (The following figure indicates that the access switch's 6 ports interconnected with the AP).
4.
Save the configuration.

AP configuration
The AP does not need any configuration. Ensure that the AP is in fit mode (the default is fit mode when the device is just unpacked) and is powered normally after being connected to the switch.

Configuration verification:
1. Check that the AP is normally online on the AC.
2. The terminal can normally search for wireless signals and access them.
3. The terminal gets the correct address and communicates with the external network.

5.2.2.4.5 AC and AP Cross-public NAT Online

Scenario Description: The AC is deployed in the headquarters and APs are installed in each division; the AC in the headquarters must be able to manage the APs in each division.

Topology:

Device Login: Refer to fit AP Deployment => AC Device Login

Device configuration:
AC configuration
1. Select the Quick Setting in the upper right corner for quick configuration.
2. Configure the tunnel IP of the AC and AP interconnection and the VLAN of the core interconnection.
3. Create Wi-Fi name and password.
4. Configure the wireless user Internet access configuration, click Finish Configuration.
5. Create VLAN 30 and configure the IP address to interconnect with the core.
6. Configure the default route from the AC to the core.
7. Configure the interconnection port between AC and core as trunk port.

Headquarters core switch configuration (It is recommended to find the corresponding switch vendor's engineers to assist in the configuration in accordance with the following requirements).
1. On the core switch, create VLAN 30 (192.168.30.1) for interconnection with the AC, and configure the core and AC interconnection port as trunk port, put through all VLANs (The following figure shows the core of the 2 ports and AC interconnection).
2.
Configure a return route on the core switch with the destination network as the AC tunnel address and the next hop as the VLAN 30 address on the AC.
3. Configure routing on the core to ensure that the tunnel address 1.1.1.1 on the AC can ping the egress router address.
4. Save configuration.

Headquarters egress router configuration (It is recommended to find an engineer from the corresponding router vendor to assist in the configuration according to the following requirements).
On the egress router, port-map the AC tunnel address 1.1.1.1 to the external network for UDP 5246 and UDP 5247.

Branch core switch configuration (It is recommended to find the corresponding switch vendor's engineer to assist in the configuration according to the following requirements).
1. Create gateway and address pool for wireless user VLAN 10.
2. Create the gateway and address pool for AP management VLAN 20, and add option 138 to the VLAN 20 address pool, set to the public address 58.64.254.253 to which the headquarters AC tunnel address 1.1.1.1 is mapped.
3. Enable the DHCP function.
4. Configure routing to ensure that the VLAN 10 and VLAN 20 segments on the core can communicate with the external network normally.
5. Configure the interconnection port with the access switch as trunk port, and put through VLAN 10 and VLAN 20 (The figure below shows that the division core switch and access switch are interconnected through 3 ports).
6. Save configuration.

Branch access switch configuration (It is recommended to find the corresponding switch vendor's engineer to assist in the configuration according to the following requirements).
1. Create VLAN 10 and VLAN 20 on the access switch.
2.
The interconnection port between the access switch and the core switch is configured as trunk port, put through VLAN 10 and VLAN 20 (The figure below shows the interconnection between the 3 ports of the branch access switch and the branch core switch).
3. The interconnection port of the access switch and the AP is configured as trunk port, put through VLAN 10 and 20, and configure native VLAN 20 (The figure below shows the interconnection of port 6 of the division access switch with the AP).
4. Save configuration.

Branch exit router configuration (It is recommended to find the corresponding router vendor's engineer to assist in the configuration according to the following requirements).
1. Ensure that the internal network segments VLAN 10 and VLAN 20 can communicate with the external network normally.
2. Put through UDP ports 5246 and 5247.

AP configuration
The AP does not need any configuration. Ensure that the AP is in fit mode (the default is fit mode when the device is just unpacked) and is powered normally after being connected to the switch.

Configuration verification:
1. Check that the AP is normally online on the AC.
2. The terminal can normally search for wireless signals and access them.
3. The terminal obtains the correct address and communicates with the external network.

5.2.3 Fit AP Configuration - Command Line Method

5.2.3.1 Wireless Signal Settings

5.2.3.1.1 Fit AP single wireless signal configuration

1. Application scenario description
When there are a large number of APs in the wireless network and they need to be managed and configured in a unified manner.
Advantages: Enable centralized configuration and management of APs through the AC (Access Controller), including configuration deployment, firmware upgrades, and device reboot.
Disadvantages: Require the addition of an AC device and extra wired network configuration; devices from different vendors are not compatible.
2.
Configuration cases

Networking requirements
All wireless APs are configured and managed through the AC. All wireless APs can send signals and accept wireless clients.

a. Network topology

b. Configuration points
Make sure the AC wireless switch and the AP run the same software version; use FS>show version to check.
Make sure the AP is working in fit mode; use FS>show ap-mode to verify. If it shows fat mode, the following command is required to change it:
FS>ap-mode fit ------> Modify to fit mode
After the AP mode is switched, the device reboots automatically for the change to take effect. The device factory default is fit mode.

c. Configuration steps

AC configuration
VLAN configuration, create user VLAN and interconnect VLAN:
FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#VLAN 20------>User's VLAN
FS(config-VLAN)#exit
FS(config)#VLAN 30------>AC and core switch (SW1) interconnected VLAN
FS(config-VLAN)#exit
Configure the user's VLAN for the purpose of associating with the WLAN:
FS(config)#interface VLAN 20 ------>The user's SVI interface, the user gateway is recommended to be configured on the core switch, this interface can be configured without the address
FS(config-int-VLAN)#ip add 192.168.20.2 255.255.255.0 ----->(optional configuration), you can test the connectivity of the wireless user's VLAN to the gateway
FS(config-int-VLAN)#exit
WLAN-config configuration, create SSID
FS(config)#WLAN-config 1 FS_WIFI ------->Configure WLAN-config , id is 1, SSID (wireless signal) is FS_WIFI, and broadcast SSID is allowed by default.
FS(config-WLAN)#exit
ap-group configuration, associated WLAN-config and user VLAN
FS(config)#ap-group default------->The default group is associated with all APs by default
FS(config-ap-group)#interface-mapping 1 20 ------->Associate WLAN-config 1 with VLAN 20, with "1" being WLAN-config and "20" being VLAN
FS(config-ap-group)#exit
Note: By default all APs are associated with the ap-group default group. To use a newly defined ap-group, configure ap-group xx in the corresponding ap-config. On first deployment, the ap-config name of each AP is by default the MAC address of the AP (the MAC on the sticker on the back, not the Ethernet interface MAC).
Configure routing and AC interface addresses:
FS(config)#ip route 0.0.0.0 0.0.0.0 192.168.30.1 ------->Default route , 192.168.30.1 is the address of the core switch
FS(config)#interface VLAN 30------->The VLAN used to connect to the core switch
FS(config-int-VLAN)#ip address 192.168.30.2 255.255.255.0
FS(config-int-VLAN)#exit
FS(config)#interface loopback 0
FS(config-int-loopback)#ip address 1.1.1.1 255.255.255.0 ------->The default is loopback 0, used for ap to find the address of ac, option138 field in DHCP
FS(config-int-loopback)#exit
FS(config)#interface GigabitEthernet 0/1
FS(config-int-GigabitEthernet 0/1)#switchport mode trunk ------->Interface to the core switch
Save configuration:
FS(config-int-GigabitEthernet 0/1)#end------>Exit to privileged mode
FS#write------>Confirm that the configuration is correct and save it

Configuration of core switch SW1
VLAN configuration, create user VLAN and interconnect VLAN:
FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#VLAN 10 ------>ap's VLAN
FS(config-VLAN)#exit
FS(config)#VLAN 20------>User's VLAN
FS(config-VLAN)#exit
FS(config)#VLAN 30------>The VLAN of the core switch (SW1) interconnected with AC
FS(config-VLAN)#exit
Configure the interface and interface address:
FS(config)# interface GigabitEthernet 0/1
FS(config-int-GigabitEthernet 0/1)#switchport mode trunk ------->Interface to AC wireless controller
FS(config-int-GigabitEthernet 0/1)#exit
FS(config)#interface GigabitEthernet 0/2
FS(config-int-GigabitEthernet 0/2)#switchport mode trunk------->Interface to the access switch (SW2)
FS(config-int-GigabitEthernet 0/2)#exit
FS(config)#interface VLAN 10 ------>The gateway for the ap to establish the tunnel is used for DHCP addressing of the AP. If the address is not configured then the AP will not get the IP
FS(config-int-VLAN)#ip address 192.168.10.1 255.255.255.0
FS(config-int-VLAN)#interface VLAN 20 ------->The gateway address of the wireless user. If the address is not configured then the wireless user will not get the IP
FS(config-int-VLAN)#ip address 192.168.20.1 255.255.255.0
FS(config-int-VLAN)#interface VLAN 30 ------->Interconnection address with AC wireless switch
FS(config-int-VLAN)#ip address 192.168.30.1 255.255.255.0
FS(config-int-VLAN)#exit
Configuring DHCP for APs:
FS(config)#service dhcp ------->Turn on DHCP service
FS(config)#ip dhcp pool ap_fs ------->Create a DHCP address pool with the name ap_fs
FS(config-dhcp)#option 138 ip 1.1.1.1 ------->Configure the option field to specify the address of the AC, which is the loopback 0 address of the AC
FS(config-dhcp)#network 192.168.10.0 255.255.255.0 ------->Address assigned to ap
FS(config-dhcp)#default-route 192.168.10.1 ------->The gateway address assigned to the ap
FS(config-dhcp)#exit
Note: The option field, network segment and gateway in the DHCP pool of the AP must be configured correctly, otherwise the AP will not get the DHCP information and cannot establish the tunnel.
Configure DHCP for wireless users:
FS(config)#ip dhcp pool user_fs ------> Configure the DHCP address pool with the name user_fs
FS(config-dhcp)#network 192.168.20.0 255.255.255.0 ------> Addresses assigned to wireless users
FS(config-dhcp)#default-route 192.168.20.1 ------> Gateway distributed to wireless users
FS(config-dhcp)#dns-server 8.8.8.8 ------> The DNS assigned to the wireless user
FS(config-dhcp)#exit

Configure static routes:
FS(config)#ip route 1.1.1.1 255.255.255.255 192.168.30.2 ------> Configure a static route that specifies the path to loopback 0 of the AC

Save configuration:
FS(config)#exit ------> Exit to privileged mode
FS#write ------> Confirm that the configuration is correct and save it

Access switch SW2 configuration

VLAN configuration, create the AP VLAN (the access switch only needs the AP VLAN):
FS>enable ------> Enter privileged mode
FS#configure terminal ------> Enter global configuration mode
FS(config)#VLAN 10 ------> AP's VLAN
FS(config-VLAN)#exit

Configure the interfaces:
FS(config)#interface GigabitEthernet 0/1
FS(config-int-GigabitEthernet 0/1)#switchport access VLAN 10 ------> The interface connected to the AP is assigned to the VLAN of the AP.
FS(config-int-GigabitEthernet 0/1)#exit
FS(config)#interface GigabitEthernet 0/2
FS(config-int-GigabitEthernet 0/2)#switchport mode trunk ------> Interface to the core switch

Save configuration:
FS(config-int-GigabitEthernet 0/2)#end ------> Exit to privileged mode
FS#write ------> Confirm that the configuration is correct and save it

d. Verification commands
Use the wireless client to connect to the wireless network.
Use the following command on the wireless switch to view the AP configuration:
FS#show ap-config summary
========= show ap status =========
Radio: E = enabled, D = disabled, N = Not exist
       Current Sta number
       Channel: * = Global
       Power Level = Percent
Online AP number: 1
Offline AP number: 0
AP Name         IP Address    Mac Address     Radio 1      Radio 2       Up/Off time  State
--------------  ------------  --------------  -----------  ------------  -----------  -----
649d.99d0.1f5f  192.168.10.2  649d.99d0.1f5f  E 1 6* 100   E 0 153* 100  0:09:04:28   Run

View the wireless clients associated with the WLAN:
FS#show ac-config client by-ap-name
========= show sta status =========
AP: ap name/radio id
Status: Speed/Power Save/Work Mode, E = enable power save, D = disable power save
Total Sta Num : 1
STA MAC         IPV4 Address  AP                WLAN  VLAN  Status      Asso Auth  Net Auth  Up time
--------------  ------------  ----------------  ----  ----  ----------  ---------  --------  ----------
6809.27b0.169f  192.168.20.2  649d.99d0.1f5f/1  1     20    58.0M/D/bn  WPA2_PSK             0:00:11:21

5.2.3.1.2 Fit AP multiple wireless signal configuration

1. Application scenario description
Used when there are a large number of APs in the wireless network and they need to be managed and configured in a unified manner.
Advantages: unified configuration and management of APs through the AC (AP controller), including configuration issuance, upgrade, restart, etc.
Disadvantages: requires an additional network device (the AC), adds configuration to the wired network, and equipment from different vendors is not compatible.

2. Configuration cases

Networking requirements
All wireless APs are configured and managed through AC downlink.
All wireless APs can send multiple signals and access wireless clients.

a. Network topology (image)

b. Configuration points
Make sure the AC wireless switch and the AP run the same software version; use FS>show version to view it.
Each wireless signal is associated with one VLAN; that is, a VLAN carries only one signal, and different signals use different VLANs.
Make sure the AP is working in fit mode; use FS>show ap-mode to verify. If it shows fat mode, the following command is needed to change it:
FS>ap-mode fit ------> Modify to fit mode
After the AP mode is switched, the device reboots automatically for the change to take effect. The device is factory defaulted to fit mode.

c. Configuration steps

AC configuration

VLAN configuration, create user VLAN and interconnect VLAN:
FS>enable ------> Enter privileged mode
FS#configure terminal ------> Enter global configuration mode
FS(config)#VLAN 20 ------> User's VLAN
FS(config-VLAN)#exit
FS(config)#VLAN 30 ------> VLAN of user 2
FS(config-VLAN)#exit
FS(config)#VLAN 40 ------> AC and core switch (SW1) interconnected VLAN
FS(config-VLAN)#exit

Configure the user's VLAN for the purpose of associating with the WLAN:
FS(config)#interface VLAN 20 ------> The user's SVI interface. The user gateway is recommended to be configured on the core switch, so this interface can be configured without an address
FS(config-int-VLAN)#ip add 192.168.20.2 255.255.255.0 ------> (Optional configuration) lets you test the connectivity of the wireless user's VLAN to the gateway
FS(config-int-VLAN)#exit
FS(config)#interface VLAN 30 ------> The user's SVI interface. The user gateway is recommended to be configured on the core switch, so this interface can be configured without an address
FS(config-int-VLAN)#ip add 192.168.30.2 255.255.255.0 ------> (Optional configuration) lets you test the connectivity of wireless user 2's VLAN to the gateway
FS(config-int-VLAN)#exit

WLAN-config configuration, create SSID:
FS(config)#WLAN-config 1 FS_WIFI ------> Configure WLAN-config; id is 1, SSID (wireless signal) is FS_WIFI, and broadcast SSID is allowed by default.
FS(config-WLAN)#exit
FS(config)#WLAN-config 2 FS_WIFI2 ------> Configure WLAN-config; id is 2, SSID (wireless signal) is FS_WIFI2, and broadcast SSID is allowed by default.
FS(config-WLAN)#exit

ap-group configuration, associate WLAN-config and user VLAN (if there are multiple WLAN-config entries, they can be associated in one ap-group; different WLAN-config entries can be associated with the same VLAN):
FS(config)#ap-group default
FS(config-ap-group)#interface-mapping 1 20 ------> Associate WLAN-config 1 with VLAN 20, with "1" being WLAN-config and "20" being VLAN
FS(config-ap-group)#interface-mapping 2 30 ------> Associate WLAN-config 2 with VLAN 30, with "2" being WLAN-config and "30" being VLAN
FS(config-ap-group)#exit

Note: By default all APs are associated with the ap-group default group. To use a newly defined ap-group, configure ap-group xx in the corresponding ap-config. On first deployment, the ap-config name of each AP is by default the MAC address of the AP (the MAC on the sticker on the back, not the Ethernet interface MAC).
Configure routing and AC interface addresses:
FS(config)#ip route 0.0.0.0 0.0.0.0 192.168.40.1 ------> Default route; 192.168.40.1 is the address of the core switch VLAN 40
FS(config)#interface VLAN 40 ------> The VLAN used to connect to the core switch
FS(config-int-VLAN)#ip address 192.168.40.2 255.255.255.0
FS(config-int-VLAN)#exit

Configure the loopback 0 address of the AC (the address the AP connects to):
FS(config)#interface loopback 0
FS(config-int-loopback)#ip address 1.1.1.1 255.255.255.0 ------> The default is loopback 0; the AP uses this address to find the AC (option 138 field in DHCP)
FS(config-int-loopback)#exit

Configure the interface to the core switch:
FS(config)#interface GigabitEthernet 0/1
FS(config-int-GigabitEthernet 0/1)#switchport mode trunk ------> Interface to the core switch

Save configuration:
FS(config-int-GigabitEthernet 0/1)#end ------> Exit to privileged mode
FS#write ------> Confirm that the configuration is correct and save it

Configuration of core switch SW1

VLAN configuration, create user VLAN and interconnect VLAN:
FS>enable ------> Enter privileged mode
FS#configure terminal ------> Enter global configuration mode
FS(config)#VLAN 10 ------> AP's VLAN
FS(config-VLAN)#exit
FS(config)#VLAN 20 ------> VLAN of user 1
FS(config-VLAN)#exit
FS(config)#VLAN 30 ------> VLAN of user 2
FS(config-VLAN)#exit
FS(config)#VLAN 40 ------> VLAN for interconnection between the core switch (SW1) and the AC
FS(config-VLAN)#exit

Configure the interface and interface address:
FS(config)#interface GigabitEthernet 0/1
FS(config-int-GigabitEthernet 0/1)#switchport mode trunk ------> Interface to AC wireless controller
FS(config-int-GigabitEthernet 0/1)#exit
FS(config)#interface GigabitEthernet 0/2
FS(config-int-GigabitEthernet 0/2)#switchport mode trunk ------> Interface to the access switch
FS(config-int-GigabitEthernet 0/2)#exit
FS(config)#interface VLAN 10 ------> The gateway the AP uses to establish the tunnel, also used for DHCP addressing of the AP. If the address is not configured, the AP will not get an IP
FS(config-int-VLAN)#ip address 192.168.10.1 255.255.255.0
FS(config-int-VLAN)#exit
FS(config)#interface VLAN 20 ------> Gateway address of VLAN 20, wireless user 1
FS(config-int-VLAN)#ip address 192.168.20.1 255.255.255.0
FS(config-int-VLAN)#exit
FS(config)#interface VLAN 30 ------> Gateway address of VLAN 30, wireless user 2
FS(config-int-VLAN)#ip address 192.168.30.1 255.255.255.0
FS(config-int-VLAN)#exit
FS(config)#interface VLAN 40 ------> Interconnection address with AC wireless switch
FS(config-int-VLAN)#ip address 192.168.40.1 255.255.255.0
FS(config-int-VLAN)#exit

Configuring DHCP for APs:
FS(config)#service dhcp ------> Turn on DHCP service
FS(config)#ip dhcp pool ap_fs ------> Create a DHCP address pool with the name ap_fs
FS(config-dhcp)#option 138 ip 1.1.1.1 ------> Configure the option field to specify the address of the AC, which is the loopback 0 address of the AC
FS(config-dhcp)#network 192.168.10.0 255.255.255.0 ------> Address assigned to the AP
FS(config-dhcp)#default-route 192.168.10.1 ------> The gateway address assigned to the AP
FS(config-dhcp)#exit

Note: The option field, network segment and gateway in the DHCP pool of the AP must be configured correctly; otherwise the AP will not get the DHCP information and cannot establish the tunnel.
Configure DHCP for wireless users:
FS(config)#ip dhcp pool user_fs ------> Configure the DHCP address pool with the name user_fs
FS(config-dhcp)#network 192.168.20.0 255.255.255.0 ------> Addresses assigned to wireless users
FS(config-dhcp)#default-route 192.168.20.1 ------> Gateway distributed to wireless users
FS(config-dhcp)#dns-server 8.8.8.8 ------> The DNS assigned to the wireless user
FS(config-dhcp)#exit
FS(config)#ip dhcp pool user_fs2 ------> Configure the DHCP address pool with the name user_fs2
FS(config-dhcp)#network 192.168.30.0 255.255.255.0 ------> Addresses assigned to wireless users
FS(config-dhcp)#default-route 192.168.30.1 ------> Gateway distributed to wireless users
FS(config-dhcp)#dns-server 8.8.8.8 ------> The DNS assigned to the wireless user
FS(config-dhcp)#exit

Configure a static route:
FS(config)#ip route 1.1.1.1 255.255.255.0 192.168.40.2 ------> Configure a static route that specifies the path to loopback 0 of the AC

Save configuration:
FS(config)#exit ------> Exit to privileged mode
FS#write ------> Confirm that the configuration is correct and save it

Access switch SW2 configuration

VLAN configuration, create the AP VLAN (the access switch only needs the AP VLAN):
FS>enable ------> Enter privileged mode
FS#configure terminal ------> Enter global configuration mode
FS(config)#VLAN 10 ------> AP's VLAN
FS(config-VLAN)#exit

Configure the interfaces:
FS(config)#interface GigabitEthernet 0/1
FS(config-int-GigabitEthernet 0/1)#switchport access VLAN 10 ------> The interface connected to the AP is assigned to the VLAN of the AP.
FS(config-int-GigabitEthernet 0/1)#exit
FS(config)#interface GigabitEthernet 0/2
FS(config-int-GigabitEthernet 0/2)#switchport mode trunk ------> Interface to the core switch

Save configuration:
FS(config-int-GigabitEthernet 0/2)#end ------> Exit to privileged mode
FS#write ------> Confirm that the configuration is correct and save it

d. Verification commands
Use the wireless client to connect to the wireless network.
Use the following command on the wireless switch to view the AP configuration:
FS#show ap-config summary
========= show ap status =========
Radio: E = enabled, D = disabled, N = Not exist
       Current Sta number
       Channel: * = Global
       Power Level = Percent
Online AP number: 1
Offline AP number: 0
AP Name         IP Address    Mac Address     Radio 1      Radio 2       Up/Off time  State
--------------  ------------  --------------  -----------  ------------  -----------  -----
649d.99d0.2c2a  192.168.10.2  649d.99d0.2c2a  E 1 6* 100   E 0 153* 100  0:19:24:38   Run

View the wireless clients associated with the WLAN:
FS#show ac-config client by-ap-name
========= show sta status =========
AP: ap name/radio id
Status: Speed/Power Save/Work Mode, E = enable power save, D = disable power save
Total Sta Num : 1
STA MAC         IPV4 Address  AP                WLAN  VLAN  Status      Asso Auth  Net Auth  Up time
--------------  ------------  ----------------  ----  ----  ----------  ---------  --------  ----------
6809.27b0.169f  192.168.20.2  649d.99d0.2c2a/1  1     20    58.0M/D/bn  WPA2_PSK             0:03:21:41
8ca9.829a.b1ea  192.168.30.2  649d.99d0.2c2a/1  2     30    58.0M/D/bn  WPA2_PSK             0:03:22:31

The AC has a wireless signal configured, but the AP fails to broadcast it. On checking, the AP supports 14 SSIDs, but an ap-WLAN-id associated under the ap-group to which it belongs has already reached 15. The customer had previously deleted other associations from the ap-group, which left the ap-WLAN-id outside the range the AP supports, so the signal is not delivered to the AP. The example is as follows:
ap-group default
 interface-mapping 1 20 ap-WLAN-id 1
 interface-mapping 2 20 ap-WLAN-id 14
 interface-mapping 3 20 ap-WLAN-id 15
The mapping that is not delivered is the third one, which corresponds to ap-WLAN-id 15. 15 exceeds the number of SSIDs supported by the AP, so this one will not be sent.
After removing the association and re-adding it with interface-mapping WLAN-id VLAN-id, the automatically generated ap-WLAN-id becomes 2, which is within the range the AP supports, and the signal is transmitted successfully. In addition, a single AP should generally not carry so many signals, because they occupy air interface resources.

5.2.3.1.3 AC Direct Connect AP Deployment Configuration

1. Application scenario description
Used when there are a large number of APs in the wireless network and they need to be managed and configured in a unified manner.
Advantages: unified configuration and management of APs through the AC (AP controller), including configuration issuance, upgrade, restart, etc.
Disadvantages: requires an additional network device (the AC), adds configuration to the wired network, and equipment from different vendors is not compatible.

2. Configuration cases

Networking requirements
The AP connects directly to the AC, or the AP connects to an unmanaged switch that then connects to the AC. This solution is generally used in test environments.

a. Network topology (image)
AC loopback 0 address: 1.1.1.1
Wireless user VLAN: VLAN 1, 172.16.1.0 255.255.255.0, gateway address 172.16.1.1
AP VLAN: VLAN 2, 172.16.2.0 255.255.255.0, gateway address 172.16.2.1

b. Configuration points
Make sure the AC wireless switch and the AP run the same software version; use FS>show version to check.
Make sure the AP is working in fit mode; use FS>show ap-mode to verify. If it shows fat mode, the following command is required to change it:
FS>ap-mode fit ------> Modify to fit mode
After the AP mode is switched, the device reboots automatically for the change to take effect. The device is factory defaulted to fit mode.

c. Configuration steps

AC configuration

VLAN configuration, create user VLAN and interconnect VLAN:
FS>enable ------> Enter privileged mode
FS#configure terminal ------> Enter global configuration mode
FS(config)#VLAN 20 ------> User's VLAN
FS(config-VLAN)#exit
FS(config)#VLAN 2 ------> AP's VLAN
FS(config-VLAN)#exit

Configure AP gateway, wireless user gateway and loopback 0 address:
FS(config)#interface VLAN 1 ------> SVI interface for users
FS(config-int-VLAN)#ip address 172.16.1.1 255.255.255.0
FS(config-int-VLAN)#exit
FS(config)#interface VLAN 2 ------> AP's gateway
FS(config-int-VLAN)#ip address 172.16.2.1 255.255.255.0
FS(config-int-VLAN)#exit
FS(config)#interface loopback 0
FS(config-int-loopback)#ip address 1.1.1.1 255.255.255.0 ------> The default is loopback 0; the AP uses this address to find the AC (option 138 field in DHCP)
FS(config-int-loopback)#exit

Configure the wireless signal

WLAN-config configuration, create SSID:
FS(config)#WLAN-config 1 FS-test ------> Configure WLAN-config with id 1; SSID (wireless signal) is FS-test, and broadcast SSID is allowed by default.
FS(config-WLAN)#exit

ap-group configuration, associate WLAN-config and user VLAN:
FS(config)#ap-group default
FS(config-ap-group)#interface-mapping 1 1 ------> Associate WLAN-config 1 with VLAN 1
FS(config-ap-group)#exit

Note: By default all APs are associated with the ap-group default group. To use a newly defined ap-group, configure ap-group xx in the corresponding ap-config. On first deployment, the ap-config name of each AP is by default the MAC address of the AP (the MAC on the sticker on the back, not the Ethernet interface MAC).
Configure the VLAN of the interface through which the AC connects to the AP:
FS(config)#interface GigabitEthernet 0/1
FS(config-int-GigabitEthernet 0/1)#switchport access VLAN 2 ------> Interface connected to the AP; assign the interface to the AP's VLAN
FS(config-int-GigabitEthernet 0/1)#exit

Configure DHCP for the AP:
FS(config)#service dhcp ------> Enable DHCP service
FS(config)#ip dhcp pool ap_fs ------> Create a DHCP address pool with the name ap_fs
FS(config-dhcp)#option 138 ip 1.1.1.1 ------> Configure the option field to specify the address of the AC, which is the loopback 0 address of the AC
FS(config-dhcp)#network 172.16.2.0 255.255.255.0 ------> Address assigned to the AP
FS(config-dhcp)#default-route 172.16.2.1 ------> Gateway address assigned to the AP
FS(config-dhcp)#exit

Note: The option field, network segment and gateway in the DHCP pool of the AP must be configured correctly; otherwise the AP will not get the DHCP information and cannot establish the tunnel.

Configure DHCP for wireless users:
FS(config)#ip dhcp pool user_fs ------> Configure a DHCP address pool with the name user_fs
FS(config-dhcp)#network 172.16.1.0 255.255.255.0 ------> Address assigned to the wireless user
FS(config-dhcp)#default-route 172.16.1.1 ------> Gateway assigned to the wireless user
FS(config-dhcp)#dns-server 8.8.8.8 ------> DNS assigned to the wireless user
FS(config-dhcp)#exit

Save the configuration:
FS(config)#exit ------> Exit to privileged mode
FS#write ------> Confirm that the configuration is correct and save it

Note: Depending on the network environment, the AC also needs a management address, a default route and other settings for interconnection with the upstream network, and the upstream network needs the relevant configuration so that the wireless user network segment can reach external networks.

d. Verification commands
Use the wireless client to connect to the wireless network.
Use the following command on the wireless switch to view the AP configuration:
FS#show ap-config summary
========= show ap status =========
Radio: E = enabled, D = disabled, N = Not exist
       Current Sta number
       Channel: * = Global
       Power Level = Percent
Online AP number: 1
Offline AP number: 0
AP Name         IP Address    Mac Address     Radio 1      Radio 2       Up/Off time  State
--------------  ------------  --------------  -----------  ------------  -----------  -----
649d.99d0.2c2a  172.16.2.2    649d.99d0.2c2a  E 1 6* 100   E 0 153* 100  0:06:03:00   Run

View wireless clients associated with the WLAN:
FS#show ac-config client by-ap-name
========= show sta status =========
AP: ap name/radio id
Status: Speed/Power Save/Work Mode, E = enable power save, D = disable power save
Total Sta Num : 1
STA MAC  IPV4 Address  AP  WLAN  VLAN  Status  Asso Auth  Net Auth  Up time
--------------  ---------------  ----------------  ----  ----  --------------  ---------  ---------  -------------
6809.27b0.169f  172.16.1.2  649d.99d0.2c2a/112 30 0.0M/D/bn  WPA2_PSK  0:00:01:01

5.2.3.1.4 AC and AP deployment configuration on different NAT intranets

1. Application Scenario Description
Used when there are many APs in the wireless network and they need to be managed and configured in a unified way.
Advantages: unified configuration and management of APs through the AC (AP controller), including configuration issuance, upgrade, restart, etc.
Disadvantages: requires an additional network device (the AC), adds configuration to the wired network, and equipment from different vendors is not compatible.

2. Configuration cases

Networking requirements
All wireless APs are configured and managed through AC downlink.
All wireless APs can send signals and access wireless clients.

a. Network topology (image)

b. Configuration points
Make sure the AC wireless switch and the AP run the same software version; use FS>show version to check.
Make sure the AP is working in fit mode; use FS>show ap-mode to verify. If it shows fat mode, the following command is required to change it:
FS>ap-mode fit ------> Modify to fit mode
After the AP mode is switched, the device reboots automatically for the change to take effect. The device is in fit mode by factory default.

Recommended configuration process:
Configure the network at the AC so that the network connectivity of the AC is normal;
Map the capwap address of the AC on the egress router so that the AP can establish a tunnel through the mapped address;
Configure the network where the AP is located (including interfaces, VLAN, addresses, DHCP, etc.) so that the AP's network connectivity is normal;
Configure the egress router where the AP is located to do NAT on the data of the wireless user and the AP, so that the AP can reach the public address to which the AC is mapped and establish a tunnel, while the wireless user can also communicate with other addresses.

c. Configuration steps

Wireless controller AC configuration

VLAN configuration, create user VLAN and interconnect VLAN:
FS>enable ------> Enter privileged mode
FS#configure terminal ------> Enter global configuration mode
FS(config)#VLAN 1 ------> VLAN that interconnects the AC with the uplink device
FS(config-VLAN)#exit
FS(config)#VLAN 200 ------> VLAN of the user
FS(config-VLAN)#exit

WLAN-config configuration, create SSID:
FS(config)#WLAN-config 1 NAT ------> Configure WLAN-config; id is 1, SSID (wireless signal) is NAT, and broadcast SSID is allowed by default.
FS(config-WLAN)#tunnel local ------> Enable local forwarding (optional configuration); local forwarding is recommended for environments with NAT
FS(config-WLAN)#exit

ap-group configuration, associate WLAN-config and user VLAN:
FS(config)#ap-group default
FS(config-ap-group)#interface-mapping 1 200 ------> Associate WLAN-config 1 with VLAN 200; "1" is the WLAN-config, "200" is the VLAN of the wireless user
FS(config-ap-group)#exit

Note: By default all APs are associated with the ap-group default group. To use a newly defined ap-group, configure ap-group xx in the corresponding ap-config. On first deployment, the ap-config name of each AP is by default the MAC address of the AP (the MAC on the sticker on the back, not the Ethernet interface MAC).

Configure the AC uplink interface address and capwap tunnel address:
FS(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254 ------> Default route; 192.168.1.254 is the address of the uplink device
FS(config)#interface VLAN 1 ------> VLAN used to interconnect with the uplink
FS(config-if-VLAN)#ip address 192.168.1.253 255.255.255.0
FS(config-if-VLAN)#exit
FS(config)#interface loopback 0 ------> The capwap address is the loopback 0 address by default
FS(config-if-loopback)#ip address 1.1.1.1 255.255.255.255 ------> The egress router needs to map this IP address for the tunnel to be established
FS(config-if-loopback)#exit
FS(config)#interface GigabitEthernet 0/1
FS(config-if-GigabitEthernet 0/1)#switchport mode trunk ------> Interface to interconnect with the uplink device

Save configuration:
FS(config-if-GigabitEthernet 0/1)#end ------> Exit to privileged mode
FS#write ------> Confirm that the configuration is correct and save it

Other configurations of the network where the AC is located
Configure the network between the AC and the egress router, so that the AC capwap address (loopback 0 address) can be translated and forwarded out through the router NAT.
Configuration points:
Configure routing, VLAN, interface and other information to allow normal connectivity between intranet devices;
Configure port mapping on the egress router: map UDP ports 5246 and 5247 of the AC's capwap address (loopback 0 address) to the public address, so that the AP can establish capwap through the public address.

Configuration of access switch SW1:
FS>enable ------> Enter privileged mode
FS#configure terminal ------> Enter global configuration mode
FS(config)#VLAN 100 ------> Create AP VLAN
FS(config-VLAN)#VLAN 200 ------> Create wireless user VLAN
FS(config-VLAN)#exit
FS(config)#interface gigabitEthernet 0/1 ------> Interface to the AP
FS(config-if-GigabitEthernet 0/1)#poe enable ------> Optional configuration, enable POE function (requires the switch to support POE)
FS(config-if-GigabitEthernet 0/1)#switchport mode trunk ------> Configured as trunk to allow this interface to pass the AP and wireless user VLANs
FS(config-if-GigabitEthernet 0/1)#switchport trunk native VLAN 100 ------> Configure the VLAN to which the AP belongs as native VLAN
FS(config-if-GigabitEthernet 0/1)#exit
FS(config)#interface gigabitEthernet 0/2 ------> Interface to the uplink core switch
FS(config-if-GigabitEthernet 0/2)#switchport mode trunk ------> Configured as trunk to allow this interface to pass the AP and wireless user VLANs
FS(config-if-GigabitEthernet 0/2)#end ------> Exit to privileged mode
FS#write ------> Confirm that the configuration is correct and save it

Configuration of core switch SW2

VLAN configuration, create user VLAN, interconnect VLAN with router and AP VLAN:
FS>enable ------> Enter privileged mode
FS#configure terminal ------> Enter global configuration mode
FS(config)#VLAN 10 ------> Interconnect VLAN of core switch and uplink router for Layer 3 forwarding
FS(config-VLAN)#exit
FS(config)#VLAN 100 ------> VLAN of the AP for establishing tunnels
FS(config-VLAN)#exit
FS(config)#VLAN 200 ------> VLAN to which the wireless user belongs
FS(config-VLAN)#exit

Configure the gateway address and interconnection address of the VLAN:
FS(config)#interface VLAN 10 ------> Interconnection address with the egress router
FS(config-if-VLAN)#ip address 192.168.10.254 255.255.255.0
FS(config-if-VLAN)#exit
FS(config)#interface VLAN 100 ------> Gateway address of the AP
FS(config-if-VLAN)#ip address 192.168.100.254 255.255.255.0
FS(config-if-VLAN)#exit
FS(config)#interface VLAN 200 ------> Gateway address of wireless user
FS(config-if-VLAN)#ip address 192.168.200.254 255.255.255.0
FS(config-if-VLAN)#exit

Configure the interface:
FS(config)#interface GigabitEthernet 0/1 ------> Interface connected to the router; VLAN1 is used by default
FS(config-if-GigabitEthernet 0/1)#switchport access VLAN 10 ------> The uplink interface belongs to this VLAN
FS(config-if-GigabitEthernet 0/1)#exit
FS(config)#interface GigabitEthernet 0/2
FS(config-if-GigabitEthernet 0/2)#switchport mode trunk ------> Interconnect interface between core and access switch, passing the wireless user and AP VLANs
FS(config-if-GigabitEthernet 0/2)#exit

Configure DHCP for the AP:
FS(config)#service dhcp ------> Enable DHCP service
FS(config)#ip dhcp pool AP_VLAN ------> Configure the DHCP address pool with the name AP_VLAN
FS(dhcp-config)# option 138 ip 192.168.51.97 ------> Specifies the address with which the AP establishes the tunnel, which is the public address after the AC address is mapped
FS(dhcp-config)# network 192.168.100.0 255.255.255.0 ------> Address assigned to the AP
FS(dhcp-config)# default-router 192.168.100.254 ------> Gateway assigned to the AP
FS(dhcp-config)#exit

Note: The option field, network segment and gateway in the DHCP pool of the AP must be configured correctly; otherwise the AP will not get the DHCP information and cannot establish the tunnel.
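
The Note on the AP address pool, repeated in each deployment case above, can be checked before any AP is plugged in. The Python sketch below is an added example, not FS tooling: it reads a pasted CLI transcript and verifies that the AP pool carries option 138 pointing at the expected AC address (the loopback 0 address, or the mapped public address in the NAT case), a valid network, and a gateway that lies in that network and is owned by an interface of the same device. The function names and the transcript cleaner are this example's own; the sample lines are taken from the NAT case on this page with the annotations shortened.

```python
import ipaddress
import re

# Constructed from the NAT case on this page (core switch SW2): prompts kept,
# "------>" annotations shortened.
SAMPLE_TRANSCRIPT = """\
FS(config)#interface VLAN 100 -------> Gateway address of the AP
FS(config-if-VLAN)#ip address 192.168.100.254 255.255.255.0
FS(config-if-VLAN)#exit
FS(config)#service dhcp------->Enable DHCP service
FS(config)#ip dhcp pool AP_VLAN ------->Configure the DHCP address pool
FS(dhcp-config)# option 138 ip 192.168.51.97 ---- public address of the AC
FS(dhcp-config)# network 192.168.100.0 255.255.255.0 -------> AP addresses
FS(dhcp-config)# default-router 192.168.100.254 -------> AP gateway
FS(dhcp-config)#exit
"""

PROMPT = re.compile(r"^[A-Za-z][\w.-]*(\([^)]*\))?[#>]\s*")  # "FS(config-dhcp)#", "FS>"
NOTE = re.compile(r"\s*-{3,}>?.*$")                          # trailing "------>comment"


def clean(line):
    """Strip a CLI prompt and a trailing annotation from one transcript line."""
    return NOTE.sub("", PROMPT.sub("", line.strip())).strip()


def _ip(text):
    """Return an IP address object, or None when the text is not a valid address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse(config_text):
    """Collect interface addresses and DHCP pools from a transcript or plain config."""
    svis, pools, ctx = {}, {}, None
    for raw in config_text.splitlines():
        cmd = clean(raw)
        if cmd.lower() in ("exit", "end"):
            ctx = None
        elif m := re.fullmatch(r"interface\s+(.+)", cmd, re.I):
            ctx = ("iface", m.group(1).lower())
        elif m := re.fullmatch(r"ip dhcp pool\s+(\S+)", cmd, re.I):
            ctx = ("pool", m.group(1))
            pools.setdefault(m.group(1), {})
        elif ctx and ctx[0] == "iface":
            if m := re.fullmatch(r"ip add(?:ress)?\s*([\d.]+)\s+([\d.]+)", cmd, re.I):
                try:
                    svis[ctx[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                except ValueError:
                    pass  # malformed address: the interface simply owns nothing
        elif ctx and ctx[0] == "pool":
            pool = pools[ctx[1]]
            if m := re.fullmatch(r"option\s+138\s+ip\s+([\d.]+)", cmd, re.I):
                pool["option138"] = _ip(m.group(1))
            elif m := re.fullmatch(r"network\s+([\d.]+)\s+([\d.]+)", cmd, re.I):
                pool["network"] = f"{m.group(1)}/{m.group(2)}"
            elif m := re.fullmatch(r"default-router?\s+([\d.]+)", cmd, re.I):
                pool["gateway"] = _ip(m.group(1))  # page uses both spellings
    return svis, pools


def lint_ap_pool(config_text, pool_name, expected_ac):
    """Return a list of findings for the AP pool; an empty list means it passes."""
    svis, pools = parse(config_text)
    pool = pools.get(pool_name)
    if pool is None:
        return [f"pool {pool_name!r} not found"]
    findings = []
    # Option 138 decides which controller the AP builds its CAPWAP tunnel to.
    opt = pool.get("option138")
    if opt is None:
        findings.append("option 138 missing or invalid: AP cannot learn the AC address")
    elif opt != ipaddress.ip_address(expected_ac):
        findings.append(f"option 138 is {opt}, expected AC address {expected_ac}")
    net = None
    try:
        net = ipaddress.ip_network(pool["network"])  # strict: rejects host bits
    except KeyError:
        findings.append("network statement missing")
    except ValueError as exc:
        findings.append(f"network statement invalid: {exc}")
    gw = pool.get("gateway")
    if gw is None:
        findings.append("default gateway missing or invalid")
    else:
        if net is not None and (gw not in net or gw in (net.network_address,
                                                        net.broadcast_address)):
            findings.append(f"gateway {gw} is not a host address in {net}")
        owners = [i for i in svis.values() if i.ip == gw]
        if not owners:
            findings.append(f"no interface on this device owns gateway {gw}")
        elif net is not None and owners[0].network != net:
            findings.append(f"interface mask {owners[0].network} differs from pool {net}")
    return findings


if __name__ == "__main__":
    for finding in lint_ap_pool(SAMPLE_TRANSCRIPT, "AP_VLAN", "192.168.51.97"):
        print("FINDING:", finding)
```

Running the check with 1.1.1.1 as the expected address against the NAT-case pool reports an option 138 mismatch, which is the intended result there: behind NAT the APs must be handed the mapped public address, not the loopback.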
Configure DHCP for wireless users: FS(config)#ip dhcp pool user_fs -------> Configure the DHCP address pool with the name user_fs FS(config-dhcp)#network 192.168.200.0 255.255.255.0 ------->Address assigned to wireless user FS(config-dhcp)#default-route 192.168.200.254 ------->Gateway assigned to wireless users FS(config-dhcp)#dns-server 218.85.157.99 218.85.152.99 ------->dns assigned to wireless users FS(config-dhcp)#exit Configure static routes: FS(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.1 ------->Configure a static route that specifies the path to the AP exit router. 192.168.10.1 is the router's intranet interface address. Save configuration: FS(config)#exit------>Exit to privileged mode FS#write------>Confirm that the configuration is correct and save it Configure the AP side exit router Configuration points: Configure the route, including the default route. AP and wireless users back to the static route. Configure NAT, so that the AP address segment can be NAT and forwarded to the exit of R2; at the same time, let the wireless user's data can be NAT and forwarded out of the external network normally. d. 
Authentication commands Use wireless client to connect to wireless: FS#sh ac-config client by-ap-name ========= show sta status ========= AP: ap name/radio id Status: Speed/Power Save/Work Mode, E = enable power save, D = disable power save Total Sta Num : 1 STA MACIPV4 AddressAPWLANVLANStatusAsso Auth Net AuthUp time User MAC User-acquired IP User-connected AP Corresponding WLAN Corresponding VLAN Connection status Authentication method Terminal connection time -------------- ----------------------------------- ---------------- ----------- --------- ------------------------------- 6809.27b0.169f 192.168.200.1 649d.99d0.2c2a/1120065.0M/D/bnWPA2_PSK0:00:02:06 Use the following command on the wireless switch to view the configuration of the AP: FS#sh ap-config summary ========= show ap status ========= Radio: E = enabled, D = disabled, N = Not exist Current Sta number Channel: * = Global Power Level = Percent Online AP number: 1 Offline AP number: 0 AP NameIP AddressMac Address Radio 1Radio 2Up/Off timeState AP's name AP's acquired address AP's MAC 2.4G band 5.8G band AP's connection time AP's operating status ---------------------------------------- --------------- -------------- ------------------- ------------------- ----------------- 649d.99d0.2c2a 192.168.100.1 649d.99d0.2c2a E11* 100 E 0 149* 100 0:01:05:50Run 5.2.3.2 Local Forwarding Function 5.2.3.2.1 Function Introduction In a WLAN network, the AC controls and manages the down-linked APs through the CAPWAP protocol. CAPWAP provides a communication tunnel between the AC and the APs, and normally all traffic of wireless users needs to go through the AC before it can be forwarded. This centralized forwarding model has the potential to change the customer's traffic model, and the customer wants wireless user traffic to be forwarded directly through the AP without going through the AC, which is the local forwarding function. 5.2.3.2.2 Local Forwarding Configuration 1. 
Application Scenario

The number of wireless users is large, and the data traffic of wireless users is not forwarded by the AC, so as to reduce the burden on the AC.
Advantages: Reduce the data forwarding burden of wireless AC and AP, reduce data traffic.
Disadvantages: Adds extra configuration; the switch connected to the AP needs to support multi-VLAN forwarding.

2. Configuration Case

a. Network requirements
The wireless user traffic is forwarded to the wired network directly on the AP without going through the AC, and the AC only does control and does not participate in user data forwarding.
Note: If there is a roaming requirement, all APs must be able to communicate with each other. See the wireless signal settings for signal configuration; only the key part of the local forwarding configuration is written here.

b. Network topology
image.png

c. Configuration points
The access switch interface that connects to the AP needs to be configured as trunk, with the AP VLAN as native.
The SSID mode is adjusted to local forwarding.
The ap-group mapping of WLAN id and VLAN id is reconfigured.

d. Configuration steps
Configure the access switch interface that connects to the AP as trunk, with the AP VLAN as native, allowing only the wireless user VLAN and the AP VLAN:

FS(config)#interface gigabitEthernet 0/2
FS(config-GigabitEthernet 0/2)#switchport mode trunk
FS(config-GigabitEthernet 0/2)#switchport trunk native VLAN 20 ----->The VLAN to which the AP belongs must be configured as a native VLAN
FS(config-GigabitEthernet 0/2)#switchport trunk allowed VLAN remove 1-9,11-19,21-4094 ----->Need to put through user VLAN and AP VLAN
FS(config-GigabitEthernet 0/2)#end
FS#write

Adjust the SSID mode to local forwarding:

AC(config)#WLAN-config 1 fs
AC(config-WLAN)#tunnel local ----->Enable local forwarding for WLAN-id 1
AC(config-WLAN)#exit

Check the configuration and save it:

AC(config-ap)#end
AC#write

d. 
Verify the configuration

Log on to the AP:

FS#debug fwd dump-mode WLAN 1 tunnel local

5.2.3.2.3 FAQ

Please refer to FS.com for wireless device index parameters.

1. Introduction of local forwarding function:
In the WLAN network, the AC controls and manages the down-linked APs through the CAPWAP protocol. CAPWAP provides a communication tunnel between the AC and the APs, and usually all the traffic of wireless users needs to go through the AC first before it can be forwarded. This centralized forwarding model may change the customer's traffic model, and the customer wants wireless user traffic to be forwarded directly through the AP without going through the AC, which is the local forwarding function.

2. Are web authentication and 802.1x authentication supported under local forwarding?
Supported.

3. Is roaming supported under local forwarding?
Roaming is supported.

4. Can AP VLAN and user VLAN be the same VLAN in fit mode local forwarding?
Supported. The following configuration is required:

FS(config)# ap-config ap-name
FS(config-ap)# ap-VLAN VLAN-id (VLAN-id is the VLAN of the ap and the wireless user, and must be configured, otherwise the wireless user cannot get the address)

Explanation of ap-VLAN command: In local forwarding, if the VLAN-id configured by this command is the same as the VLAN-id assigned by STA, the real VLAN of STA will be determined by the access switch of AP instead of the VLAN configured by this command or the VLAN assigned by VLAN-group mode. Note that if the ap-VLAN command is not configured, the default is VLAN 1.

Note: For local forwarding deployment, when the wireless user is in VLAN1 and the AP is not in VLAN1, you also need to enter the ap-config and configure ap-VLAN x (x is the VLAN-id of the AP), otherwise the wireless user will get an address from the AP segment and cannot get an address from the required VLAN1.

5. Does AC support edge intelligence awareness (RIPT) under local forwarding?
Supported.

6. 
Can AC see user's IP address under local forwarding?
Yes, the AP will upload the IP obtained by the user to the AC.

7. When wireless users use VLAN1 and the AP uses another VLAN, will wireless users get an AP VLAN address when they connect with local forwarding set?
When wireless users use VLAN1 with local forwarding, you need to set ap-VLAN for the AP on the AC for this to work normally:

FS(config)#ap-VLAN
FS(config)#ap-config 649d.99d0.d506 --- where 649d.99d0.d506 is the name of the ap
FS(config-ap)#ap-VLAN 11 --- where 11 is the VLAN-id of the ap
FS(config-ap)#end
FS#write

8. How to confirm whether it is local forwarding on AP?
Supported for viewing on the AP:

FS#debug fwd dump-mode WLAN 1 tunnel local

Or check the MAC address table of the interface that connects to the AP on the access switch. If it is local forwarding, you will see the MAC address table entries of the wireless users.

9. Local forwarding, can the data associated with the terminal be processed locally in AP?
Yes, the command must be used in RIPT scenario, otherwise it will cause the WLAN configuration to be unavailable. The effect is local authentication forwarding mode, where the AP forwards the received wireless data directly locally, while the STA completes the authentication process at the AP side. Configure in WLAN-config mode:

tunnel local-auth

5.2.3.3 Wall-Plate AP Modifies Front Panel Interface VLAN Configuration

1. Usage Scenario
The wireless users of a WALL-AP such as AP-N515H and the down-linked users of the Ethernet port on the front panel are required to use different network segments or VLANs.

2. Configuration cases
Network requirements: WALL-AP can provide wireless network service normally.

a. Network Topology
image.png

b. Configuration Points
Verify that the AC wireless switch and AP are the same software version number. Use FS>show version on the AC to view the versions of the AC and AP.
Verify that the AP is working in fit mode: use FS>show ap-mode to check. If it shows fat mode, the following command is required to change it:

FS>ap-mode fit ------>Change it to fit mode; the device will reboot automatically after the AP mode switch.

c. Configuration Steps
Interface number, take AP-N515H as an example:
image.png

Refer to the Fit AP Configuration section to complete the wireless base configuration.

Modify the VLAN to which the wall-ap front panel Ethernet interface (LAN 2) belongs on the AC (the same VLAN as LAN 1 by default):

FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#ap-config 649d.99d0.2027 ------>Enter the AP's ap-config, assuming the AP's name is 649d.99d0.2027
FS(config-ap)#wired-VLAN 100 ------>Modify the F0/2 interface VLAN to 100

Add: The VLAN of the wall ap front panel can be saved inside the fit ap, so that the configuration is kept even when the ap is offline.

FS(config-ap)# wired-VLAN100 port 1 auto-save, 11x supported 10x not supported
FS(config-ap)#end
FS#write ------>Confirm that the configuration is correct and save it

Modify the access switch configuration:

FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#VLAN 100 ------>Create a VLAN for wired F0/2 port
FS(config-VLAN)#exit
FS(config)#interface GigabitEthernet 0/2 ------->Interface connected to AP110-W
FS(config-int-GigabitEthernet 0/2)#switchport mode trunk ------->Configured as trunk interface
FS(config-int-GigabitEthernet 0/2)#switchport trunk native VLAN 10 ------->The native VLAN of the trunk interface is configured to be the VLAN to which the AP belongs
FS(config-int-GigabitEthernet 0/2)#end
FS#write

Create VLAN 100 and the gateway address of VLAN 100 in the wired network so that it can transmit the VLAN data.

d. 
Configuration verification

Log in to the AP and you can see the configuration generated under both interfaces of wall-ap:

interface GigabitEthernet 0/1.100
 encapsulation dot1Q 100
!
interface GigabitEthernet 0/2
 encapsulation dot1Q 100

5.2.3.4 Fit AP Pre-configuration Before Going Online

1. Function introduction
Configure the APs that are not online in advance; the configured information is applied automatically when the APs come online.

2. Application scenario
Configure the AP before it comes online, and have the configured commands applied automatically after the AP comes online.

3. Configuration cases

a. Network Topology
image.png

b. Configuration Points
Register the device MAC address of the AP that is not yet online (on the sticker on the back of the device, not the physical interface MAC address).
Pre-configure the AP on the AC. After the AP is online, the AC will issue the configuration based on the AP's MAC address.

c. Configuration Steps
Record the MAC address of each AP to be brought online (it is on the sticker on the back of the device).

2. 
Refer to "Fit AP Configuration" chapter for wireless basic configuration.

Configure the AP on AC, take the mac address of 649d.99d0.18e3 as an example:

FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#ap-config AP-01 ------>Name the AP as AP-01
FS(config-ap)#ap-mac 649d.99d0.18e3 ------>Bind the AP's mac address (device sticker mac) and specify that this ap-config is the configuration for the AP with device mac 649d.99d0.18e3
FS(config-ap)#channel 1 radio 1
FS(config-ap)#channel 149 radio 2
FS(config-ap)#ap-group fs ------>Call the ap-group named fs, default is default
FS(config-ap)#acip ipv4 1.1.1.1 ------>Optional configuration: specify the address to establish the tunnel
FS(config-ap)#ip add 12.12.12.3 255.255.255.0 12.12.12.1 ------>Optional configuration: Specify the address, mask, and gateway address of the AP
FS(config-ap)#end
FS#write ------>Save the configuration

Configure the AC and other devices so that the AP can automatically obtain an IP address to come online.

Note: The AP first comes online using an automatically obtained IP address. It then modifies its address and other information automatically according to the configuration on the AC.

Log of the go-live process:

*Sep 9 19:42:10: %DHCPD-6-ADDRESS_ASSIGN: Interface VLAN 1 assigned DHCP address 12.12.12.2, mask 255.255.255.0, Mac 649d.99d0.18e3
*Sep 9 19:42:24: %APMG-6-RX_CTRL_UP_MSG: AP(AP-01:649d.99d0.18e3) attach to AC. ------>Obtain IP address automatically and establish tunnel
*Sep 9 19:42:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface CAPWAP-Tunnel 1, changed state to up
*Sep 9 19:42:26: %CAPWAP-3-DOWN: The tunnel is down for DTLS peer 12.12.12.2 : 10000 disconnect. ------>The AC pushes the configuration that changes the address, and the previous tunnel is disconnected
*Sep 9 19:42:26: %CAPWAP-7-TUNNEL: Tunnel deleted : source ip is 1.1.1.1 , dest ip is 12.12.12.2.
*Sep 9 19:42:27: %DHCPD-6-ADDRESS_RELEASE: DHCP released lease 12.12.12.2, mask 255.255.255.0, Mac 649d.99d0.18e3
*Sep 9 19:42:27: %APMG-6-RX_CTRL_MSG: AP(AP-01:649d.99d0.18e3) leave AC.
*Sep 9 19:42:36: %APMG-6-RX_CTRL_UP_MSG: AP(AP-01:649d.99d0.18e3) attach to AC. ------>Create a tunnel using a pre-configured address
*Sep 9 19:42:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface CAPWAP-Tunnel 1, changed state to up ------>Successful tunnel creation

d. Configuration verification

Check AP information:

FS#show ap-config summary
========= show ap status =========
Radio: E = enabled, D = disabled, N = Not exist
       Current Sta number
       Channel: * = Global
       Power Level = Percent
Online AP number: 1
Offline AP number: 0
AP Name  IP Address  Mac Address     Radio 1    Radio 2      Up/Off time  State
-------  ----------  --------------  ---------  -----------  -----------  -----
AP-01    12.12.12.3  649d.99d0.18e3  E 0 1 100  E 0 149 100  0:00:00:43   Run

Check the AP configuration:

FS#show ap-config running AP-01
!
ap-config AP-01
 no 11acsupport enable radio 1
 11acsupport enable radio 2
 802.11n mcs support 23 radio 1
 802.11n mcs support 23 radio 2
 802.11ac mcs support 29 radio 1
 802.11ac mcs support 29 radio 2
 antenna receive 7 radio 1
 antenna receive 7 radio 2
 antenna transmit 7 radio 1
 antenna transmit 7 radio 2
 acip ipv4 1.1.1.1
 channel 1 radio 1
 channel 149 radio 2
 ip address 12.12.12.3 255.255.255.0 12.12.12.1
 ap-group fs
!

5.2.3.5 Fit AP Access Management Configuration-AP Online Verification

5.2.3.5.1 Introduction to MAC Address Verification Access Control Function

In a wireless network, the MAC address of the AP is bound on the AC, and the AC checks the MAC address of the AP when the AP comes online. If the AP's MAC address is not bound on the AC, the AP will not be able to go online normally.

1. Applicable Scenario Description
Only APs whose MAC addresses are bound on the AC are allowed to establish a tunnel with the AC.
Advantages: increase wireless security and control the number of AP accesses.
Disadvantage: additional configuration is required.

2. Network requirements
AP access authentication control through AP-based MAC authentication.

3. Network topology
image.png

4. Configuration points
a. Register the device MAC address of the AP that is not yet online (on the sticker on the back of the device, not the physical interface MAC address).
b. Configure that only APs with bound MAC addresses can associate with the AC.

5. Configuration steps

a. Configure the basic configuration of the AC, AP and switch so that the capwap tunnel between the AP and AC can be established properly, see "Fit AP Configuration" for the configuration.

b. Record the device MAC address of the APs that are allowed to establish capwap tunnels (on the sticker on the back of the device, not the physical interface MAC address).
When recording the device MAC addresses of APs, you can first bring all APs online, view the addresses with show version, and then bring all APs offline (e.g. no interface loopback 0). Example:

FS#show version
AP(649d.99d0.18e3)'s version:
Product ID: AP-W6D2400C
System uptime : 7:20:14:35
Hardware version : 1.00
Software version : AP_FSOS 11.9(6)W1S7, Release(09221414)
Serial number : G1PHAAH001884
MAC address: 649d.99d0.18e3 ------>Device MAC Address

FS#show version all | in address ------>Show only mac address
MAC address: 649d.99d0.18e3

c. Enable AP device compliance check

FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#ac-controller
FS(config-ac)#bind-ap-mac ------>Enable ap mac bind detection
Bind AP MAC function is on. ------>Prompt after successfully enabling
FS(config)#ap-config AP-01 ------>The name of ap-config, AP-01, can be set according to your needs, Chinese is not recommended
You are going to config AP(AP-01), which is not online now. ------>Normal prompt
FS(config-ap)#ap-mac 649d.99d0.18e3 ------>Bind the MAC address of the AP. The command only takes effect for an offline AP and cannot be configured for an online AP. Once the AP is online, the ap-mac command (AP layer 2 MAC) is generated automatically.
FS(config-ap)#end
FS#write ------>Save configuration

Note: If the AP is online, this configuration reports an error.

FS(config)#ap-config 649d.99d0.187a
FS(config-ap)#ap-mac 649d.99d0.187a
This cli only support offline ap. ------>Error: the command only supports offline APs. In this case, take the AP offline so that capwap disconnects, and then set it.

d. Connect the AP and let it obtain an address and come online automatically.

6. Configuration verification

Show capwap status on AC. Only APs with bound MAC addresses can establish the tunnel; APs without bound MAC addresses cannot:

FS#show capwap status
CAPWAP tunnel state, 1 peers, 1 is run:
Index  Peer IP       Port   State  Mac Address
1      192.168.10.1  10000  Run    649d.99d0.18e3

5.2.3.5.2 Password Authentication Configuration

Function Introduction
Wireless fit AP access management password verification configuration function introduction

In a wireless network, AP access is filtered by setting password authentication for the AP, which controls which wireless APs can establish a tunnel with the AC.

1. Applicable Scenario Description
Only specified APs should be able to establish a tunnel with the AC.
Advantages: increase the security of wireless, you can control the number of AP access.
Disadvantages: need to add additional configuration.

2. Network requirements
AP access authentication control through AP-based password authentication.

3. Network topology
image.png

4. Configuration points
a. AP and AC establish tunnel normally.
b. Enable password check.
Note: The command only takes effect for online APs.

5. Configuration steps

a. 
Configure the basic configuration of AC, AP and switch, so that the capwap tunnel between AP and AC can be established normally, see "Thin AP Configuration".

b. Ensure that the AP has already established a tunnel with the AC, and then configure the password on the AC for the AP devices that are already online.

FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#ap-config AP-01 ------>The name of ap-config AP-01 can be set according to your needs
You are going to config AP(AP-01), which is on line now. ------>Normal prompt, means AP is online
FS(config-ap)#ap-auth password 123456 ------>Configure ap's access password to 123456
FS(config-ap)#exit

c. Enable the AP device password check:

FS(config)#ac-controller
FS(config-ac)#ap-auth password enable ------>Enable AP device password checking
FS(config-ac)#end
FS#write ------>Save the configuration

6. Configuration verification:

a. Show capwap status on AC. Only APs configured with password authentication can establish a tunnel; APs not configured with password authentication cannot.

CAPWAP tunnel state, 1 peers, 1 is run:
Index  Peer IP       Port   State  Mac Address
1      192.168.10.2  10000  Run    649d.99d3.2725

b. A newly connected AP cannot establish the tunnel. Even if it has been pre-configured offline on the AC with an ap-auth password, it still cannot establish the tunnel: the AC configuration has not been issued to the AP, so the AP cannot pass password authentication. The following log will keep popping up on the AC:

*Sep 17 16:25:07: %CAPWAP-3-DOWN: The tunnel is down for DTLS peer 192.168.10.3 : 10000 disconnect.
*Sep 17 16:25:07: %CAPWAP-7-TUNNEL: Tunnel deleted : source ip is 1.1.1.1 , dest ip is 192.168.10.3.
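The rejection log above repeats for every AP that fails the access check, while the go-live log in 5.2.3.4 shows that an accepted AP also logs one %CAPWAP-3-DOWN when the AC pushes its pre-configured address. The following Python script is an added example, not part of the FS guide or FS software: it separates the two cases in the AC log. It assumes the AC is the DHCP server for the APs, as in the go-live log; the function names, the threshold and window, and the repeated 16:25:37 and 16:26:07 lines are constructed for illustration.

```python
"""Flag CAPWAP peers that keep failing to join the AC (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "*Sep 9 19:42:10: %FACILITY-SEV-MNEMONIC: message", the format shown in the guide.
LINE_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}): "
    r"%(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ASSIGN_RE = re.compile(rf"assigned DHCP address {IP}, mask \S+ Mac {MAC}")
RELEASE_RE = re.compile(rf"released lease {IP},")
ATTACH_RE = re.compile(rf"AP\([^:()]+:{MAC}\) attach to AC")
DOWN_RE = re.compile(rf"tunnel is down for DTLS peer {IP}")


def parse_line(line, year=2000):
    """Return (timestamp, tag, message), or None for lines in another format."""
    line = line.split("------>")[0].strip()  # drop the guide's inline annotations
    m = LINE_RE.match(line)
    if not m:
        return None
    # The log carries no year; a fixed one is enough to order and compare events.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["tag"], m["msg"]


def rejected_peers(lines, threshold=3, window=timedelta(minutes=5)):
    """Peers with >= threshold tunnel-down events inside `window` whose MAC
    (learned from the DHCP lease) never attached to the AC beforehand."""
    ip_to_mac, attached = {}, set()
    downs, mac_at_down = defaultdict(list), {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, tag, msg = event
        if tag == "DHCPD-6-ADDRESS_ASSIGN" and (m := ASSIGN_RE.search(msg)):
            ip_to_mac[m[1]] = m[2]
        elif tag == "DHCPD-6-ADDRESS_RELEASE" and (m := RELEASE_RE.search(msg)):
            ip_to_mac.pop(m[1], None)
        elif tag == "APMG-6-RX_CTRL_UP_MSG" and (m := ATTACH_RE.search(msg)):
            attached.add(m[1])
        elif tag == "CAPWAP-3-DOWN" and (m := DOWN_RE.search(msg)):
            mac = ip_to_mac.get(m[1])
            if mac not in attached:  # an unknown MAC (None) counts as never attached
                downs[m[1]].append(ts)
                mac_at_down[m[1]] = mac
    report = {}
    for ip, stamps in downs.items():
        stamps.sort()
        start = best = 0
        for end in range(len(stamps)):  # sliding window over the failure times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            report[ip] = {"failures": len(stamps), "first": stamps[0],
                          "last": stamps[-1], "mac": mac_at_down[ip]}
    return report


# Lines dated Sep 9 and the two 16:25:07 lines are taken from the guide;
# the 16:25:37 and 16:26:07 repeats are constructed for this example.
SAMPLE_LOG = """\
*Sep 9 19:42:10: %DHCPD-6-ADDRESS_ASSIGN: Interface VLAN 1 assigned DHCP address 12.12.12.2, mask 255.255.255.0, Mac 649d.99d0.18e3
*Sep 9 19:42:24: %APMG-6-RX_CTRL_UP_MSG: AP(AP-01:649d.99d0.18e3) attach to AC.
*Sep 9 19:42:26: %CAPWAP-3-DOWN: The tunnel is down for DTLS peer 12.12.12.2 : 10000 disconnect.
*Sep 9 19:42:27: %DHCPD-6-ADDRESS_RELEASE: DHCP released lease 12.12.12.2, mask 255.255.255.0, Mac 649d.99d0.18e3
*Sep 9 19:42:36: %APMG-6-RX_CTRL_UP_MSG: AP(AP-01:649d.99d0.18e3) attach to AC.
*Sep 17 16:25:07: %CAPWAP-3-DOWN: The tunnel is down for DTLS peer 192.168.10.3 : 10000 disconnect.
*Sep 17 16:25:07: %CAPWAP-7-TUNNEL: Tunnel deleted : source ip is 1.1.1.1 , dest ip is 192.168.10.3.
*Sep 17 16:25:37: %CAPWAP-3-DOWN: The tunnel is down for DTLS peer 192.168.10.3 : 10000 disconnect.
*Sep 17 16:26:07: %CAPWAP-3-DOWN: The tunnel is down for DTLS peer 192.168.10.3 : 10000 disconnect.
"""

if __name__ == "__main__":
    for ip, info in rejected_peers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} rejected tunnel attempts, "
              f"{info['first']:%b %d %H:%M:%S} to {info['last']:%b %d %H:%M:%S}, "
              f"MAC {info['mac'] or 'unknown'}")
```

An AP with a static address has no DHCP lease in the log, so its own disconnects are counted too; the threshold and window keep a single such event from being reported.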
5.2.3.5.3 Serial Number Verification Configuration

Function Introduction
Wireless fit AP access management serial number verification configuration function introduction

In wireless networks, AP access can be filtered by AP-based serial number authentication, which controls which wireless APs can establish tunnels with the AC.

1. Applicable Scenario Description
Only specified APs should be able to establish a tunnel with the AC.
Advantages: increase the security of wireless, you can control the number of AP access.
Disadvantages: need to add additional configuration.

2. Network requirements
AP access authentication control through AP-based serial number authentication.

3. Network topology
image.png

4. Configuration points
Record the device serial number of the AP.
Note: This only takes effect for online APs.

5. Configuration steps

a. Configure the basic configuration of AC, AP and switch so that the capwap tunnel between AP and AC can be established normally, see "Thin AP Configuration" for the configuration.

b. Record the device serial numbers of the APs that are allowed to establish capwap tunnels (on the sticker on the back of the device).
When recording the device serial number of the AP, you can see the device serial number of all APs by show version. Example:

FS#show version
AP(649d.99d0.18e3)'s version:
Product ID: AP-W6D2400C
System uptime : 7:20:14:35
Hardware version : 1.00
Software version : AP_FSOS 11.9(6)W1S7, Release(09221414)
Serial number : G1PHAAH001884
MAC address: 649d.99d0.18e3 ------>Device MAC Address

c. Configure the AP device serial number

FS>enable ------>Enter privileged mode
FS#configure terminal ------>Enter global configuration mode
FS(config)#ap-config 649d.99d0.18e3 ------>The name of ap-config 649d.99d0.18e3, the default is the mac address of the device. You can set it according to your needs
You are going to config AP(649d.99d0.18e3), which is online now. ------>Normal prompt, indicating that the AP is normally online
FS(config-ap)#ap-auth serial 9059FM6070520 ------>Configure the serial number of the AP
FS(config-ap)#exit

d. Enable the AP device serial number verification function

FS(config)#ac-controller
FS(config-ac)#ap-auth serial enable ------>Enables AP device serial number checking
FS(config-ac)#end
FS#write ------>Save the configuration

6. Configuration Verification

Show capwap status on AC. Only APs with bound serial numbers can establish tunnels; APs without bound serial numbers cannot.

FS#show capwap status
CAPWAP tunnel state, 1 peers, 1 is run:
Index  Peer IP       Port   State  Mac Address
1      192.168.10.1  10000  Run    649d.99d0.18e3

5.2.4 FAQ

1. How do I check if an AP is online?
show ap-config summary ------ Check if the AP is in Run status
image.png

2. How to check the model and version of AP/AC?
Show version //AC model and version
Show version //AP model and version
image.png
image.png

3. How to view AC license?
Show ac-config
image.png

4. How to check the information of connected terminals?
image.png

5. To check the previous connection history of the terminal:
show WLAN diag sta sta-mac + the mac address of the terminal.
image.png

6. How to change WiFi name and password?
a. Click on Config==WLAN to add a wireless network, find the WiFi name that needs to be changed in the list, and click Edit.
image.png
b. Edit the WiFi name and password you need to change, click Next.
image.png
c. On the configuration page that opens, click to complete the configuration directly.
image.png

5.3 Fat AP Deployment

5.3.1 Fat AP Deployment - Web Configuration Method

5.3.1.1 AP Device Login

Depending on the power supply method chosen for the AP, the computer is connected to the AP in different ways, as follows:

Step 1: the computer and the device connection method

1. The connection between the computer and a ceiling AP or wall-plate AP falls into the following three cases:

a. DC adapter power supply
image.png

b. 
POE module power supply (FS POE module): image.png c. POE switch power supply: image.png Note: Create an unused VLAN in the POE switch, above VLAN 2, and then configure the ports connecting the computer and AP as access ports and assign them to the VLAN. Step 2: Device login via WEB interface 1. Computer ip address setting (Set to the same network segment as the AP default address): Configure the ip address of the computer's local network card to the same network segment as the AC, for example: 192.168.1.2 Mask: 255.255.255.0 Gateway, DNS do not need to be configured. 2. Login to the AP's web interface: a. Enter 192.168.1.1 in the browser (Google or IE browser is recommended). Note: If 192.168.1.1 can not login, you can try to set the computer ip address to 192.168.1.2, enter 192.168.1.1 b. Enter the user name and password are admin, click login. image.png Note: If the above connection, the computer is directly connected to the LAN2 port of the non-panel AP, or the computer is directly connected to the interface of the front panel of the panel AP, with 192.168.1.1 login AP modify the mode of the AP to fat mode, the lan 2 port of the non-panel AP and the front panel port interface of the panel AP ip address changed to 192.168.2.1, you need to change the IP address of the computer to 192.168.2.2, login to the device through 192.168.2.1. 5.3.1.2 Access Mode Deployment Scenario Introduction Access to the AP's Internet cable, if access to the computer, the computer can automatically obtain an IP address to access the Internet. Topology: image.png Or image.png Description: AP broadcast signal, wireless terminal access to obtain the IP from the AP's uplink device (router or switch) to obtain. Device Login (refer to Fat AP==> Device Login section) Device configuration 1. Login to the device web interface as shown below, the default management IP of the device: 192.168.1.1, the default user name password: admin. image.png 2. 
Enter the configuration interface as follows: the default AP is Fit mode, you need to switch to fat mode. image.png After clicking to switch the fat mode, the device will prompt to reboot and log back into the device after the reboot, as shown below: image.png 3. reboot the device and re-login with 192.168.1.1, as follows: automatic pop-up configuration wizard (If not automatically pop-up, you can click the wizard in the upper right corner of the web page). image.png Instructions: Click AP only supports access mode. Management VLAN default is 1, no need to change this side. Networking type, select the use of static IP (independent IP), you can also choose to use DHCP, but in order to ensure better access to the device for maintenance, it is not recommended to use DHCP method. Management IP address, it is recommended to configure the IP address of the same network segment issued by the uplink device, so as to facilitate the subsequent direct access to the AP for maintenance (Multiple APs must be configured as different IPs when accessing the router at the same time, to prevent IP conflicts). Management IP mask, it is recommended to configure the IP subnet mask of the same network segment issued by the uplink device. Default gateway, you can choose not to configure. 4. Click Next, as follows: Configure WiFi name and WiFi password, click Finish after configuration. image.png Notes: Wi-Fi name is not recommended to be configured as Chinese name, if configured as Chinese name, it may cause the WiFi name to be garbled or the signal cannot be searched due to the terminal encoding format. Wi-Fi password should be >= 8 bits. 5. the Internet network cable into the AP (AP using different power supply, its access to the network situation) a. AP using POE module power supply: POE module data in port access to the network cable capable of Internet access. b. 
AP using switch power supply: the switch is connected to the network cable capable of accessing the Internet, and the AP is interconnected with the switch. c. AP powered by power adapter: the LAN/PoE port of the AP is connected to the network cable capable of accessing the Internet. Configuration verification: 1. The terminal can connect to the wireless and get the address. 2. It can ping through the dns and can access the Internet. Common problems 1. The AP has signal broadcast, but the terminal cannot access the signal. Checking ideas: Suspected that the terminal does not obtain an IP address caused by the computer wireless network card can be recommended to manually configure the IP to test whether access to wireless, if you can, it is determined that the terminal can not obtain the IP address. In this way, the following troubleshooting is recommended: a. Check whether the Internet cable is correctly connected to the network cable in accordance with step 5 of the device configuration b. The Internet cable to determine whether the computer can automatically or address the Internet when directly connected to the computer c. If the above is correct, it is recommended to restore the device to the factory and reconfigure it in the way provided above. If the terminal manually configured IP address can not access the wireless signal, it is recommended to restore the device to the factory to reconfigure in accordance with the above provided. If the fault still exists after the above steps, it is recommended to call in +1 (888) 468 7419 for assistance. 2. The terminal can access the signal, but cannot access the external network. Checking ideas: First, confirm whether the computer wireless network card obtains the address after the terminal is connected, and if it does not obtain the address, follow the troubleshooting ideas of the terminal cannot access the signal in FAQ 1) to deal with it. 
If the address can be obtained, it is recommended that the computer ping test to obtain the IP address of the gateway IP can be pinged through. a. If you can not ping through, we recommend calling +1 (888) 468 7419 for assistance in troubleshooting. b. If you can ping through, it is recommended to identify the device configured by the gateway IP and seek the assistance of the technical staff of the corresponding manufacturer of the device. 5.3.1.3 Routing Mode Deployment Scenario Introduction 1. When the external cable is connected to the AP, the computer needs to manually configure the IP address, subnet mask, gateway and DNS in order to access the Internet. 2. When you connect to the external network cable of the AP, if you connect to the computer, the computer needs to do PPPOE dial-up to access the Internet. Topology: image.png Description: The AP broadcasts the wireless signal, and the terminal gets the IP address from the AP to access the Internet after accessing the wireless. Device login (refer to Fat AP==> Device login section). Device Configuration 1. Login to the device web interface as shown below, the default management IP of the device: 192.168.1.1, the default user name password: admin. image.png 2. Enter the configuration interface as follows: the default AP is Fit mode, you need to switch to fat mode. image.png After clicking to switch the fat mode, the device will prompt to reboot and log back into the device after the reboot, as shown below: image.png 3. Reboot the device and reuse 192.168.1.1 login, the following figure: automatic pop-up Config Wizard (If not automatically pop-up, you can click the upper right corner of the web page Config Wizard). Instructions: a. Select the wireless routing mode. b. WAN port: the default use of Gi0/1, do not recommend changing. c. 
Networking type, currently divided into three types, using static IP (independent IP), using PPPOE dial-up (ADLS line), using DHCP (dynamic IP), configuration as follows: image.png Networking type: Use static IP (independent IP), as follows: image.png Networking type: use pppoe dial-up (ADSL link), as follows: image.png Use DHCP (Dynamic IP), as follows: image.png d. To open the NAT function, the function is ticked by default, and must not remove the tick. 4. Click Next to configure the following image, configure the WiFi name password and the address pool of the IP address that the user accesses wirelessly and click Finish. image.png If after clicking next to configure only the wifi name, password of the device, there is no user dhcp address pool, the following figure: image.png Completing the configuration directly after configuring the WiFi name and password at this point will result in the user not being able to obtain an IP address after accessing. If this page appears, please click Close in the upper right corner and configure as follows: Click the button on the left of the menu ----Network ----dhcp configuration; turn on the dhcp address pool function and add the operation of dhcp. a. Turn on the dhcp function. image.png b. Set the user's dhcp address pool. image.png Click the button on the left of the menu ----Network ----VLAN configuration, the default gateway address of the dhcp address pool in the previous step to fill in the VLAN 1. image.png Re-click the wizard on the top right of the page and follow the steps to click Next, then the dhcp address pool will appear inside the wizard—WiFi configuration, and then click Finish to configure it. image.png Connect the network cable to the AP (AP uses different power supply modes, and its access to the network). AP using PoE module power supply: PoE module data in port access to the network cable. 
AP using switch power supply: the switch is connected to the network cable, and the AP is interconnected with the switch. AP powered by power adapter: the LAN/PoE port of the AP is connected to the network cable. Configuration verification: The terminal can connect to the wireless and get the address. It can ping through the dns and can access the Internet. Common problems 1. The AP has signal broadcast, but the terminal can not access the signal. Troubleshooting ideas: Suspect that the terminal does not obtain an IP address caused by the computer wireless network card can be recommended to manually configure the IP after testing whether access to wireless, if you can, it is determined that the terminal can not obtain the IP address caused. In this way, the following troubleshooting is recommended: a. Check whether the Internet cable is correctly connected to the network cable in accordance with step 6 of the device configuration b. The Internet cable to determine whether the computer can automatically or address the Internet when directly connected to the computer c. If the above is correct, it is recommended to restore the device to the factory and reconfigure it in the way provided above If the terminal manually configured IP address can not access the wireless signal, it is recommended to restore the device to the factory to reconfigure in accordance with the above provided. If the fault still exists after the above steps, it is recommended to call in +1 (888) 468 7419 for assistance. 2. After the AP is configured and connected to the network, the wireless can be used normally, but cannot log into the AP. Troubleshooting ideas: a. It is necessary to confirm whether the network type selected when the AP is configured in Wireless Router mode is DHCP (dynamic IP acquisition) or PPPoE (dial-up). 
If so, it is recommended to connect a computer to the wireless network and check the default gateway IP address in the assigned IP information, then log in using that default gateway IP.
b. If the networking type selected in the wireless mode configuration is a static IP address, manually configure the computer with an IP address in that network segment and then try to log in.
c. If none of the above methods allow you to log into the AP, prepare the FS configuration cable and then call the +1 (888) 468 7419 service hotline to have a wireless engineer assist in troubleshooting.
3. The terminal cannot access the external network after connecting to the wireless network.
Troubleshooting ideas:
First, verify whether the wireless network adapter on the computer obtains an IP address after the terminal connects. If no address is obtained, follow the troubleshooting steps outlined in "Common Issues - Terminal Unable to Connect to Signal (Step 1)" for further handling. If an address is obtained, ping the gateway IP address from the computer to check whether it responds.
a. If the ping fails, log into the AP and check whether the corresponding gateway IP and the subnet mask are configured correctly.
b. If the ping succeeds, log into the AP to see whether the AP's Gi0/1 port is up properly, and check whether the Internet cable connected to the AP provides normal external network communication.
If the fault still exists after the above steps, it is recommended to call +1 (888) 468 7419 for assistance in a timely manner.

5.3.1.4 AP broadcasts 2.4G and 5.8G WiFi signals respectively
Scenario requirements:
One AP, which requires the 2.4G network to broadcast the FS_2.4 signal and the 5.8G network to broadcast the FS_5.8 signal.
Equipment configuration:
1.
Refer to the fat AP configuration (access mode deployment or wireless router mode deployment) and first configure the signal to be broadcast, FS_2.4.
2. Configure the signal to be broadcast only by the 2.4G network, as follows:
image.png
3. Create a new signal FS_5.8 and configure it to be broadcast only by the 5.8G network, as shown below:
a. Click the + sign to create a new WiFi signal FS_5.8
image.png
b. Configure the new WiFi signal and associate it with the 5.8G network
image.png
4. Click Finish to complete the configuration. Once it is complete, a phone scanning for networks sees FS_2.4 broadcast on the AP's 2.4G network and FS_5.8 on its 5.8G network.

5.3.1.5 AP broadcasts two different WiFi signals
Scenario requirements:
An AP needs to broadcast two different signals at the same time, FS1 and FS2 respectively.
Device configuration:
1. Refer to the fat AP configuration (access mode deployment or wireless router mode deployment) and first configure a signal that needs to be broadcast, FS_wifi.
2. Click the left menu and select Wireless, add wireless network, click the plus sign, as follows:
image.png
3. Configure the name and password of the new WiFi, as follows:
image.png
4. Click Save Configuration to complete the configuration.

5.3.2 Fat AP Configuration - Command Line Method
5.3.2.1 Fat AP Single Wireless Signal Configuration
1. Application Scenario Description
The number of APs in the wireless network is small, and managing and configuring them does not take much time and effort. In this case the fat AP works like a Layer-2 switch, converting between wired and wireless data, without routing and NAT functions.
Advantages: No need to change the existing wired network structure, and the configuration is simple.
Disadvantage: The APs cannot be managed and configured uniformly.
2. Configuration Cases
There is no manageable switch in the access layer of the network, and an AP is added to the wired network to achieve wireless coverage.
a.
Network topology
image.png
b. Configuration points
Connect the network topology and make sure the AP powers on and starts normally.
Connect the network cable intended for the AP to a computer first and confirm that the computer can use the network and pass a ping test.
After completing the basic AP configuration, verify that a wireless client can find the wireless SSID in a normal scan.
Configure the IP address of the wireless client as a static IP and verify network connectivity.
Other optional AP configurations (DHCP service, wireless authentication and encryption methods).
Note: When logging in to configure the AP for the first time, you need to switch the AP to fat mode. Switch command: FS>ap-mode fat.
c. Configuration steps
It is recommended to configure the AP via WEB, especially WALL-AP. Please refer to Fat AP Configuration--Web Configuration Method.

AP only supports access mode:
Step 1: Configure the wireless user VLAN and DHCP server (assigns addresses to connected PCs; if there is already a DHCP server in the network, this configuration can be skipped).
FS>enable
FS#configure terminal
FS(config)#VLAN 1 ------>Create a wireless user VLAN
FS(config-VLAN)#exit
FS(config)#service dhcp ------>Enable DHCP service
FS(config)#ip dhcp excluded-address 172.16.1.253 172.16.1.254 ------>Exclude this address range from DHCP allocation
FS(config)#ip dhcp pool test ------>Configure the DHCP address pool with the name "test"
FS(dhcp-config)#network 172.16.1.0 255.255.255.0 ------>Issue the 172.16.1.0 address segment
FS(dhcp-config)#dns-server 218.85.157.99 ------>Issue the DNS address
FS(dhcp-config)#default-router 172.16.1.254 ------>Issue the gateway
FS(dhcp-config)#exit
Note: If the DHCP server runs on the uplink device, configure the wireless broadcast forwarding function globally; otherwise DHCP acquisition will be unstable.
FS(config)#data-plane wireless-broadcast enable

Step 2: Configure the Ethernet interface of the AP to allow data transmission for wireless users.
FS(config)#interface GigabitEthernet 0/1
FS(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 1 ------>Specify the AP wired port VLAN
Note: The corresponding VLAN must be encapsulated, otherwise communication will not be possible.
FS(config-if-GigabitEthernet 0/1)#exit

Step 3: Create a WLAN with a specific SSID and bind it to a designated wireless subinterface to enable wireless signal transmission.
FS(config)#dot11 WLAN 1
FS(dot11-WLAN-config)#SSID AP ------>The SSID name is AP
FS(dot11-WLAN-config)#exit
FS(config)#interface Dot11radio 1/0.1
FS(config-if-Dot11radio 1/0.1)#encapsulation dot1Q 1 ------>Specify AP RF sub-interface VLAN
FS(config-if-Dot11radio 1/0.1)#WLAN-id 1 ------>Enable WLAN in AP RF sub-interface
FS(config-if-Dot11radio 1/0.1)#exit
FS(config)#interface Dot11radio 2/0.1
FS(config-if-Dot11radio 2/0.1)#encapsulation dot1Q 1 ------>Specify AP RF sub-interface VLAN
FS(config-if-Dot11radio 2/0.1)#WLAN-id 1 ------>Enable WLAN in AP RF sub-interface
FS(config-if-Dot11radio 2/0.1)#exit

Step 4: Configure the interface VLAN address and static route.
FS(config)#interface BVI 1 ------>Configure management address interface
FS(config-if-BVI 1)#ip address 172.16.1.253 255.255.255.0 ------>This address can only be used for management and can not be used as a wireless user gateway address
FS(config-if-BVI 1)#exit
FS(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.254
FS(config)#end
FS#write ------>Confirm that the configuration is correct and save it.

AP supports routing mode:
Step 1: Configure the wireless user VLAN and DHCP server (assigns addresses to connected PCs; in NAT mode, the wireless users' gateway and DHCP are both provided by the AP).
FS>enable
FS#configure terminal
FS(config)#VLAN 1 ------>Create a wireless user VLAN
FS(config-VLAN)#exit
FS(config)#service dhcp ------>Enable DHCP service
FS(config)#ip dhcp excluded-address 172.16.1.253 172.16.1.254 ------>Exclude this address range from DHCP allocation
FS(config)#ip dhcp pool test ------>Configure the DHCP address pool with the name "test"
FS(dhcp-config)#network 172.16.1.0 255.255.255.0 ------>Issue the 172.16.1.0 address segment
FS(dhcp-config)#dns-server 8.8.8.8 ------>Issue the DNS address
FS(dhcp-config)#default-router 172.16.1.254 ------>Issue the gateway
FS(dhcp-config)#exit

Step 2: Create a WLAN with a specific SSID and bind it to a designated wireless subinterface to enable wireless signal transmission.
FS(config)#dot11 WLAN 1
FS(dot11-WLAN-config)#SSID AP ------>The SSID name is AP
FS(dot11-WLAN-config)#exit
FS(config)#interface Dot11radio 1/0.1
FS(config-if-Dot11radio 1/0.1)#encapsulation dot1Q 1 ------>Specify AP RF sub-interface VLAN
FS(config-if-Dot11radio 1/0.1)#WLAN-id 1 ------>Enable WLAN in AP RF sub-interface
FS(config-if-Dot11radio 1/0.1)#exit
FS(config)#interface Dot11radio 2/0.1
FS(config-if-Dot11radio 2/0.1)#encapsulation dot1Q 1 ------>Specify AP RF sub-interface VLAN
FS(config-if-Dot11radio 2/0.1)#WLAN-id 1 ------>Enable WLAN in AP RF sub-interface
FS(config-if-Dot11radio 2/0.1)#exit

Step 3: Configure an ACL that permits intranet users for NAT translation.
FS(config)#access-list 1 permit any

Step 4: Configure the Ethernet interface of the AP, and specify the g0/1 port as the uplink port. Configure the public network address on the interface and set it to the outside direction.
FS(config)#interface GigabitEthernet 0/1
FS(config-if-GigabitEthernet 0/1)#ip address 100.168.12.200 255.255.255.0
FS(config-if-GigabitEthernet 0/1)#ip nat outside
FS(config-if-GigabitEthernet 0/1)#exit

Step 5: Configure the BVI 1 address as the gateway for intranet users and set it to the inside direction.
FS(config)#interface BVI 1
FS(config-if-BVI 1)#ip address 172.16.1.254 255.255.255.0 ------>Must match the default-router issued by the DHCP pool in Step 1
FS(config-if-BVI 1)#ip nat inside
FS(config-if-BVI 1)#exit

Step 6: Configure the NAT translation list.
FS(config)#ip nat inside source list 1 interface GigabitEthernet 0/1 overload

Step 7: Configure the default route to point to the egress gateway.
FS(config)#ip route 0.0.0.0 0.0.0.0 100.168.12.1
FS(config)#end
FS#write ------>Confirm that the configuration is correct and save it.

d. Configuration verification
Use show run to view the configuration information.
Users can obtain an IP address wirelessly and access the Internet normally.

5.3.2.2 Fat AP Multiple Wireless Signal Configuration
1. Applicable Scenario Description
The number of APs in the wireless network is small, and managing and configuring them does not take much time and effort. In this case the fat AP works like a Layer 2 switch, converting between wired and wireless data, without routing and NAT functions.
Advantages: No need to change the existing wired network structure, and the configuration is simple.
Disadvantage: The APs cannot be managed and configured uniformly.
2. Configuration Cases
a. Networking requirements
On the basis of the wired network, add a wireless AP to achieve network coverage. The wireless AP broadcasts 2 SSIDs, corresponding to two VLANs.
The AP is connected to a manageable access device (the interface is configured as trunk). The switch has been divided into VLAN1, VLAN10, and VLAN20.
The AP acts as a transparent device to achieve wireless coverage. Users can access VLAN1, VLAN10, and VLAN20 wirelessly through different SSIDs to obtain IP addresses and access the Internet.
The VLAN10 segment is: 172.16.10.0; the VLAN20 segment is: 172.16.20.0.
b. Network topology
image.png
c. Configuration points
Connect the network topology and make sure the AP powers on and starts normally.
Connect the network cable intended for the AP to a computer first and confirm that the computer can use the network and pass a ping test.
After completing the basic AP configuration, verify that a wireless client can find the wireless SSID in a normal scan.
Configure the IP address of the wireless client as a static IP and verify network connectivity.
Other optional AP configurations (DHCP service, wireless authentication and encryption methods).
Note: When logging in to configure the AP for the first time, you need to switch the AP to fat mode. Switch command: FS>ap-mode fat.
d. Configuration steps
Configuration guidance
It is recommended to configure the AP via WEB, especially WALL-AP. Please refer to Fat AP Configuration--Web Configuration Method.

Step1: Create the relevant VLANs.
FS>enable ----->Enter privileged mode
FS#configure terminal ----->Enter global configuration mode
FS(config)#VLAN 1 ----->Create VLAN1
FS(config-VLAN)#exit
FS(config)#VLAN 10 ----->Create wireless user VLAN10
FS(config-VLAN)#exit
FS(config)#VLAN 20 ----->Create wireless user VLAN20
FS(config-VLAN)#exit

Step2: Enable the DHCP server (if there is already a DHCP server in the network, this configuration can be skipped).
FS(config)#service dhcp
Configure the DHCP server to exclude address segments:
FS(config)#ip dhcp excluded-address 172.16.10.253 172.16.10.254 ----->Addresses that DHCP cannot issue: 172.16.10.253~172.16.10.254
FS(config)#ip dhcp excluded-address 172.16.20.253 172.16.20.254
Configure the address pools test_10 (VLAN10) and test_20 (VLAN20):
FS(config)#ip dhcp pool test_10 ----->Address pool name
FS(dhcp-config)#network 172.16.10.0 255.255.255.0 ----->DHCP issues the 172.16.10.0/24 network segment
FS(dhcp-config)#dns-server 8.8.8.8 ----->Issue the DNS address
FS(dhcp-config)#default-router 172.16.10.254 ----->Issue the gateway
FS(dhcp-config)#exit
FS(config)#ip dhcp pool test_20 ----->Address pool name
FS(dhcp-config)#network 172.16.20.0 255.255.255.0 ----->DHCP issues the 172.16.20.0/24 network segment
FS(dhcp-config)#dns-server 8.8.8.8 ----->Issue the DNS address
FS(dhcp-config)#default-router 172.16.20.254 ----->Issue the gateway
FS(dhcp-config)#exit
Note: If the DHCP server runs on the uplink device, configure the wireless broadcast forwarding function globally; otherwise DHCP acquisition will be unstable.
FS(config)#data-plane wireless-broadcast enable

Step3: Configure the sub-interface gig 0/1.10 and encapsulate VLAN 10; configure the sub-interface gig 0/1.20 and encapsulate VLAN 20.
FS(config)#interface GigabitEthernet 0/1
FS(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 1 ----->Encapsulate VLAN
FS(config-if-GigabitEthernet 0/1)#interface GigabitEthernet 0/1.10 ----->Configure interface gig 0/1.10 sub-interface
FS(config-subif-GigabitEthernet 0/1.10)#encapsulation dot1Q 10 ----->Encapsulate VLAN
FS(config-subif-GigabitEthernet 0/1.10)#interface GigabitEthernet 0/1.20 ----->Configure interface gig 0/1.20 sub-interface
FS(config-subif-GigabitEthernet 0/1.20)#encapsulation dot1Q 20 ----->Encapsulate VLAN
FS(config-subif-GigabitEthernet 0/1.20)#exit

Step4: Create a WLAN with a specific SSID and bind it to a designated wireless subinterface to enable wireless signal transmission.
Create WLANs with the specified SSIDs (the WLAN numbers must match the WLAN-id values bound to the RF sub-interfaces below):
FS(config)#dot11 WLAN 1 ----->Create WLAN1
FS(dot11-WLAN-config)#SSID AP1 ----->Broadcast SSID as AP1
FS(dot11-WLAN-config)#exit
FS(config)#dot11 WLAN 2 ----->Create WLAN2
FS(dot11-WLAN-config)#SSID AP2 ----->Broadcast SSID as AP2
FS(dot11-WLAN-config)#exit
Configure RF port 1, encapsulate VLAN, and associate with WLAN:
FS(config)#interface Dot11radio 1/0.10
FS(config-if-Dot11radio 1/0.10)#encapsulation dot1Q 10 ----->Specify VLAN for AP RF sub-interface 1/0.10
FS(config-if-Dot11radio 1/0.10)#WLAN-id 1 ----->Associate with WLAN1
FS(config-if-Dot11radio 1/0.10)#exit
FS(config)#interface Dot11radio 1/0.20
FS(config-if-Dot11radio 1/0.20)#encapsulation dot1Q 20 ----->Specify VLAN for AP RF sub-interface 1/0.20
FS(config-if-Dot11radio 1/0.20)#WLAN-id 2 ----->Associate with WLAN2
FS(config-if-Dot11radio 1/0.20)#exit
Configure RF port 2, encapsulate VLAN, and associate with WLAN:
FS(config)#interface Dot11radio 2/0.10
FS(config-if-Dot11radio 2/0.10)#encapsulation dot1Q 10 ----->Specify VLAN for AP RF sub-interface 2/0.10
FS(config-if-Dot11radio 2/0.10)#WLAN-id 1 ----->Associate with WLAN1
FS(config-if-Dot11radio 2/0.10)#exit
FS(config)#interface Dot11radio 2/0.20
FS(config-if-Dot11radio 2/0.20)#encapsulation dot1Q 20 ----->Specify VLAN for AP RF sub-interface 2/0.20
FS(config-if-Dot11radio 2/0.20)#WLAN-id 2 ----->Associate with WLAN2
FS(config-if-Dot11radio 2/0.20)#exit

Step5: Configure the management address (since the AP acts as a DHCP server, BVI10 and BVI20 must be configured with corresponding IP addresses to ensure proper address allocation. If the AP is not serving as a DHCP server, the address pools and the IP addresses of BVI10 and BVI20 do not need to be configured).
FS(config)#interface BVI 1
FS(config-if-BVI 1)#ip address 172.16.1.253 255.255.255.0
FS(config-if-BVI 1)#exit
FS(config)#interface BVI 10
FS(config-if-BVI 10)#ip address 172.16.10.253 255.255.255.0
FS(config-if-BVI 10)#exit
FS(config)#interface BVI 20
FS(config-if-BVI 20)#ip address 172.16.20.253 255.255.255.0
FS(config-if-BVI 20)#exit

Step6: Configure the AP default route:
FS(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.254

Step7: Save the configuration:
FS(config)#end ----->Exit to privileged mode
FS#write ----->Confirm that the configuration is correct and save it
Note:
VLAN 10, "10" for VLAN-id 10; dot11 WLAN 1, "1" for WLAN-id 1.
VLAN 20, "20" for VLAN-id 20; dot11 WLAN 2, "2" for WLAN-id 2.

Access switch configuration:
The interface connected to the AP and core switch must be configured as trunk.
Configure an internet interface:
FS>enable
FS#configure terminal
FS(config)#interface GigabitEthernet 0/1
FS(config-if-GigabitEthernet 0/1)#switchport mode trunk
FS(config-if-GigabitEthernet 0/1)#interface GigabitEthernet 0/2
FS(config-if-GigabitEthernet 0/2)#switchport mode trunk
FS(config-if-GigabitEthernet 0/2)#exit
Create the VLANs ------>Must be configured, otherwise AP data cannot pass:
FS(config)#VLAN 1
FS(config-VLAN)#VLAN 10
FS(config-VLAN)#VLAN 20
FS(config-VLAN)#exit
Save the configuration:
FS(config)#end
FS#write

Core switch configuration:
Configure an internet interface:
FS>enable
FS#configure terminal
FS(config)#interface GigabitEthernet 0/2
FS(config-if-GigabitEthernet 0/2)#switchport mode trunk
FS(config-if-GigabitEthernet 0/2)#exit
Create the VLANs:
FS(config)#VLAN 1
FS(config-VLAN)#VLAN 10
FS(config-VLAN)#VLAN 20
FS(config-VLAN)#exit
Configure the VLAN gateway addresses:
FS(config)#interface VLAN 1
FS(config-if-VLAN 1)#ip address 172.16.1.254 255.255.255.0
FS(config-if-VLAN 1)#interface VLAN 10
FS(config-if-VLAN 10)#ip address 172.16.10.254 255.255.255.0
FS(config-if-VLAN 10)#interface VLAN 20
FS(config-if-VLAN 20)#ip address 172.16.20.254 255.255.255.0
FS(config-if-VLAN 20)#exit
DHCP function (optional configuration).
Note: Configure DHCP on only one device, either the AP or the gateway device. Refer to step2 of the AP configuration.
Save the configuration:
FS(config)#end
FS#write

e. Configuration verification
Wireless users can find the SSIDs AP1 and AP2.
Users can obtain IP addresses wirelessly and access the internet normally.
Note: Early AP versions have compatibility issues with some network interface cards and need to be upgraded to the latest stable version.

5.3.2.3 Fat AP NAT Routing Mode Configuration
Applicable Scenario Description
The AP in the wireless network is used for routing, and NAT translation is configured on it.
In this case, wireless users obtain their gateway and DHCP addresses from the AP, and the higher-level network does not need any configuration changes.
1. Network topology
image.png
2. Configuration points
a. Connect the network topology and make sure the AP powers on and starts normally.
b. Connect the network cable intended for the AP to a computer first and confirm that the computer can use the network and pass a ping test.
c. After completing the basic AP configuration, verify that a wireless client can find the wireless SSID in a normal scan.
d. Other optional AP configurations (wireless authentication and encryption methods).
Note: When logging in to configure the AP for the first time, you need to switch the AP to fat mode. Switch command: FS>ap-mode fat. The device restarts automatically when the mode is switched.

AP supports routing mode (NAT mode, only some APs support it):
Step1: Configure the wireless user VLAN and DHCP server (assigns addresses to connected PCs; in NAT mode, the wireless users' gateway and DHCP are both provided by the AP).
FS>enable
FS#configure terminal
FS(config)#VLAN 1 ------>Create a wireless user VLAN
FS(config-VLAN)#exit
FS(config)#service dhcp ------>Enable DHCP service
FS(config)#ip dhcp excluded-address 172.16.1.253 172.16.1.254 ------>Exclude this address range from DHCP allocation
FS(config)#ip dhcp pool test ------>Configure the DHCP address pool with the name "test"
FS(dhcp-config)#network 172.16.1.0 255.255.255.0 ------>Issue the 172.16.1.0 address segment
FS(dhcp-config)#dns-server 8.8.8.8 ------>Issue the DNS address
FS(dhcp-config)#default-router 172.16.1.254 ------>Issue the gateway
FS(dhcp-config)#exit

Step2: Create a WLAN with a specific SSID and bind it to a designated wireless subinterface to enable wireless signal transmission.
FS(config)#dot11 WLAN 1
FS(dot11-WLAN-config)#SSID AP ------>The SSID name is AP
FS(dot11-WLAN-config)#exit
FS(config)#interface Dot11radio 1/0.1
FS(config-if-Dot11radio 1/0.1)#encapsulation dot1Q 1 ------>Specify AP RF sub-interface VLAN
FS(config-if-Dot11radio 1/0.1)#WLAN-id 1 ------>Enable WLAN in AP RF sub-interface
FS(config-if-Dot11radio 1/0.1)#exit
FS(config)#interface Dot11radio 2/0.1
FS(config-if-Dot11radio 2/0.1)#encapsulation dot1Q 1 ------>Specify AP RF sub-interface VLAN
FS(config-if-Dot11radio 2/0.1)#WLAN-id 1 ------>Enable WLAN in AP RF sub-interface
FS(config-if-Dot11radio 2/0.1)#exit

Step3: Configure an ACL that permits intranet users for NAT translation.
FS(config)#access-list 1 permit any

Step4: Configure the Ethernet interface of the AP, and specify the g0/1 port as the uplink port. Configure the public network address on the interface and set it to the outside direction.
FS(config)#interface GigabitEthernet 0/1
FS(config-if-GigabitEthernet 0/1)#ip address 100.168.12.200 255.255.255.0
FS(config-if-GigabitEthernet 0/1)#ip nat outside
FS(config-if-GigabitEthernet 0/1)#exit

Step5: Configure the BVI 1 address as the gateway for intranet users and set it to the inside direction.
FS(config)#interface bvi 1
FS(config-if-BVI 1)#ip address 172.16.1.254 255.255.255.0
FS(config-if-BVI 1)#ip nat inside
FS(config-if-BVI 1)#exit

Step6: Configure the NAT translation list.
FS(config)#ip nat inside source list 1 interface GigabitEthernet 0/1 overload

Step7: Configure the default route to point to the egress gateway.
FS(config)#ip route 0.0.0.0 0.0.0.0 100.168.12.1
FS(config)#end
FS#write ------>Confirm that the configuration is correct and save it.

5.3.2.4 WALL AP Front Panel Interface VLAN Configuration
WALL AP - Default management address and password
Wall-AP series such as AP-N515H:
In fit mode, LAN port and Uplink port IP addresses are 192.168.1.1 /24.
In fat mode, LAN port IP address is 192.168.2.1 /24; Uplink port IP address is 192.168.1.1 /24.
Default username for web administration: admin, password: admin.
Please refer to the FAT AP deployment - Web configuration method. Configure the wireless signal first, assuming that the wireless user is using VLAN1.

1. The front panel and wireless users share the same VLAN
With the wireless signal configuration completed, and assuming that wireless users use VLAN1, the front panel is placed in the same VLAN as the wireless users and also uses VLAN1.
FS#config terminal
FS(config)#interface GigabitEthernet 0/2 (Enter the corresponding interface according to the actual situation)
FS(config-if-GigabitEthernet 0/2)#encapsulation dot1Q 1
FS(config-if-GigabitEthernet 0/2)#end
FS#write
A wall-ap with multiple front panels supports putting different front panels into different VLANs. For the configuration method, refer to the example above.

2. Front panel and wireless users use different VLANs
With the wireless signal configuration completed, and assuming that wireless users use VLAN1, the front panel uses VLAN10, which is different from the wireless user VLAN.
Configuration on WALL-AP:
FS#config terminal
FS(config)#VLAN 10 ------>Create front panel VLAN
FS(config-VLAN)#exit
FS(config)#interface GigabitEthernet 0/2 (Enter the corresponding interface according to the actual situation)
FS(config-if-GigabitEthernet 0/2)#encapsulation dot1Q 10
FS(config-if-GigabitEthernet 0/2)#end
FS#write
A wall-ap with multiple front panels supports putting different front panels into different VLANs. For the configuration method, refer to the example above.

Access switch configuration:
The interface connected to the AP and core switch must be configured as trunk.
a.
Configure an internet interface
FS>enable
FS#configure terminal
FS(config)#interface GigabitEthernet 0/1
FS(config-if-GigabitEthernet 0/1)#switchport mode trunk
FS(config-if-GigabitEthernet 0/1)#interface GigabitEthernet 0/2
FS(config-if-GigabitEthernet 0/2)#switchport mode trunk
FS(config-if-GigabitEthernet 0/2)#exit
b. Create the VLANs ----->Must be configured, otherwise AP data cannot pass. All the VLANs used on the AP need to be configured.
FS(config)#VLAN 1
FS(config-VLAN)#VLAN 10
FS(config-VLAN)#exit
c. Save the configuration
FS(config)#end
FS#write

Core switch configuration:
a. Configure an internet interface
FS>enable
FS#configure terminal
FS(config)#interface GigabitEthernet 0/2
FS(config-if-GigabitEthernet 0/2)#switchport mode trunk
FS(config-if-GigabitEthernet 0/2)#exit
b. Create the VLANs
FS(config)#VLAN 1
FS(config-VLAN)#VLAN 10
FS(config-VLAN)#exit
c. Configure the VLAN gateway address (configuration omitted here).
d. DHCP function (optional configuration).
Note: Configure DHCP on only one device, either the AP or the gateway device.
e. Save the configuration:
FS(config)#end
FS#write

5.3.3 AP Fat Mode Commonly Used Checking Commands
1. How to check the current working mode of the AP
Log in to the AP command line through the console port.
FS>show ap-mode
current mode: fit ------>fit is fit mode; fat is fat mode.
2. Check wireless user signal strength, association rate and time.
show dot11 associations all-client
image.png
FS#show dot11 associations all-client
INTF-IDX ADDR AID CHAN RATE RSSI IDLE TXSEQ RXSEQ ERP STATE CAPS HTCAPS
0 00:1f:3b:3b:b4:35 2 11 48.0M 70 120 15 6416 0x0 0x37 ES Q
0 00:24:d6:94:11:44 1 11 130.0M 55 120 38 31488 0x0 0x2f
RSSI represents the signal strength of the wireless client; a value above 40 is generally no problem.
RATE represents the connection rate of the wireless client.
3. Check if the AP has a signal: show dot mbSSID
image.png
4. Check AP version, device serial number: show version
image.png
5.
Check AP channel utilization:
debug sdk link_quality 1 (Check channel utilization in the 2.4G band)
debug sdk link_quality 2 (Check channel utilization in the 5.8G band)
6. Check device IP address: show ip interface brief
image.png
7. Check physical interface status: show int state
image.png
8. Check RF card power, background noise: show dot11 wireless 1/0 --Check background noise for 2.4G on the AP
image.png
9. Check all configurations of the AP: show run
10. Check terminal connection log information: show log

5.4 Wireless Security Functions
5.4.1 Wireless Encryption Function
5.4.1.1 Function Introduction and Application Scenarios
1. Function introduction:
WEP encryption:
WEP encryption mode can use either open-system or shared-key link authentication. The main differences between them are:
a. With open-system, the WEP key is only used for data encryption. Even if the key is inconsistent, the user can go online, but the data transmitted after going online will be discarded by the receiver because of the inconsistent key;
b. With shared-key, the WEP key is used for link authentication and data encryption. If the keys are inconsistent, the client fails link authentication and cannot go online.
PSK access authentication
Uses pre-shared key authentication (WPA-PSK and WPA2-PSK, respectively). In this case, WPA is used in a similar way to WEP, but gains the higher security brought by WPA and 802.11i, including stronger authentication and better encryption algorithms. PSK authentication only requires the same pre-shared key to be configured on the STA and the access device to establish connection and communication, without additional authentication servers.
802.1X access authentication
The 802.1x protocol is a port-based network access control protocol. This authentication method authenticates and controls the accessing user device at the port level of the WLAN access device.
If the user device connected to the interface passes authentication, it can access the resources in the WLAN; if it does not, it cannot access the resources in the WLAN. 802.1X authentication requires authentication client software to be installed on the terminal. In some cases this condition cannot be met, for example with some wireless printers. For network management and security reasons, even if these terminals do not have 802.1X authentication clients, network administrators still need to control the legitimacy of these access devices.
2. Application scenarios:
Since wireless networks use an open medium, with public electromagnetic waves as the carrier for data signals, there is no cable connection between the two parties. If the transmission link is not properly encrypted, the risk to transmitted data increases greatly. Therefore, wireless security is particularly important in WLAN.
To enhance wireless network security, wireless devices need to provide two security mechanisms at the wireless level, authentication and encryption:
a. Authentication mechanism: verifies the identity of users so that only specific (authorized) users can use network resources.
b. Encryption mechanism: encrypts the data on the wireless link to ensure that wireless network data is only received and understood by the intended user.
Before IEEE 802.11i was proposed, WEP (Wired Equivalent Privacy) was the only authentication and encryption method. WEP encryption uses a static secret key, and every WLAN terminal uses the same key to access the wireless network. It has been proven to be crackable.
To solve the security problem of wireless access, the Wi-Fi Alliance formulated the WPA (Wi-Fi Protected Access) standard, a transitional solution to replace WEP. There are two modes of WPA authentication to choose from: 802.1x protocol authentication mode and PSK (Pre-Shared Key) mode.
After IEEE 802.11i defined the concept of RSN (Robust Security Network) and was released, the Wi-Fi Alliance revised WPA and introduced WPA2, with the same functions as the IEEE 802.11i standard.
Based on the different authentication methods, there are currently WEP encryption, PSK access authentication, and 802.1x access authentication. The three methods cannot be configured at the same time. In actual use, select the method that fits the application scenario.

Typical applications | Application scenario description
WEP encryption | In WLANs that are relatively small and do not require high security, wireless data communication is protected using static WEP encryption mode.
PSK access authentication | For some small and medium-sized enterprise networks or home users, access authentication based on pre-shared keys should be used to strengthen wireless network security.
802.1X access authentication | In scenarios with high security or unified management requirements, port-based network access control is used.

5.4.1.2 Configuration Cases
1. Network requirements
Wireless users need to enter a password to connect to the wireless network.
2. Network topology
image.png
3. Configuration points
a. Enable wireless encryption.
b. Configure the wireless encryption type.
c. Configure the wireless password.
4. Configuration steps
a. WPA Shared Key Authentication
FS(config)#WLANsec 1
FS(config-WLANsec)#security wpa enable ---->Enable wireless encryption
FS(config-WLANsec)#security wpa ciphers aes enable ---->Enable AES encryption
FS(config-WLANsec)#security wpa akm psk enable ---->Enable the shared key authentication method
FS(config-WLANsec)#security wpa akm psk set-key ascii 1234567890 ---->The wireless password cannot be shorter than 8 characters
FS(config-WLANsec)#exit
b.
WPA2 Shared Key Authentication【Recommended configuration】 FS(config)#WLANsec 1 FS(config-WLANsec)#security rsn enable ---->Enable wireless encryption FS(config-WLANsec)#security rsn ciphers aes enable ---->Wirelessly enable AES encryption FS(config-WLANsec)#security rsn akm psk enable ---->Wirelessly enable shared key authentication method FS(config-WLANsec)#security rsn akm psk set-key ascii 12345678 ---->The number of wireless password bits cannot be less than 8 FS(config-WLANsec)#exit c. Save the configuration FS(config)#end FS#write 5. Configuration verification a. You can check the FS wireless signal, and the window of entering the network key will pop up when associated. b. After entering the wireless password, the link is successful. image.png 5.4.1.3 FAQ 1. Notes on Configuring Wireless TKIP. 802.11n must be turned off when configuring TKIP. The maximum rate of TKIP can only reach 54M, so 802.11n is not supported. And the key cache occupied by TKIP is twice that of AES, so the number of machines is 1/2 that of AES. If 802.11n is not turned off, the following error message will appear: FS(config-WLANsec)#sec wpa ciphers tkip enable Config TKIP cipher fail, check AP's radio mode(can not be HT). Note: HT High throughput uses the modulation and coding method introduced by 11n to transmit, which improves the transmission rate. The default is ht20, and ht40 can be configured to increase the rate by 1 time. Command to turn off 802.11n: Fit mode: FS(config)# ap-config AP0001 ---->Enter the configuration of the specific ap FS(config-ap)#no 11ngsupport enables radio 1 ---->Turn off radio 1 to support 802.11n function under 2.4G FS(config-ap)#no 11nasupport enables radio 1 ---->Turn off radio 2 to support 802.11n function under 5.8G FS(config-ap)#end FS#write Fat mode: FS(config)#int dot11radio 1/0 ---->Enter the RF card FS(config-if-Dot11radio 1/0)#no 11nsupport enable ---->Turn off the 802.11n function of radio 1 FS(config-if-Dot11radio 1/0)#end FS#write 2. 
Correspondence between wireless security types and wireless device configurations on windows systems. FS(config-WLANsec)#security rsn akm ? 802.1x Setup RSN 802.1x AKM ---->WPA2 Enterprise psk Setup WLAN RSN PSK ---->WPA2 Individuals FS(config-WLANsec)#security wpa akm ? 802.1x Setup RSN 802.1x AKM ---->WPA Enterprise psk Setup WLAN RSN PSK ---->WPA Individuals 3. How many passwords does the wireless wep support? FS(config-WLANsec)#security static-wep-key encryption key-length {ascii|hex} key-index key In ascii mode, 5 bytes and 13 bytes of data can be used as keys according to the key-length parameter. The key-length parameter is 40, 104. In hex mode, 10 bytes and 26 bytes of data can be used as keys according to the key-length parameter. The key-length parameter is 40, 104. (If the key-length is 40 bits, the 64-bit algorithm is used; if it is 104 bits, the 128-bit algorithm is used) 4. Can wpa and wpa2 be configured at the same time under a WLANsec? Yes, but the password must be the same. 5. Can AC/AP configure WEP encryption on both WLANs? No, currently AC/AP chips have limitations. Only one WLAN on an AC can use WEP encryption at a time. Other encryption methods do not have this restriction. 5.4.2 Wireless Anti-ARP Spoofing Function 1. Function introduction and application scenarios a. Function introduction: In a wireless network, due to the diversity and uncertainty of users accessing the wireless network, it is very likely that the private IP address is set on the wireless end or an ARP virus in the client initiates an ARP attack. Deployment of anti-ARP attacks on wireless devices features can effectively solve these problems. b. Application scenarios: Wireless clients are highly mobile and uncertain, such as in places with many outsiders: squares, halls, conference rooms, reception rooms, etc. 
Using this solution effectively avoids address conflicts caused by IP addresses set privately on wireless clients and ARP attacks initiated by ARP viruses on clients.
Advantages: Increases wireless security; prevents wireless clients from setting IP addresses privately and prevents wireless networks from being paralyzed by ARP attacks.
Disadvantages: It places high performance requirements on wireless devices, consumes their operating resources, and requires additional configuration.

2. Configuration Cases
a. Network requirements
Prevent wireless users from configuring IP addresses privately, which results in IP address conflicts, or from using ARP attack software to paralyze the network.
b. Network topology
[Figure: network topology]
3. Configuration points
a. Enable DHCP snooping on the AC and configure the trusted port
b. Configure the ARP protection function
c. Clear the arp and proxy_arp tables
4. Configuration steps
a. Enable DHCP snooping on the AC and configure the trusted port
AC(config)#ip dhcp snooping ----->Enable dhcp snooping globally
AC(config)#interface gigabitEthernet 0/1
AC(config-if-GigabitEthernet 0/1)#ip dhcp snooping trust ----->The uplink interface is configured as a trusted port. If the DHCP server is on the AC, this command is not needed
AC(config-if-GigabitEthernet 0/1)#exit
b. Configure the ARP protection function (to enable ARP protection, terminals that are already online must be taken offline and then reconnected to the wireless network).
When the WEB authentication function is not enabled:
AC(config)#WLANsec 1
AC(config-WLANsec)#ip verify source port-security ----->Enable IP protection function
AC(config-WLANsec)#arp-check ----->Enable ARP detection function
AC(config-WLANsec)#end
AC#write
When the WEB authentication function is enabled:
AC(config)#WLANsec 1
AC(config-WLANsec)#ip verify source port-security ----->Enable IP protection function
AC(config-WLANsec)#arp-check ----->Enable ARP detection function
AC(config-WLANsec)#end
AC#write
Note: In a WEB authentication environment, this configuration does not support anti-gateway ARP spoofing. An additional step is needed to support it: configure the anti-gateway ARP spoofing command under WLANsec on the AC to filter ARP packets from the downlink port that impersonate the gateway. Command: anti-arp-spoofing ip x.x.x.x under WLANsec (x.x.x.x stands for the gateway address); limit the number of entries to 64.
c. Clear the arp and proxy_arp tables
AC#clear arp-cache
AC#clear proxy_arp
5. Configuration verification
a. Wireless users that connect to the wireless network and obtain IP addresses through DHCP are added to the dhcp snooping database.
[Figure]
b. With a manually configured IP address on the wireless network interface card, the client is unable to ping the gateway.
c. When the wireless network interface card is statically configured with the IP address of another normal user, that normal user is not prompted about an address conflict.

5.4.3 Wireless Associated Control Function
1. Principle of associated control
a. Associated control overview
Associated control is a method to control the association behavior of wireless STAs. STAs are grouped, one STA in each group is defined as the master STA and the others as slave STAs, and the slave STAs are only allowed to follow the master STA, so the wireless network a slave STA associates with must be the same as that of the master STA. This is how the association behavior of wireless terminals is controlled.
b. Related concepts of associated control
Associated control domain: It can be understood as a wireless network composed of one AP or a group of APs. At any given time, a STA group can only be successfully associated with APs in one associated control domain.
Terminal package: Consists of a group of STAs, including a master STA and slave STAs. A slave STA cannot independently associate with an AP in a control domain without the master STA; it can only follow the master STA. Whichever control domain the master STA is associated with, the slave STA can only associate with an AP in that control domain.
c. Principle of associated control
Divide the range that the wireless network needs to cover into several associated control domains, deploy one or more APs in each associated control domain, and then group the wireless terminals to strictly control which control domains the terminals can associate with. Take a school's e-schoolbag application as an example. A school has many classrooms, all equipped with wireless APs, and the wireless signal propagates through space. When two adjacent classrooms are both using e-schoolbags in class, the ideal situation is that the teacher's and students' devices are connected to the AP of their own classroom, so that the classrooms do not interfere with each other. This requires each classroom to be an associated control domain, with all student and teacher devices in the classroom associated with its wireless AP.

Fit AP network architecture
The figure below shows the fit AP architecture of the associated control application.
[Figure: Fit AP network topology]

Premise
The purpose of associated control is to prevent terminals from associating at random when several wireless networks are available. The network configuration has to meet certain premises, mainly the following:
Each associated control domain is a WLAN subnet, and a VLAN is assigned to each WLAN subnet. The purpose is to limit the scope of broadcast or multicast messages to this control domain, so as to ensure the smooth operation of the services in the associated control domain.
All WLAN subnets use different SSIDs.
For example, the name of the associated control domain can be used as the SSID for easy identification. The purpose is to make it easy for the master STA and slave STAs in a terminal package to associate, by SSID name, with an AP in the specified associated control domain.
d. Working principle
According to the pre-configured associated control domain and terminal package information, the AC delivers the master STA information of all terminal packages to all APs in the associated control domains and generates whitelist entries for the master STAs on these APs.
Since the master STA information of all terminal packages is already in the AP whitelist, when using the associated control function the master STA first needs to associate with the SSID of the specified control domain. After the master STA completes the association, the AC sends all of its slave STAs, according to the master STA's terminal package configuration, to all APs in that associated control domain and generates whitelist entries for them, which allows the slave STAs to associate with this control domain.
When the master STA disassociates and goes offline, all of its slave STAs also go offline and are deleted from the whitelist on the APs of the associated control domain.
The process can be summarized as follows: the slave STA follows the master STA. Whichever associated control domain the master STA associates with, the slave STA should do the same. Because only the AP in the associated control domain has a whitelist corresponding to the secondary STA, while AP in other associated control domains. This ensures that STAs will not associate indiscriminately.
Note: Under the fit AP architecture, the master STA and slave STAs may be distributed across, and associated with, multiple APs in a given control domain.

2. Configuration Cases
a. Function introduction: Associated control is a method to control the association behavior of wireless STAs.
STAs are grouped, one STA in each group is defined as the master STA and the others as slave STAs, and the slave STAs are only allowed to follow the master STA. The wireless network a slave STA associates with must therefore be the same as that of the master STA. In this way, the association behavior of wireless terminals can be controlled. This function is commonly used in e-schoolbag scenarios.
b. Application scenarios: This solution can be used when other wireless terminals should be able to access the wireless network only after one particular wireless client has accessed it. It is generally used in school teaching environments. For example, the students' clients can access the wireless network only when the teacher's device is connected to it.
Advantages: Increases wireless security and ensures the use of wireless networks.
Disadvantages: It wastes wireless resources, requires additional configuration and can only be used in fit mode.

Implementation guidance
Networking requirements
Only when the master user is connected to the wireless network does the slave user access it.
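The whitelist bookkeeping described under the working principle can be traced with the following added Python model, which is not FS code and not part of the original guide. The class and method names are hypothetical; the MAC addresses, AP names and control domain names are the ones used in this section's configuration steps, and a master STA that moves to another control domain is modelled as a disassociation followed by a new association (an assumption).

```python
# Model of associated control: per-domain AP whitelists maintained by the AC.
# Illustrative only; names below are hypothetical, values come from the guide's example.

ZONES = {                       # control-zone -> APs that belong to it
    "js1": ["AP-W6D2400C", "AP-N515"],
    "js2": ["AP-N505", "AP-W6T3267C"],
}
MASTER = "64a7.69e1.75d0"       # primary-sta of package 5-2
SLAVE = "0811.9692.244c"        # secondary-sta of package 5-2
PACKAGES = {"5-2": {"primary": MASTER, "secondary": [SLAVE]}}


class AssocControl:
    def __init__(self, zones, packages):
        self.ap_zone = {ap: zone for zone, aps in zones.items() for ap in aps}
        # master MAC -> list of its slave MACs
        self.secondaries = {p["primary"]: list(p["secondary"]) for p in packages.values()}
        # The AC pushes every master STA to the whitelist of every control domain up front.
        self.whitelist = {zone: set(self.secondaries.keys()) for zone in zones}
        self.online = {}        # MAC -> control domain it is currently associated in

    def associate(self, mac, ap):
        """Return True if the AP's whitelist lets this STA associate."""
        zone = self.ap_zone[ap]
        if mac not in self.whitelist[zone]:
            return False
        is_master = mac in self.secondaries
        if is_master and self.online.get(mac) not in (None, zone):
            self.disassociate(mac)          # master left its old domain first
        self.online[mac] = zone
        if is_master:
            # Slaves are whitelisted only in the domain the master joined.
            self.whitelist[zone].update(self.secondaries[mac])
        return True

    def disassociate(self, mac):
        """Take a STA offline; for a master, return the slaves that go offline with it."""
        zone = self.online.pop(mac, None)
        kicked = []
        if zone is not None and mac in self.secondaries:
            for sta in self.secondaries[mac]:
                self.whitelist[zone].discard(sta)
                if self.online.get(sta) == zone:
                    del self.online[sta]
                    kicked.append(sta)
        return kicked


def walkthrough():
    """Replay the sequence described in the working principle and collect each outcome."""
    ac = AssocControl(ZONES, PACKAGES)
    return [
        ac.associate(SLAVE, "AP-N515"),       # slave first: rejected, master not online
        ac.associate(MASTER, "AP-W6D2400C"),  # master joins js1
        ac.associate(SLAVE, "AP-N515"),       # slave on another AP of js1: accepted
        ac.associate(SLAVE, "AP-N505"),       # slave tries js2: rejected
        ac.disassociate(MASTER),              # master leaves: slave goes offline too
        ac.associate(SLAVE, "AP-N515"),       # slave alone again: rejected
    ]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```
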
Network topology
[Figure: network topology]
Configuration points
Configure terminal package
Configure the control domain
Enable associated control
Configuration steps
Configure terminal package
AC(config)#package 5-2 ----->Configure the terminal package, named 5-2
AC(config-package)#primary-sta 64a7.69e1.75d0 ----->Configure the master STA
AC(config-package)#secondary-sta 0811.9692.244c ----->Configure all slave STAs
AC(config-package)#exit
Configure the control domain
AC(config)#control-zone js1 ----->The control domain is named js1
AC(config-czone)#ap AP-W6D2400C ----->The AP belongs to the control domain
AC(config-czone)#ap AP-N515 ----->The AP belongs to the control domain
AC(config-czone)#exit
AC(config)#control-zone js2
AC(config-czone)#ap AP-N505
AC(config-czone)#ap AP-W6T3267C
AC(config-czone)#exit
Enable associated control
AC(config)#assoc-control
Save the configuration
AC(config)#end
AC#write
Configuration verification
After the master STA associates with the wireless network, the slave STA can associate.
Log in to the AC and run show ac-config client to confirm the online status of wireless users.
[Figure]
Log in to the AP and check the AP whitelist configuration through show run.
[Figure]

6. FAQ
1. Is there any conflict between associated control and the blacklist and whitelist?
Although associated control uses the whitelist principle, there is no conflict. The blacklist and whitelist can be understood as the first gate; associated control is considered after it.

5.4.4 Wireless User Isolation Function
5.4.4.1 Wireless User Isolation Configuration in Fit AP Scenarios
Fit AP scenarios: Command line configuration method:
1. Network requirements
Due to security considerations, the customer wants wireless users to be unable to access each other.
2. Network topology
[Figure: network topology]
3. Configuration points
Confirm wireless user isolation type
Configure wireless user isolation
Configure permit list
4. Configuration steps
a. There are five types of wireless user isolation: AC-based user isolation, AP-based user isolation, SSID-AC-based user isolation, SSID-AP-based user isolation, and WLAN-id num intercommunication Layer-2 user isolation (enables the Layer-2 user isolation function for intercommunication within a specified WLAN-id (SSID)):
With AC-based user isolation, users on different APs under the AC cannot access each other.
AC(config)#wids
AC(config-wids)#user-isolation ac enable
AC(config-wids)#exit
With AP-based user isolation, users on the same AP cannot access each other.
AC(config)#wids
AC(config-wids)#user-isolation ap enable
AC(config-wids)#exit
With SSID-AC-based user isolation, users of the same WLAN on different APs under the AC cannot access each other.
AC(config)#wids
AC(config-wids)#user-isolation SSID-ac enable
AC(config-wids)#exit
With SSID-AP-based user isolation, users in the same WLAN on the AP cannot access each other.
AC(config)#wids
AC(config-wids)#user-isolation SSID-ap enable
AC(config-wids)#exit
With WLAN-id num intercommunication Layer-2 user isolation, user isolation is enabled under a specific WLAN, and users in this WLAN cannot access each other after it is enabled.
AC(config)#wids
AC(config-wids)#user-isolation WLAN-id num enable (num is the number of WLAN-id)
AC(config-wids)#exit
b. Configure the permit list; users in it are not restricted by user isolation
AC(config)#wids
AC(config-wids)#user-isolation permit-mac 0811.9692.244c
AC(config-wids)#exit
c. Save the configuration
AC(config)#end
AC#write
Note: The user isolation function is only for Layer-2 users.
Under centralized forwarding (user isolation takes effect on the AC side):
The AP/AC/WLAN-ID-based isolation methods can isolate Layer-2 unicast, multicast, and broadcast (ARP broadcast isolation requires proxy ARP to be turned off);
The SSID-AP/SSID-AC-based isolation methods can only isolate Layer-2 unicast; broadcast and multicast cannot be isolated.
Under local forwarding (user isolation takes effect on the AP side):
AP/WLAN-ID-based isolation is supported, but it can only isolate Layer-2 unicast, multicast, and broadcast between users under the same AP (note: with smart split + micro AP, unicast, multicast and broadcast can only be isolated between users under the same micro AP);
SSID-AP-based isolation is supported, but it can only isolate Layer-2 unicast and cannot isolate broadcast and multicast;
AC/SSID-AC-based isolation is not supported (with local forwarding, user data does not go through the AC, so it is not supported).

The fit AP web configuration method is as follows:
1. AC-based user isolation: users on different APs under the AC cannot access each other
Click Config ==》Security ==》User Isolation, switch the prohibition of intranet user mutual access to the ON state, and select the users connected to different APs, as follows:
[Figure]
2. AP-based user isolation: users on the same AP cannot access each other
Click Config ==》Security ==》User Isolation, switch the prohibition of intranet user mutual access to the ON state, and select the users connected to the same AP, as follows:
[Figure]
3. SSID-AC-based user isolation: users of the same WLAN on different APs under the AC cannot access each other
Click Config ==》Security ==》User Isolation, switch the prohibition of intranet user mutual access to the ON state, and select the users connected to the same WiFi, as follows:
[Figure]
4. SSID-AP-based user isolation: users in the same WLAN on the AP cannot access each other
Click Config ==》Security ==》User Isolation, switch the prohibition of intranet user mutual access to the ON state, and select the users connected to the same AP and the same WiFi, as follows:
[Figure]

5.4.4.2 Wireless User Isolation Configuration in Fat AP Scenarios
Fat AP scenarios: Command line configuration method:
1. Network requirements
Due to security considerations, the customer wants wireless users to be unable to access each other.
2. Network topology
[Figure: network topology]
3. Configuration points
a. Confirm wireless user isolation type
b. Configure wireless user isolation
c. Configure permit list
4. Configuration steps
a. There are two types of wireless user isolation: AP-based user isolation and AP-SSID-based user isolation
With AP-based user isolation, users on the same AP cannot access each other.
FS(config)#wids
FS(config-wids)#user-isolation ap enable
FS(config-wids)#exit
With AP-SSID-based user isolation, users in the same WLAN on the AP cannot access each other.
FS(config)#wids
FS(config-wids)#user-isolation SSID-ap enable
FS(config-wids)#exit
b. Configure the permit list; users in it are not restricted by user isolation
FS(config)#wids
FS(config-wids)#user-isolation permit-mac 0811.9692.244c
FS(config-wids)#exit
c. Save the configuration
FS(config)#end
FS#write
5. Configuration verification
a. After user isolation is enabled, other users in the same wireless network cannot be pinged, but Internet access is normal.
b. After a user is added to the permit list, it can ping other users in the same wireless network.
Note: The user isolation function is only for Layer-2 users. The SSID-based user isolation function under the AP only supports the isolation of unicast data packets, and cannot isolate broadcast and multicast packets.

The fat AP web configuration method is as follows:
Click Security ==》Prohibit intranet mutual access, and enable the function of prohibiting intranet mutual access, as follows:
[Figure]

5.4.4.3 Wireless User Isolation Function
Function introduction and application scenarios
1. Function introduction: Because wireless users are mobile and unpredictable, in some settings (especially public places) the privacy of user information is particularly important, and direct access between users needs to be restricted. User isolation can control unsafe access between wireless terminals in the wireless network coverage area (for example, wireless Internet users accessing each other through network neighbors) and prevent private information from being stolen by others. The user isolation function isolates users from each other without affecting their normal Internet access, so that they cannot communicate with each other, which ensures the security of user services.
2. Application scenarios: This function is used so that wireless users under the same AP or the same wireless signal cannot access each other.
Advantages: Increases the stability of the wireless network.
Disadvantages: Requires additional configuration.
FAQ
1. In the minimalist network solution, does wireless user isolation take effect?
No. User isolation is a Layer 2 environment, but the simplified network is a Layer 3 environment. So it does not take effect.

5.4.5 Wireless Blacklist and Whitelist Function
5.4.5.1 Function Introduction and Application Scenarios
1. Function introduction: In a wireless network, the blacklist and whitelist function can filter the frames of wireless clients, which implements access control for wireless terminal users.
Whitelist
The whitelist contains the MAC addresses of the wireless clients that are allowed to access, and the user can configure it through the command line. If the whitelist function is enabled, only the wireless users specified in the whitelist can access the WLAN network, and all packets of other wireless users are discarded directly by the AP, reducing the impact of illegal packets on the wireless network.
Static Blacklist
The static blacklist contains the MAC addresses of wireless clients that are denied access, and users can configure it through the command line. If the static blacklist function is enabled, all packets of wireless users specified in the blacklist are discarded by the AP.
SSID-based Whitelist
The SSID-based whitelist contains the MAC addresses of wireless clients that are allowed to access the specified SSID, and users can configure it through the command line. If the SSID-based whitelist function is enabled, only wireless users specified in the whitelist can access the SSID subset, and all packets of other wireless users are discarded directly by the AP, reducing the impact of illegal packets on the wireless network.
SSID-based Blacklist
The SSID-based blacklist contains the MAC addresses of wireless clients that are denied access to the specified SSID, and users can configure it through the command line. If the SSID-based blacklist function is enabled, all packets of wireless users specified in the blacklist in the SSID subset are discarded by the AP.
2. Application scenarios: The wireless network is only to be used by designated users, or is not to be used by some specific users.
Advantages: Increases wireless security and makes it possible to control the access of wireless users.
Disadvantages: Requires additional configuration.

5.4.5.2 Global Blacklist and Whitelist Configuration
Global-based blacklist and whitelist command-line configuration
1. Network requirements
The network controls wireless user access through the blacklist and whitelist.
2. Network topology
[Figure: network topology]
3. Configuration points
Configure the whitelist (after completing the whitelist configuration, wireless users who are not in the whitelist cannot access the wireless network).
Configure the blacklist (after completing the blacklist configuration, wireless users who are in the blacklist cannot access the wireless network).
4. Configuration steps
Configure the whitelist; test MACs: 6809.27b0.169f, 8ca9.829a.b1ea
FS(config)#wids
FS(config-wids)#whitelist mac-address 6809.27b0.169f ----->6809.27b0.169f is allowed to access the wireless network; STAs not in the whitelist are denied by default.
FS(config-wids)#whitelist max 1024 ----->Adjust the whitelist capacity
FS(config-wids)#exit
Configure the blacklist; test MACs: 6809.27b0.169f, 8ca9.829a.b1ea
FS(config)#wids
FS(config-wids)#static-blacklist mac-address 6809.27b0.169f ----->6809.27b0.169f is not allowed to access the wireless network; STAs not in the blacklist are allowed by default.
FS(config-wids)#static-blacklist max 1024 ----->Adjust the blacklist capacity
FS(config-wids)#exit
Save the configuration
FS(config)#end
FS#write
5. Configuration verification
a. Wireless users not in the whitelist cannot access the wireless network, but those in the whitelist can; test MACs: 6809.27b0.169f, 8ca9.829a.b1ea
FS#show wids whitelist
------------------ Whitelist Information------------------
num Mac-address
1   6809.27b0.169f
FS#show ac-config client by-ap-name
========= show sta status =========
AP : ap name/radio id
Status: Speed/Power Save/Work Mode, E = enable power save, D = disable power save
Total Sta Num : 1
STA MAC        IPV4 Address    AP                                       WLAN VLAN Status         Asso Auth Net Auth  Up time
-------------- --------------- ---------------------------------------- ---- ---- -------------- --------- --------- -------------
6809.27b0.169f 192.168.20.1    649d.99d0.d95e/1                         1    20   52.0M/E/bn     WPA2_PSK            0:00:10:02
b. Wireless users in the blacklist cannot access the wireless network, and those not in the list can; test MACs: 6809.27b0.169f, 8ca9.829a.b1ea
Test SSID: wireless (blacklist: WLAN1), non-blacklist (fstest: WLAN2)
FS#show wids blacklist static
------------------ Static Blacklist Information ------------------
num Mac-address
1   6809.27b0.169f
FS#show ac-config client by-ap-name
========= show sta status =========
AP : ap name/radio id
Status: Speed/Power Save/Work Mode, E = enable power save, D = disable power save
Total Sta Num : 1
STA MAC        IPV4 Address    AP                                       WLAN VLAN Status         Asso Auth Net Auth  Up time
-------------- --------------- ---------------------------------------- ---- ---- -------------- --------- --------- -------------
8ca9.829a.b1ea 192.168.20.2    649d.99d0.d95e/1                         1    20   58.5M/D/bn     WPA2_PSK            0:00:00:24

Fit AP, AC web configuration based on the global blacklist and whitelist:
Based on the global blacklist and whitelist (blacklist as an example): Click Security ==》Blacklist and Whitelist, as follows:
[Figure]

Fat AP web configuration based on the global whitelist
Click Security ==》Blacklist and Whitelist, then click to permit MAC addresses to access the WiFi Internet, as follows:
[Figure]
Add user list, MAC address format is: 0000.0000.0000, as follows:
[Figure]
Configuration verification: Terminals that are not in the whitelist are told that they cannot access when they try to access the wireless system, while terminals not added in the blacklist normally access the signal.
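To audit what a set of list entries allows, the added Python example below (not FS code and not part of the original guide) parses commands in the syntax shown in 5.4.5.2 and 5.4.5.3 and evaluates the four list types from 5.4.5.1 with the precedence given in the FAQ of 5.4.5.4, reproducing that FAQ's a/b/c/d scenario. It assumes that blacklists are checked before whitelists and that a whitelist counts as enabled once it has an entry; the guide states neither, and the function names and the MACs for users a to d are constructed.

```python
import re
from collections import defaultdict

PROMPT = re.compile(r"^[\w-]+\([\w-]+\)#\s*")   # e.g. "FS(config-wids)#"
NOTE = re.compile(r"\s*-{2,}>.*$")              # trailing "----->comment"


def norm_mac(text):
    """Return a MAC in the guide's dotted form (xxxx.xxxx.xxxx), whatever separators were used."""
    digits = re.sub(r"[.:\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


class WidsLists:
    def __init__(self):
        self.white = set()                    # whitelist mac-address <mac>
        self.black = set()                    # static-blacklist mac-address <mac>
        self.ssid_white = defaultdict(set)    # SSID-filter whitelist ... in-SSID <ssid>
        self.ssid_black = defaultdict(set)    # SSID-filter blacklist ... in-SSID <ssid>


def parse_wids(lines):
    """Build the four lists from command lines written in the guide's syntax."""
    lists = WidsLists()
    for raw in lines:
        cmd = PROMPT.sub("", NOTE.sub("", raw.strip())).split()
        if len(cmd) == 3 and cmd[:2] == ["whitelist", "mac-address"]:
            lists.white.add(norm_mac(cmd[2]))
        elif len(cmd) == 3 and cmd[:2] == ["static-blacklist", "mac-address"]:
            lists.black.add(norm_mac(cmd[2]))
        elif (len(cmd) == 6 and cmd[0] == "SSID-filter"
              and cmd[2] == "mac-address" and cmd[4] == "in-SSID"):
            target = {"whitelist": lists.ssid_white, "blacklist": lists.ssid_black}.get(cmd[1])
            if target is not None:
                target[cmd[5]].add(norm_mac(cmd[3]))
        # Other lines ("wids", "whitelist max 1024", "exit") do not change the lists.
    return lists


def decide(lists, mac, ssid):
    """Return (allowed, deciding_list) for a client MAC trying to use an SSID."""
    mac = norm_mac(mac)
    # Assumption: deny lists are evaluated first; the guide does not state the order.
    if mac in lists.black:
        return False, "static blacklist"
    if mac in lists.ssid_black.get(ssid, ()):
        return False, "SSID blacklist"
    # FAQ rule: an SSID that has its own whitelist is governed by that list alone.
    if lists.ssid_white.get(ssid):
        return mac in lists.ssid_white[ssid], "SSID whitelist"
    # Otherwise the global whitelist applies (assumed enabled when it has entries).
    if lists.white:
        return mac in lists.white, "global whitelist"
    return True, "no list applies"


# Constructed input for the FAQ scenario: three SSIDs, users a-d with made-up MACs.
FAQ_CONFIG = [
    "FS(config)#wids",
    "FS(config-wids)#whitelist mac-address 0000.0000.000a ----->user a, global whitelist",
    "FS(config-wids)#SSID-filter whitelist mac-address 0000.0000.000b in-SSID whitelist1",
    "FS(config-wids)#SSID-filter whitelist mac-address 0000.0000.000c in-SSID whitelist2",
    "FS(config-wids)#whitelist max 1024",
    "FS(config-wids)#exit",
]
SSIDS = ["whitelist1", "whitelist2", "whitelist3"]
USERS = {"a": "0000.0000.000a", "b": "0000.0000.000b",
         "c": "00:00:00:00:00:0C",            # colon form, as a client OS would show it
         "d": "0000.0000.000d"}


def faq_scenario():
    """Which SSIDs can each FAQ user reach?"""
    lists = parse_wids(FAQ_CONFIG)
    return {name: [s for s in SSIDS if decide(lists, mac, s)[0]]
            for name, mac in USERS.items()}


if __name__ == "__main__":
    for name, ssids in faq_scenario().items():
        print(name, ssids)
```

The matrix makes the FAQ's less obvious consequence visible: user a, who is only in the global whitelist, is shut out of every SSID that has its own whitelist.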
Fat AP web configuration based on the global blacklist:
The customer needs to prohibit certain terminals from accessing the wireless network.
Device configuration: Click Security ==》Blacklist and Whitelist, then click to deny MAC addresses from accessing the WiFi Internet, as follows:
[Figure]
Add user list, MAC address format is: 0000.0000.0000, as follows:
[Figure]
Configuration verification: Terminals that are in the blacklist are told that they cannot access when they try to access the wireless system, while terminals added in the whitelist normally access the signal.

5.4.5.3 SSID-based Blacklist and Whitelist Configuration
SSID-based blacklist and whitelist
1. Network requirements
The network controls wireless user access through the SSID-based blacklist and whitelist.
2. Network topology
[Figure: network topology]
3. Configuration points
Configure an SSID-based whitelist (after completing the whitelist configuration, wireless users who are not in the whitelist cannot access the SSID, and can only connect to SSIDs without the whitelist).
Configure an SSID-based blacklist (after completing the blacklist configuration, wireless users in the blacklist cannot access the SSID, and can only connect to SSIDs without the blacklist).
4. Configuration steps
11.X version command:
Configure an SSID-based whitelist:
FS(config)#wids ----->Enter wids configuration mode
FS(config-wids)#SSID-filter whitelist mac-address 1234.1234.1234 in-SSID test ----->Add 1234.1234.1234 as a whitelist entry for the SSID test
FS(config-wids)#SSID-filter whitelist max 100 ----->Adjust the capacity of STAs included in the whitelist of each SSID. Different versions and models support different numbers. Please refer to the actual configuration on the device.
FS(config-wids)#exit Configure an SSID-based blacklist: FS(config)#wids ----->Enter wids configuration mode FS(config-wids)#SSID-filter blacklist mac-address 1234.1234.1236 in-SSID test ----->Configure 1234.1234.1236 to the blacklist entry whose SSID is test FS(config-wids)#SSID-filter blacklist max 100 ----->Adjust the capacity of STAs included in the blacklist of each SSID.Different versions and models support different numbers. Please refer to the actual configuration on the device. FS(config-wids)#exit Save the configuration: FS(config)#end FS#write 5. Configuration verification Test SSID: wireless (whitelist: WLAN1), fstest (blacklist and whitelist not configured: WLAN2) a. Wireless users not in the whitelist cannot access SSID:wireless, but those in the whitelist can access, test MAC: (6809.27b0.169f、 8ca9.829a.b1ea) FS#show wids filter white-mac-in wireless ---Check the MAC under the whitelist ------------------ filter white-mac List Information ------------------ num macSSID 1 6809.27b0.169fwireless FS#show ac-config client by-ap-name ========= show sta status ========= AP : ap name/radio id Status: Speed/Power Save/Work Mode, E = enable power save, D = disable power save Total Sta Num : 2 STA MAC IPV4 Address APWLAN VLAN StatusAsso Auth Net Auth Up time -------------- --------------- --------------------------- ----- ----- ---- ---- -------------- --------- --------- ------------- 6809.27b0.169f 192.168.20.1 649d.99d0.e6fe/1 1 20 58.5M/E/bn WPA2_PSK0:01:42:11 --SSIDs to which whitelist users connect 8ca9.829a.b1ea 192.168.30.1 649d.99d0.e6fe/12 30 0.0M/D/bn WPA2_PSK0:00:00:19 ---SSIDs that other users connect b. 
Wireless users in the blacklist cannot access the wireless network, and those not in the list can access, test MAC: (6809.27b0.169f、 8ca9.829a.b1ea) FS#show wids filter black-mac-in wireless ---Check the MAC under the blacklist ------------------ filter black-mac List Information ------------------ num macSSID 1 6809.27b0.169fwireless FS#show ac-config client by-ap-name ========= show sta status ========= AP : ap name/radio id Status: Speed/Power Save/Work Mode, E = enable power save, D = disable power save Total Sta Num : 2 STA MAC IPV4 Address APWLAN VLAN StatusAsso Auth Net Auth Up time -------------- --------------- ---------------------------------------- ---- ---- -------------- --------- --------- ------------- 6809.27b0.169f 192.168.30.2 649d.99d0.e6fe/1 2 30 58.5M/E/bn WPA2_PSK0:01:42:11 ---Can only connect to the SSID: fstest 8ca9.829a.b1ea 192.168.20.2 649d.99d0.e6fe/11 20 58.5M/D/bn WPA2_PSK0:00:10:24 ----Unlimited users In fit AP mode, configure SSID-based blacklist and whitelist in AC web page SSID-based blacklist as an example: Click to control the wireless user's Internet access based on WiFi, as follows: image.png Select the corresponding WiFi name and add it to the blacklist, as follows: image.png Configuration verification Users added to the blacklist can find wireless signals, but cannot connect to wireless Note: The function of the global whitelist or SSID-based whitelist is the same as that of the global blacklist or SSID-based blacklist, the only differences are as follows: image.png 5.4.5.4 FAQ about Wireless Blacklist and Whitelist maintenance order 1. How to check the existing whitelist on the AC? show wids whitelist image.png 2. How to check the existing blacklist on the AC: show wids blacklist static image.png 3. How to check the whitelist under a certain signal? show wids filter white-mac-in wireless ----> wireless为SSID image.png 4. How to check the blacklist under a certain signal? 
show wids filter black-mac-in wireless ----> wireless is the SSID

FAQ
1. Which has the higher priority, the wireless SSID-based whitelist or the global whitelist?
They take effect at the same time.
If the terminal has joined the SSID-based whitelist, it can access that signal regardless of whether it is in the global whitelist.
If an SSID-based whitelist is configured and the terminal is not in it, but the terminal is in the global whitelist, then it cannot access this SSID, but it can access other signals that have no SSID-based whitelist.
If a terminal is in neither the global whitelist nor an SSID-based whitelist, it cannot access the network.
Suppose there are three wireless signals whitelist1, whitelist2 and whitelist3, and four wireless users a, b, c, and d. User a is in the global whitelist, user b is in the whitelist of whitelist1, user c is in the whitelist of whitelist2, and no whitelist is deployed for whitelist3. Then user a can only connect to whitelist3, user b can only connect to whitelist1, user c can only connect to whitelist2, and user d cannot connect.

2. When a wireless user is online, will it go offline if it is added to the blacklist, or if the whitelist is enabled and the user is not in it?
The Wi-Fi will not be disconnected, and the wireless connection stays normal. However, the user will not be able to access the Internet, the gateway cannot be pinged, and the user cannot connect again after the Wi-Fi is disconnected.

3. Does the wireless device support adding notes to the MAC addresses in the blacklist and whitelist?
It is not supported on the command line, but it is supported on the web management page.

4. How to display the configured blacklist and whitelist?
Display the configured whitelist:
FS#show wids whitelist
---------- Whitelist Information -------------
num  Mac-address
1    0000.0000.0002

Display the configured static blacklist:
FS#show wids blacklist static
------------ Static Blacklist Information -------------
num  Mac-address
1    0000.0000.0001

5. How to configure the dynamic blacklist?
Enable the dynamic blacklist function in WIDS configuration mode. When WIDS detects a flooding attack, the attacking device is dynamically added to the dynamic blacklist. Users can set the lifetime of dynamic blacklist entries through the command line. After the lifetime expires, if the device is not detected again, the entry is cleared from the dynamic list.
FS# configure terminal ----->Enter global configuration mode.
FS(config)# wids ----->Enter WIDS configuration.
FS(config-wids)# dynamic-blacklist enable ----->(Required) Enable the dynamic blacklist function, which is disabled by default.
FS(config-wids)# [no] dynamic-blacklist max NUM ----->(Optional) Configure the length of the dynamic blacklist. The default is 512.
FS(config-wids)# dynamic-blacklist lifetime lifetime ----->(Optional) Configure the lifetime of the dynamic blacklist. The default is 300s.

6. After the whitelist is deployed, how to delete it in batches?
Enter wids mode.
Global whitelist delete command: reset whitelist all
SSID-based whitelist delete command: reset SSID-filter whitelist all

7. What is the number of wireless SSID-based blacklist and whitelist entries?
SSID-based is limited to 256; the office network software version based on SSID is 2048 (requires both AC and AP to use office network and above).

5.4.6 Wireless AP Countermeasure Function

5.4.6.1 Function Introduction and Application Scenarios
1. Function introduction:
Generally, devices in a wireless network are divided into two types: illegal devices (Rogue devices) and legitimate devices.
Rogue devices may have security vulnerabilities or be manipulated by attackers, thus posing a serious threat or harm to the security of the user network. Enabling the countermeasure function on the AP can attack these devices so that other wireless terminals cannot associate with the Rogue device.
2. Application scenarios:
When there are other APs working in the wireless environment, this function can prevent other unknown wireless APs from affecting the security and stability of the wireless network. Other wireless devices may have security loopholes or be manipulated by attackers, thus posing a serious threat or harm to the security of the user network. After using this function, those unknown APs cannot use the wireless network.
Advantages: Enhances the security and stability of the wireless network.
Disadvantages: Consumes device operating resources and requires additional configuration.

5.4.6.2 Configuration Cases
1. Network requirements
A rogue AP appears in the wireless device environment, and the wireless countermeasure function is enabled so that the rogue AP cannot use the wireless network.
2. Network topology
[figure]
3. Configuration points
a. Configure AP working mode
b. Enable countermeasure function
4. Configuration steps
a. Configure the AP working mode as monitor or hybrid
AC(config)#ap-config AP-N505
AC(ap-config)#device mode hybrid
or
AC(ap-config)# device mode monitor
AC(ap-config)#exit
Note: In monitor mode the AP does not provide the wireless hotspot function and is only used for detection; hybrid mode provides both the detection function and the wireless hotspot function, and performance is affected according to the detection interval.

b. Configure Countermeasures and Static Attack List [Must be associated with an SSID]
AC(config)#WLAN-config 5 monitor ----->Configure the WLAN that the countermeasure AP uses to send out a BSSID
AC(config-WLAN)#no enable-broad-SSID ----->Hidden SSID, only used for countermeasures
AC(config-WLAN)#exit
AC(config)#ap-group fanzhi ----->Configure the ap-group that the countermeasure AP calls
AC(config-group)#interface-mapping 5 1 ----->Associate the SSID with a VLAN. This SSID is only used for the AP to send out a BSSID, so the VLAN can be selected at will
AC(config-group)#exit
AC (config)#ap-config AP-N505 ----->Enter AP mode
AC(config-ap)#device mode monitor --->Adjust the AP to monitor mode. Only APs in the monitor and hybrid states support countermeasures, and the default is normal
AC(config-ap)#scan-channels 802.11b channels 1 2 3 4 5 6 7 8 9 10 11 12 13 --->Channels that need to be countered
AC(config-ap)#scan-channels 802.11a channels 149 153 157 161 165 --->Channels that need to be countered
AC(config-ap)#ap-group fanzhi --->The radio frequency card of the device must call the ap-group to let the AP send out signals. This signal can be configured to hide the SSID
AC(config-ap)#exit
AC (config)#wids ----->Enter wids mode
AC (config-wids)#countermeasure enable ----->Enable countermeasure
AC(config-wids)#countermeasures channel-match ----->Use the channel-based countermeasure mode. The AP can counter on each channel. countermeasures enable must be configured first.
AC (config-wids)#countermeasures mode config ----->Countermeasures mode is config
AC (config-wids)#device attack mac-address 061b.b120.700c ----->Add a static attack list entry. 061b.b120.700c is the BSSID of the illegal AP; the BSSID of the rogue AP can be obtained with a wireless scanning tool such as WirelessMon
AC(config-wids)#exit

c. Save the configuration
AC(config)#end
AC#write

Explanation of countermeasures mode:
SSID: Countermeasures mode SSID information. Counter the AP that sends out the same SSID as the AC, and counter the detected SSID that is not under the same AC.
adhoc: Countermeasures mode adhoc information. Counter hotspot networks (the ad hoc network needs to be created with a mobile phone; one created by a computer can be detected but cannot be countered). Only detected adhoc devices will be countered.
config: Countermeasures mode config information. Counter the APs in the manually configured attack list. Only the devices configured in the static attack list will be countered.
rogue: Countermeasures mode rogue information. Counter all detected APs that are not in the legal AP list (view with show wids detected rogue ap). Only detected rogue devices will be countered.
When there are many third-party APs in the environment, it is recommended to use SSID mode.

The countermeasures modes are configured as follows:
FS(config-wids)#countermeasure mode { config | SSID | adhoc | rogue} ----->Configure countermeasures mode, the default is none.

Optional configuration (can be set for testing when the countermeasure is ineffective or performs poorly):
a. Unknown STA detection function (unicast countermeasure)
FS#configure terminal
FS(config)#wids
FS(config-wids)#device unknown-sta dynamic-enable ----->Enable the unknown STA detection function. You need to enable the countermeasure function and configure the countermeasure mode first
FS(config-wids)#device unknown-sta mac-address 1234.1234.1234 ----->Manually configure the list of unknown STAs
FS(config-wids)#exit

b. Configure the permit device
FS#configure terminal
FS(config)#wids
FS(config-wids)# device permit mac-address 1234.1234.1236 ----->Configure 1234.1234.1236 as a permitted MAC entry
FS(config-wids)# device permit SSID test ----->Configure test as a permitted SSID entry
FS(config-wids)# device permit vendor bSSID 1234.1234.1236 ----->Configure 1234.1234.1236 as a permitted manufacturer entry. Only the first three bytes of the address are valid for a permitted manufacturer entry
FS(config-wids)#exit

c. Configure Rogue device countermeasure parameters
FS#configure terminal
FS(config)#wids
FS(config-wids)#countermeasures interval 2000 ----->Configure the Rogue device countermeasure period as 2000ms
FS(config-wids)#countermeasures ap-max 256 --->Configure the maximum number of devices countered in each countermeasure cycle. The default is 30, and the configurable range is 1~256
FS(config-wids)#countermeasures rssi-min 20 --->With a countermeasure threshold this low, the AP will counter basically all surrounding equipment that is not ours. It is recommended not to set this value too small. The default is 25
FS(config-wids)#device detected-ap-max 100 --->Configure the maximum length of the list of APs detected by scanning. The default is 2048. If the value is too small, too little data is detected on the AP and the countermeasure function may not be effective. The larger the value, the more memory is required.
FS(config-wids)#device aging duration 1000 --->Configure the detection device timeout. The default is 1200s. The configurable range is 500~5000s
FS(config-wids)#exit

d. Save the configuration
FS(config)#end
FS#write

e. Configuration verification
Connect a wireless user to the rogue AP and check whether there is disconnection or packet loss.

5.4.6.3 FAQ

Maintenance commands
1. After the countermeasure is enabled, will our AP's own signal be countered? How to check the countermeasures?
Our company's devices in fit (thin) mode will not be countered. There is a friendly flag in the beacon frame that is used to judge whether an AP is a friendly AP. If the APs are all associated with our company's AC, this flag is the same by default and they will not counter each other; if the flag is modified so that it differs, APs under our own AC can be made to counter each other. By default, the flag bits of our company's APs are the same, and they will not be considered rogue APs. Fat mode will be countered.
The friendly flag configuration method is as follows: [screenshot]
The signal of your own device will not be countered. show wids detected all displays all the detected signals, including rogue APs and friendly APs; being listed there does not mean that a signal is countered. Use the following command to check the corresponding countermeasure AP information:
FS#sh wids detected rogue ?
adhoc-ap   WLAN WIDS detected rogue adhoc-ap information
ap         WLAN WIDS detected rogue ap information
client     WLAN WIDS detected rogue client information
config-ap  WLAN WIDS detected rogue config-ap information
SSID-ap    WLAN WIDS detected rogue SSID-ap information
Filter the countered devices you want to check according to the type.
2. Check rogue APs
Use show wids detected rogue ap
3. Check the SSIDs in the wireless environment
Use show wids detected all

FAQ
1. How often does the AP-N505 in hybrid mode perform Rogue device detection by default?
3s for Rogue device detection.
2. How to optimize the effect of wireless countermeasures when it is not obvious?
a. Confirm co-channel counter or specified channel counter
When the countermeasure effect is not obvious, confirm whether the illegal AP and the legitimate AP use the same channel.
If the channels are different, you can configure the same channel, or specify the scan channel (scan-channels 802.11b channels NUM1 NUM2 in ap-config mode) and enable channel matching for the specified channel (countermeasures channel-match in wids mode).
b. Countermeasure interval
The countermeasure interval can also be shortened (one countermeasure is 1s by default). You can configure countermeasures interval 100 in wids mode, that is, one countermeasure every 100ms.
c. Unicast countermeasure
If the effect is still not obvious, you can enable unicast countermeasures: configure device unknown-sta dynamic-enable in wids mode, and use show wids unknown-sta to confirm whether there is an STA MAC to be countered, or manually configure the STA MAC to counter (device unknown-sta mac-address H.H.H).
[When unknown STA learning is enabled, the AP learns the nearby terminals and uses the bSSID of the rogue AP to send counter packets to these STAs during countermeasures. Since some STAs process countermeasure packets sent by non-associated bSSIDs, resulting in packet loss or disconnection, please use with caution.]
d. Maximum number of countermeasures
By default, the device can counter up to 30 Rogue APs. If more than 30 Rogue APs are to be countered, the maximum number of countered APs must be increased: in wids mode, configure countermeasures ap-max NUM (the value of NUM is 1~256).
e. Minimum signal strength of countermeasures
When the countermeasure mode is configured as Rogue mode, by default only Rogue APs whose signal strength is greater than 25dBm are countered. If you want to counter APs whose RSSI is less than 25dBm, you need to configure countermeasures rssi-min NUM in wids mode (the value of NUM is between 0~75, corresponding to negative RSSI values -95 ~ -20).
[Because in rogue mode the AP counters all scanned APs that are not in the friendly list, please use it with caution.]

3. How to achieve the best effect when testing illegal AP countermeasures?
Recommended solution for the illegal AP countermeasure test: the AP uses monitor mode, the countermeasure cycle is adjusted to the minimum, and the channel of the countermeasure AP is the same as that of the illegal AP. Add the bSSID of the illegal AP to the static attack list, and test with several terminals at the same time, because different network cards react differently to countermeasures.
Configure the duration of the countermeasure cycle:
(config)# wids
(config-wids)#countermeasures interval XXX
Configure the static attack list:
(config-wids)#device attack mac-address H.H.H

4. Does the wireless AC AP support countermeasures based on Chinese SSID?
Not supported in all currently released versions.

5.4.6.4 Fault Case
Fault case:
1. Fault phenomenon
Building 12 in the old campus cannot be associated with the WLAN12 SSID. Users associated with this SSID on China Unicom often get disconnected and cannot access the Internet normally.
On-site problem finding: After going to the dormitory with poor customer experience, we found that after we connected to the SSID of China Unicom, the SSID displayed on the computer disappeared from time to time, ping packets were severely lost, and the connection was often dropped.
2. Possible cause of fault
Disconnects caused by AP countermeasures
3. Processing steps
On-site, we used a professional tool (OmniPeek) to capture packets in the corridor on the second floor, and found a large number of Deauth packets (as shown in Figure 1). Through positioning, we found the AP (MAC: 649d.99d0.203b) broadcasting the Deauth messages, and found that the AP is from China Unicom. After searching on the AC, it was found that a smart split AP is deployed at this location, covering 6 surrounding rooms.
However, the log information on the AP shows that the AP did not send any de-authentication packets, so it can be ruled out that the AP sent illegal de-authentication packets to the user. After the above analysis, it is preliminarily judged that there are rogue APs pretending to be Unicom APs and sending illegal disassociation and deauthentication packets to normally associated users (as shown in Figure 2). Comparing the signal strength of the packets transmitted under the AP's address (as shown in Figure 3), the signal strength of the normal data packets is about 26%, while that of the deauthentication packets is 100%. This confirms that a rogue AP pretends to be a Unicom AP and broadcasts deauthentication messages to the Unicom clients. According to the signal strength, it can be judged that the rogue AP is relatively close to the test location, resulting in frequent disconnection of users within the coverage area of the AP and the inability to use WLAN services normally.

Figure 1: A large number of Deauth packets
Figure 2: Rogue AP pretends to be a Unicom MAC address and broadcasts deauthentication packets
Figure 3: The signal strength of normal data packets is lower than that of Deauth packets

4. Fault information collection
The specific location of the rogue AP
By checking the on-site wireless environment, it was found that there is an AP of another operator near the test point, and the data light of this AP flashes very fast, indicating that a large amount of data is being sent. The preliminary suspicion is that this AP is the rogue AP.
For further verification, relevant personnel were coordinated to power off the AP, and packets were then captured on the on-site wireless air interface. The proportion of disassociation packets dropped immediately (as shown in Figure 4) from the original 0.239% to 0.031%.
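The signal-strength comparison used in the processing steps above can be run over an exported capture to find transmitter addresses whose deauthentication frames do not match their own data frames. The Python below is an added example, not part of the FS documentation; the Frame record layout, the thresholds and the second AP address are assumptions, and the sample frames are constructed to mirror the 26% and 100% readings of the fault case.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

TEARDOWN = {"deauth", "disassoc"}   # management frames that drop a client
UNICOM_AP = "649d.99d0.203b"        # AP MAC named in the fault case
OTHER_AP = "0200.0000.00aa"         # constructed address for a second AP


@dataclass(frozen=True)
class Frame:
    subtype: str        # "data", "beacon", "deauth" or "disassoc"
    transmitter: str    # transmitter address claimed in the 802.11 header
    signal_pct: int     # receive signal strength reported by the capture tool


def teardown_ratio(frames):
    """Share of deauth/disassoc frames in the capture, as a percentage."""
    if not frames:
        return 0.0
    hits = sum(1 for f in frames if f.subtype in TEARDOWN)
    return 100.0 * hits / len(frames)


def spoof_suspects(frames, min_gap_pct=30, min_teardown=5):
    """Return {address: (median data signal, median teardown signal, count)}
    for addresses whose teardown frames arrive at a very different level
    than the data/beacon frames sent under the same address. A real AP is
    one radio in one place, so both frame kinds should look alike."""
    normal = defaultdict(list)
    teardown = defaultdict(list)
    for f in frames:
        bucket = teardown if f.subtype in TEARDOWN else normal
        bucket[f.transmitter].append(f.signal_pct)

    suspects = {}
    for addr, levels in teardown.items():
        if len(levels) < min_teardown or addr not in normal:
            continue  # too few frames, or no baseline to compare against
        base, seen = median(normal[addr]), median(levels)
        if abs(seen - base) >= min_gap_pct:
            suspects[addr] = (base, seen, len(levels))
    return suspects


def sample_capture():
    """Constructed capture: the Unicom AP's data frames at about 26% with
    deauth frames under the same address at 100%, plus a second AP whose
    own deauth frames match its data frames."""
    frames = [Frame("data", UNICOM_AP, 24 + i % 5) for i in range(400)]
    frames += [Frame("deauth", UNICOM_AP, 100) for _ in range(12)]
    frames += [Frame("data", OTHER_AP, 60) for _ in range(200)]
    frames += [Frame("deauth", OTHER_AP, 58) for _ in range(6)]
    return frames


if __name__ == "__main__":
    capture = sample_capture()
    print(f"teardown frames: {teardown_ratio(capture):.2f}% of capture")
    for addr, (base, seen, count) in spoof_suspects(capture).items():
        print(f"{addr}: {count} teardown frames at {seen:.0f}% "
              f"vs data frames at {base:.0f}%")
```

Running teardown_ratio on captures taken before and after a suspected device is powered off gives the same before/after comparison the fault case uses.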
Figure 4: few disassociation packets after powering off rogue AP

At this time, user association is normal, ping packets are not lost, and the WLAN service works normally. When the operator's equipment is restored, the Unicom user reproduces the previous fault. Therefore, it can be determined that the operator's AP is a rogue AP.
Through the above analysis, it can be determined that the operator's AP has enabled the AP countermeasure function.

5.4.7 Wireless Hidden SSID Function
1. Function introduction and application scenarios
a. Function introduction:
In a wireless network, the AP periodically broadcasts SSID information to announce the existence of the wireless network, and wireless users can use the wireless network card to search for the wireless network. To prevent the wireless network from being found by illegal users through the SSID and an illegal connection from being established, you can disable the AP from broadcasting the SSID and hide the wireless SSID.
b. Application scenarios
This function can be used to only allow some clients to use the wireless network, and prevent other users from searching for wireless information.
Advantage: high concealment and security of wireless networks.
Disadvantage: Need to manually enter the wireless SSID.

2. Configuration cases
a. Network requirements
Hide the SSID of the wireless network; the SSID must be added manually to associate successfully.
b. Network topology
[figure]
c. Configuration points
Adjust SSID mode to non-broadcast mode
d. Configuration steps
Fit mode (configured on AC):
Adjust SSID mode to non-broadcast mode
FS(config)#WLAN-config 1 FS.COM
FS(config-WLAN)#no enable-broad-SSID ----->Turn off broadcast SSID
FS(config-WLAN)#exit
Save the configuration
FS(config)#end
FS#write

Fat mode:
Adjust SSID mode to non-broadcast mode
FS(config)#dot11 WLAN 1
FS(dot11-WLAN-config)#no broadcast-SSID ----->Turn off broadcast SSID
FS(dot11-WLAN-config)#exit
Save the configuration
FS(config)#end
FS#write

e. Configuration verification
The SSID cannot be found on the client. Log in to the AP and confirm the BSSID used by the RF card through show dot11 mbSSID, and use WirelessMon software to check whether the SSID whose MAC is the BSSID of the AP is empty.

5.5 Speed Limit Function

5.5.1 Fat Mode Speed Limit
Function introduction
Users can restrict a flow to only the portion of resources promised to it based on actual network conditions, preventing network congestion caused by excessive bursts of traffic.

Configuration Cases
1. Network requirements
Speed limit for wireless clients.
2. Network topology
[figure]
3. Configuration Steps:
Speed limit command based on the entire AP
FS(config)#WLAN-qos ap-based { per-user-limit | total-user-limit } { down-streams | up-streams } average-data-rate average-data-rate burst-data-rate burst-data-rate
per-user-limit: Limit the rate of each user on the AP
total-user-limit: Limit the speed of the total AP
down-streams: Indicates setting the downlink flow rate limit parameters of the AP
up-streams: Indicates setting the uplink flow rate limit parameters of the AP
average-data-rate: Indicates setting the average rate limit, the unit is 8Kbps, and the range is 8-261120
burst-data-rate: Indicates setting the burst rate limit, the unit is 8Kbps, and the range is 8-261120
Example: Set the average downlink rate of each user on the AP to 800KB/s, and the burst rate to 1600KB/s.
FS(config)#WLAN-qos ap-based per-user-limit down-streams average-data-rate 800 burst-data-rate 1600

Speed limit command based on SSID
FS(config)#WLAN-qos WLAN-based {WLAN-id | SSID } { per-user-limit | total-user-limit } { down-streams | up-streams } average-data-rate average-data-rate burst-data-rate burst-data-rate
per-user-limit: Rate limit for each user on the WLAN/SSID
total-user-limit: Speed limit for the total WLAN/SSID
down-streams: Indicates setting the downlink flow rate limit parameter of the WLAN/SSID
up-streams: Indicates setting the uplink flow rate limit parameter of the WLAN/SSID
average-data-rate: Indicates setting the average rate limit, the unit is 8Kbps, and the range is 8-261120
burst-data-rate: Indicates setting the burst rate limit, the unit is 8Kbps, and the range is 8-261120
Example: Set the average downlink rate of each user on the WLAN/SSID to 800KB/s, and the burst rate to 1600KB/s.
FS(config)#WLAN-qos WLAN-based per-user-limit down-streams average-data-rate 800 burst-data-rate 1600

Speed limit command based on an individual user
FS(config)#WLAN-qos netuser mac-address { inbound | outbound } average-data-rate average-data-rate burst-data-rate burst-data-rate
mac-address: Indicates the user MAC address that needs to be set
inbound: Indicates setting the user's uplink flow rate limit parameters
outbound: Indicates setting the user's downlink flow rate limit parameters
average-data-rate: Indicates setting the average rate limit, the unit is 8Kbps, and the range is 8-261120
burst-data-rate: Indicates setting the burst rate limit, the unit is 8Kbps, and the range is 8-261120
Example: Set the average uplink rate of user 0000.0000.0001 to 800KB/s, and the burst rate to 1600KB/s
FS(config)#WLAN-qos netuser 0000.0000.0001 inbound average-data-rate 800 burst-data-rate 1600

Save the configuration
FS(config)#end
FS#write

4. Configuration verification
a. Use the terminal to connect to the wireless network and test a download
b. Use FS#show dot11 ratelimit to display the related QoS information

FS#show dot11 ratelimit WLAN ---->Indicates to display the speed limit information of all WLANs.
WLAN Id  TT_up-a-rt  TT_up-b-rt  TT_dw-a-rt  TT_dw-b-rt  PU-up-a-rt  PU-up-b-rt  PU-dw-a-rt  PU-dw-b-rt  PA_up-a-rt  PA_up-b-rt  PA_dw-a-rt  PA_dw-b-rt
-------  ----------  ----------  ----------  ----------  ----------  ----------  ----------  ----------  ----------  ----------  ----------  ----------
1        0           0           0           0           0           0           800         1600        0           0           0           0

FS#show dot11 ratelimit user ---->Indicates to display the speed limit information of all users
MAC Address     up-a-rate     up-b-rate     down-a-rate   down-b-rate
--------------  ------------  ------------  ------------  ------------
0000.0000.0001  800           1600          0             0

FS#show dot11 ratelimit ap ---->Indicates to display the speed limit information of all APs
AP name :test123, ratelimit info(unit :8kbps):
Uplink : average rate - 0 , burst rate - 0
Downlink: average rate - 800 , burst rate - 1600
Total-user-limit:
Uplink : average rate - 0 , burst rate - 0
Downlink: average rate - 0 , burst rate - 0

Web configuration method:
Click Config > Wireless to add a wireless network, and find the WiFi that needs a speed limit. Click advanced settings.
After clicking the advanced settings, the page will expand. Find the rate limit option, and click to set the maximum speed of this WiFi.
After clicking to set the maximum rate of this WiFi, a configuration box will pop up. Enter the maximum downlink and uplink rate that needs to be limited for each terminal.
After clicking Save settings, the speed limit configuration is successful.
Note: When performing WiFi speed limit configuration, the numerical unit is B (the download rate displayed when the actual terminal downloads). The speed limit unit displayed on the device is b, and the conversion between B and b is as follows: 800kB/s * 8 = 6400kb/s.

5.5.2 Fit Mode Speed Limit
1. Function introduction and application scenarios
Application scenarios:
The main function of wireless speed limit is to limit the bandwidth occupied by wireless users to achieve reasonable bandwidth use. In actual application scenarios, bandwidth control can be used to prevent individual users from preempting too much bandwidth and affecting the normal network use of other users. For example, in campus network applications, individual users will use the P2P protocol to download. Limiting the speed prevents such a user from occupying too much bandwidth and causing other users to be unable to access the Internet normally.
At the same time, bandwidth control can be used to give priority to the bandwidth usage of advanced users. Take the bank scenario as an example. In the bank, different WLANs can be divided, one for internal employees and one for bank customers. Different speed limit values are configured according to priority, so as to ensure that in the scenario of bandwidth congestion, the wireless work of internal employees is not affected.
Function introduction:
According to the scope of bandwidth control, wireless speed limit can be divided into:
WLAN-based speed limit (also called SSID-based speed limit, configured in WLAN-config):
WLAN-based speed limit means that the speed limit range is based on WLAN. There are three strategies for WLAN speed limit:
a. WLAN-based total-user: You can configure the total uplink and downlink bandwidth of a specified WLAN. When this strategy takes effect, the total bandwidth of all users belonging to this WLAN on the AC cannot exceed the configured rated rate.
b. WLAN-based per-user: You can configure the uplink and downlink bandwidths of all users of a specified WLAN. When this strategy takes effect, the bandwidth of each user associated with this WLAN on all APs cannot exceed the configured rated rate.
c. WLAN-based per-ap: You can configure the total uplink and downlink bandwidth of a specified WLAN for each AP.
When this strategy takes effect, the total bandwidth of all users associated with this WLAN on each AP cannot exceed the configured rated rate in units of APs.
AP-based speed limit (configured in AP-config):
AP-based speed limit refers to the range of speed limit in units of APs. There are two strategies for AP speed limit:
a. ap-based total-user: You can configure the total uplink and downlink bandwidth of a specified AP. When this strategy takes effect, the total bandwidth of all users associated with the AP cannot exceed the configured rated rate.
b. ap-based per-user: You can configure the uplink and downlink bandwidths of all users of the specified AP. When this strategy takes effect, the bandwidth of each user associated with the AP cannot exceed the configured rated rate.
Per-user-based speed limit (configured in ac-controller mode):
User-based can specify a rated rate for individual users. Unlike the WLAN-based and ap-based per-user limits, the rated rate only takes effect for this user.
At the same time, in order to facilitate the use of network management, the speed limit also has adaptive bandwidth control.

2. Configuration example of command line speed limit
a. Network requirements
Speed limit can be applied to wireless centralized forwarding, local forwarding and fat AP scenarios to control the user's uplink and downlink bandwidth.
b. Network topology
[figure]
c. Configuration points
  a. Configure the rate limit for each user of WLAN1 on the AC as the average uplink and downlink rate of 100KB, and the burst rate of 200KB
  b. Configure WLAN2's per-ap uplink and downlink average speed limit on the AC to 1000KB, and burst rate to 1000KB
  c. Configure the average uplink and downlink speed limit of STA3 on the AC to be 300 KB, and the burst rate to be 400 KB
  d. Configure the average uplink and downlink rate of the AP's total bandwidth to be 2000 KB on the AC, and the burst rate to be 2000 KB
d. Configuration steps
Configure on the AC

Configure the rate limit for each user of WLAN1 on the AC so that the average uplink and downlink flow is 100KB
FS#configure terminal
FS(config)#WLAN-config 1
FS(config-WLAN)# WLAN-based per-user-limit up-streams average-data-rate 100 burst-data-rate 200 ----->Configure uplink
FS(config-WLAN)# WLAN-based per-user-limit down-streams average-data-rate 100 burst-data-rate 200 ----->Configure downlink
FS(config-WLAN)#end

Configure the per-ap uplink and downlink speed limit of WLAN2 on the AC to be 1000 KB
FS#configure terminal
FS(config)#WLAN-config 2
FS(config-WLAN)# WLAN-based per-ap-limit up-streams average-data-rate 1000 burst-data-rate 1000
FS(config-WLAN)# WLAN-based per-ap-limit down-streams average-data-rate 1000 burst-data-rate 1000
FS(config-WLAN)#end

Configure the average uplink and downlink speed limit of STA3 on the AC to be 300 KB, and the burst rate to be 400 KB
FS#configure terminal
FS(config)#ac-controller
FS(config-ac)#netuser 3333.3333.3333 inbound average-data-rate 300 burst-data-rate 400 ----->Suppose the MAC address of the STA is 3333.3333.3333. Configure uplink
FS(config-ac)#netuser 3333.3333.3333 outbound average-data-rate 300 burst-data-rate 400 ----->Configure downlink
FS(config-ac)#end

Configure the average uplink and downlink rate of the total bandwidth of AP1 on the AC to be 2000 KB, and the burst rate to be 2000 KB
FS#configure terminal
FS(config)#ap-config AP1
FS(config-ap)#ap-based total-user-limit up-streams average-data-rate 2000 burst-data-rate 2000
FS(config-ap)#ap-based total-user-limit down-streams average-data-rate 2000 burst-data-rate 2000
FS(config-ap)#end

Save the configuration
FS#write -----> Confirm that the configuration is correct and save the configuration

3. Precautions
a. WLAN-based per-user rate limit, ap-based per-user rate limit and netuser rate limit are all for STA.
If rate limit is configured for the same direction, the effective priority is as follows:
1) Netuser speed limit takes effect; if not configured, select 2)
2) WLAN-based per-user speed limit takes effect; if not configured, select 3)
3) ap-based per-user speed limit takes effect
When WLAN-based per-ap, ap-based total-user, and netuser rate limits are configured at the same time, the final rate limit result is the effect of these three rate limits taking effect at the same time.
For example, taking the above topology as an example, the configuration is as follows. At the same time, configure the ap-based per-user uplink speed limit of AP1, the WLAN-based uplink speed limit of WLAN1, and the netuser uplink speed limit of STA1 (assuming the MAC address is 1111.1111.1111). Then STA1 only uses netuser's uplink speed limit, the average speed is 300KB, and the burst speed is 300KB.
FS#configure terminal
FS(config)#WLAN-config 1
FS(config-WLAN)# WLAN-based per-user-limit up-streams average-data-rate 100 burst-data-rate 100 ----->Configure uplink
FS(config-WLAN)#exit
FS(config)#ap-config AP1
FS(config-ap)#ap-based per-user-limit up-streams average-data-rate 200 burst-data-rate 200
FS(config-ap)#exit
FS(config)#ac-controller
FS(config-ac)#netuser 1111.1111.1111 inbound average-data-rate 300 burst-data-rate 300 ----->Configure uplink
FS(config-ac)#exit
b. WLAN-based total-user rate limit, ap-based total-user rate limit, and netuser rate limit have different scopes and can take effect separately.

4. Save the configuration
Taking the configuration in step 5 as an example, in actual application, the average rate of STA1 and STA2 will not exceed 100 KBps, and the average rate of STA3 will not exceed 300 KBps for file download. The combined total bandwidth of STA3 and STA4 will not exceed 1000KBps.
a. Web rate limit configuration case
Click Config > WLAN > Add WiFi.
Find the wireless signal that needs speed limit, click the rate limit option on the right side of the corresponding list, and configure it in the pop-up configuration box.

Note: When WiFi speed limit is configured, the value unit is B (the download rate displayed when the actual terminal downloads). For example, after the computer is connected to the wireless network, the maximum download speed needs to be limited to 800 KB/s, and the upload speed to 400 KB/s. This means entering a value of 800 in the limit download, and a value of 400 in the limit upload.

5.5.3 FAQ about Wireless Speed Limit

Maintenance commands

1. How to Check the Speed Limit Configuration of WLAN?

Assume that the configuration of the AC is as follows:

WLAN-config 1 fs
WLAN-based per-user-limit down-streams average-data-rate 10 burst-data-rate 10

Checking method (AC is the same as AP):

FS#show dot11 ratelimit WLAN
WLAN Id  total_up-a-rate  total_up-b-rate  total_down-a-rate  total_down-b-rate  all_up-a-rate  all_up-b-rate  all_down-a-rate  all_down-b-rate
-------  ---------------  ---------------  -----------------  -----------------  -------------  -------------  ---------------  ---------------
1        0                0                0                  0                  0              0              10               10

Command description:

show dot11 ratelimit {WLAN | ap | user }

WLAN: Indicates to display the speed limit information of all WLANs.
ap: Indicates to display the speed limit information of all APs.
user: Indicates to display the speed limit information of all users.

2. How to check the speed limit information of all users:

FS#show dot11 ratelimit user
MAC Address     up-a-rate  up-b-rate  down-a-rate  down-b-rate
--------------  ---------  ---------  -----------  -----------
0000.0000.0001  800        1600       0            0

3.
How to check the speed limit information of all APs:

FS#show dot11 ratelimit ap
AP name :test123, ratelimit info(unit :8kbps):
Uplink : average rate - 0 , burst rate - 0
Downlink: average rate - 800 , burst rate - 1600
Total-user-limit:
Uplink : average rate - 0 , burst rate - 0
Downlink: average rate - 0 , burst rate - 0

FAQ

1. What is the unit of the speed value in the speed limit command?

For example, to configure a download rate of 80 Kbps (each unit represents 8 Kbps):

FS(config-wlan)#wlan-based per-user-limit down-streams average-data-rate 10 burst-data-rate 10

2. Does the wireless speed limit need to be enabled with a command?

It is enabled by default and does not need to be configured repeatedly. Command to disable it in fit mode:

FS(config)#WLAN-config 1
FS(config-WLAN)#no enable-qos

3. User speed limit priority ranking.

For the same user, the priorities of the three speed limit configurations in the same direction (uplink or downlink) from low to high are: ap-based, WLAN-based, user-based.

4. Notes on speed limit in local forwarding mode.

In the local forwarding mode, the traffic from STA to STA can only be limited in the download direction, but not in the upload direction. The reason is that in the local forwarding mode, STA-to-STA traffic passes through the fast-forwarding path only once, so it can only be limited in one direction.

5. Is it possible to implement WLAN-based rate limiting for all users in local forwarding?

No. The WLAN-based rate limit for all users, that is, the rate limit configured by the WLAN-based total-user-limit command, is implemented on the AC, so it can only be applied to WLANs that use centralized forwarding.

6. There are multiple WLANs configured with the same SSID on the AC, so what are the precautions for WLAN-based per-user rate limit?

The WLAN-based per-user rate limit is the rate limit configured by the command WLAN-based per-user-limit. It is delivered to the AP based on the SSID.
Therefore, when multiple WLANs with the same SSID are configured on the AC, if different WLAN-based per-user rate limits are configured for these WLANs, these different rate limit configurations may overwrite each other on an AP, and only one of them will take effect in the end (the one delivered later will take effect). Since it is common practice to configure multiple WLANs with the same SSID, if you want to configure WLAN-based per-user rate limiting for these WLANs, it is best to configure the same direction and rate limit configuration.

7. Does the AP support multiple speed limits?

Multiple speed limits are supported. When WLAN-based per-ap, ap-based total-user, and netuser speed limits are configured at the same time, the final speed limit result will be the effect of these three speed limits taking effect at the same time.

8. Limitation of ap-based rate limit on the AC.

The ap-based rate limit on the AC supports ap-config all mode and ap-config ap-name single ap mode. Here it is considered that the ap-based rate limit of ap-config name has higher priority than ap-config all. If the ap-based rate limit of ap-config name is not configured, the ap-based rate limit of ap-config all will be applied to the AP. Therefore, when configuring the ap-based rate limit of ap-config all, it will not overwrite the ap-based rate limit that has been configured with ap-config ap-name, and will only be delivered to all online APs that have not configured ap-based rate limit separately. At the same time, the ap-based rate limit configuration will only be saved in the ap-config all mode, and will not be saved in the respective ap-config ap-name modes.

When it is deleted with the no command, the ap-based speed limit no operation of ap-config all will only be sent to all online ap-based speed limit configurations. At the same time, only the ap-based speed limit configuration in ap-config all mode will be removed, and the ap-based configuration in ap-config ap-name mode will not be affected.
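The precedence rules from the precautions and from FAQ items 1, 3, 6 and 8 above can be checked offline before a change is pushed to the AC. The following Python sketch is an added example, not FS code: the data model, the function names and the sample values are constructed for illustration, and it assumes that precedence is evaluated separately for each direction.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNIT_KBPS = 8  # FAQ 1: one configured unit is 8 Kbps, i.e. 1 KB/s


@dataclass(frozen=True)
class Limit:
    average: int  # average-data-rate value as typed on the CLI
    burst: int    # burst-data-rate value as typed on the CLI

    def kbps(self) -> Tuple[int, int]:
        """Convert the configured units to Kbps."""
        return self.average * UNIT_KBPS, self.burst * UNIT_KBPS


Limits = Dict[str, Limit]  # direction ("up" or "down") -> Limit


@dataclass
class Wlan:
    ssid: str
    per_user: Limits  # WLAN-based per-user-limit, per direction


def resolve_sta_limit(mac: str, wlan_id: int, ap_name: str, direction: str,
                      netusers: Dict[str, Limits], wlans: Dict[int, Wlan],
                      ap_per_user: Dict[str, Limits]) -> Optional[Tuple[str, Limit]]:
    """Return (source, Limit) that applies to one STA in one direction.

    Order, highest first: netuser, WLAN-based per-user, ap-based per-user of
    the named AP, ap-based per-user of "ap-config all". Evaluating this per
    direction is an assumption of the sketch. None means no per-STA limit.
    """
    wlan = wlans.get(wlan_id)
    candidates = [
        ("netuser", netusers.get(mac, {})),
        ("wlan-based per-user", wlan.per_user if wlan else {}),
        ("ap-based per-user (" + ap_name + ")", ap_per_user.get(ap_name, {})),
        ("ap-based per-user (ap-config all)", ap_per_user.get("all", {})),
    ]
    for source, limits in candidates:
        if direction in limits:
            return source, limits[direction]
    return None


def same_ssid_conflicts(wlans: Dict[int, Wlan]) -> List[Tuple[str, str, List[int]]]:
    """Find WLANs that share an SSID but carry different per-user limits.

    FAQ 6: such limits are delivered to the AP by SSID and may overwrite each
    other, so every hit is a configuration to align. Only limits that are
    actually configured are compared.
    """
    by_ssid: Dict[str, List[int]] = {}
    for wlan_id, wlan in wlans.items():
        by_ssid.setdefault(wlan.ssid, []).append(wlan_id)
    findings = []
    for ssid, ids in sorted(by_ssid.items()):
        for direction in ("up", "down"):
            configured = {wlans[i].per_user[direction]
                          for i in ids if direction in wlans[i].per_user}
            if len(configured) > 1:
                findings.append((ssid, direction, sorted(ids)))
    return findings


# Constructed sample data. The first three uplink values mirror the example in
# the precautions; SSIDs, WLAN 2/3 and "ap-config all" are made up.
NETUSERS = {"1111.1111.1111": {"up": Limit(300, 300)}}
WLANS = {
    1: Wlan("office", {"up": Limit(100, 100), "down": Limit(100, 200)}),
    2: Wlan("office", {"down": Limit(50, 50)}),
    3: Wlan("guest", {}),
}
AP_PER_USER = {
    "AP1": {"up": Limit(200, 200)},
    "all": {"up": Limit(400, 400), "down": Limit(400, 400)},
}

if __name__ == "__main__":
    for mac, wlan_id, ap in [("1111.1111.1111", 1, "AP1"),
                             ("2222.2222.2222", 1, "AP1"),
                             ("2222.2222.2222", 3, "AP1"),
                             ("2222.2222.2222", 3, "AP2")]:
        hit = resolve_sta_limit(mac, wlan_id, ap, "up",
                                NETUSERS, WLANS, AP_PER_USER)
        source, limit = hit if hit else ("none", None)
        print(mac, "WLAN", wlan_id, ap, "->", source,
              limit.kbps() if limit else "unlimited")
    for ssid, direction, ids in same_ssid_conflicts(WLANS):
        print("conflict: SSID", ssid, direction, "WLANs", ids)
```
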
9. Which speed limit mode has the higher priority when configuring speed limit on the AC?

There are multiple speed limit modes based on AP, STA and WLAN on the AC. The details are as follows:

a. WLAN-based per-user-limit, WLAN-based per-ap-limit intelligent, ap-based per-user-limit, ap-based total-limit intelligent, netuser. These five rate limits are all applied to STAs, but only one of the STA rate limits can be active at a time. The priorities are as follows: netuser is higher than WLAN-based per-ap-limit intelligent, which is higher than WLAN-based per-user-limit, which is higher than ap-based total-limit intelligent, which is higher than ap-based per-user-limit.

b. WLAN-based total-limit, WLAN-based per-ap-limit, ap-based total-limit and STA speed limit can take effect at the same time because they act on different objects, and there is no priority.

10. Is there a limit to the number of wireless STA-based speed limits?

Unlimited, same as the number of users that can be connected.

Parameter adjustment

1. Does the AP support intelligent rate limiting?

Intelligent speed limit is supported. After WLAN-based per-ap or ap-based total-user intelligent speed limit is configured, the AP will intelligently distribute the total speed limit to all online users according to the situation of online users.

Related commands:

WLAN-based per-ap-limit { down-streams | up-streams } intelligent
ap-based total-user-limit { down-streams | up-streams } intelligent

Configuration method:

When configuring intelligent speed limit in a certain range, the total speed limit in this range needs to be configured first. Currently, there are two ranges that support intelligent speed limit:

WLAN-based per-ap-limit: It refers to the WLAN total speed limit for the WLAN of all APs under the AC.
If the WLAN-based per-ap-limit speed limit is configured in this range, and the intelligent speed limit is enabled at the same time, all APs will intelligently distribute the total bandwidth of the speed limit to all the STAs under the WLAN according to the number of STAs under the WLAN.

ap-based total-user-limit: It refers to the total speed limit for the specified AP. If the ap-based total-user-limit is configured in this range and the intelligent speed limit is enabled at the same time, the AP will intelligently distribute the total speed limit bandwidth of the AP to all the STAs under the AP according to their number.

Configuration cases:

a. Configure a per-ap-limit downlink speed limit of 1000 KBps on WLAN 1 on the AC, and then enable intelligent speed limit for this range. Then all APs associated with this WLAN will distribute 1000 KBps to all STAs under WLAN 1 according to the number of STAs associated with this WLAN. For example, if 5 users on the AP are associated to WLAN 1, the downlink speed limit for each user is 200 KBps.

FS(config)#WLAN-config 1
FS(config-WLAN)#WLAN-based per-ap-limit down-streams average-data-rate 1000 burst-data-rate 1000
FS(config-WLAN)#WLAN-based per-ap-limit down-streams intelligent

b. Configure the ap-based total-user-limit uplink speed limit of 500 KBps on the AC on the ap320. Then enable intelligent speed limit for this range, and ap320 will distribute 500 KBps to all STAs under the AP according to the number of STAs associated with the AP. For example, if there are 5 users on the AP, the uplink rate of each user is limited to 100 KBps.

FS(config)#ap-config AP-N505
FS(config-ap)#ap-based total-user-limit up-streams average-data-rate 500 burst-data-rate 500
FS(config-ap)#ap-based total-user-limit up-streams intelligent

5.6 Wireless Bridge Function

5.6.1 Fat AP Bridge Deployment Scenario

5.6.1.1 Wireless Fat AP (1 to 1 and multi-hop) open mode bridge configuration

1.
Network requirements

It is required that the two APs at both ends of the bridge be in the same network segment, and the APs must be of the same model. APs with different chips, such as Atheros and BCM, cannot be bridged and communicated.

Multi-hop refers to:

AP1 (root bridge) ))))) wireless bridge ))))) (non-root bridge) AP2 wired interface ---- wired interface AP3 (root bridge) ))))) wireless bridge ))))) (non-root bridge) AP4

For the bridge version, it is recommended to use the latest software version on the current official website.

2. Network topology

The network topology of the WDS bridge of the fat AP is as follows:

[Figure: network topology of the fat AP WDS bridge]

3. Configuration points

Configure the bridge network segment and radio frequency port of the root bridge.
Configure the bridge network segment and radio frequency port of the non-root bridge.
Configure the covered WLAN signal (omitted here, please refer to the fat AP configuration chapter).

4. Precautions

Fat AP bridge can support SSID bridge and BSSID bridge.

a. In order to ensure bridge performance and balance, 1-to-many scenarios must be configured with speed limits for each bridge AP. The recommended configuration method is based on the average configuration of the total bridge performance. The total performance of 1-to-many bridge is generally about 60-70% of the total performance of 1-to-1.

b. If SSID bridge is used in the fat mode 1-to-many bridge scenario, each root bridge should be configured with a different bridge SSID to avoid roaming in the NONROOT segment.

c. In the long-distance bridge deployment of more than 1000 meters, both the root bridge and the non-root bridge need to add a command:

interface Dot11radio 2/0
peer-distance 4000

The value after peer-distance is configured as 1-2 times the actual bridge distance. For example, in the current environment, the bridge distance is 2000 meters, and the peer-distance is configured as 4000.

d.
In a 1-to-many bridging scenario, it is recommended to configure the rate limit on the root bridge (only the root bridge configuration is required, and the non-root bridge does not need to be configured). Assume that the uplink rate limit in the actual network is 24Kbps and the downlink rate is 20Kbps; the configuration is as follows:

Root bridge configuration

!
WLAN-qos ap-based per-user-limit up-streams average-data-rate 3000 burst-data-rate 3000
WLAN-qos ap-based per-user-limit down-streams average-data-rate 2500 burst-data-rate 2500
!

e. The bridge distance of the AP-T567 built-in antenna is up to 3 kilometers [open environment]. There should be no obstructions in the middle when bridging, and the panel or antenna of the AP-T567 bridge needs to be aligned.

f. To keep the bridge stable, reserve enough margin for changes in attenuation caused by environmental changes on the air interface. Please ensure that the associated RSSI of the non-root bridge on the root bridge is greater than 25.

5. Configuration steps

Before configuration, switch the AP to fat AP mode:

FS>ap-mode fat

After switching, the AP will automatically restart, and the configuration can be performed after the restart is complete.

Root bridge configuration (Root-AP):

a. Configure and enable the wds-mode command (execute step 2 after the device restarts)

AP-1(config)#wds-mode enable ----->Switch to bridge mode, and the device will automatically restart after switching (need to switch to ap-mode fat first, and then configure bridge mode)

b. Create bridge VLAN

AP-1(config)#VLAN 10
AP-1(config-VLAN)#exit

c. Configure bridge WLAN-ID

AP-1(config)#dot11 WLAN 1
AP-1(dot11-WLAN-config)#SSID FS_wifi
AP-1(dot11-WLAN-config)#exit

d. RF card configuration

AP-1(config)#interface dot11radio 2/0
AP-1(config-if-Dot11radio 2/0)#encapsulation dot1Q 10 ----->encapsulate VLAN
AP-1(config-if-Dot11radio 2/0)#channel 149 ----->Adjust the channel to 149.
If the channel configuration is 165, the bandwidth cannot be configured as 40 MHz. The root bridge and the non-root bridge need to be consistent, and the channel with the least interference should be selected.
AP-1(config-if-Dot11radio 2/0)#chan-width 40 ----->The bandwidth configuration is 40 MHz. The root bridge and the non-root bridge are consistent, the default is 20, and can be set to 20, 40 and 80 as needed
AP-1(config-if-Dot11radio 2/0)#station-role root-bridge bridge-WLAN 1 ----->Switch the RF card mode to the root bridge, and bind the WLANid created in step 3
AP-1(config-if-Dot11radio 2/0)#WLAN-id 1 ----->map SSID
AP-1(config-if-Dot11radio 2/0)#exit

e. Confirm the BSSID issued by the root bridge

AP-1#show dot11 mbSSID

f. Configure the device management address on the AP Layer 3 interface

AP-1(config)#interface bvI 10
AP-1(config-if-BVI 10)#ip address 192.168.1.254 255.255.255.0
AP-1(config-if-BVI 10)#exit

g. Use show dot1 wds-bridge-info 2/0 to check the bridge configuration

AP-1#show dot1 wds-bridge-info 2/0
WDS-MODE: ROOT-BRIDGE
BRIDGE-WLAN:
Status: OK ----->OK indicates that the configuration is correct, and Warning indicates that the configuration is abnormal
WLANID 1, SSID FS_wifi, BSSID a69d.99d0.114b

h. Encapsulation of VLAN on wired physical interface

AP-1(config)#interface gigabitEthernet 0/1
AP-1(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 10 ----->Encapsulate relevant VLANs according to the actual situation
AP-1(config-if-GigabitEthernet 0/1)#exit

i. Save the configuration

AP-1(config)#end
AP-1#write

Non-Root Bridge Configuration (Non-Root):

a. Configure and enable the wds-mode command (execute step 2 after the device restarts)

AP-2(config)#wds-mode enable ----->Switch to bridge mode, and the device will automatically restart after switching (need to switch to ap-mode fat first, and then configure bridge mode)

b. Create bridge VLAN

AP-2(config)#VLAN 10
AP-2(config-VLAN)#exit

c.
RF card configuration

AP-2(config)#interface dot11radio 2/0
AP-2(config-if-Dot11radio 2/0)#encapsulation dot1Q 10 ----->encapsulate VLAN
AP-2(config-if-Dot11radio 2/0)#channel 149 ----->Adjust the channel to 149. If the channel configuration is 165, the bandwidth cannot be configured as 40 MHz. The root bridge and the non-root bridge need to be consistent, and the channel with the least interference should be selected.
AP-2(config-if-Dot11radio 2/0)#chan-width 40 ----->The bandwidth configuration is 40 MHz. The root bridge and the non-root bridge are consistent, the default is 20, and can be set to 20, 40 and 80 as needed.
AP-2(config-if-Dot11radio 2/0)#station-role non-root-bridge ----->Switch the RF card mode to the non-root bridge
AP-2(config-if-Dot11radio 2/0)#parent mac-address a69d.99d0.114b ----->Bind the root bridge BSSID (a69d.99d0.114b is the BSSID of step 5 of AP-1)
or
AP-2(config-if-Dot11radio 2/0)#parent SSID FS_wifi ----->Bind to the root bridge (FS_wifi is the SSID of step 5 of AP-1)
AP-2(config-if-Dot11radio 2/0)#exit

d. AP layer 3 interface configuration

AP-2(config)#interface bvI 10
AP-2(config-if-BVI 10)#ip address 192.168.1.253 255.255.255.0
AP-2(config-if-BVI 10)#exit

e. Encapsulation of VLAN on wired physical interface

AP-2(config)#interface gigabitEthernet 0/1
AP-2(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 10 ----->Encapsulate relevant VLANs according to the actual situation
AP-2(config-if-GigabitEthernet 0/1)#exit

f. Save the configuration

AP-2(config)#end
AP-2#write

6.
Functional verification

Check root bridge status:

AP-1#show dot11 wds-bridge-info 2/0
WDS-MODE: ROOT-BRIDGE
BRIDGE-WLAN:
Status: OK
WLANID 1, SSID FS_wifi, BSSID a69d.99d0.114b
WBI 2/0
NONROOT 649d.99d0.20d1 ----->MAC address of AP-2
LinkTime 0:00:47 SendRate 130.5M Mbps, RecvRate 133.5M Mbps, RSSI 60

Check the bridge status on the Non-Root side:

AP-2#sh dot wds-bridge-info 2/0
WDS-MODE: NONROOT-BRIDGE
MAC: 649d.99d0.20d1
CONFIG-MAC:
CONFIG-SSID:wds-test-root
WBI 2/0
ROOT a69d.99d0.114b ----->BSSID of AP-1
LinkTime 0:00:47 SendRate 58.5M Mbps, RecvRate 195.0M Mbps, RSSI 54

PING test

AP-1#ping 192.168.1.253 -----> BVI port of non-root bridge AP-2
Sending 5, 100-byte ICMP Echoes to 192.168.1.10, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/11/28 ms.

AP-2#ping 192.168.1.254 -----> Wired connection to the BVI port of AP-1
Sending 5, 100-byte ICMP Echoes to 192.168.1.254, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/31 ms.

5.6.1.2 Wireless Fat AP (1-to-many) Bridge Configuration

1. Network requirements

It is required that the two APs at both ends of the bridge are in the same network segment, and the APs must be of the same model. It is recommended to use the latest software version from the official website.

2. Network topology

The network topology of the WDS bridging of the fat AP is as follows:

Non-root AP2                  Root AP                       Non-root AP1
192.168.1.253 255.255.255.0   192.168.1.254 255.255.255.0   192.168.1.252 255.255.255.0
AP-2 ((((                     AP-1                          )))) AP-3

3. Configuration points

Configure the bridge network segment and radio frequency port of the root bridge.
Configure the bridge network segment and radio frequency port of the non-root bridge.
Configure the covered WLAN signal (omitted here, please refer to the fat AP configuration chapter).

4. Precautions

a. Fat AP bridge can support SSID bridge and BSSID bridge.

b.
In order to ensure bridge performance and balance, 1-to-many scenarios must be configured with speed limits for each bridge AP. The recommended configuration method is based on the average configuration of the total bridge performance. The total performance of 1-to-many bridge is generally about 60-70% of the total performance of 1-to-1.

c. If SSID bridge is used in the fat mode 1-to-many bridge scenario, each root bridge should be configured with a different bridge SSID to avoid roaming in the NONROOT segment.

d. In the long-distance bridge deployment of more than 1000 meters, both the root bridge and the non-root bridge need to add a command:

interface Dot11radio 2/0
peer-distance 4000

The value after peer-distance is configured as 1-2 times the actual bridge distance. For example, in the current environment, the bridge distance is 2000 meters, and the peer-distance is configured as 4000.

e. In a 1-to-many bridging scenario, it is recommended to configure the rate limit on the root bridge (only the root bridge configuration is required, and the non-root bridge does not need to be configured). Assume that the uplink rate limit in the actual network is 24Kbps and the downlink rate is 20Kbps; the configuration is as follows:

Root bridge configuration

!
WLAN-qos ap-based per-user-limit up-streams average-data-rate 3000 burst-data-rate 3000
WLAN-qos ap-based per-user-limit down-streams average-data-rate 2500 burst-data-rate 2500
!

f. The bridge distance of the AP-T567 built-in antenna is up to 3 kilometers [open environment]. There should be no obstructions in the middle when bridging, and the panel or antenna of the AP-T567 bridge needs to be aligned.

g. To keep the bridge stable, reserve enough margin for changes in attenuation caused by environmental changes on the air interface. Please ensure that the associated RSSI of the non-root bridge on the root bridge is greater than 25.

5.
Configuration steps

Before configuration, switch the AP to fat AP mode:

FS>ap-mode fat

After switching, the AP will automatically restart, and the configuration can be performed after the restart is complete.

Root bridge configuration (Root-AP):

a. Configure and enable the wds-mode command (execute step 2 after the device restarts)

AP-1(config)#wds-mode enable ----->Switch to bridge mode, and the device will automatically restart after switching (need to switch to ap-mode fat first, and then configure bridge mode)

b. Create bridge VLAN

AP-1(config)#VLAN 10
AP-1(config-VLAN)#exit

c. Configure bridge WLAN-ID

AP-1(config)#dot11 WLAN 1
AP-1(dot11-WLAN-config)#SSID FS_wifi
AP-1(dot11-WLAN-config)#exit

d. RF card configuration

AP-1(config)#interface dot11radio 2/0
AP-1(config-if-Dot11radio 2/0)#encapsulation dot1Q 10 ----->encapsulate VLAN
AP-1(config-if-Dot11radio 2/0)#channel 149 ----->Adjust the channel to 149. If the channel configuration is 165, the bandwidth cannot be configured as 40 MHz. The root bridge and the non-root bridge need to be consistent, and the channel with the least interference should be selected.
AP-1(config-if-Dot11radio 2/0)#chan-width 40 ----->The bandwidth configuration is 40 MHz. The root bridge and the non-root bridge are consistent, the default is 20, and can be set to 20, 40 and 80 as needed
AP-1(config-if-Dot11radio 2/0)#station-role root-bridge bridge-WLAN 1 ----->Switch the RF card mode to the root bridge, and bind the WLANid created in step 3
AP-1(config-if-Dot11radio 2/0)#WLAN-id 1 ----->map SSID
AP-1(config-if-Dot11radio 2/0)#exit

e. Confirm the BSSID issued by the root bridge

AP-1#show dot11 mbSSID

f. Configure the device management address on the AP Layer 3 interface

AP-1(config)#interface bvI 10
AP-1(config-if-BVI 10)#ip address 192.168.1.254 255.255.255.0
AP-1(config-if-BVI 10)#end

g. Use the command show dot1 wds-bridge-info 2/0 to check the bridge configuration.
AP-1#show dot1 wds-bridge-info 2/0
WDS-MODE: ROOT-BRIDGE
BRIDGE-WLAN:
Status: OK ----->OK indicates that the configuration is correct, and Warning indicates that the configuration is abnormal
WLANID 1, SSID FS_wifi, BSSID a69d.99d0.114b

h. Encapsulation of VLAN on wired physical interface

AP-1(config)#interface gigabitEthernet 0/1
AP-1(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 10 ----->Encapsulate relevant VLANs according to the actual situation
AP-1(config-if-GigabitEthernet 0/1)#exit

i. Save the configuration

AP-1(config)#end
AP-1#write

Non-Root Bridge Configuration (Non-Root):

a. Configure and enable the wds-mode command (execute step 2 after the device restarts)

AP-2(config)#wds-mode enable ----->Switch to bridge mode, and the device will automatically restart after switching (need to switch to ap-mode fat first, and then configure bridge mode)

b. Create bridge VLAN

AP-2(config)#VLAN 10
AP-2(config-VLAN)#exit

c. RF card configuration

AP-2(config)#interface dot11radio 2/0
AP-2(config-if-Dot11radio 2/0)#encapsulation dot1Q 10 ----->encapsulate VLAN
AP-2(config-if-Dot11radio 2/0)#channel 149 ----->Adjust the channel to 149. If the channel configuration is 165, the bandwidth cannot be configured as 40 MHz. The root bridge and the non-root bridge need to be consistent, and the channel with the least interference should be selected.
AP-2(config-if-Dot11radio 2/0)#chan-width 40 ----->The bandwidth configuration is 40 MHz. The root bridge and the non-root bridge are consistent, the default is 20, and can be set to 20, 40 and 80 as needed.
AP-2(config-if-Dot11radio 2/0)#station-role non-root-bridge ----->Switch the RF card mode to the non-root bridge
AP-2(config-if-Dot11radio 2/0)#parent mac-address a69d.99d0.114b ----->Bind to the root bridge BSSID (a69d.99d0.114b is the BSSID of step 5 of AP-1)
or
AP-2(config-if-Dot11radio 2/0)#parent SSID FS_wifi ----->Bind to the root bridge (FS_wifi is the SSID of step 5 of AP-1)
AP-2(config-if-Dot11radio 2/0)#exit

d.
AP layer 3 interface configuration

AP-2(config)#interface bvI 10
AP-2(config-if-BVI 10)#ip address 192.168.1.253 255.255.255.0
AP-2(config-if-BVI 10)#exit

e. Encapsulation of VLAN on wired physical interface

AP-2(config)#interface gigabitEthernet 0/1
AP-2(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 10

f. Save the configuration

AP-2(config-if-GigabitEthernet 0/1)#end
AP-2#write

Non-Root Bridge Configuration (Non-Root):

a. Configure and enable the wds-mode command (execute step 2 after the device restarts)

AP-3(config)#wds-mode enable ----->Switch to bridge mode, and the device will automatically restart after switching (need to switch to ap-mode fat first, and then configure bridge mode)

b. Create bridge VLAN

AP-3(config)#VLAN 10
AP-3(config-VLAN)#exit

c. RF card configuration

AP-3(config)#interface dot11radio 2/0
AP-3(config-if-Dot11radio 2/0)#encapsulation dot1Q 10 ----->encapsulate VLAN
AP-3(config-if-Dot11radio 2/0)#channel 149 ----->Adjust the channel to 149. If the channel configuration is 165, the bandwidth cannot be configured as 40 MHz. The root bridge and the non-root bridge need to be consistent, and the channel with the least interference should be selected.
AP-3(config-if-Dot11radio 2/0)#chan-width 40 ----->The bandwidth configuration is 40 MHz. The root bridge and the non-root bridge are consistent, the default is 20, and can be set to 20, 40 and 80 as needed.
AP-3(config-if-Dot11radio 2/0)#station-role non-root-bridge ----->Switch the RF card mode to the non-root bridge
AP-3(config-if-Dot11radio 2/0)#parent mac-address a69d.99d0.114b ----->Bind the root bridge BSSID (a69d.99d0.114b is the BSSID of step 5 of AP-1)
or
AP-3(config-if-Dot11radio 2/0)#parent SSID FS_wifi ----->Bind to the root bridge (FS_wifi is the SSID of step 5 of AP-1)
AP-3(config-if-Dot11radio 2/0)#exit

d. AP layer 3 interface configuration

AP-3(config)#interface bvI 10
AP-3(config-if-BVI 10)#ip address 192.168.1.252 255.255.255.0
AP-3(config-if-BVI 10)#exit

e.
Encapsulation of VLAN on wired physical interface

AP-3(config)#interface gigabitEthernet 0/1
AP-3(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 10

f. Save the configuration

AP-3(config-if-GigabitEthernet 0/1)#end
AP-3#write

6. Functional verification

Check root bridge status:

AP-1#show dot11 wds-bridge-info 2/0
WDS-MODE: ROOT-BRIDGE
BRIDGE-WLAN:
Status: OK
WLANID 1,SSID FS_wifi, BSSID a69d.99d0.114b ----->BSSID of AP-1
WBI 2/0
NONROOT 649d.99d0.20d1 ----->MAC address of AP-2
LinkTime 0:00:47 SendRate 130.5M Mbps,RecvRate 133.5M Mbps, RSSI 60
WBI 2/1
NONROOT 649d.99d0.1f5f ----->MAC address of AP-3
LinkTime 0:00:47 SendRate 130.5M Mbps,RecvRate 133.5M Mbps, RSSI 60

Check non-root bridge status:

FS#sh dot wds-bridge-info 2/0
WDS-MODE: NONROOT-BRIDGE
MAC: 649d.99d0.20d1 ----->MAC address of AP-2
CONFIG-MAC:
CONFIG-SSID:wds-test-root
WBI 2/0
ROOT a69d.99d0.114b ----->BSSID of AP-1
LinkTime 0:00:47 SendRate 58.5M Mbps, RecvRate 195.0M Mbps, RSSI 54

PING test

AP-1#ping 192.168.1.253 -----> BVI port of non-root bridge AP-2
Sending 5, 100-byte ICMP Echoes to 192.168.1.10, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/11/28 ms.

AP-1#ping 192.168.1.252 -----> BVI port of non-root bridge AP-3
Sending 5, 100-byte ICMP Echoes to 192.168.1.252, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/31 ms.

5.6.1.3 Fat AP WEB Page Bridge Configuration

1. Network requirements

The distance between buildings is long, often exceeding 100 meters, and fiber optic cables are generally required to connect them. For some buildings that have already been built, excavating roads or erecting overhead lines will lead to difficult construction and high consumption costs, such as between the upper floors of two buildings, two buildings separated by rivers, etc.
In this environment, the use of wireless bridges to realize network interconnection is economical and convenient to implement.

2. Network topology

[Figure: network topology]

3. Precautions

a. Fat AP bridge can support SSID bridge and BSSID bridge.

b. In order to ensure bridge performance and balance, 1-to-many scenarios must be configured with speed limits for each bridge AP. The recommended configuration method is based on the average configuration of the total bridge performance. The total performance of 1-to-many bridge is generally about 60-70% of the total performance of 1-to-1.

c. If SSID bridge is used in the fat mode 1-to-many bridge scenario, each root bridge should be configured with a different bridge SSID to avoid roaming in the NONROOT segment.

d. In the long-distance bridge deployment of more than 1000 meters, both the root bridge and the non-root bridge need to add a command:

interface Dot11radio 2/0
peer-distance 4000

The value after peer-distance is configured as 1-2 times the actual bridge distance. For example, in the current environment, the bridge distance is 2000 meters, and the peer-distance is configured as 4000.

e. In a 1-to-many bridging scenario, it is recommended to configure the rate limit on the root bridge (only the root bridge configuration is required, and the non-root bridge does not need to be configured). Assume that the uplink rate limit in the actual network is 24Kbps and the downlink rate is 20Kbps; the configuration is as follows:

Root bridge configuration

!
WLAN-qos ap-based per-user-limit up-streams average-data-rate 3000 burst-data-rate 3000
WLAN-qos ap-based per-user-limit down-streams average-data-rate 2500 burst-data-rate 2500
!

f. The bridge distance of the AP-T567 built-in antenna is up to 3 kilometers [open environment]. There should be no obstructions in the middle when bridging, and the panel or antenna of the AP-T567 bridge needs to be aligned.

g.
To keep the bridge stable, reserve enough margin for changes in attenuation caused by environmental changes on the air interface. Please ensure that the associated RSSI of the non-root bridge on the root bridge is greater than 25.

4. Configuration steps

a. Root bridge configuration

Create a bridge signal:

Create the bridge VLAN as VLAN 2: in Advanced > VLAN Management, click "Add VLAN".
Configure the VLAN ID, IP address and subnet mask, and click to complete the configuration.
In Wireless > Add wireless network, click the "+" icon to create a new SSID.
Configure the SSID, select "Open" for the encryption type, and click "Advanced Settings". Select the corresponding bridge VLAN for 5G, and click to save the settings.
In Config > WDS, set the 5G network bridge function from OFF to ON.
Select "Root Bridge" as the operating mode, and select the bridge SSID.

b. Configure non-root bridge

In Network > Wireless Bridge, set the 5G bridge function from OFF to ON, and select "Non-root Bridge".

5. Configuration verification

a. Run show dot wds-bridge-info 2/0 on the root bridge; it shows the parameters of a successful bridge:

FS#show dot wds-bridge-info 2/0
WDS-MODE: ROOT-BRIDGE
BRIDGE-WLAN:
Status: OK
WLANID 2, SSID Eweb_ceshi, BSSID 0a14.4b70.3586
WBI 2/0
NONROOT 0069.6c1d.24b1
LinkTime 0:08:50 SendRate 144.5M Mbps, RecvRate 144.5M Mbps, RSSI 58

5.6.1.4 Wireless Hidden SSID&WDS Bridge Encryption Configuration

1. Network requirements

It is required that the two APs at both ends of the bridge are in the same network segment, and the APs must be of the same model. It is recommended to use the latest software version from the official website. Currently, only AP-T567 and AP-T565 support it.

2. Network topology

Root AP                       Non-root AP                   Root AP
192.168.1.254 255.255.255.0   192.168.1.253 255.255.255.0   192.168.1.252 255.255.255.0
AP-1 ))))                     AP-2(gi 0/1)------            (gi 0/1)AP-3

3.
Configuration points Configure the bridge network segment and radio frequency port of the root bridge. Configure the bridge network segment and radio frequency port of the non-root bridge. Configure the covered WLAN signal (omitted here, please refer to the fat AP configuration chapter). Configure root bridge encryption. Configure non-root bridge key. 4. Precautions a. Fat AP bridge can support SSID bridge and BSSID bridge. b. In order to ensure bridge performance and balance, 1-to-many scenarios must be configured with speed limits for each bridge AP. The recommended configuration method is based on the average configuration of the total bridge performance. The total performance of 1-to-many bridge is generally about 60-70% of the total performance of 1-to-1. c. If SSID bridge is used in the fat mode 1-to-many bridge scenario, each root bridge should be configured with a different bridge SSID to avoid roaming in the NONROOT segment. d. In the long-distance bridge deployment of more than 1000 meters, both the root bridge and the non-root bridge need to add a command: interface Dot11radio 2/0 peer-distance 4000 The value after èpeer-distance is configured as 1-2 times of the actual bridge distance. For example, in the current environment, the bridge distance is 2000 meters, and the peer-distance is configured as 4000! e. In a 1-to-many bridging scenario, it is recommended to configure the rate limit on the root bridge (only the root bridge configuration is required, and the non-root bridge does not need to be configured). Assume that the uplink rate limit in the actual network is 24Kbps; the downlink rate is 20Kbsp, and the configuration is as follows: root bridge configuration ! WLAN-qos ap-based per-user-limit up-streams average-data-rate 3000 burst-data-rate 3000 WLAN-qos ap-based per-user-limit down-streams average-data-rate 2500 burst-data-rate 2500 ! f. The bridge distance of the AP-N565 built-in antenna is up to 3 kilometers [open environment]. 
There should be no obstructions in the middle when bridging, and the panel or antenna of the AP-N565 bridge needs to be aligned.
g. To keep the bridge stable, reserve enough margin for the attenuation caused by changes in the air-interface environment. Ensure that the RSSI of the non-root bridge, as associated on the root bridge, is greater than 25.

5. Configuration steps
Root bridge configuration (Root-AP):
a. Configure and enable the wds-mode command (execute step b after the device restarts)
    AP-1(config)#wds-mode enable ----->Switch to bridge mode; the device restarts automatically after switching (switch to ap-mode fat first, and then configure bridge mode)
b. Create bridge VLAN
    AP-1(config)#VLAN 10
    AP-1(config-VLAN)#exit
c. Configure the bridge WLAN-ID and hide the SSID
    AP-1(config)#dot11 WLAN 1
    AP-1(dot11-WLAN-config)#SSID FS_wifi
    AP-1(dot11-WLAN-config)#no broadcast-SSID
    AP-1(dot11-WLAN-config)#exit
d. RF card configuration
    AP-1(config)#interface dot11radio 2/0
    AP-1(config-if-Dot11radio 2/0)#encapsulation dot1Q 10 ----->Encapsulate VLAN
    AP-1(config-if-Dot11radio 2/0)#channel 149 ----->Adjust the channel to 149. If the channel is configured as 165, the bandwidth cannot be configured as 40MHz. The root bridge and the non-root bridge need to be consistent, and the channel with the least interference should be selected.
    AP-1(config-if-Dot11radio 2/0)#chan-width 40 ----->The bandwidth is configured as 40MHz. The root bridge and the non-root bridge must be consistent; the default is 20, and it can be set to 20, 40 or 80 as needed.
    AP-1(config-if-Dot11radio 2/0)#station-role root-bridge bridge-WLAN 1 ----->Switch the RF card mode to root bridge, and bind the WLAN ID created in step c
    AP-1(config-if-Dot11radio 2/0)#WLAN-id 1 ----->Map the SSID
    AP-1(config-if-Dot11radio 2/0)#exit
e. Confirm the BSSID issued by the root bridge
    AP-1#show dot11 mbSSID
f. Configure the encryption method
    AP-1(config)# WLANsec 1 ----->1 is the bridge-bound WLAN ID; the encryption method is configured exactly as on a normal AP
    AP-1(config-WLANsec)#security rsn enable
    AP-1(config-WLANsec)#security rsn ciphers aes enable
    AP-1(config-WLANsec)#security rsn akm psk enable
    AP-1(config-WLANsec)#security rsn akm psk set-key ascii 12345678
    AP-1(config-WLANsec)#exit
g. Configure the device management address on the AP Layer 3 interface
    AP-1(config)#interface bvI 10
    AP-1(config-if-BVI 10)#ip address 192.168.1.254 255.255.255.0
    AP-1(config-if-BVI 10)#end
h. Check the bridge configuration with show dot11 wds-bridge-info 2/0
    AP-1#show dot11 wds-bridge-info 2/0
    WDS-MODE: ROOT-BRIDGE
    BRIDGE-WLAN:
    Status: OK ----->OK indicates that the configuration is correct, and Warning indicates that the configuration is abnormal
    WLANID 1, SSID FS_wifi, BSSID a69d.99d0.114b
i. Encapsulation of VLAN on wired physical interface
    AP-1(config)#interface gigabitEthernet 0/1
    AP-1(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 10 ----->Encapsulate the relevant VLANs according to the actual situation
    AP-1(config-if-GigabitEthernet 0/1)#exit
j. Save the configuration
    AP-1(config)#end
    AP-1#write

Non-Root Bridge Configuration (Non-Root):
a. Configure and enable the wds-mode command (execute step b after the device restarts)
    AP-2(config)#wds-mode enable ----->Switch to bridge mode; the device restarts automatically after switching (switch to ap-mode fat first, and then configure bridge mode)
b. Create bridge VLAN
    AP-2(config)#VLAN 10
    AP-2(config-VLAN)#exit
c. RF card configuration
    AP-2(config)#interface dot11radio 2/0
    AP-2(config-if-Dot11radio 2/0)#encapsulation dot1Q 10 ----->Encapsulate VLAN
    AP-2(config-if-Dot11radio 2/0)#channel 149 ----->Adjust the channel to 149. If the channel is configured as 165, the bandwidth cannot be configured as 40MHz.
    The root bridge and the non-root bridge need to be consistent, and the channel with the least interference should be selected.
    AP-2(config-if-Dot11radio 2/0)#chan-width 40 ----->The bandwidth is configured as 40MHz. The root bridge and the non-root bridge must be consistent; the default is 20, and it can be set to 20, 40 or 80 as needed.
    AP-2(config-if-Dot11radio 2/0)#station-role non-root-bridge ----->Switch the RF card mode to non-root bridge
    AP-2(config-if-Dot11radio 2/0)#parent mac-address a69d.99d0.114b ----->Bind to the root bridge BSSID (a69d.99d0.114b is the BSSID from step e on AP-1)
   or
    AP-2(config-if-Dot11radio 2/0)#parent SSID FS_wifi ----->Bind to the root bridge SSID (FS_wifi is the SSID from step e on AP-1)
    AP-2(config-if-Dot11radio 2/0)# bridge security rsn ciphers aes akm psk key ascii 12345678 ----->Configure the non-root bridge key and encryption method. Security, ciphers, akm, and key must be consistent with those configured on the root bridge.
    AP-2(config-if-Dot11radio 2/0)#exit
d. AP layer 3 interface configuration
    AP-2(config)#interface bvI 10
    AP-2(config-if-BVI 10)#ip address 192.168.1.253 255.255.255.0
    AP-2(config-if-BVI 10)#exit
e. Encapsulation of VLAN on wired physical interface
    AP-2(config)#interface gigabitEthernet 0/1
    AP-2(config-if-GigabitEthernet 0/1)#encapsulation dot1Q 10
f. Save the configuration
    AP-2(config-if-GigabitEthernet 0/1)#end
    AP-2#write

6. Functional verification
Check root bridge status:
    AP-1#show dot11 wds-bridge-info 2/0
    WDS-MODE: ROOT-BRIDGE
    BRIDGE-WLAN:
    Status: OK
    WLANID 1,SSID FS_wifi, BSSID a69d.99d0.114b ----->BSSID of AP-1
    WBI 2/0
    NONROOT 649d.99d0.20d1 ----->MAC address of AP-2
    LinkTime 0:00:47 SendRate 130.5M Mbps,RecvRate 133.5M Mbps, RSSI 60
Check non-root bridge status:
    FS#sh dot wds-bridge-info 2/0
    WDS-MODE: NONROOT-BRIDGE
    MAC: 649d.99d0.20d1 ----->MAC address of AP-2
    CONFIG-MAC:
    CONFIG-SSID:wds-test-root
    WBI 2/0
    ROOT a69d.99d0.114b ----->BSSID of AP-1
    LinkTime 0:00:47 SendRate 58.5M Mbps, RecvRate 195.0M Mbps, RSSI 54
PING test
    AP-1#ping 192.168.1.253 ----->BVI port of non-root bridge AP-2
    Sending 5, 100-byte ICMP Echoes to 192.168.1.10, timeout is 2 seconds:
    < press Ctrl+C to break >
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 2/11/28 ms.
    AP-2#ping 192.168.1.254 ----->BVI port of root bridge AP-1
    Sending 5, 100-byte ICMP Echoes to 192.168.1.254, timeout is 2 seconds:
    < press Ctrl+C to break >
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/31 ms.

5.6.2 Fit AP Bridge Deployment Scenario
AP-T567 Fit AP bridge deployment scenario

1. Network requirements
The two APs at both ends of the bridge must be in the same network segment, and the APs must be of the same model. APs with different chips, such as Atheros and BCM, cannot bridge or communicate with each other.

2. Network topology
The entire network topology in the fit AP deployment scenario is as follows:
[Figure: network topology]

3. Configuration points
Configure Root-AP and AC to establish a Capwap tunnel.
Issue WLAN and Wds bridge configurations to the Root-AP on the AC.
Pre-configure the WDS bridge on the Non-Root side.
Issue WLAN configuration to the non-root on the AC.

4. Precautions
a. Fit AP bridging is currently supported only by the outdoor AP series; other APs do not support it.
b. It is recommended that the forwarding mode of WLAN be configured as local forwarding mode; --- Multi-hop delay; Delay field difference and capwap keep-alive bridge data are forwarded locally, and local forwarding is used as much as possible.
c. The VLAN network segment on the Root side needs to be consistent with the IP address network segment obtained after bridging and association on the Non-Root side.
d. If WDS needs to work in FIT mode, the AP needs to support the establishment of CAPWAP through BVI by default.
e. The non-root bridge AP establishes a capwap tunnel with the AC through the bridge, so the bridge must be connected first.
f. In long-distance bridge deployments of more than 1000 meters, both the root bridge and the non-root bridge need an additional command:
    ap-config xx
     peer-distance 4000 radio 2 ----->The value after peer-distance is configured as 1-2 times the actual bridge distance. For example, in the current environment the bridge distance is 2000 meters, so peer-distance is configured as 4000.
g. In a 1-to-many bridging scenario, it is recommended to configure the rate limit on the root bridge (only the root bridge needs this configuration; the non-root bridge does not). Assume that the uplink rate limit in the actual network is 24Kbps and the downlink rate limit is 20Kbps; the configuration is as follows:
   Root bridge configuration:
    !
    ap-config xx
     ap-based per-user-limit up-streams average-data-rate 3000 burst-data-rate 3000
     ap-based per-user-limit down-streams average-data-rate 2500 burst-data-rate 2500
    !

5. Configuration steps
Configuration on AC:
a. Bridge AP configuration: wds-mode enable ----->The root bridge and non-root bridge will restart.
    FS(config)#ap-config **** ----->It can specify a specific bridge AP, or configure it in ap-config all mode
b. Configure the AP and AC to establish a Capwap tunnel
Ensure that the AP can communicate with the Ctrl-ip of the AC and that the AP can obtain the Ctrl-ip address of the AC; a Capwap tunnel can then be established. For configuration commands, please refer to the CAPWAP chapter.
    FS#sh capwap stat
    CAPWAP tunnel state, 1 peers, 1 is run:
    Index Peer IP     Port State
    1     10.10.10.10 5246 Run
    FS#
c. Create a WLAN configured for bridge and coverage on the AC.
    FS(config)#wlan-config 100 wds-test-root ----->Create a WLAN for bridge
    FS(config-wlan)#tunnel local
    FS(config-WLAN)#exit
    FS(config)#WLAN-config 200 wds-test-2.4G ----->Create a WLAN for coverage
    FS(config-WLAN)#exit
    FS(config)#VLAN 100 ----->Create a VLAN for bridge APs
    FS(config-VLAN)#exit
    FS(config)#VLAN 200 ----->Create a VLAN covering STA
    FS(config-VLAN)#exit
    FS(config)#int VLAN 100 ----->Create a VLAN segment for bridge APs
    FS(config-if-VLAN 100)#ip address 90.0.100.254 255.255.255.0
    FS(config-if-VLAN 100)#exit
    FS(config)#int VLAN 200 ----->Create the VLAN network segment associated with the covered STA
    FS(config-if-VLAN 200)#ip address 90.0.200.254 255.255.255.0
    FS(config-if-VLAN 200)#exit
    FS(config)#ip dhcp pool AP ----->Create an address pool for bridge APs
    FS(dhcp-config)#network 90.0.100.0 255.255.255.0
    FS(dhcp-config)#default-router 90.0.100.254
    FS(dhcp-config)#option 138 ip 10.10.10.10
    FS(dhcp-config)#exit
    FS(config)#ip dhcp pool STA ----->Create an address pool covering STA
    FS(dhcp-config)#network 90.0.200.0 255.255.255.0
    FS(dhcp-config)#default-router 90.0.200.254
    FS(dhcp-config)#dns-server 192.168.58.110
    FS(dhcp-config)#exit
    FS(config)#service dhcp ----->Enable DHCP service
    FS(config)#ap-group wds ----->Create ap-group and map two WLANs
    FS(config-group)#interface-mapping 100 100 radio 2 ----->The first mapping relationship under the corresponding AP group (check the number of the ap-WLAN-id behind this association through show run)
    FS(config-group)#interface-mapping 200 200 radio 1
    FS(config-group)#exit
    FS(config)#ap-config AP-T567 ----->Add the root bridge AP to the corresponding ap-group
    FS(config-ap)#ap-group wds
    FS(config-ap)#station-role root-bridge bridge-WLAN 1 radio 2 ----->Configure the AP's Radio 2 for bridge (Note: the number x in bridge-WLAN x refers to the mapping of the bridge WLAN under the AP group to which the AP belongs. The mapping here is interface-mapping 100 100 radio 2. Show run shows that the ap-WLAN-id behind this association is 1, which is the first entry under the AP group wds, so the number here is 1.)
    FS(config-ap)#end
    FS#write
d. Pre-configure bridge in fit AP mode on the Non-Root side (it is recommended to use the latest software version from the official website):
    FS#conf
    FS(config)#int dot11radio 2/0
    FS(config-if-Dot11radio 2/0)#station-role non-root-bridge ----->Configure the interface mode as Non-Root
    FS(config-if-Dot11radio 2/0)#parent SSID wds-test-root ----->Configure the bridge SSID (it can also be the BSSID: parent mac-address with the BSSID of the root-ap)
    FS(config-if-Dot11radio 2/0)#wds pre-config create ----->Create the Wds preconfiguration file
    FS(config-if-Dot11radio 2/0)#end
    FS#write
e. Configure the WLAN to be delivered to the non-root as an overlay on the AC:
It is consistent with the common WLAN and ap-group configuration. After configuration, add the Non-Root to the corresponding ap-group. The detailed configuration is omitted.
f. To configure a 1-to-many bridge, repeat step d to configure each non-root AP.

6. Functional verification
Check the Wds bridging status of the AP on the AC:
    FS#sh ap-config wds-bridge-info summary
    Ap Name        Mac Address    Radio Station-Role
    -------------- -------------- ----- -------------
    FS#sh ap-config wds-bridge-info 0669.6c20.2094 radio 2 ----->BSSID of root-ap
    WDS-MODE: ROOT-BRIDGE
    BRIDGE-WLAN:
    Status: OK
    WLANID 1, SSID wds-test-root, BSSID 0669.6c20.2094
    WBI 2/0
    NONROOT 00d0.f822.33b9 ----->MAC address of the NONROOT AP
    FS#
Check the Wds bridge status on the AP side
Check the bridge status on the Root side:
    FS#sh dot wds-bridge-info 2/0
    WDS-MODE: ROOT-BRIDGE
    BRIDGE-WLAN:
    Status: OK
    WLANID 1, SSID wds-test-root, BSSID 0669.6c20.2094
    WBI 2/0
    NONROOT 00d0.f822.33b9 ----->MAC address of the NONROOT AP
    LinkTime 0:22:05 SendRate 195.0M Mbps, RecvRate 58.5M Mbps, RSSI 55
    FS#
    FS#ping 10.10.10.10
    Sending 5, 100-byte ICMP Echoes to 10.10.10.10, timeout is 2 seconds:
    < press Ctrl+C to break >
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms.
    FS#
Check the bridge status on the Non-Root side:
    FS#sh dot wds-bridge-info 2/0
    WDS-MODE: NONROOT-BRIDGE
    MAC: 00d0.f822.33b9
    CONFIG-MAC:
    CONFIG-SSID:wds-test-root
    WBI 2/0
    ROOT 0669.6c20.2094 ----->BSSID of root-ap
    LinkTime 0:22:17 SendRate 58.5M Mbps,RecvRate 195.0M Mbps,RSSI 54
    FS#
    FS#ping 10.10.10.10
    Sending 5, 100-byte ICMP Echoes to 10.10.10.10, timeout is 2 seconds:
    < press Ctrl+C to break >
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/11 ms.
    FS#

5.6.3 Pre-configuration of Wireless Non-root Bridge AP Bridging

1. Network requirements
The two APs at both ends of the bridge must be in the same network segment, and the APs must be of the same model.

2. Network configuration
Assume that the configuration in the actual network is as follows:
Root bridge configuration:
    !
    interface Dot11radio 2/0
     no ampdu-rts
     country-code US
     no short-preamble
     radio-type 802.11a
     channel 149
     peer-distance 4000
     rate-set 11a mandatory 6 12 24
     rate-set 11a support 9 18 36 48 54
     rate-set 11n mcs-support 23
     rate-set 11ac mcs-support 29
     11acsupport enable
     chan-width 80
     station-role root-bridge bridge-WLAN 1
    !
    interface Dot11radio 2/0.1
     WLAN-id 1
    !
Non-Root bridge configuration:
    !
    interface Dot11radio 2/0
     no ampdu-rts
     country-code US ----->Configure country code (Optional. If the root bridge is US, there is no need to configure)
     no short-preamble
     radio-type 802.11a
     channel 149
     rate-set 11a mandatory 6 12 24
     rate-set 11a support 9 18 36 48 54
     rate-set 11n mcs-support 23
     rate-set 11ac mcs-support 29
     11acsupport enable
     chan-width 80
     station-role non-root-bridge ----->Configure bridge mode (required)
     parent SSID AP-T567 ----->Configure the associated root bridge SSID or MAC (required)
    !
Obtain root bridge information:
    FS#show dot mb
    name: Dot11radio 2/0.1
    WLAN id: 1
    SSID: AP-T567 ----->Root bridge SSID (non-root bridge configuration parent SSID is consistent with this SSID)
    bSSID: 0669.6c20.218e ----->Root bridge SSID (non-root bridge configuration parent SSID is consistent with this SSID)

3. Detailed pre-configuration
Pre-configuration means importing the required AP configuration into the AP in advance in the form of a file. After the AP restarts, the pre-configuration information is used for networking.
Preconfiguration file name: wds_dot11radio_config
Format:
    !
    interface Dot11radio 1/0
     station-role root-ap
    !
    interface Dot11radio 2/0
     country-code US ----->Configure country code (Optional. Required when root bridge country code is US)
     channel 149 ----->Configure the channel (Optional. Consistent with the configuration of the root bridge)
     chan-width 80 ----->Configure bandwidth (Optional. Consistent with the configuration of the root bridge)
     station-role non-root-bridge ----->Configure bridge mode (Required)
     parent SSID AP-T567 ----->Configure associated root bridge SSID (Required)
     bridge security rsn ciphers aes akm psk key ascii 123456789 ----->Configure the encryption key (Optional. Required for encryption)
    !

5.6.4 FAQ About Bridge
Note: In the wireless bridge scenario, the bandwidth and channel configuration of all root bridge APs and non-root bridge APs must be exactly the same. Otherwise, problems such as bridge failure or an unreachable bridge link may occur due to packet parsing errors. Bridging is recommended only between our company's APs; bridging with other manufacturers' devices is not supported.

FAQ about bridge
1. The number of bridges that AP-T567 can support.
Maximum support for 1-to-4 bridge.
2. How to check whether the AP is in WDS bridge mode?
Fat AP (config mode):
    wds-mode enable ----->Enable wds mode
    wds-mode disable ----->Disable wds mode
    show wds-mode ----->Check wds mode
Fit AP (ap-config mode):
    wds-mode enable ----->Enable wds mode
    wds-mode disable ----->Disable wds mode
    show ap-config wds-mode summary ----->Check wds mode
3. How to check whether the bridge is established?
On AC: show ap-config wds-bridge-info summary
    FS#show ap-config wds-bridge-info summary
    Ap Name                                  Mac Address    Radio Station-Role
    ---------------------------------------- -------------- ----- --------------
    AP-T567                                  649d.99d0.e34e 2     ROOT-BRIDGE
    649d.99d0.e3ee                           649d.99d0.e3ee 2     NONROOT-BRIDGE
On AP: show dot11 wds-bridge-info 2/0
4. A configured bandwidth of 40 does not take effect for 802.11a
If the bandwidth is configured as 40MHz and does not take effect, it may be caused by interference from other channels or by channel configuration errors.
a. When the AP starts up and detects channel interference, the protection mechanism may automatically adjust the bandwidth to 20MHz.
b. Channel configuration error.
With 11a, the 40MHz bandwidth can use channels 149 and 157. In the US country code configuration with 40M bandwidth, there are two channels that can be used, 149 and 157. The actual usage effect is 149+153 and 157+161. If working on channel 165, the switch is unsuccessful because there is no higher frequency band for expansion. Therefore, when configuring the 40M bandwidth, first configure the channel as 149 or 157.
5. AP-T567 IDA fit mode bridge deployment. If bridging is not done, how to clear the bridge configuration of the non-root bridge?
When the AP is online:
    ap-config xx
     station-role root-ap radio 2
   or
    ap-config xx
     wds pre-config delete
It needs to be operated when the AP is online.
6. Can the AP-T567 bridge transparently transmit bpdu packets?
When the bridge is deployed, STP is not supported, and BPDU packets are prohibited from being forwarded. This is the same as the switch default: not forwarding BPDU packets is the default behavior of the reference switch chip. For the switch, there used to be a command that enabled forwarding by software, but at reduced efficiency. For the bridging scenario, STP is not supported, and this use is not considered. The function of enabling software forwarding through commands is also not implemented.
7. Can APs of different models be interconnected for bridge?
No. The bridge requires the same type of AP to work properly. For example, AP-T567 can only be bridged with AP-T567.
8. What precautions should be taken for a multi-hop bridge?
In the wireless multi-hop bridge scenario, to ensure the quality of the bridge line, the channels between the hops need to be staggered as much as possible. For example, the first hop is configured with channel 60, the second hop with channel 100, the third hop with channel 149, and so on.
9. In a wireless bridge video backhaul project, to ensure the bridge link and video transmission quality, at what level should the bridge signal strength be maintained?
Take the multi-hop + 1-to-many complex bridge scenario of AP-T567 series products as an example. The bridge link connected to the root bridge is called the main link, and it needs a stable uplink RSSI ≥ 30. The bridge link between the root bridge and the non-root bridge is called a single link, and it needs a stable uplink RSSI ≥ 25. If the signal strength cannot reach the above values, adjust or replace the point as soon as possible, to avoid bridge performance that is too low to meet the video transmission requirements.
10. Why does a modified configuration of the non-root bridge AP on the AC not take effect?
When the configuration under NONROOT is modified on the AC, the change does not take effect immediately. It only takes effect after wds config commit.
Configure in ap-config mode: wds config [ clear | commit ] radio radio-id. The parameters are as follows:
clear: Clear the invalid wds configuration.
commit: Submit the wds configuration that has not yet taken effect. The bridge will be disconnected and re-established after the commit.
radio-id: The radio ID specified on the AC.
If the AP is configured in non-root mode on the AC, or is synchronized from the AP to non-root mode, the corresponding radio enters wds edit mode. At this time, most wds commands do not take effect immediately, and the configuration can be checked with show ap-config wds-config. After confirming that the configuration is correct, submit it with this command to make it take effect.
11. Does the bridge between AP-T567 and AP-T567 in fit mode support local forwarding? Can multiple VLANs be transparently transmitted?
Local forwarding is supported, and multiple VLANs can be transparently transmitted.
The VLANs to be transparently transmitted must be configured on both the root bridge AP and the non-root bridge AP (configure bridge VLAN x in ap-config mode). Assuming that VLANx and VLANy are the VLANs required on the non-root bridge, the configuration is as follows:
    ap-config <root bridge ap name>
     bridge VLAN x
     bridge VLAN y
     exit
    ap-config <non-root bridge ap name>
     bridge VLAN x
     bridge VLAN y
     exit

5.6.5 Common Faults of Bridge
Note: In the wireless bridge scenario, the bandwidth and channel configuration of all root bridge APs and non-root bridge APs must be exactly the same. Otherwise, problems such as bridge failure or unreachable bridge links may occur due to packet parsing errors. Bridging is recommended only between our company's APs; bridging with other manufacturers' devices is not supported.

Common faults of bridge
The throughput of AP-T567/AP-T567 in fat AP mode using the bridge function (WDS) is very low
Analytical method:
Check whether the antenna interface is consistent with the corresponding radio connection;
Confirm whether the antenna directions on both sides are aligned;
Check whether the signal (RSSI) is above 50;
Check whether the bridge bandwidth is 40MHz;
Check whether the connection rate is 300M;
Check whether the MIMO antenna is placed correctly.
Solution:
Use the latest confirmed version;
Check whether the antenna is connected to the correct antenna port for the radio port. Judge this by whether the signal strength increases after connecting the antenna; run show dot11 ass all on the root-bridge to check whether the RSSI value increases.
While testing the throughput, adjust the antenna direction slowly, and find the antenna direction with the best throughput;
If there is interference on the same channel, the channel needs to be changed.
The channels used by na are: 149, 153, 157, 161
Use 40MHz bandwidth of 802.11na;
Configure the corresponding radio on the non-root-bridge:
    interface dot11radio 1/0
     radio-mode 11na_ht40plus
     chan-width 40
     channel 149
Show dot11 wireless 1/0 on non-root-bridge to check if the bandwidth is 40MHz:
    non-root#show dot11 wireless 1/0
Sample output:
    WLAN ID : 0
    Network Name (SSID):
    Interface.................... Dot11radio 1/0(intfcb 0x8fae800, WLAN 0x8faec00)
    VID.......................... 1
    Mac Address.................. 649d.99d0.d59e
    Operation Mode............... Access Point
    802.11 State................. Associated
    Beacon Period................ 100
    RTS Threshold................ 2347
    Fragement Threshold.......... 2346
    Radio Mode................... 11na_ht40minus
    Channel...................... 5765(153)
    Noise Floor.................. -101 dBm
    Channel width................ 40Mhz
    Maximum Regulatory Tx Power.. 30 dBm
    Maximum Tx Power............. 15 dBm
    Minimum Tx Power............. 15 dBm
    Tx power limit............... 60 dBm
    Current Tx Power Level....... 17 dBm(Auto)
    Protection Mode.............. 1(1-CTS/S, 2-RTS/CTS)
    A-MPDU Max Length............ 0
    Subframe Max Length.......... 0
    A-MSDU Max Length............ 0
Show dot11 ass all on the root-bridge to check if the RSSI and RATE are within the normal range:
    root#show dot11 associations all
Sample output:
    INTF-IDX ADDR              AID CHAN RATE RSSI IDLE TXSEQ RXSEQ ERP STATE CAPS HTCAPS
    0        00:1b:b1:20:3d:0e 1   153  300M 66   120  10    27824 0x0 0x22b Es   WPS
The placement direction of the antenna on the same AP should be opposite to the polarization direction of the antenna, otherwise, there will be interference between MIMO antennas. And keep a distance of 20 cm between the three antennas of the AP. For example, the general outdoor cauldron antenna is vertically polarized, and the antenna should be placed horizontally.
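The rule repeated in 5.6.4 and 5.6.5 (identical channel and bandwidth on every bridge AP, no 40MHz on channel 165) and the requirement in 5.6.1.4 that security, ciphers, akm and key match on both ends can be checked over saved configurations before a bridge is deployed. The Python script below is an added example, not FS tooling or part of the original guide; the two sample configurations are constructed from the commands in 5.6.1.4, and the finding names and the passphrase-strength rule are assumptions of this example.

```python
import re

# Constructed sample configurations, assembled from the commands in section 5.6.1.4.
ROOT_CFG = """\
AP-1(config)#dot11 WLAN 1
AP-1(dot11-WLAN-config)#SSID FS_wifi
AP-1(dot11-WLAN-config)#no broadcast-SSID
AP-1(config)#interface dot11radio 2/0
AP-1(config-if-Dot11radio 2/0)#channel 149 ----->must match the non-root bridge
AP-1(config-if-Dot11radio 2/0)#chan-width 40
AP-1(config-if-Dot11radio 2/0)#station-role root-bridge bridge-WLAN 1
AP-1(config)# WLANsec 1
AP-1(config-WLANsec)#security rsn enable
AP-1(config-WLANsec)#security rsn ciphers aes enable
AP-1(config-WLANsec)#security rsn akm psk enable
AP-1(config-WLANsec)#security rsn akm psk set-key ascii 12345678
"""
NONROOT_CFG = """\
interface dot11radio 2/0
 channel 149
 chan-width 40
 station-role non-root-bridge
 parent SSID FS_wifi
 bridge security rsn ciphers aes akm psk key ascii 12345678
"""

PROMPT = re.compile(r"^\s*[\w.-]+(\([^)]*\))?#\s*")  # e.g. "AP-1(config-if-Dot11radio 2/0)#"

def _normalize(text):
    """Drop CLI prompts and '----->' annotations so transcripts and saved configs both parse."""
    lines = (PROMPT.sub("", raw.split("----->")[0]).strip() for raw in text.splitlines())
    return "\n".join(line for line in lines if line and line != "!")

def _get(pattern, text):
    m = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
    return m.groups() if m else None

def parse_bridge_config(text):
    """Return the bridge-relevant settings of one AP as a dict."""
    t = _normalize(text)
    role = _get(r"^station-role\s+(root-bridge|non-root-bridge)\b", t)
    chan = _get(r"^channel\s+(\d+)", t)
    width = _get(r"^chan-width\s+(\d+)", t)
    cfg = {"role": role[0].lower() if role else None,
           "channel": int(chan[0]) if chan else None,
           "width": int(width[0]) if width else 20,  # the guide gives 20 as the default
           "ssid": None, "cipher": None, "akm": None, "key": None}
    if cfg["role"] == "root-bridge":
        ssid = _get(r"^SSID\s+(\S+)", t)
        sec = None
        if _get(r"^(security rsn enable)$", t):
            cipher = _get(r"^security rsn ciphers\s+(\w+)\s+enable", t)
            akm = _get(r"^security rsn akm\s+(\w+)\s+enable", t)
            key = _get(r"^security rsn akm psk set-key ascii\s+(\S+)", t)
            if cipher and akm and key:
                sec = (cipher[0], akm[0], key[0])
    else:
        ssid = _get(r"^parent SSID\s+(\S+)", t)
        sec = _get(r"^bridge security rsn ciphers\s+(\w+)\s+akm\s+(\w+)\s+key ascii\s+(\S+)", t)
    if ssid:
        cfg["ssid"] = ssid[0]
    if sec:
        cfg["cipher"], cfg["akm"], cfg["key"] = sec[0].lower(), sec[1].lower(), sec[2]
    return cfg

def weak_psk(key):
    """Heuristic (assumption of this example): WPA2 passphrases are 8-63 ASCII characters;
    treat anything under 12 characters, or digits-only / letters-only, as weak."""
    return len(key) < 12 or key.isdigit() or key.isalpha()

def audit_bridge(root_text, nonroot_text):
    """Compare both ends of a bridge; return a sorted list of finding codes (keys are never echoed)."""
    root, non = parse_bridge_config(root_text), parse_bridge_config(nonroot_text)
    findings = set()
    if root["role"] != "root-bridge" or non["role"] != "non-root-bridge":
        findings.add("ROLE")
    if root["channel"] != non["channel"]:
        findings.add("CHANNEL_MISMATCH")
    if root["width"] != non["width"]:
        findings.add("WIDTH_MISMATCH")
    # The guide rules out 40MHz on channel 165; wider settings are flagged too (assumption).
    if any(ap["channel"] == 165 and ap["width"] > 20 for ap in (root, non)):
        findings.add("CH165_WIDE")
    if non["ssid"] is not None and non["ssid"] != root["ssid"]:
        findings.add("SSID_MISMATCH")
    if root["key"] is None and non["key"] is None:
        findings.add("OPEN_BRIDGE")  # no RSN on either end: bridge traffic is unencrypted
    elif (root["cipher"], root["akm"]) != (non["cipher"], non["akm"]):
        findings.add("SECURITY_MISMATCH")
    elif root["key"] != non["key"]:
        findings.add("PSK_MISMATCH")
    if any(ap["key"] is not None and weak_psk(ap["key"]) for ap in (root, non)):
        findings.add("WEAK_PSK")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_bridge(ROOT_CFG, NONROOT_CFG))
```

Run against the guide's own sample values, the only finding is the example key 12345678; an "Open" bridge SSID as configured in 5.6.1.3 would be reported as OPEN_BRIDGE.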
5.7 AC Virtualization Solution Implementation Guide - AC-224AP/AC-7072 Support

5.7.1 Preparation for Implementation
AC virtualization is a technology that combines multiple ACs into a single virtual AC. This article mainly introduces how the AC virtualization scheme is specifically implemented and provides actual cases.

List of Terms:
    Abbreviations/Terms    Explanation
    VAC                    Virtual-AC
    VSL                    Virtual Switching Link
    BFD                    Bidirectional Forwarding Detection
    GR                     Graceful Restart
    ISSU                   In-Service Software Upgrade
    MSTP                   Multiple Spanning Tree Protocol
    NLB                    Network Load Balance
    NMM                    Network Monitoring Module
    VRRP                   Virtual Router Redundancy Protocol

The formation of the VAC requires consistency in the model and software versions of the AC. The following are the models and quantities of AC that support the deployment of VAC:
    AC Model    Number of AC Member
    AC-224AP    4
    AC-7072     4
    AC-1004     Not support VAC
    FS-AC32     Not support VAC

1. Preparation for Implementation
Outline
The VAC networking topology is roughly as shown in the figure below. The uplink switch used in the following description refers to the SW device in the figure.
[Figure: VAC networking topology]
Requirements
a. All member ACs are required to have the same device type. For example, multiple AC-7072 can make up VAC, but AC-224AP and AC-7072 can not make up VAC.
b. If more than 2 cassette AC constitute VAC, then the switch needs to have remaining ports and AC to establish VSL links. The number of ports depends on how many VSL links are planned for each AC. If there are enough ports, it is recommended to plan 2 VSL links for each AC.
Note: if the VAC is composed of two cassette AC, the directly connected line between the AC can be used as the VSL link. Each AC can plan multiple VSL links to back up each other.
c. The port used by the connected switch to establish the VSL link needs to support ultra-long frame forwarding, and the mtu is configured as 9216.
Note: VSL messages are encapsulated with an additional header, but fragmentation is not supported for sending and receiving messages on VSL links. For example, a 1500-byte Ethernet message forwarded through the VSL gains a VSL header, so it exceeds 1500 bytes and cannot be forwarded. Therefore the mtu must be increased; an mtu of 2000 is normally sufficient. To cover cases where that is not enough (for example, when the uplink mtu itself has been adjusted), a unified configuration of 9216 is recommended.
d. The connected switch should support the configuration of the aggregation port, and the load balancing mode of the aggregation port should support the source IP or the source IP + destination IP. Plug-in AC (including VSU scenarios) also needs to be configured in the inline port.
Note: at present, most low, medium and high-end switches support configuring ultra-long frame forwarding and the load balancing strategy of aggregation ports. VAC is distributed, and data forwarding can be processed by any AC; consecutive data messages do not need to be associated with each other. Two consecutive messages from a STA visiting the same website can be forwarded through different ACs, but the control plane is stateful. VAC requires that AP control messages must be sent to the same AC for processing. AP migration occurs when AP control messages are sent to different ACs (AP migration also comes from this), so the aggregation port needs to adopt the source-destination IP balancing mode to ensure that AP control messages are stably sent to the same AC for processing.
e. The service link of the AC needs to be connected to the same connected switch or VSU switch. The uplink switch of the cassette AC must be the same switch or a VSU network, and the Plug-in AC needs to be in the same frame or in the VSU composed of different frames.
f. Check whether the features the customer needs are supported in the current VAC version.
For unsupported features, please see Chapter 6-Business deployment Guide-[businesses that do not support VAC].
g. Check whether cross-WLAN roaming in centralized forwarding mode is required. Currently, it is not supported, and you need to communicate with customers in advance.

5.7.2 Quick Implementation Guide

1. Preparation
Before implementation, the IP address of the AC needs to be set. VAC is equivalent to an AC and only needs a control IP address for CAPWAP.
Compared with a single AC, the VAC has an additional VSL link, and it is necessary to plan which ports of the uplink switch are used to connect the VSL link.
In the case of network reconstruction, it is necessary to merge the wireless configurations on multiple ACs, including WLAN, AP group, AP configuration, etc.
The wireless configuration of the VAC and the standalone configuration are not reused. The configuration of the VAC needs to be performed after the AC switches to the VAC mode. Configuration can be saved when switching modes, but it is advised to manually back up a set of configurations.
When deploying a wireless network for the first time or transforming the existing network into a VAC, you should plan which ports are used for VSL and which ports are used for service.

2. Configuration Implementation
This chapter describes how to deploy VAC, excluding the deployment of wireless services.
VAC Configuration Reference: please refer to Appendix 1: VAC Configuration Reference.
In the following configuration steps, the 0/1 and 0/2 ports of the AC are used as service ports, and the 0/4 and 0/5 ports are used as VSL ports (both interfaces use electrical port properties).
Step 1: Check the boot version of the AC
Method to check the Boot version: System Boot Version in Show Version.
Method to get the Boot version: Contact +1 (888) 468 7419 to obtain it.
Step 2: Upgrade the AC version to a version that supports VAC.
Execute the upgrade/download command on each AC device via TFTP. The command upgrades each AC to a version that supports VAC. After the upgrade is complete, begin setting up the VAC configuration.

Step 3: Configure the VAC on each AC

This includes specifying the device ID for each AC, starting from 1, and designating the ports to be used as VSL ports; two VSL ports per AC are recommended.

The VAC configuration and the standalone AC configuration are not reused. Before deploying the VAC, export the configuration and save it. After the VAC is deployed, import the configuration. Before importing, modify the interface-related configuration: for example, if te0/1 was originally a service port, change its configuration to the aggregate port and add te1/0/1 to the aggregate port. For wireless-related configuration, if the configurations on multiple ACs differ, consolidate them before importing.

Configuration on the first AC:

AC(config)# virtual-ac domain 90 # The domain ID can be set to other values, but it must be identical on all ACs.
AC(config-vac-domain)# device 1 # Specify the device ID for the AC.
AC(config-vac-domain)# device 1 description switch1-slot3 # Add a description to identify the AC's physical location.
AC(config-vac-domain)# exit
AC(config)# vac-port
AC(config-vac-port)# port-member interface gigabitEthernet 0/4
AC(config-vac-port)# port-member interface gigabitEthernet 0/5
# Specify VSL ports. For Gigabit combo interfaces (supporting both copper and fiber),
# if the medium type is not specified, the interface defaults to copper.
# This command can be executed either in VAC mode or in standalone mode.
# When the VSL link uses a combo Gigabit interface and operates as a fiber port,
# you must specify the fiber medium type. For combo ports used as optical interfaces,
# the fiber attribute must be explicitly declared.
AC(config-vac-port)# port-member interface gigabitEthernet 0/5 fiber

Configuration on the second AC:

AC(config)# virtual-ac domain 90
AC(config-vac-domain)# device 2 # Specify the device ID for the AC.
AC(config-vac-domain)# device 2 description switch1-slot4
AC(config-vac-domain)# exit
AC(config)# vac-port
AC(config-vac-port)# port-member interface gigabitEthernet 0/4
AC(config-vac-port)# port-member interface gigabitEthernet 0/5
# Specify the VSL ports. You can append either "copper" or "fiber" after the interface number.
# For Gigabit Ethernet combo ports (optical-electrical multiplexing), if the medium type is not specified,
# the interface defaults to a Gigabit electrical port.
# This command can be executed in both VAC mode and standalone mode.
# When the VSL link uses a Gigabit combo interface configured as an optical port,
# you must specify the "fiber" medium type. For combo ports operating as optical ports,
# their optical attributes must be explicitly declared.
AC(config-vac-port)# port-member interface gigabitEthernet 0/5 fiber
AC(config-vac-port)# exit
# Apply a similar configuration on other ACs, specifying the respective device IDs and VSL ports.
# The domain ID is used to identify a VAC and can range from 1 to 255.
# All ACs within the same VAC must use the same domain ID.
# The device ID identifies each AC within a VAC, and the ACs should be numbered sequentially (e.g., 1, 2, 3, 4, 5).

Step 4: Configure the aggregation port on the uplink switch

The service ports that connect the uplink switch and the AC need to be added to the aggregation port, and the load balancing mode needs to be configured as source IP + destination IP. The uplink switch may not be an FS switch; in that case, configure it with that switch's own commands.
FS(config)#interface aggregateport 1 # The numbering of the aggregation port is configured according to the actual situation on the switch
FS(config-if-AggregatePort 1)#switchport mode trunk # Configure the aggregate port according to the actual requirements of the network deployment
FS(config-if-AggregatePort 1)#exit
FS(config)#interface gigabitEthernet 0/5
FS(config-if-GigabitEthernet 0/5)#port-group 1 # Service port added to aggregate port
FS(config-if-GigabitEthernet 0/5)#interface gigabitEthernet 0/6
FS(config-if-GigabitEthernet 0/6)#port-group 1
FS(config-if-GigabitEthernet 0/6)#exit
# Add all service ports on the switch to the aggregation port in the same way.
FS(config)#aggregateport load-balance src-dst-ip # Configure the load balancing policy

Step 5: Configure the MTU of the VSL ports to 9216 on the uplink switch and configure a separate VLAN

FS(config-if-xxx)#mtu 9216
FS(config-if-xxx)#switchport access vlan 2024 # Find an unused VLAN according to the actual situation

The VSL ports of all member ACs should belong to the same Layer 2 LAN and be configured with the same VLAN. It is recommended that non-VSL ports remove this VLAN, that is, plan a VLAN for VSL link forwarding only. Interfaces on the switch that are used for VSL links do not need port aggregation.

Note: If two cassette ACs form a VAC, you can connect the ACs to each other directly as VSL links, and step 5 on the switch is not needed. If there are more than two cassette ACs, and for board-type ACs, you need to follow step 5.

Step 6: Switch each AC to VAC mode

If it is a cassette AC, connect the VSL port of the AC to the VSL port of the uplink switch. Then switch the mode on the AC:

AC#write # Save VAC configuration before reboot
AC#device convert mode virtual
Convert mode will backup and delete config file, and reload the switch.
Are you sure to continue[yes/no]:yes
Do you want to recover config file from backup file in virtual mode (press 'ctrl + c' to cancel) [yes/no]:yes

The configurations of standalone mode and VAC mode are not shared. After switching to VAC mode, the configuration of the AC is empty and the standalone configuration has been backed up. The backup files are: standalone.text ap-standalone.text. The wireless configuration of the VAC needs to be configured after switching to VAC mode.

Step 7: Configure the service port on the master AC

After the AC is up, you can list the member ACs of the VAC with show virtual-ac. After the ACs have formed the VAC normally, configure the service ports:

AC(config)#interface aggregateport 1
AC(config-if-AggregatePort 1)#switchport mode trunk # Configure the aggregate port according to the actual situation
AC(config-if-AggregatePort 1)#exit
AC(config)#interface gigabitEthernet 1/0/1
AC(config-if-GigabitEthernet 1/0/1)#port-group 1
AC(config-if-GigabitEthernet 1/0/1)# interface gigabitEthernet 1/0/2
AC(config-if-GigabitEthernet 1/0/2)# port-group 1
# Add other ports to the aggregation port in the same way

After the service port configuration is completed, if it is a cassette device, connect the AC to the service ports of the uplink switch. At this point, the VAC environment is complete.

3. Acceptance

See Chapter 3: 03 Common Commands for VAC Acceptance

5.7.3 Common Commands for VAC Acceptance

1. show virtual-ac config

Check the VAC mode configuration for each AC, for example:

VAC#show virtual-ac config
device_id: 1 (mac: 649d.99d0.d58e)
!
device virtual domain 90
!
device 1
device 1 priority 100
device 1 description switch1-slot3
!
port-member interface GigabitEthernet 0/4 copper
port-member interface GigabitEthernet 0/5 copper
device convert mode virtual
!
device_id: 2 (mac: 649d.99d0.40d4)
!
device virtual domain 90
!
device 2
device 2 priority 100
device 2 description switch1-slot4
!
port-member interface GigabitEthernet 0/4 copper
port-member interface GigabitEthernet 0/5 copper
device convert mode virtual
!
device_id: 3 (mac: 649d.99d0.d5a6)
!
device virtual domain 90
!
device 3
device 3 priority 100
device 3 description switch1-slot5
!
port-member interface GigabitEthernet 0/4 copper
port-member interface GigabitEthernet 0/5 copper
device convert mode virtual
!
VAC#

2. show virtual-ac

Check the Device ID, Priority, and Role information for each AC. If an AC is not shown here, it has not been added to the VAC.

Device_id  Domain_id  Priority  Position  Status  Role       Description
---------------------------------------------------------------------
1(1)       90(90)     100(100)  LOCAL     OK      ACTIVE     switch1-slot3
2(2)       90(90)     100(100)  REMOTE    OK      STANDBY    switch1-slot4
3(3)       90(90)     100(100)  REMOTE    OK      CANDIDATE  switch1-slot5

3. show virtual-ac topology

Check the role of each AC and the MAC address of each AC (this MAC address is not the actual MAC used).

Switch[1]: ACTIVE, MAC: 003a.b64e.2500, Description: switch1-slot3
Switch[2]: STANDBY, MAC: 5869.6c75.0002, Description: switch1-slot4
Switch[3]: CANDIDATE, MAC: 5869.6c1c.43f7, Description: switch1-slot5

4. show virtual-ac resource

Shows the CPU utilization, memory utilization, and flash utilization of each member AC.

Device_id  CPU(5s)  CPU(1m)  CPU(5m)  Memory  Flash
---------------------------------------------------------------------
1          2.80%    4.00%    3.10%    48%     87% (34963KB free)
2          2.40%    4.60%    3.70%    48%     95% (12111KB free)
3          10.40%   7.40%    6.00%    52%     81% (52776KB free)

5. Show virtual-ac role

Check VAC role prioritization.

FS#show virtual-ac role
Device_id  Domian_id  Priority  Position  Status  Role     Conn_swid  Desription
2          10         120       Local     OK      ACTIVE   1          Switch-2
1          10         100       Remote    OK      STANDBY  1          Switch-1

6. show interface status

Check the interface status. If everything is normal, the VSL ports and service ports are all UP.
Interface                Status  Vlan  Duplex  Speed  Type
-----------------------  ------  ----  ------  -----  ------
GigabitEthernet 1/0/1    up      201   Full    100M   copper
GigabitEthernet 1/0/2    up      201   Full    100M   copper
GigabitEthernet 1/0/4    up            Full    100M   copper
GigabitEthernet 1/0/5    up            Full    100M   copper
GigabitEthernet 2/0/1    up      201   Full    100M   copper
GigabitEthernet 2/0/2    up      201   Full    100M   copper
GigabitEthernet 2/0/4    up            Full    100M   copper
GigabitEthernet 2/0/5    up            Full    100M   copper
GigabitEthernet 3/0/1    up      201   Full    100M   copper
GigabitEthernet 3/0/2    up      201   Full    100M   copper
GigabitEthernet 3/0/4    up            Full    100M   copper
GigabitEthernet 3/0/5    up            Full    100M   copper
AggregatePort 1          up      201   Full    100M   copper

7. show virtual-ac balance-info

After the APs start coming online, you can use this command to check the AP and STA associations on each AC.

Dev ID  AP Num  AP License  STA Num
------  ------  ----------  -------
1       14      17.0        125
2       13      12.5        84
3       14      13.0        83

The number of APs should be roughly equal across member ACs. If an imbalance occurs, the possible reasons are as follows:

a. The load balancing method of the aggregation port is incorrect. Check the balancing policy of the aggregation port on the uplink switch. Our switch products are used as an example here; for other vendors' products, please consult the configuration manual of the corresponding product.
FS# show aggregatePort summary # View aggregate port information
AggregatePort  MaxPorts  SwitchPort  Mode    Load Balance      Ports
Ag1            32        Enabled     TRUNK   enhanced profile  Gi1/2/1 , Gi2/1/2
Ag2            32        Enabled     TRUNK   enhanced profile  Gi1/2/19, Gi1/2/20, Gi1/2/21, Gi1/2/22, Gi2/1/6
Ag3            32        Disabled    —       enhanced profile  Gi1/2/23, Gi1/2/24, Gi2/1/4
Ag4            32        Enabled     TRUNK   enhanced profile  Gi1/2/2 , Gi2/1/1
Ag5            32        Enabled     TRUNK   enhanced profile  Gi1/2/3 , Gi2/1/3
Ag11           32        Enabled     TRUNK   enhanced profile  Te1/2/47
Ag12           32        Enabled     TRUNK   src-dst-ip        Gi1/2/12, Gi2/1/12
Ag23           32        Enabled     TRUNK   enhanced profile  —
Ag24           32        Enabled     ACCESS  enhanced profile  —
Ag63           32        Enabled     TRUNK   enhanced profile  —
Ag64           32        Enabled     TRUNK   enhanced profile  Te1/4/3 , Te1/4/4 , Te1/6/3 , Te1/6/4 , Te2/5/3 , Te2/5/4 , Te2/6/3 , Te2/6/4

FS# show load-balance-profile # Check the enhanced policies
Load-balance-profile: Vac-base-port
Packet Hash Field:
IPV4: src-ip
IPV6: src-ip dst-ip
L2: src-mac dst-mac vlan
MPLS: top-label 2nd-label
TRILL: src-mac dst-mac vlan
FCOE: src-id dst-id ox-id
FS#

FS# show aggregatePort load-balance # Check the global balancing policy
Load-balance: Source IP and Destination IP

Change the aggregation port load balancing policy to Source IP + Destination IP. The enhanced balancing policy is recommended:

FS(config)# load-balance-profile vac-load-balance-profile
FS(config-load-balance-profile)# ipv4 field src-ip dst-ip
FS(config)#interface aggregateport 1 # The numbering of the aggregation port is configured according to the actual conditions on the switch
FS(config-if-AggregatePort 1)# aggregateport load-balance enhanced profile vac-load-balance-profile # Configure the enhanced load balancing policy

If the enhanced balancing policy is not supported, the normal balancing policy can be used instead:

FS(config)#aggregateport load-balance src-dst-ip

b. Local priority forwarding is enabled. Check on the uplink switch to confirm it. If the switch to which the VAC is connected also deploys VSU virtualization, you can try turning off local priority forwarding. Our switch products are used as an example here; for other vendors' products, please check the configuration manual of the corresponding product.

FS#show switch virtual balance
Aggregate port LFF: disable # If enable, it needs to be turned off
ECMP LFF: enable
FS#

Turn off local priority forwarding for VSUs:

FS# conf t
FS(config)# switch virtual domain 1 # The specific domain-id is the domain-id of the VSU
FS(config-vs-domain)# no switch virtual aggregateport-lff enable # Turn off local priority forwarding for VSUs

8. show interface counters rate

After the APs start to come online, you can use this command to check the traffic values of each interface. Under normal circumstances, there is uplink and downlink traffic on each service port.

5.7.4 Capacity Expansion Implementation Guide

1. Preparation

Check the maximum number of member ACs that the VAC can support.

AC model   Number of member ACs
AC-224AP   4
AC-7072    4
AC-1004    Not support VAC
FS-AC32    Not support VAC

Upgrade the new AC to the same version as the current VAC.

2. Configuration Implementation

Switching the AC to VAC mode: for a cassette AC, connect the VSL port of the AC to the VSL port of the uplink switch. Then switch the mode on the AC:

AC#write # Save VAC configuration before rebooting
AC#device convert mode virtual
Convert mode will backup and delete config file, and reload the switch.
Are you sure to continue[yes/no]:yes
Do you want to recover config file from backup file in virtual mode (press 'ctrl + c' to cancel) [yes/no]:yes

At this point, the new AC will automatically join the VAC upon reboot.

3. Acceptance

Run show virtual-ac on the master AC to see whether the new AC has joined the VAC. During a normal startup of the new AC, the master AC can see the new AC joining.
show virtual-ac shows the corresponding device ID.

show virtual-ac
Device_id  Domain_id  Priority  Position  Status  Role       Description
---------------------------------------------------------------------
1(1)       90(90)     100(100)  LOCAL     OK      ACTIVE
2(2)       90(90)     90(90)    REMOTE    OK      STANDBY
4(4)       90(90)     50(50)    REMOTE    OK      CANDIDATE

show interface status

Check the status of the interfaces. Normally, when the new AC has just joined, its service ports are down and its VSL ports are UP. You need to wait until the table entries are synchronized to the new AC before the interfaces become UP and start working.

Interface             Status  Vlan  Duplex   Speed    Type
--------------------------------------------------------------
GigabitEthernet1/0/1  up      1     Full     100M     copper
GigabitEthernet1/0/2  up      1     Full     100M     copper
GigabitEthernet1/0/3  down    1     Unknown  Unknown  copper
GigabitEthernet1/0/4  down    1     Unknown  Unknown  copper
GigabitEthernet1/0/5  up      1     Full     100M     copper
GigabitEthernet1/0/6  down    1     Unknown  Unknown  copper
GigabitEthernet1/0/7  down    1     Unknown  Unknown  copper
GigabitEthernet1/0/8  down    1     Unknown  Unknown  copper
GigabitEthernet2/0/1  up      1     Full     100M     copper
GigabitEthernet2/0/2  up      1     Full     100M     copper
GigabitEthernet2/0/3  down    1     Unknown  Unknown  copper
GigabitEthernet2/0/4  down    1     Unknown  Unknown  copper
GigabitEthernet2/0/5  up      1     Full     100M     copper
GigabitEthernet2/0/6  down    1     Unknown  Unknown  copper
GigabitEthernet2/0/7  down    1     Unknown  Unknown  copper
GigabitEthernet2/0/8  down    1     Unknown  Unknown  copper
GigabitEthernet4/0/1  up      1     Full     100M     copper
GigabitEthernet4/0/2  up      1     Full     100M     copper
GigabitEthernet4/0/3  down    1     Unknown  Unknown  copper
GigabitEthernet4/0/4  down    1     Unknown  Unknown  copper
GigabitEthernet4/0/5  up      1     Full     100M     copper
GigabitEthernet4/0/6  down    1     Unknown  Unknown  copper
GigabitEthernet4/0/7  down    1     Unknown  Unknown  copper
GigabitEthernet4/0/8  down    1     Unknown  Unknown  copper

After the new AC is up, table entry synchronization completes and the interfaces come UP.
After that, a large number of APs will be migrated, which can be confirmed through syslog. For other common acceptance commands, please refer to Chapter 03 Common Commands for VAC Acceptance.

5.7.5 Operational Support Scenarios and Deployment Guide

1. Services that do not support VAC

AC virtualization currently does not support the following features: IPv6, NAT (NAT enabled on the AC, not cross-NAT between AC and AP), WEB 1st generation authentication, built-in portal authentication, GSN, VAC and VAC group hot standby, roaming between VACs, associated control domain functionality, same-frequency networking, RPCAP, RF Ping, RRM, WIDS, wireless positioning, MESH, cloud AC, STA load balancing, spanning tree protocols (STP, RSTP, MSTP), and AC forwarding mode.

Active AP load balancing on the AC is not supported, because AP load balancing relies on the aggregation ports of the uplink switch. This affects deployments that involve AC/AP cross-NAT: APs with the same source IP may be balanced to the same member AC, resulting in suboptimal AP load balancing.

Port mirroring is not supported. When port mirroring is enabled, packets are transmitted through the VSL, which may cause the VAC to split.

2. Configuration

AC virtualization can only be configured on the primary AC. When the AC connected via the serial port is not the primary AC, configuration can be done by connecting to the primary AC through session master. Each AC can also check its own configuration with show run. It is normal that the IP configuration of interfaces cannot be seen when using show running-config on non-primary ACs.

Note that for offline AP configuration, if a configuration such as 11acsupport enable radio 2 is set while the AP is offline, then when the AP comes online and associates with a non-primary AC, the configuration there will be changed to no 11acsupport enable radio 2. However, the configuration on the primary AC will still be 11acsupport enable radio 2.
There are other similar commands that may change when the AP comes online, but these changes only affect the AC the AP is associated with. This does not affect normal use of the AP.

3. Station Management Class

The current version of VAC does not support associating control domains: the association control domain has not yet been implemented to take effect across the VAC as a whole.

The current version of VAC does not support centralized forwarding roaming across WLANs. Cross-WLAN refers to a configuration of two WLANs with the same SSID and the same encryption/authentication methods, where different APs map to different WLANs and the STA roams between these two WLANs. Currently, VAC's centralized forwarding roaming does not support roaming across WLANs. This requirement must be communicated in advance, before deploying or renovating the network.

4. AC/AP Upgrade

a. AC Upgrade

Upgrading the software version of the virtual AC is exactly the same as upgrading a single AC: execute the command upgrade download tftp: on the master AC.

When the software version of a virtual AC is upgraded, all member ACs of the virtual AC are upgraded at the same time. However, if one of the member ACs does not have enough flash space, or cannot be upgraded for another reason, the whole virtual AC will not be upgraded successfully. You can check whether there is enough flash on each AC with show virtual-ac resource. If there is a .bin.up.tmp file in the flash, it is the upgrade file used for the previous AC version upgrade, and you can delete it.

VAC# show virtual-ac resource
Device_id  CPU(5s)  CPU(1m)  CPU(5m)  Memory  Flash
--------------------------------------------------
1          2.50%    3.60%    2.80%    48%     87% (34922KB free)
2          3.80%    4.80%    3.50%    48%     95% (12140KB free)
3          4.90%    6.80%    5.40%    52%     81% (50823KB free)

Add a new member AC.
If the software version of this member AC does not match the software version of the other member ACs in the virtual AC that has already been formed, it is currently still allowed to join the VAC, but it will not be upgraded automatically, and a syslog message is generated:

*Jan 1 00:00:23: %VSU-3-VSL_SOFTWARE_VERSION_ERROR: VSL member port [GigabitEthernet1/0/5]: Peer software version is incompatible, must upgrade software as soon as possible.

In this case, it is recommended to remove the AC with the old version and upgrade it individually before adding it to the VAC. The current version does not support upgrading a specific AC. You can also upgrade the entire VAC via upgrade download tftp:, but all member ACs will be rebooted: ACs on a different version will be upgraded to the corresponding version, while ACs already on that version will only reboot along with the rest of the VAC without being upgraded.

b. AP Upgrade

Upgrading APs under VAC works exactly as in the single-AC scenario.

Note that the software synchronizes the AP upgrade file to each member AC. Other member ACs may not have enough flash space, in which case the upgrade file is not synchronized successfully and the APs associated with that AC are not upgraded automatically. You can check for file transfer failures with the command show ac-config active-file status. If a file transfer has failed, delete the unused files on the device with the commands dir dev2_flash: and delete dev2_flash:xxx in privileged mode, and then reconfigure active-bin-file.

show ac-config active-file status

Check whether there is an anomaly in the synchronization of the upgrade file to an AC device.
The following list shows only the transfer of upgrade files to non-primary AC devices.

File Name  Software number  Device  File Tx  Description
---------  ---------------  ------  -------  --------------------------
ap.bin     M02211607122016  2       100%     Success
ap.bin     M02211607122016  3       100%     Success
am.bin     M06162807052016  2       0%       Flash space not enough
am.bin     M06162807052016  3       100%     Success

AC# dir dev2_flash:

Check the flash status of the AC with the specified device ID.

-rwxrwxrwx 1 anonymous ftp 130973 Jul 25 17:16 syslog_3.txt
drwxrwxrwx 2 anonymous ftp 160 Dec 04 2015 dev
drwxrwxrwx 2 anonymous ftp 160 Dec 04 2015 rep
drwxrwxrwx 3 anonymous ftp 224 Dec 04 2015 var
-rw-r--r-- 1 anonymous ftp 25017 Aug 23 10:21 virtual_switch.text
-rwxrwxrwx 1 anonymous ftp 15254656 Jun 07 10:54 ap515.bin
-rwxrwxrwx 1 anonymous ftp 1329 Jun 06 19:56 getnext_mib_register.text
-rwxrwxrwx 1 anonymous ftp 126 Aug 23 16:24 config_vac.dat
-rwxrwxrwx 1 anonymous ftp 23643197 May 19 17:39 ap505.bin
... (many files omitted) ...
-rwxr-xr-x 1 anonymous ftp 83091668 Aug 23 14:48 ac.bin.up.tmp
-rwxrwxrwx 1 anonymous ftp 130989 Jul 25 17:16 syslog_10.txt
-rwxrwxrwx 1 anonymous ftp 131009 Jul 25 17:16 syslog_11.txt
-rwxrwxrwx 1 anonymous ftp 887 Dec 04 2015 httpd_key.pem
-rwxrwxrwx 1 anonymous ftp 2811 Aug 15 17:44 standalone.text
-rwxrwxrwx 1 anonymous ftp 4997 Mar 22 18:02 card_5708_10.xml
-rwxrwxrwx 1 anonymous ftp 130968 Jul 25 17:16 syslog_1.txt
-rwxrwxrwx 1 anonymous ftp 130915 Jul 25 17:16 syslog_2.txt
66 files, 11 directories
281,903,104 bytes data total (68,780,032 bytes free)
536,870,912 bytes flash total (68,780,032 bytes free)

For example, ap515.bin is an unneeded file. Delete it, and then reactivate the upgrade file:

AC# delete dev2_flash:ap515.bin
AC#configure
AC(config)#ac-controller
AC(config-ac)#active-bin-file am.bin

Please use the ap-image auto-upgrade command for AP upgrade. Configuring this command will automatically match the corresponding upgrade file to the AP model for upgrade.
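The two checks described above (free flash per member AC, and the sync state of each upgrade file) can be combined into one pre-upgrade report. The following Python sketch is an added example, not part of the FS guide or tooling; the sample outputs are constructed in the column layout shown above, and the function names are hypothetical.

```python
import math
import re

# Constructed sample in the layout of "show virtual-ac resource".
RESOURCE_OUTPUT = """\
Device_id CPU(5s) CPU(1m) CPU(5m) Memory Flash
--------------------------------------------------
1 2.50% 3.60% 2.80% 48% 87% (34922KB free)
2 3.80% 4.80% 3.50% 48% 95% (12140KB free)
3 4.90% 6.80% 5.40% 52% 81% (50823KB free)
"""

# Constructed sample in the layout of "show ac-config active-file status".
ACTIVE_FILE_OUTPUT = """\
File Name Software number Device File Tx Description
--------- --------------- ------ ------- --------------------------
ap.bin M02211607122016 2 100% Success
ap.bin M02211607122016 3 100% Success
am.bin M06162807052016 2 0% Flash space not enough
am.bin M06162807052016 3 100% Success
"""


def parse_free_flash(text):
    """Map device ID -> free flash in KB from 'show virtual-ac resource'."""
    free = {}
    for line in text.splitlines():
        # Data rows start with the device ID and end with "(<n>KB free)".
        m = re.match(r"\s*(\d+)\s+.*\((\d+)KB free\)\s*$", line)
        if m:
            free[int(m.group(1))] = int(m.group(2))
    return free


def parse_active_file_status(text):
    """Return one dict per data row of 'show ac-config active-file status'."""
    rows = []
    for line in text.splitlines():
        # file name, software number, device ID, percent sent, description
        m = re.match(r"\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)%\s+(.+?)\s*$", line)
        if m:
            rows.append({"file": m.group(1), "device": int(m.group(3)),
                         "percent": int(m.group(4)), "status": m.group(5)})
    return rows


def upgrade_blockers(resource_text, status_text, image_bytes):
    """Return {device ID: [reasons]} for members that cannot take the file.

    Assumption of this example: a member needs at least image_bytes of
    free flash to receive the upgrade file.
    """
    need_kb = math.ceil(image_bytes / 1024)
    blockers = {}
    for dev, free_kb in sorted(parse_free_flash(resource_text).items()):
        if free_kb < need_kb:
            blockers.setdefault(dev, []).append(
                f"flash: {free_kb} KB free, file needs {need_kb} KB")
    for row in parse_active_file_status(status_text):
        if row["percent"] < 100 or row["status"].lower() != "success":
            blockers.setdefault(row["device"], []).append(
                f"sync: {row['file']} at {row['percent']}% ({row['status']})")
    return blockers


if __name__ == "__main__":
    # 23643197 bytes is the size of ap505.bin in the directory listing above.
    report = upgrade_blockers(RESOURCE_OUTPUT, ACTIVE_FILE_OUTPUT, 23643197)
    for dev, reasons in report.items():
        for reason in reasons:
            print(f"device {dev}: {reason}")
```

An empty report means every member has room for the file and every listed file reached 100% with status Success.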
If no active-bin-file is executed after active-bin-file (using the ap-serial command) while the upgrade file is still being synchronized to the standby AC, the file may end up activated on the primary AC but not on the standby AC. You can check the activation status on each AC with show ac-config active-file status; if it is inconsistent, re-activate the file on the primary AC.

If the AC is sending the upgrade file to the APs, configuring no active-bin-file stops the transfer immediately. APs that have not finished receiving the upgrade file will restart after a period of time, and after restarting they will still run the version from before the upgrade.

c. AP-GROUP Mode for AP Upgrade

This differs from configuring the AP upgrade in ac-controller mode. An upgrade through ap-image under ap-group is one-time: whether an AP needs to be upgraded is checked only at the moment ap-image is configured, and the configuration is not saved. You must configure active-bin-file successfully before configuring ap-image, and the upgrade file is synchronized to the backup (slave) ACs only after active-bin-file is configured. As a result, when the ap-image command is executed on a backup AC, the file may not yet be synchronized, and the configuration does not succeed.

Therefore, to configure the upgrade command under ap-group, the following steps are required: first, configure active-bin-file under the ap-group; then confirm with show ac-config active-file status that the file has been synchronized to the member ACs; and finally configure ap-image to trigger each AC to upgrade the APs under the ap-group.

It is highly recommended to configure AP upgrade in ac-controller mode.

d. AP-CONFIG Mode for AP Upgrade

Configuring ap-image in ap-config mode also requires that you configure active-bin-file first, then confirm with show ac-config active-file status that the file has been synchronized to the member ACs, and then configure ap-image in ap-config mode.

When upgrading an AP through ap-config mode, if the AP is being upgraded and is not associated with the primary AC, no error is reported when you issue no ap-image, but the AP continues to be upgraded. In this case, you need to execute no ap-image once more while the AP is not being upgraded, to prevent the ap-image command from remaining on the non-primary AC.

It is strongly recommended to configure AP upgrade in ac-controller mode.

5. SNMP Management Class

Under virtualization, AC information obtained through SNMP has to be collected from each member AC, and the response may be slow. For this reason, SNMP in AC virtualization adds a caching function that periodically caches SNMP data from the other member ACs on the main AC to make table reads more efficient.

Note that after SNMP caching is configured, the host updates the cache every 5 minutes by default, so the data the server obtains with an SNMP-GET operation may be from 5 minutes ago. Depending on how often the network management software performs GET operations, you can adjust the update period.
snmp-server flow-control pps
# Configure SNMP flow control. Setting it too high raises CPU usage; setting it too low makes reads slow.
# Adjust it according to how the device is actually running. Different devices have different default values.
# With a default value of 300, if the number of APs is greater than 1,500 and the network management software
# needs to read AP-related table entries, adjusting to 600 or more is recommended:
# set 600 first, and then adjust at your discretion according to the CPU usage of the device.
snmp-server cache update-timer
# Configure the interval between cache updates. A short interval raises CPU usage; a long interval makes the data stale.
snmp-server cache enable
# Enable SNMP caching

### The following OID nodes are supported by the SNMP cache. It is recommended to enable them as needed, according to what the network management software reads.

snmp-server cache oid 1.3.6.1.2.1.145.1.2.2.1
snmp-server cache oid 1.3.6.1.2.1.145.1.2.3.1
snmp-server cache oid 1.3.6.1.2.1.145.1.2.6.1
snmp-server cache oid 1.3.6.1.2.1.145.1.2.7.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.1.1.39.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.1.1.48.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.1.1.49.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.10.1.12.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.10.1.13.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.19.1.1.10.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.19.1.1.11.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.35.1.3.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.36.1.3.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.40.1.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.40.1.5.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.2.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.3.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.6.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.2.1.7.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.56.5.1.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.64.1.1.38.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.64.1.1.39.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.73.1.3.1.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.1.3.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.2.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.4.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.5.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.5.2.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.10.7.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.14.2.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.15.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.16.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.16.2.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.2.1.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.2.3.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.3.1.1
snmp-server cache oid 1.3.6.1.4.1.4881.1.1.10.2.81.6.1.1

The cache update time can be chosen with reference to the query period of the network management server software (SNC, RILL, etc.). If SNC is used as the network management software and there are more than 1000 APs in the scenario, it is recommended to set the SNMP flow control to 600 and to configure all the cache OIDs at the same time.

6. Dual Host Detection

The VAC itself converges its topology over the VSL link. In a dual-host scenario, the members negotiate a new host, keep the VAC devices on that host's side, and restart all the VAC devices on the opposite side. Dual-host detection adds another layer of protection against VSL link anomalies to improve VAC reliability. Dual-host detection therefore has to use a non-VSL link for detection, and it should be turned on in all scenarios.
When cassette ACs form a VAC, the cassette ACs are connected to each other with network cables, so the possibility of an intermediate link abnormality is greater, and turning on dual-host detection is recommended even more strongly. If there are two cassette ACs, it is recommended to use BFD detection over the direct link. When there are more than two ACs, it is recommended to use aggregate port detection; aggregate port detection requires the switch to support DAD forwarding.

For example, use port 0/3 of two ACs for the direct connection and configure BFD with the following steps:

AC(config)#interface gigabitEthernet 1/0/3
AC(config-if-GigabitEthernet 1/0/3)#no switchport
AC(config-if-GigabitEthernet 1/0/3)# interface gigabitEthernet 2/0/3
AC(config-if-GigabitEthernet 2/0/3)#no switchport
AC(config-if-GigabitEthernet 2/0/3)#exit
AC(config)#virtual-ac domain 100 # domain id is the ID specified by the VAC in the previous deployment.
AC(config-vac-domain)# dual-active detection bfd
AC(config-vac-domain)# dual-active bfd interface GigabitEthernet 1/0/3
AC(config-vac-domain)# dual-active bfd interface GigabitEthernet 2/0/3

Check whether the BFD detection ports are UP:

AC(config)# show virtual-ac dual-active bfd
BFD dual-active detection enabled: Yes
BFD dual-active interface configured:
GigabitEthernet 1/0/3: UP
GigabitEthernet 2/0/3: UP

Configure aggregate port dual-host detection with the following steps:

AC(config)#virtual-ac domain 100 # domain id is the ID specified by the VAC in the previous deployment.
AC(config-vac-domain)# dual-active detection aggregateport
AC(config-vac-domain)# dual-active interface aggregateport 1
FS(config)# interface aggregateport 1 #Enable DAD forwarding on the uplink switch
FS(config-if-AggregatePort 1)#dad relay enable

Check whether the ports used for aggregate port dual-host detection are UP:

show virtual-ac dual-active aggregateport
Aggregateport dual-active detection enabled: Yes
Aggregateport dual-active interface configured:
AggregatePort 1: DOWN
GigabitEthernet 1/0/8: DOWN
GigabitEthernet 2/0/8: DOWN

7. VAC Multi-VSL Scenario Deployment Configuration

In some VAC scenarios, multiple VSL links need to be deployed to each member AC to further improve the reliability of the whole network, so that the failure of one VSL link does not affect the services on the member AC.

If the VSLs between different ACs are interconnected through the core switch, the VSL ports of each member AC of each VAC must be aggregated on the core switch, and the VSL ports of different member ACs must be added to different aggregation ports. If the VSL link does not pass through the core but is directly connected between the ACs, there is no need to do aggregation on the AC side.

If VSL aggregation is not configured, flapping of the corresponding VSL interface on the core switch causes the MAC address table entry of that interface to flap as well. If the MAC table entries on the core switch are aged out or the table is full, the VSL link interaction messages between ACs are flooded on the core switch, increasing the VSL link burden on the ACs and affecting the stability of equipment operation.
If two ACs are virtualized and each AC has two VSL links, two aggregation ports need to be configured on the core switch: the two VSL interfaces of AC1 are added to aggregation port 1, and the two VSL interfaces of AC2 are added to aggregation port 2. Similarly, if four ACs are virtualized, four aggregation ports need to be configured on the core switch for VSL aggregation, as follows:

FS(config)#interface aggregateport 3 # The numbering of the aggregation port is configured according to the actual conditions on the switch
FS(config-if-AggregatePort 3)#mtu 9216
FS(config-if-AggregatePort 3)#switchport access vlan 2024 # Find a VLAN that is not in use as appropriate.
FS(config-if-AggregatePort 3)#exit
FS(config)# interface TenGigabitEthernet 1/9/7
FS(config-if-TenGigabitEthernet 1/9/7)#port-group 3 #Add the first VSL corresponding to AC1 to aggregation port 3
FS(config-if-TenGigabitEthernet 1/9/7)# interface TenGigabitEthernet 1/9/8
FS(config-if-TenGigabitEthernet 1/9/8)#port-group 3 #Add the second VSL corresponding to AC1 to aggregation port 3
FS(config-if-TenGigabitEthernet 1/9/8)#exit
FS(config)#interface aggregateport 4 # The numbering of the aggregation port is configured according to the actual conditions on the switch
FS(config-if-AggregatePort 4)#mtu 9216
FS(config-if-AggregatePort 4)#switchport access vlan 2024 #Find a VLAN that is not in use as appropriate, different from the VLAN used by the FS VSL.
FS(config-if-AggregatePort 4)#exit
FS(config)# interface TenGigabitEthernet 1/9/9
FS(config-if-TenGigabitEthernet 1/9/9)#port-group 4 #Add the first VSL corresponding to AC2 to aggregation port 4
FS(config-if-TenGigabitEthernet 1/9/9)# interface TenGigabitEthernet 1/9/10
FS(config-if-TenGigabitEthernet 1/9/10)#port-group 4 #Add the second VSL corresponding to AC2 to aggregation port 4
FS(config-if-TenGigabitEthernet 1/9/10)#exit
#Add the VSL ports of other ACs to new aggregation ports in the same way.
5.7.6 Critical Configuration Checks

VAC critical configuration checklist

1. Is mtu 9216 configured on the port on the switch used for VSL links?
2. Is a separate VLAN configured on the switch for VSL links?
3. Is the switch configured with a load balancing policy based on source IP and destination IP?
4. Are the versions of the ACs consistent? This can be checked with show version.
5. Is SNMP CACHE enabled when SNMP is turned on, and are the OIDs added to the cache?

5.7.7 VAC Frequently Asked Questions

1. What ACs currently support VAC deployment and what is the number of supported member ACs?

AC Model     Number of member ACs
AC-224AP     4
AC-7072      4
AC-1004      VAC not supported
FS-AC32      VAC not supported

2. Can I group virtualization between devices of different models?

At present, AC devices of different models cannot form a VAC; the AC devices that form a VAC must be the same model.

3. What are the functional limitations of VAC deployment?

a. VAC does not support IPV6, NAT (NAT is enabled on AC, not AC/AP across NAT), GSN, RPCAP, RF ping, RRM, WIDS, MESH, Spanning Tree Protocol (STP, RSTP, and MSTP), and port mirroring (when port mirroring is enabled, the packets will be transmitted through VSL, which may result in the splitting of VAC).
b. VAC does not support built-in web authentication, generation web authentication.
c. VAC does not support inter-AC deployment of VAC across NAT scenarios, centralized forwarding roaming across WLANs, hot standby between VACs and VACs, and roaming between VACs and VACs.
d. VAC does not support associated control domains, same frequency networking, STA load balancing, wireless localization, cloud AC management, and AC forwarding mode.
e. AP load balancing does not support active load balancing on the AC, and relies on the load balancing of the aggregation port of the uplink switch. This affects the deployment scenario of AC/AP across NAT.
In this scenario, the source IPs of APs may be the same, and APs with the same source IP will be loaded to the same member AC, resulting in poor AP load balancing.

4. Can multiple devices across WAN be virtualized?

Currently, we do not support VACs composed of ACs across WAN, and the uplink switch of the ACs is required to be the same switch.

5. Can I enable hot standby between two virtual ACs?

At present, VAC does not support the formation of wireless hot standby.

6. Does the virtual AC and a single AC support inter-AC roaming?

Currently, virtual ACs do not support roaming, and virtual ACs and individual ACs do not support inter-AC roaming, and there will be no subsequent versions to support it.

7. Does it support port mirroring in VAC mode?

Port mirroring on AC devices is not supported in VAC scenarios. When port mirroring is enabled, if the mirrored message is forwarded to another AC through VSL, it may lead to VAC splitting. Splitting and then merging will cause some ACs to reboot, affecting the whole network service. Port mirroring within the same AC does not go through the VSL link, but in the VAC scenario, port mirroring within the same AC is not significant, and it is common to mirror aggregated ports, which will inevitably go through the VSL link and cause the VAC to split.

8. Does VAC mode support spanning trees?

Spanning Tree (STP), RSTP and MSTP functions are not supported in VAC mode. Enabling STP on the VAC may cause the service port to be accidentally switched to the DISCARDING state, resulting in network interruption.

9. Does VAC mode support ript?

Supported.

10. Does the AC-7072 comprise a VAC that supports the insertion of expansion cards?

No, it doesn't.

11. When AC is directly connected in a VAC deployment, does the VSL link need to be divided into VLANs?

No, it is not necessary to divide VLANs; after being deployed as a VSL link, it is distinguished from the communication VLAN.

12. Can a VSL link be realized by multiple ACs' direct connection?
When there are only two ACs, the VSL link may be directly connected; when there are more than two, the ACs need to be connected to the switch to form a star-structured topology. Connecting multiple ACs into a string or into a circle with VSL links is not supported.

13. How is the license registered when the VAC is deployed?

It is recommended to bind different authorizations on PA with different member AC serial numbers; after that, you can wait for the VAC to form successfully and register it directly on the main AC or import the lic file for registration.

14. How does the license binding of VAC work?

a. When binding on the PA, it is recommended to bind different authorizations using the serial numbers of the main and backup ACs respectively. After the VAC formation is completed, the binding can be registered on the VAC (operation on the host). The CD authorization code can be automatically recognized by the set license command operating on the main AC; after the configuration is completed, the corresponding binding relationship will be automatically recognized by the main AC.

AC(config)#set license xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx

When paper authorizations use authorization files, the authorization files need to be imported into the master AC, and the auto-load operation can also be achieved by using the following command on the master AC:

AC#license auto-install flash: xxxxxx .lic

If you are operating on the backup AC, you will be prompted with: % Can't execute this command in redundancy slave.

b. AC#license install
This command indicates a local installation only.

15. How is the license calculated after VAC deployment?

After VAC deployment, the license count is the sum of the authorizations of the current member ACs. For example, if two AC-7072 units with 32 and 64 license authorizations respectively are deployed as a VAC, the VAC currently supports 96 authorizations.
Note: In a VAC scenario, after one of the ACs goes down, the number of license authorizations remains the sum of the license authorizations of each member AC for 7 days by default. After 7 days, if the failed AC has not been restored, the failed AC's authorizations are subtracted from the total.

16. How long will the AP drop when the AC quits with insufficient license?

If an AC quits, the license installed on the device will be retained for a period of time, which is called the license aging time and is configurable. After the license aging time expires, if the AC has not rejoined, the remaining ACs will have insufficient license, and the APs that exceed the license will be kicked offline. If the AC has a hardware failure and cannot rejoin in time, it can be covered by a temporary license first. License aging time is 168 hours (7 days) by default, adjustable range 1 hour~336 hours (14 days).

Method of adjusting the license aging time:

VAC(config)# ac-controller
VAC(config-ac)# license-idle-timeout 336 # Unit: Hour
VAC(config-ac)# exit

Note: If you start with two AC-7072 to form a VAC, assuming that the license has been fully loaded at this time, the VAC can manage a maximum of 2304 licenses, and a single AC supports a maximum of 1152 licenses. When one AC goes down, the whole VAC may be left with only one AC-7072; although the licenses are still stacked, the APs beyond the single-AC performance number of 1152 will fall offline. If there are no more than 1152 APs, they are not affected.

17. How is data forwarded and processed in VAC scenarios?

After AC virtualization, DHCP, ARP and ping are centralized services that are provided only on the main AC, so their debugging information can be collected on the main AC. AP management, STA management, 1x authentication and web authentication are distributed services, generally associated with the AP and STA, so their debugging information can be collected only on the AC with which the AP is associated.

18. Why is the interface down when the slave AC joins?

When the slave AC joins, you can see that the interface status is still DOWN in show interface status even though it has already joined according to show virtual-ac. The main reason is that when the AC first joins, it needs to synchronize the table information and wireless configuration. The slave AC enters the ready state and the interface goes UP only after these are completed, so the software mechanism purposely keeps the interface in the DOWN state to prevent the AP from associating with a slave AC device that is not fully ready. This process may last several minutes, or even ten minutes; when there is a lot of configuration, the time will be longer, up to 30 minutes.

19. How to deal with different versions of AC joining VAC?

Currently, different versions of ACs can also form a VAC. When this happens, it is recommended to take out the old-version ACs and upgrade them individually before joining the VAC. The current version doesn't support upgrading specific ACs. You can also upgrade the entire VAC via upgrade download tftp:, but all member ACs will be rebooted; ACs of different versions will be upgraded to the corresponding version, while ACs of the same version will only follow the entire VAC in the reboot without any upgrade action.

20. How long does it take to preempt the backup AC?

The function of preempting the backup machine is used in the VSU+VAC scenario to avoid both the primary AC and the backup AC being in the same chassis, which would cause the VAC to restart. When a new AC joins, if its priority is higher than that of the backup AC, it will be checked again after 30 minutes to see if there is a candidate AC with a higher priority than the backup AC. If there is, the backup AC will be restarted, and then the AC with the highest priority among the candidates will be selected as the backup AC.

21. How to conduct ping testing for VAC switchover during acceptance testing?
To improve the effectiveness of ping testing for VAC switchover, the following methods can be used:

a. Perform a power-off restart of the host instead of a reload, as a reload may result in packet loss due to the soft restart. Avoid using interface down methods.
b. Ping the devices across ACs from associated STAs, or perform mutual ping testing between the two associated STAs. Make sure the destination address for the ping is not the AC itself, as the control plane switchover time for ACs may be slightly longer (10 seconds+).

22. How to modify device id?

In standalone mode, enter domain mode and run device to overwrite the configured ID; the change takes effect after switching to VAC mode.

FS-VAC(config)#virtual-ac domain 90
FS-VAC(config-vac-domain)#device 2 # New device id

In VAC mode, enter domain mode and run device renumber to make the change, which takes effect after the device reboots.

FS-VAC(config)#virtual-ac domain 90
FS-VAC(config-vac-domain)#device 1 renumber 2 # The former is the current device ID and the latter is the new device ID.

23. How to switch from VAC mode to stand-alone mode.

The configuration of stand-alone mode and VAC mode is not reused. After switching to stand-alone mode, the configuration of the AC is empty, and the configuration of the VAC has been backed up. The backup files are: virtual_switch.text ap-virtual_switch.text.

VAC# device convert mode standalone
Convert mode will backup and delete config file, and reload the switch. Are you sure to continue[yes/no]:yes
Do you want to recover config file from backup file in standalone mode (press 'ctrl + c' to cancel) [yes/no]:yes

24. How to calculate the number of concurrent devices after virtual AC?

For example, AC-7072: The number of concurrency (concurrent uptime) for a single AC is 64 users/S, which will increase by a factor of 1.5-1.8 with virtual AC.

25. What is the serial number of the VAC device after AC virtualization?

It is the serial number of the master device.
If the master/backup relationship changes, the device serial number will change.

26. When deploying VAC, it does not support the server kicking authenticated users offline through the SNMP mechanism.

In VAC scenarios, it is not possible to use the SNMP mechanism on the authentication server to kick authenticated users offline. Instead, the DM (Device Management) mechanism can be employed to kick users offline.

In a standalone scenario, the authentication user entries are stored in the process memory. When the authentication server needs to force a user offline, it directly searches for the user in memory. If the user is found, the server can successfully kick the user offline and return a success status.

In a VAC scenario, the authentication user entries are stored in a database, not directly in the memory. Thus, attempting to search for users directly in memory will not yield results, and the server will return a user-not-found error. As a result, kicking the user offline will not be successful.

27. Network management software such as rill reads information slowly in the VAC scenario.

When network management software such as rill reads information slowly in a VAC scenario, pay attention to the SNMP flow control optimization configuration and enable the SNMP cache function. For the SNMP flow control optimization configuration, note the following points:

snmp-server flow-control pps xxx //Adjustments to xxx values require close attention to the cpu.

Additionally, you can confirm the rate of growth of the number of requested variables field (which is a cumulative value) by collecting show snmp continuously at 1s intervals. SNMP flow control is set according to the corresponding increase per second.
If you run into a similar situation where the oid node cannot be read, confirm the following two points:

Verify that the oid node is normal;
Verify the node read test using the mib browser.

28. When Cisco Dual Core VPC is deployed, can it be docked to our AC Deployment VAC solution?

Cisco's VPC scenarios do not support the deployment of wireless VAC solutions. The main reason is that the Cisco VPC solution does not support source IP load balancing, so the service port cannot be realized, and the AP will appear to be constantly migrating.

5.7.8 Positioning of Frequently Asked Questions

1. When connecting to the VAC by telnet, there are sometimes connection problems, which can be solved by reconnecting.

The session hangs more easily when the show command being executed returns a lot of output. After disconnecting and reconnecting, telnet is normal again. This situation is usually because the MTU of some VSL ports on the switch is not configured to 9216; check the configuration of the VSL ports on the switch.

2. AP can't get online, and it always prints DataCheckTimer Expire.

*Jun 27 15:18:52: %CAPWAP-6-PEER_NOTIFY_DOWN: Peer <100.0.0.14 : 10000 : 649d.99d0.40e3> DOWN, reason .

If a large number of APs print this LOG and fail to get online, the load balancing policy of the uplink switch may not be based on the source IP or on the source IP+destination IP, which loads the CAPWAP messages of the same AP to multiple ACs, resulting in the APs failing to go online. You need to check the load balancing policy of the uplink switch.

5.7.9 Legacy Statement

1. Occasional lag of Show command.

Exiting from config mode triggers the AC to perform configuration collection, and there is a brief CLI lag.

2. Execute ap-image under Ap-group / ap-config to upgrade AP.

The function of upgrading APs under Ap-group / ap-config is not perfect yet; it is recommended to use ap-image auto-upgrade under ac-controller for auto-matching upgrade as much as possible.

3. After VAC is running, configuring the command to seize the backup machine will not trigger the seizure.

The function of "spare machine seize" is used in the VSU+VAC scenario to avoid the main AC and the backup AC being in the same frame, where the restart of this frame would lead to the restart of the whole VAC. If the VAC is already running stably when the standby preemption command is configured, the standby AC will not be preempted even if a candidate AC has a higher priority than the standby AC. When a new AC joins, if its priority is higher than that of the standby AC, the standby AC is rebooted and the AC with the highest priority among the candidate ACs is selected to become the standby AC.

4. The value read immediately after turning on spectrum analysis via mib is still off.

When spectrum analysis is turned on for an AP, it is turned on immediately, but a mib read returns the cache table, which is updated periodically. It may therefore appear that spectrum analysis was turned on normally and yet a subsequent read shows it as not yet turned on; re-reading after a few seconds usually returns the normal value. This happens when spectrum analysis is turned on by snc/mib software.

5. The AP capacity of a single AC is equivalent to the capacity of the VAC machine.

For example, with 2 sets of 7072 in a VAC, up to 2304 APs can be online. In this case, if the business port of one of the 7072 is shut down, 2304K APs will be migrated to the same AC, and if the number of STAs is also very large, there may be memory shortage problems. However, if one of the 7072 is taken away and only one AC is left, only 1152 APs will be online, and the other APs will be kicked offline.

6. VAC does not support the upgrade group to upgrade APs.

In the scenario of bandwidth limitation between AC and AP, upgrade group is used for upgrading, and bandwidth is used reasonably.
Under VAC, APs are scattered on different ACs, and the current upgrade group does not support unified scheduling of AP upgrades on multiple ACs, resulting in the failure of the upgrade group function.

7. show ap-config eth-statistic does not support viewing the entire VAC.

In a VAC, show ap-config eth-statistic only supports viewing the APs on the local AC. For example, running it on the main AC shows only the APs on the main AC, and running it on the backup AC shows only the APs on the backup AC.

Appendix 1: VAC Configuration Reference

VAC Configuration on AC

VAC#show virtual-ac config
device_id: 1 (mac: 649d.99d0.d506)
!
device virtual domain 90
!
device 1
device 1 priority 100
device 1 description switch1-slot3
!
port-member interface GigabitEthernet 0/4 copper
port-member interface GigabitEthernet 0/5 copper
device convert mode virtual
!
device_id: 2 (mac: 649d.99d0.40f7)
!
device virtual domain 90
!
device 2
device 2 priority 100
device 2 description switch1-slot4
!
port-member interface GigabitEthernet 0/4 copper
port-member interface GigabitEthernet 0/5 copper
device convert mode virtual
!
device_id: 3 (mac: 649d.99d0.d5a6)
!
device virtual domain 90
!
device 3
device 3 priority 100
device 3 description switch1-slot5
!
port-member interface GigabitEthernet 0/4 copper
port-member interface GigabitEthernet 0/5 copper
device convert mode virtual
!

VAC#show vir dual-active bfd
BFD dual-active detection enabled: Yes
BFD dual-active interface configured:
GigabitEthernet 1/0/3: UP
GigabitEthernet 2/0/3: UP
GigabitEthernet 3/0/3: UP

Interface Configuration on the AC

interface GigabitEthernet 1/0/1
 port-group 1
!
interface GigabitEthernet 1/0/2
 port-group 1
!
interface GigabitEthernet 1/0/3
 no switchport
!
interface GigabitEthernet 1/0/4
!
interface GigabitEthernet 1/0/5
!
interface GigabitEthernet 1/0/6
!
interface GigabitEthernet 1/0/7
!
interface GigabitEthernet 1/0/8
!
interface GigabitEthernet 2/0/1
 port-group 1
!
interface GigabitEthernet 2/0/2
 port-group 1
!
interface GigabitEthernet 2/0/3
 no switchport
!
interface GigabitEthernet 2/0/4
!
interface GigabitEthernet 2/0/5
!
interface GigabitEthernet 2/0/6
!
interface GigabitEthernet 2/0/7
!
interface GigabitEthernet 2/0/8
!
interface GigabitEthernet 3/0/1
 port-group 1
!
interface GigabitEthernet 3/0/2
 port-group 1
!
interface GigabitEthernet 3/0/3
 no switchport
!
interface GigabitEthernet 3/0/4
!
interface GigabitEthernet 3/0/5
!
interface GigabitEthernet 3/0/6
!
interface GigabitEthernet 3/0/7
!
interface GigabitEthernet 3/0/8
!
interface AggregatePort 1
 switchport mode trunk
 switchport trunk native vlan 201
!
virtual-ac domain 90
 dual-active detection aggregateport
 dual-active detection bfd
 dual-active bfd interface GigabitEthernet 1/0/3
 dual-active bfd interface GigabitEthernet 2/0/3
 dual-active bfd interface GigabitEthernet 3/0/3

Uplink switch

The service port is aggregation port 1

interface GigabitEthernet 0/5
 port-group 1
!
interface GigabitEthernet 0/6
 port-group 1
!
interface GigabitEthernet 0/7
 port-group 1
!
interface GigabitEthernet 0/8
 port-group 1
!
interface GigabitEthernet 0/9
 port-group 1
!
interface GigabitEthernet 0/10
 port-group 1
!

The VSL port is an ACCESS port, and uses a separate VLAN

interface GigabitEthernet 0/17
 poe enable
 switchport access vlan 2024
 mtu 9216
!
interface GigabitEthernet 0/18
 poe enable
 switchport access vlan 2024
 mtu 9216
!
interface GigabitEthernet 0/19
 poe enable
 switchport access vlan 2024
 mtu 9216
!
interface GigabitEthernet 0/20
 poe enable
 switchport access vlan 2024
 mtu 9216
!
interface GigabitEthernet 0/21
 poe enable
 switchport access vlan 2024
 mtu 9216
!
interface GigabitEthernet 0/22
 poe enable
 switchport access vlan 2024
 mtu 9216
!

Service Aggregation Port, Remove VLAN from VSL

interface AggregatePort 1
 switchport mode trunk
 switchport trunk native vlan 201
 switchport trunk allowed vlan remove 2024
!

The above is the VAC configuration reference.
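The switch-side items of the 5.7.6 checklist (mtu 9216 on VSL ports, a separate VSL VLAN that is removed from the service trunk) can be checked against a saved uplink-switch configuration. The Python script below is an added example, not FS tooling: its function names are hypothetical, the sample configurations are constructed in the layout of the appendix, and it assumes that a trunk carries every VLAN not explicitly removed and that VLAN lists use comma/range syntax.

```python
import re

VSL_MTU = 9216  # MTU the checklist requires on switch ports that carry VSL links

# Constructed sample configs in the layout of the appendix (not real device output).
GOOD_CONFIG = """
interface GigabitEthernet 0/5
 port-group 1
!
interface GigabitEthernet 0/17
 switchport access vlan 2024
 mtu 9216
!
interface TenGigabitEthernet 1/9/7
 port-group 3
!
interface AggregatePort 1
 switchport mode trunk
 switchport trunk native vlan 201
 switchport trunk allowed vlan remove 2024
!
interface aggregateport 3
 mtu 9216
 switchport access vlan 2024
!
"""

BAD_CONFIG = """
interface GigabitEthernet 0/5
 port-group 1
!
interface GigabitEthernet 0/17
 switchport access vlan 2024
!
interface GigabitEthernet 0/18
 switchport access vlan 2024
 mtu 1500
!
interface AggregatePort 1
 switchport mode trunk
 switchport trunk allowed vlan remove 100-200,300
!
"""


def parse_interfaces(config):
    """Map each interface name (lower-cased, single-spaced) to its config lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.lower().split())
        if line.startswith("interface "):
            current = line[len("interface "):]
            stanzas.setdefault(current, [])
        elif line == "!":
            current = None
        elif line and current is not None:
            stanzas[current].append(line)
    return stanzas


def expand_vlans(spec):
    """Expand '100-200,300' into a set of VLAN ids (list/range syntax is an assumption)."""
    vlans = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit_vsl(config, vsl_vlan):
    """Return sorted (interface, problem) tuples; an empty list means both checks pass."""
    stanzas = parse_interfaces(config)
    findings, vsl_seen = [], False
    for name, lines in stanzas.items():
        group = next((l.split()[1] for l in lines if l.startswith("port-group ")), None)
        if group is not None:
            # Member port: its VLAN and MTU settings are judged on the aggregate port.
            if f"aggregateport {group}" not in stanzas:
                findings.append((name, f"port-group {group} has no AggregatePort stanza"))
            continue
        if f"switchport access vlan {vsl_vlan}" in lines:
            vsl_seen = True
            mtus = [l.split()[1] for l in lines if re.fullmatch(r"mtu \d+", l)]
            if mtus != [str(VSL_MTU)]:
                found = ", ".join(mtus) or "none"
                findings.append((name, f"VSL port without mtu {VSL_MTU} (found {found})"))
        elif "switchport mode trunk" in lines:
            removed = set()
            for l in lines:
                m = re.fullmatch(r"switchport trunk allowed vlan remove (.+)", l)
                if m:
                    removed |= expand_vlans(m.group(1))
            if vsl_vlan not in removed:
                findings.append((name, f"trunk still carries VSL VLAN {vsl_vlan}"))
    if not vsl_seen:
        findings.append(("-", f"no port is assigned to VSL VLAN {vsl_vlan}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_vsl(cfg, 2024))
```

The load balancing policy and AC version items of the checklist are not covered, because the page does not show the switch command or output they would be checked against.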
5.8 Wireless Load Balancing Function

5.8.1 Wireless Load Balancing Principles and Configuration Examples

Principle Introduction

1. Function Introduction

In a wireless network with multiple APs whose signals cover each other, wireless user access is random, so it is possible that a certain AP is heavily loaded and the network utilization is poor. Assigning all APs in the same area to the same load balancing group and collaboratively controlling the access of wireless users achieves load balancing.

2. Application Scenario

When more than one AP in the same area belongs to the same group and sends out the same wireless signal, load balancing can be used to avoid wireless clients all accessing the same AP or a few APs, which would result in a heavy load on a certain AP and poor network utilization.

Advantages: Effective use of wireless network resources, reasonable distribution of traffic.
Disadvantages: Can only be used in fit mode; additional configuration is needed.

Configuration Case

1. Network Requirements

AP-1 and AP-2 need to achieve load balancing to avoid a single AP carrying too many users. The following two conditions need to be met simultaneously when using a load balancing group:

All wireless users can receive signals from each AP in the balanced group.
Each AP in the load balancing group should send out the same signal.

2. Network topology

3. Configuration Points

Create a load balancing group.
Configure the load balancing threshold.
Add APs to the load balancing group.

4. Configuration Steps

a. Load balancing based on the number of users

Create a load balancing group with the name test1

FS(config)#ac-controller
FS(config-ac)#num-balance-group create test1

Configure load balancing thresholds

FS(config-ac)#num-balance-group num test1 10 ---->When there is a difference of 10 users in APs, the AP with more users does not respond to user access requests

Add APs to the load-balanced group

FS(config-ac)#num-balance-group add test1 ap505-1 ---->Add the ap with the name ap505-1 to the load balancing group
FS(config-ac)#num-balance-group add test1 ap505-2

Configure sta to automatically stop load balancing after multiple association failures (optional)

FS(config-ac)#sta-balance num-limit enable
FS(config-ac)#end
FS#write

b. Load balancing based on traffic

Create a load balancing group with the name of flow_huiyi

FS(config)#ac-controller
FS(config-ac)#flow-balance-group create flow_huiyi

Configure load balancing thresholds

FS(config-ac)#flow-balance-group flow flow_huiyi 4 ---->Indicates 4%*10Mbps, the default is 5%, the range is 0-1000, where 0 means that the equalization group does not enable the traffic equalization function.

Add APs to the load-balanced group

FS(config-ac)#flow-balance-group add flow_huiyi apN505-1 ---->Add the ap with the name apN505-1 to the load balancing group
FS(config-ac)#flow-balance-group add flow_huiyi apN505-2
FS(config-ac)#end
FS#write

5. Precautions

Load balancing is only done between radios of the same type (2.4G or 5G)

6. Functional verification

a. Confirm load balancing based on the number of users

Log in to the AC and confirm the load balancing group status with show ac-config num-balance summary.

FS#show ac-config num-balance summary
Group  State  Enable  Threshold  mode     AP NAME
test1  UP     3       3          ap-mode  apN505-1,apN505-2

Confirm the number of users per AP on the AC with show ap-config sum

b. Confirm load balancing based on traffic

Log in to the AC and verify the load balancing group status with show ac-config flow-balance summary.
5.8.2 Wireless Load Balancing FAQs

1. View Traffic Balancing Group.

Use show ac-config flow-balance summary to confirm the traffic balancing group.

2. Restrictions on Traffic Balancing Groups.

In the local forwarding scenario, if you need to implement traffic load balancing, you can use the following configuration:

FS(config-ac)#flow-balance-group radio-flow ? //Specifies that the traffic load balancing group uses the traffic information uploaded by the APs
WORD Flow balance group name

Under local forwarding, because the data packets do not pass through the AC, the traffic information is not available on the AC, and the traffic information reported by the AP must be used for load balancing judgment.

3. The maximum number of load balancing groups that the AC can currently support.

The AC currently supports the creation of up to 80 quantity equalization groups and 80 traffic equalization groups.

4. Maximum number of APs supported per load balancing group.

Ten APs.

5. How does the wireless AC enable load balancing between AP radios?

AP mode configuration:

inter-radio-balance flow-balance enable # flow-based
inter-radio-balance num-balance enable # users-based

The inter-radio load balancing parameters are adjusted on the AC, and their configuration is optional. You can adjust each parameter according to actual requirements when performing network optimization.

Use inter-radio-balance flow-balance dual-band enable-load en-num threshold thrs-num to configure the startup threshold and threshold value for traffic load balancing between radios of different bands. The lower the threshold value, the easier the load balancing starts, and the lower the threshold value, the more balanced it is.

Use inter-radio-balance flow-balance same-band enable-load en-num threshold thrs-num to configure the startup threshold and threshold value for traffic load balancing between same-band radios. The lower the threshold, the easier the load balancing starts, and the lower the threshold, the more balanced it is.
Use inter-radio-balance num-balance dual-band enable-load en-num threshold thrs-num to configure the startup threshold and threshold value for user-number load balancing between radios of different bands. The lower the threshold value, the easier the load balancing starts, and the lower the threshold value, the more balanced it is.

Use inter-radio-balance num-balance same-band enable-load en-num threshold thrs-num to configure the startup threshold and threshold value for user-number load balancing between same-band radios. The lower the threshold, the easier the load balancing starts, and the lower the threshold, the more balanced it is.

6. Does it support load balancing between radios?

Yes, it supports load balancing between radios. Load balancing between radios is the balancing of the load between different radios within an access point (AP), with the aim of avoiding excessive load on a single radio. The load can refer to either traffic or the number of associated stations (STAs).

Notes:
- This feature is not applicable in Smart Split scenarios. Due to the different signal coverage areas of different radios, a STA may only receive signals from one or a few radios, so load balancing between radios cannot be enabled in such cases.
- Load balancing only handles the process of STA association. It does not handle the process of STA disconnection. Therefore, there may be differences in traffic or STA numbers between APs after a STA disconnects.
- If the radio that a STA intends to associate with is of a different type from the radio with the lowest load, load balancing will only be performed when the AP reports dual-band capability for the STA. Otherwise, users who support only 2.4 GHz may not be able to associate with a 2.4 GHz radio when there are no users on the 5 GHz radio.
- Load balancing between radios will reject association with the same STA at most two times within a 5-minute period.
If the STA still associates with a radio with higher load on the third attempt, it will be allowed to associate. Therefore, the actual effect of load balancing between radios depends on the specific behavior of the STA.

5.9 Wireless Network Optimization

5.9.1 Fit AP Wireless Network Optimization

5.9.1.1 Function Introduction

Fit AP Wireless Optimization Function Introduction:

The main communication band of IEEE 802.11 is divided into two bands:
- 2.4GHz (2.412 to 2.4835 GHz) (IEEE 802.11b/g operates in this frequency range)
- 5GHz (5.15 to 5.35 and 5.725 to 5.825 GHz) (IEEE 802.11a operates in this frequency range)

The dual-frequency STA supports both the 2.4GHz and 5GHz frequency bands. However, due to the limited knowledge of users in this field and the lack of effective guidance from most wireless access service providers, combined with the wider application of 802.11b/g compared to 802.11a, many dual-frequency STAs end up using the 2.4GHz frequency band, resulting in congestion in the 2.4GHz band and waste of the 5GHz band. In reality, the 5GHz band has a higher access capacity: the 2.4GHz band can only have a maximum of 3 non-overlapping communication channels, while the 5GHz band can provide more non-overlapping communication channels. Band Select guides the dual-frequency STAs to connect to the higher-capacity 5GHz frequency band, thereby reducing the pressure on the 2.4GHz band and enhancing user experience.

Speed limit for wireless users: In order to make the limited network resources work better and serve more users better, the device needs to support the traffic rate limiting function. When the data traffic meets the committed rate, the packet is allowed to pass; when the data traffic does not meet the committed rate, the packet is discarded.

Reducing weak signal terminals: Wireless users search for APs mainly through active or passive scanning.
Active scanning: the wireless user sends a Probe Request frame to request access to the AP, and the AP confirms and sends a Probe Response frame in response.
Passive scanning: the AP periodically broadcasts Beacon frames, and the wireless user listens for the Beacon frames and tries to connect.
To control the network coverage range of the AP and improve the quality of wireless signal transmission, the wireless users allowed to access can be restricted. Firstly, controlling the range over which the AP broadcasts Beacon frames reduces access by wireless users at a long distance; secondly, setting a minimum RSSI (Received Signal Strength Indication) for wireless users reduces access, because a wireless user is not allowed to access when the RSSI of its received request frame is below this value.

Turn off low-rate applications: Turn off low-rate applications by configuring the rate set.

Limit the number of STA accesses under the AP: In a WLAN network, an AP can serve multiple wireless users, and the administrator can configure the maximum number of users that can be connected to the specified AP. Limiting the number of STA accesses under the AP provides a degree of load sharing and avoids uneven distribution of AP access users.

Layer 2 isolation in wireless user VLANs: Be sure to configure this feature for networks that do not have Layer 2 interworking requirements to reduce network attacks and multicast message bandwidth consumption.

Increase the Beacon frame interval: Increasing the Beacon frame period reduces the frequency of sending Beacon frames, reduces the channel occupancy of management messages, and increases the channel bandwidth available to wireless users.
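The rate-set, STA-limit and Layer 2 isolation measures described above can be checked against a saved running configuration. The audit script below is an added example, not FS code: it assumes the "!"-delimited show running layout and the command forms given in this guide's configuration and verification sections, and the sample configuration, function names and finding labels are constructed for illustration.

```python
import re

# Constructed sample in the "show running" layout (not a real device dump).
SAMPLE_CONFIG = """\
!
wids
 user-isolation ap enable
 user-isolation ssid-ap enable
!
ac-controller
 802.11b network rate 1 disabled
 802.11b network rate 2 disabled
 802.11b network rate 5 disabled
 802.11b network rate 11 disabled
 802.11g network rate 1 disabled
 802.11g network rate 2 supported
 802.11g network rate 11 mandatory
 802.11a network rate 6 disabled
 802.11a network rate 9 disabled
 802.11a network rate 12 mandatory
!
ap-config AP1
 sta-limit 40
 sta-limit 60 radio 1
 sta-limit 20 radio 2
!
"""

# The four isolation commands and the low rates the guide recommends disabling.
ISOLATION_MODES = ("ssid-ap", "ap", "ssid-ac", "ac")
LOW_RATES = {"802.11b": {1, 2, 5}, "802.11g": {1, 2, 5}, "802.11a": {6, 9}}
RATE_RE = re.compile(r"^(802\.11[abg]) network rate (\d+) (disabled|supported|mandatory)$")
STA_RE = re.compile(r"^sta-limit (\d+)(?: radio (\d+))?$")


def split_sections(text):
    """Return {header: [commands]} for the '!'-delimited blocks of a config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # a '!' line closes the current block
            continue
        if current is None:
            current = line          # first line of a block is its header
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def audit(text):
    """Return a list of (finding, detail) tuples; labels are hypothetical."""
    findings = []
    sections = split_sections(text)

    # 1. Layer 2 isolation: every user-isolation mode should be enabled.
    wids = sections.get("wids", [])
    for mode in ISOLATION_MODES:
        if f"user-isolation {mode} enable" not in wids:
            findings.append(("isolation-missing", mode))

    # 2. Rate sets. Assumes every rate of a band is listed, as in the guide's
    #    output; rates that are not listed are left unevaluated.
    rates = {}
    for cmd in sections.get("ac-controller", []):
        m = RATE_RE.match(cmd)
        if m:
            rates.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
    for band, table in sorted(rates.items()):
        if all(state == "disabled" for state in table.values()):
            # Disabling all rates of a band locks out that band's users.
            findings.append(("band-unusable", band))
        for rate in sorted(LOW_RATES[band]):
            if rate in table and table[rate] != "disabled":
                findings.append(("low-rate-enabled", f"{band} {rate}"))

    # 3. A per-radio sta-limit must not exceed the whole-AP sta-limit.
    for header, cmds in sections.items():
        if not header.startswith("ap-config "):
            continue
        whole, per_radio = None, {}
        for cmd in cmds:
            m = STA_RE.match(cmd)
            if m and m.group(2) is None:
                whole = int(m.group(1))
            elif m:
                per_radio[int(m.group(2))] = int(m.group(1))
        for radio, limit in sorted(per_radio.items()):
            if whole is not None and limit > whole:
                detail = f"{header.split()[1]} radio {radio}: {limit} > {whole}"
                findings.append(("radio-limit-exceeds-ap", detail))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```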
Establish a pure 11n network: By configuring a pure 11n network, non-11n devices are prohibited from connecting, ensuring that all 11n devices in the network use pure HT header transmission and reducing the size of the packet headers. This increases the available channel bandwidth for wireless users.

One-click network optimization: After running a wireless network for some time, there may be issues such as slow internet speed, signal/interference problems, authentication page not loading, 2.4G/5G capable network cards preferentially connecting to 2.4G, a high volume of low-speed packets, multicast packet loss/retransmission, and more. In such cases, further network optimization is required.
1. Slow internet speed could be due to a lack of rate limiting, resulting in some users consuming excessive bandwidth for downloading or video streaming, thus slowing down the network for other users. It could also be a case where rate limiting is already configured, but the rate is too high or too low, not achieving the desired effect. To address this issue, you can choose a rate limiting solution as part of network optimization: WLAN-based rate limiting for all users, with an average uplink and downlink speed of 256KB and a burst speed of 300KB.
2. Signal/interference issues may include weak signals, frequent roaming, same-frequency/adjacent-frequency interference, and more. You can choose to enable the RRM (Radio Resource Management) functionality for network optimization, allowing online or newly added APs to perform channel and power adjustments to achieve signal coverage and avoid interference with neighboring APs. If there are no issues with weak signals or same-frequency/adjacent-frequency interference, you can disable RRM to improve device performance.
3. If the authentication page does not load, it is often due to having too few configured sessions.
You can choose to restore the default session count using network optimization, enabling 255 sessions for individual terminals and up to 1000 sessions per port.
4. If 2.4G/5G capable network cards frequently connect to the 2.4G band, you can enable the 5G prioritization feature in network optimization. If there are only a few 5G terminals in the environment, it is recommended to disable 5G prioritization.
5. In cases where there is a high volume of low-speed packets in the environment, you can use the network optimization feature to disable low speeds below 11Mbps for 802.11b, 802.11g, and 802.11a.
6. When experiencing multicast packet loss/retransmission issues, it could be due to a high multicast rate setting. You can use the network optimization feature to restore the default multicast rate, ensuring a better user experience.

5.9.1.2 Networking Requirements and Configuration Points

1. Networking Requirements
In general fit AP scenarios, the AP supports dual-band.

2. Configuration Points
a. When there are more dual-frequency STAs in the network, it is recommended to turn on spectrum navigation to guide the dual-frequency STAs to connect to the 5G band with higher access capacity, so as to alleviate the pressure on the 2.4G band and improve the user experience. Turning on spectrum navigation slightly increases the access time of 2.4G STAs and dual-frequency STAs, by about 2 seconds, so the user experience will be slightly worse. Spectrum navigation conflicts with load balancing, so it is recommended not to configure load balancing and spectrum navigation at the same time.
b. When certain wireless users on the network continuously occupy the network resources, leaving other wireless users unable to use the network, configuring the wireless user speed limit function lets the limited network resources be better utilized to serve more users.
c.
When a terminal accesses the wireless network from relatively far away from the AP, the wireless signal the terminal transmits to the AP is weak. The communication performance of such a terminal is relatively poor, which shows as a low rate and a high retransmission rate, and it lowers the performance of the whole network. In this case it is recommended to turn on the function of reducing weak-signal terminals to restrict weak-signal terminals from accessing the AP. However, this function leaves a weak-signal terminal unable to access the network: it is not allowed to access until the number of times it has been restricted reaches the maximum number of restrictions.
d. Management messages are generally sent at the lowest available rate. When management messages occupy more air interface resources in the wireless network, it is recommended to close the low-rate application to reduce the occupation of air interface resources and improve the channel utilization. Turning off low-rate applications may cause low-speed users to be unable to access the network.
e. When there is a serious imbalance in the number of AP or radio access users in the network, it is recommended to configure a limit on the number of STA accesses under the AP or radio, which provides a degree of load sharing and avoids uneven distribution of AP or radio access users. Limiting the number of STA accesses under the AP or radio conflicts with load balancing, so it is recommended not to configure them at the same time.
f.
Configure this feature for networks that do not have the need for Layer 2 interworking: configuring Layer 2 isolation within the wireless user's VLAN reduces network attacks and multicast message bandwidth consumption. Do not configure this feature for networks with Layer 2 access requirements, as it will result in Layer 2 networks not being able to access each other.
g. When APs are densely deployed, increase the Beacon frame period to reduce the frequency of sending Beacon frames, reduce the channel occupancy of management messages, and increase the channel bandwidth available to wireless users. Configuring a Beacon frame period that is too large may result in frequent user drops or probes.
h. When there are only 11n clients in the network, it is recommended to establish a pure 11n network and prohibit non-11n devices from accessing it, which makes all the 11n devices in the network use pure HT header transmission, reduces the header size of the message, and increases the channel bandwidth available to wireless users. After a pure 11n network is established, non-11n devices cannot access it.
i. When the wireless network has been running for a period of time, there may be problems such as slow network speed, signal/interference problems, the authentication page not loading, NICs that support 2.4G/5G often associating with 2.4G, a large number of low-speed messages, and packet loss/retransmission of multicast messages. You can optimize the network in one click by configuring the one-click network optimization command. The optimization applied by this command may conflict with the user's previous optimization configuration. After configuring one-click network optimization, check whether problems remain, and if they do, configure the specific points that still need optimization.

5.9.1.3 Configuration Steps

1. Wireless channel adjustment
a. Adjust the AP channel according to the previous channel plan.
If no manual channel adjustment is performed, the AP uses RRM automatic channel adjustment by default. Frequent RRM channel adjustment will lead to network instability, and the use of RRM is not recommended.
AC(config)#ap-config ap-1
AC(config-ap)#channel 1 radio 1
b. Check if the configuration is in effect
AC#show ap-config summary
Note: The principle of channel planning is that adjacent APs and APs on different floors should use different channels. The three non-interfering channels for 2.4GHz are channels 1, 6, and 11 (for high-density deployments, consider using channels 1, 5, 9, and 13). The five non-interfering channels for 5.8GHz are channels 149, 153, 157, 161, and 165 (if there is severe interference on the 5.8GHz channels in the network, change the country code to US in ac-controller mode and ap-config mode and use channels 36, 40, etc.).

Wireless Channel Adjustment - Web Page Configuration Methods

Channel setup for 2.4G networks
Click Config==>>AP Management, find the corresponding AP in the list, and click the channel button on the right.
After clicking it, a channel setting dialog box pops up for configuring the relevant parameters.
Click to complete the configuration.

Channel settings for 5.8G networks
Click Config==>>AP Management, find the corresponding AP in the list, and click the channel button on the right.
After clicking it, a channel setting dialog box pops up for configuring the relevant parameters.
Click to complete the configuration.

2. Wireless Power Adjustments
a. Based on the previously obtained experience values of AP power adjustment, perform power adjustment on the AP, so that wireless users at the farthest end of the AP have a signal strength equal to the signal strength indicator plus 10dB. The default transmit power of the AP is 100%.
AC(config)#ap-config ap-1
AC(config-ap)#power local 50 radio 1 //Adjust transmit power to 50%
b. Check that the configuration is in effect
AC#show ap-config summary
The web adjustment method is on the same adjustment page as the channel adjustment method.

3. Speed limiting for wireless users
a. Based on the previously obtained experience values of wireless user bandwidth limitation, perform bandwidth limitation on wireless users. The purpose of the limitation is to ensure that each user can access wireless traffic and to prevent individual users from taking up all the wireless bandwidth through excessive downloads.
AC(config)#wlan-config 1
AC(config-wlan)#wlan-based per-user-limit down-streams average-data-rate 200 burst-data-rate 200 ----->Configure WLAN-based speed limiting by setting a downstream speed limit of 200 KB/s.
AC(config-wlan)#wlan-based per-user-limit up-streams average-data-rate 100 burst-data-rate 100 ----->Configure WLAN-based speed limiting by setting an upstream speed limit of 100 KB/s.
AC(config)#ap-config AP1
AC(config-ap)#ap-based per-user-limit up-streams average-data-rate 256 burst-data-rate 256 ----->AP-based bandwidth throttling
AC(config-ap)#exit
AC(config)#ac-controller
AC(config-ac)#netuser 14cf.920b.bfce inbound average-data-rate 256 burst-data-rate 1024 ----->Client-based bandwidth throttling
AC(config-ac)#exit
b. Check if the configuration takes effect
Wireless users connect to the wireless network and use Thunderbolt or FTP to download to check if the speed limit is effective.

4. Wireless disabling of low-rate set
a. It is recommended that 11b/g 1M, 2M, 5M, 11a 6M, 9M and other low rate sets be turned off to avoid individual users sending too many low-speed messages affecting the overall wireless performance.
AC(config)#ac-controller
AC(config-ac)# 802.11b network rate 1 disabled ----->Disable the corresponding rates for 11b; to restore a rate, change disabled to supported.
AC(config-ac)# 802.11b network rate 2 disabled
AC(config-ac)# 802.11b network rate 5 disabled
AC(config-ac)# 802.11g network rate 1 disabled ----->Disable the corresponding rates for 11g; to restore a rate, change disabled to supported.
AC(config-ac)# 802.11g network rate 2 disabled
AC(config-ac)# 802.11g network rate 5 disabled
AC(config-ac)# 802.11a network rate 6 disabled ----->Disable the corresponding rates for 11a; to restore a rate, change disabled to supported.
AC(config-ac)# 802.11a network rate 9 disabled
b. Check if the configuration is effective
Use the command "show ac-config client" on the AC to verify if there are still associated users with low speeds.

5. Adjustment to the number of AP users
a. Adjust the limit on the number of AP users to prevent an AP with too many users from affecting the overall performance. How many users to allow on a single AP needs to be determined according to customer demand.
AC(config)#ap-config ap-1
AC(config-ap)#sta-limit 40 //Limit on the number of users for the whole AP
AC(config-ap)#sta-limit 20 radio 1 //Limit on the number of users of a single radio of the AP; it cannot be greater than the limit for the whole AP
b. Check that the configuration takes effect.
Connect multiple wireless terminals for the test, and check the number of wireless users on the AC with show ap-config summary; the number of wireless users should not exceed the limits.

6. Wireless RSSI access threshold adjustment, management frame power adjustment, reducing weak signal terminals:
a. Adjusting the RSSI access threshold can prevent wireless users with poor signals from associating and prevent them from associating with APs with poor signals.
It can also prevent frequent roaming of wireless users to some extent, which reduces the degradation of user experience.
Note: This optimization parameter is only applicable to scenarios with good wireless signal coverage and is not applicable to environments with poor signal coverage. The RSSI value needs to be determined based on the actual environment. It is recommended to have a wireless user associate in the farthest area covered by the AP and then, on the AP, use "show dot11 associations all-client" to check the RSSI; that value is the access threshold to configure.
AC(config)#ap-config ap-1
AC(config-ap)#response-rssi 28 radio 1 ----->Configure the minimum RSSI value for wireless user access (the minimum RSSI at which a terminal may access the wireless network)
AC(config-ap)#response-rssi 28 radio 2
AC(config-ap)#coverage-area-control 20 radio 1 ----->Configure the transmit power of management frames (this parameter is in dB). Management frame power that is too low may result in insufficient coverage, and power that is too high may result in overly wide coverage and lead to far-end association. It is recommended that the management frame power of 5G be 6-8 dB higher than that of 2.4G to guide dual-band terminals to prioritize access to 5G.
AC(config-ap)#assoc-rssi 28 radio 1 ----->Configure the RSSI value for associated wireless users (if the average RSSI stays below this value for a period of time after the terminal has connected, the terminal is kicked offline; the same terminal, after being kicked once, will not be kicked a second time within 10 minutes)
b. Check that the configuration is in effect
Check for low signal strength user associations with show dot11 associations all-client on the AP.

7. Set up a pure 11n network
a. Force all wireless devices on the wireless network to use 11n in order to enhance wireless network performance.
Note: This configuration is only suitable for customer scenarios where wireless devices are relatively uniform. If there is a wide variety of wireless devices, it may not be possible to control the risks, and further customer investigation is needed before configuring.
AC#configure terminal
AC(config)#ap-config AP1
AC(config-ap)#no 11bsupport enable radio 1 ----->Disable the 11b network
AC(config-ap)#no 11gsupport enable radio 1 ----->Disable the 11g network
AC(config-ap)#11ngsupport enable radio 1 ----->Enable the 2.4G 11n network
AC(config-ap)#no 11asupport enable radio 2 ----->Disable the 11a network
AC(config-ap)#11nasupport enable radio 2 ----->Enable the 5G 11n network
b. Configuration Verification
Test with wireless network cards that support 11n and cards that do not: the 11n-capable cards can access the wireless network, while the cards without 11n support cannot connect to it.

8. Set spectrum navigation (5G priority)
If there are many 2.4G terminals in the network, it is not recommended to turn this on, to avoid slow wireless access for 2.4G terminals. Instead, it is recommended to use coverage-area-control management frame optimization to guide terminals to access 5G, with the management frame power of 5G 6-8 dB higher than that of 2.4G (see point 6).
AC# configure terminal
AC(config)# wlan-config 1
AC(config-wlan)# band-select enable ----->Enable spectrum navigation

9. Layer 2 isolation within VLAN for wireless users
Set up Layer 2 isolation within the wireless user VLAN.
AC(config)#wids ----->Enter the wids configuration mode
AC(config-wids)#user-isolation ssid-ap enable ----->Configure WLAN-based user isolation under the AP
AC(config-wids)#user-isolation ap enable ----->Configure user isolation under the AP
AC(config-wids)#user-isolation ssid-ac enable ----->Configure WLAN-based user isolation under the AC
AC(config-wids)#user-isolation ac enable ----->Configure user isolation under the AC

10. Increase Beacon frame period
AC#configure terminal
AC(config)#ap-config AP1
AC(config-ap)#beacon period 300 radio 1 ----->Configure the Beacon frame period, default is 100ms

5.9.1.4 Notice

For wireless network optimization, it is recommended to connect the AC to the Airware wis, use Airware for wireless network optimization, and then manually optimize whatever still gives a bad experience.
1. Spectrum navigation
Turning on spectrum navigation affects user access time. It cannot be turned on at the same time as load balancing.
2. Wireless user speed limit
Packets are discarded when the data traffic does not meet the committed rate.
3. Reduce weak signal terminals
The minimum RSSI for wireless user access cannot be too large, or it may cause a large number of wireless users to be unable to access. Management frame sending power cannot be too small, otherwise a large number of distant wireless users may not discover the network.
4. Disable low rate application
Disabling a rate will make this rate unavailable. Disabling all rates will make wireless users unable to access. Disabling all 11b rates will make 11b wireless users unable to access.
5. Limit the number of STA accesses under AP
Cannot be enabled at the same time as load balancing.
6. Layer 2 isolation in VLAN for wireless users
Networks with Layer 2 access requirements must not be configured with this feature.
7. Increase the Beacon frame period
The Beacon frame period should not be too large, otherwise it may lead to frequent user drops or detection.
8.
Establish a pure 11n network
In a pure 11n network, non-11n devices cannot access.
9. One-key network optimization
It may conflict with the network optimization commands originally configured by the user.

5.9.1.5 Functional Verification

Fit AP Wireless Optimization Functional Verification

1. Configure spectrum navigation
FS# show running
!
wlan-config 1 open-wlan
 band-select enable ----->Enable the WLAN's spectrum navigation function to guide dual-band STAs into the 5G band
!

2. Configure wireless user speed limits
FS#show ap-config running AP1
!
ap-config AP1
 ap-based per-user-limit up-streams average-data-rate 256 burst-data-rate 1024 ----->For each user on the AP, the uplink traffic is limited to an average rate of 256 * 8Kbps, and the burst rate is limited to 1024 * 8Kbps.
!
FS#show running
!
wlan-config 12 wlan_opt
 wlan-based per-user-limit up-streams average-data-rate 256 burst-data-rate 1024 ----->For each user on the WLAN, the average uplink traffic limit is 256 * 8Kbps, and the burst rate is 1024 * 8Kbps.
 enable-broad-ssid
!
!
ac-controller
 netuser 14cf.920b.bfce inbound average-data-rate 256 burst-data-rate 1024 ----->For the specified user, the average rate of uplink traffic is limited to 256 * 8Kbps, and the burst rate is limited to 1024 * 8Kbps.
!

3. Configure the allowed access signal strength
FS#show ap-config running AP1
!
ap-config AP1
 no 11acsupport enable radio 1
 no 11acsupport enable radio 2
 802.11n mcs support 15 radio 1
 802.11n mcs support 15 radio 2
 coverage-area-control 30 ----->Configure the management frame sending power; distant wireless users beyond the coverage of this power cannot access the network
 response-rssi 20 radio 1 ----->Configure the RSSI value of wireless users allowed to access; distant wireless users whose RSSI is below this value cannot access the network.
 antenna receive 3 radio 1
 antenna receive 3 radio 2
 antenna transmit 3 radio 1
 antenna transmit 3 radio 2
 ap-mac 649d.99d0.e29e
!

4. Configure rate sets
FS#show running
!
ac-controller
 country CN
 country US
 802.11g network rate 1 disabled ----->Disabled rates are not available
 802.11g network rate 2 disabled
 802.11g network rate 5 disabled
 802.11g network rate 11 mandatory
 802.11g network rate 6 supported
 802.11g network rate 9 supported
 802.11g network rate 12 supported
 802.11g network rate 18 supported
 802.11g network rate 24 supported
 802.11g network rate 36 supported
 802.11g network rate 48 supported
 802.11g network rate 54 supported
 802.11b network rate 1 disabled ----->Disabled rates are not available
 802.11b network rate 2 disabled
 802.11b network rate 5 mandatory
 802.11b network rate 11 mandatory
 802.11a network rate 6 disabled ----->Disabled rates are not available
 802.11a network rate 9 supported
 802.11a network rate 12 mandatory
 802.11a network rate 18 supported
 802.11a network rate 24 mandatory
 802.11a network rate 36 supported
 802.11a network rate 48 supported
 802.11a network rate 54 supported
!

5. Configure the number of users allowed to access the AP
FS#show ap-config running AP1
!
ap-config AP1
 no 11acsupport enable radio 1
 no 11acsupport enable radio 2
 802.11n mcs support 15 radio 1
 802.11n mcs support 15 radio 2
 antenna receive 3 radio 1
 antenna receive 3 radio 2
 antenna transmit 3 radio 1
 antenna transmit 3 radio 2
 sta-limit 12 ----->Configure the number of STAs that can access the AP; STAs beyond this number are denied access
 ap-mac 649d.99d0.e29e
!

6. Configure Layer 2 isolation within a wireless user VLAN
FS#show running
!
wids
 user-isolation ap enable ----->Wireless users on this AP cannot access each other at Layer 2
 user-isolation ac enable ----->Wireless users on this AC cannot access each other at Layer 2
 user-isolation ssid-ac enable ----->Wireless users belonging to the same WLAN on this AC cannot access each other at Layer 2
 user-isolation ssid-ap enable ----->Wireless users belonging to the same WLAN on this AP cannot access each other at Layer 2
!

7. Configure the Beacon frame period
FS#show ap-config running AP1
!
ap-config AP1
 no 11acsupport enable radio 1
 no 11acsupport enable radio 2
 802.11n mcs support 15 radio 1
 802.11n mcs support 15 radio 2
 antenna receive 3 radio 1
 antenna receive 3 radio 2
 antenna transmit 3 radio 1
 antenna transmit 3 radio 2
 beacon period 300 radio 1 ----->Capture packets to check beacon cycle changes
 ap-mac 001a.a9c5.3f49
!

8. Configure a pure 11n network
FS#show ap-config running AP1
!
ap-config AP1
 no 11asupport enable radio 2 ----->Non-11n devices cannot access the 5G network
 no 11bsupport enable radio 1 ----->Non-11n devices cannot access the 2.4G network
 no 11gsupport enable radio 1 ----->Non-11n devices cannot access the 2.4G network
 no 11acsupport enable radio 1
 no 11acsupport enable radio 2
 802.11n mcs support 15 radio 1
 802.11n mcs support 15 radio 2
 antenna receive 3 radio 1
 antenna receive 3 radio 2
 antenna transmit 3 radio 1
 antenna transmit 3 radio 2
 ap-mac 001a.a9c5.3f49
!

5.9.1.6 AC One-Click Network Optimization Method 1: Web One-Click Network Optimization

EWEB2.0 One-Click Network Optimization Guidance Notes

Background
1. In a newly deployed project, terminals connected to the wireless network have slow Internet access, and video and games lag.
2. The more the wireless network is used, the slower it gets; ping test delay fluctuates greatly, and packet loss even occurs.
3. A cell phone or computer connected to the wireless network is automatically disconnected during use and then automatically reconnects after a while.
4. When moving from one AP to the area under another AP, the phone's signal gets weaker and weaker, and the phone does not automatically switch to the signal broadcast by the nearest AP.

Reason
Wireless transmits data over the air. For data transmission, a virtual path is established between the wireless access point and the terminal, and this path is what we call the channel. Most of the wireless problems described above are in fact caused by wireless same-frequency interference. The following steps therefore guide you through quick wireless channel and power optimization on the wireless device side, to reduce interference problems and enhance the wireless experience.

Restrictions
1. The WEB2.0 one-key network optimization function is recommended for deployments of fewer than 500 APs.
2. The WEB2.0 one-click network optimization function does not support the Smart Score+ scenario.
3. The one-key network optimization process affects the use of wireless access and lasts about 12 minutes; it is recommended to run it outside the peak business period.
4. If dynamic channel adjustment or automatic radio adjustment of newly online APs is running in the background, one-key network optimization cannot be carried out; try again later.

Configuration steps
1. Log in to the AC eweb interface, click Configuration > Network Optimization > One-Click Network Optimization.
2. Check the checkbox "I have read the above notes", and then click One-Click Optimization.
3. An alarm message pops up; click OK.
4. The device automatically starts one-click optimization; wait for the automatic optimization to finish.
5. When optimization is complete, click Back.
6.
If it is currently the peak business period and optimization cannot be run, you can schedule the optimization instead; the scheduled time follows the device system time, not the time of the customer's computer.

Conclusion
Wireless network optimization is the most important part of wireless project deployment; whether a wireless network performs well depends mainly on whether optimization was done properly during deployment. Therefore, pay close attention to the wireless optimization stage in subsequent wireless deployments.

5.9.1.7 AC One-Click Network Optimization Method 2: Airware

AC One-Click Network Optimization
1. Register account
Airware login and registration address: https://airware.fs.com (you can log in directly with your mall account).
2. Deployment region
Choose your own region for Airware deployment: US, Europe or Singapore.
3. Create project
4. Add site
5. Access device
a. AC device operation:
Configure DNS servers
FS(config)#ip name-server 8.8.8.8
Configure CWMP domain name pointing
FS#configure
FS(config)#cwmp
FS(config-cwmp)#acs url http://airware.fs.com/acs
FS(config-cwmp)#end
FS#write
b. Airware operation:
Enter the SN number of the device, click OK, and wait 3-5 minutes for the device to come online automatically.
6. AC One-Click Network Optimization
a. Click Optimization to enter the optimization settings
b. Select the AP group to be optimized and the optimization scenario (automatic network optimization is provided for 7 scenarios)
c. Start optimization
d. During optimization
e.
Optimization completed

5.9.1.8 Fit AP wireless optimization application scenarios

Application Scenario
The main function of network optimization is to optimize the wireless network and enhance the wireless user experience by adjusting the WLAN configuration parameters. The occasions in which each WLAN optimization method applies are not exactly the same; see the following table.

| Optimization Method | Applicable Scenario |
| --- | --- |
| Channel Planning and Adjustment | Determined based on actual conditions |
| Power Planning and Adjustment | Determined based on actual conditions |
| Disable Low Data Rates | Applicable to high-density deployments (e.g., schools and buildings) |
| Create a Pure 11n Wireless Network | Configured according to actual network requirements |
| Adjust Beacon Transmission Interval | Effective in high-density deployments with multiple SSIDs configured on APs |
| Enable Layer 2 Isolation Within Wireless User VLANs | Should be configured for networks without Layer 2 inter-access requirements |
| Reduce the Impact of Weak Signal Terminals | Applicable to high-density deployments (e.g., schools and buildings) |
| Band Select | Applicable to high-density deployments where APs support dual-band operation |
| Power-Saving Client Optimization | Generally applicable to all deployment scenarios |
| Limit the Number of STAs per AP | Suitable for high-density deployments (e.g., schools and buildings) with many wireless users |

5.9.2 Optimization of Fat AP Wireless Networks

5.9.2.1 Function Profile

1. When there are more dual-band STAs in the network, it is recommended to turn on spectrum navigation to guide the dual-band STAs to connect to the 5G band with higher access capacity, so as to reduce the pressure on the 2.4G band and improve user experience. Turning on spectrum navigation slightly increases the access time of 2.4G STAs and dual-band STAs, by about 2 seconds, so the user experience will be slightly worse.
Spectrum navigation conflicts with load balancing, so it is recommended not to configure load balancing and spectrum navigation at the same time.
2. When some wireless users continuously occupy network resources so that other wireless users cannot use the network, configuring the wireless user speed limit function lets the limited network resources be better utilized to serve more users.
3. When a terminal accesses the wireless network from relatively far away from the AP, the wireless signal it emits is relatively weak at the AP side. The terminal's communication performance is then relatively poor, which shows as a low rate and a high retransmission rate, and it lowers the performance of the whole network. In this case it is recommended to enable the function of reducing weak signal terminals to restrict weak signal terminals from accessing the AP. However, this function will cause weak signal terminals to be unable to access the network; they will not be allowed to access the network until the number of times they have been restricted reaches the maximum number of times.
4. Management messages are generally sent using the lowest available rate. When management messages occupy a large share of air interface resources in the wireless network, it is recommended to disable low-rate applications to reduce the occupation of air interface resources and improve the channel utilization rate. Disabling low-rate applications may cause low-speed users to be unable to access the network.
5.
When there is a serious imbalance in the number of users across APs or radios in the network, it is recommended to configure a limit on the number of STA accesses under the AP or radio. This provides a degree of load sharing and avoids an uneven distribution of AP or radio access users. Limiting the number of STA accesses under the AP or radio conflicts with load balancing, so it is recommended not to configure them at the same time.
6. Networks without Layer 2 access requirements must be configured with this feature. Configuring Layer 2 isolation within the VLAN of wireless users can reduce network attacks and multicast message bandwidth consumption. Do not configure this feature for networks with Layer 2 access requirements, as it will prevent Layer 2 hosts from accessing each other.
7. When APs are densely deployed, increase the Beacon frame period to reduce the frequency of sending Beacon frames, reduce the channel occupancy of management messages, and increase the channel bandwidth available to wireless users. Configuring a Beacon frame period that is too large may result in frequent user drops or probes.
8. When there are only 11n clients in the network, it is recommended that a pure 11n network be established and non-11n devices be prohibited from accessing it. All 11n devices in the network then use pure HT header transmission, which reduces the message header size and increases the channel bandwidth available to wireless users. After a pure 11n network is established, non-11n devices cannot access it.

5.9.2.2 Networking Requirements and Configuration Points
1. Networking Requirements
General Fat AP scenarios where the AP supports dual-band.
2. Configuration Points
a. When there are many dual-band STAs in the network, it is recommended to enable spectrum navigation to guide dual-band STAs to connect to the higher-capacity 5G band, thereby reducing the pressure on the 2.4G band and improving user experience.
Enabling spectrum navigation will slightly increase the connection time for 2.4G STAs and dual-band STAs, by about 2 seconds, resulting in a slight degradation of user experience. Spectrum navigation conflicts with load balancing, so it is suggested not to configure both at the same time.
b. When certain wireless users continuously occupy network resources, preventing other wireless users from using them, configuring the wireless user speed limit function can better utilize limited network resources and serve more users effectively.
c. When a terminal connects to a wireless network and the distance between the terminal and the AP is relatively far, the wireless signal emitted by the terminal will be weak at the AP end. In this case, the communication performance of the terminal will be poor, reflected in a low rate and a high retransmission rate, which will lower the overall network performance. Therefore, it is recommended to enable the function of reducing weak signal terminals and restrict the access of these weak signal terminals to the AP. However, enabling this function will leave weak signal terminals unable to connect to the network until the maximum number of restrictions is reached.
d. Management frames are generally sent using the lowest available rate. When management frames occupy a lot of air interface resources in a wireless network, it is recommended to disable low-speed applications to reduce air interface resource usage and improve channel utilization. Disabling low-speed applications may prevent low-speed users from accessing the network.
e. When the number of access users of an AP or radio in the network is severely imbalanced, it is recommended to configure a limit on the number of STA accesses under the AP or radio to distribute the load to some extent and avoid unequal allocation of AP or radio access users.
Limiting the number of STA accesses under the AP or radio conflicts with load balancing, so it is recommended not to configure both at the same time.
f. For networks without Layer 2 intercommunication requirements, it is necessary to configure the function of wireless user VLAN-level isolation to reduce network attacks and multicast bandwidth consumption. For networks with Layer 2 intercommunication requirements, do not configure this function, as it will prevent Layer 2 hosts from communicating with each other.
g. In densely deployed AP scenarios, increasing the Beacon frame period can reduce the frequency of Beacon frame transmission, reduce the channel utilization of management frames, and increase the available channel bandwidth for wireless users. Configuring too large a Beacon frame period may cause frequent disconnections or detections by users.
h. When there are only 11n clients in the network, establishing a pure 11n network and prohibiting non-11n devices from accessing it can make all 11n devices in the network use pure HT header transmission, reduce the size of packet headers, and increase the available channel bandwidth for wireless users. After establishing a pure 11n network, non-11n devices cannot access the network.

5.9.2.3 Fat AP wireless optimization application scenarios
Application scenario
The main function of network optimization is to optimize the wireless network and enhance the wireless user experience by adjusting the WLAN configuration parameters. The WLAN optimization methods do not all apply to the same situations; see the following table.
WLAN Optimization Methods | Applications
Channel Planning Adjustments Optimization | Specific to the actual situation
Power Planning Adjustment Optimization | Specific to the actual situation
Disable low rate applications | Suitable for high-density deployments (schools and buildings)
Create a pure 11n wireless network | Set up according to actual network requirements
Adjust the interval between Beacon transmissions | Useful for high-density deployments and when APs are configured with many service sets (SSIDs)
Enable Layer 2 isolation within wireless user VLANs | Be sure to configure this feature for networks that do not require Layer 2 interconnections
Reduce the effects of weak signal terminals | Suitable for high-density deployments (schools and buildings)
Band Select | Applicable to high-density deployments where APs support dual-band
Power Saving Client Processing Optimization | Generalizable for all scenarios
Limit the number of STA accesses under the AP | Suitable for high-density deployment scenarios (schools and buildings) with a large number of wireless users

5.9.2.4 Configuration steps
1. Wireless Channel Tuning
Adjust the AP channel according to the previous channel plan. If no manual channel adjustment is performed, the AP generally uses channel 1 by default on 2.4G and channel 149 by default on 5.8G.
FS#configure terminal
FS(config)#interface dot11radio 1/0
FS(config-if-Dot11radio 1/0)#channel 6
FS(config-if-Dot11radio 1/0)#exit
FS(config)#interface dot11radio 2/0
FS(config-if-Dot11radio 2/0)#channel 153
FS(config-if-Dot11radio 2/0)#end
FS#write
Note: The principle of channel planning is that neighboring APs, including the APs on the floors above and below, need to use different channels.
The 2.4G channels that do not interfere with each other are the three channels 1, 6, and 11 (for a high-density deployment, you can consider deploying channels 1/5/9/13), and the 5.8G channels that do not interfere with each other are channels 149, 153, 157, 161, and 165 (if 5.8G channel interference in the network is serious, you can modify the coding method to US in ac-c mode and ap-config mode to use channels 36, 40, etc.).
Wireless channel tuning, web configuration method:
a. The channel settings for the 2.4G network are described in the following figure:
b. The channel settings for the 5.8G network are described in the following figure:
2. Wireless Power Adjustment
Adjust the AP power according to the previously obtained AP power adjustment experience value to ensure that the signal strength of wireless users at the farthest end of the AP is equal to the signal strength indicator +10dB. The default AP transmit power is 100%.
FS#configure terminal
FS(config)#interface dot11radio 1/0
FS(config-if-Dot11radio 1/0)#power local 50 ----->Transmit power is adjusted to fifty percent; RF card 2 can also be set, with parameters to suit the actual environment
FS(config-if-Dot11radio 1/0)#end
FS#write
The web adjustment method is on the same adjustment page as the channel adjustment method.
3. Speed limiting for wireless users
a. The speed limit for wireless users is based on the previously acquired experience value for wireless user speed limits. The speed limit is designed to ensure that every user gets access to wireless traffic and to prevent individual users from starting downloads that occupy all the wireless bandwidth.
FS#configure terminal
FS(config)#wlan-qos ap-based per-user-limit up-streams average-data-rate 100 burst-data-rate 1024 ----->Configure AP-based speed limit, 100KB/s upstream speed limit
FS(config)#wlan-qos ap-based per-user-limit down-streams average-data-rate 200 burst-data-rate 1024 ----->Configure AP-based speed limiting with a downstream speed limit of 200KB/s
FS(config)#wlan-qos netuser 14cf.920b.bfce inbound average-data-rate 256 burst-data-rate 1024 ----->Configure client-based speed limits
FS(config)#wlan-qos wlan-based 1 per-user-limit up-streams average-data-rate 256 burst-data-rate 1024 ----->Configure WLAN-based speed limits
FS(config)#end
FS#write
b. Check that the configuration has taken effect
Wireless users connect to the wireless network and download with Thunderbolt or FTP to confirm whether the speed limit is effective.
4. Turn off wireless low rate sets
a. It is recommended that 11b/g 1M, 2M, 5M, 11a 6M, 9M and other low rate sets be turned off, to prevent individual users from sending so many low-speed messages that overall wireless performance suffers.
FS#configure terminal
FS(config)#interface dot11radio 1/0
FS(config-if-Dot11radio 1/0)#rate-set 11b disable 1 ----->Disable the corresponding rate of 11b; to restore it, change disable to support
FS(config-if-Dot11radio 1/0)#rate-set 11b disable 2
FS(config-if-Dot11radio 1/0)#rate-set 11b disable 5
FS(config-if-Dot11radio 1/0)#rate-set 11g disable 1 ----->Disable the corresponding rate of 11g; to restore it, change disable to support
FS(config-if-Dot11radio 1/0)#rate-set 11g disable 2
FS(config-if-Dot11radio 1/0)#rate-set 11g disable 5
FS(config-if-Dot11radio 1/0)#exit
FS(config)#interface dot11radio 2/0
FS(config-if-Dot11radio 2/0)#rate-set 11a disable 6 ----->Disable the corresponding rate of 11a; to restore it, change disable to support
FS(config-if-Dot11radio 2/0)#rate-set 11a disable 9
FS(config-if-Dot11radio 2/0)#end
FS#write
b.
Check that the configuration has taken effect
On the AC, use show ac-config client to check whether there are still users associated at low rates.
5. AP user number adjustment
a. Adjust the AP user limit so that an AP with too many users does not affect overall performance. How many users a single AP is limited to needs to be determined according to customer demand.
FS#configure terminal
FS(config)#interface dot11radio 1/0
FS(config-if-Dot11radio 1/0)#sta-limit 30 ----->Configure the number of users allowed to access AP RF card 1
FS(config-if-Dot11radio 1/0)#exit
FS(config)#interface dot11radio 2/0
FS(config-if-Dot11radio 2/0)#sta-limit 35 ----->Configure the number of users allowed to access AP RF card 2
FS(config-if-Dot11radio 2/0)#end
FS#write
b. Check that the configuration has taken effect.
Test connectivity with multiple wireless terminals and view the number of wireless users on the AP with show dot11 ass all; the number of wireless users does not exceed the limit.
6. Wireless RSSI Access Threshold Adjustment to Reduce Weak Signal Terminals
a. Adjusting the RSSI access threshold can prevent wireless users with poor signals from associating, prevent wireless users from associating with APs with poor signals, and to a certain extent avoid the frequent roaming of wireless users that lowers user experience.
Note: This optimization parameter is only applicable to scenarios with good wireless signal coverage, and is not applicable to environments with poor signal coverage. The RSSI value needs to be determined according to the actual environment. It is recommended that a wireless user associate from the farthest place in the AP coverage. Then check the RSSI on the AP with show dot11 associations all-client; this RSSI is the access threshold value that needs to be configured.
FS#configure terminal
FS(config)#interface dot11radio 1/0
FS(config-if-Dot11radio 1/0)#response-rssi 20 ----->Configure the minimum RSSI value for wireless user access (the lowest RSSI at which a terminal can access the wireless network)
FS(config-if-Dot11radio 1/0)#coverage-area-control 20 ----->Configure the transmission power of the management frame (this parameter is in dB). A management frame power that is too small may result in insufficient coverage, and one that is too large may result in too wide a coverage and lead to far-end association. It is recommended that the management frame power of 5G be 6-8 dB more than that of 2.4G to guide dual-band terminals to prioritize access to 5G.
FS(config-if-Dot11radio 1/0)#assoc-rssi 28 ----->Configure the RSSI value for an associated wireless user (if the average value stays lower than this value for a period of time after the terminal is connected, the terminal will be kicked offline. The same terminal, after being kicked once, will not be kicked a second time within 10 minutes)
FS(config-if-Dot11radio 1/0)#exit
FS(config)#interface dot11radio 2/0
FS(config-if-Dot11radio 2/0)#response-rssi 20
FS(config-if-Dot11radio 2/0)#coverage-area-control 20
FS(config-if-Dot11radio 2/0)#assoc-rssi 28
FS(config-if-Dot11radio 2/0)#end
FS#write
b. Check that the configuration has taken effect
Check for user associations with low signal strength on the AP with show dot11 associations all-client.
7. Setting up a pure 11n network
a. Force all wireless terminals in the wireless network to use 11n to improve wireless network performance.
Note: Allowing only 11n NICs to access applies only to customer sites where the wireless terminals are fairly uniform. If the wireless terminals are more diverse, the risk cannot be controlled, and a customer survey needs to be conducted before configuring this.
FS#configure terminal
FS(config)#interface dot11radio 1/0
FS(config-if-Dot11radio 1/0)#no 11bsupport enable ----->Configuration to disable 11b networking
FS(config-if-Dot11radio 1/0)#no 11gsupport enable ----->Configuration to disable 11g networking
FS(config-if-Dot11radio 1/0)#11nsupport enable ----->Configure to enable 2.4G 11n networks
FS(config-if-Dot11radio 1/0)#exit
FS(config)#interface dot11radio 2/0
FS(config-if-Dot11radio 2/0)#no 11asupport enable ----->Configuration to disable 11a networking
FS(config-if-Dot11radio 2/0)#11nsupport enable ----->Configure to enable 5G 11n networks
FS(config-if-Dot11radio 2/0)#end
FS#write
b. Configuration Verification
Access the wireless network using 11n-supporting and non-11n-supporting wireless NICs respectively. 11n-supporting NICs can access the wireless network, and non-11n-supporting wireless NICs cannot.
8. Set spectrum navigation (5G priority; only some APs support 5G priority when in fat mode)
FS# configure terminal
FS(config)#dot11 wlan 1
FS(dot11-wlan-config)#band-select enable ----->Configuration to enable spectrum navigation
FS(dot11-wlan-config)#end
FS# write
9. Layer 2 isolation within wireless user VLANs
FS# configure terminal
FS(config)#wids ----->Enter wids configuration mode
FS(config-wids)#user-isolation ssid-ap enable ----->Configure WLAN-based user isolation under the AP
FS(config-wids)#user-isolation ap enable ----->Configure user isolation under the AP
FS(config-wids)#end
FS#write
10. Increase the Beacon frame period
FS#configure terminal
FS(config)#interface dot11radio 1/0
FS(config-if-Dot11radio 1/0)#beacon period 300 ----->Configure the RF card 1 Beacon frame period. The default is 100ms. After the parameter is adjusted, terminals may discover the signal slowly, so this parameter is seldom adjusted.
FS(config-if-Dot11radio 1/0)#end
FS#write

5.9.2.5 Notice
1. Spectrum navigation
Turning on spectrum navigation affects user access time.
It cannot be turned on at the same time as load balancing.
2. Wireless user speed limit
Packets are discarded when the data traffic does not meet the committed rate.
3. Reduce weak signal terminals
The minimum RSSI for wireless user access cannot be too large, or a large number of wireless users may be unable to access. The management frame sending power cannot be too large, otherwise a large number of distant wireless users may be unable to discover the network.
4. Disable low rate applications
Disabling a rate makes that rate unavailable. Disabling all rates makes wireless users unable to access. Disabling all 11b rates makes 11b wireless users unable to access.
5. Limit the number of STA accesses under the AP
Cannot be enabled at the same time as load balancing.
6. Layer 2 isolation in the VLAN for wireless users
Networks with Layer 2 access requirements must not be configured with this feature.
7. Increase the Beacon frame period
The Beacon frame period should not be too large, otherwise it may lead to frequent user drops or detection.
8. Establishing a pure 11n network
In a pure 11n network, non-11n devices cannot access.

5.9.2.6 Functional verification
1. Configuration of spectrum navigation
FS# show running
!
dot11 wlan 1
band-select enable ----->Enable the WLAN's spectrum navigation function to guide dual-band STAs into the 5G band
!
2. Configure wireless user speed limit
FS#show running
!
wlan-qos ap-based per-user-limit up-streams average-data-rate 256 burst-data-rate 1024 ----->For each user on the AP, the uplink traffic is limited to an average rate of 256 * 8Kbps, and the burst rate is limited to 1024 * 8Kbps.
wlan-qos wlan-based 1 per-user-limit up-streams average-data-rate 256 burst-data-rate 1024 ----->Specify that for each user on the WLAN, the average uplink traffic limit is 256 * 8Kbps, and the burst rate is 1024 * 8Kbps.
wlan-qos netuser 14CF.920B.BFCE inbound average-data-rate 256 burst-data-rate 1024 ----->For the specified user, the uplink traffic is limited to an average rate of 256 * 8Kbps, and the burst rate is limited to 1024 * 8Kbps.
!
3. Configure the allowed access signal strength
FS#show running
!
interface Dot11radio 1/0
chan-width 20
country-code US
radio-type 802.11b
channel 1
antenna receive 3
antenna transmit 3
rate-set 11b mandatory 1 2 5 11
rate-set 11g mandatory 1 2 5 11
rate-set 11g support 6 9 12 18 24 36 48 54
rate-set 11n mcs-support 15
no ampdu-rts
response-rssi 20 ----->Configure the RSSI value of wireless users allowed to access; distant wireless users whose RSSI is below this value cannot access the network.
coverage-area-control 30 ----->Configure the management frame sending power; distant wireless users below this value cannot access the network
station-role root-ap
!
4. Configure the rate set
FS#show running
!
interface Dot11radio 1/0
chan-width 20
country-code US
radio-type 802.11b
channel 1
antenna receive 3
antenna transmit 3
rate-set 11b mandatory 2 5 11
rate-set 11b disable 1 ----->Disabled rates are not available
rate-set 11g mandatory 2 5 11
rate-set 11g support 6 9 12 18 24 36 48 54
rate-set 11g disable 1 ----->Disabled rates are not available
rate-set 11n mcs-support 15
no ampdu-rts
station-role root-ap
!
interface Dot11radio 2/0
chan-width 20
country-code US
no short-preamble
radio-type 802.11a
channel 149
antenna receive 3
antenna transmit 3
rate-set 11a mandatory 12 24
rate-set 11a support 9 18 36 48 54
rate-set 11a disable 6 ----->Disabled rates are not available
rate-set 11n mcs-support 15
no ampdu-rts
station-role root-ap
!
5. Configure the number of users allowed to access the AP
FS#show running
!
interface Dot11radio 1/0
chan-width 20
country-code US
radio-type 802.11b
channel 1
antenna receive 3
antenna transmit 3
rate-set 11b mandatory 1 2 5 11
rate-set 11g mandatory 1 2 5 11
rate-set 11g support 6 9 12 18 24 36 48 54
rate-set 11n mcs-support 15
no ampdu-rts
sta-limit 12 ----->Configure the number of AP-based STAs that can be accessed; STAs with more than this value are denied access
station-role root-ap
!
6. Configuring Layer 2 Isolation within a Wireless User VLAN
FS#show running
!
wids
user-isolation ap enable ----->Wireless users on this AP cannot access each other at Layer 2
user-isolation ssid-ap enable ----->Wireless users belonging to the same WLAN on this AP cannot access each other at Layer 2
!
7. Configuring the Beacon frame period
FS#show running
!
interface Dot11radio 1/0
chan-width 20
country-code US
beacon period 300 ----->Capture packets to see beacon cycle changes
radio-type 802.11b
channel 1
antenna receive 3
antenna transmit 3
rate-set 11b mandatory 1 2 5 11
rate-set 11g mandatory 1 2 5 11
rate-set 11g support 6 9 12 18 24 36 48 54
rate-set 11n mcs-support 15
no ampdu-rts
station-role root-ap
!
8. Configure a pure 11n network
FS#show running
!
interface Dot11radio 1/0
chan-width 20
country-code US
radio-type 802.11b
channel 1
antenna receive 3
antenna transmit 3
rate-set 11b mandatory 1 2 5 11
rate-set 11g mandatory 1 2 5 11
rate-set 11g support 6 9 12 18 24 36 48 54
rate-set 11n mcs-support 15
no ampdu-rts
no 11bsupport enable ----->Non-11n devices cannot access 2.4G networks
no 11gsupport enable ----->Non-11n devices cannot access 2.4G networks
station-role root-ap
!
interface Dot11radio 2/0
chan-width 20
country-code US
no short-preamble
radio-type 802.11a
channel 149
antenna receive 3
antenna transmit 3
rate-set 11a mandatory 6 12 24
rate-set 11a support 9 18 36 48 54
rate-set 11n mcs-support 15
no ampdu-rts
no 11asupport enable ----->Non-11n devices cannot access 5G networks
station-role root-ap
!
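The functional-verification checks above can be run against a saved show running capture rather than read by eye. The following Python is an added example, not FS code: the sample config is constructed in the layout of the excerpts above, the one-space indentation of sub-commands is an assumption, and the dBm conversion (configured value minus 95) is taken from this guide's FAQ.

```python
import re

# Constructed sample in the layout of the "show running" excerpts above.
SAMPLE = """\
!
wids
 user-isolation ap enable
!
interface Dot11radio 1/0
 beacon period 300
 rate-set 11b mandatory 2 5 11
 rate-set 11b disable 1
 rate-set 11g mandatory 2 5 11
 rate-set 11g support 6 9 12 18 24 36 48 54
 rate-set 11g disable 1
 response-rssi 20 ----->inline annotations like this are ignored
 sta-limit 12
!
interface Dot11radio 2/0
 channel 149
 rate-set 11a mandatory 12 24
 rate-set 11a support 9 18 36 48 54
 rate-set 11a disable 6
 no 11asupport enable
!
"""

SECTION_RE = re.compile(r"^(interface dot11radio \S+|dot11 wlan \d+|wids)$", re.I)
LOW_RATES = {"11b": {1, 2, 5}, "11g": {1, 2, 5}, "11a": {6, 9}}  # rates the guide suggests disabling
DEFAULT_BEACON_MS = 100  # default beacon period stated in the guide
RSSI_OFFSET = -95        # guide's FAQ: signal strength in dBm = configured value - 95


def parse_sections(text):
    """Group config lines under their section header; a '!' line closes the section."""
    sections, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = " ".join(raw.split("----->")[0].split())  # drop annotations, normalise spaces
        if line == "!":
            current = "global"
        elif SECTION_RE.match(line):
            current = line.lower()
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def audit_radio(lines):
    """Summarise one 'interface Dot11radio' section."""
    enabled, disabled = {}, {}
    out = {"response_rssi_dbm": None, "sta_limit": None,
           "beacon_period_ms": DEFAULT_BEACON_MS, "legacy_blocked": []}
    for line in lines:
        tok = line.split()
        legacy = re.fullmatch(r"no (11[abg])support enable", line)
        if tok[0] == "rate-set" and len(tok) > 3 and tok[2] in ("mandatory", "support", "disable"):
            target = disabled if tok[2] == "disable" else enabled
            target.setdefault(tok[1], set()).update(int(r) for r in tok[3:])
        elif tok[0] == "response-rssi" and len(tok) == 2:
            out["response_rssi_dbm"] = int(tok[1]) + RSSI_OFFSET
        elif tok[0] == "sta-limit" and len(tok) == 2:
            out["sta_limit"] = int(tok[1])
        elif tok[:2] == ["beacon", "period"] and len(tok) == 3:
            out["beacon_period_ms"] = int(tok[2])
        elif legacy:
            out["legacy_blocked"].append(legacy.group(1))
    usable = {std: rates - disabled.get(std, set()) for std, rates in enabled.items()}
    out["low_rates_on"] = {std: sorted(r & LOW_RATES[std]) for std, r in usable.items()
                           if r & LOW_RATES.get(std, set())}
    # Assumes the capture lists mandatory/support lines, as the guide's excerpts do.
    out["fully_disabled"] = sorted(s for s in disabled if not usable.get(s))
    return out


def audit(text):
    """Return the parsed settings plus findings tied to the guide's notices."""
    sections = parse_sections(text)
    report = {
        "l2_isolation": sorted(l for l in sections.get("wids", [])
                               if re.fullmatch(r"user-isolation \S+ enable", l)),
        "radios": {n.split()[-1]: audit_radio(ls) for n, ls in sections.items()
                   if n.startswith("interface dot11radio")},
        "findings": [],
    }
    if not report["l2_isolation"]:
        report["findings"].append("wids: no user-isolation, clients can reach each other at Layer 2")
    for radio, r in report["radios"].items():
        for std, rates in r["low_rates_on"].items():
            report["findings"].append(f"radio {radio}: low {std} rates still enabled: {rates}")
        for std in r["fully_disabled"]:
            report["findings"].append(f"radio {radio}: every {std} rate disabled, {std} clients locked out")
        for std in r["legacy_blocked"]:
            report["findings"].append(f"radio {radio}: {std} support off, non-11n clients cannot join")
    return report
```

Calling audit() on the text of a capture returns the per-radio settings and a findings list; a missing user-isolation finding matters only on networks without Layer 2 inter-access requirements, as the notice above states.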
5.9.3 Wireless Network Optimization FAQ
1. How is the RSSI displayed on the device converted?
RSSI stands for Received Signal Strength Indicator and ranges from 0 to 100. The corresponding wireless user signal strength is this value minus 95; for example, if the configuration value is 25, the corresponding wireless user signal strength is 25-95 = -70dBm.
2. Which is better, automatic channel adjustment or manual adjustment on the AC?
Automatic channel adjustment on the AC is inaccurate and can consume device resources. It is recommended to connect to Airware for optimization and improve network optimization efficiency. If it is not convenient to connect, manual adjustment is needed. Manual adjustment command:
FS(config)#advanced 802.11b channel dca anchor-time 0 4 ---> Adjust the channel automatically from 0 to 4.
3. What are the limitations of scanning wireless networks on the Android 2.1 operating system?
The Android 2.1 operating system lists at most 30 wireless networks when scanning. When there are more than 30, some AP SSIDs will not be displayed.
4. What are the limitations of associating wireless networks on the Win7 operating system?
It is difficult for a Win7 client to associate with the strongest AP signal, while WinXP always associates with the strongest AP signal. This is because the association algorithm of Win7 is different from that of WinXP. Win7 uses the disconnection frequency as the basis for connecting to an AP. Based on current test results, Win7 will automatically associate with another AP after 6-7 consecutive disconnections.
5. What are the limitations of using Apple AirPlay?
The device discovery function of AirPlay uses Bonjour (also known as MDNS, using UDP multicast technology), so wireless users must be on the same subnet. The AP needs wireless broadcast forwarding enabled with data-plane wireless-broadcast enable (configured under global mode).
If the broadcast is not effective after it is enabled, multicast can be enabled.
6. What are the usage limitations of the RRM channel adjustment function?
After the RRM DCA algorithm runs, it selects the optimal channel based on the surrounding neighbor channel conditions and distributes it to the AP. When the AP changes channels, STAs are temporarily disconnected. Since the RRM function needs to switch to other channels to receive and transmit neighbor messages, communication on the working channel is completely interrupted while the radio is on other channels. For users on the network, this results in increased ping packet delay, and packet loss of various kinds occurs when wireless signal quality is poor. By default, RRM's DCA function runs only from 02:00 to 04:00. If the running cycle of DCA is changed to 20 minutes, or it is run frequently during the day, it will seriously affect customers' usage and experience. It is recommended not to modify the default configuration of RRM and to turn off RRM during business hours. Only use channel adjustment when no one is using the network.
Deployment limitations: In a dual AC hot backup environment, there are some issues with the automatic channel and power adjustment function of RRM after an AC hot backup switch, including:
a. The actual working channel of the AP is inconsistent with the AP working channel displayed on the AC, and channel conflict log prompts are produced;
b. The group leader election of ACs in A/A hot backup mode cannot work, affecting the DCA algorithm between multiple ACs.
In a dual AC hot backup deployment, it is recommended to disable the automatic channel and power adjustment function of RRM and manually set the channel and power of the AP.
7. What are the limitations of deploying multiple WLANs on an AP?
If the AP is associated with too many WLANs, such as 32 configured WLANs, management packets may fail to be transmitted and become stuck in the sending queue, making it difficult for users of some network cards to associate.
Network reasons:
Number of WLANs: when the number of WLANs is 32, the AP needs to send out 32 beacons in one Beacon cycle (i.e., it needs to send out 320 beacons within 1s). If an STA sends a broadcast probe request frame, the AP needs to reply with 32 probe response frames. Assuming that the beacon and probe response frames are 240 bytes (the actual frame size is larger than 240 bytes) and they are all sent at a rate of 1Mbps, the AP needs to occupy 675ms to send these management frames, which is nearly 70% of the channel. If the probe response frames from other APs are added, the management frames will occupy nearly 80% of the channel.
AP queue packet length problem: probe response frames and authentication frames both belong to management frames and are sent in the same priority queue. In a poor channel environment, the probe response frames may not be sent in time, so Authentication frames are blocked in the hardware queue and delayed. Different STAs define the Authentication timeout differently, so some network cards, such as D-Link DWA125 network cards, are unable to associate. Therefore, in a poor network environment, it is difficult to associate. The problem follows from the theoretical analysis and is not within the scope of software improvement. It needs to be addressed through network optimization.
Several points can be optimized:
Rate set: limit low-speed packets to increase the transmission rate of management frames;
Disable broadcast probe response: reduce the number of management frames to improve the efficiency of sending Authentication frames;
In a relatively clean environment: test whether users can associate in a shielded room or in a 5G environment;
Increase QoS competitive parameters: improve the channel competition ability of management frames.
8. What are the effects of local forwarding when STA and AP share a VLAN?
In a local forwarding deployment, when STA and AP share a VLAN, they are within the same broadcast domain. If many APs are deployed in the same VLAN, the ARP broadcast packets of an AP and its STAs will be sent to the other APs, so each AP receives a large number of ARP broadcast packets, which impacts the AP's CPU. This setting may cause the ARP packets of the AP's gateway to be overwhelmed by the ARP packets of other APs, resulting in ARP aging and abnormal communication of the AP. Therefore, when deploying this function, take care not to deploy a large number of APs in the same VLAN.
9. After configuring the response RSSI value, will the terminal still be able to associate if the RSSI is lower than the threshold?
Association is allowed after the terminal has been rejected twice. If you want to permanently disallow association, you can configure strict-limit response-rssi on the AC controller (hidden command, save through write).
10. How to achieve automatic association of wireless signals for terminals?
a. Manually disconnected SSIDs will not automatically associate, and this is normal;
b. Laptops need to be checked for automatic association.
11. What are the signal attenuation values for different materials?
The empirical values for 2.4GHz electromagnetic wave penetration loss through various obstacles are as follows:
a. Obstruction of walls (assuming wall thickness of 100-300mm): 20-40dB;
b.
Obstruction of floors (reinforced concrete structure): 30dB or more;
c. Obstruction of wooden furniture, doors, and other wooden partitions: 2-15dB;
d. Thick glass (12mm): 10dB.

5.9.4 Common Troubleshooting for Wireless Network Optimization
5.9.4.1 Common Troubleshooting of User Wireless Associations
Frequent unlinking occurs in the office
1. Failure phenomenon
After a STA associated with the AP in the corridor, the user walked to the workstation and had a poor experience: unassociation or dropouts.
2. Network Environment
Simplified: AP-N505-----FS core switch------- intermediate device------AC-7072
3. Processing steps
a. Capture packets with Omnipeek and analyze the process of STA association to the AP.
b. During the packet capture, it is found that the STA with the corresponding MAC has been unassociated.
c. WirelessMon shows that the RSSI is less than -68 and fluctuates after entering the teacher's workstation.
d. Turn on logging on the AP
FS(config)#logging on
FS#terminal monitor
e. The AP keeps reporting that the RSSI is less than 20, and the user cannot associate successfully
--More--
*Nov 18 00:34:53: %WLAN-6-80211N: STA(0003.7faa.bb05) fails to active in BSSID(d69d.99d0.187e): RSSI(19) too low than threshold(20) to join.
*Nov 18 00:34:54: AC1-ACTIVE %APMG-6-STA_ADD: Client(0003.7faa.bb05) notify: attach to AP (649d.99d0.e3fe).
*Nov 18 00:34:54: %WLAN-6-80211N: STA(0003.7faa.bb05) fails to active in BSSID(d69d.99d0.187e): RSSI(19) too low than threshold(20) to join.
f. An unreasonable RSSI configuration prevents users from joining the AP
4. Troubleshooting
Adjust response-rssi to 10 to solve the poor experience problem in the web center.
5. Troubleshooting Summary and Notes
RSSI is a "double-edged sword".
a.
If the setting is too low, the negotiation rate between STA and AP is reduced, and a large number of low-rate air-interface messages are retransmitted repeatedly, degrading other users' experience;
b. If the setting is too high, other users' experience improves, but in some rooms, especially those behind two walls, users get the poor experience described above;
c. In summary, it is recommended that RSSI be set to 10, and that other APs be adjusted according to different floors and deployments.

Feedback on User Association Difficulty
1. Malfunction Phenomenon
In Western Classroom 5, students report poor user experience, slow internet access, and difficulty associating.
2. Networking Environment
Simplified: AP-N505-----PoE switch------- intermediate device------AC-7072
3. Processing Steps
a. On site, the AP light is found to be normal.
b. WirelessMon shows that the signal strength under the AP is good, with RSSI around -56; after entering the room the RSSI is less than -70.
c. In general, the signal strength RSSI directly under an AP is higher than -30, so it can be initially judged that the signal being received does not come from this AP.
d. On the AC, the AP for room 415 is found not to be in the Run state:
#show ap-config summary
========= show ap status =========
Radio: Radio ID
E = Enabled, D = Disabled, N = Not Exist
Current Sta number
Channel: * = Global
Power Level = Percent
Online AP number: 297
Offline AP number: 19
AP Name IP Address MAC Address Radio Radio Up/Off Time State
00d0.f822.3320 — 00d0.f822.3320 1 E 1 9 100 2 E 0 149* 100 0:01:03:11 Run
XI5-zl-415 — 001a.a938.000d 1 N - - - 2 N - - - 0:11:47:21 Quit
Note: The "Quit" status indicates that AP tunnels on the corresponding floor are disconnected.
e. As judged above, a single AP has "lost" its connection to the AC, that is, the failure occurred between a single AP and the AC.
f.
Using the "lost" AP's IP address, a remote ping to this AP succeeds, which shows that the AP itself is in a normal state.
g. Log on to the AP through its address to check the AP status; the AP is found to be set to fat mode, which is why this single AP "lost connection".
#telnet 88.0.3.251 (the corresponding AP's IP address)
Trying 88.0.3.251, 23...
User Access Verification
Password:(Password: FS)
FS>en
Password:(Password: apdebug)
FS#show ap-mode -----------------Check to show that the AP is set to fat mode
current mode: fat
h. The steps above identify the reason why the AP "lost connection".
i. Force the AP to convert to fit mode on the AP, and the AP will resume working immediately.
FS(config)#ap-mode fit
4. Troubleshooting
a. The AP is forced to convert to fit mode, the AP immediately establishes a tunnel, and the problem is solved.
5. Troubleshooting Summary and Points to Note
a. An AP running online is generally forced into fat mode for one of two reasons:
- Human operational error
- Password leakage on the AP
After multiple checks by various parties, it could not be determined why the AP was switched to FAT mode. Further observation is needed.

5.9.4.2 Poor experience due to wireless signal anomaly

User feedback of poor wireless signal experience on half of the floors
1. Failure phenomenon
Teachers in Western 5 report poor wireless signal experience on half of the floors.
2. Network environment
AP-N505-----POE switch------- intermediate device------AC-7072
3. Processing steps
a. On site, WirelessMon shows that the signal strength toward the corridor is good, with RSSI around -41; inside the room the RSSI is less than -68.
b.
Checking the online APs on the AC reveals that the APs are all offline:
#show ap-config summary
========= show ap status =========
Radio: Radio ID
E = Enabled, D = Disabled, N = Not Exist
Current Sta number
Channel: * = Global
Power Level = Percent
Online AP number: 187
Offline AP number: 11
AP Name IP Address MAC Address Radio Radio Up/Off Time State
------------------------------------- ------------- -------------- ------------------ ------------------ -------------- -----
XI5 88.0.3.251 00d0.f822.3320 1 E 1 9 100 2 E 0 149* 100 0:01:03:11 Run
001a.a938.000d - 001a.a938.000d 1 N - - - 2 N - - - 0:11:47:21 Quit
001a.a938.0013 - 001a.a938.0013 1 N - - - 2 N - - - 0:11:47:21 Quit
001a.a94a.82b1 - 001a.a94a.82b1 1 N - - - 2 N - - - 0:11:47:21 Quit
Note: The "Quit" status indicates that AP tunnels on the corresponding floors are disconnected.
c. Check the APs: the indicator lights are not lit, so they are suspected of being powered down.
d. Check the POE power supply in the computer room: all the equipment inside the room is found to be powered down.
e. After multiple communications with the teacher to restore power, the fault is resolved.
4. Fault solution
The POE switch in the computer room was powered down.
5. Fault summary and points to note
a. There are beds and quilts in the room where the POE switches are placed in Western 5, and someone is sleeping in it;
b. Judging from the AP online time, there have been three disconnections, and the problem may continue to occur;
c. If half of a floor is unable to access the Internet, a power-down is generally the more probable cause.

Inspection found that 70-room signal is in the weak coverage area
1. Fault phenomenon
a.
Unsatisfactory signal quality in some areas
For various reasons, user terminals inside the rooms experience the following: the FS signal cannot be found, association fails, association succeeds but IP acquisition through DHCP fails, authentication times out, the network is slow, the terminal is online but the signal is unstable, and even stationary users roam;
b. Weak coverage in some areas
The rooms are located on both sides of the building, the site survey period was short, the site survey used AP330, the APs were not deployed strictly according to the site survey during actual construction, and one AP has to serve 4~8 rooms. On-site signal measurement shows that after penetrating two walls there are some areas of weak coverage (less than -75dBm). Most handheld terminals have smaller antennas and therefore need a stronger signal, by 10-20dBm, so areas with signal strength below -65dBm also count as weak coverage for handheld terminals.
2. Network environment
Simplified: AP-N505-----POE switch------- intermediate device------AC-7072
3. Possible causes of failure
a. AP deployment location problem
b. AP facing problem
4. Processing steps
a. Status light does not light up after power on
PoE power supply: Check that the device at the other end of the connecting cable at least meets the 802.11af power supply mode, and then check whether the cable is connected normally.
Adapter power supply: Check whether there is utility power input to the adapter, and then check whether the adapter is working normally and whether the output voltage is around 48V.
b.
After connecting the Ethernet cable, the LED flashes red quickly
Check whether the device at the other end of the Ethernet cable is working normally, then test whether the Ethernet cable supports the current working rate, and make sure the cable is connected normally.
c. Users can't discover AP
Check the above two steps first.
Check if the AP is configured correctly.
Adjust the antenna angle of the AP device.
Move the user client and adjust the distance between the client and the AP.
5. Troubleshooting
a. The back of the AP is a metal heat-conducting sheet (the metal plate inside the red box in the picture). Wireless signals cannot pass through metal; they are usually reflected or diffracted to the area behind it, so the signal behind the AP is worse.
b. It is recommended that the AP panel be wall-mounted with the front facing the user's room.
6. Fault summary and points to note
The inspection data show that the AP installation deviated in several buildings; in particular, the AP panel faces the wrong way. The back is a metal heat-conducting sheet that the signal cannot pass through, which directly leads to poor signal in the whole room.

5.9.4.3 Poor wireless user experience

Unusual wireless user drops and instability
1. Fault Phenomenon
In the process of using the wireless network, the wireless users experience abnormal dropouts and unstable communications.
2. Possible causes of the malfunction
a. Closing the keep-alive page
b. Weak wireless signal
c. Rogue AP with the countermeasure function enabled
d. Severe wireless co-channel interference
e. ARP attack on the wireless network
f. Wireless network card problems
g. Version instability
3. Troubleshooting Process
Step 1: Confirm whether the terminal closes the keep-alive page
Step 2: Check the signal strength of wireless users
Step 3: Check whether the rogue AP has enabled the countermeasure function.
Step 4: Check whether there is wireless same-frequency interference
Step 5: Confirm the existence of ARP attacks
Step 6: Troubleshoot individual wireless network card problems
Step 7: Check whether the AC/AP version is the latest version
Step 8: After gathering information, please contact +1 (888) 468 7419 for assistance.
- Collect AC/AP log information
- Collect wireless terminal operating system
- Collect wireless card drivers
- Collect RF environment screenshots
- Collect AP positioning deployment diagrams
4. Troubleshooting Steps
Step 1: Confirm whether the terminal closes the keep-alive page (for Web generation authentication)
Confirm whether the AC uses Web generation authentication. At present, most cellular terminals do not support multi-processing, and the keep-alive page is closed automatically when other web pages are accessed. If this happens, you can turn off the page keep-alive function of the eportal server or change the Web Generation 1 authentication to Web Generation 2 authentication.
To turn off traffic keep-alive on eportal:
Open mode: pop-up keep-alive. Do not change the page keep-alive method casually or frequently; it is recommended to use the jump method to keep alive, so that the keep-alive page is not intercepted.
Timeout detection: Close
Tip: Users who manually close the eportal window do not go offline; the traffic monitoring function is needed to detect whether the user is offline.
If the problem still cannot be solved by turning off the eportal traffic monitoring function, then go to the next step of investigation.
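Before changing the RSSI threshold, it helps to see which stations the AP is rejecting and by how much. The following is an added example, not FS code: it tallies the `%WLAN-6-80211N` rejection messages quoted in 5.9.4.1 and shows which stations each candidate `response-rssi` value would admit. It assumes a station is admitted when its RSSI is greater than or equal to the threshold, and it uses the -95 offset from this guide's `response-rssi` example; the second station in the sample log is constructed.

```python
import re

# Constructed sample. Lines 1-3 are the messages quoted in section 5.9.4.1;
# line 4 is made up in the same format to give a second station.
SAMPLE_LOG = """\
*Nov 18 00:34:53: %WLAN-6-80211N: STA(0003.7faa.bb05) fails to active in BSSID(d69d.99d0.187e): RSSI(19) too low than threshold(20) to join.
*Nov 18 00:34:54: AC1-ACTIVE %APMG-6-STA_ADD: Client(0003.7faa.bb05) notify: attach to AP (649d.99d0.e3fe).
*Nov 18 00:34:54: %WLAN-6-80211N: STA(0003.7faa.bb05) fails to active in BSSID(d69d.99d0.187e): RSSI(19) too low than threshold(20) to join.
*Nov 18 00:35:10: %WLAN-6-80211N: STA(0011.2233.4455) fails to active in BSSID(d69d.99d0.187e): RSSI(8) too low than threshold(20) to join.
"""

REJECT_RE = re.compile(
    r"%WLAN-6-80211N: STA\((?P<sta>[0-9A-Fa-f.]+)\) fails to active in "
    r"BSSID\((?P<bssid>[0-9A-Fa-f.]+)\): RSSI\((?P<rssi>\d+)\) too low than "
    r"threshold\((?P<threshold>\d+)\) to join"
)

# Offset taken from the guide's response-rssi example (-95 + 10 = -85).
RSSI_OFFSET_DBM = -95


def rssi_to_dbm(value):
    """Convert an AP-side RSSI value to the approximate dBm figure."""
    return RSSI_OFFSET_DBM + value


def summarize_rejections(log_text):
    """Group RSSI rejections by (STA, BSSID).

    Returns {(sta, bssid): {"count", "best_rssi", "threshold"}}.
    Lines that are not RSSI rejections (e.g. STA_ADD) are ignored.
    """
    summary = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        key = (m["sta"].lower(), m["bssid"].lower())
        rssi = int(m["rssi"])
        entry = summary.setdefault(
            key, {"count": 0, "best_rssi": rssi, "threshold": 0}
        )
        entry["count"] += 1
        entry["best_rssi"] = max(entry["best_rssi"], rssi)
        entry["threshold"] = int(m["threshold"])  # last threshold seen
    return summary


def admitted_at(summary, new_threshold):
    """STAs whose best observed RSSI would meet new_threshold.

    Assumption: a station is admitted when RSSI >= threshold.
    """
    return {
        sta for (sta, _bssid), e in summary.items()
        if e["best_rssi"] >= new_threshold
    }


def report(log_text, candidates=(20, 15, 10)):
    """Return printable lines: one per rejected STA, one per candidate."""
    summary = summarize_rejections(log_text)
    lines = []
    for (sta, bssid), e in sorted(summary.items()):
        lines.append(
            f"{sta} -> {bssid}: {e['count']} rejections, best RSSI "
            f"{e['best_rssi']} ({rssi_to_dbm(e['best_rssi'])} dBm), "
            f"threshold {e['threshold']}"
        )
    for t in candidates:
        lines.append(
            f"response-rssi {t} ({rssi_to_dbm(t)} dBm): admits "
            f"{sorted(admitted_at(summary, t))}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A station that is still rejected at the lowest acceptable threshold points to a coverage problem rather than a configuration problem.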
Step 2: Check the signal strength of wireless users
On the AP, run show dot11 associations all-client and view the RSSI. If it is less than or equal to 20, the STA signal received by the AP is below the default threshold, and you can improve the stability of user access by lowering the RSSI threshold. If user access becomes stable after modifying the RSSI, the problem is identified as weak wireless user signal strength, and the root cause is weak signal coverage. To solve the problem completely, enhance the signal coverage, for example by adding new APs, replacing the omni-directional antenna with a directional antenna, moving the AP closer to the STA, or changing the put-and-take deployment to a smart-split deployment. Adjusting the RSSI can also be used to solve the problem temporarily. If access is still unstable after modifying the RSSI, go to the next step of the troubleshooting.
FS(config)#ap-config AP-N515
FS(config-ap)#response-rssi 10 radio 1 //Adjust the RSSI to 10 (-95+10=-85dB), i.e., STAs with a signal strength of -85dB may also be allowed to access.

Step 3: Check whether there are rogue APs with countermeasures enabled.
If the AP receives a strong signal from the STA, but the wireless connection is still abnormally disconnected while the STA appears to be online on the AP, it is highly likely that the STA is being countered by a rogue AP (except for authorized APs, we consider all other APs as rogue APs, such as students' privately set up D-Link or TP-Link wireless APs). If you have a wireless packet capture card (Cisco Linksys AE1000), you can also perform wireless packet capture. A rogue AP that initiates countermeasures will typically broadcast a large number of deauthentication or disassociation packets as shown in the diagram below.
These rogue APs make the wireless RF environment uncontrollable, and it is necessary to negotiate with the customer to shut down the rogue APs. If the wireless connection becomes stable after shutting down the rogue APs, then the problem is identified as the countermeasure function of the rogue AP affecting user usage. In this case, the rogue AP can be turned off or the countermeasure function can be disabled. If the wireless connection remains unstable after shutting down the rogue APs, proceed to the next step for further investigation.
[Figure: Deauthentication]
[Figure: Disassociation]

Step 4: Check whether there is wireless co-channel interference.
Use WirelessMon or other wireless scanning software to scan the current RF environment and check whether there is co-channel interference (multiple APs on channel 1, 6 or 11 at the same time, with a signal higher than -75dB). If there is co-channel interference, adjust the current wireless channel so that the AP works on a different channel. The following command example adjusts the channel of radio 1. If wireless access is stable after adjusting the channel, the problem is identified as wireless co-channel interference, which is avoided by dividing the channels reasonably. If access is still unstable after the adjustment, go to the next step of the troubleshooting.
AC(config)#ap-config 649d.99d0.20d1
You are going to config AP(649d.99d0.20d1), which is not online now.
AC(config-ap)#channel 6 radio 1 (Range of values 1, 6, 11; since 2.4G requires channels not to overlap, you can try these three values to achieve optimal results)
[Figure: Serious co-channel interference on channel 1]

Step 5: Confirm the existence of ARP attack
Log on to the gateway device to confirm the MAC address of the gateway. When a drop occurs, type "arp -a" in the DOS interface on the PC to confirm whether the gateway MAC address has been changed. If it has been changed, there is an ARP attack in the network; you can statically bind the gateway MAC address in the DOS interface with "arp -s 192.168.33.1 xx-xx-xx-xx-xx-xx", or deploy anti-ARP attack in the network. If the network does not have ARP attacks but still experiences dropouts, proceed to the next step of troubleshooting.
The gateway is confirmed on the switch in the following way:
SW#show interfaces vlan 10
Index(dec):4106 (hex):100a
VLAN 10 is UP , line protocol is UP
Hardware is VLAN, address is 0000.5e00.0185 (bia 0000.5e00.0185) //Confirm the gateway MAC address
Interface address is: 192.168.33.1/24
ARP type: ARPA, ARP Timeout: 3600 seconds
MTU 1500 bytes, BW 1000000 Kbit

Step 6: Troubleshoot individual wireless card problems
If the above troubleshooting methods do not help, consider whether the problem lies with an individual wireless card, and use the replacement method: first, test with a different laptop; second, upgrade the wireless card driver to the latest official version and test. The latest wireless card driver can be downloaded from the official website of the wireless card or with driver download software such as Driver Wizard. If replacing the laptop or upgrading the driver solves the problem, the problem is identified as an individual wireless card problem, and upgrading the card driver resolves it. If the problem still cannot be solved after replacing the laptop and updating the driver, then enter the next step of
investigation.

Step 7: Check whether the AC/AP version is the latest version.
Log in to www.fs.com and check whether the release notes of the latest AC/AP version address this kind of problem. If they do, try upgrading to the latest version, then observe and test. If the problem is solved after upgrading, it is identified as a software version problem; if it still cannot be solved, go to the next step of the troubleshooting.

Step 8: After gathering information, please contact +1 (888) 468 7419 for assistance.
Call +1 (888) 468 7419 for technical support and collect the following fault information for further troubleshooting:
- Information to be collected:
a. Collect the following information on the AC:
show version
show version all
show running
show ap-config run
show ap-config sum
show logging
b. Collect the following information on the AP:
show dot11 associations all-client
show dot11 wireless 1/0
show dot11 wireless 2/0
show interface
show logging
c. Wireless terminal operating system: such as Windows XP, Windows 7, Android, BlackBerry, iPhone.
d. Wireless network card model and driver version number: such as Intel (R) Centrino (R) Advanced-N 6200 AGN, driver version number: 14.2.0.10
e. On-site RF environment screenshots: screenshots of the RF environment scanned with WirelessMon or other signal scanning software, showing channel distribution and field strength
f.
AP deployment point map
- Explanation of information to be collected:
AC
show version: AC's Version Information
show version all: AP's Version Information
show running: AC's Configuration Information
show ap-config run: AP's Configuration Information
show ap-config sum: AP Status
show logging: AC Log information
AP
show dot11 associations all-client: Wireless User Status Information
show dot11 wireless 1/0: View radio 1 information
show dot11 wireless 2/0: View radio 2 information
show interface: View physical interface and RF card traffic
show logging: AP log information

Wireless users have slow Internet access and the network is very laggy
1. Fault phenomenon
Wireless users find Internet access slow and the network very laggy.
2. Possible causes of failure
a. Wired network delay
b. Weak signal of wireless users
c. Wireless users associated at low speed
d. Environmental interference
e. Rogue AP with countermeasures enabled
f. Wireless scanning software is turned on during the test
g. Frequent power saving and roaming of terminal
3. Troubleshooting process
Step 1: Confirm whether the terminal closes the keep-alive page
Step 2: Check the signal strength of wireless users
Step 3: Check whether there is a rogue AP that has enabled the countermeasure function.
Step 4: Check whether there is wireless same-frequency interference
Step 5: Confirm the existence of ARP attacks
Step 6: Troubleshoot individual wireless network card problems
Step 7: Check whether the AC/AP version is the latest version
Step 8: After gathering information, please contact +1 (888) 468 7419 for assistance.
- Collect AC/AP log information
- Collect wireless terminal operating system
- Collect wireless card drivers
- Collect RF environment screenshots
- Collect AP positioning deployment diagrams
4. Troubleshooting steps
Step 1: Confirm whether the wired network is normal
Ping the AP and the wireless user gateway from the AC to confirm whether the delay is normal.
If the wired network delay is not normal, you need to investigate the wired network problems. If the wired network delay is normal but the delay when the wireless terminal pings the gateway is very large, then go to the next step of troubleshooting.

Step 2: Check the signal strength of wireless users
On the AP, run show dot11 associations all-client to check the RSSI, and confirm whether the RSSI is above 30. Use WirelessMon on the computer to check whether the AP signal strength is above -65. If the signal is below the threshold, solve the problem by enhancing the signal coverage, for example by adding a new AP, replacing the omni-directional antenna with a directional antenna, moving the AP closer to the STA, or changing the put-and-take deployment to a smart-split deployment. If the signal is good and the network is still slow, go to the next step of troubleshooting.
FS>show dot11 associations all-client
INTF-IDX ADDR AID CHAN RATE RSSI_RT IDLE TXSEQ RXSEQ ERP STATE CAPS HTCAPS TYPE ASSOC_TIME GTOSS RSSI_AVG RSSI_RECORD
6 08:11:96:92:24:4c 1 6 1.0M 46 1 13 2000 0x0 0x3 ESs N 00:00:19 0 46 40

Step 3: Confirm the wireless user association rate
On the AP, run "show dot11 associations all-client" and find the user's MAC to check whether the association rate is low. If the user's signal coverage is very good but the user associates at a low rate, the wireless optimization "turn off the low rate set" is recommended.
FS>show dot11 associations all-client
INTF-IDX ADDR AID CHAN RATE RSSI_RT IDLE TXSEQ RXSEQ ERP STATE CAPS HTCAPS TYPE ASSOC_TIME GTOSS RSSI_AVG RSSI_RECORD
6 08:11:96:92:24:4c 1 6 1.0M 46 1 13 2000 0x0 0x3 ESs N 00:00:19 0 46 40
Turn off the low rate configuration:
ac-controller
802.11g network rate 1 disable
802.11g network rate 2 disable
802.11g network rate 5 disable
802.11b network rate 1 disable
802.11b network rate 2 disable
802.11b network rate 5 disable
If the user still experiences lag without the low-speed association, then go to the next step of troubleshooting.

Step 4: Check whether there is environmental interference
Use WirelessMon or other wireless scanning software to scan the current RF environment and check whether there is co-channel interference (multiple APs on channel 1, 6 or 11 at the same time, with a signal higher than -75dB). If there is co-channel interference, adjust the current wireless channel so that the AP works on a different channel. The following command example adjusts the channel of radio 1 to channel 1. If wireless access is stable after adjusting the channel, the problem is identified as wireless co-channel interference, which is avoided by dividing the channels reasonably. If access is still unstable after the adjustment, go to the next step of the troubleshooting.
FS(config)#ap-config AP-1
FS(config-ap)#channel 1 radio 1 (Values range 1, 6, 11; since 2.4G requires channels to be non-overlapping, try these three values for optimal results)
[Figure: Severe co-channel interference on channel 1]

Step 5: Check whether there is a rogue AP with the countermeasure function enabled
If the AP receives a good signal from the STA, but the STA's wireless connection is still abnormally disconnected while the STA appears to be online on the AP, it is very likely that the STA is being countered by a rogue AP (apart from the customer's legitimate APs, we consider all other APs rogue APs, such as students' privately set up D-Link or TP-Link wireless APs). If you have a wireless packet capture card (Cisco Linksys AE1000), you can also perform wireless packet capture. An AP that initiates countermeasures usually broadcasts a large number of disassociation or deauthentication messages as shown in the figure below. These rogue APs make the wireless RF environment uncontrollable, and it is necessary to negotiate with the customer to turn them off. If the wireless connection is stable after the rogue APs are turned off, the problem is identified as rogue AP countermeasures affecting users; in this case you can turn off the rogue AP or turn off its countermeasures. If the connection is still unstable after turning off the rogue APs, go to the next step of the troubleshooting.
[Figure: Deauthentication]
[Figure: Disassociation]

Step 6: Confirm whether wireless scanning software is enabled on the terminal
Confirm whether WirelessMon, inSSIDer or other third-party wireless scanning software is running on the terminal. Such software takes up a lot of the wireless card's resources, which is very likely to lead to slow Internet access on the terminal. If any such software is present, turn it off or uninstall it.
If there is no similar software but the ping delay is still very large, then go to the next step.

Step 7: Confirm whether the terminal turns on power saving and roaming
After the power saving function is turned on, the wireless terminal turns off its wireless card from time to time, and the wireless card receives no data during this period. The AP caches the data to be sent to the terminal, and when the terminal wakes up, the AP performs frame aggregation and sends large packets to the terminal, which leads to a large data delay and packet loss rate. When wireless terminals roam frequently between APs, the wired Layer 2 network has to converge frequently, which leads to a higher packet loss rate for users. On the terminal, confirm whether the wireless card has the power saving function turned on and roaming aggressiveness set to the highest. These two features greatly affect the user experience; it is recommended to turn off power saving and lower the roaming aggressiveness. Settings differ slightly between cards, so the following is only an example. If the user still has great difficulty accessing the Internet after adjusting power saving and roaming, go to the next step of the investigation.
Disable the power saving mode of the wireless card, and clear the checkbox "Allow the computer to turn off this device to save power";
Adjust roaming aggressiveness to the lowest value.

Step 8: After gathering information, contact +1 (888) 468 7419 for assistance
Call +1 (888) 468 7419 for technical support and collect the following troubleshooting information for further troubleshooting.
- Information to be collected:
a. Collect the following information on the AC:
show version
show version all
show running
show ap-config run
show ap-config sum
show cpu
show memory
show log
b.
Collect the following information on the AP:
show dot11 associations all-client
show dot11 wireless 1/0
show dot11 wireless 2/0
show interface
show cpu
show memory
show log
show run
c. Wireless terminal operating system: such as Windows XP, Windows 7, Android, BlackBerry, iPhone
d. Wireless network card model and driver version number: such as Intel (R) Centrino (R) Advanced-N 6200 AGN, driver version number: 14.2.0.10
e. Screenshots of the RF environment at the site: screenshots of the RF environment scanned with signal scanning software such as WirelessMon, showing channel distribution and field strength
- Explanation of information to be collected:
AC
show version: AC version information
show version all: AP version information
show running: AC configuration information
show ap-config run: AP configuration information
show ap-config sum: AP status
show cpu: View AC CPU utilization
show memory: View AC RAM utilization
AP
show dot11 associations all-client: Wireless user status information
show dot11 wireless 1/0: View radio 1 information
show dot11 wireless 2/0: View radio 2 information
show interface: View physical interface and RF card traffic
show cpu: View AP CPU utilization
show memory: View AP memory utilization

5.9.5 Wireless Environment Detection Software Wirelessmon Instructions for Use

Wirelessmon User Manual
1. Product Introduction
Wirelessmon is PC-based wireless detection software that detects the parameters of the wireless signals around the client, such as SSID, BSSID and RSSI, so that you can accurately and quickly see how much co-channel interference exists in the current wireless environment.
2. Precautions for use
a.
While running, Wirelessmon consumes the performance of the wireless card, because it uses the wireless card to detect the surrounding wireless signals. This leads to delay, instability or even packet loss when the PC pings the gateway over wireless. Therefore, if customers need to run a wireless ping test to check the stability of the wireless network, they must close the program before the ping test.
b. Wirelessmon needs a wireless card to run, so the client it is installed on must have a wireless card (external cards are also supported). In addition, to detect a 5G environment, the client needs a wireless card that supports the 5G band.
3. Pay attention to the interference
a. Click the channel and find the channel you need to view. First find the SSIDs whose RSSI value is within -75dB, then look at the MAC Address corresponding to each SSID, and then use show dot11 mbs on the AP to see whether it is the same AP and the same RF card MAC. If it is not the same AP and the same RF card MAC, and the RSSI is greater than -75dB, then it can be determined that there is co-channel interference.
b. For example, to view the interference situation on channel 1:
Description:
a. When the status indicator is red, it indicates that the corresponding signal is unavailable in the client environment, meaning no interference is present. Note: this condition may fluctuate and should be monitored over a longer period.
b. The signals test, FS.COM, and portal are all currently operating on Channel 1.
c. Checking the available SSIDs on Channel 1, all corresponding RSSI values are within -75 dB. (Signal strength may vary; if the fluctuation consistently remains below -75 dB, it can be considered that these signals do not cause interference.)
d.
Upon checking the FS and FS2 signals, their MAC addresses follow a clear pattern, indicating that both signals are likely broadcast from the same AP and the same radio interface. In this case, these two SSIDs do not cause co-channel interference. You can log in to the AP and run the following command to confirm whether the MAC addresses shown in Wirelessmon are broadcast by the same radio card:
show dot11 mbs
e. In summary, the number of co-channel interference sources present on channel 1 in the current screenshot is 4.

5.10 Wireless Common Function Description

Applicable scene description:

1. Fit AP Mode
Used when the number of APs in the wireless network is large and unified management and configuration is required.
Advantages: APs can be centrally configured and managed through the AC (Access Controller), including configuration deployment, firmware upgrades, and device reboots.
Disadvantages: Requires the addition of an AC device, which increases wired network configuration complexity. Interoperability issues may occur between devices from different vendors.

2. Fat AP Mode
Used when the number of APs in the wireless network is small and there is no need to spend much time and effort managing and configuring APs. In this mode the fat AP works like a Layer 2 switch, converting between wired and wireless data, with no routing or NAT functions.
Advantages: No need to modify the existing wired network structure, and configuration is simple.
Disadvantages: Centralized management and configuration are not supported.

3. Fat AP Bridging
The distance between buildings is long, often more than 100 meters, and usually requires laying fiber optic cable. For buildings that have already been built, digging up roads or running overhead lines makes construction difficult and costly, for example between two high-rise buildings or two buildings separated by a river.
In this environment, using wireless bridges to interconnect the networks is economical, and the implementation is simple and convenient.
Advantages: Easy to implement with no cabling required.
Disadvantages: Wireless signals are susceptible to interference, leading to unstable data transmission and limited communication range.

4. Web Authentication
Web authentication is an authentication method that controls users' permission to access the network. It does not require the user to install special client authentication software; an ordinary browser is enough. It is suitable for wireless terminals that do not want to or cannot install authentication clients (especially cell phones, tablet PCs, etc.) where access control for clients in the network is still wanted.
Advantages: Wireless clients do not need to install any software; access can be achieved directly through a web browser.
Disadvantages: Requires the addition of a Portal (a web interface for authentication) and a RADIUS server (a device used to store client usernames and passwords).
Note: Using the built-in web authentication does not require a portal server.

5. 802.1X Authentication
Without access control, any user who can connect to a network device can use the network directly, without authentication or authorization. An unauthorized user can thus enter the network unhindered through a device connected to the LAN, which has a huge impact on network security.
Advantages: Enhances wireless network security.
Disadvantages: Requires the addition of a RADIUS server (used to store client usernames and passwords), and wireless devices must install additional client software.

6. MAC Bypass Authentication
Without access control, any user who can connect to a network device can use the network directly, without authentication or authorization.
In this way, an unauthorized user, he can enter the network without any obstacles through the equipment connected to the LAN, a huge impact on network security. General authentication requires a client, but some clients do not support the authentication function (such as printers, cell phones, etc.), customers want to control their access, you can use MAB authentication, that is, MAC Authentication Bypass (MAC Authentication Bypass), which is based on the authentication of the MAC address of the client free of 1X way. Advantages: Enable access control for clients that do not support authentication. Disadvantages: Require the addition of a RADIUS server (used to store client usernames and passwords). 7. 5G Priority Most clients support 802.11b (2.4G), but some wireless clients also support 802.11a (5.4G), then you can use this feature. Advantages: Help alleviate congestion in the 2.4 GHz band caused by all wireless clients operating on it, while reducing underutilization of the 5 GHz band. Disadvantages: Clients that only support the 2.4 GHz band cannot connect to the wireless network quickly. 8. AC Hot Standby The program can be used in the case of high requirements for wireless network stability and disaster prevention capability. FS network wireless controller (AC) hot backup function, is in the AC is not reachable (failure), for the AC <-> AP to provide milliseconds CAPWAP tunnel switching capability, to ensure that the user has been associated with the maximum degree of uninterrupted business. Advantages: Significantly enhance the stability and resilience of the wireless network. Disadvantages: Require additional wireless controller (AC) equipment and extra configuration. 9. Wireless Cluster (Cold Standby) This program can be used in one of the following cases: - The wireless network stability and disaster prevention ability require high, allowing short communication interruptions (several seconds) between AP and AC. 
- Load balancing and mutual backup of wireless data, i.e., the wireless traffic of clients under one AP is sent to one AC, and the wireless traffic of clients under another AP is sent to another AC, while the ACs are mutual backups. Advantages: Enhance wireless network stability and resilience, and provides load balancing for wireless data. Disadvantages: Require additional ACs, has longer service switchover time compared to AC hot standby solutions, and needs extra configuration. 10. Hidden SSID The wireless network only allows some clients to use or do not want other users to search for wireless information, then you can use this program. Advantages: Offer high concealment and security for the wireless network. Disadvantages: Require clients to manually enter and add the wireless SSID. 11. Timed Switching Off the Wireless Function Wireless networks need to be used at a particular time, for example: a college building only in the daytime classes to provide wireless access services; an office building to leave the wireless network for visitors only in the working hours of the weekday to open and so on. Advantages: Reduce network traffic and conserves limited network resources, preventing waste and misuse; minimizes RF interference, saves energy, and is more environmentally friendly; disables access services during "high-risk" periods to reduce potential security threats. Disadvantage: Wireless access cannot be used at all times. 12. Anti-ARP Attack Function Wireless client mobility is very large and uncertain, such as in the place where there are a lot of outsiders: plaza, hall, conference room and reception room and so on. The use of this program can effectively avoid the wireless side of the private IP address caused by address conflicts or the client ARP virus launched ARP attacks. Advantages: Enhance wireless network security by preventing wireless clients from assigning private IP addresses and protecting the network from ARP attacks that could cause outages. 
Disadvantages: Requires higher device performance, consumes additional system resources, and involves extra configuration.

13. AP Countermeasures
Use when other APs are operating in the wireless environment and unknown wireless APs should not be allowed to affect the security and stability of the wireless network. Other wireless devices may have security vulnerabilities or be manipulated by attackers, and can therefore seriously threaten or harm the security of the user's network. With this solution, those unknown APs cannot use the wireless network.
Advantages: Improves the security and stability of the wireless network.
Disadvantages: Consumes device operating resources and requires additional configuration.

14. Black and White List
Use when the wireless network should be usable only by specified users, or should not be usable by certain specific users.
Advantages: Increases wireless security and allows the access of wireless users to be controlled.
Disadvantages: Requires additional configuration.

15. Wireless Multicast Function
Use when wireless users need to receive multicast traffic, such as video on demand, video teaching and similar functions.
Advantages: Increases the utilization of the wireless network.
Disadvantages: Excessive multicast traffic can consume wireless network resources, and the stability of multicast traffic cannot be guaranteed.

16. AP Load Balancing Function
Use when the same area has more than one AP belonging to the same group and broadcasting the same wireless signal, to avoid wireless clients all associating with the same one or few APs, which results in heavy AP load and poor network utilization.
Advantages: Effectively utilizes wireless network resources and allocates traffic reasonably.
Disadvantages: Can only be used in thin AP mode and requires additional configuration.

17. Association Control
Use when other wireless terminals may access the wireless network only after a particular wireless client has connected to it. This is generally used in school teaching environments, for example where students' clients can access the wireless network only when the teacher's device is connected.
Advantages: Enhances wireless security and ensures proper use of the wireless network.
Disadvantages: Wastes wireless resources, requires additional configuration, and can only be used in thin AP mode.

18. User Isolation
Use when wireless users under the same AP or the same wireless signal should not be able to access each other.
Advantages: Improves the stability of the wireless network.
Disadvantages: Requires additional configuration.

19. Local Forwarding
Use when the number of wireless users is large and their data traffic should not be forwarded through the AC, to reduce the burden on the AC.
Advantages: Reduces the data forwarding load on the wireless AC and AP, and decreases overall data traffic.
Disadvantages: Requires additional configuration, and the switches connected to the APs must support multi-VLAN forwarding.

6. Configuration Guide for Wireless Version 11.X Proprietary Features

6.1 Wireless RIPT Technology

6.1.1 Function Introduction and Application Scenarios

6.1.1.1 Function Introduction
RIPT: When the link between an AP and the AC becomes unstable, the tunnel between the AP and AC may be disconnected. During this period, the AP can still provide wireless services. For WLANs using local forwarding, STAs can continue to access the network and reach local resources. Once the tunnel between the AP and AC is re-established, online users remain connected and can continue accessing the network without interruption.

6.1.1.2 Application Scenarios
RIPT (Real-time Intelligent Perception Technology) allows the AP to continue providing service even when the link to the AC is unstable or disconnected.
Additionally, for locally forwarded WLANs, STAs can still access the network and local resources.

6.1.2 Case Configuration

1. Network Requirements
When the connection between the AC and AP is unstable, the wireless network can still be used even if the AC is unavailable.

2. Configuration Highlights
a. Enable the RIPT function of the AP.
b. Configure the forwarding mode of the WLAN as local forwarding.

3. Configuration Steps
AC Wireless Switch Configuration

Create a wlan and configure the forwarding mode as local forwarding.
FS#configure terminal
FS(config)#wlan-config 1 ssid
FS(config-wlan)#tunnel local ----->Configure local forwarding to maintain uninterrupted STA communication after disconnecting the AP from the AC
FS(config-wlan)#exit

ap-group map wlan id and vlan id configuration
FS(config)#ap-group group1 ----->Create AP Group
FS(config-ap-group)#interface-mapping 1 10 ----->Map the wlan to be deployed to the vlan
FS(config-ap-group)#exit

Configure the ap-group to which the AP belongs, and enable RIPT
FS(config)#ap-config ap1
FS(config-ap)#ap-group group1 ----->Join AP groups (APs join AP groups in order to deploy wlan configurations)
FS(config-ap)#ript enable ----->Turn on RIPT function

Save configuration
FS(config-ap)#end
FS#write

4. Cautions
If the WLAN forwarding mode is not set to local forwarding, the STA will lose access once the AP-AC tunnel disconnects. This will also cause the STA to go offline.

5. Functional Verification
Check if the AP is RIPT enabled
FS#show ap-config summary ript-enable
AP Name                    IP Address      Mac Address    ript-enable State
-------------------------- --------------- -------------- ----------- -----
ap1                        172.18.55.73    1414.4b54.0000YY Run

If the AC is removed from the network and the tunnel between the AP and AC is disconnected, the STA can still access and come online on the network.

6.1.3 FAQ

1. What does "ac#ript-ap-write" do on the wireless controller?
This command deploys RIPT in the local forwarding environment.
Currently, it is only supported by the Metro, serving to ensure that the AP signal remains intact when the AC pair disconnects during local forwarding. After a power failure or restart, the AP can still work normally.

2. What precautions should be taken when configuring RIPT on the wireless controller?
It can only be used for local forwarding. Configuring RIPT will result in tunnel disconnection and re-establishment, so it should be deployed during periods of low service load. Note that RIPT conflicts with the arp-check function, but not with snooping, so careful consideration is necessary during deployment.
a. When the tunnel is disconnected, the path between the AC and AP is also disconnected, preventing data messages from reaching the AC and being centrally forwarded. Therefore, RIPT only supports local forwarding.
b. With local forwarding, arp-check has to take part in access control: the AC sends the table entry to the AP, and the policy takes effect on the AP side. After RIPT is enabled, existing users who connected before the tunnel was disconnected are not affected. However, new users who connect will experience abnormal network usage because the AC cannot issue policies to the AP for these users.
c. Since RIPT primarily operates after the tunnel has disconnected, new users cannot use the network if arp-check is turned on. Therefore, the two cannot be configured simultaneously.

3. Can local forwarding allow the endpoint's associated data to be processed locally at the AP?
Yes. The command should only be used in a RIPT scenario to ensure the availability of the WLAN configuration. This command enables the local authentication forwarding mode. In this mode, the AP forwards the wireless data it receives directly to the local system, while the STA completes the authentication process at the AP side. Configure in wlan-config mode:
tunnel local-auth

4. What is the behavior of previously associated users and new users when the tunnel between AP and AC is disconnected with RIPT turned on?
a. If the WLAN forwarding mode is not set to local, a disconnected tunnel between the AP and the AC will result in the STA being unable to access the network and any online STAs going offline.
b. Open. In the encryption scenario, RIPT is enabled. Once the access point detects a disconnection in the tunnel, the original user remains connected, and the new user can access it without any issues.
c. To allow web-authenticated users to connect to the Wi-Fi without the need for re-authentication, configure (config-wlan)# free-webauth at-capwap-down. This function enables free-webauth after disconnection and requires normal web authentication before the tunnel disconnection. When the AP detects a disconnected tunnel, the original user remains connected, while new users can connect without authentication. (Refer to question 5 for details)
d. For a 1X authentication signal with RIPT enabled, after the AP detects that the tunnel is disconnected, users who were originally connected can reconnect normally, but new users are unable to connect. To ensure proper connectivity for new users, create a separate, non-authenticated backup SSID:
FS(config)# wlan-config 20 staff-1x-esc
FS(config-wlan)# enable-ssid at-capwap-down
After detecting a broken tunnel, the access point sends out the SSID-backup signal for new terminals to connect to. Once the tunnel is restored, the SSID-backup signal disappears, and users can resume connecting to the original 1x authentication signal. (Refer to question 5 for details)

5. After the RIPT function takes effect, how is authentication-free access achieved for web/1x authentication?
Principle: For APs with the RIPT function enabled, it is important to verify whether the WLAN has the WEB-free authentication function enabled or not when the AP connection is disconnected.
If it is enabled, user data messages are not intercepted, and the user can immediately access the network. Upon re-establishing the connection, the AP is restored to its normal working state, and only authenticated users can access the network.

ript enable: Enables the RIPT function; must be configured.
enable-ssid at-capwap-down: Enables the SSID function after disconnection.
free-webauth at-capwap-down: Enables free web authentication after AP disconnection.

Effect: When the AP is connected to the AC, users require WEB or MAB authentication to access the network. If the AP is disconnected from the AC, users can access the network without WEB or MAB authentication once they go online. However, when the AP is reconnected to the AC, users must carry out WEB or MAB authentication again to access the network.

Examples are as follows:
FS# configure terminal
FS(config)# vlan 106
FS(config-vlan)# exit
FS(config)# vlan 107
FS(config-vlan)# exit
FS(config)# wlan-config 1 Staff
FS(config-wlan)# tunnel local
FS(config-wlan)# exit
FS(config)# wlan-config 2 Staff_local // Configure the wlan used for 1X authentication
FS(config-wlan)# tunnel local
FS(config-wlan)# exit
FS(config)# wlan-config 3 guest // Configure the wlan used for web authentication
FS(config-wlan)# tunnel local
FS(config-wlan)# free-webauth at-capwap-down // Enables free web authentication after AP disconnection
FS(config-wlan)# exit
FS(config)# wlan-config 20 Staff-1x-esc // Enables the SSID function after disconnection
FS(config-wlan)# tunnel local
FS(config-wlan)# enable-ssid at-capwap-down
FS(config-wlan)# exit
FS(config)# ap-group apg-test
FS(config-ap-group)# interface-mapping 1 106 ap-wlan-id 1
FS(config-ap-group)# interface-mapping 2 106 ap-wlan-id 2
FS(config-ap-group)# interface-mapping 3 107 ap-wlan-id 3
FS(config-ap-group)# interface-mapping 20 107 ap-wlan-id 4
FS(config-ap-group)# exit
FS(config)# ap-config AP1
FS(config-ap)# ap-group apg-test
FS(config-ap)# ript enable
FS(config-ap)# exit
FS(config)# ap-config AP2
FS(config-ap)# ap-group apg-test
FS(config-ap)# ript enable
FS(config-ap)# end
FS# write

6.1.4 Common Faults

1. In the case of AC-224AP local forwarding, the channels are changed to 1 after RIPT is deployed.
Self-study wireless channel adjustment issues:
a. Manually configured channels always have the highest priority, regardless of whether RRM is supported or RIPT is enabled.
b. If there is no manually configured channel:
AP's initial online environment: Access points that do not support RRM will select channels randomly from 1/6/11/1/6. Access points that support RRM will automatically adjust channels through RRM.
RIPT-enabled environment: When transitioning from RIPT standalone mode to connected mode, the AP will not transmit on a random channel. Instead, it will use either the AC's configured channel or the default channel. If no channels are configured on the AC, all channels revert to their default settings. If the AC is not restarted and the AP and AC are disconnected and reconnected, RRM adjusts the default channel. However, after the AC is restarted, all default channels are set to 1. RRM typically adjusts the channels once a day in the early hours of the morning, so it takes one night for them to stagger from each other.
APs that do not support RRM should not activate RIPT if the channel is not manually configured. Otherwise, all channels will become the same, which is not desirable. To avoid this, it is recommended that APs without RRM support do not enable RIPT.
For this suspected failure, it seems that WIS was only connected before, without optimization having been run. To verify, check the ap-config summary channel and note whether the channel has a '*' sign, indicating it is the default channel, or whether it has been configured. If there is no optimized channel, it will default to channel 1 when RIPT is turned on (refer to the previous instructions for the reason). If WIS optimization has really been run, the channel without an asterisk is the optimized one.
At this point, activating RIPT once more will not change it to 1, and it will still maintain the WIS optimized channel.

6.2 NAT Function

6.2.1 Function Introduction and Application Scenarios

6.2.1.1 Function Introduction
NAT (Network Address Translation): when hosts on a private network have been assigned local IP addresses, which are for use only within the private network, and want to communicate with hosts on the Internet, NAT can convert the private IP address into a globally unique IP address.

6.2.1.2 Application Scenarios
In the small business scenario, user addresses generally come from the AP's own address pool, and these private addresses are not valid on the external operator's network. When the internal network needs to communicate with the external network, NAT needs to be configured to convert the internal private IP address into a globally unique IP address (generally the IP is obtained by PPPOE).

6.2.2 Case Configuration

1. Network Requirements
Small networks lack an egress router, requiring the use of an access point connected directly to the external network cable as the egress device.

2. Configuration Highlights
a. Configure the intranet user address pool
b. Configure an ACL to enable intranet users to perform NAT translation to the outside network
c. Configure the public address on the interface and set it to the outside direction
d. Configure the BVI 1 address as the gateway for intranet users and set it in the inside direction
e. Configure the NAT conversion list
f. Have a default route pointing to the egress gateway

3. Configuration Steps
a. Configure the intranet user address pool
FS(config)#ip dhcp pool sta
FS(dhcp-config)#network 192.168.1.0 255.255.255.0
FS(dhcp-config)#dns-server 8.8.8.8
FS(dhcp-config)#default-router 192.168.1.1
FS(dhcp-config)#exit

b. Configure an ACL to enable intranet users to perform NAT translation to the outside network
FS(config)#ip access-list standard 1
FS(config-std-nacl)#10 permit any
FS(config-std-nacl)#exit

c. Configure the public address on the interface and set it in the outside direction
FS(config)#interface GigabitEthernet 0/1
FS(config-if-GigabitEthernet 0/1)# ip address 100.168.12.200 255.255.255.0
FS(config-if-GigabitEthernet 0/1)#ip nat outside
FS(config-if-GigabitEthernet 0/1)#exit

d. Configure the BVI 1 address as the gateway for intranet users and set it in the inside direction
FS(config)#interface BVI 1
FS(config-if-BVI 1)#ip address 192.168.1.1 255.255.255.0
FS(config-if-BVI 1)# ip nat inside
FS(config-if-BVI 1)#exit

e. Configure the NAT conversion list
FS(config)#ip nat inside source list 1 interface GigabitEthernet 0/1 overload

f. Have a default route pointing to the egress gateway
FS(config)#ip route 0.0.0.0 0.0.0.0 100.168.12.1
FS(config)#end
FS#write

5. Cautions
When the external network is PPPOE dial-up and the AP uses PPPOE dial-up, outside should be configured on the dialer port.

6. Functional Verification
The intranet user can access the extranet after obtaining the address.

6.2.3 Common Problems
For version 11.x, only certain APs provide NAT capability. If NAT is supported, the most recent web page version will contain a routing mode with the option to enable NAT.

7. Wireless Full-Scene Delivery Treasure Trove

7.1 Office Network Wireless Deployment Scenarios

7.1.1 Introduction to the Office Network Scene
Among all wireless scenarios, enterprise office Wi-Fi usage is the highest, with concurrency rates generally around 30%-40% for other scenarios and up to 90% for enterprise office. The challenges a wireless office faces in delivering a good experience are:
1. A wide variety of access terminals (wireless routers, cell phones, pads, laptops, desktop USB network cards, wireless printers, etc.), bringing ultra-high density access and ultra-high bandwidth needs.
2. A variety of business types (web pages, videos, uploads and downloads, emails, live chat software, etc.), with extremely demanding requirements for delay and packet loss.

Why are these challenges difficult to meet?
1. Personnel changes bring coverage blind spots, and rewiring is quite troublesome.
2. Terminal access is not controllable, and terminals often associate with more distant APs.
3. The network environment is complex, and wireless interference leads to low communication efficiency (interference from APs on the same floor, APs upstairs and downstairs, etc.).
4. In high-density scenarios, the load of the AP is close to the bottleneck, and the business requirements placed on the network vary widely.

FS wireless office good experience: Flexible coverage, optimal access, channel multiplexing, and service balancing. Create enterprise time, starting from efficient office.

7.1.2 Office Network Wireless Deployment Steps

7.1.2.1 Information Collection
Information collection: Information collection is the basis of the whole program and directly affects the subsequent coverage, capacity assessment and program development. The information collected should cover at least the following six categories:
1. Wireless coverage areas (e.g., offices, corridors). Request the client to provide floor plans to identify areas requiring wireless coverage.
2. Number and type of wireless clients (e.g., laptops, desktops with USB wireless adapters, wireless printers, etc.).
3. Wireless network service requirements (e.g., web browsing, messaging apps like WeChat, live streaming, video, FTP downloads, multicast applications, or industry-specific applications) and the priority or service level for each type of application.
4. Current working style: Determine whether wireless access is the primary method or only supplementary. Check for requirements such as wireless meeting rooms or wireless printers.
5. Existing network applications and topology: Understand current network usage and deployment.
6. On-site cabling conditions and feasibility of future cabling: Assess challenges for additional cabling. Some areas may be finished for aesthetics and cannot accommodate new cabling; in other areas, APs may need to be installed inside ceilings due to installation constraints. This should be evaluated in advance.

7.1.2.2 Network Assessment
Network assessment: three types of assessment (coverage, capacity, risk)
After the basic information is collected, a network coverage and capacity assessment should be conducted immediately for the area in question, in conjunction with a ground survey.

1. Coverage Assessment
a. Understand the obstacles that affect the propagation of wireless signals.

| Obstacle | Attenuation Level | Attenuation Value | Example/Location |
| Wood | Low | 3–8 dB | Interior walls, office partitions, doors, floors |
| Plaster | Low | 3–8 dB | Interior walls (new plaster has greater impact on wireless signals than old plaster) |
| Synthetic Materials | Low | 3–8 dB | Office partitions |
| Asbestos | Low | 3–8 dB | Ceilings |
| Glass | Low | 3–8 dB | Clear windows |
| Tinted/Metallic Glass | Low | 3–8 dB | Windows with coloring or metallic coating |
| Human Body | Low | 3–8 dB | Human presence |
| Water | Medium | 8–10 dB | Wet wood, glass containers, organic matter |
| Brick | Medium | 10–12 dB | Interior walls, exterior walls, floors |
| Marble | Medium | 10–12 dB | Interior walls, exterior walls, floors |
| Ceramic Materials | High | 15–25 dB | Ceramic tiles, ceilings, floors |
| Concrete | Very High | 20–40 dB | Floors, exterior walls, load-bearing beams |
| Silver Coating | Very High | 20–40 dB | Mirrors |
| Metal | Very High | 20–45 dB | Office desks, partitions, concrete, elevators, filing cabinets, ventilation equipment |

b. Survey the site according to the drawings provided by the customer to guarantee office coverage. Coverage problems will 100% lead to customer complaints and affect office wireless usage, so all of them must be solved in the evaluation stage.
If it is not possible to judge based on experience, the signal strength needs to be measured in practice (generally -65 dBm or more is required).
c. The coverage test area contains the office target area and its surrounding main activity areas (corridor, front desk, etc.).

2. Capacity evaluation and selection
Capacity assessment mainly solves two problems: A. Ensure that all terminals can be associated properly; B. Ensure the applications of the terminals.

a. User number assessment
The user-capacity risk assessment mainly evaluates whether the number of STAs carried by an AP exceeds the requirement. Confirm the distribution and density of clients with the customer; do not take it for granted. The number of APs is evaluated based on the confirmed data and the number of users suggested for the AP.

| Application Type | Number of suggested users for single radio |
| Video, Live Stream, Download | 32 |
| Web, email, instant messaging | 64 |

Using the above reference values to ensure that all users can be associated properly is the top priority. How is the evaluation performed?
Number of APs = total number of people / number of users carried by a single AP.
Example:
Conditions: 600 people in a wireless office; applications are web, ftp download and video, with low concurrency.
Analysis: With 600 wireless office users, the number of APs = 600 / 60 (download and video concurrency is low, so a value of 60 users per AP as a whole is used for the calculation).
Conclusion: At least 10 AP-N505 units are needed to be safe. The number depends on the actual business and AP installation points; it is an estimate, and the actual number will deviate slightly.

b. Application traffic assessment
Ensure user applications: concurrency of user ftp download and video traffic exists only in theory. If all users download or watch video at the same time, the traffic bottleneck will generally be the egress bandwidth, and the egress bandwidth is coordinated by the host.
In addition, current mainstream applications such as ins, Twitter and video sharing produce more concurrent uplink traffic, so the egress uplink bandwidth also needs to be ensured.

c. Wireless office scenarios need to ensure full wireless coverage and meet business requirements while terminals move and roam.

3. Risk assessment

| Classification of indicators | Risk points | Description | Common solutions |
| Coverage | Coverage Risks | What should be the field signal strength to meet customer needs | Increase AP deployment density |
| Coverage | Risk of unknown STA | The acceptability of the customer's STA must be considered. | |
| Performance | Outlet Bandwidth | Does the egress bandwidth meet the total upstream and downstream traffic needs of users | Increase egress bandwidth |
| Performance | Number of STAs | The number of STAs carried by a single radio needs to be evaluated to ensure that the application is used effectively | Configure the rate set, OOS, speed limit policy, and low-speed site removal policy; Increase the number of AP, bend more construction points |
| Performance | Number of co-channel APs | Number of co-channel APs that can be allowed to hear each other in the design | Reasonable configuration to improve network efficiency; Interference threshold of -75dbm; Change the AP point location or change the deployment environment |
| Performance | Hidden Nodes | Whether there are hidden nodes in the design and whether there are countermeasures | Disable applications such as BitTorrent (BT) and Xunlei; Limit speed; Change the AP point location or change the deployment environment |
| Performance | RF Environment | Can the RF environment in the deployment environment meet the deployment needs | Disable interference devices; Change the AP point location |
| Applications meet | Special Applications | Can special applications be accommodated | Depending on the situation |

7.1.2.3 Wireless office network planning and construction
Planning and construction: The main work in this phase includes network planning and network construction.

1. Network planning
Wired-side planning: plan the wired deployment mode of the AC and PoE switches according to the existing wired network. Pay attention to whether the network cabling is newly deployed or old. If it is old, the connection of each device must be clearly sorted out and a detailed topology diagram prepared. There are two types: a. AC independent networking, physically isolated from the existing network; b. AC access to the existing network.
a. For the first type, AC independent networking, you need to confirm the egress NAT device, user network segment, and AP network segment.
[Figure: AC independent networking]
b. For the second type, AC access to the existing network, it is necessary to confirm whether it is a serial (inline) connection or a side connection. It is recommended that the AC is side-mounted to the core or aggregation layer. Take care to implement Layer 2 isolation in the existing network.
[Figure: AC access to the existing network]
Please prepare a complete network topology diagram. It is recommended that both ends of each network cable carry matching labels (the same sticky note on both ends of the cable makes it easy to find and install the AP).

Wireless-side planning: Based on the AP quantity planned in the network assessment section above, a site survey is conducted to confirm the AP installation points, and detailed markings are made on the drawings to facilitate construction.
-Penetration
For reinforced concrete walls, covering through the wall is not recommended.
For ordinary brick walls, it is recommended that the AP cover through no more than 2 walls.
For glass walls, it is recommended that the AP cover through no more than 4 walls.
For wooden walls, it is recommended that the AP cover through no more than 6 walls.
For places with many compartments that are covered individually, it is recommended to place the AP at the ceiling of the doorway of the compartment.
-Installation Location
Wireless devices should be installed away from strong interference sources, in a location with a clear view in the communication direction. An independently placed AP is better mounted high, so that it radiates downward, is blocked by fewer obstacles and leaves fewer signal blind areas. Wireless office scenes generally use put-in APs, ceiling-mounted (AP front panel facing down, not installed inside the ceiling).

2. Network construction
The following principles should be followed:
- When the AP and the switch are connected by Category 5 / Category 5e cable, the distance between the switch and the AP must stay within the 100-meter transmission limit of Category 5 cable.
- The number of switch ports used should be calculated from the power consumption of the APs and the power supply capacity of the switch, and ports should be reserved for expansion and maintenance.
- The AP installation location should be convenient for routing network cables, power cables and feeders, and for maintenance and replacement.
- The coverage of APs and the spacing between APs should be determined from the link budget and the edge field strength requirements.
- The AP installation location should be chosen sensibly: on the one hand, as close as possible to the intended coverage area so that the area is covered; on the other hand, room partitions should be used to isolate co-channel interference and improve network capacity. Key areas such as leadership offices can be given additional coverage as appropriate to avoid a poor wireless experience there.
- No large metal object should obstruct the AP within 2 meters around it.

Guide the construction team on site during AP, AC and PoE switch installation. Requirements: concealed and tidy cable routing, and solid installation. Pay particular attention to the quality of network cable termination. It can be judged by testing with a cable tester and by checking packet loss on the interface at the device end.

- Office network services are set up according to demand. Multiple SSIDs are generally configured, commonly two (one for internal staff access, one for visitor access); for areas that need focused protection, a separate SSID can be deployed (such as leadership offices, wireless conference rooms, etc.).
- Plan addresses in advance. The wired VLAN, wireless user VLAN and AP management VLAN must be distinguished and use different VLANs.
- To keep the network stable and avoid oversized broadcast domains, assess whether multiple VLANs are needed based on the number of wireless users (a broadcast domain should preferably not exceed 2 Cs, within 500 addresses).
- Office network security: larger networks commonly deploy authentication with the AC combined with SMP. The internal staff SSID uses web + dot1x-mab perception-free authentication, and visitors use two-dimensional code authentication. For small office networks, you can consider an egress gateway with integrated AC function, such as the EG2000SE, in place of a traditional AC: the EG manages the thin APs, local forwarding is deployed, and either simple WPA/WPA2 encryption is used or authentication is deployed in the EG module.
- In addition, because wired applications on the office network are also in heavy demand, remove the unneeded VLANs from the interface interconnecting the AC and the switch. Rate limiting wireless users is recommended; if there are too many wireless users, deploying local forwarding is recommended.
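The address-planning rules above (different VLANs for wired, wireless-user and AP-management traffic; no wireless broadcast domain larger than 2 Cs / 500 addresses) can be checked before deployment. The following Python check is an added example, not part of the FS guide; the plan entries, role names, the reading of "2 Cs" as one /23 and the three reserved addresses per subnet are assumptions.

```python
import ipaddress
import math

MAX_HOSTS = 500   # guide: keep a broadcast domain within 500 addresses
MIN_PREFIX = 23   # assumption: "2 Cs" read as two /24 networks, i.e. one /23
RESERVED = 3      # assumption: network, broadcast and gateway addresses

# Constructed plan for illustration; VLAN ids, subnets and user counts are made up.
PLAN = [
    {"vlan": 10, "role": "wired",         "subnet": "10.10.10.0/24", "users": 120},
    {"vlan": 20, "role": "ap-mgmt",       "subnet": "10.10.20.0/24", "users": 60},
    {"vlan": 30, "role": "wireless-user", "subnet": "10.10.32.0/22", "users": 800},
    {"vlan": 20, "role": "wireless-user", "subnet": "10.10.40.0/24", "users": 150},
    {"vlan": 40, "role": "wireless-user", "subnet": "10.10.41.0/24", "users": 400},
]


def split_for_users(subnet, users):
    """Split an oversized subnet into /23 blocks, as many as `users` requires."""
    net = ipaddress.ip_network(subnet)
    needed = math.ceil(users / MAX_HOSTS)
    blocks = list(net.subnets(new_prefix=MIN_PREFIX))
    return [str(block) for block in blocks[:needed]]


def check_plan(plan):
    """Return (vlan, problem) tuples for a VLAN/address plan."""
    problems = []
    roles_by_vlan = {}
    seen = []
    for entry in plan:
        net = ipaddress.ip_network(entry["subnet"])
        vlan, role = entry["vlan"], entry["role"]
        roles_by_vlan.setdefault(vlan, set()).add(role)

        # Subnets of different VLANs must not overlap.
        for other_vlan, other in seen:
            if net.overlaps(other):
                problems.append(
                    (vlan, f"{net} overlaps {other} (vlan {other_vlan})"))
        seen.append((vlan, net))

        if role != "wireless-user":
            continue
        if net.prefixlen < MIN_PREFIX:
            # Broadcast domain larger than 2 Cs: propose /23 user VLANs instead.
            split = split_for_users(entry["subnet"], entry["users"])
            problems.append(
                (vlan, f"{net} exceeds 2 Cs; use {', '.join(split)}"))
        elif entry["users"] > net.num_addresses - RESERVED:
            usable = net.num_addresses - RESERVED
            problems.append(
                (vlan, f"{entry['users']} users exceed {usable} usable addresses"))

    # Wired, wireless-user and AP-management traffic must use different VLANs.
    for vlan, roles in sorted(roles_by_vlan.items()):
        if len(roles) > 1:
            problems.append((vlan, "shared by roles: " + ", ".join(sorted(roles))))
    return problems


if __name__ == "__main__":
    for vlan, problem in check_plan(PLAN):
        print(f"vlan {vlan}: {problem}")
```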
7.1.2.4 Wireless Optimization - airware network optimization and health check

Network optimization with airware tools: It is highly recommended to use airware for network optimization, which can improve the efficiency of network optimization several times over.
Step 1: Connect the project to airware
Step 2: One-click health check & network optimization

7.1.2.5 Wireless Optimization - Manual Optimization

Manual network optimization: [Required]

Step 1: Channel Planning
For 2.4G, it is recommended to plan with channels 1, 5, 9, 13, a scheme of 4 non-overlapping channels. For 5G, it is recommended to plan with channels 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165, a total of 13 non-overlapping channels. You can first plan the channels manually according to AP location; then, if the channels pushed by WIS are not very reasonable, the AP channels are easy to adjust quickly.
AP points are planned in a cellular layout so that the spacing between APs on the same frequency is as large as possible. For example, AP points and channels in a high-density environment are planned as follows:
[Figure: AP point and channel plan for a high-density environment]

Step 2: Power Planning & 5G Priority
Wireless devices have two types of power. One is Power Local, the transmission power of AP data frames, which is usually used to optimize the transmission rate and control the interference range. The other is Coverage-area-control, also known as Beacon power, the power the AP uses when sending Beacon and Probe Response messages; it mainly controls the coverage area and optimizes access and roaming. These two types of management messages are sent with power local if Beacon power is not configured, or with the configured Beacon power if it is. We often use Beacon power to reduce the coverage of APs.
In simple terms: too much power local causes large interference; too little power local leads to a low AP downlink rate, affecting AP throughput and STA experience; too much beacon power makes the AP coverage area too large, which causes remote access and frequent roaming and degrades the terminal experience; too little beacon power causes insufficient coverage.

Coverage-area-control power optimization: First identify the area the AP is to cover, then control the AP coverage area (i.e., the transmit power of beacon frames) with the coverage-area-control command. When adjusting, keep the edge signal strength of the AP coverage area >= -65 dBm. This optimizes access so that terminals connect to the most suitable nearby AP, avoiding degraded data transmission quality caused by distant association and roaming stickiness.
To make more dual-band terminals actively access the 5G band, which has sufficient channel resources, the coverage power of 2.4G needs to be configured 8 dB lower than that of 5G. This ensures that the 5G signal a terminal receives from the same AP is stronger than the 2.4G signal, so the terminal eventually gives priority to the 5G signal.

Power Local power optimization: The power local power of 2.4G and 5G is 3~5 dB higher than the respective coverage-area-control power.

Example of power planning for an AP in one environment:

2.4G Coverage-area-control Configuration: 10 dBm
5G Coverage-area-control Configuration: 17 dBm
AC-224AP(config-ap)#coverage-area-control ?
  <0-32>  0 dBM--32 dBM
AC-224AP(config-ap)#coverage-area-control 10 radio 1
AC-224AP(config-ap)#coverage-area-control 17 radio 2
AC-224AP(config-ap)#

2.4G Power Local Configuration: 20% (13 dBm)
5G Power Local Configuration: 100% (20 dBm)
AC-224AP(config-ap)#power local ?
  <1-100>  Upper limit of tx power, units:percent.
  global   Set ap's tx power as global
AC-224AP(config-ap)#power local 100 radio 2
AC-224AP(config-ap)#power local 20 radio 1
AC-224AP(config-ap)#

Step 3: Enable Layer 2 isolation in wireless user VLANs - reduce Layer 2 traffic in the network
This feature must be configured on networks that do not need Layer 2 access between users. It reduces network attacks and the multicast messages sent to all APs in the same VLAN, which consume wired and wireless air interface resources.
AC-224AP(config)#wids
AC-224AP(config-wids)#user-isolation ac enable
AC-224AP(config-wids)#user-isolation ap enable
AC-224AP(config-wids)#
AC-224AP(config-wids)#exit

Step 4: All used wireless user VLANs must be created on the AC
Every wireless user VLAN used on the AC must be created manually on the AC; otherwise serious problems can result, such as authentication failing or clients being unable to obtain an IP address.
AC-224AP#sh run interface-mapping 1
interface-mapping 1 2000 ap-wlan-id 1
interface-mapping 2 6 wlan-id 2
AC-224AP#
AC-224AP#
AC-224AP#sh run | in vlan
wired-vlan 144 port 2 auto-save
vlan 1
vlan 3
vlan 6
vlan 10
vlan 1000
vlan 2000
vlan 3000
AC-224AP#

Step 5: Disable Low Rate - Reduce Low Speed Nodes in the Network
A live network often contains quite a few low-speed nodes. Their messages are sent at low rates, take up more air interface resources and lower the experience of all users on the AP.
In places where private Wi-Fi interference is not very serious, you can usually disable the rate set below 11M:
AC-224AP(config)#ac-controller
AC-224AP(config-ac)#802.11g network rate 1 disabled
AC-224AP(config-ac)#802.11g network rate 2 disabled
AC-224AP(config-ac)#802.11g network rate 5 disabled
AC-224AP(config-ac)#802.11g network rate 6 disabled
AC-224AP(config-ac)#802.11g network rate 9 disabled
AC-224AP(config-ac)#802.11b network rate 1 disabled
AC-224AP(config-ac)#802.11b network rate 2 disabled
AC-224AP(config-ac)#802.11b network rate 5 disabled
AC-224AP(config-ac)#
Note: In places where private Wi-Fi interference is serious or coverage is insufficient, disabling all rates below 11M may make the network experience worse. Because of the interference or the transmission distance required, the probability of packet loss and errors for high-rate messages is higher. In that case, retaining some of the low rates (such as 5, 6 or even 2) can improve the experience to some extent.

Step 6: Upstream and downstream QoS speed limit for users
This prevents terminals with good NIC performance from continuously occupying the channel and causing a poor experience for terminals with poor NICs.
AC-224AP(config)#wlan-config 1 ac-hotbackup
AC-224AP(config-wlan)#wlan-based per-user-limit up-streams average-data-rate 300 burst-data-rate 350
AC-224AP(config-wlan)#wlan-based per-user-limit down-streams average-data-rate 400 burst-data-rate 500
AC-224AP(config-wlan)#
In the configuration, the unit is 8 Kbps. The burst value is recommended to be 1.2 to 1.5 times the average value. In addition, if a WLAN in the network is transmitted only on the 5.8G radio, the speed limit for that WLAN can be higher than the average speed limit for signals transmitted on 2.4G.
Step 7: Limit the number of STA accesses under the AP
Avoid having so many users on a single AP that the experience suffers. For most dual-band APs the recommended number of users is 64. In an office environment most terminals are laptops, desktops and cell phones, and traffic is not large, so the number of STAs per AP can be raised appropriately to about 120-140. If concurrent traffic is large, the number of users should not be set too high, preferably within the recommended number of users.
LAB-AC(config-ap)#sta-limit 130
LAB-AC(config-ap)#

Step 8: Trim VLANs on the wired ports of the AC - reduce unnecessary multicast messages affecting wireless performance
- Centralized forwarding with the STA gateway on the AC: allow only the interconnect VLAN.
- Centralized forwarding with the STA gateway not on the AC: allow only the STA and interconnect VLANs.
- Local forwarding: allow only the interconnect VLAN.
LAB-AC(config-if-GigabitEthernet 0/1)#switchport trunk allowed vlan remove 10-20
LAB-AC(config-if-GigabitEthernet 0/1)#sh this
Building configuration...
 switchport mode trunk
 switchport trunk allowed vlan only 1-9,21-4094
end
LAB-AC(config-if-GigabitEthernet 0/1)#

Step 9: Adjust RRM (Radio Frequency Resource Management) related functions
The DCA (Channel Auto Adjustment) and TPC (Power Auto Adjustment) functions of RRM occupy a lot of CPU and memory resources when running, and frequent DCA and TPC make the wireless network unstable. In addition, automatic power adjustment may set the power too low in some scenarios, resulting in poor user experience. Therefore, these two functions need to be turned off. Channel and power are configured and optimized according to Step 1 and Step 2.
1. Do not enable RRM power adjustment (default off)
LAB-AC(config)#advanced 802.11b txpower dtpc disable
LAB-AC(config)#advanced 802.11a txpower dtpc disable
2. Turn off the RRM channel adjustment function (default on)
LAB-AC(config)#advanced 802.11b channel global off
LAB-AC(config)#advanced 802.11a channel global off
LAB-AC(config)#

[Optional]

Step 1: Adjust the time interval of Beacon sending
The default Beacon period is 100 ms, and beacon messages are sent at the lowest mandatory rate. Where there is little private Wi-Fi interference but the AP transmits many signals (for example, one AP transmits 4~8 signals), the beacon messages occupy a lot of air interface resources and cause poor user experience. In this case, you can consider adjusting the beacon period to 150~300 ms. Note: too large an adjustment makes the signal received by users unstable and causes experience problems.

Step 2: It is not recommended to turn on the band-select enable function
The Band Select feature may cause slow association for clients that only support 2.4 GHz, and some 5 GHz network cards may also experience compatibility issues, preventing them from connecting. Even if a client successfully associates with the 5 GHz band, frequent switching between the 2.4 GHz and 5 GHz radios can occur due to higher 2.4 GHz signal strength, negatively impacting user experience.
Based on practical experience, the recommended method to encourage clients to connect to 5 GHz is to increase the transmit power of the 5 GHz radio as described in Step 2 of the [Mandatory Settings]. When the client receives a stronger 5 GHz signal than 2.4 GHz signal, it will preferentially associate with the 5 GHz band. Even if Band Select is enabled, it is still necessary to perform the optimization described in Step 2 of the [Mandatory Settings].
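The mandatory steps above can be verified against an exported command list before sign-off. The following Python audit is an added example, not FS tooling; it assumes the exported configuration contains the commands in the same form as they are typed in Steps 3, 5, 6, 7 and 9, and the sample configuration is constructed with deliberate gaps.

```python
import re

# Thresholds taken from the steps above.
LOW_RATES = {"802.11b": (1, 2, 5), "802.11g": (1, 2, 5, 6, 9)}  # Step 5
UNIT_KBPS = 8        # Step 6: rate-limit values are in units of 8 Kbps
STA_LIMIT_MAX = 140  # Step 7: upper end of the 120-140 office range

LIMIT_RE = re.compile(
    r"wlan-based per-user-limit (up|down)-streams "
    r"average-data-rate (\d+) burst-data-rate (\d+)")

# Constructed command list (prompts stripped), not captured from a device.
SAMPLE_CONFIG = """
wids
 user-isolation ac enable
ac-controller
 802.11g network rate 1 disabled
 802.11g network rate 2 disabled
 802.11g network rate 5 disabled
 802.11g network rate 9 disabled
 802.11b network rate 1 disabled
 802.11b network rate 2 disabled
 802.11b network rate 5 disabled
wlan-config 1 ac-hotbackup
 wlan-based per-user-limit up-streams average-data-rate 300 burst-data-rate 360
 wlan-based per-user-limit down-streams average-data-rate 400 burst-data-rate 700
sta-limit 130
advanced 802.11b channel global off
"""


def audit(config_text):
    """Return (step, message) findings for mandatory steps 3, 5, 6, 7 and 9."""
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    present = set(lines)
    findings = []

    # Step 3: Layer 2 user isolation must be on for both the AC and the AP.
    for scope in ("ac", "ap"):
        if f"user-isolation {scope} enable" not in present:
            findings.append((3, f"user-isolation {scope} is not enabled"))

    # Step 5: every rate below 11M should be disabled.
    for band, rates in LOW_RATES.items():
        for rate in rates:
            if f"{band} network rate {rate} disabled" not in present:
                findings.append((5, f"{band} rate {rate} is still enabled"))

    # Step 6: per-user limits exist and burst is 1.2x-1.5x the average.
    limited = set()
    for line in lines:
        match = LIMIT_RE.fullmatch(line)
        if not match:
            continue
        direction = match.group(1)
        avg, burst = int(match.group(2)), int(match.group(3))
        limited.add(direction)
        # Integer form of 1.2 <= burst/avg <= 1.5, avoids float rounding.
        if not 12 * avg <= 10 * burst <= 15 * avg:
            findings.append((6, f"{direction}stream burst {burst * UNIT_KBPS} Kbps "
                                f"is outside 1.2-1.5x of {avg * UNIT_KBPS} Kbps"))
    for direction in ("up", "down"):
        if direction not in limited:
            findings.append((6, f"no per-user {direction}stream limit"))

    # Step 7: a per-AP client limit is set and not above the office range.
    limits = [int(l.split()[1]) for l in lines if re.fullmatch(r"sta-limit \d+", l)]
    if not limits:
        findings.append((7, "no sta-limit configured"))
    elif max(limits) > STA_LIMIT_MAX:
        findings.append((7, f"sta-limit {max(limits)} exceeds {STA_LIMIT_MAX}"))

    # Step 9: RRM channel adjustment is on by default and must be turned off.
    for band in ("802.11b", "802.11a"):
        if f"advanced {band} channel global off" not in present:
            findings.append((9, f"RRM channel adjustment still on for {band}"))
    return findings


if __name__ == "__main__":
    for step, message in audit(SAMPLE_CONFIG):
        print(f"Step {step}: {message}")
```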
Example commands (beacon period, optional Step 1):
LAB-AC(config-ap)#beacon period 200 radio 1
LAB-AC(config-ap)#beacon period 200 radio 2

7.1.3 Cautions

Caution: Depending on the size and structure of the wireless office, some steps can be omitted according to the actual situation. The time required for each step and its scope of implementation also differ significantly and should be adjusted to the actual situation.

Key Points to Note:
1. Customer Requirements: Requirements must be communicated and confirmed in advance. Verify the needs and on-site cabling, including wireless applications and cable routing, to avoid last-minute changes that can consume significant time and impact overall project progress and wireless coverage.
2. Cable Length: Leave an extra 3–5 meters of network cable to allow flexibility in adjusting AP positions according to actual conditions.
3. Cable Protection: Network cables should be routed through PVC conduits. Any excess cable should be protected using metallic flexible conduits to prevent damage from rodents.
4. Cable End Protection: Protect cable ends with tape or similar materials during installation to prevent damage while threading through conduits.
5. Labeling: Both ends of the cable must be labeled appropriately. (In office environments, labels on device panels are generally not allowed for aesthetic reasons.) Proper labeling facilitates installation, AP identification, and future troubleshooting.
6. AP Placement: In some office scenarios, for aesthetic or psychological reasons, customers may install APs inside ceilings on metal frames. This deployment significantly reduces wireless signal strength and user experience. APs should always be installed outside the ceiling. (If LED indicators on the AP panel are undesired, schedule AP LED control to turn off the lights.)
7. AP Installation Height: Recommended installation height is no more than 5 meters (typical office ceilings are within this range). Ceiling-mounted installation is preferred, with the front panel facing downward.
8. Security Considerations for Smart Devices (e.g., Apple Devices): These devices have higher security requirements. When using web authentication or MAC-based transparent authentication without a configured password, the open air interface may cause:
- Devices alerting that the network is unsafe due to security validation.
- Devices disconnecting from the wireless network when locked and not automatically re-associating to web or MAC-based authentication SSIDs upon unlocking.
Both scenarios are client-side behavior due to strict security validation. To mitigate, configure a WPA/WPA2 access password under wlansec to satisfy the device security requirements.

7.2 Intelligent Wireless Storage Scenarios

7.2.1 Scene Introduction

Warehouse logistics scene solutions: With the popularization of intelligent terminals and the arrival of Internet socialization, warehouse managers and warehouse staff use handheld scanning terminals, intelligent tablet PCs and similar devices for operations such as goods entry and exit, inventory, shifting, sorting, splitting and picking. Users increasingly value a high-speed wireless network experience on these intelligent terminals.
Storage scenes range from large open rooms that simply hold goods to high-attenuation scenes where rows of shelves stand like walls, from three to five meters high up to ten to twenty meters or more. In a scene with standing shelves, each shelf acts like "a wall" and is a great barrier to the wireless signal, so the wireless solution must overcome signal blocking by the shelves. Warehouse managers move among the shelves to inventory goods, so the wireless solution must provide zero roaming ability.
Besides the trouble of construction, management is not easy and a variety of problems are encountered in use:
- Poor signal coverage, all kinds of interference, bad experience.
- Code gun roaming failure.
- Front-end personnel cannot maintain the network, which affects work efficiency.
What the warehouse needs is a wireless solution with full coverage (no signal dead spots), no dropouts or lag anywhere, and unified, visualized management. The following shows how FS deploys it.

7.2.2 Warehouse Wireless Deployment Steps

7.2.2.1 Information Collection

Information collection: Storage information collection is the basis of the entire program and directly affects the subsequent coverage assessment, capacity assessment and program development. The information collected should contain at least the following six categories:
1. Wireless Coverage Areas: Areas that require wireless coverage (e.g. inside the warehouse, corridors). Request the client to provide floor plans.
2. Number and Type of Wireless Clients: Examples include barcode scanners, wireless display PCs, wireless robots, etc.
3. Wireless Network Service Requirements: Specific applications such as wireless inventory management, inbound/outbound scanning, wireless vehicle tracking, monitoring of critical assets, and other specialized business operations. Also define the priority or service level for each type of application.
4. Warehouse Purpose and Layout: Confirm the type of goods stored, presence of shelves, and shelf heights.
5. Existing Network Applications and Topology: Understand the current network usage and deployment in the warehouse.
6. Historical Deployment Models and Network Management Practices: Learn from previous deployments in similar scenarios, such as other warehouse sites within the enterprise and plans for adding new warehouse locations.

7.2.2.2 Network Evaluation

Network assessment: three types of assessment (coverage, capacity, risk). After the basic information has been collected, network coverage and capacity should be assessed for the relevant area immediately, and the assessment must be combined with an on-site survey.

1. Coverage assessment
a. Understand the obstacles affecting wireless signal propagation

Obstacle/Material | Attenuation Level | Attenuation Value | Example/Location
Wood | Low | 3–8 dB | Interior walls, office partitions, doors, floors
Plaster | Low | 3–8 dB | Interior walls (new plaster has greater impact on wireless signals than old plaster)
Synthetic Materials | Low | 3–8 dB | Office partitions
Asbestos | Low | 3–8 dB | Ceilings
Glass | Low | 3–8 dB | Clear windows
Tinted/Metallic Glass | Low | 3–8 dB | Windows with color or metallic coating
Human Body | Low | 3–8 dB | Human presence
Water | Medium | 8–10 dB | Wet wood, glass tanks, organic matter
Brick | Medium | 10–12 dB | Interior walls, exterior walls, floors
Marble | Medium | 10–12 dB | Interior walls, exterior walls, floors
Ceramic Materials | High | 15–25 dB | Ceramic tiles, ceilings, floors
Concrete | Very High | 20–40 dB | Floors, exterior walls, load-bearing beams
Silver Coating | Very High | 20–40 dB | Mirrors
Metal | Very High | 20–45 dB | Office desks, partitions, concrete, elevators, filing cabinets, ventilation equipment

b. Survey the site according to the drawings provided by the customer to guarantee warehouse coverage. Coverage problems will 100% lead to customer complaints and affect wireless use in the warehouse, so all of them must be resolved in the evaluation phase. If you cannot judge based on experience, you need to actually measure signal strength (generally -65 dBm or better is required).
c. The coverage test area contains: the warehouse target area and the main activity areas surrounding it.

2. Capacity Assessment and Selection
Capacity assessment mainly solves two problems: A. Ensure that all terminals can associate normally; B. Ensure that the terminals' applications work.
1. The carrying-capacity risk assessment mainly checks whether the number of STAs carried by an AP exceeds the requirement. Confirm the distribution and density of clients with the customer; this cannot be taken for granted. Assess the number of warehouse APs from the confirmed data and the recommended number of users per AP.
In general, a warehouse scenario does not have many terminals, and the number of supported clients is sufficient.
2. Warehousing generally does not have high traffic requirements, and concurrent traffic is not large, so throughput is generally sufficient.
3. The warehouse scene is mainly about ensuring full wireless coverage, so that in a high-fading environment the terminal signal strength meets business requirements.

About AP selection:
1. For warehouses more than 4 meters high, put-in AP deployment can be considered. The installation height of a put-in AP should not exceed 6 meters. If the height is exceeded, consider the following methods:
- Weld a rack below the ceiling to lower the mounting height, then install the AP.
- If the shelves are not moved, install the AP on the shelf.
2. For cold storage and other extreme storage conditions, consider low-temperature-resistant APs, such as the AP-T565 and AP-T567 outdoor series.

3. Risk assessment
Each entry below lists the risk point, its description and the common solutions, grouped by metric category.

Coverage
- Coverage Risk: Determine the required on-site signal strength to meet customer needs. Increase AP deployment density.
- Unknown STA Risk: Must consider the receiving capability of customer STAs (clients).

Performance
- Uplink/Downlink Bandwidth: Verify whether the uplink and downlink bandwidth can satisfy the total traffic demand of users. Increase uplink/downlink bandwidth.
- Number of STAs: Evaluate the number of STAs supported per radio to ensure application performance. Configure rate sets, OOS (Out-of-Service) policies, bandwidth limiting, and low-rate client rejection strategies. Add more APs and adjust installation points as needed.
- Co-channel AP Count: Assess the number of co-channel APs that can hear each other in the design. Apply reasonable configurations to improve network efficiency. The interference threshold is -75 dBm. Adjust AP locations or modify the deployment environment.
- Hidden Nodes: Check for the presence of hidden nodes and whether mitigation plans are in place. Disable applications such as BT and Thunder (download accelerators). Apply bandwidth limiting policies. Adjust AP locations or modify the deployment environment.
- RF Environment: Determine whether the RF environment in the deployment area meets the requirements. Disable or remove interfering devices. Adjust AP installation points.

Application Support
- Special Applications: Verify whether special applications are supported. Determined based on the specific situation.

7.2.2.3 Network Planning and Construction

Network planning and construction: The main work in this phase includes network planning and network construction.

1. Network Planning
a. Wired end planning: Decide the wired deployment mode of the AC and PoE switches according to the existing wired network in the warehouse. Check whether the network cabling is newly deployed or old. If it is old, trace the connections of the equipment clearly and draw up a detailed topology diagram.
In a headquarters-and-branch warehouse deployment, branch APs may come online on the headquarters AC. In that case, make sure the path from the AP to the AC tunnel address is reachable on UDP ports 5246 and 5247.
Organize the complete network topology diagram. It is recommended to label both ends of each network cable with corresponding labels: the end connecting to the switch and the end connecting to the AP need the same sticky note so that the AP is easy to find and install. It is recommended to label with a combination of installation point and number, and to name the AP with the English abbreviation of the installation point plus the number, keeping the two consistent.
b. Wireless end planning: Based on the AP quantity planned in the network assessment in the previous section, conduct an on-site survey to confirm the AP installation points, and mark them in detail on the drawings to facilitate construction.

-Penetration
For reinforced concrete walls, covering through walls is not recommended.
For ordinary brick walls, it is recommended that AP coverage penetrate no more than 2 walls.
For glass walls, it is recommended that AP coverage penetrate no more than 4 walls.
For wooden walls, it is recommended that AP coverage penetrate no more than 6 walls.
For metal shelves, considering the impact of goods stacked on the shelves and the different materials of the goods, it is recommended that an AP cover 2-3 shelves, adjusted according to the actual situation.

-Installation Location
Wireless devices should be installed far away from strong interference sources, in a location with a clear view in the communication direction. An independently placed AP is better mounted high, so that it radiates downward, is blocked by fewer obstacles and leaves fewer signal blind areas. For a general storage environment, ceiling mounting (installed on ventilation ducts, fire ducts, etc.), wall mounting, rack mounting, etc. can be used.

2. Network Construction
The following principles should be followed:
- When connecting APs to switches using Category 5 or Cat5e cables, the distance between the switch and the AP must comply with the 100-meter transmission limitation of Category 5 cabling.
- The number of switch ports in use should be determined based on the power consumption of the APs and the switch's PoE supply capacity, while also reserving additional ports for future expansion and maintenance.
- The AP installation location should facilitate the routing of network cables, power cables, and feeder cables, and allow easy maintenance and replacement.
- The AP coverage area and the spacing between APs should be determined according to the link budget and edge field strength requirements.
- The AP installation position should be properly selected: on one hand, as close as possible to the target coverage area to ensure adequate signal coverage; on the other hand, leveraging shelving, partitions, or other physical barriers to isolate co-channel interference and improve network capacity. In warehouse environments, if there are corridors along the boundaries or temporary storage areas outside the warehouse requiring wireless access, additional APs should be deployed in these locations to avoid poor wireless experience in uncovered zones.

Provide on-site guidance to the construction team for the installation of APs, ACs, and PoE switches. Requirements: cabling must be concealed and neatly arranged, devices firmly installed, and both network and feeder cables must be protected with conduits. Excessively long network cables should be covered with metal flexible conduits for protection, as warehouses may have rodents that could damage unprotected cables.
Pay special attention to the quality of network cable termination. Use a cable tester to verify performance, and check for packet loss through device-side interface monitoring to ensure reliability.
For warehouse wireless networks, WPA/WPA2 encryption can be used for secure access authentication.

7.2.2.4 Network Optimization

Access to airware: In a warehouse environment, airware is mainly used for wireless network monitoring; for network optimization, manual adjustment according to the actual situation is recommended.
Connect this project to airware.

Manual network optimization (the warehouse deployment environment is complex and scenarios vary, so manual adjustment according to the actual situation is recommended): [Required]

Step 1: Channel planning
For 2.4G, it is recommended to plan with channels 1, 5, 9, 13, a scheme of 4 non-overlapping channels.
For 5G, it is recommended to plan with channels 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165, a total of 13 non-overlapping channels. You can first plan the channels manually according to AP location; then, if the channels pushed by WIS are not very reasonable, the AP channels are easy to adjust quickly.
AP points are planned in a cellular layout so that the spacing between APs on the same frequency is as large as possible. For example, AP points and channels in a high-density environment are planned as follows:
[Figure: AP point and channel plan for a high-density environment]

Step 2: Power Planning & 5G Priority
Wireless devices have two types of power. One is Power Local, the transmission power of AP data frames, which is usually used to optimize the transmission rate and control the interference range. The other is Coverage-area-control, also known as Beacon power, the power the AP uses when sending Beacon and Probe Response messages; it mainly controls the coverage area and optimizes access and roaming. These two types of management messages are sent with power local if Beacon power is not configured, or with the configured Beacon power if it is. We often use Beacon power to reduce the coverage of APs.
In simple terms: too much power local causes large interference; too little power local leads to a low AP downlink rate, affecting AP throughput and STA experience; too much beacon power makes the AP coverage area too large, which causes remote access and frequent roaming and degrades the terminal experience; too little beacon power causes insufficient coverage.
Coverage-area-control power optimization: First identify the area the AP is to cover, then control the AP coverage area (i.e., the transmit power of beacon frames) with the coverage-area-control command. When adjusting, keep the edge signal strength of the AP coverage area >= -65 dBm. This optimizes access so that terminals connect to the most suitable nearby AP, avoiding degraded data transmission quality caused by distant association and roaming stickiness.
To make more dual-band terminals actively access the 5G band, which has sufficient channel resources, the coverage power of 2.4G needs to be configured 8 dB lower than that of 5G. This ensures that the 5G signal a terminal receives from the same AP is stronger than the 2.4G signal, so the terminal eventually gives priority to the 5G signal.

Power Local power optimization: The power local power of 2.4G and 5G is 3~5 dB higher than the respective coverage-area-control power.

Example of power planning for an AP in one environment:

2.4G Coverage-area-control Configuration: 10 dBm
5G Coverage-area-control Configuration: 17 dBm
AC-224AP(config-ap)#coverage-area-control ?
  <0-32>  0 dBM--32 dBM
AC-224AP(config-ap)#coverage-area-control 10 radio 1
AC-224AP(config-ap)#coverage-area-control 17 radio 2
AC-224AP(config-ap)#

2.4G Power Local Configuration: 20% (13 dBm)
5G Power Local Configuration: 100% (20 dBm)
AC-224AP(config-ap)#power local ?
  <1-100>  Upper limit of tx power, units:percent.
  global   Set ap's tx power as global
AC-224AP(config-ap)#power local 100 radio 2
AC-224AP(config-ap)#power local 20 radio 1
AC-224AP(config-ap)#

Step 3: Enable Layer 2 isolation in wireless user VLANs - reduce Layer 2 traffic in the network
This feature must be configured on networks that do not need Layer 2 access between users. It reduces network attacks and the multicast messages sent to all APs in the same VLAN, which consume wired and wireless air interface resources.
AC-224AP(config)#wids
AC-224AP(config-wids)#user-isolation ac enable
AC-224AP(config-wids)#user-isolation ap enable
AC-224AP(config-wids)#
AC-224AP(config-wids)#exit

Step 4: All used wireless user VLANs must be created on the AC
Every wireless user VLAN used on the AC must be created manually on the AC; otherwise serious problems can result, such as authentication failing or clients being unable to obtain an IP address.
AC-224AP#sh run interface-mapping 1
interface-mapping 1 2000 ap-wlan-id 1
interface-mapping 2 6 wlan-id 2
AC-224AP#
AC-224AP#
AC-224AP#sh run | in vlan
wired-vlan 144 port 2 auto-save
vlan 1
vlan 3
vlan 6
vlan 10
vlan 1000
vlan 2000
vlan 3000
AC-224AP#

Step 5: Disable Low Rate - Reduce Low Speed Nodes in the Network
A live network often contains quite a few low-speed nodes. Their messages are sent at low rates, take up more air interface resources and lower the experience of all users on the AP.
In places where private wifi interference is not very serious, you can usually disable the rate rate set below 11M: AC-224AP(config)#ac-controller AC-224AP(config-ac)#802.11g network rate 1 disabled AC-224AP(config-ac)#802.11g network rate 2 disabled AC-224AP(config-ac)#802.11g network rate 5 disabled AC-224AP(config-ac)#802.11g network rate 6 diabled AC-224AP(config-ac)#802.11g network rate 9 disabled AC-224AP(config-ac)#802.11b network rate 1 disabled AC-224AP(config-ac)#802.11b network rate 2 disabled AC-224AP(config-ac)#802.11b network rate 5 disabled AC-224AP(config-ac)# Note: In places where private wifi interference is serious or coverage is insufficient, disabling all power below 11M may make the network experience worse. Due to the interference or transmission distance required, the probability of packet loss and misreporting of high-speed messages is higher, at this time the appropriate retention of part of the low speed (such as 5, 6 or even 2) can improve the experience to some extent. Step 6: Upstream and downstream QOS speed limit for users Avoid terminals with good NIC performance to keep occupying the channel resulting in poor experience for terminals with poor NICs. AC-224AP(config)#wlan-config 1 ac-hotbackup AC-224AP(config-wlan)#wlan-based per-user-limit up-streams average-data-rate 300 burst-data-raate 350 AC-224AP(config-wlan)#wlan-based per-user-limit down-streams average-data-rate 400 burst-data-rate 500 AC-224AP(confio-wlan)# In the configuration, the unit is 8Kbps. The burst value is recommended to be 1.2 times to 1.5 times the average value. In addition, if there is a wlan in the network that is transmitting only for 5.8Gradio, the speed limit value for that wlan can be higher than the average speed limit value for signals transmitting on 2.4G. 
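A check for Steps 3, 5 and 6 run against a saved configuration, as an added example that is not FS's own code or part of the original guide. It assumes the saved configuration stores these commands in the same form as they are typed above, with sub-commands indented under their top-level command; the sample configuration, including the `guest` WLAN, is constructed.

```python
import re

# Values taken from Steps 3, 5 and 6 on this page.
ISOLATION_CMDS = ("user-isolation ac enable", "user-isolation ap enable")
STEP5_RATES = {"802.11g": (1, 2, 5, 6, 9), "802.11b": (1, 2, 5)}
UNIT_KBPS = 8  # Step 6: configured rate values are in units of 8 Kbps

WLAN_RE = re.compile(r"^wlan-config (\d+)\b")
RATE_RE = re.compile(r"^(802\.11[bg]) network rate (\d+) disabled$")
LIMIT_RE = re.compile(
    r"^wlan-based per-user-limit (up|down)-streams "
    r"average-data-rate (\d+) burst-data-rate (\d+)$"
)

# Constructed sample, not a real device export. WLAN 1 uses the values from
# the page's Step 6 example; WLAN 2 and the omissions are made up.
SAMPLE_CONFIG = """\
wids
 user-isolation ac enable
!
ac-controller
 802.11g network rate 1 disabled
 802.11g network rate 2 disabled
 802.11g network rate 5 disabled
 802.11g network rate 9 disabled
 802.11b network rate 1 disabled
 802.11b network rate 2 disabled
 802.11b network rate 5 disabled
!
wlan-config 1 ac-hotbackup
 wlan-based per-user-limit up-streams average-data-rate 300 burst-data-rate 350
 wlan-based per-user-limit down-streams average-data-rate 400 burst-data-rate 500
!
wlan-config 2 guest
 wlan-based per-user-limit down-streams average-data-rate 400 burst-data-rate 800
"""


def parse(config_text):
    """Collect the Step 3/5/6 settings.

    Assumed layout: a top-level command starts in column 0 and its
    sub-commands are indented beneath it.
    """
    seen = {"isolation": set(), "disabled": set(), "limits": {}}
    wlan = None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a new top-level section starts here
            m = WLAN_RE.match(line)
            wlan = m.group(1) if m else None
            if wlan is not None:
                seen["limits"].setdefault(wlan, {})
            continue
        if line in ISOLATION_CMDS:
            seen["isolation"].add(line)
        m = RATE_RE.match(line)
        if m:
            seen["disabled"].add((m.group(1), int(m.group(2))))
        m = LIMIT_RE.match(line)
        if m and wlan is not None:
            seen["limits"][wlan][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return seen


def audit(config_text):
    """Return (step, message) findings; an empty list means nothing to fix."""
    seen = parse(config_text)
    findings = []
    for cmd in ISOLATION_CMDS:
        if cmd not in seen["isolation"]:
            findings.append(("step3", f"missing '{cmd}'"))
    for band, rates in STEP5_RATES.items():
        for rate in rates:
            if (band, rate) not in seen["disabled"]:
                findings.append(("step5", f"{band} rate {rate} still enabled"))
    for wlan, dirs in sorted(seen["limits"].items(), key=lambda kv: int(kv[0])):
        for direction in ("up", "down"):
            if direction not in dirs:
                findings.append(("step6", f"wlan {wlan}: no {direction}-stream limit"))
                continue
            avg, burst = dirs[direction]
            # Integer form of 1.2 <= burst/avg <= 1.5, so 360/300 passes exactly.
            if avg == 0 or not 12 * avg <= 10 * burst <= 15 * avg:
                ratio = f"{burst / avg:.2f}" if avg else "undefined"
                findings.append((
                    "step6",
                    f"wlan {wlan}: {direction}-stream burst/average {ratio} "
                    f"({avg * UNIT_KBPS}/{burst * UNIT_KBPS} Kbps) outside 1.2-1.5",
                ))
    return findings


if __name__ == "__main__":
    for step, message in audit(SAMPLE_CONFIG):
        print(step, message)
```

The Step 6 upstream values shown above (300 average, 350 burst) give a ratio of 1.17, just under the recommended 1.2, so the check reports them. Step 5's note allows keeping some low rates, so a step5 finding is a prompt to confirm the choice was deliberate.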
Step 7: Limit the number of STA accesses under the AP

Limiting the number of users on a single AP avoids degrading the experience. The recommended number of users for most dual-band APs is 64. In office environments, where most terminals are laptops, desktops and cell phones and traffic is light, the STA limit per AP can be raised to about 120-140; if concurrent traffic is heavy, do not set the number of users too high, and preferably keep it within the recommended number of users.

LAB-AC(config-ap)#sta-limit 130
LAB-AC(config-ap)#

Step 8: Wired ports on AC do VLAN trimming - reduce unnecessary multicast messages affecting wireless performance

With centralized forwarding and the STA gateway on the AC, allow only the interconnect VLAN; with centralized forwarding and the STA gateway not on the AC, allow only the STA and interconnect VLANs; with local forwarding, allow only the interconnect VLAN.

LAB-AC(config-if-GigabitEthernet 0/1)#switchport trunk allowed vlan remove 10-20
LAB-AC(config-if-GigabitEthernet 0/1)#sh this
Building configuration...
switchport mode trunk
switchport trunk allowed vlan only 1-9,21-4094
end
LAB-AC(config-if-GigabitEthernet 0/1)#

Step 9: Adjust RRM (Radio Frequency Resource Management) related functions

The DCA (Channel Auto Adjustment) and TPC (Power Auto Adjustment) functions in RRM occupy a lot of CPU and memory resources when running, and frequent DCA and TPC make the wireless network unstable. In some scenarios the power adjustment function may also set the power too low, resulting in a poor user experience. Therefore, these two functions need to be turned off. Channel and power optimization are configured according to step 1 and step 2.

1. RRM power adjustment is not enabled (disabled by default).

LAB-AC(config)#advanced 802.11b txpower dtpc disable
LAB-AC(config)#advanced 802.11a txpower dtpc disable

2. Disable the RRM channel adjustment function (enabled by default).

LAB-AC(config)#advanced 802.11b channel global off
LAB-AC(config)#advanced 802.11a channel global off
LAB-AC(config)#

[Optional] Step 1: Adjust the time interval of Beacon sending

The default beacon period is 100 ms, and beacon messages are sent at the lowest mandatory rate. In environments with little private Wi-Fi interference, when our AP transmits many signals (for example, one AP transmits 4~8 signals), the beacon messages occupy a lot of air-interface resources and cause a poor user experience. In that case, consider adjusting the beacon period to 150~300 ms. Note: setting the period too high makes the signal received by users unstable and causes experience problems.

7.2.2.5 Cautions

Caution: Because warehouses differ in size, storage structure and goods stored, some steps may be omitted depending on the actual situation, and the time required for each step or the scope of implementation may differ significantly; adjust according to the actual situation. Pay particular attention to the following points:

1. Customer requirements must be discussed in advance, and all details such as cabling routes, shelf locations and heights, types of stored goods, wireless applications, and on-site wiring must be verified carefully. This helps prevent last-minute changes that could consume significant time, delay overall progress, and affect wireless coverage.
2. Network cables should have a reserve length of 3–5 meters to allow adjustments to AP locations based on actual on-site conditions.
3. Both network cables and feeder cables must be enclosed in PVC conduits. For any exposed sections, use metal flexible conduits to prevent damage from rodents.
4. The ends of network and feeder cables should be protected with tape or similar material to avoid damage during conduit installation.
5. For warehouses with extreme environments, such as cold storage facilities, use AP models capable of operating reliably under harsh conditions, such as AP-T565 or AP-T567.
6. The installation height of ceiling-mounted APs should not exceed 5 meters. For areas with tall or densely packed shelves, consider using outdoor AP models such as AP-T565 or AP-T567.
7. Typical warehouse wireless terminals include barcode scanners, wireless dashboards, and AGVs (automated guided vehicles). It is recommended to use a combination of WPA/WPA2 encryption and MAC bypass authentication. The MAC addresses of all wireless terminals should be pre-registered on the server.

7.2.3 Warehouse logistics scene check items

If zero-roaming deployments are involved, in addition to this checklist, you also need to pay attention to the [2 Warehouse Wireless Zero Roaming Solution Installation checklist].

This inspection item is intended for wireless warehouse deployment scenarios. It is essential to complete the basic information verification before deployment. Please strictly follow the timeline specified in the table below to complete each task; otherwise, it will significantly impact the overall debugging and optimization schedule.

Table columns: Whether Executed (If executed, please enter "OK" and provide the corresponding tables and configurations; if not executed, please specify the reason.) | Acceptance Module | Inspection and Confirmation Points | Deliverables and Detailed Description

Verify Basic Information (the first step to be completed after confirming the wireless deployment)

Wireless coverage area (e.g., warehouse interior, corridors, etc.)
1. Request the customer to provide the warehouse floor plan.
2. Organize a table summarizing the terminal types and business requirements for each area requiring wireless coverage.
- Number and types of wireless terminals: such as barcode scanners, wireless display PCs, and wireless robots.
- Business requirements: for example, barcode scanning, wireless robot operations for moving goods and shelves, and other industry-specific applications.
- Service assurance levels: determine which types of services should receive priority support.
- Warehouse purpose: for example, express delivery warehouse, cold-chain warehouse, building materials warehouse, or glass warehouse. Include details such as whether shelves are present, shelf height, and the stacking height of goods.

Number and types of wireless terminals (e.g., barcode scanners, wireless display PCs, wireless robots, etc.)

Wireless network service requirements and service-level priorities for different business applications

Warehouse purpose confirmation, including shelf layout and height verification

Understanding of the existing network applications and topology in the warehouse
Existing network cabling and topology; new device cabling and topology.

Reference to previous similar deployment models and network management practices
For example, an enterprise that already has multiple warehouse locations and is adding new warehouse sites.

Deployment Planning (see notes for details on each sub-item completion stage)

Perform initial deployment and determine device models and quantities (to be completed during the planning phase).
Determine the AP deployment method (ceiling-mounted, rack-mounted, etc.) and device selection (choose the access and core devices as needed, confirm the wireless controller and AP models). The AP model should be selected based on the wireless coverage area, site floor plan, and on-site survey. For example, if the shelves are over ten meters high or the warehouse has low temperatures, such as in a cold storage facility, outdoor AP models like AP-T565 or AP-T567 should be considered.

Plan AP locations in advance based on the floor plan, actual site layout, shelving arrangement, and wireless coverage areas (to be completed before installation).
Provide an AP placement diagram (annotations can be made on the floor plan) to facilitate the construction team in pre-laying cables.

Prepare an AP name and MAC address mapping table (to be completed by the construction team after the devices arrive on-site. Before device arrival, communicate AP names to the construction team to facilitate record-keeping and labeling of devices and network cables. Using the WIS scanning tool can improve efficiency).
When labeling the AP panel, please record the AP name and AP MAC address. (It is recommended that the AP name used when the AP goes online on the AC be a combination of letters and numbers in English, and avoid using Chinese characters.)

Complete VLAN and IP address planning (this should be done before device installation).
It is recommended to separate wireless and wired VLANs: for example, assign wireless VLANs starting from VLAN 200 and wired VLANs starting from VLAN 2000. Make sure to reserve VLANs properly. User count should also be considered; if the number of wireless users exceeds 500, multiple wireless VLANs should be created to avoid an excessively large broadcast domain on a single VLAN. An address planning table must be provided.

Topology and AP-to-switch mapping tables (to be organized after the APs are brought online).
Based on the AP Name and MAC mapping table above, further organize the management addresses and interface information of the switches to which the APs are connected. Produce an accurate topology diagram to facilitate quick troubleshooting in the future.

Confirm the network topology (before the equipment arrives, organize the existing network topology and plan the deployment topology in advance; after the network setup is completed, document the actual topology; this is a continuous process).
Output a detailed and accurate topology diagram, ensuring that device names, management addresses, and interconnection interfaces are properly configured.

AP Installation (Before the APs arrive, coordinate with the construction team on requirements, including labeling, AP name and MAC address registration, cable reservation, network topology, and AP placement diagrams, to ensure proper preparation. After the APs arrive, supervise the construction team to complete the installation as required, and ensure any improper deployment is corrected promptly.)

Label each AP according to its installation location.
If the customer allows labeling, use large font, as APs are usually installed at a considerable height in warehouse environments, making small labels difficult to read from below.

The network cable connected to each AP should also be labeled with the same name as the AP to ensure consistency.
If there are many APs in a warehouse, you can label them sequentially using the warehouse name, such as WarehouseName-1, WarehouseName-2, etc. The label on the AP should match the label on the corresponding cable.

The network cables connected to the APs should have an extra length of 3–5 meters to allow for AP position adjustments. Both the network cables and feeder cables connected to the APs must be routed through PVC conduits, and any excess cable should be protected with flexible metal conduits to prevent damage from rodents.
- When using a zero-roaming solution, installation must strictly follow the zero-roaming deployment guidelines. The aesthetically mounted antenna should not exceed 4 meters in height, with a coverage radius of approximately 6 meters in open environments; the coverage will be smaller in warehouse environments.
- During placement deployment, the height should not exceed 6 meters.

Debugging Tools
Please prepare a console cable, and you may also carry an extra Ethernet cable.

Configuration Planning (to be completed before the equipment arrives)

Wireless Signal and Forwarding Mode
Select the forwarding mode according to the customer's requirements. Do not use Chinese characters for SSIDs, AP groups, or AP names; use English letters and numbers to avoid issues with encoding that could affect user experience and troubleshooting.

Client Access Security
For common barcode scanners, the wireless network can be deployed with WPA/WPA2 password access.
At the same time, MAB (MAC Authentication Bypass) can be deployed via SMP for seamless authentication, with the terminal MAC addresses pre-added on the SMP as MAC-authenticated devices.

Network Optimization

Channel Planning
It is recommended to manually plan AP locations in advance and prepare scripts beforehand, only manually adjusting parameters such as channels when necessary.

Monitor Access via WIS
In warehouse environments, manual RF optimization is advised; WIS should primarily be used for network monitoring.

Power Planning
Use coverage-area-control and power local for power optimization, adjusting based on actual measurements.

Enable Layer 2 Isolation within Wireless User VLANs
Configure user isolation to reduce Layer 2 broadcast traffic in the network (terminals that need access can be added to an exception list).

Disable Low Data Rates
Adjust according to the actual situation; do not disable low data rates if terminals rely on them.

Apply Upstream/Downstream QoS Limits for Users
Note that wireless rate limiting is in KB.

Limit the Number of STA Connections per AP
Adjust the number of users per AP based on AP locations and coverage areas.

Perform VLAN Trimming on Wired Ports at the AC
Reduce unnecessary multicast traffic to improve wireless performance; VLAN trimming should be applied on both AC-to-core links.

Enable Roaming Stickiness and Optimize Remote Association
Guide terminals to associate with the most appropriate AP.

Adjust RRM (Radio Resource Management) Related Functions
Disable automatic channel and power adjustment functions.

Document Stub

Configuration Retention
It is necessary to retain the configurations of network edge devices, core devices, wireless controllers (the controller's config.text and ap-config.text files need to be backed up), access devices, and other relevant equipment. This ensures a record for future maintenance and reference in similar scenarios.

Final Topology Retention
The network topology should be documented and retained for subsequent network maintenance.

Deployment Summary
A deployment summary document should be produced to facilitate experience sharing and reference for future projects.

7.2.4 FAQ

1. Smart warehouse wireless product model recommendations?
AP/AC products released in the past one to two years are recommended.
AC models recommended: AC-224AP/AC-7072
AP models recommended: AP-N505/AP-N515/AP-T565/AP-T567 series, etc.

2. What is the performance of the above recommended models? I have a project on my side, how should I choose?
Select equipment according to the appendix "Wireless Product Capacity". The specific model depends on the number of terminals each AP supports and on its coverage, and several AP models may be used together. If the project involves a low-temperature environment (such as fresh-food warehouses) or outdoor deployment, add the outdoor AP-T565 and AP-T567 to the selection.

3. What is the recommended location for AP installation?
Installation on fire or ventilation ducts, rack mounting, wall mounting and so on is recommended; choose the AP installation location according to the actual situation on site.

4. If the installation location can only use the ceiling method, what model AP is recommended?
AP-N505 or AP-N515 series are recommended, with a built-in directional antenna and an optional multi-directional adjustment rack system, which supports multiple installation methods and coverage direction adjustment.

5. Some warehouses also need to meet outdoor coverage, so what model is recommended for outdoor coverage?
AP-T565 and AP-T567 are recommended. The AP's 60° directional antenna can be used to cover an area sensibly and avoid overlapping areas and blind areas. For low-temperature warehouse environments such as fresh-food warehouses, AP-T565 and AP-T567 series products are also recommended.

6. How to troubleshoot common problems after deployment?
Some of the problems are as follows:

Troubleshooting procedure for APs that drop offline
Using the table that maps each AP to the switch it connects to, log in remotely to that switch and check whether the interface connected to the AP is up, whether the AP's management address can be logged in to, and whether pinging the AP address shows delay or packet loss. If the switch interface is down, go to the AP installation site and check the situation there, for example whether the network cable is loose or the AP is faulty.

Procedure for identifying APs with more users than the limit
Using the AP-to-switch mapping table, optimize the configuration of the affected AP remotely. You can also go to the site of the affected AP and check whether there are many people in the area; besides adjusting the access limit, more APs can be deployed as needed.

Investigation procedure for AP channel utilization that is too high (more than 70%)
Using the AP-to-switch mapping table, connect remotely to the affected AP, check whether its power parameters are unreasonable, and optimize them. You can also go to the location of the affected AP and use the WiFi Magic Box to scan the affected area for serious interference.

Investigation procedure for terminals that cannot associate, have poor signal, or associate repeatedly
Using the AP-to-switch mapping table, log in remotely to the equipment and check the relevant information: whether the failure is large-scale, whether RSSI is too weak, whether there is distant association, and whether the terminal is actively disassociating (note that a terminal that fails to obtain an address may actively send a disassociation). Then carry out wireless optimization and equipment troubleshooting. You can also go to the location of the affected AP, test association on site, and pin down the fault symptoms.

7.2.5 Appendix

Wireless Warehouse AC/AP Recommended Model Product Capacity:

Product Model | Base Managed APs | Maximum Managed APs (Expandable via License) | Maximum Managed STAs | Recommended Managed STAs
AC-1004 | 64 | 64 | 32 × Maximum Manageable APs = 2K | 16 × Maximum Manageable APs = 1K
AC-224AP | 224 | 224 | 32 × Maximum Manageable APs = 7K | 16 × Maximum Manageable APs = 3K
AC-7072 | 128 | 1152 | 32 × Maximum Manageable APs = 36K | 16 × Maximum Manageable APs = 18K

Recommendation: Keep 20~30% headroom below the recommended number of managed STAs; otherwise a higher-level AC is recommended. For example, if a wireless warehouse is expected to support 200 terminals online at the same time, a single AC-224AP is not recommended; stacking dual AC-224AP is recommended.
Product Model | RF Features | Single AP Access Rate | Recommended Optimal Users | Maximum Users per Device
AP-W6D1775C | Dual-radio dual-band design, supporting 802.11a/b/g/n, 11ac Wave2, and 802.11ax simultaneously | 575+1200=1775Mbps | 64 | 256
AP-W6D2400C | Dual-radio dual-band design, supporting 802.11a/b/g/n, 11ac Wave2, and 802.11ax simultaneously | 1200+1200=2400Mbps | 64 | 256
AP-W6T3267C | Triple-radio dual-band design, supporting 802.11a/b/g/n, 11ac Wave2, and 802.11ax simultaneously | 1200+1200+867=3267Mbps | 64 | 256
AP-W6T4134C | Quad-radio dual-band design, supporting 802.11a/b/g/n, 11ac Wave2, and 802.11ax simultaneously | 866+1200+1200+866=4134Mbps | 80 | 1552
AP-W6T6817C | Triple-radio dual-band design, supporting 802.11a/b/g/n and 11ac Wave1 simultaneously | 1150+867+4800=6817Mbps | 120 | 1536
AP-W6T10000C | Triple-radio dual-band design, supporting 802.11a/b/g/n and 11ac Wave1 simultaneously | 400+4800+4800=10000Mbps | 150 | 1536
AP-N505 | Dual-radio dual-band design, supporting 802.11a/b/g/n, 11ac Wave2, and 802.11ax simultaneously | 575+2400=2975Mbps | 64 | 1024
AP-N515H | Dual-radio dual-band design, supporting 802.11a/b/g/n, 11ac Wave2, and 802.11ax simultaneously | 575+4800=5375Mbps | 32 | 256
AP-N515 | Dual-radio dual-band design, supporting 802.11a/b/g/n, 11ac Wave2, and 802.11ax simultaneously | +1200=2400Mbps | 64 | 1024
AP-T565 | Dual-radio dual-band design, supporting 802.11a/b/g/n, 11ac Wave2, and 802.11ax simultaneously | 1200+1200=2400Mbps | 64 | 1024
AP-T565 | Dual-radio dual-band design, supporting 802.11a/b/g/n, 11ac Wave2, and 802.11ax simultaneously | 1200+1200=2400Mbps | 64 | 1024

7.3 Wireless Bridging Scenarios

7.3.1 Scene Introduction

In many cases network cables cannot be deployed because of environmental factors (e.g. between two buildings, between the shore and a ship, in an elevator shaft), yet network connectivity must still be ensured. Wireless bridging technology can then be used: wired data is carried to the upper-level network over a wireless bridging channel.

WDS (Wireless Distribution System) connects multiple APs through wireless bridging or relaying, linking the distributed networks and extending the reach of the wireless signal. WDS has two modes of operation: ROOT-BRIDGE and NONROOT-BRIDGE.

Bridging is used in many scenarios. Different scenarios have different deployment methods, but the bridging configuration is the same. This document focuses on the following bridging scenarios: elevator bridging, ship bridging, street video backhaul, wind farm bridging, oil plant bridging, and overhead bridging.

7.3.2 Wireless Bridging Deployment Steps

7.3.2.1 Information Collection

Information collection is the foundation of the entire program and directly affects the subsequent coverage, capacity assessment and program development. The information collected should cover at least the following six categories:

1. Determine the wireless bridge distance. Request the customer to provide the locations of the root bridge and non-root bridge APs and calculate the distance between them. If the distance is too long, use latitude and longitude coordinates to estimate it.
2. Check whether there are obstacles between the root bridge AP and the non-root bridge AP, and whether they are in line-of-sight (LOS) range.
3. Confirm the network application type: whether the root and non-root bridges require wireless coverage, and whether the LAN2 port of the non-root bridge is connected to a switch to carry wired services.
4. Determine the type of traffic on the non-root bridge side, whether it is general internet access or video backhaul, and the expected traffic volume.
5. Identify whether the bridging requires a one-to-many setup or multi-hop bridging.
6. Decide whether to deploy the bridge in fat (standalone) mode or thin (controller-managed) mode, and whether multiple VLANs need to be transparently passed through.
7.3.2.2 Network Evaluation

Network assessment: three types of assessment (coverage, capacity, risk)

After the basic information has been collected, assess network coverage and capacity for the relevant area immediately; completing this assessment requires an on-site survey.

1. Coverage and fading assessment

a. Understanding the obstacles affecting wireless signal propagation

Obstacle | Attenuation Level | Attenuation Value | Example
Wood products | Low | 3–8 dB | Interior walls, office partitions, doors, floors
Gypsum | Low | 3–8 dB | Interior walls (new gypsum affects wireless signals more than old gypsum)
Synthetic materials | Low | 3–8 dB | Office partitions
Asbestos | Low | 3–8 dB | Ceilings
Glass | Low | 3–8 dB | Colorless windows
Colored/metallic glass | Low | 3–8 dB | Colored windows
Human body | Low | 3–8 dB | Human body
Water | Medium | 8–10 dB | Wet wood, glass tanks, living organisms
Brick | Medium | 10–12 dB | Interior walls, exterior walls, floors
Marble | Medium | 10–12 dB | Interior walls, exterior walls, floors
Ceramic products | High | 15–25 dB | Ceramic tiles, ceilings, floors
Concrete | Very high | 20–40 dB | Floors, exterior walls, load-bearing beams
Silver plating | Very high | 20–40 dB | Mirrors
Metal | Very high | 20–45 dB | Desks, office partitions, concrete, elevators, cabinets, ventilation equipment

b. Survey the site according to the drawings provided by the customer. If there are coverage needs, they must be resolved in the evaluation phase. If you cannot judge from experience, measure the signal strength on site (-65 dBm or more is generally required).

c. AP-T567 bridging can reach three kilometers or even farther, but the coverage is limited.

2. Capacity evaluation and sizing

Scenarios with wireless coverage requirements generally need a capacity assessment (scenarios such as video backhaul generally do not involve wireless coverage, and this step can be skipped). Capacity assessment mainly solves two problems: A. ensure that all terminals can associate normally; B. ensure that the terminals' applications work.

STA-load risk: mainly assess whether the number of client STAs carried by each AP exceeds the requirement. Confirm the distribution and density of clients with the customer rather than taking them for granted. The number of APs is evaluated from the confirmed data and the recommended number of users per AP.

About AP selection: For outdoor bridging, it is recommended to use directional antenna APs. The recommended model is AP-T567, which has a fixed built-in directional antenna and does not support external antenna expansion.

3. Risk Assessment

Metric Category | Corresponding Risk Points | Description | Common Solutions
Coverage | Coverage Risk | The on-site signal strength required to meet customer needs | Increase AP deployment density
 | Unknown STA Risk | Must consider the client STA's reception capability |
Performance | Uplink Bandwidth | Whether the uplink bandwidth meets the total upstream and downstream traffic requirements | Increase uplink bandwidth
 | Number of STAs | The number of STAs per radio needs to be evaluated to ensure proper application performance | Configure rate sets, QoS, rate-limiting policies, and strategies to exclude low-rate stations; Increase the number of APs or adjust AP installation locations
 | Co-channel AP Count | The allowable number of co-channel APs that can hear each other in the design | Optimize configuration to improve network efficiency; Interference threshold is -75 dBm; Adjust AP locations or change the deployment environment
 | Hidden Nodes | Whether there are hidden nodes in the design and if mitigation measures are in place | Disable applications such as BT and Xunlei; Apply rate limiting; Adjust AP locations or change the deployment environment
 | RF Environment | Whether the RF environment at the deployment site can meet deployment requirements | Disable interfering devices; Adjust AP locations
Application Fulfillment | Special Applications | Whether special applications can be supported | Depending on the specific situation

7.3.2.3 Network Planning and Construction

The main work in this phase includes network planning and network construction.

1. Network planning

a. Wired-side Planning: Based on the existing wired network, determine the deployment method for ACs and PoE switches. It is important to note whether the network cables are newly deployed or reused. For reused cables, the connections of each device must be clearly documented, and a detailed topology diagram should be prepared. Prepare the complete network topology diagram. Labeling both ends of each network cable is recommended: the switch end and the AP end of a cable should carry the same label, so the AP is easy to find and install. Labels combining the location and a number are recommended, and the AP name should use the English abbreviation of the location plus the number, so that the two stay consistent.

b. Wireless-side Planning: Based on the AP model and quantity planning from the previous network assessment, conduct an on-site survey to confirm AP installation locations, and mark them in detail on the site drawings to facilitate subsequent installation. The AP-T567 series, with its built-in internal antennas, can meet most outdoor coverage scenarios. Wireless devices should be installed away from strong interference sources and positioned in locations with clear line-of-sight in the communication direction. Independently deployed APs should be placed higher whenever possible, allowing downward signal radiation to reduce obstruction and minimize coverage blind spots. For root and non-root bridges, the alignment angle must be precise, and ideally there should be no obstacles between them. If obstacles exist, external directional antennas should be considered for bridging.
Misalignment or excessive signal attenuation due to obstacles can significantly affect bridge performance. In general outdoor environments, APs can be installed using wall mounts, pole mounts, or similar methods.

2. Network Construction
The following principles should be followed:
When connecting APs and switches using Cat5 or Cat5e cables, the distance between the switch and AP must comply with the 100-meter transmission limit of Cat5 cables. If this distance is exceeded, consider switching the AP interface to an optical port for data transmission while maintaining power over the electrical port.
If using PoE switches to supply power, the number of switch ports in use should be calculated based on AP power consumption and the switch's PoE capacity, with additional ports reserved for future expansion and maintenance.
AP installation locations should facilitate the routing of network cables, power cables, and feeders, and allow for easy maintenance and replacement.
AP placement should be strategically selected to be as close as possible to the intended coverage area, ensuring sufficient coverage for the target region.
Provide on-site guidance for the installation of APs, ACs, and PoE switches (or power modules). Requirements: network cables and feeders must be properly waterproofed; unused ports must be sealed with plugs; cables must be bent properly for waterproofing, and waterproof tape and putty must be applied to ensure effective water protection.
Special attention must be paid to the quality of network cables and optical fibers. Use cable testers to verify cable integrity and check for packet loss at the device interface.
Both root bridges and non-root bridges must be positioned within the reasonable signal coverage angle of the counterpart. Avoid obstacles in between, and plan the installation locations and heights of root and non-root APs appropriately.

7.3.3 Wireless Bridging Considerations
Bridging considerations are as follows:
1. The built-in antenna of AP-T series products can meet most outdoor coverage scenarios.
2. Install wireless devices far away from strong interference sources, at locations with a clear view in the communication direction. An independently deployed AP is best mounted high so that it radiates downward, which reduces blockage by obstacles and minimizes signal blind areas.
3. The root bridge and non-root bridge must be aligned at the correct angle, ideally with no obstacles between them; the bridging principle is visible line of sight. If there are obstacles, consider using an external directional antenna for bridging. A wrong angle or excessive attenuation from obstacles will degrade the bridging result.
4. Where trees block the path, try raising the mounting pole or extending the bracket horizontally beyond the trees to avoid their effect on the bridge.
5. Where a hillside obstructs the path, consider adding intermediate bridging points and using a multi-hop bridging deployment.
6. Follow the outdoor AP installation guide during installation, and be sure to complete grounding and waterproofing properly.
7. For the bridge distance, record the longitude and latitude of the root bridge so that the angle of the non-root bridge can be adjusted.
8. If possible, pre-configure the bridge and run a bridging test before installing the equipment. Once the test succeeds, only the angle needs adjusting after installation; debugging a device after it has been installed is difficult.
9. In multi-hop plus one-to-many bridging environments, SSID-based bridging is not recommended: when the environment shares the same SSID, a device can easily bridge to a remote AP or form a loop. Configure bridging by BSSID instead.
10. In bridging scenarios, the channel and bandwidth configured on all ROOT and NONROOT ends must be consistent; if they are not, packet parsing errors will cause packet loss or a risk of message failure.
11. In multi-hop bridging scenarios, the channels of the hops must be staggered, for example channel 40 for the first hop and channel 60 for the second hop.
12. The RSSI of the non-root bridge as seen at the root bridge must be 25 or above, leaving some margin for loss.

Bridging site ground survey principles and considerations:

Site ground survey necessary toolkit:
1. Cell phone (equipped with Google Maps): bridging sites are open areas, and the ground survey uses the phone's maps to mark points and measure the distance between the near end and the far end;
2. Binoculars, used to observe the environment at high and distant locations;
3. Laptop or cell phone with WiFi analyzer, used to detect interference with the bridging signal on site.

Preparation before going to the site ground survey:
1. Have a topographic map of the site (first draft a plan based on the topographic map), then survey the site in a targeted way according to the plan (the site survey helps to eliminate the risk points of the draft plan);
2. Understand the business needs of the customer site, and use them during the ground survey to reduce the risk points of the plan;
3. Understand whether the project is brand new or a renovation, and find out on site whether the remote or near-end bridge is an equipment addition (in general, the point cannot be changed) or requires re-erecting the pole and wiring (the site point can be chosen flexibly).
With this preparation, the ground survey can be more targeted.

Key Considerations for On-Site Survey:
1. Number and Placement of Bridges: Determine the number of wireless bridges, their locations, installation heights, and the distance from the remote end to the central end.
Evaluate potential risks in preliminary design plans.
2. On-Site Business Requirements: Assess traffic requirements at the remote end. Are there any bandwidth limitations? Determine how many remote sites will be connected to the central end. Example: For a typical point-to-point link of 3 km, performance can reach 120 Mbps. If each remote site is limited to 8 Mbps and distributed within 3 km, after accounting for multi-user time slot overhead and potential signal attenuation due to environmental variations, it is recommended that no more than 8 remote sites be connected per central site, with an uplink RSSI greater than 25 for optimal performance.
3. Equipment Installation Conditions: Verify whether new poles are needed, pole diameter, and installation height. The mounting brackets included with bridge devices are suitable for poles with diameters of 50–80 mm. If outside this range, provide custom brackets. For new poles, a recommended diameter is 65 mm.
4. Maximum Distance Between Central and Remote Ends: This must be confirmed before equipment installation and configuration. Device pre-configuration requires accurate distance information. For distances greater than 3 km, external antennas are required. Commands to enable external antennas must be configured prior to deployment.
5. Line-of-Sight Verification: Ensure the central and remote ends are within line of sight. Recommended: both ends must have clear line of sight; otherwise, performance cannot be guaranteed. If obstructions exist, consider alternative deployment strategies, such as a two-hop configuration.
6. Existing Business Requirements: Confirm current operational demands on the network.
7. On-Site Power Supply: Verify the distance from the power supply box to the device (network cable < 100 m), input voltage range, and ensure the device is installed at least 25 m from transformers.
When high-voltage lines are nearby, use plastic insulation between pole and device to prevent static discharge or other operational issues.
8. On-Site Interference: Assess existing interference, particularly from occupied Wi-Fi bands.
9. Environmental Considerations: Evaluate potential seasonal changes that could affect signal quality, such as vegetation growth in winter versus summer.

Bridge ground survey risk point validation:
In principle, risk points should be verified by the end of the ground survey stage, but certain risks can only be confirmed during commissioning in the implementation process. In that case, the size of the risk must be assessed and preparations made for failure of the plan, to avoid secondary construction.

Risk Type | Verification Stage | Remarks
Bridging Coverage Risk | On-Site Survey Stage | Maximum distance and maximum coverage angle at the near end.
Number of Connected Nodes Risk | Preferably at On-Site Survey Stage; if not possible, provide risk assessment | After network deployment, it is necessary to consider whether additional remote nodes will be added or if the traffic at existing remote nodes will change.
Co-Channel Interference Risk | The risk should be assessed during the on-site survey stage. | Near-end.
Hidden Node Risk | The risk should be assessed during the on-site survey stage. | Hidden nodes at the remote end.
RF Environment Risk | Verify during the on-site survey stage. | Remote node locations generally cannot be changed; interfering devices should be disabled.
Application Risk | Verify during the on-site survey stage; if verification is not possible, the risk should be mitigated during the trial operation phase. | Verify whether traffic demand is met.

7.3.4 Bridging Scenario Breakdown

7.3.4.1 Port and ship bridging
Ships cannot be connected to onshore equipment via network cables and must rely on wireless bridging to access the network.
For example, when a ship docks, it bridges with the onshore root bridge AP to ensure wireless coverage on the ship and forward other services through the bridge link.
Scene example: Cruise ship deck, outdoor open area, offshore platform, etc.
Scene characteristics:
Harsh conditions: lightning, rain, high temperature, low temperature
Distant signal: long-distance coverage, wireless bridging with the ship alongside
Solution:
Equipment in outdoor areas works in a harsh environment and must withstand heat, extreme cold, heavy rain, and lightning. In addition, if the installation process is too complex, equipment may not be mounted firmly in a cluttered environment, and poorly handled joints between components and materials can leave the wireless network unusable, increasing the daily maintenance workload and making troubleshooting harder. Therefore, use dedicated outdoor high-power wireless products with built-in antennas to reduce construction and daily maintenance difficulty, ensuring coverage within a 100-meter radius without obstacles and the ability to penetrate multiple obstacles at close range, which fully ensures signal coverage quality in outdoor areas. An IP67-rated enclosure provides resistance to lightning, rain, lake, and high and low temperatures, as well as flame retardancy.
Deploy the outdoor wireless coverage on the deck and at the high points of the ship, using omnidirectional or directional antennas. When selecting outdoor APs, also choose models with a wireless bridging function, so that when the cruise ship arrives in port it can establish a 5.8G bridge with the onshore outdoor AP and obtain a higher Internet transmission rate for crew communication.
Wired applications are connected downstream of the LAN2 port of the ship's non-root bridge, which requires cabling work. Cabling on a ship must take aesthetics and concealment into account; running the cables in casing along the corridors is recommended.

8. Post-implementation Work

8.1 Deployment Solution Testing
Local APs are brought online and tested according to the deployment plan, and empirical values of deployment parameters are output, which are used in subsequent implementations for configuration.
1. Test wireless signal strength
Conduct a signal strength test at the farthest location from the AP to confirm that the signal strength is not lower than the signal strength indicator. Higher signal strength is not always better: the target at the farthest point from the AP is the signal strength indicator +10 dB. If the signal strength there is greater than the signal strength indicator +10 dB, it is recommended to reduce the AP transmit power until it equals the signal strength indicator +10 dB.
2. Single-user experience test
Determine the rate limit for wireless users from the previously collected user application types, then test single-user application use with the limit applied. If use is smooth, this limit becomes the empirical rate-limit value for subsequent deployment. If use is slow or laggy, increase the limit by 10% at a time until the user reports smooth use.
3. Common wireless optimization
The wireless network usually needs to be optimized and adjusted, such as turning off the low-rate set and adjusting the access threshold. For details of how to adjust, refer to the chapter on network optimization case configuration and wireless optimization.
4. Multi-user experience testing
Based on customer distribution and density, confirm the number of users a single AP needs to carry and the user limit for the AP (recommended number of users less than or equal to 5M / speed limit bandwidth). Coordinate with customers to conduct a multi-user test that simulates real use, with the number of users as close as possible to the peak limit. If use is smooth, this user limit becomes the empirical value for this wireless RF environment. If users experience stalls and slowness, lower the user limit until use is smooth. If only some network cards are slow, optimization adjustments can be made to the terminal itself (such as disabling power saving mode, lowering the roaming sensitivity, or setting the transmission power to the maximum).
5. Customer wireless network trial test
Encourage customers to use the wireless network as much as possible, and provide targeted solutions and optimization for the problems collected during the trial.

8.2 Basic Information Check
1. Check AC/AP software version
On the AC, use show version to check the AC version and show version all to check the AP versions. Ensure that the AC and AP versions are consistent. Version mismatches may cause issues such as wireless clients being unable to associate or authentication failures. Refer to the Software Version Upgrade section for upgrade procedures.
2. Check whether the number of APs online is consistent with the actual number
On the AC, you can check the number of online APs using the show ap-config summary command. If the displayed number does not match the actual number of deployed APs, the cause of AP disconnections should be investigated. For troubleshooting steps, refer to 05 Wireless Unified Function Configuration Guide → 02 Wireless Lightweight AP Configuration → CAPWAP Tunnel Technology Principles and Common Issues & Faults.
3. Check whether the AP is named correctly
On the AC, you can view AP names using the show ap-config summary command. By default, APs are named using their MAC addresses. If an AP has not been correctly named, it needs to be renamed. The reference configuration is as follows:
AC-1(config)#ap-config 649d.99d0.e226
AC-1(config-ap)#ap-name 1-AP-3
4. Check whether the AP channel is consistent with the planning
On the AC, you can view the operating channel of APs using the show ap-config summary command. If an AP's channel does not match the planned configuration, it needs to be adjusted. The reference configuration is as follows:
AC-1(config)#ap-config 1-AP-3
AC-1(config-ap)#channel 1 radio 11
5. Check whether VLAN pruning is performed on the switch and AC
On the AC and switch, use the show interfaces switchport command to check whether the physical interfaces on the AC and switch are VLAN-trimmed. If VLAN trimming has not been configured on the switch or AC, configuration adjustments are required. The reference configuration is as follows:
AC-1(config)# interface gigabitEthernet 0/7
AC-1(config-if-GigabitEthernet 0/7)# switchport mode trunk
AC-1(config-if-GigabitEthernet 0/7)# switchport trunk allowed vlan remove 1-9,11-19,21-29,31-4094 // Only allow VLANs 10, 20, and 30
6. Check CPU utilization
Use the show cpu command to check CPU utilization, based on the 5-minute average. CPU usage varies across different AC models under idle conditions. As long as CPU utilization remains below 80%, the device will operate normally.
7. Check memory utilization
Use show memory on the AC to check memory utilization. Memory utilization varies across different AC models under idle conditions. As long as memory utilization remains within 80%, normal operation of the device is not affected.
8. Check whether the time of AC is correct
Use show clock on the AC to check whether the time is accurate.
If the time is not accurate, adjust it with the following command:
FS# clock set 17:48:00 5 24 2023 // May 24, 2023, 17:48

8.3 RF Environmental Inspection
1. Check whether the signal meets the coverage
Perform a wireless scan using WirelessMon at the farthest coverage point from the AP. The wireless signal strength must be greater than or equal to (signal strength threshold + 10 dB). If this value cannot be reached, it may affect the user experience, and power adjustments or AP deployment modifications (such as repositioning the AP) are required.
2. Check if there is a rogue AP
Use WirelessMon to perform a wireless scan and check for unauthorized wireless hotspots. If any are detected, it is recommended to coordinate with the customer to disable them. If they cannot be disabled, adjust the channels to avoid interference.
3. Check whether there are external interference sources
In addition to interference from WLANs, special attention should be paid to non-WLAN interference sources, such as microwave ovens, medical devices, and communication base stations. On-site inspection is recommended. For AP220-E 1.x or AP620H v1.x, you can log in to the AP and use the show dot11 wireless 1/0 command to check the noise floor. Under normal conditions, the noise floor should be below -87 dBm. If the noise floor is high, as shown in the illustration, the interference source must be eliminated, for example, by turning it off or relocating it.
4. Check whether there is interference with the same frequency
Use WirelessMon to perform a wireless scan and check for co-channel interference. It is recommended that the signal strength between APs on the same channel should not exceed -75 dBm. Figure 1 illustrates a case of severe interference, where channel re-planning and disabling external APs are required.
Note: If a single AP is broadcasting multiple signals, it can also cause interference.
Log in to the AP and use the show dot11 mbssid command to confirm whether the signals are all coming from the same AP.
Figure 1: Co-frequency interference
Figure 2: Multiple signals from the same RF card

9. Common Show Commands and Attachments for Wireless Products

9.1 Show Commands
1. View basic information such as device model, version, serial number, MAC, SNC, runtime, etc.: show version
2. Check the device configuration
Use show running-config on the AC to view the AC configuration.
Use show ap-config running on the AC to view the AP configuration.
3. Check CPU utilization
Check CPU usage using the show cpu command, based on the 5-minute average. CPU utilization varies across different AC models under idle conditions. As long as CPU usage remains below 80%, the device will operate normally.
4. Check memory utilization
Use show memory on the AC to check memory utilization. Memory usage varies across different AC models under idle conditions. As long as memory utilization remains below 80%, the device will operate normally.
5. Check device online time
On the AC, use show version to check whether the device uptime matches the actual duration. If it does not match, the device may have been restarted.
6. Check AP working status and online quantity
On the AC, use show ap-config summary to view the following AP information: number of online APs, AP names, AP IP addresses, AP MAC addresses, AP radio status, number of connected clients, AP radio operating channels, AP radio transmit power, and AP uptime.
7. Check the online status of wireless users
On the AC, use show ac-config client to view the following information for wireless clients: total number of online users, client MAC addresses, client IP addresses, the AP each client is associated with, the VLAN each client belongs to, the SSID each client is connected to, the current association rate of each client, the type of authentication used by each client, and the online duration of each client.
8. View wireless user signal strength
Log in to the AP and use show dot11 associations all-client to view wireless clients' signal strength, association rates, and association duration.
Note: RSSI refers to the received signal strength, ranging from 0 to 100. The actual wireless client signal strength is calculated as RSSI minus 95. For example, if the configured value is 25, the corresponding client signal strength is 25 – 95 = –70 dBm.
9. View wireless user authentication and encryption type
Log in to the AC and use show wclient security to view the authentication and encryption types of wireless clients.
10. Check if the AC time is consistent with the actual
On the AC, use show clock to verify whether the time is accurate.
If the time is incorrect, adjust it using the following command:
FS#clock set 11:31:51 5 24 2023
11. Check the device's IP address: show ip interface brief
12. Check the device interface status: show interfaces status
13. Check interface traffic: show interfaces counters rate
14. Check interface broadcast multicast traffic: show interfaces counters summary
15. Check the DHCP distribution list: show ip dhcp binding
16. Check the DHCP snooping table entries: show ip dhcp snooping binding
17. Check the device's MAC address table: show mac-address-table
18. Check the device ARP information: show arp
After using show arp, you can append an IP address or MAC address to view ARP information for a specific IP or MAC.
19. View log: show log
20. Check the flash file: FS#dir
Use dir to view the files currently on the flash. To view the content of a file, use: FS# more xx.text (where xx.text is the file name and extension displayed by the dir command).
21. Check whether the device's web, snmp, telnet, and ssh functions are on: show service
22. Check the routing table: show ip route
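
The VLAN pruning check in item 5 of section 8.2 can be scripted. The following is an added example, not part of the FS guide: it derives the argument for switchport trunk allowed vlan remove from the planned VLANs and compares a trunk's allowed-VLAN list with the plan. The function names and the sample allowed lists are assumptions constructed for illustration; the allowed list is expected in the same a-b,c form the guide uses.

```python
"""Added example: build and audit the VLAN pruning list for a trunk port."""

VLAN_MIN, VLAN_MAX = 1, 4094  # VLAN ID range used by the guide's remove list


def parse_vlan_list(text):
    """Parse a list such as '1-9,11-19,31-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Collapse a set of VLAN IDs into the compact 'a-b,c' form."""
    ranges = []
    for v in sorted(vlans):
        if ranges and v == ranges[-1][1] + 1:
            ranges[-1][1] = v          # extend the current run
        else:
            ranges.append([v, v])      # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def removal_list(planned):
    """Return the VLAN list to remove so that only the planned VLANs remain."""
    planned = set(planned)
    bad = sorted(v for v in planned if not VLAN_MIN <= v <= VLAN_MAX)
    if bad:
        raise ValueError(f"planned VLANs out of range: {bad}")
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    return format_vlan_list(everything - planned)


def audit_trunk(allowed_text, planned):
    """Compare a trunk's allowed-VLAN list with the deployment plan."""
    allowed = parse_vlan_list(allowed_text)
    planned = set(planned)
    return {
        "excess": format_vlan_list(allowed - planned),   # still needs pruning
        "missing": format_vlan_list(planned - allowed),  # planned but not carried
        "pruned": allowed == planned,
    }


if __name__ == "__main__":
    plan = {10, 20, 30}  # the service VLANs from the guide's reference configuration
    print("remove:", removal_list(plan))
    # Constructed sample inputs: an unpruned trunk and a correctly pruned one.
    for allowed in ("1-4094", "10,20,30", "10,20"):
        print(allowed, "->", audit_trunk(allowed, plan))
```

For the plan of VLANs 10, 20, and 30, removal_list reproduces the remove argument shown in the reference configuration, and any non-empty excess value marks a trunk that still carries VLANs outside the plan.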

Airware, AC, AmpCon-Campus Management Platform Comparison

31-10-2025 - Airware, AC, AmpCon-Campus Management Platform Comparison

1. Product Introduction

1.1 AmpCon-Campus
AmpCon-Campus is a management platform specifically designed for PicOS® enterprise-grade switches and wireless access points, providing automated zero-touch provisioning (ZTP), real-time telemetry monitoring, topology discovery, and lifecycle management. The platform is managed through a web interface and can be deployed on virtual machines (VMs) or Docker in data centers or on the cloud, supporting remote operations and large-scale expansion with the ability to manage thousands of devices simultaneously. Automated configuration and policy enforcement simplify routine operations, reduce manual intervention and downtime risks, enabling enterprises to efficiently and securely deploy, orchestrate, and manage highly available networks with ease of scalability.
Key Features:
1. Full Lifecycle Management
From Day 0 deployment to Day 2+ operations, covering the complete lifecycle management of PicOS® switches and access points.
Zero-Touch Provisioning (ZTP) combined with centralized automated operations reduces on-site configuration workload.
2. Automation and Large-Scale Deployment
Achieve rapid bulk deployment through custom templates and configurations.
Achieve agentless automation operations based on pre-configured Ansible playbooks and workflows.
Support unified management of large-scale switches and access points across multiple regions.
3. Efficient Monitoring and Maintenance
Precisely monitor network status through real-time telemetry and network topology visualization.
Provide centralized operations and maintenance tools to enhance troubleshooting and maintenance efficiency.
4. Flexible Deployment Architecture
Runs on multiple environments including Docker, KVM, VMware, and Nutanix AHV.
Support on-premises private deployment to accommodate diverse scale and scenario requirements.

1.2 Wireless Controllers
Wireless controller is a centralized WLAN management platform designed for campuses, branch offices, and enterprise scenarios, capable of centrally managing hundreds of access points and enabling integrated access for both wired and wireless users. It is suitable for building campus networks, enterprise office networks, wireless metropolitan area networks, and hotspot coverage networks. It supports seamless handover for wireless users during cross-region roaming, ensuring session security and integrity throughout mobility, and fully meeting the data interaction and smooth communication requirements of Wi-Fi voice services.
Key Features:
1. Smart Wireless Experience
Smart Device Recognition: The built-in Portal automatically identifies terminal types, eliminating interface compatibility issues and enhancing user experience.
Fair Scheduling: Multi-standard terminals receive equal access time, reducing high latency, low speeds, and performance degradation.
Load Balancing: Distributes traffic based on user count and volume to balance AP load, enhancing QoS and overall availability.
2. High Performance and Reliability
Flexible Architecture: Centralized or distributed intelligent switching without requiring modification to the existing network architecture.
Intelligent RF Management: Automatically scans frequency bands and channels to identify unauthorized access points and interference sources.
Seamless Roaming: Cluster technology synchronizes user information to enable L2/L3 roaming without interruption, ensuring uninterrupted voice and data services.
Enhanced QoS Policies: Multi-dimensional bandwidth management and application priority control ensure critical business operations.
IPv6 Support: Full IPv6 access and forwarding, compatible with IPv4/IPv6 dual-stack applications.
DPI Application Identification: Application traffic identification and QoS mapping based on deep packet inspection, ensuring priority for core business traffic.
3. Safety and Protection
Multi-factor authentication: Supports local users, web authentication, and 802.1X, combined with IP/MAC/WLAN binding to ensure legitimate access.
Encryption and Isolation: Supports WPA/WPA2/WPA3, AES/TKIP, VLAN/SSID isolation, and virtual AP technology.
Virtual AC: Multiple ACs can be virtually consolidated into a single logical AC, supporting millisecond-level failover for high availability without interruption.
Rogue AP Defense: Real-time detection and isolation of unauthorized access points and radio frequency interference.
Attack Protection: Defends against ARP spoofing, DHCP snooping, and virus attacks to enhance overall network security.
Security Management: SSH and SNMPv3 encrypted management, access control based on source IP.
4. Unified Network Management
Web Interface Management: Simplify configuration, provide a unified view of network-wide operational status, and centrally manage access points and users.
Visualized Operations and Maintenance: Intuitive monitoring of traffic, bandwidth, and users to support network planning.
Integrated Wired and Wireless: Unified bandwidth control and access restrictions simplify enterprise IT management.

1.3 Airware
Airware Cloud Platform provides full lifecycle network management, delivering intelligent support from planning and deployment to operations and maintenance, with capabilities for remote rapid delivery and efficient O&M. The platform is compatible with protocols such as NetConf, TR069, and MQTT, enabling unified management of switches, APs, ACs, and gateways across wide-area networks. It supports configuration delivery, upgrades, backup and recovery, and automatically discovers topology, enabling comprehensive cloud connectivity across people, sites, networks, and endpoints.
Key Features:
1. Full Lifecycle Services
Full-process management: From planning, deployment, and acceptance to operations and maintenance, we provide digital and intelligent tools to enhance efficiency and reduce costs.
Unified Network Control: Supports multi-device and multi-protocol management, enabling remote configuration deployment, upgrades, reboots, and backups.
2. Architecture and Management
Unified Management: Enables unified remote management across regions and centralized control across multiple sites, enhancing operational efficiency.
Elastic Scaling: Cloud-native architecture supports managing millions of devices without hardware limitations.
Anytime O&M: Remote operations across the Internet and mobile devices without the need for on-site IT support.
3. Intelligent Operations and Maintenance
Proactive Prevention: Real-time monitoring of anomalies, early detection of risks, and minimization of fault impact.
Data Intelligence: Optimizes access, authentication, traffic, and coverage strategies using big data to reduce human error.
Closed-loop Experience: Analyze signals, connectivity, and data traffic from a user experience perspective to automatically optimize network performance.
4. Data Visualization and Failure Analysis
24/7 Real-time Monitoring: Visualize multi-dimensional terminal and network data to pinpoint faults with precision.
Rapid Response: Comprehensive operational logs and expert mode support enhance troubleshooting efficiency and reduce operational costs.

2. Overall Comparison

Summary of Management Approaches
Features compared for: AmpCon-Campus / AC (Wireless Controller) / Airware

Definition
AmpCon-Campus: AmpCon-Campus is a locally deployed network management system operated by enterprises themselves, capable of managing both wired and wireless devices simultaneously.
AC (Wireless Controller): AC is a hardware-based wireless control device primarily used for centralized control and management of access points (APs).
Airware: Airware is a network management platform based on the public cloud, enabling users to remotely manage devices centrally via the Internet.

Deployment Location
AmpCon-Campus: Enterprise local servers or private cloud
AC (Wireless Controller): Within the enterprise's local network environment, such as campus data centers and corporate headquarters data centers.
Airware: Public cloud (maintained by FS, currently deployed on AWS public cloud)

Management Method
AmpCon-Campus: Access the network management system via the internal network for centralized management
AC (Wireless Controller): Configure access points, adjust wireless parameters, upgrade firmware, and manage terminal access control via AC
Airware: Access the cloud platform via web login for centralized management

Managed Devices
AmpCon-Campus: PicOS® APs/Switches, etc
AC (Wireless Controller): APs
Airware: APs/Switches/Gateways, etc

Functionality
AmpCon-Campus: Feature-rich
AC (Wireless Controller): Feature-rich
Airware: Moderate Functionality

Data Security
AmpCon-Campus: High (Local Control)
AC (Wireless Controller): High (Local Control)
Airware: Moderate

Applicable Scenarios
AmpCon-Campus: Suitable for high-security compliance industries such as government, finance, and healthcare, as well as large and medium-sized enterprise clients with robust IT teams and stringent requirements for network control, data security, and system autonomy and controllability.
AC (Wireless Controller): Single campuses, campus networks, corporate headquarters, and other environments with high requirements for data security and real-time control.
Airware: Enterprises with extensive chains and branch networks, companies operating across multiple cities or countries, and small and medium-sized businesses with limited IT operations capabilities.

Advantages
AmpCon-Campus: Data and control are entirely managed locally, ensuring high security and controllability. Network management is more stable without reliance on public networks. Support simultaneous management of wired and wireless devices, offering comprehensive platform functionality.
AC (Wireless Controller): Control is entirely local, with no reliance on external networks for data. Policy deployment and configuration changes are highly responsive in real time.
Airware: Deployment is simple and requires no additional hardware or local servers. Support unified management across regions and branches.

3. Function Comparison
Each feature is followed by its instruction and its support on AmpCon-Campus | AC-1004 | AC-224AP | AC-7072 | Airware.

Full Lifecycle Equipment Management
Automatic Discovery and Provisioning: The system automatically scans new devices on the network, completing registration, management enrollment, and status monitoring without requiring manual configuration for each device, thereby enhancing deployment efficiency.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware -
ZTP and Batch Configuration: The device automatically obtains IP and platform addresses through zero-touch provisioning (ZTP), enabling bulk configuration deployment for rapid, unattended setup. This solution is ideal for multi-batch distributed network scenarios.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
Firmware Upgrade Management: Support remote firmware upgrades for devices, automatically distributing update packages to ensure devices always run the latest stable version, thereby reducing manual maintenance costs.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅

Wireless Access and Roaming
Seamless Roaming: Support cross-AP and cross-AC roaming, ensuring fast client handover and enhancing the connectivity experience for mobile terminals, making it suitable for high-density scenarios.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
Smart Recognition Terminal: Automatically optimize the access experience based on terminal type, traffic demand, and performance characteristics to enhance network performance across different devices.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
Fair Scheduling: Ensure equitable access for multi-protocol, multi-rate terminals and prevent low-speed devices from slowing down overall network performance.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
Load Balancing: Intelligently allocate resources based on user count, traffic volume, and AP load to enhance QoS and ensure network stability in high-density scenarios.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
SSID Scheduled Switch: RF or SSID can be scheduled to turn on or off to achieve energy savings, simplify management, or meet security policy requirements.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP - | AC-7072 - | Airware -

Radio Frequency Management
Automatic Power/Channel Adjustment: Dynamically optimize AP coverage and channel allocation to avoid interference and enhance wireless network quality.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
RF Optimization: Analyze signal strength and interference conditions to optimize the user experience for weak signal access and enhance terminal connection stability.
  AmpCon-Campus ✅ | AC-1004 - | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
Interference Detection and Avoidance: Support spectrum scanning, interference detection, and DFS intelligent avoidance to minimize the impact of high-frequency interference on the network.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅

QoS and Traffic Management
Multi-dimensional Bandwidth Management: Support AP and SSID rate limiting as well as user-level rate limiting, enabling tiered service assurance and granular traffic control.
  AmpCon-Campus - | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅

Safety Mechanism
User Authentication: Support multiple authentication methods including OWE, PSK, MPSK, 802.1X, and Portal, enabling tiered management for employees, visitors, and third-party devices.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
Encryption Method: Provide WPA/WPA2/WPA3, AES/TKIP, and TLS encryption to ensure secure data transmission.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
Blacklist and Whitelist: Support global or SSID-level blacklists and whitelists to implement access control policies.
  AmpCon-Campus ✅ | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅
Rogue AP Protection: Automatically detect and isolate unauthorized access points to prevent wireless attacks and potential security risks.
  AmpCon-Campus - | AC-1004 ✅ | AC-224AP ✅ | AC-7072 ✅ | Airware ✅

System Reliability
AC Virtualization: Multiple AC logics integrated into one, enabling centralized management and efficient resource utilization during large-scale deployments.
  AmpCon-Campus - | AC-1004 - | AC-224AP ✅ | AC-7072 ✅ | Airware -
Redundancy and Clustering: Support N:N or N:1 clustering with millisecond-level failover, enhancing network high availability and fault tolerance.
  AmpCon-Campus ✅ | AC-1004 - | AC-224AP ✅ | AC-7072 ✅ | Airware -

Permissions and Compliance
Fine-grained Permission Control: Support hierarchical management of administrator and regular user permissions to ensure network configuration security.
  AmpCon-Campus ✅ | AC-1004 - | AC-224AP - | AC-7072 - | Airware ✅
Data Security and Compliance: All logs and configurations can be stored locally, supporting offline scenarios and meeting compliance requirements.
  AmpCon-Campus ✅ | AC-1004 - | AC-224AP - | AC-7072 - | Airware -
Offline Operation Support: Capable of stable operation in closed-loop network environments, suitable for high-security scenarios such as government, energy, and industrial control.
  AmpCon-Campus ✅ | AC-1004 - | AC-224AP - | AC-7072 - | Airware -


Airware-Based Centralized Management of Enterprise Wireless Networks – Typical Scenario Deployment Manual

25-06-2025 - For details, please click the attachment icon below to view or download for a good reading experience or resources.

L3 Switch S5860-20SQ L3 Switch https://www.fs.com/products/108710.html
L2 Switch S3410-24TS-P L2 Switch https://www.fs.com/products/108718.html
AP AP-N505 AP https://www.fs.com/products/149656


AP-N505 Access Point Datasheet

31-03-2025 - For details, please click the attachment icon below to view or download for a good reading experience or resources.


SMB Office Network Solution Typical Scenario Deployment Manual

31-03-2025 - For details, please click the attachment icon below to view or download for a good reading experience or resources.

L3 Switch S3270-48TM L3 Switch https://www.fs.com/products/166610.html
L2 Switch S3100-16TMS-P L2 Switch https://www.fs.com/products/160710.html
AP AP-N505 AP https://www.fs.com/products/149656


AP FSOS Software Upgrade Guide

27-03-2025 - AP FSOS Software Upgrade Guide

Models: AP-N755; AP-N635; AP-N515; AP-N505; AP-N515H; AP-T565; AP-T567

Upgrade Considerations:

Before upgrading, prepare a console cable and ensure it is functioning properly. In case of an upgrade failure, the console must be used for recovery.

The device will reboot during the upgrade, causing a temporary service interruption. Please schedule the upgrade during off-peak hours when the wireless network can be interrupted.

【Recommended】Web-Based Upgrade Method

1. Log in to the device's web management page and perform a configuration backup as a precaution. For APs, the config.text file needs to be backed up. Click Maintenance → Settings → Backup & Restore → Backup, select Export Current Settings, and save the file to your local computer.

2. Click Maintenance → Settings → Local Upgrade.

3. Click Browse and select the software version file stored on your computer.

4. After selecting the file, click Upgrade.

5. After that, a progress bar will appear along with a message indicating that the device is restarting. This process will take approximately 2-3 minutes, so please be patient.

6. After approximately 2-3 minutes, the device will display the message "Main program upgrade succeeded," and the page will automatically refresh. Click Monitoring → Dashboard to check the current version.

Command-Line Upgrade Method

1. Use a console cable or other login methods to access the device and back up the configuration files.

    FS#copy flash:config.text tftp://192.168.1.100/config.text --->Back up the device configuration file to a computer with the IP address 192.168.1.100.

2. Ensure the computer and the device are connected. Place the .bin file and the TFTP tool in the same folder, then launch the TFTP tool.

3. Upgrade the AP. Once the .bin file is successfully imported, the device will automatically reboot.

    FS#upgrade download tftp://192.168.1.100/AP_FSOS11.9(6)W3S4T1_S1X2-03_11200218_install-AP-N505.bin ---> Use the file named "AP_FSOS11.9(6)W3S4T1_S1X2-03_11200218_install-AP-N505.bin" on the computer with IP 192.168.1.100 as the AP's main program.
    Upgrade the device must be auto-reset after finish, are you sure upgrading now?[Y/n]y
    % Copy to /tmp/vsd/0/AP_FSOS11.9(6)W3S4T1_S1X2-03_11200218_install-AP-N505.bin
    Please wait for a moment......
    Press Ctrl+C to quit
    !!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!.!!!
    Begin to upgrade the install package AP_FSOS11.9(6)W3S4T1_S1X2-03_11200218_install-AP-N505.bin... --->The device will automatically reboot to prepare for the upgrade.

4. After a successful reboot, check if the device has been upgraded to the target version.

    FS#show version
    System description : FS AP-N505 (802.11a/n/ac/ax and 802.11b/g/n/ax) By FS.COM
    System start time : 1970-01-01 00:00:00
    System uptime : 0:00:05:48
    System hardware version : 1.00
    System software version : AP_FSOS 11.9(6)W3S4T1, Release(11200218)
    System patch number : NA
    System serial number : ZARC0C6006375
    System boot version : 1.0.4

5. If the upgrade fails, please check whether the .bin file is correct. You can refer to the release notes for guidance.

Boot Upgrade Method

This software upgrade method for wireless devices is generally used when the device's main program is lost; it requires a console cable.

Operation Steps:

1. Ensure the computer and device are connected. Use a console cable to log in to the device and place the .bin file and TFTP tool in the same directory, then open the TFTP tool.

2. Restart the wireless device. Follow the prompts to press Ctrl and continuously press C to enter the ROM layer, then select "0".

    Press Ctrl+C to enter Boot Me 0
    Entering simple UI....
    ====== BootLoader Menu("Ctrl+Z" to upper level) ======
    TOP menu items.
    0.Tftp utilities.
    1.XModem utilities.
    2.Run main.
    3.SetMac utilities.
    4.Scattered utilities.
    Press a key to run the command: 0

3. Then select option "1" and follow the subsequent steps to complete the upgrade.

    ====== BootLoader Menu("Ctrl+Z" to upper level) ======
    Tftp utilities.
    0.Upgrade bootloader.
    1.Upgrade kernel and rootfs by install package.
    2.Down to memory and jump to run.
    Press a key to run the command: 1
    Plz enter the Local IP:[]:192.168.1.1 ----->Assign a temporary IP address to the AP.
    Plz enter the Remote IP:[]: 192.168.1.100----->The IP address of the computer.
    Plz enter the Filename:[]: AP_FSOS11.9(6)W3S4T1_S1X2-03_11200218_install-AP-N505.bin ----->The filename of the .bin file on the computer.
    Erasing NAND...
    Erasing at 0x5e0000 -- 100% complete.
    Writing to NAND... OK
    Auto-update from TFTP: trying update file 'AP_FSOS11.9(6)W3S4T1_S1X2-03_11200218_install-AP-N505.bin'
    eth0 up Speed :1000 Full duplex
    Using eth0 device
    TFTP from server 192.168.1.100; our IP address is 192.168.1.1
    Filename 'AP_FSOS11.9(6)W3S4T1_S1X2-03_11200218_install-AP-N505.bin'.
    Load address: 0x44000000
    Loading: * Got TFTP_OACK: TFTP remote port: changes from 69 to 63135
    #################################################################
    #################################################################
    ----->Start transferring the file, omitting intermediate steps.
    done----->File transfer successful.
    Bytes transferred = 32069264 (1e95690 hex)
    Uncompressing 0x1e94e23@0x4400086d to 0x2105c6c@0x45e95690
    Uncompressed 0x2105c6c bytes
    Get boot addr 0x0,len 0x0; kernel addr 0x460164b4,len 0x242800; rootfs addr 0x46258d30, len 0x1b00000
    Package information:
    kernel version:4.4.60.90deb5585c59ea
    kernel target :ap-n505
    rootfs version:1.0.0.1630f57f
    rootfs target :ap-n505
    package upgrade version:2.0
    package upgrade support:2.0
    Determined to upgrade? [Y/N]: y ----->Select y.
    Upgrading, keep power on and wait please ...
    Erasing SPI flash...Writing to SPI flash...done
    upgrade kernel...
    upgrade rootfs... ----->This status will last for about 1 minute. Please be patient.
    ----->The intermediate logs are omitted.
    UBIFS: reserved for root: 0 bytes (0 KiB)
    SUCCESS: UPGRADING OK.----->The upgrade is successful, and the boot menu will be returned.
    ====== BootLoader Menu("Ctrl+Z" to upper level) ======
    Tftp utilities.
    0.Upgrade bootloader.
    1.Upgrade kernel and rootfs by install package.
    2.Down to memory and jump to run.
    Press a key to run the command: ----->Press Ctrl + Z to return to the previous menu.
    ====== BootLoader Menu("Ctrl+Z" to upper level) ======
    TOP menu items.
    0.Tftp utilities.
    1.XModem utilities.
    2.Run main.
    3.SetMac utilities.
    4.Scattered utilities.
    Press a key to run the command: 2 ----->Select 2 to load the main program.
    ----->The intermediate logs are omitted.
    adding user rgosm...
    adding user guest...
    adding user sslvpn...
    adding user postgres...
    *Jan 1 00:00:11: %RG_SYSMON-5-WARMSTART: System warmstart. ----->Device started successfully.
    use software md5!
    FS>

4. Check if the device has been upgraded to the target version.

    FS#show version
    System description : FS AP-N505 (802.11a/n/ac/ax and 802.11b/g/n/ax) By FS.COM
    System start time : 1970-01-01 00:00:00
    System uptime : 0:00:05:48
    System hardware version : 1.00
    System software version : AP_FSOS 11.9(6)W3S4T1, Release(11200218)
    System patch number : NA
    System serial number : ZARC0C6006375
    System boot version : 1.0.4
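The final "check if the device has been upgraded to the target version" step can be automated from a workstation. The following is an added example, not part of the FS guide: it compares captured `show version` output with the install package name. The filename layout is an assumption inferred from the single package name shown in the guide, and the function names are hypothetical.

```python
import re

# Assumed filename layout, inferred from the one package name in the guide:
#   AP_FSOS<version>_<build tag>_<release>_install-<model>.bin
PACKAGE_RE = re.compile(
    r"^AP_FSOS(?P<version>[^_]+)_.+_(?P<release>\d+)_install-(?P<model>[\w-]+)\.bin$")
RUNNING_RE = re.compile(r"AP_FSOS\s+(?P<version>\S+),\s*Release\((?P<release>\d+)\)")

# Sample input: lines taken from the `show version` output in the guide.
SHOW_VERSION = """\
System description : FS AP-N505 (802.11a/n/ac/ax and 802.11b/g/n/ax) By FS.COM
System hardware version : 1.00
System software version : AP_FSOS 11.9(6)W3S4T1, Release(11200218)
System boot version : 1.0.4
"""
PACKAGE = "AP_FSOS11.9(6)W3S4T1_S1X2-03_11200218_install-AP-N505.bin"


def parse_show_version(text):
    """Split each 'name : value' line at the first colon."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def check_upgrade(package_name, show_version_text):
    """Return a list of mismatches; an empty list means the AP runs the package."""
    pkg = PACKAGE_RE.match(package_name)
    if not pkg:
        return [f"unrecognised package name: {package_name}"]
    fields = parse_show_version(show_version_text)
    problems = []
    # Whole-word match so that AP-N515 does not pass for AP-N515H.
    if pkg["model"] not in fields.get("System description", "").split():
        problems.append(f"model: package is for {pkg['model']}")
    running = RUNNING_RE.search(fields.get("System software version", ""))
    if not running:
        return problems + ["software version line missing or unparseable"]
    for key in ("version", "release"):
        if running[key] != pkg[key]:
            problems.append(f"{key}: running {running[key]}, package {pkg[key]}")
    return problems


if __name__ == "__main__":
    print(check_upgrade(PACKAGE, SHOW_VERSION) or "device runs the target version")
```

A non-empty result after the reboot means the AP is still on the old image or the package was built for a different model.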


Wi-Fi 6 Access Points Configuration Guide

29-10-2024 - For details, please click the attachment icon below to view or download for a good reading experience or resources.


AP-N505 Access Point FSOS 11.9(6)W3S4T1_S1X2-03_11200218 Software

21-10-2024 - For details, please click the attachment icon below to view or download for a good reading experience or resources.


Indoor & Outdoor Access Point FSOS 11.9(6)W3S4T1 Software Release Notes

21-10-2024 - For details, please click the attachment icon below to view or download for a good reading experience or resources.
