Contents
AC hierarchy operating mechanism
Configuring parameters for local AC and central AC communication on a local AC
Configuring access right management
Creating a location identifier
Assigning location identifiers
Display and maintenance commands for AC hierarchy
AC hierarchy configuration examples
Example: Configuring AC hierarchy
Example: Configuring access right management
Configuring AC hierarchy
About AC hierarchy
AC hierarchy provides a centralized management method for ACs that run the Comware 7 software version. This simplifies WLAN maintenance and improves WLAN expandability.
AC hierarchy architecture
An AC hierarchy network contains a central AC, local ACs, and APs. The central AC manages all local ACs, and local ACs provide network access to APs and process client traffic.
AC hierarchy uses the following tunnels for local AC and AP management:
· Tunnels between the central AC and local ACs—The central AC sends AP configuration over this tunnel to the local ACs, and the local ACs report AP and client information to the central AC.
· CAPWAP tunnels between local ACs and APs—Local ACs send AP configuration to the APs over this tunnel.
Figure 1 AC hierarchy architecture
AC hierarchy operating mechanism
Figure 2 AC hierarchy operating mechanism
As shown in Figure 2, AC hierarchy operates as follows:
1. Each local AC establishes a management tunnel with the central AC.
2. The AP sends a discovery request to the central AC.
3. The central AC sends a discovery response to the AP. The response contains the IP address of the local AC that has the lowest workload.
4. The AP sends a discovery request to the assigned local AC to establish a CAPWAP tunnel with the local AC.
During tunnel establishment, the local AC asks the central AC to validate the AP and establishes a tunnel with the AP only if the AP is valid. The AP is valid if the central AC has a manual AP configuration for the AP or auto AP is enabled on the central AC. For more information, see AP management in the configuration guide.
5. The local AC reports the AP up event to the central AC.
Data forwarding
In an AC hierarchy network, you can configure APs to perform data forwarding.
For more information about data forwarding, see WLAN access configuration in the configuration guide.
Roaming
In an AC hierarchy network, if the central AC is the authenticator, roaming entries are generated on both the central AC and the local AC. Then, the client can perform intra-local AC roaming.
For more information about the client authenticator, see WLAN authentication in the configuration guide. For more information about roaming, see WLAN roaming configuration in the configuration guide.
Access right management
Access right management allows you to assign different rights to administrators for the central AC and local ACs by configuring location identifiers for service templates, AP groups, and RRM holddown groups.
An administrator can view and manage only service templates, AP groups, or RRM holddown groups whose location identifiers are accessible to his or her user role from both the CLI and the Web interface. The super user named admin can manage all service templates, AP groups, and RRM holddown groups. The default location identifier default-location is accessible to all user roles and cannot be deleted.
Configuring parameters for local AC and central AC communication on a local AC
About this task
Perform this task to configure an AC as a local AC to establish a management tunnel with the specified central AC.
Restrictions and guidelines
You can specify a maximum of three IPv4 addresses and three IPv6 addresses of central ACs.
Procedure
1. Enter system view.
system-view
2. Enable local AC.
wlan local-ac enable
By default, local AC is disabled.
3. Specify a central AC for the local AC.
wlan central-ac { ip ipv4-address | ipv6 ipv6-address }
By default, no central AC is specified for a local AC.
4. Specify a VLAN that the local AC uses to establish a tunnel with the central AC.
wlan local-ac capwap source-vlan vlan-id
By default, a local AC uses VLAN 1 to establish a tunnel with the central AC.
Configuring access right management
Creating a location identifier
About this task
By default, the system-defined location identifier default-location exists and the identifier is assigned to all newly-created AP groups, RRM holddown groups, and service templates. The default location identifier is accessible to all user roles and cannot be deleted.
Restrictions and guidelines
You can create a maximum of 512 location identifiers.
Procedure
1. Enter system view.
system-view
2. Create a location identifier.
wlan location location-name
By default, the system-defined location identifier default-location exists.
Configuring user roles
Restrictions and guidelines
The assigned user role takes effect only after the default user role is deleted.
Deny the created user roles access to the write commands of the feature or feature group wlanglobalcfg.
Procedure
To configure user roles, first create user roles and specify location identifiers accessible to the user roles, and then assign user roles to users as the authorized user roles.
For more information about creating user roles and specifying location identifiers, see configuring RBAC in Fundamentals Configuration Guide for the switch. For more information about assigning user roles, see configuring AAA in Security Configuration Guide for the switch.
Assigning location identifiers
About this task
Perform this task to assign location identifiers to service templates, AP groups, or RRM holddown groups.
An administrator can view and manage only service templates, AP groups, or RRM holddown groups whose location identifiers are accessible to his or her user role from both the CLI and the Web interface.
Procedure
1. Enter system view.
system-view
2. Enter service template view, AP group view, or RRM holddown group view.
○ Enter service template view.
wlan service-template service-template-name
○ Enter AP group view.
wlan ap-group group-name
By default, the default AP group default-group exists.
○ Enter RRM holddown group view.
wlan rrm-calibration-group group-id
3. Assign a location identifier to the service template, AP group, or RRM holddown group.
location location-name
By default, the system-defined location identifier default-location is assigned to a service template, AP group, or RRM holddown group.
Display and maintenance commands for AC hierarchy
Execute display commands in any view.
Task | Command |
---|---|
Display the current AC role. | display wlan ac-role |
Display client information. | display wlan client distributed-sys [ verbose ] |
Display local AC information on the local AC. | display wlan local-ac |
AC hierarchy configuration examples
In an AC hierarchy network, the device can only act as a local AC.
Example: Configuring AC hierarchy
Network configuration
As shown in Figure 3, configure AC hierarchy to enable the central AC to perform client authentication and the local ACs to forward client traffic.
Procedure
1. Configure DHCP on local ACs to assign the central AC's IP address and APs' IP addresses to APs. (Details not shown.)
2. Configure the central AC:
# Create local AC localac1.
<CentralAC> system-view
[CentralAC] wlan local-ac name localac1 model S6520X
[CentralAC-wlan-local-ac-localac1] serial-id 210302A66AC123000050
[CentralAC-wlan-local-ac-localac1] quit
# Create local AC localac2.
[CentralAC] wlan local-ac name localac2 model S6520X
[CentralAC-wlan-local-ac-localac2] serial-id 210302A66AC124000060
[CentralAC-wlan-local-ac-localac2] quit
# Create manual AP ap1, and specify the AP model and serial ID.
[CentralAC] wlan ap ap1 model WA6320
[CentralAC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
# Enable AC rediscovery.
[CentralAC-wlan-ap-ap1] control-address enable
[CentralAC-wlan-ap-ap1] quit
# Create manual AP ap2, and specify the AP model and serial ID.
[CentralAC] wlan ap ap2 model WA4320H
[CentralAC-wlan-ap-ap2] serial-id 219801A0CNC125002328
# Enable AC rediscovery.
[CentralAC-wlan-ap-ap2] control-address enable
[CentralAC-wlan-ap-ap2] quit
# Create manual AP ap3, and specify the AP model and serial ID.
[CentralAC] wlan ap ap3 model WA4320H
[CentralAC-wlan-ap-ap3] serial-id 219801A0CNC125002327
# Enable AC rediscovery.
[CentralAC-wlan-ap-ap3] control-address enable
[CentralAC-wlan-ap-ap3] quit
# Create manual AP ap4, and specify the AP model and serial ID.
[CentralAC] wlan ap ap4 model WA4320H
[CentralAC-wlan-ap-ap4] serial-id 219801A0CNC125002326
# Enable AC rediscovery.
[CentralAC-wlan-ap-ap4] control-address enable
[CentralAC-wlan-ap-ap4] quit
# Create VLAN-interface 100 and assign an IP address to it.
[CentralAC] interface vlan-interface 100
[CentralAC-Vlan-interface100] ip address 1.1.1.1 24
[CentralAC-Vlan-interface100] quit
3. Configure local AC 1:
# Configure local AC 1 to use VLAN 100 to establish a tunnel with the central AC.
<LocalAC1> system-view
[LocalAC1] wlan local-ac capwap source-vlan 100
# Create VLAN-interface 100, and assign an IP address to it.
[LocalAC1] interface vlan-interface 100
[LocalAC1-Vlan-interface100] ip address 1.1.1.2 24
[LocalAC1-Vlan-interface100] quit
# Enable local AC.
[LocalAC1] wlan local-ac enable
# Specify a central AC for the local AC.
[LocalAC1] wlan central-ac ip 1.1.1.1
4. Configure local AC 2:
# Configure local AC 2 to use VLAN 100 to establish a tunnel with the central AC.
<LocalAC2> system-view
[LocalAC2] wlan local-ac capwap source-vlan 100
# Create VLAN-interface 100, and assign an IP address to it.
[LocalAC2] interface vlan-interface 100
[LocalAC2-Vlan-interface100] ip address 1.1.1.3 24
[LocalAC2-Vlan-interface100] quit
# Enable local AC.
[LocalAC2] wlan local-ac enable
# Specify a central AC for the local AC.
[LocalAC2] wlan central-ac ip 1.1.1.1
Verifying the configuration
# On the central AC, verify that each local AC has established a CAPWAP tunnel with the central AC.
[CentralAC] display wlan local-ac all
Total number of local ACs: 2
Total number of connected local ACs: 2
Local AC Information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run
AC name ACID State Model Serial ID
localac1 1 R S6520X 210302A66AC123000050
localac2 2 R S6520X 210302A66AC124000060
# On local AC 1, verify that local AC 1 has established a CAPWAP tunnel with the central AC.
[LocalAC1] display wlan local-ac
Local AC Information:
Model : S6520X
Serial ID : 210302A66AC123000050
MAC address : 5866-BA20-6E60
Local AC address : 1.1.1.2
H/W version : Ver.A
S/W version : c5419
Static central AC IPv4 address: 1.1.1.1
Static central AC IPv6 address: Not configured
Central AC Information:
Central AC address : 1.1.1.1
State : Run
Sent control packets : 6088
Received control packets : 6092
# On local AC 2, verify that local AC 2 has established a CAPWAP tunnel with the central AC. (Details not shown.)
# Verify that AP 1, AP 2, AP 3, and AP 4 have come online.
[CentralAC] display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected configured APs: 1
Total number of connected auto APs: 0
Total number of connected anchor APs: 0
Maximum supported APs: 3072
Remaining APs: 3071
Fit APs activated by license: 128
Remaining fit APs: 127
WTUs activated by license: 0
Remaining WTUs: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
ap1 1 R/M WA6320 219801A28N819CE0002T
Example: Configuring access right management
Network configuration
As shown in Figure 4, configure access right management to meet the following requirements:
· The administrators for local AC B and local AC C can manage the APs in areas B and C, respectively.
· The administrator for the central AC can manage all APs.
Procedure
1. Configure DHCP on the local ACs to assign the central AC's IP address and APs' IP addresses to the APs. (Details not shown.)
2. Configure the central AC:
# Enable the Telnet server and AAA authentication.
<CentralAC> system-view
[CentralAC] telnet server enable
[CentralAC] line vty 0 5
[CentralAC-line-vty0-5] authentication-mode scheme
[CentralAC-line-vty0-5] quit
# Create local AC localac-b, and specify the AC model and serial ID.
[CentralAC] wlan local-ac name localac-b model S6520X
[CentralAC-wlan-local-ac-localac-b] serial-id 210302A66AC123000050
[CentralAC-wlan-local-ac-localac-b] quit
# Create local AC localac-c, and specify the AC model and serial ID.
[CentralAC] wlan local-ac name localac-c model S6520X
[CentralAC-wlan-local-ac-localac-c] serial-id 210302A66AC123000051
[CentralAC-wlan-local-ac-localac-c] quit
# Create manual AP ap1, and specify the AP model and serial ID.
[CentralAC] wlan ap ap1 model WA6320
[CentralAC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
# Enable AC rediscovery.
[CentralAC-wlan-ap-ap1] control-address enable
[CentralAC-wlan-ap-ap1] quit
# Configure AP 2, AP 3, and AP 4 in the same way AP 1 is configured. (Details not shown.)
# Create VLAN-interface 100 and assign an IP address to it.
[CentralAC] interface vlan-interface 100
[CentralAC-Vlan-interface100] ip address 10.0.0.1 24
[CentralAC-Vlan-interface100] quit
# Create location identifiers areab and areac.
[CentralAC] wlan location areab
[CentralAC] wlan location areac
# Create user role b.
[CentralAC] role name b
# Configure an XML element rule and a Web menu rule.
[CentralAC-role-b] rule 1 permit read write execute xml-element
[CentralAC-role-b] rule 2 permit read write execute web-menu
# Configure location identifier areab to be accessible to user role b.
[CentralAC-role-b] location policy deny
[CentralAC-role-b-locationpolicy] permit location areab
[CentralAC-role-b-locationpolicy] quit
[CentralAC-role-b] quit
# Create user role c.
[CentralAC] role name c
# Configure an XML element rule and a Web menu rule.
[CentralAC-role-c] rule 1 permit read write execute xml-element
[CentralAC-role-c] rule 2 permit read write execute web-menu
# Configure location identifier areac to be accessible to user role c.
[CentralAC-role-c] location policy deny
[CentralAC-role-c-locationpolicy] permit location areac
[CentralAC-role-c-locationpolicy] quit
[CentralAC-role-c] quit
# Add local user admin.
[CentralAC] local-user admin
# Authorize user admin to use HTTP and HTTPS services.
[CentralAC-luser-manage-admin] service-type http https
[CentralAC-luser-manage-admin] quit
# Add local user b-admin.
[CentralAC] local-user b-admin
# Authorize user b-admin to use HTTP and HTTPS services.
[CentralAC-luser-manage-b-admin] service-type http https
# Configure a password for the user.
[CentralAC-luser-manage-b-admin] password simple 123456TESTplat&!
# Assign user role b to user b-admin as the authorized user role.
[CentralAC-luser-manage-b-admin] authorization-attribute user-role b
# Delete the default user role.
[CentralAC-luser-manage-b-admin] undo authorization-attribute user-role network-operator
[CentralAC-luser-manage-b-admin] quit
# Add local user c-admin.
[CentralAC] local-user c-admin
# Authorize user c-admin to use HTTP and HTTPS services.
[CentralAC-luser-manage-c-admin] service-type http https
# Configure a password for the user.
[CentralAC-luser-manage-c-admin] password simple 1234567TESTplat&!
# Assign user role c to user c-admin.
[CentralAC-luser-manage-c-admin] authorization-attribute user-role c
# Delete the default user role.
[CentralAC-luser-manage-c-admin] undo authorization-attribute user-role network-operator
[CentralAC-luser-manage-c-admin] quit
# Create AP group groupb, and add AP 1 and AP 2 to the AP group.
[CentralAC] wlan ap-group groupb
[CentralAC-wlan-ap-group-groupb] ap ap1 ap2
# Specify location identifier areab for the AP group.
[CentralAC-wlan-ap-group-groupb] location areab
[CentralAC-wlan-ap-group-groupb] quit
# Create AP group groupc, and add AP 3 and AP 4 to the AP group.
[CentralAC] wlan ap-group groupc
[CentralAC-wlan-ap-group-groupc] ap ap3 ap4
# Specify location identifier areac for the AP group.
[CentralAC-wlan-ap-group-groupc] location areac
[CentralAC-wlan-ap-group-groupc] quit
3. Configure local AC B:
# Configure local AC B to use VLAN 100 to establish a tunnel with the central AC.
<LocalAC-B> system-view
[LocalAC-B] wlan local-ac capwap source-vlan 100
# Create VLAN-interface 100, and assign an IP address to it.
[LocalAC-B] interface vlan-interface 100
[LocalAC-B-Vlan-interface100] ip address 10.0.0.2 24
[LocalAC-B-Vlan-interface100] quit
# Enable local AC.
[LocalAC-B] wlan local-ac enable
# Specify a central AC for the local AC.
[LocalAC-B] wlan central-ac ip 10.0.0.1
4. Configure local AC C:
# Configure local AC C to use VLAN 100 to establish a tunnel with the central AC.
<LocalAC-C> system-view
[LocalAC-C] wlan local-ac capwap source-vlan 100
# Create VLAN-interface 100, and assign an IP address to it.
[LocalAC-C] interface vlan-interface 100
[LocalAC-C-Vlan-interface100] ip address 10.0.0.3 24
[LocalAC-C-Vlan-interface100] quit
# Enable local AC.
[LocalAC-C] wlan local-ac enable
# Specify a central AC for the local AC.
[LocalAC-C] wlan central-ac ip 10.0.0.1
Verifying the configuration
# Use super username admin to log in to the central AC from the Web interface through Telnet.
# Verify that you can view and manage all APs.
Figure 5 Super user page view
# Use local username c-admin to log in to the central AC from the Web interface.
# Verify that you can view and manage only APs in area C.
Figure 6 User c-admin page view
# Use local username b-admin to log in to the central AC from the Web interface.
# Verify that you can view and manage only APs in area B.
Figure 7 User b-admin page view
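The following is an added example, not part of the vendor documentation. It audits a CLI session written in the prompt format of the access right management example for two conditions this guide states: an assigned user role that has not taken effect because the default user role network-operator was not deleted, and AP groups left on default-location, which is accessible to all user roles. The session text is constructed, groupd is a hypothetical AP group, and the script assumes a role can manage the AP groups whose location its location policy permits plus those on default-location.

```python
import re

# Constructed session in the page's prompt format. groupd is a hypothetical extra
# AP group, and c-admin deliberately lacks the "undo ... network-operator" step.
SESSION = """\
[CentralAC] role name b
[CentralAC-role-b] location policy deny
[CentralAC-role-b-locationpolicy] permit location areab
[CentralAC] role name c
[CentralAC-role-c] location policy deny
[CentralAC-role-c-locationpolicy] permit location areac
[CentralAC] local-user b-admin
[CentralAC-luser-manage-b-admin] authorization-attribute user-role b
[CentralAC-luser-manage-b-admin] undo authorization-attribute user-role network-operator
[CentralAC] local-user c-admin
[CentralAC-luser-manage-c-admin] authorization-attribute user-role c
[CentralAC] wlan ap-group groupb
[CentralAC-wlan-ap-group-groupb] location areab
[CentralAC] wlan ap-group groupc
[CentralAC-wlan-ap-group-groupc] location areac
[CentralAC] wlan ap-group groupd
"""

DEFAULT_ROLE, DEFAULT_LOC = "network-operator", "default-location"

def audit(session):
    """Return ({user: [manageable AP groups]}, [findings]) for a CLI session."""
    role_locs, user_roles, group_loc = {}, {}, {}
    for line in session.splitlines():
        m = re.match(r"\[(\S+)\]\s+(.+)", line.strip())
        if not m:
            continue
        view, words = m[1], m[2].split()
        if words[:1] == ["local-user"]:
            user_roles[words[1]] = {DEFAULT_ROLE}        # new users start with the default role
        elif words[:2] == ["wlan", "ap-group"]:
            group_loc.setdefault(words[2], DEFAULT_LOC)  # default until reassigned
        elif (v := re.search(r"-role-(.+)-locationpolicy$", view)) and words[:2] == ["permit", "location"]:
            role_locs.setdefault(v[1], set()).add(words[2])
        elif (v := re.search(r"-luser-manage-(.+)$", view)) and "user-role" in words:
            roles = user_roles.setdefault(v[1], {DEFAULT_ROLE})
            (roles.discard if words[0] == "undo" else roles.add)(words[-1])
        elif (v := re.search(r"-wlan-ap-group-(.+)$", view)) and words[0] == "location":
            group_loc[v[1]] = words[1]
    access, findings = {}, []
    for user, roles in sorted(user_roles.items()):
        if DEFAULT_ROLE in roles:
            findings.append(f"{user}: {DEFAULT_ROLE} not removed, assigned role not in effect")
            continue
        locs = set().union(*(role_locs.get(r, set()) for r in roles)) | {DEFAULT_LOC}
        access[user] = sorted(g for g, loc in group_loc.items() if loc in locs)
    findings += [f"{g}: on {DEFAULT_LOC}, accessible to all user roles"
                 for g, loc in sorted(group_loc.items()) if loc == DEFAULT_LOC]
    return access, findings
```

On the constructed session, `audit(SESSION)` reports that b-admin can manage groupb and groupd, and returns one finding for c-admin and one for groupd.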