Today I will explain an enterprise WLAN network, covering access points (AP), access controllers (AC), switches, and firewall configuration, as a complete enterprise project step by step with different traffic-flow scenarios.
Below are the targets:
- WLAN AC and AP operation, and the different modes
- Initialization of the Huawei access controller (AC6508)
- All AC configuration needed to bring all APs online toward the internet
- License activation on the Huawei AC6508
- Configuration on the switch side
- Basic configuration of the Huawei USG6500E firewall
- Topology (diagram below)
The above topology is an enterprise network design with one Huawei S5735 switch, one USG6500E firewall, and one AC6508. I show only two APs here to keep it understandable; there can be more.
First, let me summarize the communication between the access point (AP) and the access controller (AC) through the switch. There are two types of traffic between the APs, the AC, and the end-user stations (STAs).

Control channel or management traffic:
The first is control/management traffic, such as AP version upgrades, profile configuration, wireless parameter settings, SSID, etc. The AC manages all APs through this control channel.

Service traffic:
The second is service traffic, i.e. end-user mobiles or stations (STAs) using the internet.
For these two types of traffic between AP and AC, two VLANs need to be configured on the switch and on the AC: one for control/management and one for service.
Based on where the access controller (AC) is installed/connected in the network design, there are two modes:
- Inline mode
- Bypass mode
In inline mode, the actual service traffic passes through the AC; in bypass mode, the service traffic can be carried without passing through the AC. Keep reading, I will elaborate in detail in the section below.
From the perspective of service traffic forwarding, there are two modes:
- Direct forwarding
- Tunnel forwarding
As explained above, there are two types of communication: the control (CAPWAP tunnel) traffic and the service (internet) traffic. In tunnel forwarding mode, both control and service traffic pass through the one CAPWAP tunnel between AP and AC. In direct forwarding mode, the control traffic between AP and AC is carried separately in the CAPWAP tunnel, while the service traffic is forwarded separately, without the CAPWAP tunnel. The diagram below shows the traffic flow.
In the diagram below, "management packet" means control traffic and "data" means service traffic.
Now let me summarize and merge the above four mode concepts for practical implementation. Below are the different AC and AP designs in an enterprise network; which one to use depends on the actual requirements.
- Direct forwarding in inline mode
- Tunnel forwarding in inline mode
- Direct forwarding in bypass mode
- Tunnel forwarding in bypass mode
The screenshots below represent the above four modes.
Inline Mode:
Bypass Mode:
Next, let me elaborate on the practical implementation of the topology I used in my project, which was tunnel forwarding in bypass mode.
Note that all device configurations are listed at the end of the article; you can jump there if you only need the current configuration.
First, how to access the AC6508
The default management IP address of the Huawei AC6508 is 192.168.1.100/24. Assign any IP from the same subnet to your laptop, then enter the AC IP in the browser as shown below.
Enter the username and set the password on first login.
First go to Configuration → Config Wizard → AC.
Set the basic settings (AC name, country/region, date, and time) as required, then click Next.
Click the interface you want to configure; in my case I configure port Gi0/0/1 (ignore port 8 in green, it is not used in my case). Then fill in the default VLAN for the control channel, and add both the control and service VLANs as untagged, as discussed in detail above.
Then Apply → Next.
Create the VLANs for management/control and service; in my case I had already configured them through the CLI.
In the network interconnection configuration we can also configure a static route from the GUI, but I had already configured it through the CLI, as shown below.
Next is the AC backup configuration. As my scenario has only one AC6508, just click Next. If you need support on backup, write a comment and we will support you remotely.
The next step is the AC source configuration: select the source VLANIF interface for the control-channel communication between the AC and the APs.
In our project, VLAN 5 is for the control channel and VLAN 10 is for service.
Next.
These are the six steps of the AC configuration.
Next is the AP configuration to bring all APs online: click Continue with AP Online in the screenshot above, or go to the AP Online Config option from the Config Wizard.
In the AP part, we need to configure the AP group and add the APs' MAC addresses and serial numbers.
We can add them from the CLI as well, or the AC will detect them automatically.
To configure wireless parameters such as SSID, authentication, encryption algorithm, etc., go to Config Wizard → Wireless Services.
In my case the forwarding mode is Tunnel, as discussed in detail above, and the service VLAN for end-user STAs is 10.
Put the SSID Wi-Fi password in the Key section.
Bind the AP group created above and finish.
Go to AP Config and click Refresh to check that the AP status is online.
Now let me explain some important points about the DHCP server and the port configurations on the switch and firewall side.
Here the switch works as the DHCP server, and all port configurations for the topology below are listed.
Huawei Switch:
Both switch ports toward the APs have the same configuration; the important point is that under the interface the PVID must be the control VLAN 5.
Switch interface toward the access controller AC6508
Uplink interface connected to the firewall
DHCP configuration on the switch:
There are two types of DHCP pool: a global IP pool, and a pool under the interface subnet. We configured the second method.
The static route toward the firewall
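Because the switch-side screenshots are not reproduced here, below is an added CLI equivalent for the S5735 (example configuration written for this post, not the author's own config). Assumed values: AP ports Gi0/0/1-2, AC on Gi0/0/10, firewall uplink on Gi0/0/24 in VLAN 100, subnets 192.168.5.0/24 (control), 192.168.10.0/24 (service) and 192.168.100.0/24 (link to firewall).

```text
# Huawei S5735 switch (added example; interface numbers and subnets are assumed)
sysname SW-S5735
vlan batch 5 10 100            # 5 = AP control/CAPWAP, 10 = STA service, 100 = link to firewall
#
# Ports toward the APs. PVID must be the control VLAN 5 so the untagged CAPWAP
# frames from the AP land in VLAN 5. With tunnel forwarding the STA traffic
# rides inside CAPWAP, so only VLAN 5 is allowed here; for direct forwarding
# you would add VLAN 10 to allow-pass as well.
interface GigabitEthernet0/0/1
 description to-AP1
 port link-type trunk
 port trunk pvid vlan 5
 port trunk allow-pass vlan 5
interface GigabitEthernet0/0/2
 description to-AP2
 port link-type trunk
 port trunk pvid vlan 5
 port trunk allow-pass vlan 5
#
# Port toward the AC6508 (bypass mode): both VLANs, because the AC terminates
# the CAPWAP tunnel and releases STA traffic into service VLAN 10.
interface GigabitEthernet0/0/10
 description to-AC6508
 port link-type trunk
 port trunk pvid vlan 5
 port trunk allow-pass vlan 5 10
#
# Uplink toward the firewall (routed over VLAN 100)
interface GigabitEthernet0/0/24
 description to-USG6500E
 port link-type access
 port default vlan 100
#
# Interface-based DHCP pools (the "second method" in the post). APs discover the
# AC by broadcast because the AC's VLANIF 5 sits in the same VLAN 5.
dhcp enable
interface Vlanif5
 ip address 192.168.5.1 255.255.255.0
 dhcp select interface
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
interface Vlanif100
 ip address 192.168.100.2 255.255.255.0
#
# Default route toward the firewall LAN interface (assumed 192.168.100.1)
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
```

Keeping the AP control VLAN separate from the STA service VLAN, as the post does, means a client on the Wi-Fi never shares a broadcast domain with the AP/AC management plane.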
Huawei AC6508:
Physical port configuration:
VLAN interface and static route toward the switch:
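As an added example (not the author's configuration), here is the AC6508 CLI equivalent of both the six wizard steps plus the AP Online and Wireless Services steps described earlier and the port/VLANIF/route section above. Assumed values: AC VLANIF 5 address 192.168.5.2 with the switch at 192.168.5.1, profile names, a placeholder AP MAC and a placeholder pre-shared key.

```text
# Huawei AC6508 (added example; addresses, names, MAC and key are assumed/placeholders)
sysname AC6508
vlan batch 5 10
#
# Physical port toward the switch (wizard "Interface" step): PVID = control VLAN 5
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 5
 port trunk allow-pass vlan 5 10
#
# AC source interface for the CAPWAP control channel (wizard "AC Source" step)
interface Vlanif5
 ip address 192.168.5.2 255.255.255.0
capwap source interface vlanif 5
#
# Static route toward the switch (wizard "Network Interconnection" step)
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
#
wlan
 # APs are admitted by MAC address; an unlisted AP stays offline (AP Online step)
 ap auth-mode mac-auth
 ap-group name GROUP-OFFICE
  quit
 ap-id 0 ap-mac 00e0-fc00-0001          # placeholder MAC, use the real AP MAC/SN
  ap-name AP1
  ap-group GROUP-OFFICE
  quit
 #
 # Wireless Services step: SSID, WPA2-PSK/AES security, VAP profile in tunnel
 # forwarding with service VLAN 10 for the STAs
 ssid-profile name SSID-OFFICE
  ssid Office-WiFi
  quit
 security-profile name SEC-OFFICE
  security wpa2 psk pass-phrase CHANGE-ME-psk aes   # placeholder key
  quit
 vap-profile name VAP-OFFICE
  forward-mode tunnel
  service-vlan vlan-id 10
  ssid-profile SSID-OFFICE
  security-profile SEC-OFFICE
  quit
 # Bind the VAP profile to the AP group (the "Bind AP Group" step)
 ap-group name GROUP-OFFICE
  vap-profile VAP-OFFICE wlan 1 radio all
  quit
 quit
#
# Check that the APs are online: "display ap all" shows State "nor" when normal
```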
Huawei USG6500E Firewall:
For the firewall part I mention only the required configurations here. The complete details, such as how to log in and initialize the GUI of the Huawei USG firewall, will be in the next post, step by step.
LAN-side interface:
The firewall uplink interface and gateway IP toward the internet are obtained from the Wi-Fi device provided by the ISP.
You can check the gateway IP by connecting a laptop to the Wi-Fi device installed by the service provider and then running cmd: ipconfig
WAN-side interface:
The static route toward the internet gateway IP address
Firewall zone:
Security and NAT policy:
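The firewall screenshots are likewise not reproduced, so here is an added USG6500E CLI equivalent of the LAN/WAN interfaces, static routes, zones, and security/NAT policy (example written for this post, not the author's own config). Assumed values: LAN on GE1/0/1 (192.168.100.1), WAN on GE1/0/0 with documentation addresses 203.0.113.10 and ISP gateway 203.0.113.1, and the switch at 192.168.100.2.

```text
# Huawei USG6500E (added example; interfaces and addresses are assumed)
sysname USG6500E
#
# LAN-side interface toward the switch
interface GigabitEthernet1/0/1
 ip address 192.168.100.1 255.255.255.0
#
# WAN-side interface; the gateway address is the one shown by "ipconfig" on a
# laptop behind the ISP's Wi-Fi device (203.0.113.1 is a placeholder here)
interface GigabitEthernet1/0/0
 ip address 203.0.113.10 255.255.255.0
#
# Static route toward the internet gateway
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
# Return routes for the control and service subnets behind the switch
ip route-static 192.168.5.0 255.255.255.0 192.168.100.2
ip route-static 192.168.10.0 255.255.255.0 192.168.100.2
#
# Zones
firewall zone trust
 add interface GigabitEthernet1/0/1
firewall zone untrust
 add interface GigabitEthernet1/0/0
#
# Security policy: permit only the STA service subnet outbound; anything not
# matched (including inbound from untrust) falls to the default deny. Add the
# 192.168.5.0/24 control subnet only if the AC/APs really need internet reach.
security-policy
 rule name STA-to-Internet
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
#
# Source NAT with the WAN interface address (easy-ip) for the same subnet
nat-policy
 rule name STA-SNAT
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat easy-ip
```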
In the next post I will write about license activation of the AC6508 and USG6500 firewall, enterprise redundancy design (how to configure and plan VRRP, HSRP and stacking), and the USG6500E firewall graphical interface (GUI).
If you still have any confusion, ask a question in a comment or give us remote access and we will support you.
Interview Questions:
- What is the function of the PVID command under the interface?
- What is the advantage of using the tunnel and direct forwarding modes of the AC?
- How does a backup AC6508 work?
- Why use an AC6508 in an enterprise?
- What are the functions of a VAP profile?
- What could be the reason if an AP does not come online?
Keep Learning, Keep Reading, Keep Growing. IT & IP is the future.