WLAN Access controller (AC6508) Huawei & AP Configuration | Switch & USG6500E Firewall | Enterprise Network Design

Today I will explain an enterprise WLAN network: access points (AP), access controllers (AC), switches, and firewall configurations. This is a complete enterprise project, covered step by step with different traffic flow scenarios.
Below are the targets:

The above topology is an enterprise network design in which one Huawei S5735 switch, a USG6500E firewall, and an AC6508 are installed. I show only two APs here for clarity; there can be more.
First, let me summarize the communication between the access point (AP) and the access controller (AC) through the switch. There are two types of communication between the AP, the AC, and end-user stations (STAs).
Control Channel or Management Traffic:
The first is control/management traffic, such as AP version upgrades, profile configuration, wireless parameter settings, SSID, etc. All APs are managed through this control channel.
Service Traffic:
The second is service traffic, such as an end-user mobile or station (STA) using the internet.
These two types of communication between AP and AC require two VLANs to be configured on the switch and the AC.

There are two modes based on the AC's location in the network design, that is, where the access controller (AC) is installed/connected:
- Inline Mode
- Bypass Mode
In inline mode, the actual service traffic passes through the AC. In bypass mode, the service traffic can be carried without passing through the AC. Keep reading; I will elaborate in detail in the section below.

From the perspective of service traffic forwarding, there are two modes:
- Direct forwarding
- Tunnel forwarding
As I explained above, there are two types of communication: one is the control CAPWAP tunnel and the second is service (internet) traffic. In tunnel forwarding mode, both control and service traffic pass through one channel. In direct forwarding mode, the control traffic between AP and AC is separate, and service traffic is carried separately, without the CAPWAP tunnel. Below is a diagram of the traffic flow.
In the diagram below, "management packet" means control traffic and "data" means service traffic.

Now let me summarize and merge the above four mode concepts together for practical implementation.
Below are the different designs of AC and AP in an enterprise network; the choice depends on actual requirements.
The screenshots below represent the above four modes.
Inline Mode:

Bypass Mode:

Next, let me elaborate on the practical implementation of the topology. What I did in my project was tunnel forwarding in bypass mode.
Note that all device configurations are given at the end of the article; you can jump there if you need only the current configuration.
First, how to access the AC6508
The default management IP address of the Huawei AC6508 is 192.168.1.100/24. Assign any IP from the same subnet to your laptop, then enter the AC IP in the browser as below.
Enter the username and set the password at the first login.

First go to Configurations → Config Wizard → AC

Click the interface you want to configure; in my case I will configure port Gi0/0/1 (ignore the green port 8, it is not used in my case). Then fill in the default VLAN for the control channel and, under untagged, both the control and service VLANs, as discussed in detail above.
Then Apply → Next

Create the VLANs for management/control and service. In my case I had already configured them through the CLI.

In the network interconnection configuration we can configure a static route from the GUI as well, but I had already configured it through the CLI as below.

Next is the AC backup configuration. As my scenario has only one AC6508, just click Next. If you need support with backup, write a comment and we will support you remotely.

The next step is the AC source configuration. Select the source Vlanif interface for the control channel communication between the AC and the APs.
In our project, VLAN 5 is for the control channel and VLAN 10 is for the service.

Next

These are all 6 steps of the AC configuration.
Next is the AP configuration, to bring all APs online. Click Continue with AP Online in the above screenshot, or go to the online AP config from the Config Wizard option.
In the AP part, we need to configure the AP group and add the APs' MAC addresses and serial numbers.
We can add them from the CLI as well, or they will be detected automatically.


To configure wireless parameters like SSID, authentication, encryption algorithm, etc., go to Config Wizard → Wireless services

In my case the forwarding mode is Tunnel, as discussed in detail above, and the service VLAN is 10 for end-user STAs.

Put the SSID's Wi-Fi password in the Key section

Bind the AP group created above and finish

Go to AP Config and click Refresh to check that the AP status is online

Now let me explain some important points about the DHCP server, switch, and firewall-side port configurations.
Here the switch is working as the DHCP server, and the configurations of all ports in the topology are given below.

Huawei Switch:
Both switch ports toward the APs have the same configuration. The important point is that, under the interface, the PVID must be the control VLAN 5.
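One way to verify the PVID requirement above against a saved switch configuration, as an added example that is not part of the original project configuration. The sample config, the interface numbers and the function names are assumptions; VLAN 5 and VLAN 10 are the control and service VLANs from this article, and the report of VLANs allowed beyond those two is a check added here.

```python
import re

# From the article: VLAN 5 is the control channel, VLAN 10 the service VLAN.
CONTROL_VLAN, SERVICE_VLAN = 5, 10

# Constructed sample in Huawei VRP syntax; the interface numbers are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 5
 port trunk allow-pass vlan 5 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 5 10
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 5
 port trunk allow-pass vlan 2 to 4094
#
"""

def expand_vlans(text):
    """Expand a VRP VLAN list such as '5 10' or '2 to 4094' into a set."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", text):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_ap_ports(config, ap_ports):
    """Return {interface: [findings]} for the listed AP-facing ports."""
    findings = {}
    for block in re.split(r"^#\s*$", config, flags=re.M):
        m = re.search(r"^interface (\S+)", block, flags=re.M)
        if not m or m.group(1) not in ap_ports:
            continue
        # A port with no pvid line stays on the default VLAN, not VLAN 5.
        pvid = re.search(r"^ port trunk pvid vlan (\d+)", block, flags=re.M)
        lists = re.findall(r"^ port trunk allow-pass vlan (.+)$", block, flags=re.M)
        allowed = expand_vlans(" ".join(lists))
        issues = []
        if not pvid or int(pvid.group(1)) != CONTROL_VLAN:
            issues.append("pvid is not the control VLAN")
        if CONTROL_VLAN not in allowed:
            issues.append("control VLAN not allowed on trunk")
        extra = allowed - {CONTROL_VLAN, SERVICE_VLAN}
        if extra:
            issues.append(f"{len(extra)} VLANs allowed beyond control/service")
        findings[m.group(1)] = issues
    return findings
```

An empty findings list for a port means it matches the requirement; a port with a wrong or missing PVID sends the AP's untagged control traffic into the wrong VLAN.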

Switch Interface toward Access Controller AC6508

Uplink Interface Connected with Firewall

DHCP Configuration on Switch:
There are two types of DHCP configuration: the first is a global IP pool and the second is under the interface subnet. We configured the second method.

The static route toward the Firewall

Huawei AC6508:
Physical port configurations:

VLAN interface & static route toward Switch:


Huawei USG6500E Firewall:
For the firewall part, I mention only the required configurations below. The complete details, like how to log in and initialize, and the GUI of the Huawei USG firewall, will be covered step by step in the next post.
LAN Side Interface:

The firewall uplink interface and the gateway IP toward the Internet are obtained from the Wi-Fi device provided by the ISP.
You can check the gateway IP by connecting a laptop to the Wi-Fi device installed by the service provider and then running
cmd: ipconfig

WAN Side Interface:

The static route toward Internet gateway IP Address

Firewall Zone:

Security & NAT Policy:

In the next post I will write about license activation of the AC6508 and USG6500 firewall, enterprise redundancy design, such as how to configure and plan VRRP, HSRP and stacking, and the USG6500E firewall graphical interface (GUI).
If you still have any confusion, ask a question in a comment or give us remote access and we will support you.
Interview Question:
Keep Learning, Keep Reading, Keep Growing. IT & IP is the future.