Support - H3C SecPath F100-C-A Unified Firewall and AC Best Practices-6W900 (2024)

This document can help you understand how the firewall (FW) functions as an Access Controller (AC) to manage Access Points (APs). As a key device for network security, the FW is mainly responsible for monitoring, filtering, and controlling network traffic. Using a FW as an AC to interoperate with APs has the following significant advantages:

· Unified management—Achieve unified management and configuration of enterprise wireless networks, improving the efficiency of network management. This allows administrators to monitor and maintain wireless networks more easily, promptly identifying and resolving issues.

· Security protection—The FW itself has powerful security protection functions, such as blocking external attacks. Using a FW as an AC to connect with APs can effectively improve the security of wireless networks and prevent them from becoming a weak link in enterprise network security.

· Unified policy—Using a FW as an AC to connect with APs, enterprises can achieve unified configuration and implementation of wired and wireless network policies. This helps simplify network management and ensures consistency and effectiveness of various network policies.

· Reduced cost—Using a FW as an AC to connect with APs can reduce the cost of enterprise network construction and maintenance.

Scenario overview

Suitable for small and medium-sized office areas (such as conference rooms and office areas), which are approximately 300 to 500 square meters, with approximately 60 to 100 online endpoints. PoE switches provide PoE power to multiple APs, and the firewall acts as the egress gateway to provide security protection.

Network topology

As shown in Figure 1, the AP operates in fit mode and is connected to the egress gateway firewall through a PoE switch. The firewall also acts as a DHCP server to assign IP addresses to the AP and wireless clients, and provides security protection for internal devices.

Figure 1 Network diagram

Device model selection

Table 1 Device model selection recommended

Role / Recommended model

Egress gateway firewalls: F100-C-A1 and F100-C-A2

PoE switches: Switches that support PoE power supply (such as S5120V3-10P-PWR-LI)

APs: WA6120, WA6120H, WA6120X, and WA6126

Firewall appearance introduction

The product appearance of F100-C-A1 and F100-C-A2 is briefly introduced below. For other specific parameters, see H3C SecPath F100-C-A Firewall Series Installation Guide.

F100-C-A1

The device front panel has two 1000BASE-X Ethernet fiber ports, five 10/100/1000BASE-T adaptive Ethernet copper ports (including one management Ethernet port), one USB port, one console port, one reset button, and one Micro SD card slot. The specific structure is shown in the figure below.

Figure 2 Front panel

1: 10/100/1000BASE-T Ethernet copper ports

2: 1000BASE-X Ethernet fiber ports

3: Console port

4: USB port (host mode, Type A)

5: Micro SD card slot

6: Reset button (for device reboot)

7: DC-input power receptacle

8: Micro SD card, system status (SYS), and power status (PWR) LEDs

9: 1000BASE-X Ethernet fiber port LED

10: 10/100/1000BASE-T Ethernet copper port LED

11: Management Ethernet port (MGMT)

NOTE:

The reset button restarts the firewall. It does not restore the factory defaults.

Figure 3 Rear panel

1: Grounding screw

F100-C-A2

The device front panel has two 1000BASE-X Ethernet fiber ports, ten 10/100/1000BASE-T adaptive Ethernet copper ports (including one management Ethernet port), one USB port, one console port, one reset button, and one Micro SD card slot. The specific structure is shown in the figure below.

Figure 4 Front panel

1: 10/100/1000BASE-T Ethernet copper ports

2: 1000BASE-X Ethernet fiber ports

3: Console port

4: USB port (host mode, Type A)

5: Micro SD card slot

6: Reset button (for device reboot)

7: DC-input power receptacle

8: Micro SD card, system status (SYS), and power status (PWR) LEDs

9: 1000BASE-X Ethernet fiber port LED

10: 10/100/1000BASE-T Ethernet copper port LED

11: Management Ethernet port (0/MGMT)

NOTE:

The reset button restarts the firewall. It does not restore the factory defaults.

Figure 5 Rear panel

1: Grounding screw

Factory defaults of the firewalls

The following table shows the factory defaults of the firewall devices. You can also obtain the default username and password from the nameplate on the device.

Table 2 Factory defaults of the firewalls

Login information item / Default settings / Remarks

Username: admin. Remarks: N/A.

Password: admin. Remarks: N/A.

Login type:

· Log in to the device through the Web interface.

· Log in to the device through the console port.

Remarks: Other login types need to be configured by yourself.

IP address:

· VLAN-interface 1

· IP address: 192.168.0.1/24 (the firewall device acts as the DHCP server to assign the IP address to the interface; the address is assigned 2 or 3 minutes after the device starts).

Remarks: If another device on the network is the DHCP server, the IP address depends on the DHCP server configuration. View the IP address assigned to the firewall device on that DHCP server.

Ethernet copper ports:

· GE1/0/1: Operates in Layer 3 mode.

· GE1/0/0 and GE1/0/2 through GE1/0/9: Operate in Layer 2 mode and join VLAN 1.

Security zones:

· Local: Device itself

· Management: Zone for managing the device

· Trust: Trusted network zone

· Untrust: Untrusted network zone

· DMZ: Isolated network zone

· LAN: Local area network. Ethernet interfaces other than GE1/0/1 and VLAN-interface 1 belong to the LAN security zone.

Remarks: N/A.

Security policy:

· AUTONET_LOCAL2ANY_DONTMODIFY: Permits packets from Local to any security zone by default.

· AUTONET_LAN2LOCAL_DONTMODIFY: Permits packets from LAN to Local by default.

· AUTONET_LAN2LAN_DONTMODIFY: Permits packets from LAN to LAN by default.

Remarks: N/A.

Network configuration

A company wants to provide better wireless network services to its employees and has high security requirements. It hopes to achieve full wireless network coverage within the company and uses a firewall as the egress gateway to ensure the security of the internal network.

As shown in Figure 6, the APs are deployed in the internal network of the company in fit mode and are connected to the gateway firewall through a PoE switch to access the Internet. The firewall also acts as a DHCP server to assign IP addresses to the APs and wireless clients, and provides security protection for internal devices.

Figure 6 Network diagram

Analysis

This example uses the following approach for network configuration:

1. Configure the egress gateway firewall:

a. Log in to the local Web management interface of the firewall.

b. Configure the firewall to connect to the ISP network and access the Internet.

c. Configure the internal network interfaces, create management and service VLAN interfaces, and assign IP addresses to the VLAN interfaces.

d. Configure DHCP address pools for the management VLAN and service VLANs.

e. Configure a security policy.

f. Configure NAT to ensure that internal users can access the Internet.

g. Configure the AC function for the firewall to act as an AC to manage APs.

2. Configure the PoE access switch:

a. Configure the management IP address for the PoE access switch.

b. Log in to the local Web management interface of the PoE access switch.

c. Create service VLANs and permit all service VLANs.

d. Enable PoE to supply power to APs.

Deployment planning

Restrictions and guidelines

This configuration example was created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

Device model selection

Table 3 Device model selection

Role / Model / Software version

Egress gateway firewall: F100-C-A2, software version F8590P09

PoE switches: S5120V3-28P-PWR-LI, software version R6343P05

AP: WA6120X, software version R2593P03

Network configuration plan

Table 4 Network configuration plan

Item / Detailed planning data

Wireless endpoint network:

· Network segment: 192.168.20.0/24. The firewall acts as a DHCP server to assign IP addresses to endpoints.

· Gateway location: Firewall

· Gateway interface IP address: 192.168.20.1/24

· Service VLAN: VLAN 20

· Encryption method: PSK

Network segment for firewall, switch, and AP interconnection:

· Network segment: 192.168.10.0/24

· Firewall interconnect IP address: 192.168.10.1/24

· AP IP addresses: Obtained automatically from the firewall.

· Management VLAN: VLAN 10

Firewall interfaces:

· Interface GE1/0/0: The management interface of firewall F100-C-A2, which uses the default factory configuration. Administrators can manage the firewall through this interface. With the factory configuration, interface GE1/0/0 operates in Layer 2 mode, joins the LAN security zone, and has a security policy that permits source security zone LAN to access destination security zone Local. The factory configuration for other firewalls varies with the firewall model.

· Interface GE1/0/1 operates in Layer 3 mode and joins the WAN security zone. It can be connected to the external network in the following methods: DHCP, PPPoE, and specified IP address. Select a method according to the actual network of the service provider.

· Interface GE1/0/2 is connected to the switch. It operates in Layer 2 mode and joins the LAN security zone. Create interfaces for management VLAN 10 and service VLAN 20, respectively, with the interface mode set to trunk, allowing only VLAN 10 and VLAN 20 to pass through.

Switch interfaces:

· Interface GE1/0/1 is connected to the firewall and configured as a trunk port, allowing VLAN 10 and VLAN 20 to pass through.

· Multiple GE interfaces are connected to APs, with PVID set to 10 and interface type set to trunk, allowing VLAN 10 and VLAN 20 to pass through.

APs:

· Operating mode: Fit mode

Procedures

Configuring the egress gateway firewall

Connecting a PC to the firewall

1. Connect the PC to the GE1/0/0 interface on the firewall by using an Ethernet cable.

2. Click the network icon in the lower right corner of the computer, and then click Open Network and Sharing Center.

3. In the Network and Sharing Center dialog box that opens, click Local Area Connection.

Figure 7 Network and Sharing Center window

4. In the Local Area Connection Status dialog box, click Properties to open the Local Area Connection Properties dialog box.

Figure 8 Local Area Connection Status

5. In the Local Area Connection Properties dialog box that opens, click Internet Protocol Version 4 (TCP/IPv4), and then click OK.

Figure 9 Local Area Connection Properties

6. In the Internet Protocol Version 4 (TCP/IPv4) dialog box that opens, configure the IP address for the PC to ensure communication with the firewall in either of the following two methods:

◦ Select Obtain an IP address automatically and Obtain DNS server address automatically to configure the PC to get IP settings automatically using DHCP.

Figure 10 Configuring the PC to automatically obtain an IP address

◦ Manually change the IP address of the PC to any address within the 192.168.0.0/24 network segment (except 192.168.0.1), for example, 192.168.0.31. (Note: After modifying the default login address of the firewall later, use an IP address within the modified network segment to log in to the firewall again.)

Figure 11 Manually configuring the IP address of the PC

Logging in to the firewall

1. Enter https://192.168.0.1 in the browser address bar on the PC and then press Enter to log in to the Web interface of the firewall.

2. Enter the default username admin and password admin, and then click Login. Change the login password as prompted.

Figure 12 Logging in to the firewall

Configuring the external network interface

1. On the top navigation bar, click Network. In the left navigation pane, select Security Zones. Click Create to create a security zone named WAN.

Figure 13 Creating the WAN security zone

2. In the left navigation pane, select Interface Configuration > Interfaces. Click the Edit icon on the right side of interface GE1/0/1, and configure the interface as follows:

◦ Configure the interface to operate at Layer 3.

◦ Add the interface to security zone WAN.

◦ Select the IPv4 address configuration method according to the service provider. DHCP is selected in this example.

- If you select PPPoE, enter the PPPoE account and password provided by the service provider.

- If you select DHCP, the DHCP server automatically assigns the public IP address for accessing the WAN.

- If you select manual assignment, enter the IP address, subnet mask, and gateway address of the WAN.

◦ Click OK.

Figure 14 Editing interface GE1/0/1

Configuring the internal network interfaces

1. On the top navigation bar, click Network. In the left navigation pane, select Link > VLANs. Click Create to create VLAN 10 (management VLAN) and VLAN 20 (service VLAN) as follows:

Figure 15 Creating VLANs

2. In the left navigation pane, select Interface Configuration > Interfaces. Click Create interface, and then create a VLAN interface for VLAN 10, the management VLAN. The configuration is as follows:

◦ Add the interface to security zone LAN.

◦ Configure the IPv4 address/subnet mask as 192.168.10.1/255.255.255.0.

◦ Click OK.

Figure 16 Creating a VLAN interface for VLAN 10

Figure 17 Editing Vlan10 interface settings

3. In the left navigation pane, select Interface Configuration > Interfaces. Click Create interface, and then create a VLAN interface for VLAN 20, the service VLAN. The configuration is as follows:

◦ Add the interface to security zone LAN.

◦ Configure the IPv4 address/subnet mask as 192.168.20.1/255.255.255.0.

◦ Click OK.

Figure 18 Creating Vlan20 interface

Figure 19 Editing Vlan20 interface settings

4. Click the Edit icon for GE1/0/2. Configure the interface as follows:

◦ Add the interface to security zone LAN.

◦ Select Trunk as the link type.

◦ Configure the permit VLANs as VLAN 10 and VLAN 20.

◦ Click OK.

Figure 20 Editing interface GE1/0/2

Configuring the DHCP address pools

1. On the top navigation bar, click Network. In the left navigation pane, select DHCP > DHCP Address Pools. Click Create address pool to create a DHCP server address pool named poolforap as follows:

◦ Configure the subnet for dynamic allocation as 192.168.10.0/24 and the excluded address range as 192.168.10.1.

◦ Click the Address Pool Options tab, and then click Create to create a gateway. Configure the gateway address as 192.168.10.1 and then click OK.

◦ Click OK.

Figure 21 Creating a DHCP server address pool named poolforap

Figure 22 Configuring the address pool subnet

Figure 23 Configuring the gateway

2. Click Create address pool to create a DHCP server address pool named poolforsta as follows:

◦ Configure the subnet for dynamic allocation as 192.168.20.0/24 and the excluded address range as 192.168.20.1.

◦ Click the Address Pool Options tab, and then click Create in the Gateways area to create a gateway. Configure the gateway address as 192.168.20.1. Click Create in the DNS servers area to create a DNS server. Configure the DNS server address as 114.114.114.114 (specify the DNS server address for wireless clients according to your actual network configuration). Click OK.

◦ Click OK.

Figure 24 Creating a DHCP server address pool named poolforsta

Figure 25 Configuring the address pool subnet

Figure 26 Configuring the gateway

Configuring a security policy

# On the top navigation bar, click Policies. In the left navigation pane, select Security Policies. Select Create > Create a policy to create a security policy named lan-wan with the following configuration:

· Security policy name: lan-wan

· Source security zone: LAN, destination security zone: WAN

· Action: Permit

· Use the default configuration for other parameters and then click OK.

Figure 27 Creating a security policy named lan-wan

# F100-C-A2 has a default security policy AUTONET_LAN2LOCAL_DONTMODIFY with the following default configuration:

· Source security zone: LAN

· Destination security zone: Local

· Action: Permit

# F100-C-A2 has a default security policy AUTONET_LOCAL2ANY_DONTMODIFY, which allows packets from security zone Local to any destination security zone to pass by default. The factory configuration is as follows:

· Source security zone: Local

· Destination security zone: Any

· Action: Permit

Figure 28 Device factory default security policies

Configuring NAT

# On the top navigation bar, click Policies. In the left navigation pane, select Policy-based NAT. Click Create to create a NAT policy with the following configuration:

· The rule name is PolicyRule_1.

· The rule type is NAT44.

· The translation mode is source address translation.

· The source security zone is LAN.

· The destination security zone is WAN.

· The translation method is dynamic IP + port.

· The address type is Easy IP.

· Select Enable this rule.

· Click OK.

Figure 29 Creating a NAT policy
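To show how the security policy section and the NAT section above combine on a packet, the following added example (it is not part of the H3C document and models no real device code) evaluates a flow against the zone-based policies listed on the page, first match wins, and then applies Easy IP source translation only to LAN-to-WAN traffic. Assumptions labelled in the code: the firewall's WAN address (203.0.113.10, constructed), the NAT port numbering, and that a flow matched by no rule is dropped by an implicit default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Zone membership derived from the plan on the page: both internal subnets sit behind
# interfaces in zone LAN, the firewall's own addresses are zone Local, everything else is WAN.
WAN_ADDR = "203.0.113.10"   # constructed: the address GE1/0/1 obtained from the ISP via DHCP
LAN_PREFIXES = ["192.168.10.0/24", "192.168.20.0/24"]
LOCAL_ADDRS = {"192.168.10.1", "192.168.20.1", WAN_ADDR}


def zone_of(ip: str) -> str:
    if ip in LOCAL_ADDRS:
        return "Local"
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(p) for p in LAN_PREFIXES):
        return "LAN"
    return "WAN"


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str   # "Any" matches every destination zone
    action: str


# Factory-default policies listed on the page plus the lan-wan policy the procedure creates.
POLICIES = [
    Policy("AUTONET_LOCAL2ANY_DONTMODIFY", "Local", "Any", "permit"),
    Policy("AUTONET_LAN2LOCAL_DONTMODIFY", "LAN", "Local", "permit"),
    Policy("AUTONET_LAN2LAN_DONTMODIFY", "LAN", "LAN", "permit"),
    Policy("lan-wan", "LAN", "WAN", "permit"),
]


def match_policy(src_ip: str, dst_ip: str, policies=POLICIES) -> Tuple[str, Optional[str]]:
    """First matching rule wins; a flow no rule matches is dropped (assumed implicit default deny)."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for p in policies:
        if p.src_zone == sz and p.dst_zone in (dz, "Any"):
            return p.action, p.name
    return "deny", None


class EasyIpNat:
    """Dynamic IP + port translation behind the egress interface address (Easy IP).
    The port numbering and flow table are a simplified model, not the device's implementation."""

    def __init__(self, wan_ip: str, first_port: int = 10240):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (src ip, src port) -> (wan ip, nat port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}   # reverse mapping for return traffic

    def translate(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        key = (src_ip, src_port)
        if key not in self.outbound:
            mapping = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.outbound[key] = mapping
            self.inbound[mapping] = key
        return self.outbound[key]

    def untranslate(self, wan_ip: str, nat_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply arriving at the WAN address back to the internal host, if a session exists."""
        return self.inbound.get((wan_ip, nat_port))


def forward(src_ip: str, src_port: int, dst_ip: str, nat: EasyIpNat) -> dict:
    """Zone policy first, then source NAT only for LAN-to-WAN traffic, mirroring the two rules on the page."""
    action, name = match_policy(src_ip, dst_ip)
    result = {"action": action, "policy": name}
    if action == "permit" and zone_of(src_ip) == "LAN" and zone_of(dst_ip) == "WAN":
        result["src_after_nat"] = nat.translate(src_ip, src_port)
    return result


if __name__ == "__main__":
    nat = EasyIpNat(WAN_ADDR)
    print(forward("192.168.20.50", 51000, "198.51.100.7", nat))   # wireless client to the Internet
    print(forward("192.168.10.23", 5246, "192.168.10.1", nat))    # AP to the AC (the firewall itself), constructed port
    print(forward("198.51.100.7", 443, "192.168.20.50", nat))     # unsolicited inbound from the Internet
```

The third call is the case worth checking on a live box: nothing on the page creates a WAN-to-LAN policy, so an Internet-initiated connection to a wireless client has no matching rule and no NAT session, which is the behaviour the lan-wan policy plus Easy IP is meant to preserve.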

Configuring the wireless AC functions

CAUTION:

If the factory default operating mode of an AP is Cloud mode, you need to switch the operating mode of the AP to fit mode.

1. On the top navigation bar, click Network. In the left navigation pane, select WLAN AC.

2. Configure an AP by using at least one of the two methods, manual AP creation and automatic AP configuration.

◦ Create a manual AP:

# In the left navigation pane, select Quick Start > Add New AP > Add New AP. Configure an AP as follows:

- Name—ap1.

- Model—WA6120X.

- Serial ID—219801A3WYP22A00000V. You can also add the AP by specifying the AP's MAC address.

- Use the default values for other parameters and then click OK.

Figure 30 Creating a manual AP

# In the left navigation pane, select Wireless Configuration > AP Management > AP Global Settings. Turn off the software upgrade function for APs.

Figure 31 Disabling software upgrade for APs

NOTE:

For more information about AP software upgrade, see “Automatic upgrade for APs.”

◦ Configure auto AP. The name of an auto AP is the MAC address of the AP.

# In the left navigation pane, select Wireless Configuration > AP Management > AP Global Settings.

- Turn off the software upgrade function for APs.

- Turn on auto AP.

- Turn on auto AP conversion.

Figure 32 Configuring auto AP

3. In the left navigation pane, select Quick Start > Add New SSID > Add New SSID. Configure a wireless service (Wi-Fi) as follows:

- Configure the wireless service name as service1.

- Configure the SSID as WiFi_example.

- Enable the wireless service template.

- Set the default VLAN to service VLAN 20.

- Select static PSK authentication as the authentication mode, select WPA or WPA2 as the security mode, and enter the PSK key.

- Use the default values for other parameters and click Apply and Configure Advanced Settings to save the configuration.

Figure 33 Adding a wireless network

4. Click the Binding tab and bind the wireless service template to the 5 GHz and 2.4 GHz radio frequencies.

Figure 34 Binding service template service1 to RFs
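The two AP onboarding methods in step 2 differ in which APs the AC will accept. The added example below (written for this page, not H3C code, and a simplified model of the behaviour the page describes rather than the AC's real implementation) models the admission decision: a manual AP is matched by serial ID or MAC address, an unknown AP is rejected unless auto AP is on, an admitted auto AP is named after its MAC address, and auto AP conversion turns it into a persistent manual AP. The serial ID is the one from the page; the MAC addresses and the second AP's serial are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ManualAp:
    name: str
    model: str
    serial_id: Optional[str] = None
    mac: Optional[str] = None


@dataclass
class AcConfig:
    manual_aps: Dict[str, ManualAp] = field(default_factory=dict)  # keyed by AP name
    auto_ap: bool = False               # "Turn on auto AP" in AP Global Settings
    auto_ap_conversion: bool = False    # "Turn on auto AP conversion"
    log: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class JoinRequest:
    model: str
    serial_id: str
    mac: str


def admit(ac: AcConfig, req: JoinRequest) -> dict:
    """Decide whether an AP may join the AC and under which AP name (simplified model)."""
    # A manual AP is identified by its serial ID or, per the page, alternatively by its MAC address.
    for ap in ac.manual_aps.values():
        if req.serial_id == ap.serial_id or req.mac == ap.mac:
            ac.log.append(f"manual AP {ap.name} ({req.serial_id}) online")
            return {"admitted": True, "ap_name": ap.name, "kind": "manual"}
    # Unknown AP: only admitted when auto AP is enabled, so the manual-only setup is the restrictive one.
    if not ac.auto_ap:
        ac.log.append(f"rejected unknown AP {req.serial_id} ({req.mac}): auto AP is off")
        return {"admitted": False, "ap_name": None, "kind": None}
    name = req.mac  # the page: the name of an auto AP is the MAC address of the AP
    if ac.auto_ap_conversion:
        # Conversion stores the auto AP as a manual AP, so it survives auto AP being switched off later.
        ac.manual_aps[name] = ManualAp(name, req.model, req.serial_id, req.mac)
        ac.log.append(f"auto AP {name} converted to a manual AP")
        return {"admitted": True, "ap_name": name, "kind": "converted"}
    ac.log.append(f"auto AP {name} online (not saved as a manual AP)")
    return {"admitted": True, "ap_name": name, "kind": "auto"}


def manual_only_ac() -> AcConfig:
    """Method 1 on the page: the single manual AP ap1, auto AP left off."""
    return AcConfig(manual_aps={"ap1": ManualAp("ap1", "WA6120X", serial_id="219801A3WYP22A00000V")})


def auto_ac(conversion: bool) -> AcConfig:
    """Method 2 on the page: no manual APs, auto AP on, optionally with auto AP conversion."""
    return AcConfig(auto_ap=True, auto_ap_conversion=conversion)


if __name__ == "__main__":
    ap1 = JoinRequest("WA6120X", "219801A3WYP22A00000V", "0000-0000-0001")      # constructed MAC
    stranger = JoinRequest("WA6120X", "SERIAL-NOT-IN-CONFIG", "0000-0000-0002")  # constructed AP
    for ac in (manual_only_ac(), auto_ac(conversion=False), auto_ac(conversion=True)):
        admit(ac, ap1)
        admit(ac, stranger)
        print("\n".join(ac.log))
```

Running it shows the operational difference between the two methods: with auto AP off only ap1 comes online, while with auto AP on any AP that reaches the management VLAN is accepted, which is why the auto AP switch deserves a review once the planned APs are registered.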

Configuring the PoE access switch

Connecting a PC to the PoE switch

1. Use a console cable to connect the serial port of the management PC with the console port of the PoE switch. Configure the IP address of interface VLAN 1, which is 192.168.1.2 in this example.

NOTE:

DHCP is enabled on F100-C-A2 by default. In this example, the PoE switch can be assigned an IP address in the 192.168.0.0/24 subnet. You can use the display interface brief command to view the IP address assigned to interface Vlan1. If there is no DHCP server in your network, you need to manually configure the IP address for the PoE switch.

2. Change the IP address of the PC interface to be in the same subnet as the switch. Change the IP address of the PC to any address within the 192.168.1.0/24 subnet.

Note: Do not use an IP address that is already configured on another device.

Logging in to the PoE access switch

1. Use an Ethernet cable to connect the PC and interface GE1/0/3 on the PoE switch. On the PC, type https://192.168.1.2 in the browser address bar and press Enter to access the Web login interface of the PoE access switch.

2. Enter the default username clouduser and password admin, and then click Login. Change the login password as prompted.

Figure 35 Logging in to the PoE access switch

Creating VLANs

Create management VLAN 10 and service VLAN 20 according to the plan.

1. Navigate to the Network > Links > VLAN page.

2. Click the Create VLAN icon. The Create VLAN list dialog box opens.

◦ Create VLAN 10 (management VLAN) and VLAN 20 (service VLAN).

◦ Click OK.

Figure 36 Creating the management VLAN 10 and service VLAN 20

Setting interface types and assigning them to VLANs

Configure interface GE1/0/1 connected to the firewall and the GE interfaces connected to APs as follows:

1. Navigate to the Network > Interfaces > Interfaces page.

2. Click the Details icon for interface GE1/0/1 to enter the page for editing interface settings.

◦ Configure the link type as Trunk, and enter 10,20 in the Permit VLAN List field.

◦ Use the default values for other parameters.

◦ Click OK.

Figure 37 Configuring interface GE1/0/1

3. Click the Details icon for interface GE1/0/2 (interface connected to an AP) to edit the interface settings as follows:

◦ Configure the link type as Trunk, set the PVID to 1, and enter 10,20 in the Permit VLAN List field.

◦ Use the default values for other parameters.

◦ Click OK.

Figure 38 Configuring interface GE1/0/2
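The network configuration plan (Table 4), the two DHCP address pools, and the trunk settings on the firewall and switch interfaces above must agree with each other for an AP to obtain an address in the management VLAN and for clients to get a gateway and DNS server. The following added example (written for this page, not H3C code) encodes the plan's values and checks them for the mistakes that most often break this design: a gateway outside its subnet, a pool whose gateway is not excluded from leasing, a service pool with no DNS option, permit lists that differ on the two ends of the firewall-switch link, and an AP-facing port whose PVID is not the management VLAN. Note that the plan sets the AP-facing PVID to 10 while step 3 of the switch procedure sets it to 1; the second check in the usage section shows the finding that mismatch produces. Port names and roles are taken from the page; the device labels "firewall" and "switch" are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Vlan:
    vid: int
    role: str       # "management" (firewall/switch/AP interconnect) or "service" (wireless clients)
    subnet: str     # network segment from the plan
    gateway: str    # firewall VLAN-interface address, also handed out as the DHCP gateway option


@dataclass
class DhcpPool:
    name: str
    subnet: str
    excluded: Set[str]          # addresses the pool must never lease
    gateway: str                # gateway option given to clients
    dns: List[str] = field(default_factory=list)


@dataclass
class TrunkPort:
    device: str
    name: str
    permit: Set[int]            # permit VLAN list
    pvid: int = 1               # VLAN that receives the port's untagged frames
    ap_facing: bool = False     # the AP itself sends untagged management traffic on this port
    peer: Optional[str] = None  # "<device> <port>" at the other end of the link, if known


# Values copied from the plan and procedures on the page.
PLAN_VLANS = [
    Vlan(10, "management", "192.168.10.0/24", "192.168.10.1"),
    Vlan(20, "service", "192.168.20.0/24", "192.168.20.1"),
]
PLAN_POOLS = [
    DhcpPool("poolforap", "192.168.10.0/24", {"192.168.10.1"}, "192.168.10.1"),
    DhcpPool("poolforsta", "192.168.20.0/24", {"192.168.20.1"}, "192.168.20.1", ["114.114.114.114"]),
]
PLAN_PORTS = [
    TrunkPort("firewall", "GE1/0/2", {10, 20}, peer="switch GE1/0/1"),
    TrunkPort("switch", "GE1/0/1", {10, 20}, peer="firewall GE1/0/2"),
    TrunkPort("switch", "GE1/0/2", {10, 20}, pvid=10, ap_facing=True),
]


def check_plan(vlans, pools, ports) -> List[str]:
    """Return the inconsistencies found; an empty list means the plan is consistent."""
    findings: List[str] = []
    vids = {v.vid for v in vlans}
    mgmt_vid = next((v.vid for v in vlans if v.role == "management"), None)
    pools_by_subnet = {p.subnet: p for p in pools}

    for v in vlans:
        if ipaddress.ip_address(v.gateway) not in ipaddress.ip_network(v.subnet):
            findings.append(f"VLAN {v.vid}: gateway {v.gateway} is outside {v.subnet}")
        pool = pools_by_subnet.get(v.subnet)
        if pool is None:
            findings.append(f"VLAN {v.vid}: no DHCP pool covers {v.subnet}")
            continue
        if pool.gateway != v.gateway:
            findings.append(f"pool {pool.name}: gateway option {pool.gateway} differs from interface address {v.gateway}")
        if pool.gateway not in pool.excluded:
            findings.append(f"pool {pool.name}: gateway {pool.gateway} is not excluded and could be leased to a client")
        if v.role == "service" and not pool.dns:
            findings.append(f"pool {pool.name}: no DNS server option for the wireless clients")

    by_key = {f"{p.device} {p.name}": p for p in ports}
    for p in ports:
        key = f"{p.device} {p.name}"
        unknown = p.permit - vids
        if unknown:
            findings.append(f"{key}: permits VLANs that are not in the plan: {sorted(unknown)}")
        if p.ap_facing and p.pvid != mgmt_vid:
            findings.append(f"{key}: AP-facing PVID {p.pvid} is not the management VLAN {mgmt_vid}; "
                            f"the AP's untagged traffic will not be placed in VLAN {mgmt_vid}")
        if p.peer is not None:
            peer = by_key.get(p.peer)
            if peer is None:
                findings.append(f"{key}: peer {p.peer} is not in the plan")
            elif peer.permit != p.permit:
                findings.append(f"{key}: permit list {sorted(p.permit)} differs from {p.peer} permit list {sorted(peer.permit)}")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN_VLANS, PLAN_POOLS, PLAN_PORTS) or ["plan is consistent"]:
        print(line)
    # Same AP port as configured in step 3 of the switch procedure (PVID 1 instead of the planned 10).
    step3_port = [TrunkPort("switch", "GE1/0/2", {10, 20}, pvid=1, ap_facing=True)]
    for line in check_plan(PLAN_VLANS, PLAN_POOLS, step3_port):
        print(line)
```

The check is deliberately data-driven so that the same function can be fed the values read back from a running device (for example from the interface and DHCP pages) rather than the plan, turning it into a post-deployment drift check.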

Enabling PoE

PoE is enabled on the switch by default. If PoE is already enabled on the switch interfaces connected to APs, you can skip this step.

# Enable PoE on the GE interfaces connected to APs to supply power to the APs:

1. Navigate to the PoE > PoE page.

2. Click Select All to select all interfaces.

3. Click PI to enable PoE for all selected interfaces.

Figure 39 Enabling PoE power supply

Verifying the configuration

1. After a wireless endpoint is connected to the wireless network, open the WLAN AC page, and then select Dashboard > Dashboard in the left navigation pane to enter the dashboard page, where you can view statistics for all APs, clients, wireless services, and wireless traffic.

Figure 40 Viewing the dashboard

2. Click the icon in the upper right corner of the AP widget to view statistics for all APs, including AP model, status, AP serial number, client count, and other information.

Figure 41 AP list

3. Click the Clients tab to view information about online clients, including the client's MAC address, IP address, and speed.

Figure 42 Client list

Network configuration

A company wants to provide better wireless network services to its employees and has high security requirements. It hopes to achieve full wireless network coverage within the company and uses a firewall as the egress gateway to ensure the security of the internal network.

As shown in Figure 43, the APs are deployed in the internal network of the company in fit mode and are connected to the gateway firewall through a PoE switch to access the Internet. The firewall also acts as a DHCP server to assign IP addresses to the APs and wireless clients, and provides security protection for internal devices.

Figure 43 Network diagram

Analysis

This example uses the following approach for network configuration:

1. Configure the egress gateway firewall:

a. Log in to the firewall through the console port.

b. Configure the firewall to connect to the ISP network and access the Internet.

c. Configure the internal network interfaces, create management and service VLAN interfaces, and assign IP addresses to the VLAN interfaces.

d. Configure DHCP address pools for the management VLAN and service VLANs.

e. Configure a security policy.

f. Configure NAT to ensure that internal users can access the Internet.

g. Configure the AC function for the firewall to act as an AC to manage APs.

2. Configure the PoE access switch:

a. Log in to the PoE access switch through the console port.

b. Create service VLANs and permit all service VLANs.

c. Enable PoE to supply power to APs.

Deployment planning

Restrictions and guidelines

This configuration example was created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

Device model selection

Table 5 Device model selection

Role / Model / Software version

Egress gateway firewall: F100-C-A2, software version F8590P09

PoE switches: S5120V3-28P-PWR-LI, software version R6343P05

AP: WA6120X, software version R2593P03

Network configuration plan

Table 6 Network configuration plan

Item / Detailed planning data

Wireless endpoint network:

· Network segment: 192.168.20.0/24. The firewall acts as a DHCP server to assign IP addresses to endpoints.

· Gateway location: Firewall

· Gateway interface IP address: 192.168.20.1/24

· Service VLAN: VLAN 20

· Encryption method: PSK

Network segment for firewall, switch, and AP interconnection:

· Network segment: 192.168.10.0/24

· Firewall interconnect IP address: 192.168.10.1/24

· AP IP addresses: Obtained automatically from the firewall.

· Management VLAN: VLAN 10

Firewall interfaces:

· Interface GE1/0/0: The management interface of firewall F100-C-A2, which uses the default factory configuration. Administrators can manage the firewall through this interface. With the factory configuration, interface GE1/0/0 operates in Layer 2 mode, joins the LAN security zone, and has a security policy that permits source security zone LAN to access destination security zone Local. The factory configuration for other firewalls varies with the firewall model.

· Interface GE1/0/1 operates in Layer 3 mode and joins the WAN security zone. It can be connected to the external network in the following methods: DHCP, PPPoE, and specified IP address. Select a method according to the actual network of the service provider.

· Interface GE1/0/2 is connected to the switch. It operates in Layer 2 mode and joins the LAN security zone. Create interfaces for management VLAN 10 and service VLAN 20, respectively, with the interface mode set to trunk, allowing only VLAN 10 and VLAN 20 to pass through.

Switch interfaces:

· Interface GE1/0/1 is connected to the firewall and set as a trunk port, allowing VLAN 10 and VLAN 20 to pass through.

· Multiple GE interfaces are connected to APs, with PVID set to 10 and interface type set to trunk, allowing VLAN 10 and VLAN 20 to pass through.

AP:

· Operating mode: Fit mode

Procedure

Configuring the egress gateway firewall

Connecting the firewall and the PC

1. Connect the PC to the GE1/0/0 interface on the firewall by using an Ethernet cable.

2. Click the network icon in the lower right corner of the computer, and then click Open Network and Sharing Center.

3. In the Network and Sharing Center dialog box that opens, click Local Area Connection.

Figure 44 Network and Sharing Center window

4. In the Local Area Connection Status dialog box that opens, click Properties.

Figure 45 Local Area Connection Status

5. In the Local Area Connection Properties dialog box that opens, click Internet Protocol Version 4 (TCP/IPv4).

Figure 46 Local Area Connection Properties

6. In the Internet Protocol Version 4 (TCP/IPv4) dialog box that opens, configure the IP address for the PC to ensure communication with the firewall in either of the following two methods:

◦ Select Obtain an IP address automatically and Obtain DNS server address automatically to configure the PC to get IP settings automatically using DHCP.

Figure 47 Configuring the PC to automatically obtain an IP address

◦ Manually change the IP address of the PC to any address within the 192.168.0.0/24 network segment (except 192.168.0.1), for example, 192.168.0.31. (Note: After modifying the default login address of the firewall later, use an IP address within the modified network segment to log in to the firewall again.)

Figure 48 Manually configuring the IP address of the PC

Logging in to the firewall through the console port

1.Connect the PC and firewall by using a console cable. First insert the DB-9 (female)/standard USB plug of the console cable into the 9-pin (male) serial port/USB port of the PC, and then insert the RJ-45 plug end into the console port of the firewall.

2.When building a local configuration environment through the console port, you must establish a connection with the firewall through a terminal emulation program such as HyperTerminal or PuTTY. You can run these programs to connect to network devices, Telnet, or SSH sites. For detailed descriptions and usage instructions of these programs, see the user guides for the programs. After opening the terminal emulation program, set the terminal parameters as follows.

¡Bits per second—9600

¡Data bits—8

¡Stop bits—1

¡Parity—None

¡Traffic control—None

3.Power on the firewall. The terminal displays self-test information. After the self-test is completed, enter the default username admin and password admin, and then press Enter. The command prompt will appear (such as <Sysname>).

(Optional) Logging in to the firewall through Telnet

To manage the firewall through Telnet or SSH, you can enable the relevant services at the CLI. The following example illustrates how to enable the Telnet service.

1.After logging in to the firewall through the console port, enter system view and enable the Telnet service.

<FW> system-view

[FW] telnet server enable

2.Log in via Telnet using the default IP address 192.168.0.1. A command prompt will appear after you press Enter.

<FW> telnet 192.168.0.1

Trying 192.168.0.1 ...

Press CTRL+K to abort

Connected to 192.168.0.1 ...

******************************************************************************

* Copyright (c) 2004-2023 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent, *

* no decompiling or reverse-engineering shall be allowed. *

******************************************************************************

3.Enter the default username admin and password admin, and then click Login. Change the login password as prompted.

Login: admin

Password:

The default password is not secure. A qualified password must meet the following requirements:

It must contain a minimum of 4 characters.

It must contain a minimum of 1 types, and a minimum of 1 characters for each type.

Old password:

New password:

Confirm:

%Aug 12 10:59:34:501 2023 H3C PWDCTL/6/PWDCTL_CHANGE_PASSWORD: admin changed the password because the password was default password.

%Aug 12 10:59:34:501 2023 H3C LS/5/LS_PWD_CHGPWD: The password of local device-management user admin was modified.

<FW>%Aug 12 10:59:34:813 2023 H3C SHELL/5/SHELL_LOGIN: admin logged in from 192.168.0.1.

<FW>

Configuring the external network interface

1.Assign an IP address to interface GigabitEthernet 1/0/1.

Select the IPv4 address configuration method according to the service provider. DHCP is selected in this example.

¡If you select PPPoE, enter the PPPoE account and password provided by the service provider.

¡If you select DHCP, the DHCP server automatically assigns the public IP addresses for accessing the WAN.

¡If you select manual assignment, enter the IP address, subnet mask, and gateway address of the WAN.

# Assign an IP address to interface GigabitEthernet 1/0/1.

<FW> system-view

[FW] interface gigabitethernet 1/0/1

[FW-GigabitEthernet1/0/1] ip address dhcp-alloc

[FW-GigabitEthernet1/0/1] quit

2.Add interface GigabitEthernet 1/0/1 to security zone WAN.

[FW] security-zone name WAN

[FW-security-zone-WAN] import interface gigabitethernet 1/0/1

[FW-security-zone-WAN] quit

Configuring the internal network interfaces

1.Create management VLAN 10 and service VLAN 20.

[FW] vlan 10

[FW-vlan10] quit

[FW] vlan 20

[FW-vlan20] quit

2.Configure the IP address and mask length of VLAN-interface 10 as 192.168.10.1/24.

[FW] interface vlan-interface 10

[FW-Vlan-interface10] ip address 192.168.10.1 24

[FW-Vlan-interface10] quit

3.Configure the IP address and mask length of VLAN-interface 20 as 192.168.20.1/24.

[FW] interface vlan-interface 20

[FW-Vlan-interface20] ip address 192.168.20.1 24

[FW-Vlan-interface20] quit

4.Configure Layer 2 Ethernet interface GigabitEthernet 1/0/2 as a trunk port. Configure the trunk port to allow VLAN 10 and VLAN 20, but not VLAN 1, to pass through.

[FW] interface GigabitEthernet 1/0/2

[FW-GigabitEthernet1/0/2] port link-type trunk

[FW-GigabitEthernet1/0/2] port trunk permit vlan 10 20

[FW-GigabitEthernet1/0/2] undo port trunk permit vlan 1

[FW-GigabitEthernet1/0/2] quit

5.Add VLAN-interface 10, VLAN-interface 20, Layer 2 Ethernet interface GigabitEthernet 1/0/2 in VLAN 10, and Layer 2 Ethernet interface GigabitEthernet 1/0/2 in VLAN 20 to the LAN security zone.

[FW] security-zone name LAN

[FW-security-zone-LAN] import interface vlan-interface 10

[FW-security-zone-LAN] import interface vlan-interface 20

[FW-security-zone-LAN] import interface GigabitEthernet 1/0/2 vlan 10

[FW-security-zone-LAN] import interface GigabitEthernet 1/0/2 vlan 20

[FW-security-zone-LAN] quit

Configuring the DHCP address pool

1.Enable DHCP globally.

[FW] dhcp enable

2.Create a DHCP server address pool named poolforap for IP address allocation to APs.

# Configure the dynamic allocation address range as 192.168.10.0/24, the address that does not participate in automatic allocation as 192.168.10.1, and the gateway address as 192.168.10.1.

[FW] dhcp server ip-pool poolforap

[FW-dhcp-pool-poolforap] network 192.168.10.0 24

[FW-dhcp-pool-poolforap] forbidden-ip 192.168.10.1

[FW-dhcp-pool-poolforap] gateway-list 192.168.10.1

[FW-dhcp-pool-poolforap] quit

3.Create a DHCP server address pool named poolforsta for IP address allocation to access terminals.

Configure the dynamic allocation address range as 192.168.20.0/24, the address that does not participate in automatic allocation as 192.168.20.1, the gateway address as 192.168.20.1, and the DNS server address as 114.114.114.114. (Specify the DNS server address for wireless clients according to your actual network configuration.)

[FW] dhcp server ip-pool poolforsta

[FW-dhcp-pool-poolforsta] network 192.168.20.0 24

[FW-dhcp-pool-poolforsta] forbidden-ip 192.168.20.1

[FW-dhcp-pool-poolforsta] gateway-list 192.168.20.1

[FW-dhcp-pool-poolforsta] dns-list 114.114.114.114

[FW-dhcp-pool-poolforsta] quit

Configuring a security policy

# Configure a security policy rule named lan-wan to allow access from the LAN security zone to the WAN security zone.

[FW] security-policy ip

[FW-security-policy-ip] rule name lan-wan

[FW-security-policy-ip-3-lan-wan] source-zone lan

[FW-security-policy-ip-3-lan-wan] destination-zone wan

[FW-security-policy-ip-3-lan-wan] action pass

[FW-security-policy-ip-3-lan-wan] quit

# Configure a security policy rule named lan-local to allow access from the LAN security zone to the Local security zone. (The F100-C-A firewall series is pre-configured with such a security policy rule. This step can be skipped.)

[FW-security-policy-ip] rule name lan-local

[FW-security-policy-ip-4-lan-local] source-zone lan

[FW-security-policy-ip-4-lan-local] destination-zone local

[FW-security-policy-ip-4-lan-local] action pass

[FW-security-policy-ip-4-lan-local] quit

# Configure a security policy rule named local-lan to allow access from the Local security zone to the LAN security zone. (The F100-C-A firewall series is pre-configured with such a security policy rule. This step can be skipped.)

[FW-security-policy-ip] rule name local-lan

[FW-security-policy-ip-5-local-lan] source-zone local

[FW-security-policy-ip-5-local-lan] destination-zone lan

[FW-security-policy-ip-5-local-lan] action pass

[FW-security-policy-ip-5-local-lan] quit

[FW-security-policy-ip] quit

Configuring NAT

# Create a global NAT rule named PolicyRule_1 to use Easy IP for source address translation for packets from the LAN security zone to the WAN security zone.

[FW] nat global-policy

[FW-nat-global-policy] rule name PolicyRule_1

[FW-nat-global-policy-rule-PolicyRule_1] source-zone lan

[FW-nat-global-policy-rule-PolicyRule_1] destination-zone wan

[FW-nat-global-policy-rule-PolicyRule_1] action snat easy-ip

[FW-nat-global-policy-rule-PolicyRule_1] quit

[FW-nat-global-policy] quit

Configuring the wireless AC functions

CAUTION:

If the factory default operating mode of the AP is Cloud mode, you need to switch the operating mode of the AP to fit mode.

1.Configure an AP by using at least one of the two methods, manual AP creation and automatic AP configuration.

¡Create a manual AP:

# Create a manual AP named ap1, with AP model WA6120X and AP serial number 219801A3WYP22A00000V.

[FW] wlan ap ap1 model WA6120X

[FW-wlan-ap-ap1] serial-id 219801A3WYP22A00000V

[FW-wlan-ap-ap1] quit

¡Configure auto APs:

# Enable the auto AP feature. The name of an auto AP is the MAC address of the AP.

[FW] wlan auto-ap enable

# Convert online auto APs to manual APs. Choose the options to configure as needed:

-Convert all APs to manual APs.

[FW] wlan auto-ap persistent all

-Enable automatic conversion from auto APs to manual APs. This command takes effect only on auto APs that come online after you execute this command. For auto APs that are already online, use the wlan auto-ap persistent command to convert them to manual APs.

[FW] wlan auto-persistent enable

2.Disable the software upgrade feature globally for APs.

[FW] wlan global-configuration

[FW-wlan-global-configuration] firmware-upgrade disable

[FW-wlan-global-configuration] quit

For more information about AP software upgrade, see “Automatic upgrade for APs.”

3.Configure service template service1:

# Configure the SSID as WiFi_example and add wireless clients to VLAN 20 after they come online from the service template.

[FW] wlan service-template service1

[FW-wlan-st-service1] ssid WiFi_example

[FW-wlan-st-service1] vlan 20

# Configure the identity authentication and key management mode as PSK, and use the plaintext string User@1234 as the shared key. Set the CCMP cipher suite for frame encryption and enable the CCMP IE in beacon and probe responses.

[FW-wlan-st-service1] akm mode psk

[FW-wlan-st-service1] preshared-key pass-phrase simple User@1234

[FW-wlan-st-service1] cipher-suite ccmp

[FW-wlan-st-service1] security-ie wpa

# Enable the service template.

[FW-wlan-st-service1] service-template enable

[FW-wlan-st-service1] quit

4.Bind the service template to RF radios radio 1 and radio 2, and enable the radios.

[FW] wlan ap ap1

[FW-wlan-ap-ap1] radio 1

[FW-wlan-ap-ap1-radio-1] service-template service1

[FW-wlan-ap-ap1-radio-1] radio enable

[FW-wlan-ap-ap1-radio-1] quit

[FW-wlan-ap-ap1] radio 2

[FW-wlan-ap-ap1-radio-2] service-template service1

[FW-wlan-ap-ap1-radio-2] radio enable

[FW-wlan-ap-ap1-radio-2] return

<FW>

Configuring the PoE access switch

Logging in to the PoE access switch through the console port

1.Connect the PC and firewall by using a configuration cable. First insert the DB-9 (female)/standard USB plug of the console cable into the 9-pin (male) serial port/USB port of the PC, and then insert the RJ-45 plug end into the console port of the firewall.

2.When building a local configuration environment through the console port, you must establish a connection with the firewall through a terminal emulation program such as HyperTerminal or PuTTY. You can run these programs to connect to network devices, Telnet, or SSH sites. For detailed descriptions and usage instructions of these programs, see the user guides for the programs. After opening the terminal emulation program, set the terminal parameters as follows.

¡Bits per second—9600

¡Data bits—8

¡Stop bits—1

¡Parity—None

¡Traffic control—None

3.Power on the firewall. The terminal displays self-test information. After the self-test is completed, enter Ctrl+C. The command prompt will appear (such as <Sysname>).

Creating VLANs

# Create VLAN 10 (management VLAN) and VLAN 20 (service VLAN) as planned.

[PoE switch] vlan 10 20

Setting interface types and assigning them to VLANs

# Configure Layer 2 Ethernet interface GigabitEthernet 1/0/1, connected to the firewall, as a trunk port and allow VLAN 10 and VLAN 20 to pass through the trunk port.

[PoE switch] interface GigabitEthernet 1/0/1

[PoE switch-GigabitEthernet1/0/1] port link-type trunk

[PoE switch-GigabitEthernet1/0/1] port trunk permit vlan 10 20

[PoE switch-GigabitEthernet1/0/1] quit

# Configure the Layer 2 Ethernet interfaces connected to APs (this example uses only GE1/0/2) as trunk ports, allow VLAN 10 and VLAN 20 to pass through the trunk port, and set the default port VLAN ID to 10.

[PoE switch] interface GigabitEthernet 1/0/2

[PoE switch-GigabitEthernet1/0/2] port link-type trunk

[PoE switch-GigabitEthernet1/0/2] port trunk permit vlan 10 20

[PoE switch-GigabitEthernet1/0/2] port trunk pvid vlan 10

[PoE switch-GigabitEthernet1/0/2] quit
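The trunk and PVID settings configured on the firewall's GE1/0/2 and on the two switch ports above decide which VLAN every frame lands in. The following Python script is an added example, not part of the H3C guide or of either product: it models the three trunk ports of this design with standard 802.1Q trunk semantics (an untagged frame takes the port's PVID, a frame in the PVID VLAN leaves untagged, a VLAN outside the permit list is dropped) and traces frames from the AP, and from the switch itself, up to the firewall. The port names are the ones configured above; the assumption that the switch uplink still permits VLAN 1 (the Comware default for a trunk port, which the switch steps do not remove) is mine.

```python
from dataclasses import dataclass

DROP = "drop"  # returned by egress() when the frame's VLAN is not permitted


@dataclass
class TrunkPort:
    name: str
    permitted: set   # VLAN IDs the trunk lets through
    pvid: int = 1    # VLAN assigned to untagged frames that arrive on the port

    def ingress(self, tag):
        """Classify an arriving frame. `tag` is the 802.1Q VLAN ID, or None
        when the frame is untagged. Returns the VLAN the frame is placed in,
        or None if the port drops it."""
        vlan = self.pvid if tag is None else tag
        return vlan if vlan in self.permitted else None

    def egress(self, vlan):
        """Send a frame out of the port. Returns None if it leaves untagged
        (the PVID VLAN), the VLAN ID if it leaves tagged, or DROP."""
        if vlan not in self.permitted:
            return DROP
        return None if vlan == self.pvid else vlan


# The three trunk ports configured above. VLAN 1 stays in the switch uplink's
# permit list (assumption: Comware trunk ports permit VLAN 1 by default and the
# switch steps do not remove it); the firewall side removed it explicitly with
# "undo port trunk permit vlan 1".
SWITCH_AP_PORT = TrunkPort("PoE switch GE1/0/2", {10, 20}, pvid=10)
SWITCH_UPLINK = TrunkPort("PoE switch GE1/0/1", {1, 10, 20})
FW_LAN_PORT = TrunkPort("FW GE1/0/2", {10, 20})


def from_switch(vlan):
    """Trace a frame leaving the switch uplink in `vlan` to the firewall.
    Returns the VLAN the firewall places it in, or None if dropped."""
    tag = SWITCH_UPLINK.egress(vlan)
    if tag == DROP:
        return None
    return FW_LAN_PORT.ingress(tag)


def from_ap(frame_tag):
    """Trace a frame sent by the AP (None = untagged AP management traffic,
    20 = client traffic the AP tags with the service VLAN) to the firewall.
    Returns the VLAN the firewall places it in, or None if dropped en route."""
    vlan = SWITCH_AP_PORT.ingress(frame_tag)
    if vlan is None:
        return None
    return from_switch(vlan)


if __name__ == "__main__":
    cases = [("AP management (untagged)", from_ap(None)),
             ("client traffic (tag 20)", from_ap(20)),
             ("stray tag 30 on AP port", from_ap(30)),
             ("switch VLAN 1 toward FW", from_switch(1))]
    for label, result in cases:
        text = "dropped" if result is None else f"VLAN {result}"
        print(f"{label:26s} -> {text}")
```

The untagged AP frame ends up in VLAN 10 at the firewall because of the PVID on the AP-facing port, client traffic tagged 20 passes unchanged, and a VLAN 1 frame from the switch leaves the uplink untagged and is then dropped at the firewall's GE1/0/2, which is exactly what the undo port trunk permit vlan 1 step is for.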

Enabling PoE

PoE is enabled on the switch by default. If PoE is already enabled on the switch's interfaces connected to APs, you can skip this step.

# Enable PoE on the GE interfaces connected to APs to supply power to the APs. (This example uses only GE1/0/2.)

[PoE switch] interface GigabitEthernet 1/0/2

[PoE switch-GigabitEthernet1/0/2] poe enable

[PoE switch-GigabitEthernet1/0/2] quit

Verifying the configuration

# View AP information. You can see that the AP has successfully established a tunnel connection with the AC and entered the R/M state. (Using a manual AP as an example.)

<FW> display wlan ap all

Total number of APs: 1

Total number of connected APs: 1

Total number of connected manual APs: 1

Total number of connected auto APs: 0

Total number of connected common APs: 1

Total number of connected WTUs: 0

Total number of inside APs: 0

Maximum supported APs: 64

Remaining APs: 63

Total AP licenses: 1

Local AP licenses: 1

Server AP licenses: 0

Remaining local AP licenses: 0

Sync AP licenses: 0

AP information

State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad

C = Config, DC = DataCheck, R = Run, M = Master, B = Backup

AP name    AP ID    State    Model      Serial ID

ap1        1        R/M      WA6120X    219801A3WYP22A00000V

# You can also go to the WLAN AC page, and then select Dashboard > Dashboard in the left navigation pane. On the dashboard, you can view statistics for all APs, clients, wireless services, and wireless traffic.

Configuration files

Egress gateway firewall

#

wlan global-configuration

firmware-upgrade disable

#

telnet server enable

#

dhcp enable

dhcp server always-broadcast

#

vlan 10

#

vlan 20

#

dhcp server ip-pool lan1

gateway-list 192.168.0.1

network 192.168.0.0 mask 255.255.255.0

address range 192.168.0.2 192.168.0.254

dns-list 192.168.0.1

#

dhcp server ip-pool poolforap

gateway-list 192.168.10.1

network 192.168.10.0 mask 255.255.255.0

forbidden-ip 192.168.10.1

#

dhcp server ip-pool poolforsta

gateway-list 192.168.20.1

network 192.168.20.0 mask 255.255.255.0

dns-list 114.114.114.114

forbidden-ip 192.168.20.1

#

wlan service-template service1

ssid WiFi_example

vlan 20

akm mode psk

preshared-key pass-phrase cipher $c$3$3xnWZGP5DcEfTPTSeL3gaf+z41kdFbBgPV+NRA==

cipher-suite ccmp

security-ie wpa

service-template enable

#

interface Vlan-interface1

description LAN-interface

ip address dhcp-alloc

tcp mss 1280

#

interface Vlan-interface10

ip address 192.168.10.1 255.255.255.0

#

interface Vlan-interface20

ip address 192.168.20.1 255.255.255.0

#

interface GigabitEthernet1/0/1

port link-mode route

ip address dhcp-alloc

#

interface GigabitEthernet1/0/2

port link-mode bridge

port link-type trunk

port trunk permit vlan 10 20

undo port trunk permit vlan 1

#

security-zone name LAN

import interface Vlan-interface1

import interface Vlan-interface10

import interface Vlan-interface20

import interface GigabitEthernet1/0/0 vlan 1

import interface GigabitEthernet1/0/2 vlan 1 10 20

#

security-zone name WAN

import interface GigabitEthernet1/0/1

#

nat global-policy

rule name PolicyRule_1

source-zone LAN

destination-zone WAN

action snat easy-ip

#

wlan ap ap1 model WA6120X

serial-id 219801A3WYP22A00000V

vlan 1

radio 1

radio enable

service-template service1

radio 2

radio enable

service-template service1

gigabitethernet 1

gigabitethernet 2

#

security-policy ip

rule 3 name lan-wan

action pass

source-zone lan

destination-zone wan

rule 4 name lan-local

action pass

source-zone lan

destination-zone local

rule 5 name local-lan

action pass

source-zone local

destination-zone lan

#

return

PoE switch

#

vlan 10

#

vlan 20

#

interface Vlan-interface1

ip address 192.168.1.2 255.255.255.0

dhcp client identifier ascii 98204435f0f4-VLAN0001

#

interface GigabitEthernet1/0/1

port link-type trunk

port trunk permit vlan all

poe enable

#

interface GigabitEthernet1/0/2

port link-type trunk

port trunk permit vlan all

port trunk pvid vlan 10

poe enable

#

return
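The security policy, DHCP pools and trunk settings configured earlier only protect the network in the form they are actually saved in, which is what the configuration files above show. The following Python script is an added example, not part of the H3C guide or of the product: it parses a Comware-style configuration (blocks separated by lines containing only #, as in the files above), rebuilds the interzone security policy and evaluates flows against it, and reports the settings a reviewer would check on this design: the Telnet server being enabled, a DHCP pool whose gateway is not excluded with forbidden-ip, a pre-shared key stored with the simple keyword instead of in cipher form, and a trunk that permits every VLAN. The sample configuration is constructed from the files above with those weaknesses introduced on purpose; that rules are matched top down and that a flow matching no rule is dropped is my assumption about the product's default behaviour.

```python
import re

# Constructed sample (assumption: trimmed and deliberately weakened from the
# saved configuration files above so that every check below has a hit).
SAMPLE_CONFIG = """\
#
telnet server enable
#
dhcp server ip-pool poolforsta
 gateway-list 192.168.20.1
 network 192.168.20.0 mask 255.255.255.0
 dns-list 114.114.114.114
#
wlan service-template service1
 ssid WiFi_example
 preshared-key pass-phrase simple User@1234
 cipher-suite ccmp
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan all
 port trunk pvid vlan 10
#
security-policy ip
 rule 3 name lan-wan
  action pass
  source-zone lan
  destination-zone wan
 rule 4 name lan-local
  action pass
  source-zone lan
  destination-zone local
 rule 5 name local-lan
  action pass
  source-zone local
  destination-zone lan
#
return
"""


def parse_blocks(config):
    """Split a Comware-style config into (header, body_lines) pairs at '#' lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def parse_policy(config):
    """Return the security-policy rules as dicts, in configuration order."""
    rules = []
    for header, body in parse_blocks(config):
        if header != "security-policy ip":
            continue
        for line in body:
            m = re.match(r"rule \d+ name (\S+)", line)
            if m:
                rules.append({"name": m.group(1), "action": "drop"})
            elif line.startswith(("action ", "source-zone ", "destination-zone ")):
                key, value = line.split(maxsplit=1)
                rules[-1][key] = value.lower()
    return rules


def evaluate(rules, src_zone, dst_zone):
    """First matching rule decides; a flow matching no rule is dropped (assumed default)."""
    for rule in rules:
        if (rule.get("source-zone") == src_zone.lower()
                and rule.get("destination-zone") == dst_zone.lower()):
            return rule["action"], rule["name"]
    return "drop", None


def audit(config):
    """Return one finding string per weak setting found in the configuration."""
    findings = []
    for header, body in parse_blocks(config):
        if header == "telnet server enable":
            findings.append("global: Telnet management enabled (unencrypted)")
        elif header.startswith("dhcp server ip-pool "):
            gateways = [l.split()[1] for l in body if l.startswith("gateway-list ")]
            excluded = [l.split()[1] for l in body if l.startswith("forbidden-ip ")]
            for gw in gateways:
                if gw not in excluded:
                    findings.append(f"{header}: gateway {gw} not excluded with forbidden-ip")
        elif header.startswith("wlan service-template "):
            if any(l.startswith("preshared-key pass-phrase simple ") for l in body):
                findings.append(f"{header}: pre-shared key stored in plaintext")
        elif header.startswith("interface ") and "port link-type trunk" in body:
            if "port trunk permit vlan all" in body:
                findings.append(f"{header}: trunk permits every VLAN")
            elif "undo port trunk permit vlan 1" not in body:
                findings.append(f"{header}: VLAN 1 still permitted on trunk")
    return findings


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_CONFIG)
    for src, dst in [("LAN", "WAN"), ("WAN", "LAN"), ("Local", "LAN")]:
        print(f"{src:>5} -> {dst:<5}: {evaluate(rules, src, dst)}")
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run against the real saved file instead of the sample, the same checks confirm what the page's egress gateway file shows (cipher-form key, VLAN 1 removed from the trunk) and flag the two points where the PoE switch file differs from the procedure (port trunk permit vlan all on both switch ports).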

The device supports managing one AP by default. You need to purchase license keys for the device, then register and install the licenses to manage more APs.

For more information about license registration, activation file installation, and license transfer, see H3C Security Products Licensing Configuration Demonstration Video, H3C Security Products Licensing Configuration Demonstration, H3C Security Products Licensing Configuration Examples, and H3C Security Products Licensing Guide.

Identifying license information (Web interface)

After a license is successfully registered and activated, you can identify that the status of the APMGR feature is In use on the System > License config page in the Web interface of the device.

Figure 49 Identifying license information

Click the Details icon in the Actions column for APMGR to view detailed license information.

Figure 50 License details

Identifying license information (CLI)

After a license is successfully registered and activated, you can use the display license feature command to check whether the feature has been licensed. A value of Y means the feature has been licensed.

<FW> display license feature

Slot 1:

Total: 32 Usage: 1

Feature    Licensed    State

ACG        N           -

APMGR      Y           Trial

AV         N           -

IPRPT      N           -

IPS        N           -

SSLVPN     Y           Pre-licensed

UFLT       N           -

View detailed information about the licenses on the device by executing the display license command.

<FW> display license

Slot 1:

flash:/license/NGFirewall2023101215594179753.ak

Feature: APMGR

Product Description: Trial APMGR License, 90 Days, 4 Numbers

Registered at: 2023-10-12 17:26:47

License Type: Trial (date restricted)

Trial Validity Period: 2023-10-12 to 2024-01-10

Current State: In use

Pre-installed License

Feature: SSLVPN

Feature Description: SSLVPN License, 15 Numbers

License Type: Permanent

Current State: In use

Automatic upgrade for APs

By default, the AP software upgrade feature is enabled on F100-C-A1/F100-C-A2. In this case, the version upgrade process of an AP is as follows:

1.The AP sends version and model information to the FW.

2.The FW compares the software version of the AP. By default, the FW compares the software version of the AP with the mappings between AP model and software and hardware versions in the APDB.

3.If the software versions are the same, the FW allows the CAPWAP tunnel establishment. If the software versions are different, the FW informs the AP of the software version inconsistency. After receiving a message about inconsistent versions, the AP will request the version from the FW.

4.After the FW receives the version request from the AP, it sends the software version file to the AP.

5.After receiving the version file, the AP will perform a firmware upgrade and reboot, and then establish a CAPWAP tunnel with the FW.

To automatically upgrade APs through the software upgrade feature, you need to upload the version files of APs to the FW and ensure that the model and version in each AP version file are consistent with those stored in the APDB.
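The five steps above are a negotiation between the AP and the FW that hinges on the APDB entry for the AP model. The following Python script is an added example, not part of the H3C guide or of the product: it models the FW's decision when an AP reports its model and version, honours the global firmware-upgrade disable switch from the AC configuration earlier, checks uploaded image files against the APDB entry as the paragraph above requires, and walks an AP through report, image download, reboot and rejoin. The APDB entry and the image file record are constructed from the display wlan ap-model output that follows; what the FW does when no matching image has been uploaded (the no-image result) and for a model missing from the APDB (unknown-model) is my assumption, not something the page states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageFile:
    """An AP software image uploaded to the FW and the model/version it carries."""
    name: str
    model: str
    version: str


# Constructed APDB excerpt: AP model -> software version expected at join time
# (model, version and image name taken from the display wlan ap-model output).
APDB = {"WA6120X": "R2593P03"}

# Constructed list of image files uploaded to the FW.
UPLOADED = [ImageFile("wa6500a.ipe", "WA6120X", "R2593P03")]


def validate_uploads(apdb, uploads):
    """Names of uploaded images whose model/version pair does not match the
    APDB entry; such a file would never be served, so flag it before APs join."""
    return [f.name for f in uploads if apdb.get(f.model) != f.version]


def join_decision(apdb, uploads, model, version, upgrade_enabled=True):
    """What the FW does when an AP reports (model, version).

    Returns 'establish-tunnel', 'send-image:<file>', 'no-image' (assumption:
    no matching image was uploaded) or 'unknown-model' (assumption: model
    absent from the APDB)."""
    if not upgrade_enabled:            # firmware-upgrade disable: no version check
        return "establish-tunnel"
    expected = apdb.get(model)
    if expected is None:
        return "unknown-model"
    if version == expected:            # step 3, versions equal
        return "establish-tunnel"
    for f in uploads:                  # steps 3-4, version mismatch, serve the file
        if f.model == model and f.version == expected:
            return f"send-image:{f.name}"
    return "no-image"


def simulate_join(apdb, uploads, model, version, upgrade_enabled=True):
    """Walk one AP through the exchange: report, receive the image, reboot,
    report again. Returns the list of events in order."""
    events = []
    for _ in range(2):                 # at most one upgrade round
        decision = join_decision(apdb, uploads, model, version, upgrade_enabled)
        events.append(decision)
        if not decision.startswith("send-image:"):
            break
        version = apdb[model]          # step 5: AP installs the file and reboots
        events.append("ap-reboot")
    return events


if __name__ == "__main__":
    print("bad uploads:", validate_uploads(APDB, UPLOADED))
    print(simulate_join(APDB, UPLOADED, "WA6120X", "R2580P01"))
    print(simulate_join(APDB, UPLOADED, "WA6120X", "R2580P01", upgrade_enabled=False))
```

The two simulate_join calls show the difference the firmware-upgrade disable step makes: with the feature enabled an AP on another version is sent the image, reboots and rejoins; with it disabled the tunnel comes up on whatever version the AP runs.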

Administrators can use the display wlan ap-model command to view the version number of the specified model in the APDB.

<FW> display wlan ap-model name WA6120X

AP model : WA6120X

Alias : WA6120X

Vendor name : H3C

Vendor ID : 25506

License weight : 100

License type : 1

Radio count : 2

Radio 1:

Mode : 802.11a, 802.11an, 802.11ac, 802.11ax

Default mode : 802.11ax

BSS count : 8

Radio 2:

Mode : 802.11b, 802.11g, 802.11gn, 802.11gax

Default mode : 802.11gax

BSS count : 8

Version Support List:

Hardware Version Ver.A:

Software Version : R2593P03

Default Software Version : A2586

Image Name : wa6500a.ipe

……

When the software version used to upgrade the AP does not match the software version corresponding to the AP model stored in the APDB, you can use the wlan apdb command to specify the software version used when the AP goes online. For more information about APDB, see the AP management configuration in WLAN Configuration Guide.

Manual upgrade for APs

After the successful establishment of the CAPWAP tunnel, you can enable the FW to deploy the version to the AP online by executing the wlan ap-image-deploy command. After the AP obtains the version sent by the FW, you can manually restart the AP to make the new version take effect. For more information about the wlan ap-image-deploy command, see AP management commands in WLAN Command Reference.

Before executing the wlan ap-image-deploy command to distribute the version to the AP, you must upload the AP version file to the FW through FTP or TFTP. The upload location is determined by the wlan image-load filepath { local | ram } command.
