Example for Configuring Fast Roaming Between APs in the Same Service VLAN

Roaming Between APs in the Same Service VLAN Overview

WLAN roaming allows a STA to move from the coverage area of an AP to that of another AP with nonstop service transmission. Roaming between APs in the same service VLAN allows a STA to move between two APs that connect to the same AC without service interruption.

Roaming between APs in the same service VLAN is classified into fast roaming and non-fast roaming. Non-fast roaming technology is used when a STA uses a non-WPA2-802.1X security policy. If a STA uses WPA2-802.1X but does not support fast roaming, the STA still needs to complete 802.1X authentication before roaming between two APs. When the user uses the WPA2-802.1X security policy and supports fast roaming, the user does not need to perform 802.1X authentication again during roaming and only needs to perform key negotiation. Fast roaming reduces roaming delay and improves service experience.

Configuration Notes

The APs on which WLAN roaming is implemented must use the same SSID and security profiles, and the security profiles must have the same configurations.
In direct forwarding mode, if the ARP entry of a user is not aged out in time on the access device connected to the AP after the user roams, services of the user will be temporarily interrupted. You are advised to enable STA address learning on the AC. After the function is enabled, the AP will send a gratuitous ARP packet to the access device so that the access device can update ARP entries in a timely manner. This ensures nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to the version of your product:
- Versions earlier than V200R007C20 and V200R008: run the learn client ip-address enable command in the service set view.
- V200R007C20: run the undo learn-client-address disable command in the VAP profile view.
In direct forwarding mode, configure port isolation on the interface directly connected to APs. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
How to configure the source interface:
- In V200R006, run the wlan ac source interface { loopback loopback-number | vlanif vlan-id } command in the WLAN view.
- In V200R007 and V200R008, run the capwap source interface { loopback loopback-number | vlanif vlan-id } command in the system view.
No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
- In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
- In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.

The following table lists applicable products and versions.

**Table 1** Applicable products and versions
Software Version	Product Model	AP Model and Version
V200R005C00	S7700, S9700	V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00	S5720-HI, S7700, S9700	V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00	S5720-HI, S7700, S9700	V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN V200R005C20: AP7030DE, AP9330DN
V200R008C00	S5720-HI, S7700, S9700	V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN V200R005C20: AP7030DE, AP9330DN V200R005C30: AP2030DN, AP4030DN, AP4130DN

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended.

For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

Networking Requirements

As shown in Figure 1, a department on a campus network deploys two APs that are managed and controlled by an AC, which dynamically assigns IP addresses to the APs and STAs. All users in the department belong to the same VLAN, that is, AP1 and AP2 use the same service VLAN. The security policy WPA2-802.1X is used. User data is forwarded through tunnels.

The department requires services to be uninterrupted when a STA moves from AP1 to AP2.

Figure 1 Networking diagram for configuring fast roaming between APs in the same service VLAN

Data Planning

**Table 2** Data planning
Item	Data	Description
IP address of the AC's source interface	192.168.10.1/24	None
WMM profile	Name: wmm	None
Radio profile	Name: radio	None
Security profile	Name: security Security and authentication policy: WPA2+802.1X Authentication key: hello Encryption mode: CCMP	None
Traffic profile	Name: traffic	None
Service set	Name: test SSID: test WLAN virtual interface: WLAN-ESS 1 Data forwarding mode: tunnel forwarding	None
DHCP server	The AC functions as a DHCP server to assign IP addresses to APs and STAs.	None
AP gateway and IP address pool range	VLANIF 100: 192.168.10.1/24 192.168.10.2 to 192.168.10.254/24	None
STA gateway and IP address pool range	VLANIF 101: 192.168.11.1/24 192.168.11.2 to 192.168.11.254/24	None

Configuration Roadmap

The configuration roadmap is as follows:

The security policy WPA2-802.1X is used and access authentication is required, which results in longer roaming switchover time. Configure fast roaming between APs in the same service VLAN to ensure nonstop service transmission during roaming.
Configure parameters used for communication between the AC and APs to transmit CAPWAP packets.
Configure the AC to function as a DHCP server to assign IP addresses to APs and STAs.
Configure basic WLAN services to enable the STAs to connect to the WLAN.
Configure key negotiation between STAs and APs to shorten the roaming switchover time.

Procedure

Set the NAC mode on AC to unified mode (default setting). Configure SwitchA and the AC to allow the APs and AC to transmit CAPWAP packets.

# Configure the SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the management VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Configure the AC to communicate with the upstream device.

# Add the AC's uplink interface GE1/0/3 to VLAN 101 and add GE1/0/4 of the AC connecting to the RADIUS server to VLAN 102.

[AC] vlan batch 101 102
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk pvid vlan 102
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/4] quit

Configure the AC as a DHCP server to assign IP addresses to STAs and APs, and configure VLANIF 102 to allow the AC to communicate with the RADIUS server.

# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.

[AC] dhcp enable  //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface  //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

# Configure VLANIF 102.

[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.0.1 24
[AC-Vlanif102] quit

Configure an AAA domain to which a RADIUS server template is applied.

Configure a RADIUS server template, an AAA authentication scheme, and domain information.

Ensure that the AC and RADIUS server have the same shared key.

[AC] radius-server template radius_huawei  //Creates a RADIUS server template
[AC-radius-radius_huawei] radius-server authentication 192.168.0.2 1812  //Specify the IP address and the port number of a RADIUS authentication server.
[AC-radius-radius_huawei] radius-server shared-key cipher hello  //Configure the shared key of a RADIUS server
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei  //Create an authentication scheme
[AC-aaa-authen-radius_huawei] authentication-mode radius  //Set the authentication mode to radius.
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com  //Create a domain
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei  //Configure an authentication scheme in the domain.
[AC-aaa-domain-huawei.com] radius-server radius_huawei  //Configure a RADIUS server template for the domain.
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

After domain huawei.com is configured, the domain name is added to the authentication user name.

Test whether a STA can be authenticated using RADIUS authentication. A user name test@huawei.com and password 123456 have been configured on the RADIUS server.
```
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
```

Configure AC system parameters.

# Configure the country code.

[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use 
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.

[AC] wlan ac-global ac id 1 carrier id other  //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.

[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Manage APs on the AC.

# Check the AP type IDs after obtaining the MAC addresses of the APs.

[AC-wlan-view] display ap-type all
  All AP types information:     
  ------------------------------------------------------------------------------
  ID     Type                   
  ------------------------------------------------------------------------------
  17     AP6010SN-GN            
  19     AP6010DN-AGN           
  21     AP6310SN-GN            
  23     AP6510DN-AGN           
  25     AP6610DN-AGN           
  27     AP7110SN-GN            
  28     AP7110DN-AGN           
  29     AP5010SN-GN            
  30     AP5010DN-AGN           
  31     AP3010DN-AGN           
  33     AP6510DN-AGN-US        
  34     AP6610DN-AGN-US        
  35     AP5030DN               
  36     AP5130DN               
  37     AP7030DE                                                               
  38     AP2010DN                                                               
  39     AP8130DN                                                               
  40     AP8030DN                                                               
  42     AP9330DN                                                               
  43     AP4030DN                                                               
  44     AP4130DN                                                               
  45     AP3030DN                                                               
  46     AP2030DN                                                               
  ------------------------------------------------------------------------------
  Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the APs offline based on the AP type ID. Assume that the type of AP1 and AP2 is AP6010DN-AGN, and their MAC addresses are 60de-4476-e360 and dcd2-fc04-b500, respectively.

[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.

[AC-wlan-view] ap-region id 10  //Create AP region 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10  //Add AP1 to region 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10  //Add AP2 to region 10
[AC-wlan-ap-2] quit

# Power on AP1 and AP2 and run the display ap all command on the AC to check the AP state. The command output shows that the APs are in normal state.

[AC-wlan-view] display ap all
  All AP information:           
  Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]       
  Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]            
  ------------------------------------------------------------------------------
  AP    AP               AP              Profile   AP              AP           
                                         /Region                                
  ID    Type             MAC             ID        State           Sysname      
  ------------------------------------------------------------------------------
  1     AP6010DN-AGN     60de-4476-e360  0/10      normal          ap-1         
  2     AP6010DN-AGN     dcd2-fc04-b500  0/10      normal          ap-2         
  ------------------------------------------------------------------------------
  Total number: 2,printed: 2

Configure WLAN service parameters.

# Create a WMM profile named wmm and retain the default parameter settings.

[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.

[AC-wlan-view] radio-profile name radio id 1 
[AC-wlan-radio-prof-radio] channel-mode fixed 
[AC-wlan-radio-prof-radio] wmm-profile name wmm 
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.

[AC] interface wlan-ess 1
[AC-Wlan-Ess1]  port trunk allow-pass vlan 101 
[AC-Wlan-Ess1] authentication dot1x  //Enable 802.1X authentication.
[AC-Wlan-Ess1] dot1x authentication-method eap  //Configure EAP relay authentication for 802.1X users.
[AC-Wlan-Ess1] domain name huawei.com force  //Configure a forcible authentication domain.
[AC-Wlan-Ess1] permit-domain name huawei.com  //Configure a permitted domain for WLAN users.
[AC-Wlan-Ess1] quit

# Create a security profile named security and configure the security policy to WPA2-802.1X.

[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x encryption-method ccmp  //Configure WPA2 802.1X authentication and encryption.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.

[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic profile to the service set.

[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure a VAP.

[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit

# Commit the configuration.

[AC-wlan-view] commit ap 1
  Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 2
  Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Verify the configuration.
After the configuration is complete, the STA can connect to the WLAN with the SSID test in the coverage area of AP1. Use 802.1X authentication on the STA and enter the user name and password. If the authentication succeeds, the STA can connect to the Internet. Configure the STA according to the configured authentication mode PEAP.
- Configuration on the Windows 7 operating system:
  1. Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID test. Set the authentication mode to WPA2-Enterprise, the encryption mode to CCMP, and the algorithm to AES. Click Next.
  2. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP type to PEAP and click Settings. In the displayed dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
Assume that the STA MAC address is 0025-86aa-0d1c. When the STA connects to the WLAN with the SSID test in the coverage area of AP1, run the display station assoc-info ap 1 command on the AC to check the STA access information.
```
<HUAWEI> display station assoc-info ap 1
 ------------------------------------------------------------------------------
  STA MAC          AP ID   RADIO ID  SS ID   SSID
  ------------------------------------------------------------------------------
  0025-86aa-0d1c   1       0         0       test
  ------------------------------------------------------------------------------
Total stations: 1
```
When the STA moves from the coverage of AP1 to that of AP2, run the display station assoc-info ap 2 command on the AC to check the STA access information. The STA is associated with AP2.
```
<HUAWEI> display station assoc-info ap 2
 ------------------------------------------------------------------------------
  STA MAC          AP ID   RADIO ID  SS ID   SSID
  ------------------------------------------------------------------------------
  0025-86aa-0d1c   2       0         1       test
  ------------------------------------------------------------------------------
Total stations: 1
```
Run the display station roam-track sta 0025-86aa-0d1c command on the AC to check the STA roaming track.
```
<HUAWEI> display station roam-track sta 0025-86aa-0d1c
  ------------------------------------------------------------------------------
  AP ID  Radio ID  BSSID            TIME                                        
  ------------------------------------------------------------------------------
  1      0        60de-4476-e360   2012/12/23 14:40:37                          
  2      0        dcd2-fc04-b500   2012/12/23 14:40:39                          
  ------------------------------------------------------------------------------
  Number of roam track: 1
```

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

AC configuration file

#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei          
  radius-server shared-key cipher %@%@xI&d>!p~&X_GJ0~yU/z!,x,J%@%@
  radius-server authentication 192.168.0.2 1812 weight 80    
#       
aaa               
 authentication-scheme radius_huawei         
  authentication-mode radius       
 domain huawei.com     
  authentication-scheme radius_huawei 
  radius-server radius_huawei                
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 192.168.11.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk pvid vlan 102
 port trunk allow-pass vlan 102
#
interface Wlan-Ess1
 port trunk allow-pass vlan 101 
 authentication dot1x       
 dot1x authentication-method eap   
 permit-domain name huawei.com
 domain name huawei.com force  
#
wlan
 wlan ac source interface vlanif100
 ap-region id 10
 ap id 1 type-id 19 mac 60de-4476-e360 sn 190901007618
  region-id 10
 ap id 2 type-id 19 mac dcd2-fc04-b500 sn 190901007619
  region-id 10
 wmm-profile name wmm id 1
 traffic-profile name traffic id 1
 security-profile name security id 1
  security-policy wpa2           
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  traffic-profile id 1
  security-profile id 1
  service-vlan 101
 radio-profile name radio id 1
  channel-mode fixed  
  wmm-profile id 1
 ap 1 radio 0
  radio-profile id 1
  service-set id 1 wlan 1
 ap 2 radio 0
  radio-profile id 1
  channel 20MHz 6  
  service-set id 1 wlan 1
#
return