
Example for Configuring Preferential Access of VIP Users

Networking Requirements

A stadium wants to deploy a WLAN that allows users to access the Internet in wireless mode using 802.1X authentication after they enter the correct user name and password. The stadium also requires that user services not be affected when users roam within the WLAN's coverage area. For the WLAN access configuration, see Example for Configuring a WPA2-802.1X-AES Security Policy.

To improve network experience of VIP users, preferential access of VIP users is configured. When the number of access users reaches the specified threshold, VIP users can preferentially access the WLAN.

Figure 1 Networking diagram for configuring preferential access of VIP users

Context

Table 1 AC data plan

| Item | Data |
|---|---|
| Service scheme | Name: vip_service-scheme; Priority: 1 |
| RRM profile | Name: wlan-rrm; User CAC based on the number of users: enabled; User CAC threshold based on the number of users: 32 |
| 2G radio profile | Name: wlan-radio2g; Referenced profile: RRM profile wlan-rrm |
| 5G radio profile | Name: wlan-radio5g; Referenced profile: RRM profile wlan-rrm |

Configuration Roadmap

  1. Configure preferential access of VIP users.

Configuration Notes

  • No ACK mechanism is provided for multicast packet transmission on air interfaces, and wireless links are unstable. To ensure stable transmission, multicast packets are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may become congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
    For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.
  • Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

  • In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure

  1. Check the basic configuration of the WLAN.

    | Check Item | Command | Data |
    |---|---|---|
    | Check the AP group to which an AP belongs. | display ap all | AP group: ap-group1 |
    | Check all profiles referenced by the AP group. | display ap-group name xxx | VAP profile: wlan-vap |
    | Check all profiles referenced by the VAP profile. | display vap-profile name xxx | SSID profile: wlan-ssid |

  2. Configure preferential access of VIP users.
    1. Configure the user priority in a service scheme.

      [AC] aaa
      [AC-aaa] service-scheme vip_service-scheme
      [AC-aaa-service-vip_service-scheme] priority 1
      [AC-aaa-service-vip_service-scheme] quit
      [AC-aaa] quit

    2. Configure preferential access of VIP users through user CAC (based on the number of users).

      # Create RRM profile wlan-rrm. Enable the user CAC function based on the number of users, set the maximum number of access users to 32, and set the access policy for new users to priority-based user replacement when the number of access users reaches the user CAC threshold.

      [AC] wlan
      [AC-wlan-view] rrm-profile name wlan-rrm
      [AC-wlan-rrm-prof-wlan-rrm] uac client-number enable
      [AC-wlan-rrm-prof-wlan-rrm] uac client-number threshold access 32
      [AC-wlan-rrm-prof-wlan-rrm] uac reach-access-threshold priority-replace
      [AC-wlan-rrm-prof-wlan-rrm] quit

      # Create 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to the 2G radio profile.

      [AC-wlan-view] radio-2g-profile name wlan-radio2g 
      [AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
      [AC-wlan-radio-2g-prof-wlan-radio2g] quit

      # Create 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm to the 5G radio profile.

      [AC-wlan-view] radio-5g-profile name wlan-radio5g 
      [AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
      [AC-wlan-radio-5g-prof-wlan-radio5g] quit

      # Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group ap-group1.

      [AC-wlan-view] ap-group name ap-group1 
      [AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-ap-group-ap-group1] quit

    3. Configure preferential access of VIP users based on VAPs.

      # Set the maximum number of successfully associated users on a VAP to 40 and set the access policy for new users to priority-based user replacement when the number of access users on a VAP reaches the maximum.

      [AC-wlan-view] ssid-profile name wlan-ssid 
      [AC-wlan-ssid-prof-wlan-ssid] max-sta-number 40 
      [AC-wlan-ssid-prof-wlan-ssid] reach-max-sta priority-replace 
      [AC-wlan-ssid-prof-wlan-ssid] quit 

  3. Configure the service scheme and its network authorization and policy on the server. For details, see the related server document.
  4. Verify the configuration.

    # Run the display service-scheme name vip_service-scheme command to check the service scheme configuration. The priority is 1.

    [AC-wlan-view] display service-scheme name vip_service-scheme                                  
      service-scheme-name           : vip_service-scheme                            
      service-scheme-primary-dns    : -                                             
      service-scheme-secondary-dns  : -                                             
      service-scheme-adminlevel     : -                                             
      service-scheme-redirect-acl-id: -                                             
      service-scheme-priority       : 1                                             
      access-limit-username-maxnum  : -                                             
      ...

    # Run the display rrm-profile name wlan-rrm command to check configuration information about the RRM profile. The command output shows that the access policy for new users is priority-based user replacement when the number of access users reaches the user CAC threshold based on the number of users.

    [AC-wlan-view] display rrm-profile name wlan-rrm                                  
    -------------------------------------------------------------------- 
    ...
    UAC check client's SNR                                       : disable          
    UAC client's SNR threshold(dB)                               : 20               
    UAC check client number                                      : enable          
    UAC client number access threshold                           : 32               
    UAC client number roam threshold                             : 64               
    ...               
    Action upon reaching the UAC threshold                       : priority-based STA replacement          
    ...
    --------------------------------------------------------------------   

    # Run the display ssid-profile name wlan-ssid command to check configuration information about the SSID profile. The command output shows that the access policy for new users is priority-based user replacement when the number of access users on a VAP reaches the maximum.

    [AC-wlan-view] display ssid-profile name wlan-ssid
    -------------------------------------------------------------------- 
    Profile ID                                   : 0
    SSID                                         : wlan-net
    SSID hide                                    : disable
    Association timeout(min)                     : 5
    Max STA number                               : 40
    Action upon reaching the max STA number      : priority-based STA replacement
    ...
    --------------------------------------------------------------------   

    When there is a large number of users in the stadium and the number of users on a radio or VAP reaches the specified threshold, new non-VIP users cannot access the network. Instead, VIP users can preferentially access the WLAN.

Configuration Files

  • AC configuration file

    #
     sysname AC
    #
    aaa
     service-scheme vip_service-scheme
      priority 1 
    #
    wlan
     ssid-profile name wlan-ssid
      max-sta-number 40                                                             
      reach-max-sta priority-replace  
     rrm-profile name wlan-rrm                                                      
      uac reach-access-threshold priority-replace                                   
      uac client-number enable                                                      
      uac client-number threshold access 32  
     radio-2g-profile name wlan-radio2g                                             
      rrm-profile wlan-rrm                                                          
     radio-5g-profile name wlan-radio5g                                             
      rrm-profile wlan-rrm  
     ap-group name ap-group1
      radio 0
       radio-2g-profile wlan-radio2g 
       vap-profile wlan-vap wlan 1
      radio 1
       radio-5g-profile wlan-radio5g     
       vap-profile wlan-vap wlan 1
    #
    return
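
The checks in the verification step can also be run offline against a saved configuration file. The following Python sketch is an added example, not Huawei code: it follows the reference chain from the AP group to its radio profiles to the RRM profile, and reports any radio whose RRM profile lacks the two UAC settings this page configures. The function names and the embedded sample (this page's configuration file, trimmed) are constructed for illustration.

```python
import re

# Constructed input: the AC configuration file from this page, trimmed to the
# blocks the check reads (one space of indentation per nesting level).
SAMPLE = """\
wlan
 rrm-profile name wlan-rrm
  uac reach-access-threshold priority-replace
  uac client-number enable
  uac client-number threshold access 32
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
  radio 1
   radio-5g-profile wlan-radio5g
"""

# Settings the RRM profile needs for priority-based replacement at the threshold.
REQUIRED_UAC = ("uac client-number enable",
                "uac reach-access-threshold priority-replace")

def parse_blocks(text):
    """Map each block header (indent 1) to its stripped child lines."""
    blocks, current = {}, None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if indent == 1:
            current = blocks.setdefault(line.strip(), [])
        elif indent >= 2 and current is not None:
            current.append(line.strip())
    return blocks

def audit_vip_access(text, ap_group):
    """Return findings where the ap-group -> radio -> RRM chain is incomplete."""
    blocks, findings = parse_blocks(text), []
    for line in blocks.get(f"ap-group name {ap_group}", []):
        m = re.fullmatch(r"(radio-(?:2g|5g)-profile) (\S+)", line)
        if not m:
            continue  # e.g. "radio 0" or a vap-profile binding
        radio = blocks.get(f"{m.group(1)} name {m.group(2)}", [])
        rrm = next((l.split()[1] for l in radio if l.startswith("rrm-profile ")), None)
        body = blocks.get(f"rrm-profile name {rrm}", [])
        findings += [f"{m.group(2)}: rrm-profile {rrm} lacks '{need}'"
                     for need in REQUIRED_UAC if need not in body]
    return findings
```

An empty list means every radio profile bound to the AP group resolves to an RRM profile with user CAC enabled and priority-based replacement set; the SSID profile settings (max-sta-number, reach-max-sta) are not covered by this check.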
Copyright © Huawei Technologies Co., Ltd.