The H3C WX6000 Series Access Controllers (hereinafter referred to as the WX6000 series) are wireless access controller (AC) products. The WX6000 series feature large capacity, high reliability and rich services and offer strong wired and wireless data processing capacity. The WX6000 series provides refined user control and management, comprehensive RF management and security mechanism, fast roaming, strong QoS and IPv4/IPv6 features, and powerful WLAN access control capability. Designed for WLAN access of enterprise networks and metropolitan area networks (MANs), the WX6000 series provide the most ideal access control solutions for WLAN access of large enterprise campus networks, wireless MAN coverage and hot spot coverage.
The WX6100 series access controllers include the standalone WX6103 access controller, the LSQM1WCMB0 access controller module for the S7500E series Ethernet switches, and the LSRM1WCM2A1 access controller module for the S9500E series Ethernet switches. Working with Fit AP (H3C WA2110/WA2200/WA2600) developed by H3C, the WX6000 series can well satisfy various wireless networking applications.
The WX6103 is composed of a chassis, a power supply system (AC or DC), one or two main control boards (EWPXM1WCMB0), and a switch interface board (EWPXM1G24XA0). The WX6103 supports two main control boards, each able to work as an independent wireless access controller. On a basic model wireless access controller, each main control board supports up to 128 access points (APs); after license upgrade, each main control board supports up to 640 APs plus 20K wireless users. With two main control boards working in parallel, the WX6103 supports a maximum of 1280 APs, able to satisfy the deployment of large-sized wireless networks.
The LSQM1WCMB0 is an access controller module for the H3C S7500E series Ethernet switches. It has the same processing capability as the WX6103. After license upgrade, the access controller module can support up to 640 APs. The LSQM1WCMB0 is applicable for five models of the S7500E series as below.
The LSRM1WCM2A1 is an access controller module for the H3C S9500E series Ethernet switches. It has the same processing capability as the WX6103. After license upgrade, the access controller module can support up to 640 APs. The LSRM1WCM2A1 is applicable for three models of the S9500E series as below.
Access controller module
H3C provides network services over an innovative, authentication-based networking structure. On the basis of user IDs instead of ports or devices, mobility and security are ensured over the whole network.
The ACs in a WLAN exchange user information to implement inter-AC roaming and consistent access and security policies on the whole network. According to WPA/WPA2, encryption algorithms such as AES, TKIP, and WEP are also used together with 802.1X authentication to enhance network security.
Working together with H3C fit APs, the WX6000 series can be simply deployed on Layer 2 or Layer 3 networks without affecting existing configurations. The WX6000 series are interconnected with the APs through the CAPWAP protocol issued by the IETF.
The following contents are relatively complicated, please use PC for browsing.
Pls enter c.h3c.com.cn in the PC browser and follow the instruction from the page, you will continue to sync to PC.
Continue mobile phone browsing.
In addition to 802.11a/b/g AP management, the WX6000 series can work together with the 802.11n-based WA2600 series APs to provide wireless access at a speed six times that of a traditional 802.11a/b/g network. 802.11n covers a wider range and provides real WLAN multimedia applications.
In a wireless network of centralized forwarding mode, all wireless traffic is sent to an AC for processing. Therefore, the forwarding capability of the AC may become the bottleneck. This is especially true on wireless networks where APs are deployed at branches, ACs are deployed at the headquarters, and APs and ACs are connected over a WAN.
However, distributed forwarding cannot provide traffic control as good as the centralized forwarding mode does.
The WX6000 series supports both forwarding modes. You can set SSID based forwarding type as needed.
User-based access control is a feature of the WX6000 series. The WX6000 series use a user profile as a configuration template to save predefined configurations. For different application scenarios, you can configure different items in a user profile, such as Committed Access Rate (CAR) and QoS policies.
A client that wants to access a device needs to pass authentication first. During authentication, an authentication server assigns a user profile to the device. If the user passes authentication, the device uses the configuration contents in the user profile to restrict the accessible resources of the user. When the user goes offline, the device disables the user profile. Thus, user profiles are applicable to online users rather than offline users and users that fail to pass authentication.
The WX6000 series support MAC-based access control, which allows you to configure and modify the access rights of a user group or a particular user. The refined user right control method enhances the availability of WLANs and facilitates access right assignment.
MAC-based VLAN is another strong feature of the WX6000 series. The administrator can assign users (or MAC addresses) with the same attribute into the same VLAN and configure a VLAN-based security policy on the AC. This simplifies system configuration and refines user management to the per-user granularity.
For security or accounting, the administrator may need to control the physical position of wireless clients. The WX6000 series can satisfy this requirement. During authentication, the AC gets a list of permitted APs from the authentication server and then selects an AP for the requesting wireless client. In this way, the wireless client can only associate with that AP and thus its position is controlled.
The high-end WX6100 series access controllers support replacement of key components. Each WX6100 series is configured with dual power modules to ensure high reliability.
u 1+1 Redundancy
The 1+1 redundancy configuration of the WX6000 series support 100 ms failover. Fit APs establish CAPWAP links with both ACs, but only the links to the active AC are active. When the active AC fails, the heartbeat mechanism between the two ACs ensures that the standby AC can sense the failure within 100 ms and then inform APs to use links to it, thus ensuring service continuity.
u N+1 Redundancy
N+1 redundancy is the best solution in terms of reliability and economy, in which, N WX6000 series ACs operate independently, and another AC operates as a standby AC. When one of the N ACs fails, the standby AC will replace it. When the active AC recovers, APs will associate with it again. The WX6000 series support up to 4 plus 1 redundancy.
u N+N Redundancy
When N WX6000 series ACs are deployed in a WLAN, the N+N redundancy feature allows an AP to choose an optimal AC for access. If the optimal AC fails, the AP will choose another optimal AC for access. This mechanism implements both AC redundancy and load sharing. You can configure the AP to select the optimal AC according to the loads or predefined priorities of ACs. To implement N+N redundancy, the N-1 ACs must be capable of managing all the deployed APs.
In a WLAN, adjacent wireless APs should work in different channels to avoid channel interference. However, channels are very rare resources for a WLAN. There are a small number of non-overlapping channels for APs. For example, there are only three non-overlapping channels for a 2.4G network. Therefore, the key to wireless applications is how to allocate channels for APs intelligently. Meanwhile, there are many possible interference sources that can affect the normal operation of APs in a WLAN, such as rogue APs, radars and microwave ovens. The intelligent channel switching technique can ensure the allocation of an optimal channel to each AP, and minimize adjacent channel interference. Besides, the real-time interference detection function can help keep APs away from interference sources such as rogue APs.
According to IEEE 802.11, wireless clients control wireless roaming in WLANs. Usually, a wireless client chooses an AP based on the Received Signal Strength Indication (RSSI). Therefore, many clients may choose the same AP for this AP has a high RSSI. As these clients share the same wireless medium, the throughput of each client is reduced greatly.
The intelligent AP load sharing function can analyze the locations of wireless clients in real time, dynamically determine which APs at the current location can share load with one another, and implement load sharing among these APs. In addition to load sharing based on the number of online sessions, the system also supports load sharing based on the traffic of online wireless users.
u Rogue AP detection
The WX6000 series can automatically detect rogue devices (such as rogue APs or Ad Hoc wireless terminals) and report to the network management center in real time.
u Whitelist function
The WX6000 series support the white list function. With this function enabled, only the wireless clients on the white list are considered legal. Packets from illegal clients are all dropped at the APs.
u Black list function
The WX6000 series support the static blacklist and dynamic blacklist functions. You can manually add specific devices into the blacklist or configure the AC to add devices into the blacklist through real-time detection. Packets from devices in the blacklist are all dropped at the APs to minimize impact of attack packets on the wireless network.
u Protection against wireless protocol attacks
The WX6000 series can detect many kinds of attacks, such as DOS attack, flooding attack, de-authentication and de-connection packet spoofing, and weak IV of wireless users. When an AC detects any of the above-mentioned attacks, it generates an alarm or log information to remind the administrator to deal with the attack accordingly. This function can work in conjunction with the dynamic blacklist function. That is, when the AC detects an attack, it adds the wireless client that initiated the attack into the blacklist so that the WLAN will not be attacked by that wireless client any more.
The WX6000 series support the following types of authentication:
u 802.1X authentication
The WX6000 series support multiple 802.1X authentication modes, such as TLS, PEAP, TTLS, MD5, and SIM card. The local 802.1X authentication mode supports MD5, TLS and PEAP and thus the user need not configure the AAA server. The WX6000 series also support dynamic VLAN and ACL assignment to wireless clients after they pass 802.1X authentication. You can predefine the access control policies so that the system can automatically configure user rights during user authentication.
u MAC address authentication
Authentication modes for computer users are not suitable for some hand-held terminals (such as WiFi phones and hand-held mobile terminals). By supporting MAC address authentication, the WX6000 series can easily solve this problem. On a wireless access controller or CAMS server, you can configure which MAC addresses are allowed to access the wireless network. MAC addresses not configured are considered illegal and cannot access the wireless network. This function facilitates some wireless applications such as the wireless medicine system, where MAC address authentication can ensure that only the PDA terminals of the hospital can access the wireless network while those of patients cannot.
u Portal authentication
For visitors who want to access the Internet through the wireless network of an enterprise but have no 802.1X client installed, portal authentication is a good solution.
u PPPoE authentication
Using the mature PPPoE authentication and accounting functions, the WX6000 series can conveniently implement advanced accounting for users, such as accounting by traffic, to satisfy certain carrier-level requirements.
The WX6000 series support access of IPv6 wireless users. As the gateway for IPv6 users is not on an access controller, a dedicated IPv6 gateway is needed. The access controller can recognize IPv6 packets on the tunnel start AP. Because the AP device can recognize IPv6 packets, it can map the IPv6 priority to the tunnel priority. The access controller side can also use ACLs to control and filter IPv6 packets.
The WX6000 series can be deployed in IPv6 networks, in which an AC automatically negotiates an IPv6 tunnel with each AP. Although the AC and AP are working in IPv6 mode, the AC can still correctly recognize and process IPv4 packets from wireless clients. The flexible IPv4/v6 adaptability enables the WX6000 series to satisfy various complicated applications in the process of IPv4 to IPv6 migration. When deployed on an IPv6 island, the AC can provide services for IPv4 wireless clients. When deployed on an IPv4 island, it can also allow wireless clients to log in to the network through IPv6.
Developed based on the Comware V5 platform, the WX6000 series support not only the Diff-Serv standard but also the IPv6 QoS.
The QoS Diff-Serv model includes traffic classification and traffic policing, completely implementing the six groups of services, EF, AF1 through AF4 and BE. This enables ISPs to provide differentiated services for users, making the Internet a true integrated network carrying data, voice and video services at the same time.
u Traffic classification: Classifies packets with different characteristics using certain match criteria. Traffic classification is the prerequisite for Diff-Serv implementation.
u Traffic policing: Polices specific incoming traffic. When the traffic flow exceeds the set limit, rate limiting or punishment measures can be taken to protect business interests and network resources.
Layer 3 roaming is hard to implement in a WLAN comprised of fat APs due to limited communication between APs. With the centralized forwarding and control architecture, the WX6000 series support Layer-2 and Layer-3 roaming and well solve the inter-subnet roaming problem. This excellent roaming feature allows you to plan a wireless network without worrying about the planning of the existing wired network. All you need to consider is wireless signal coverage. This greatly simplifies the early wireless network planning and reduces the network planning cost.
When a wireless terminal uses 802.1X for 802.11 access authentication and key exchange, there will be a great number of packets exchanged between the terminal and the AP. If the complete 802.1X authentication process is followed by a wireless terminal that roams from one AP to another, this will surely result in a very long handover time. This is unacceptable for delay sensitive services such as VoIP. The WX6000 series use Key Caching to implement fast handover of roaming wireless terminals. The Key Cache functionality allows wireless terminals to roam from one AP to another without following the complete 802.1X authentication process while it ensures user identification and the continuity of key use. With fast handover, the handover time is kept within 50 ms.
Dimensions (H × W × D), excluding the plastic panel width
176 × 436 × 420 mm
40.6 × 366.7 × 340 mm
< 25.2 kg
One console port
One out-of-band network management port
24 × GE electrical ports
Four GE SFP optical ports (a Combo port consists of a GE SFP optical port and a GE electrical port)
Two 10-GE XFP optical ports
Input voltage ranges
Input voltage range: 90 VAC to 264 VAC;50 Hz or 60 Hz
Max. power consumption
0°C to 45°C (32°F to 113°F)
Relative humidity (noncondensing)
10% to 90%
–40°C to 70°C
Storage humidity (noncondensing)
5% to 95%
l UL 60950-1,
l CAN/CSA C22.2 No 60950-1,
l IEC 60950-1,
l EN 60950-1/A11,
l AS/NZS 60950,
l EN 60825-1,
l EN 60825-2,
l FDA 21 CFR Subchapter J
l ETSI EN 300 386 V1.3.3:2005
l EN 55024: 1998+ A1: 2001 + A2: 2003
l EN 55022:2006
l VCCI V-3:2007
l EN 61000-3-2:2000+A1:2001+A2:2005
l EN 61000-3-3:1995+A1:2001+A2:2005
l AS/NZS CISPR 22:2004
l FCC PART 15:2005
l GB 9254:1998
l GB/T 17618:1998
≥ 40 years
Maximum number of managed APs
640 (by upgrading the license, each engine can manage 640 APs, and double engines can manage 1280 APs)
Size of each license
802.3 LAN protocols
ARP (gratuitous ARP)
VLAN (port/MAC-based VLANs)
802.11 LAN protocols
Layer 2/Layer 3 network topology between AP and AC
Automatic AC discovery by APs
AP software version upgrade through the AC
AP configuration file download from the AC
IPv4/IPv6 networks supported between AP and AC
Key cache fast roaming
TCPv6, UDPv6, ICMPv6
IPv6 static routing
MAC address authentication
802.1X authentication (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-SIM, and EAP-MD5, where EAP-TLS, EAP-PEAP, and EAP-MD5 are supported by local authentication)
Portal authentication (both embedded portal server and external portal server supported)
Local portal server
Multi-domain configuration on the authentication server
Backup authentication server
ESS based authentication server selection
SSID to user account number binding
802.11 security and privacy
802.11i, (with 802.1X and PSK authentication)
Detection of and countermeasures against rogue wireless devices
Wireless attack prevention
Split MAC (Centralized forwarding modes)
Local MAC (Local forwarding modes)
AP based bandwidth/rate limit
Isolation of users with the same SSID
User-based bandwidth limit
User-based access control
Country code configuration
Manual transmit power configuration
Auto transmit power configuration
Manual operating channel configuration
Auto operating channel configuration
Auto transmit rate adjustment
Coverage hole correction
Traffic and user number based AP load sharing
Wireless RF interference detection and mitigation
Dual power supplies
100 ms failover between ACs
Multiple AC redundancy modes (1+1, N+1, N+N)
Layer 2 to Layer 4 packet filtering and traffic classification
User-based and SSID-based rate limit, with granularity of 64 kbps
AP-based output queues, supporting FIFQ, PQ, and CQ queue scheduling algorithms
Mapping between wired priority and wireless priority
Mapping between wireless user priority and CAPWAP tunnel priority
User access management
Login from the console port
Login through Telnet
Login through SSH
Upload through FTP
Number of VLANs
Number of ACLs
Number of wireless users
Jumbo frame size
Roaming switchover time
Less than 50 ms
H3C offers a unified wired and wireless access solution that takes network deployment, implementation, and maintenance into account. It is advanced in hardware, security and management and can improve the capacity, performance and reliability of the whole network. It enables the user to build a wireless network on a legacy network system to protect network investments. It provides access controller modules, which can be inserted to switches to build wireless networks without the need of installing standalone ACs, and thus effectively reduces hardware costs. Based on the interconnectivity of wired and wireless networks, the wireless network can be effectively integrated into the existing wired network to enable the legacy network to provide wireless services and protect user investments. In addition, the reliable, high-bandwidth links on the backplane of the core switch greatly improves network performance, and thus can ensure smooth and stable operation of wired and wireless applications and corporate services.
This solution adopts the centralized management architecture and a unified network management system to facilitate wireless network configurations and implement efficient management.
This OAA-based solution allows for the centralized configuration of security policies and facilitates maintenance and management. Integrated hardware fully exploits the processing capacity of the access controllers, and supports deployment of advanced security policies.
Currently, H3C unified wired and wireless access solutions have been successfully applied in fields such as digital medical treatment, education, traffic, finance, and energy sources.
Features of the unified wired and wireless access solution are as follows:
u Unified hardware
An access controller module can be inserted into a wired switch to provide wireless services. This saves hardware investment and improves network performance.
u Integrated management
The wireless network is maintained together with the wired network through iMC and CAMS. The management interfaces are unified and thus no new management platform needs to be built.
u Unified security
The wireless network uses the same endpoint admission defense (EAD) solution as the wired network; thus, unified security policies can be deployed. Special security cards can be inserted into switches to implement end-to-end deep packet inspection and monitoring.
The wireless access solution for subway is another typical application of wireless access controllers. In this application, the wireless network constructed with H3C’s WX6100 series access controllers and APs is responsible for reliable transmission of the control signals for the subway trains. The train control signals are transmitted through APs installed along the rail tracks to the in-vehicle AP, which then transmits the signals to the train control system connected with the wireless network on the train. The train control signals control the start, acceleration, and stop of the train. Therefore, it is required that the wireless network that transmits the signals must be of high reliability and has a rapid self-healing ability.
The subway application wireless access solution uses two access controllers to control the rail-side APs. These access controllers can be equipped with two main control boards, one working in active mode and the other in standby mode. The two access controllers form an access control group where one is the master access controller and the other is the backup access controller. The rail-side APs maintain a CAPWAP link with each of the two access controllers at the same time, but only the CAPWAP link with the master access controller is in the active state. When the master access controller breaks down, the heartbeat mechanism between the two access controllers is able to detect the failure of the master access controller within 100 ms and notify the rail-side APs for CAPWAP link switchover. This ensures interrupted transmission of the control signals.