The H3C WX3500X-E is a new generation of high-performance wired and wireless integrated access controller (AC) product series independently developed by H3C Technologies Co., Ltd. (hereinafter referred to as H3C). Positioned for the domestic enterprise network market, the WX3500X-E series wireless controllers feature modularity, high scalability, large capacity, high reliability, and a wide range of service types. In terms of hardware, the WX3500X-E series is equipped with a high-performance multi-core CPU, significantly improving forwarding performance compared to the previous generation. On the software side, it adopts H3C's new generation Comware network operating system platform, supporting refined user control management, comprehensive RF resource management, 24/7 wireless security management, Layer 2 and 3 fast roaming, flexible QoS control, IPv4 & IPv6 dual-stack, and many other functions. It also supports multi-core control plane, intelligent operation and maintenance, edge computing, IoT, security, and other converged features.

1. Provides management of Wi-Fi 6 APs (802.11ax)

The WX3500X-E series wireless controller supports management of 802.11a/b/g/n/ac/ac wave2/ax APs. When used in conjunction with H3C APs based on the Wi-Fi 6 (802.11ax) protocol, it breaks through the traditional serial communication mechanism of wireless networks, resulting in a significant increase in the utilization rate of wireless spectrum resources, a substantial increase in the number of effective access users, a reduction in the deployment cost of wireless networks, and a significant improvement in the user experience in high-density user environments.

2. Based on a brand new operating system

The WX3500X-E series wireless controllers are developed using H3C's next-generation Comware system. This new operating system significantly improves product performance and reliability, enabling it to meet the increasingly complex network applications in the enterprise market. The Comware system offers numerous advantages:

Multi-core control: In the Comware system, the allocation ratio of CPU control cores and forwarding cores can be adjusted as needed to achieve an optimal balance, which can fully enhance the CPU's control and data computing capabilities, while providing powerful concurrent computing capabilities.

Supports user-mode multitasking: The Comware system adopts a brand-new software execution permission control method. The vast majority of network services run in user mode. Different network services occupy different tasks, and each task occupies independent resources. If a task fails, the error is limited to that task and does not affect other tasks, enabling the system to maintain safe and reliable operation.

User-mode task monitoring: The Comware system has a task monitoring function. The system specifically monitors the running status of each user-mode task. If an abnormal situation occurs in a user-mode task, the system will reload the task so that the business can be quickly restored.

A new approach to individual service upgrades is adopted: Comware systems support individual service upgrades, allowing only a single service module to be upgraded without updating the entire software. Compared to the company's previous operating system, this significantly reduces the number of restarts required for upgrades, ensures upgrade security, and effectively improves network stability.

3. Provides flexible data forwarding methods

The WX3500X-E series wireless controllers support centralized forwarding, distributed forwarding, and policy-based forwarding, allowing users to flexibly configure forwarding methods according to business needs and actual network conditions.

4. Supports carrier-grade wireless user access control and management

User-based access control is a key feature of the WX3500X-E series wireless controllers. The User Profile provides a configuration template that can save preset configurations (a collection of configurations). Users can configure different content for their User Profile according to different application scenarios, such as CAR (Committed Access Rate) policies and QoS (Quality of Service) policies.

When a user accesses a device, authentication is required. During authentication, the authentication server sends a User Profile name to the device, and the device immediately activates the specific settings configured in the User Profile. When a user successfully accesses the device, the device uses these settings to restrict the user's access behavior. When a user logs off, the system automatically disables the configuration items under the User Profile, thus removing the restrictions imposed by the User Profile on the user. Therefore, User Profiles are suitable for restricting the access behavior of online users. When no user is online (e.g., no user accesses the device, the user fails authentication, or the user logs off), the User Profile remains in its default configuration and is ineffective.

In addition, the WX3500X-E series wireless controllers also support MAC-based authentication access control. This method not only allows customers to configure and modify user group permissions on the AAA server, but also supports the configuration of permissions for specific users. This fine-grained user permission control greatly enhances the availability of the wireless network, and network administrators can easily assign access permissions to different levels of people or groups of people through this method.

MAC-based VLANs are also a major feature of the WX3500X-E series wireless controllers. In terms of control policies, administrators can group users with the same MAC address into the same VLAN and configure security policies on the controller based on VLANs. This simplifies system configuration and enables fine-grained management at the user level.

For security or billing reasons, system administrators may want to control where wireless users access the network. The WX3500X-E series wireless controllers support location-based user access control. When a wireless user accesses the network, the authentication server can send a list of allowed APs to the AC (Access Controller), allowing access control on the AC to restrict wireless users to access only designated APs.

5. Supports intelligent channel switching

In wireless LANs, channels are a very scarce resource. Each access point (AP) can only operate on a very limited number of non-overlapping channels. For example, in a 2.4G network, there are only three non-overlapping channels. Therefore, how to intelligently allocate channels to APs is the key to wireless applications.

The frequency bands in which wireless LANs operate contain numerous potential sources of interference, such as radar and microwave ovens. Their presence in the network can interfere with the normal operation of access points (APs). Intelligent channel switching ensures that each AP is assigned the optimal channel, minimizing and avoiding interference from adjacent channels. Furthermore, real-time channel interference detection allows APs to avoid interference sources such as radar and microwave ovens in real time.

6. Supports intelligent AP load balancing

The 802.11 protocol delegates wireless roaming decisions to the wireless client, which typically selects an access point (AP) based on its signal strength (RSSI). This can easily lead to a large number of clients connecting to the same AP simply because it has a strong signal. Since these clients share the wireless medium, the network throughput for each client is significantly reduced.

The intelligent load balancing method can analyze the location of wireless clients in real time and dynamically determine which access points (APs) can share the load with each other at the current time and location. Load balancing among these APs is achieved by controlling which APs the wireless clients connect to. The system supports load balancing not only based on the number of online user sessions but also based on user traffic load.

6. Supports 7-layer mobile security detection/defense (wIDS/wIPS)

The WX3500X-E series wireless controllers support mobile security defense modes including: blacklist, whitelist, rogue defense, malformed packet detection, unauthorized user disconnection, and attack detection and countermeasures based on the pre-set and upgradeable Signature MAC layer (e.g., DoS attacks, Flood attacks, man-in-the-middle attacks). Combined with the massive intelligent expert knowledge base built into the wireless application console, it provides flexible basis for wireless security policy judgments, enabling visible physical location tracking and monitoring, and removal of physical ports on switches for clearly identified unauthorized attack sources (APs or terminals, etc.).

By working in conjunction with H3C's professional core layer firewall/IPS equipment, it can achieve a 7-layer three-dimensional security defense for mobile campuses, meeting the true end-to-end security protection needs from wireless (802.11) to wired (802.3).

7. Supports 802.1x authentication, MAC address authentication, Portal authentication, etc.

The WX3500X-E series wireless controllers support multiple authentication methods:

802.1x Authentication: The WX3500X-E series wireless controllers support multiple 802.1x authentication methods, including TLS, PEAP, TTLS, MD5, and SIM card authentication. They also support local 802.1x authentication, providing support for mainstream authentication methods such as MD5, TLS, and PEAP, eliminating the need for users to configure an additional AAA server. The WX3500X-E series wireless controllers also support dynamic VLAN and ACL authorization after 802.1x authentication. User policies can be pre-configured, and the system automatically configures client permissions during authentication.

MAC Address Authentication: The WX3500X-E series wireless controller supports MAC address authentication. For some handheld terminals (such as Wi-Fi phones, handheld mobile terminals, etc.), it is inconvenient to use computer authentication methods. MAC address authentication can easily solve this problem. By configuring valid MAC addresses on the controller or AAA server, terminals corresponding to these MAC addresses can be allowed to access the network, while unauthorized terminals that have not been configured beforehand cannot access the wireless network. This function greatly facilitates applications such as wireless medical systems. MAC address authentication can ensure that only hospital PDA work terminals can access the wireless network, while denying patients' wireless PDAs the use of the dedicated wireless network.

Portal Authentication: The WX3500X-E series wireless controllers offer a built-in Portal authentication server. This authentication method requires no client cooperation, directly using the browser's web portal page as the authentication channel. Once the user is successfully authenticated, they can be flexibly redirected to a designated access homepage and the corresponding authorization and billing processes can be initiated. Customized portal pages can also be flexibly pushed according to policy requirements to achieve advertising and information dissemination purposes, making it widely used in wireless campuses, wireless cities, and visitor access applications.

8. Supports IPv4/IPv6 dual protocol stack (Native IPv6)

The WX3500X-E series wireless controllers support IPv6 access for wireless clients. At the tunnel origin AP, because the device is aware of IPv6, it can perform IPv6 priority mapping to tunnel priority, etc.; on the AC side, it can also perform complex control and filtering such as ACL filtering on IPv6 packets.

The WX3500X-E series wireless controllers can also be deployed in IPv6 networks, with the AC and AP automatically negotiating an IPv6 tunnel. Even when the AC and AP are fully operational in IPv6 mode, the wireless controller can still correctly perceive IPv4 and process IPv4 packets from wireless clients. The WX3500X-E series wireless controllers' flexible IPv4/6 adaptability can meet the various complex applications customers face during the migration from IPv4 to IPv6 networks. It can provide IPv4 services to customers in IPv6 silos while simultaneously allowing users in IPv4 silos to easily log in to the network via IPv6 protocols.

To address the rampant IPv6 packet spoofing attacks on campus networks, the WX3500X-E series wireless controllers support IPv6 SAVI (Source Address Validation) technology. By monitoring the address allocation protocol to obtain the user's IP address, it ensures that the correct address can be used to access the internet in subsequent applications, and prevents the spoofing of other people's IP addresses, thus guaranteeing the reliability of the source address. Furthermore, the combination of IPv6 SAVI and Portal technology further ensures the authenticity and security of all internet user packets.

9. Provide end-to-end QoS

The WX3500X-E series wireless controllers not only provide comprehensive support for the Diff-Serv standard but also add QoS support for the IPv6 protocol. The QoS Diff-Serv model mainly includes flow classification, traffic policing, queue management, and queue scheduling, fully implementing the six PHB groups and services defined in the standard (EF, AF1-AF4, BE, etc.). This allows network operators to provide users with service guarantees of different quality of service levels, making the Internet a truly integrated network that simultaneously carries data, voice, and video services.

10. Supports fast 2nd and 3rd layer roaming.

H3C's centralized wireless architecture not only facilitates Layer 2 roaming but also greatly benefits Layer 3 roaming. WLAN networks deployed with Fat APs face significant challenges in implementing Layer 3 roaming due to limited information exchange between APs. The centralized architecture easily solves this problem. The WX3500X-E series wireless controllers support both Layer 2 and Layer 3 roaming, with roaming domains unrestricted by subnets. This excellent roaming feature allows customers to focus on wireless signal coverage rather than extensively planning their existing networks, significantly simplifying initial network planning and reducing costs.

In traditional mode, when wireless user terminals use 802.1x as the means of 802.11 access authentication and key exchange, the number of communication messages between the wireless user terminal and the access point (AP) is very high. When a wireless user terminal roams between two APs, if the wireless user terminal completely follows the full 802.1x interaction process during the access process to a new AP, it will inevitably result in excessively long roaming handover times. For some services that are sensitive to roaming handover time (such as voice services), such long handover times are unacceptable. The WX3500X-E series wireless controller uses key caching technology to enable fast handover for users during roaming. Key caching technology strikes a good balance between secure user access and fast roaming, allowing wireless user terminals to avoid repeating the full 802.1x authentication interaction process when roaming between two APs, while ensuring the continuity of user identification and key usage. Wireless users use fast roaming, with a roaming time of no more than 50ms within a single AC, meeting the stringent requirements of voice services.

11. Supports remote access scenarios for various branch offices

When AC and AP are connected via WAN link, users can flexibly choose centralized forwarding or local forwarding mode to improve the performance of services such as LAN printing access and terminal mutual access in branch offices.

When a WAN link or AC fails, online users will not be disconnected and can continue to access local resources. The AC escape function is also supported.

When a branch office AP is deployed within a private network, the AC can communicate with the AP by traversing NAT.

*Please refer to the version manual for supported capabilities.

Hardware Specifications

Software Specifications