Example for Configuring Basic WLAN Services on a Large-Scale Network

2023-11-12 13:22 | Source: compiled from the web | Views: 265

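Configure the NAC mode on the AC as unified mode so that users can access the network normally

<HUAWEI> system-view
[HUAWEI] authentication unified-mode

If the current NAC mode is traditional mode, the change to unified mode takes effect only after you save the configuration and restart the device.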

Configure network connectivity

# Configure the access switch Switch_A. Add interfaces GE0/0/1 to GE0/0/5 to VLAN 100 (management VLAN). Add GE0/0/1 and GE0/0/2 to VLAN 101 and VLAN 102 (service VLANs), and GE0/0/3 and GE0/0/4 to VLAN 103 and VLAN 104 (service VLANs).

<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 104
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 102
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 103 to 104
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitethernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 103 to 104
[Switch_A-GigabitEthernet0/0/4] port-isolate enable
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitethernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 100 to 105
[Switch_A-GigabitEthernet0/0/5] quit

# Configure the aggregation switch Switch_B. Add interface GE1/0/1 to VLAN 100 through VLAN 104, GE1/0/2 to VLAN 200, and GE1/0/3 to VLAN 201.

<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 104 200 201
[Switch_B] interface gigabitethernet 1/0/1
[Switch_B-GigabitEthernet1/0/1] port link-type trunk
[Switch_B-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 104
[Switch_B-GigabitEthernet1/0/1] quit
[Switch_B] interface gigabitethernet 1/0/2
[Switch_B-GigabitEthernet1/0/2] port link-type trunk
[Switch_B-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Switch_B-GigabitEthernet1/0/2] quit
[Switch_B] interface gigabitethernet 1/0/3
[Switch_B-GigabitEthernet1/0/3] port link-type trunk
[Switch_B-GigabitEthernet1/0/3] port trunk allow-pass vlan 201
[Switch_B-GigabitEthernet1/0/3] quit

# On the aggregation switch Switch_B, create VLANIF100 through VLANIF104, VLANIF200 and VLANIF201, and configure their IP addresses. VLANIF100 is the gateway for the APs, VLANIF101 and VLANIF102 are the gateways for guest users, VLANIF103 and VLANIF104 are the gateways for enterprise employees, VLANIF200 is used for communication between Switch_B and the AC, and VLANIF201 is used for communication between Switch_B and Router.

[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] ip address 10.23.100.1 24
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] ip address 10.23.101.1 24
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] ip address 10.23.102.1 24
[Switch_B-Vlanif102] quit
[Switch_B] interface vlanif 103
[Switch_B-Vlanif103] ip address 10.23.103.1 24
[Switch_B-Vlanif103] quit
[Switch_B] interface vlanif 104
[Switch_B-Vlanif104] ip address 10.23.104.1 24
[Switch_B-Vlanif104] quit
[Switch_B] interface vlanif 200
[Switch_B-Vlanif200] ip address 10.45.200.2 24
[Switch_B-Vlanif200] quit
[Switch_B] interface vlanif 201
[Switch_B-Vlanif201] ip address 10.67.201.2 24
[Switch_B-Vlanif201] quit

# Add interface GE0/0/1 of the AC, which connects to the aggregation switch Switch_B, to VLAN 200.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 101 to 104 200
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.45.200.1 24
[AC-Vlanif200] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/1] quit

# Add interface GE2/0/0 of Router to VLAN 201, and configure an IP address so that Router can communicate with Switch_B.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 201
[Router] interface vlanif 201
[Router-Vlanif201] ip address 10.67.201.1 24
[Router-Vlanif201] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 201
[Router-GigabitEthernet2/0/0] quit

# Configure the routes from Router to Switch_B.

[Router] ip route-static 10.23.100.0 24 10.67.201.2
[Router] ip route-static 10.23.101.0 24 10.67.201.2
[Router] ip route-static 10.23.102.0 24 10.67.201.2
[Router] ip route-static 10.23.103.0 24 10.67.201.2
[Router] ip route-static 10.23.104.0 24 10.67.201.2

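# Configure a default route on Switch_B with VLANIF201 of Router as the next hop.

[Switch_B] ip route-static 0.0.0.0 0.0.0.0 10.67.201.1

# Configure a route from the AC to the APs with VLANIF200 of Switch_B as the next hop.

[AC] ip route-static 10.23.100.0 24 10.45.200.2

Configure DHCP services to assign IP addresses to the APs and STAs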

# Configure Switch_B as a DHCP relay.

[Switch_B] dhcp enable
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] dhcp select relay
[Switch_B-Vlanif100] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] dhcp select relay
[Switch_B-Vlanif101] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] dhcp select relay
[Switch_B-Vlanif102] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif102] quit
[Switch_B] interface vlanif 103
[Switch_B-Vlanif103] dhcp select relay
[Switch_B-Vlanif103] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif103] quit
[Switch_B] interface vlanif 104
[Switch_B-Vlanif104] dhcp select relay
[Switch_B-Vlanif104] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif104] quit

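# Configure Router as the DHCP server that assigns IP addresses to the APs and STAs. When the AP and AC are separated by a Layer 3 network, Option 43 must be configured to advertise the AC's IP address to the APs.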
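
Added example, not part of the original page: the Python code below shows what the option 43 sub-option 3 ascii 10.45.200.1 setting used in this step carries as an encapsulated TLV (RFC 2132 vendor-specific layout), and checks an Option 43 value taken from a DHCP offer against the AC address this deployment expects. The function names and the comma-separated form for several addresses are assumptions made for the example.

```python
import ipaddress

AC_SOURCE_IP = "10.45.200.1"  # VLANIF200 on the AC, the CAPWAP source in this example
SUBOPT_AC_ASCII = 3           # sub-option number used in the Router's "ap" pool


def encode_option43(ac_ips):
    """Build the Option 43 value: one sub-option 3 TLV holding ASCII IPv4 text."""
    for ip in ac_ips:
        ipaddress.IPv4Address(ip)  # raises ValueError on anything not IPv4
    text = ",".join(ac_ips).encode("ascii")  # comma separator is an assumption
    if len(text) > 255:
        raise ValueError("value does not fit the one-byte length field")
    return bytes([SUBOPT_AC_ASCII, len(text)]) + text


def parse_option43(value):
    """Split an Option 43 value into {sub_option: bytes}; reject truncated TLVs."""
    subopts, i = {}, 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated TLV header")
        code, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("TLV length runs past the end of the option")
        subopts[code] = body
        i += 2 + length
    return subopts


def advertised_acs(value):
    """Return the AC addresses carried in sub-option 3, validated as IPv4."""
    body = parse_option43(value).get(SUBOPT_AC_ASCII, b"")
    return [str(ipaddress.IPv4Address(p)) for p in body.decode("ascii").split(",") if p]


def offer_is_expected(value, expected=(AC_SOURCE_IP,)):
    """True only if sub-option 3 is present and names nothing but expected ACs."""
    try:
        acs = advertised_acs(value)
    except ValueError:  # malformed TLV, non-ASCII text or bad address
        return False
    return bool(acs) and set(acs) <= set(expected)


if __name__ == "__main__":
    print(encode_option43([AC_SOURCE_IP]).hex())
```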

Configure the DNS server address as required. The common methods are as follows: in the interface address pool scenario, run the dhcp server dns-list ip-address & command in the VLANIF interface view; in the global address pool scenario, run the dns-list ip-address & command in the IP address pool view.

[Router] dhcp enable
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] option 43 sub-option 3 ascii 10.45.200.1
[Router-ip-pool-ap] quit
[Router] ip pool sta1
[Router-ip-pool-sta1] network 10.23.101.0 mask 24
[Router-ip-pool-sta1] gateway-list 10.23.101.1
[Router-ip-pool-sta1] quit
[Router] ip pool sta2
[Router-ip-pool-sta2] network 10.23.102.0 mask 24
[Router-ip-pool-sta2] gateway-list 10.23.102.1
[Router-ip-pool-sta2] quit
[Router] ip pool sta3
[Router-ip-pool-sta3] network 10.23.103.0 mask 24
[Router-ip-pool-sta3] gateway-list 10.23.103.1
[Router-ip-pool-sta3] quit
[Router] ip pool sta4
[Router-ip-pool-sta4] network 10.23.104.0 mask 24
[Router-ip-pool-sta4] gateway-list 10.23.104.1
[Router-ip-pool-sta4] quit
[Router] interface vlanif 201
[Router-Vlanif201] dhcp select global
[Router-Vlanif201] quit

Configure VLAN pools to be used as service VLANs

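# Create two VLAN pools, sta-pool1 and sta-pool2. Add VLAN 101 and VLAN 102 to sta-pool1 and VLAN 103 and VLAN 104 to sta-pool2, and set the VLAN assignment algorithm in both VLAN pools to "hash".

In this example the VLAN assignment algorithm in the VLAN pool is set to "hash". The assignment algorithm is "hash" by default; if the default has not been changed, you do not need to run the assignment hash command.

The VLAN pool in this example contains only VLAN 101 and VLAN 102 as an illustration. In practice you can add more VLANs to a VLAN pool in the same way as VLAN 101 and VLAN 102; you also need to create the corresponding VLANIF interfaces and configure their IP addresses on Switch_B, and configure the IP address pools on Router.

[AC] vlan pool sta-pool1
[AC-vlan-pool-sta-pool1] vlan 101 102
[AC-vlan-pool-sta-pool1] assignment hash
[AC-vlan-pool-sta-pool1] quit
[AC] vlan pool sta-pool2
[AC-vlan-pool-sta-pool2] vlan 103 104
[AC-vlan-pool-sta-pool2] assignment hash
[AC-vlan-pool-sta-pool2] quit

Configure the APs to go online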

# Create the AP groups "guest" and "employee".

[AC] wlan
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] quit

# Create a regulatory domain profile, configure the AC's country code in the profile, and bind the profile to the AP groups.

[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] quit

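# Configure the AC's source interface.

[AC] capwap source interface vlanif 200

# Import the APs offline on the AC. Add all APs deployed in the front lobby to the AP group "guest" and all APs deployed in the office area to the AP group "employee", and name each AP after its deployment location so that the location is clear from the name. For example, the AP with MAC address 00e0-fc74-9640 is deployed in room 1 on floor 2 of the office area, so it is named "office2-1".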

The default of the ap auth-mode command is MAC authentication; if the default has not been changed, you do not need to run the ap auth-mode mac-auth command.

The AP used in this example is the AP5030DN, which has two radios, radio 0 and radio 1. Radio 0 of the AP5030DN is the 2.4 GHz radio and radio 1 is the 5 GHz radio.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name lobby-1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc76-e380
[AC-wlan-ap-1] ap-name lobby-2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 00e0-fc74-9640
[AC-wlan-ap-2] ap-name office2-1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 00e0-fc74-9660
[AC-wlan-ap-3] ap-name office2-2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-3] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

# After the APs are powered on, run the display ap all command. If the "State" field of an AP is "nor", the AP has gone online normally.

[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [4]
Extrainfo : Extra information
P  : insufficient power supply
----------------------------------------------------------------------------------------------------
ID   MAC            Name      Group    IP            Type     State STA Uptime     ExtraInfo
----------------------------------------------------------------------------------------------------
0    00e0-fc76-e360 lobby-1   guest    10.23.100.254 AP5030DN nor   0   2H:29M:29S -
1    00e0-fc76-e380 lobby-2   guest    10.23.100.252 AP5030DN nor   0   2H:34M:11S -
2    00e0-fc74-9640 office2-1 employee 10.23.100.253 AP5030DN nor   0   2H:30M:1S  -
3    00e0-fc74-9660 office2-2 employee 10.23.100.251 AP5030DN nor   0   2H:35M:2S  -
----------------------------------------------------------------------------------------------------
Total: 4

Configure WLAN service parameters

# Create security profiles named "guest" and "employee", and configure their security policies.

This example configures a WPA2+PSK+AES security policy with the passwords "a1234567" and "b1234567". In a real deployment, configure a security policy that meets your actual requirements.

[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-guest] quit
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa2 psk pass-phrase b1234567 aes
[AC-wlan-sec-prof-employee] quit
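
Added example, not part of the original page: Python code that audits the pass-phrase values in security-profile lines such as the ones above before they reach a production AC, including whether the guest and employee passphrases are nearly the same string. The 8 to 63 character range is the WPA2 passphrase limit; MIN_LEN, MAX_DIGIT_RUN, the near-identical threshold and the function names are assumptions standing in for local policy.

```python
import re
from itertools import combinations

# Constructed input: the security-profile lines from the session above.
CONFIG = """\
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa2 psk pass-phrase b1234567 aes
"""
MIN_LEN = 16       # assumed local policy, not a device default
MAX_DIGIT_RUN = 3  # assumed: longest tolerated ascending digit run
PSK_RE = re.compile(r"\[AC-wlan-sec-prof-(\S+)\]\s+security\s+wpa2\s+psk\s+pass-phrase\s+(\S+)\s+aes")


def parse_psks(text):
    """Return {profile_name: passphrase} for each WPA2-PSK security profile."""
    return {m.group(1): m.group(2) for m in PSK_RE.finditer(text)}


def longest_ascending_digits(s):
    """Length of the longest run of consecutive ascending digits, e.g. '1234'."""
    best, run, prev = 0, 0, None
    for ch in s:
        digit = int(ch) if ch in "0123456789" else None
        run = 0 if digit is None else (run + 1 if prev is not None and digit == prev + 1 else 1)
        prev, best = digit, max(best, run)
    return best


def audit(text):
    """Return (profile, finding) pairs for passphrases that break the policy."""
    psks, findings = parse_psks(text), []
    for name, psk in psks.items():
        if not 8 <= len(psk) <= 63:
            findings.append((name, "outside the 8-63 character WPA2 range"))
        elif len(psk) < MIN_LEN:
            findings.append((name, "shorter than the policy minimum"))
        if longest_ascending_digits(psk) > MAX_DIGIT_RUN:
            findings.append((name, "long ascending digit run"))
    for (n1, p1), (n2, p2) in combinations(psks.items(), 2):
        diff = sum(x != y for x, y in zip(p1, p2)) + abs(len(p1) - len(p2))
        if diff <= 2:  # profiles for different user groups share almost the same key
            findings.append((n1 + "/" + n2, "near-identical passphrases"))
    return findings


if __name__ == "__main__":
    print(*audit(CONFIG), sep="\n")
```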

# Create SSID profiles named "guest" and "employee", and set their SSID names to "guest" and "employee" respectively.

[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
[AC-wlan-ssid-prof-employee] quit

# Create VAP profiles named "guest" and "employee", configure the service data forwarding mode and service VLAN, and bind the security profile and SSID profile.

[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode direct-forward
[AC-wlan-vap-prof-guest] service-vlan vlan-pool sta-pool1
[AC-wlan-vap-prof-guest] security-profile guest
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode direct-forward
[AC-wlan-vap-prof-employee] service-vlan vlan-pool sta-pool2
[AC-wlan-vap-prof-employee] security-profile employee
[AC-wlan-vap-prof-employee] ssid-profile employee
[AC-wlan-vap-prof-employee] quit

# Bind the VAP profiles to the AP groups. Both radio 0 and radio 1 of the APs use the VAP profile configuration.

[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 1
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit

Configure the channel and power of the AP radios

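Automatic channel and power calibration is enabled on radios by default; if it is not disabled, manual configuration does not take effect. The channel and power of the AP radios in this example are samples only. In a real deployment, configure them according to the AP's country code and the network planning results.

# Disable automatic channel and power calibration on radio 0 of the AP, and configure the channel and power of radio 0.

[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration on radio 1 of the AP, and configure the channel and power of radio 1.

[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Verify the configuration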

After the configuration is complete, run the display vap ssid guest and display vap ssid employee commands to view the following information. If "Status" is "ON", the VAP has been created successfully on the corresponding AP radio.

[AC-wlan-view] display vap ssid guest
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name  RfID WID   BSSID          Status  Auth type  STA   SSID
--------------------------------------------------------------------------------
0     lobby-1  0    1     00e0-fc76-e360 ON      WPA2-PSK   1     guest
0     lobby-1  1    1     00e0-fc76-e370 ON      WPA2-PSK   0     guest
1     lobby-2  0    1     00e0-fc76-e380 ON      WPA2-PSK   1     guest
1     lobby-2  1    1     00e0-fc76-e390 ON      WPA2-PSK   0     guest
-------------------------------------------------------------------------------
Total: 4
[AC-wlan-view] display vap ssid employee
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name    RfID WID   SSID      BSSID          Status  Auth type  STA
--------------------------------------------------------------------------------
2     office2-1  0    1     employee  00e0-fc74-9640 ON      WPA2-PSK   0
2     office2-1  1    1     employee  00e0-fc74-9650 ON      WPA2-PSK   1
3     office2-2  0    1     employee  00e0-fc74-9660 ON      WPA2-PSK   0
3     office2-2  1    1     employee  00e0-fc74-9670 ON      WPA2-PSK   1
-------------------------------------------------------------------------------
Total: 4

After a STA finds the wireless networks named "guest" and "employee", enters the passwords "a1234567" and "b1234567" respectively, and associates successfully, run the display station ssid guest and display station ssid employee commands on the AC. The output shows that the users have connected to the wireless networks "guest" and "employee" respectively.

[AC-wlan-view] display station ssid guest
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC          AP ID Ap name    Rf/WLAN  Band  Type  Rx/Tx   RSSI  VLAN  IP address
------------------------------------------------------------------------------
00e0-fcfc-7ead   0     lobby-1    0/1      2.4G  11n   2/4     -53   101   10.23.101.254
------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
[AC-wlan-view] display station ssid employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC          AP ID Ap name    Rf/WLAN  Band  Type  Rx/Tx   RSSI  VLAN  IP address
------------------------------------------------------------------------------
00e0-fcc7-1e08   2     office2-1  1/1      5G    11n   26/51   -61   103   10.23.103.254
------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

