文章详细描述了如何在华为AC旁挂三层组网环境中配置DHCP、AP管理和无线业务,包括VLAN划分、AP上线、WLAN业务设置、NAT配置以及安全策略,确保AP能获取管理地址并与公网通信。
【华为】AC三层旁挂直接转发
实验需求
AC组网方式:旁挂三层组网。
业务数据转发方式:直接转发(缺省方式)。
DHCP部署方式:
汇聚交换机作为DHCP服务器为AP和STA分配IP地址
AC作为AP的DHCP服务器,分配管理地址
AP管理:VLAN 200,网段为192.168.200.0/24。网关为AC上的VLANIF200接口IP。
无线业务:
VLAN 100,SSID为IT,密码为a1234567,网段为192.168.100.0/24。网关为汇聚交换机上的VLANIF100接口IP。
VLAN 110,SSID为HR,密码为b1234567,网段为192.168.110.0/24。网关为汇聚交换机上的VLANIF110接口IP。
AC与AP建立管理隧道的源接口:AC上的VLANIF200。
AC与汇聚交换机三层互联的接口:VLANIF200。
汇聚交换机与出口网关三层互联的接口:VLANIF10。
实验拓扑
配置
AC和AP二层通信
AC
[AC6605]dhcp enable ## 开启DHCP 功能
Info: The operation may take a few seconds. Please wait for a moment.done.
[AC6605]vlan 200
[AC6605]int vlan 200 ## 配置SVI200 接口地址,使它能够与核心交换机通信
[AC6605-Vlanif200]dhcp select interface ## 选择接口下的DHCP
[AC6605-Vlanif200]dhcp server dns-list 8.8.8.8 ## 下发的DNS
[AC6605-Vlanif200]qu
## 把与LSW1相连接的接口配置成Trunk接口,并放行管理VLAN200
[AC6605]interface GigabitEthernet0/0/1
[AC6605-GigabitEthernet0/0/1]port link-type trunk
[AC6605-GigabitEthernet0/0/1]port trunk allow-pass vlan 200
[AC6605-GigabitEthernet0/0/1]quit
LSW1
[LSW1]vlan batch 100 110 200 ## 批量创建vlan 100 110 200
[LSW1]interface Vlanif200 ## 创建VLANif200
[LSW1-Vlanif200]ip address 192.168.200.100 255.255.255.0 ##配置IP地址,能让LSW1与AC实现通信
[LSW1-Vlanif200]quit
## 把与AC相连接的接口配置成Trunk接口,并放行管理VLAN200
[LSW1]interface GigabitEthernet0/0/2
[LSW1-GigabitEthernet0/0/2] port link-type trunk
[LSW1-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[LSW1-GigabitEthernet0/0/2]quit
## 把LSW1下端的接口配置成Trunk接口,并放行VLAN 100 110 200 流量
[LSW1]interface GigabitEthernet0/0/3
[LSW1-GigabitEthernet0/0/3] port link-type trunk
[LSW1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 110 200
[LSW1-GigabitEthernet0/0/3]quit
LSW2
[LSW2]vlan batch 100 110 200
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW2]interface Ethernet0/0/1
[LSW2-Ethernet0/0/1] port link-type trunk
[LSW2-Ethernet0/0/1] port trunk allow-pass vlan 100 110 200
[LSW2-Ethernet0/0/1]quit
[LSW2]interface Ethernet0/0/2
[LSW2-Ethernet0/0/2] port link-type trunk
[LSW2-Ethernet0/0/2] port trunk pvid vlan 200 ## 配置该接口的pvid为管理VLAN,使AP能够获取到管理IP地址
[LSW2-Ethernet0/0/2] port trunk allow-pass vlan 100 110 200 ## 放行vlan 100 110 200
[LSW2-Ethernet0/0/2]quit
[LSW2]interface Ethernet0/0/3
[LSW2-Ethernet0/0/3] port link-type trunk
[LSW2-Ethernet0/0/3] port trunk pvid vlan 200 ## 配置该接口的pvid为管理VLAN,使AP能够获取到管理IP地址
[LSW2-Ethernet0/0/3] port trunk allow-pass vlan 100 110 200 ## 放行vlan 100 110 200
[LSW2-Ethernet0/0/3]quit
AP2获取到的管理地址
dispaly ip int brief
AP3获取到的管理地址
dispaly ip int brief
AP上线
[AC6605]capwap source interface Vlanif 200 ## 指定capwap隧道源接口为VLANif200
[AC6605-wlan-view]regulatory-domain-profile name domain ## 创建管理域名为“domain”(缺省CN)
[AC6605-wlan-regulate-domain-domain]quit
[AC6605-wlan-view]ap-group name IT ## 创建AP组为“IT”
Info: This operation may take a few seconds. Please wait for a moment.done.
[AC6605-wlan-ap-group-IT]regulatory-domain-profile domain ## 关联管理域“domain”
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y ## 重启AP
[AC6605-wlan-ap-group-IT]quit
[AC6605-wlan-view]ap-group name HR ## 创建AP组为“HR”
Info: This operation may take a few seconds. Please wait for a moment.done.
[AC6605-wlan-ap-group-HR]regulatory-domain-profile domain ## 关联管理域“domain”
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y ## 重新上线该AP
[AC6605-wlan-ap-group-HR]quit
[AC6605-wlan-view]ap auth-mode mac-auth ## ap认证模式为MAC认证
[AC6605-wlan-view]ap-id 1 ap-mac 00e0-fce5-38e0 ## ap编号为1,mac地址为 00e0-fce5-38e0
[AC6605-wlan-ap-1]ap-name IT ## ap的名字为 “IT”
[AC6605-wlan-ap-1]ap-group IT ## 关联ap组“IT”
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y ## 重新上线该AP
[AC6605-wlan-ap-1]quit
[AC6605-wlan-view]ap-id 2 ap-mac 00e0-fc15-3860 ## ap编号为2,mac地址为 00e0-fc15-3860
[AC6605-wlan-ap-2]ap-name HR ## ap的名字为 “HR”
[AC6605-wlan-ap-2]ap-group HR ## 关联ap组“HR”
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y ## 重新上线该AP
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC6605-wlan-ap-2]quit
此时执行命令 display ap all 查看到AP的“State”字段为“nor”时,表示AP正常上线,示例如下。
配置WLAN业务
AC
[AC6605-wlan-view]security-profile name IT ## 创建安全模板名为“IT”
[AC6605-wlan-sec-prof-IT]security wpa-wpa2 psk pass-phrase a1234567 aes ## 设置无线密码,方式为psk认证,密码a1234567,用aes加密
[AC6605-wlan-sec-prof-IT]quit
[AC6605-wlan-view]ssid-profile name IT ## 创建SSID模板名为“IT”
[AC6605-wlan-ssid-prof-IT]ssid IT ## 设置SSID名为“IT”
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-ssid-prof-IT]quit
[AC6605-wlan-view]vap-profile name IT ## 创建VAP模板“IT”
[AC6605-wlan-vap-prof-IT]ssid-profile IT ## 关联SSID模板“IT”
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-IT]security-profile IT ## 关联安全模板“IT”
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-IT]forward-mode direct-forward ## 定义转发方式为直连转发(缺省)
[AC6605-wlan-vap-prof-IT]service-vlan vlan-id 100 ## 指定VAP模板“IT”的业务流量
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-IT]quit
[AC6605-wlan-view]security-profile name HR ## 创建安全模板名为“HR”
[AC6605-wlan-sec-prof-HR]security wpa-wpa2 psk pass-phrase b1234567 aes ## 设置无线密码,方式为psk认证,密码b1234567,用aes加密
[AC6605-wlan-sec-prof-HR]qu
[AC6605-wlan-view]ssid-profile name HR ## 创建SSID模板名为“HR”
[AC6605-wlan-ssid-prof-HR]ssid HR ## 设置SSID名为“HR”
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-ssid-prof-HR]qu
[AC6605-wlan-view]vap-profile name HR ## 创建VAP模板“HR”
[AC6605-wlan-vap-prof-HR]security-profile HR ## 关联安全模板“HR”
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-HR]ssid-profile HR ## 关联SSID模板“HR”
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-HR]forward-mode direct-forward ## 定义转发方式为直连转发(缺省)
[AC6605-wlan-vap-prof-HR]service-vlan vlan-id 110 ## 指定VAP模板“HR”的业务流量
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-HR]qu
[AC6605-wlan-view]ap-group name IT ## 进入AP组“IT”
[AC6605-wlan-ap-group-IT]vap-profile IT wlan 1 radio all ## 关联vap模板“IT”,wlan编号为1,射频为all(0,1,2)
Info: This operation may take a few seconds, please wait...done.
[AC6605-wlan-ap-group-IT]quit
[AC6605-wlan-view]ap-group name HR ## 进入AP组“HR”
[AC6605-wlan-ap-group-HR]vap-profile HR wlan 2 radio all ## 关联vap模板“HR”,wlan编号为1,射频为all(0,1,2)
Info: This operation may take a few seconds, please wait...done.
[AC6605-wlan-ap-group-HR]quit
LSW1(作DHCP地址池)
作为STA的业务DHCP服务器,下发业务流量
[LSW1]dhcp enable
[LSW1]int vlan 100
[LSW1-Vlanif100]ip address 192.168.100.254 24
[LSW1-Vlanif100]dhcp select interface
[LSW1-Vlanif100]quit
[LSW1]int vlan 110
[LSW1-Vlanif110]ip address 192.168.110.254 24
[LSW1-Vlanif110]dhcp select interface
[LSW1-Vlanif110]qu
业务成功下发
访问公网(NAT)
LSW1
[LSW1]interface Vlanif10
[LSW1-Vlanif10] ip address 192.168.10.2 255.255.255.0
[LSW1-Vlanif10]quit
## 指向AR1
[LSW1]ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
AR1
## 匹配感兴趣流量(允许上网的流量)
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.10.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 192.168.100.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 192.168.110.0 0.0.0.255
## 在外接口启用Easy IP
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 202.101.1.2 24
[AR1-GigabitEthernet0/0/0]nat outbound 2000
[AR1-GigabitEthernet0/0/0]quit
## 与LSW1实现互联
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.10.1 24
[AR1-GigabitEthernet0/0/1]quit
## 默认路由通往ISP
[AR1]ip route-static 0.0.0.0 0.0.0.0 202.101.1.1
## 静态路由指回内部
[AR1]ip route-static 192.168.100.0 255.255.255.0 192.168.10.2
[AR1]ip route-static 192.168.110.0 255.255.255.0 192.168.10.2
成功上网啦
配置文档
AC
dhcp enable
vlan 200
int vlan 200
ip address 192.168.200.254 24
dhcp select interface
dhcp server dns-list 8.8.8.8
qu
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
quit
capwap source interface Vlanif 200
wlan
regulatory-domain-profile name domain
quit
ap-group name IT
regulatory-domain-profile domain
yes
quit
ap-group name HR
regulatory-domain-profile domain
yes
quit
ap auth-mode mac-auth
ap-id 1 ap-mac 00e0-fce5-38e0(添加自己的AP MAC地址)
ap-name IT
ap-group IT
yes
quit
ap-id 2 ap-mac 00e0-fc15-3860(添加自己的AP MAC地址)
ap-name HR
ap-group HR
yes
quit
security-profile name IT
security wpa-wpa2 psk pass-phrase a1234567 aes
quit
ssid-profile name IT
ssid IT
quit
vap-profile name IT
ssid-profile IT
security-profile IT
forward-mode direct-forward
service-vlan vlan-id 100
quit
security-profile name HR
security wpa-wpa2 psk pass-phrase b1234567 aes
qu
ssid-profile name HR
ssid HR
qu
vap-profile name HR
security-profile HR
ssid-profile HR
forward-mode direct-forward
service-vlan vlan-id 110
qu
ap-group name IT
vap-profile IT wlan 1 radio all
quit
ap-group name HR
vap-profile HR wlan 2 radio all
quit
LSW1
#
sysname LSW1
#
undo info-center enable
#
vlan batch 10 100 110 200
#
dhcp enable
#
interface Vlanif10
ip address 192.168.10.2 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif110
ip address 192.168.110.254 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 192.168.200.100 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
#
LSW2
#
sysname LSW2
#
undo info-center enable
#
vlan batch 100 110 200
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
interface Ethernet0/0/2
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 100 110 200
#
interface Ethernet0/0/3
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 100 110 200
AR1
#
sysname AR1
#
undo info-center enable
#
acl number 2000
rule 5 permit source 192.168.100.0 0.0.0.255
rule 10 permit source 192.168.110.0 0.0.0.255
rule 15 permit source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet0/0/0
ip address 202.101.1.2 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet0/0/1
ip address 192.168.10.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.101.1.1
ip route-static 192.168.100.0 255.255.255.0 192.168.10.2
ip route-static 192.168.110.0 255.255.255.0 192.168.10.2
#
ISP
#
sysname ISP
#
undo info-center enable
#
interface GigabitEthernet0/0/0
ip address 202.101.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
扫一扫
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
