wlan旁挂式组网的基本配置

 基本说明

先看拓扑图

AC作为ap的服务器，将核心交换机lsw1的地址池使用dhcp分配给ap。

交换机lsw1

vlan 10 为lsw1分配给ap的vlan ，地址为192.168.1.1

vlan 100 是AC 与lsw1相连接的网段 ，地址为192.168.100.1

vlan 101 102 是sta的业务vlan，192.168.101.1 192.168.102.1

ap的上线

网络的基本配置

将lsw2，lsw3和lsw1之间的网络配通，利用vlan做三层交换

lsw2和lsw3的配置

<Huawei>sys
[Huawei]vlan 10
[Huawei-vlan10]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk pvid vlan 10
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk pvid vlan 10
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[Huawei-GigabitEthernet0/0/2]int g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type trunk
[Huawei-GigabitEthernet0/0/3]port trunk pvid vlan 10
[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan 10

此接口lsw3没有，该pc仅仅测试连通性
[Huawei-GigabitEthernet0/0/3]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type trunk
[Huawei-GigabitEthernet0/0/4]port trunk pvid vlan 10
[Huawei-GigabitEthernet0/0/4]port trunk allow-pass vlan 10

lsw1的配置

[lsw1]vlan batch 10 100 101 102

[lsw1]int vlanif 10
[lsw1-Vlanif10]ip add 192.168.1.1 24
[lsw1-Vlanif10]int vlanif 100
[lsw1-Vlanif100]ip add 192.168.100.1 24
[lsw1-Vlanif100]int vlanif 101
[lsw1-Vlanif101]ip add 192.168.101.1 24
[lsw1-Vlanif101]int vlanif 102
[lsw1-Vlanif102]ip add 192.168.102.1 24
[lsw1-Vlanif102]int g0/0/3
[lsw1-GigabitEthernet0/0/3]port link-type trunk
[lsw1-GigabitEthernet0/0/3]port trunk pvid vlan 10
[lsw1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10
[lsw1-GigabitEthernet0/0/3]int g0/0/4
[lsw1-GigabitEthernet0/0/4]port link-type trunk
[lsw1-GigabitEthernet0/0/4]port trunk pvid vlan 10
[lsw1-GigabitEthernet0/0/4]port trunk allow-pass vlan 10
[lsw1-GigabitEthernet0/0/4]int g0/0/2
[lsw1-GigabitEthernet0/0/2]port link-type trunk
[lsw1-GigabitEthernet0/0/2]port trunk pvid vlan 100
[lsw1-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101 102

ac的配置

[ac1]
[ac1]vlan batch 100 101 102
[ac1]int vlanif 100
[ac1-Vlanif100]ip add 192.168.100.254 24
[ac1-Vlanif100]int g0/0/1    
[ac1-GigabitEthernet0/0/1]port link-type t
[ac1-GigabitEthernet0/0/1]p t a v 100 101 102
[ac1-GigabitEthernet0/0/1]p t p v 100

[ac1]ip route-static 0.0.0.0 0 192.168.100.1忘记了这一步导致后面dhcp无法获取，为什么一定要配置，缺省路由呢？因为dhcp服务，后续抓包看看

使用PC ping 192.168.1.1 ,使用AC1ping 192.168.100.1 ，检测连通性

DHCP的配置

现在进行dhcp的配置

AC作为服务器，在AC上创建地址池，利用lsw1作为中继
[ac1]dhcp enable 
[ac1]ip pool ap
[ac1-ip-pool-AP]network 192.168.1.0 mask 24 
[ac1-ip-pool-AP]gateway-list 192.168.1.1
[ac1-ip-pool-AP]option 43 sub-option 3 ascii 192.168.100.254  告诉ap服务器192.168.100.1
[ac1]int vlanif 100
[ac1-Vlanif100]dhcp select global

#########################################################################

 
[lsw1]dhcp enable 
[lsw1]int vlanif 10
[lsw1-Vlanif10]dhcp select relay 
[lsw1-Vlanif10]dhcp relay server-ip 192.168.100.254

再创建vlan101 102两个地址池作为业务vlan的地址池

[lsw1]ip pool sta1
[lsw1-ip-pool-sta1]network 192.168.101.0 mask 24
[lsw1-ip-pool-sta1]gateway-list 192.168.101.1
[lsw1-ip-pool-sta1]ip pool sta2
[lsw1-ip-pool-sta2]network 192.168.102.0 mask 24
[lsw1-ip-pool-sta2]gateway-list 192.168.102.1

[lsw1-ip-pool-sta2]qu
[lsw1]int vlanif 101
[lsw1-Vlanif101]dhcp select g
[lsw1-Vlanif101]int vlanif 102
[lsw1-Vlanif102]dhcp select g
 

在ap上查看dhcp是否建立成功

已经分配成功。

重启ap，我们抓包看看为什么ac一定要有缺省地址

因为ac1不知道vlan 10 的网关地址，要想把dhcp offer给vlan 10，必须配一条指向vlan 10 网络的路由。

无线AC WLAN部分的配置

创建vlan组

[AC6005]vlan pool sta-pool
[AC6005-vlan-pool-sta-pool]vlan 101 102
[AC6005-vlan-pool-sta-pool]assignment hash 采用哈希的方式分配

创建ap组

[AC6005]wlan
[AC6005-wlan-view]ap-group name apgroup1
[AC6005-wlan-ap-group-apgroup1]q

创建域管理模块

[AC6005-wlan-view]regulatory-domain-profile name default
[AC6005-wlan-regulate-domain-default]country-code Cn

将ap组与与管理模块绑定

[AC6005-wlan-view]ap-group name apgrpup1
[AC6005-wlan-ap-group-apgrpup1]regulatory-domain-profile default  这里要按y确定

配置ac的源接口

[AC6005]capwap source interface vlan 100

选择认证模式认证ap

[AC6005-wlan-view]ap auth-mode mac 认证模式改为mac地址认证

每个人的mac地址不一样，需要在lsw3查询后再做配置
[AC6005-wlan-view]ap-id 1 ap-mac 00e0-fcf1-1470
[AC6005-wlan-ap-1]ap-id 2 ap-mac 00e0-fc21-15f0
[AC6005-wlan-ap-2]ap-id 3 ap-mac 00e0-fc81-5620
[AC6005-wlan-ap-3]ap-id 4 ap-mac 00e0-fce6-7620

将ap划入ap组

[AC6005-wlan-ap-1]ap-g    
[AC6005-wlan-ap-1]ap-group ap gr    
[AC6005-wlan-ap-1]ap-group apgroup1
Warning: This operation may cause AP reset. If the country code changes, it will
 clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
[AC6005-wlan-ap-1]ap-id 2
[AC6005-wlan-ap-2]ap-g    
[AC6005-wlan-ap-2]ap-group apgroup1
Warning: This operation may cause AP reset. If the country code changes, it will
 clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y

ap3和ap4和前两个ap配置一样

检查ap是否上线

[AC6005]dis ap all

已成功上线

wlan业务的配置

创建安全模块配置安全策略

wlan-net只是安全模板的名字

[AC6005-wlan-view]security-profile name wlan-net
[AC6005-wlan-sec-prof-wlan-net]security wpa-wpa2 psk pass-phrase a1234567 aes

创建ssid模板，创建ssidwlan-net

ssid模板的名字为wlan-net，ssid的名字也为wlan-net

[AC6005-wlan-view]ssid-profile name wlan-net
[AC6005-wlan-ssid-prof-wlan-net]ssid    
[AC6005-wlan-ssid-prof-wlan-net]ssid wlan-net

创建vap模板，名字为wlan-net

[AC6005-wlan-view]vap-profile name wlan-net
[AC6005-wlan-vap-prof-wlan-net]security-profile wlan-net  vap绑定安全模板
[AC6005-wlan-vap-prof-wlan-net]ssid-profile wlan-net        vap绑定ssid模板
[AC6005-wlan-vap-prof-wlan-net]forward-mode tunnel       转发方式为隧道模式
[AC6005-wlan-vap-prof-wlan-net]service-vlan vlan-pool sta-pool   vap绑定vlan组

进入ap组绑定vap，射频0 1都用vap wlan-net

[AC6005-wlan-view]ap-group name apgroup1
[AC6005-wlan-ap-group-apgroup1]vap-profile wlan-net wlan 1 radio 0
[AC6005-wlan-ap-group-apgroup1]vap-profile wlan-net wlan 1 radio 1

此时效果已经出现

输入密码就可以连接成功