最近又学习了华为中大型网络设备的WLAN组网,刚开始觉得头大,其实只要静下心来掌握规律就很简单了。
背景案例:
某公司需要搭建大型WLAN组网,希望所有AP获取的地址都是从路由器上统一分配,然后AP分别设置为两个区域,guest和employee wifi.
这是拓扑图和成品图一起的。
先说总体思路吧
1:按照配置,先让所有内网互通:创建各个vlan,并逐个检查trunk端口的allow-pass列表。注意下面的配置只做了连通,没有任何ACL:guest的vlan 11/12与employee的vlan 13/14、AC(192.168.20.1)以及路由器之间完全可达,实验环境可以接受,生产环境应在核心交换机上用ACL/traffic-filter把guest与内网业务段、设备管理地址隔离开。
2:给各个需要配IP地址的vlanif创建IP地址,并配置互通的路由。(包括静态路由和默认路由)
3:在router上创建全局地址池,交换机以中继方式为各vlan获取地址。(三层AC组网时AP与AC不在同一网段,要在AP的地址池里通过DHCP Option 43向AP通告AC的地址,命令:
ip pool ap 视图下 option 43 sub-option 3 ascii <AC的capwap源地址>。本案例是AC的vlanif20地址192.168.20.1,与下文router配置一致;192.168.30.1是路由器自己的地址,不能填在这里。)
4:在核心交换机对应的vlanif上配置 dhcp select relay 和 dhcp relay server-ip 192.168.30.1,把DHCP请求中继到路由器,再验证能否获取到地址。
5:创建vlan pool guest和employee,里面分别加入业务vlan(本文:guest为vlan 11、12,employee为vlan 13、14;对应的地址池在router上),然后在AC上让AP上线,
[记得AP的管理vlan/地址段不要和STA(工作站,无线终端)的业务vlan重合(本文AP用vlan 10,STA用vlan 11~14)]
一:创建guest和employee两个ap-group,创建管制域模板domain1(regulatory-domain-profile,里面设置country-code cn),并在两个组里分别引用这个模板。
二:设置AP的认证(上线)方式为AP-MAC(本案例是这种方式),然后给AP指定ID、name和所属组。如法炮制,四个AP很快就上线,可以用dis ap all查看,获取到IP地址且状态是normal(正常)就OK了。
三:设置AC的CAPWAP源接口:capwap source interface vlanif20(本案例)。
四:创建security模板(设置认证/加密方式和密码;本文guest和employee都是wpa2 psk + aes,注意PSK是全体用户共享的一把口令,生产环境员工网建议改用802.1X认证),以及ssid模板(设置WiFi名称)。
五:创建VAP模板(主要包含四项:1:转发模式(本文tunnel);2:业务VLAN:用service-vlan vlan-pool引用刚才创建的vlan pool;3:引用security模板;4:引用SSID模板)。
六:在ap-group里的射频上引用VAP模板(radio 0为2.4GHz,radio 1为5GHz;配置中radio 2也引用了)。
然后验证配置。下面的配置来自eNSP实验环境,有几处不要照搬到生产:cs和router上的 local-user admin password simple admin 是明文的默认口令admin/admin,并且开放了http服务(AC上已经是 irreversible-cipher,交换机和路由器也应改成密文并换掉默认口令);undo info-center enable 关掉了日志输出,排错和安全审计都需要日志;如果不做集群管理,cluster/ntdp/ndp 也可以关掉。
配置如下:
SA(接入交换机,下联AP)配置
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 10
#
#
port-group gaomin
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
group-member GigabitEthernet0/0/3
group-member GigabitEthernet0/0/4
#
CS(核心交换机)配置
#
sysname cs
#
undo info-center enable
#
vlan batch 10 to 14 20 30
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.30.1
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.30.1
#
interface Vlanif12
ip address 192.168.12.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.30.1
#
interface Vlanif13
ip address 192.168.13.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.30.1
#
interface Vlanif14
ip address 192.168.14.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.30.1
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 to 14 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
#
ip route-static 0.0.0.0 0.0.0.0 192.168.30.1
#
ROUTER(DHCP服务器/出口路由器)配置
#
sysname router
#
undo info-center enable
#
vlan batch 30
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
ip pool ap
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 192.168.20.1
#
ip pool employee1
gateway-list 192.168.13.1
network 192.168.13.0 mask 255.255.255.0
#
ip pool employee2
gateway-list 192.168.14.1
network 192.168.14.0 mask 255.255.255.0
#
ip pool guest1
gateway-list 192.168.11.1
network 192.168.11.0 mask 255.255.255.0
#
ip pool guest2
gateway-list 192.168.12.1
network 192.168.12.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
dhcp select global
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
#
ip route-static 192.168.10.0 255.255.255.0 192.168.30.2
ip route-static 192.168.11.0 255.255.255.0 192.168.30.2
ip route-static 192.168.12.0 255.255.255.0 192.168.30.2
ip route-static 192.168.13.0 255.255.255.0 192.168.30.2
ip route-static 192.168.14.0 255.255.255.0 192.168.30.2
ip route-static 192.168.20.0 255.255.255.0 192.168.30.2
#
AC配置
sysname AC
#
set memory-usage threshold 0
#
ssl renegotiation-rate 1
#
vlan batch 10 to 14 20
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
vlan pool guest
vlan 11 to 12
vlan pool employee
vlan 13 to 14
#
diffserv domain default
#
radius-server template default
#
pki realm default
rsa local-key-pair default
enrollment self-signed
#
ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher $1a$9=68<>`<c-$%XU{GUtvl4k2DVLC'h
VC,u$=&[R.MAydqLPIf\#<$
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface MEth0/0/1
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 14 20
undo info-center enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.2
#
capwap source interface vlanif20
#
wlan
traffic-profile name default
security-profile name guest
security wpa2 psk pass-phrase %^%#5W3q!AJOVQs7eN6t9(>Yd{osQp<}z9'4yu'^yP+>%^%#
aes
security-profile name default
security-profile name employee
security wpa2 psk pass-phrase %^%#~y4gRdD)*Oh3!::AE@7$/bHq1D*h4RsHXn;)n#$8%^%#
aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name guest
ssid guest
ssid-profile name default
ssid-profile name employee
ssid employee
vap-profile name guest
forward-mode tunnel
service-vlan vlan-pool guest
ssid-profile guest
security-profile guest
vap-profile name default
vap-profile name employee
forward-mode tunnel
service-vlan vlan-pool employee
ssid-profile employee
security-profile employee
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name guest
regulatory-domain-profile domain1
radio 0
vap-profile guest wlan 1
radio 1
vap-profile guest wlan 1
radio 2
vap-profile guest wlan 1
ap-group name default
ap-group name employee
regulatory-domain-profile domain1
radio 0
vap-profile employee wlan 1
radio 1
vap-profile employee wlan 1
radio 2
vap-profile employee wlan 1
ap-id 0 type-id 35 ap-mac 00e0-fc53-6cd0 ap-sn 210235448310B0608E1D
ap-name area1
ap-group guest
ap-id 1 type-id 35 ap-mac 00e0-fcd7-3070 ap-sn 210235448310E860E719
ap-name area2
ap-group guest
ap-id 2 type-id 35 ap-mac 00e0-fc59-7f40 ap-sn 210235448310565F3D27
ap-name area3
ap-group employee
ap-id 3 type-id 35 ap-mac 00e0-fc44-0360 ap-sn 2102354483104F547041
ap-name area4
ap-group employee
provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return