华为企业配置大型WLAN基本业务典型配置案例

最近又学习了华为中大型网络设备的WLAN组网,刚开始觉得头大,其实只要静下心来掌握规律就很简单了。

背景案例:

某公司需要搭建大型WLAN组网,希望所有AP获取的地址都是从路由器上统一分配,然后AP分别设置为两个区域,guest和employee wifi.

这是拓扑图和成品图一起的。

 

先说总体思路吧

1:按照配置,所有的内网都能互通,创建各种vlan,一定记得各个端口trunk的状态。

2:给各个需要配IP地址的vlanif创建IP地址,并配置互通的路由。(包括静态路由和默认路由)

3:在router上创建全局地址池,然后交换机以中继的方式获得地址。(三层AC组网时,要在AP的地址池里用option 43把AC的地址告诉AP,命令:

在 ip pool ap 下配置 option 43 sub-option 3 ascii <AC源接口vlanif的地址>(本案例原文写作192.168.30.1;下文router配置中实际填写的是AC的Vlanif20地址192.168.20.1))

4:在交换机上用dhcp select relay来获取地址,验证是否能获取到地址。

5:创建vlan pool,guest和employee,里面各添加对应的业务vlan(本文:guest对应vlan 11、12,employee对应vlan 13、14),然后在AC上让AP上线,

[记得不要让AP的地址和STA(工作站,无线设备)获取的地址一致(本文,AP对应vlan10)]

一:创建,guest和employee组,创建domain1域名模板,并且分别在组里调用这个模板(模板里面有country-code cn)

二:设置AP的上线方式为AP-MAC(本案例是这种方式),然后给此AP设置ID、name和所加入的组。如法炮制,四个AP很快就上线,可以用dis ap all来查看,获取到IP地址,且状态是normal(正常)就OK了。

三:设置AC的CAPWAP源接口,capwap source interface vlanif20 (本案例)

三:创建security(主要验证加密方式和密码,),ssid模板(主要设置WiFi名称)

四:创建VAP 模板(主要包含四小项,1:转发模式 2:选择服务的地址池,此时选择刚才创建的vlan pool(原文写作ip pool,对应下文配置中的service-vlan vlan-pool) 3:引用security模板 4:引用SSID模板)

五:在组里的射频上引用VAP模板,并设置射频(0:2.4GHz,1:5GHz)

然后验证配置

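配置如下(以下是实验环境的配置导出,用到生产环境前请注意:CS和router上的 local-user admin password simple admin 是明文保存的弱口令,并且允许通过web(service-type http)登录,应换成强口令并像AC那样用 irreversible-cipher 保存;CS上Vlanif11~14都配了网关地址,配置中未见ACL,guest与employee、AP管理网段之间默认三层互通,访客网络需要另行隔离;CS、router、AC都配置了 undo info-center enable,日志输出被关闭,不利于事后排查;AC配置中贴出的admin口令哈希和WPA2 PSK密文如果来自真实设备,应视为已公开并更换):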

SA配置

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/6
 port link-type access
 port default vlan 10
#

#
port-group gaomin
 group-member GigabitEthernet0/0/1
 group-member GigabitEthernet0/0/2
 group-member GigabitEthernet0/0/3
 group-member GigabitEthernet0/0/4
#

CS

#
sysname cs
#
undo info-center enable
#
vlan batch 10 to 14 20 30
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.30.1
#
interface Vlanif11
 ip address 192.168.11.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.30.1
#
interface Vlanif12
 ip address 192.168.12.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.30.1
#
interface Vlanif13
 ip address 192.168.13.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.30.1
#
interface Vlanif14
 ip address 192.168.14.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.30.1
#
interface Vlanif20
 ip address 192.168.20.2 255.255.255.0
#
interface Vlanif30
 ip address 192.168.30.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 to 14 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#

#
ip route-static 0.0.0.0 0.0.0.0 192.168.30.1
#

ROUTER

#
sysname router
#
undo info-center enable
#
vlan batch 30
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
ip pool ap
 gateway-list 192.168.10.1
 network 192.168.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 192.168.20.1
#
ip pool employee1
 gateway-list 192.168.13.1
 network 192.168.13.0 mask 255.255.255.0
#
ip pool employee2
 gateway-list 192.168.14.1
 network 192.168.14.0 mask 255.255.255.0
#
ip pool guest1
 gateway-list 192.168.11.1
 network 192.168.11.0 mask 255.255.255.0
#
ip pool guest2
 gateway-list 192.168.12.1
 network 192.168.12.0 mask 255.255.255.0
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
 dhcp select global
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 30
#

#
ip route-static 192.168.10.0 255.255.255.0 192.168.30.2
ip route-static 192.168.11.0 255.255.255.0 192.168.30.2
ip route-static 192.168.12.0 255.255.255.0 192.168.30.2
ip route-static 192.168.13.0 255.255.255.0 192.168.30.2
ip route-static 192.168.14.0 255.255.255.0 192.168.30.2
ip route-static 192.168.20.0 255.255.255.0 192.168.30.2
#

AC

 sysname AC
#
 set memory-usage threshold 0
#
ssl renegotiation-rate 1 
#
vlan batch 10 to 14 20
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
vlan pool guest
 vlan 11 to 12
vlan pool employee
 vlan 13 to 14
#
diffserv domain default
#
radius-server template default
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ike proposal default
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$9=68<>`<c-$%XU{GUtvl4k2DVLC'h
VC,u$=&[R.MAydqLPIf\#<$
 local-user admin privilege level 15
 local-user admin service-type http
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface MEth0/0/1
 undo negotiation auto
 duplex half
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 14 20

 undo info-center enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.2
#
capwap source interface vlanif20
#
wlan
 traffic-profile name default
 security-profile name guest
  security wpa2 psk pass-phrase %^%#5W3q!AJOVQs7eN6t9(>Yd{osQp<}z9'4yu'^yP+>%^%#
 aes
 security-profile name default
 security-profile name employee
  security wpa2 psk pass-phrase %^%#~y4gRdD)*Oh3!::AE@7$/bHq1D*h4RsHXn;)n#$8%^%#
 aes
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name guest
  ssid guest
 ssid-profile name default
 ssid-profile name employee
  ssid employee
 vap-profile name guest
  forward-mode tunnel
  service-vlan vlan-pool guest
  ssid-profile guest
  security-profile guest
 vap-profile name default
 vap-profile name employee
  forward-mode tunnel
  service-vlan vlan-pool employee
  ssid-profile employee
  security-profile employee
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap 
 ap-group name guest
  regulatory-domain-profile domain1
  radio 0
   vap-profile guest wlan 1
  radio 1
   vap-profile guest wlan 1
  radio 2
   vap-profile guest wlan 1
 ap-group name default
 ap-group name employee
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee wlan 1
  radio 1
   vap-profile employee wlan 1
  radio 2
   vap-profile employee wlan 1
 ap-id 0 type-id 35 ap-mac 00e0-fc53-6cd0 ap-sn 210235448310B0608E1D
  ap-name area1
  ap-group guest
 ap-id 1 type-id 35 ap-mac 00e0-fcd7-3070 ap-sn 210235448310E860E719
  ap-name area2
  ap-group guest
 ap-id 2 type-id 35 ap-mac 00e0-fc59-7f40 ap-sn 210235448310565F3D27
  ap-name area3
  ap-group employee
 ap-id 3 type-id 35 ap-mac 00e0-fc44-0360 ap-sn 2102354483104F547041
  ap-name area4
  ap-group employee
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return

 

 
