需求:各个部门使用无线的用户,只能连接到部门所属的VLAN。
环境:
网络设备:核心交换机H3C S5500(192.168.10.254),接入层PoE交换机H3C S5130(192.168.10.253),AC为H3C WX2560H(192.168.10.252),AP为WA4320;
服务器:域/DHCP服务器(192.168.20.1),NPS服务器(192.168.20.2)
VLAN分为10、20、30、40、50、60,其中10为网络设备网段,20为Windows服务器网段,30为AP网段,40\50\60为用户所属生产网段;10\20\30由核心交换机直接分配地址,40\50\60由核心交换机中继到Windows DHCP服务器分配IP地址。
一、交换机配置:
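核心交换S5500:
(说明:下面的 dis cur 输出中,telnet server enable(管理流量明文传输)、SNMP 团体名 public/private(众所周知的团体名,其中 private 具有写权限)、snmp-agent sys-info version all、VTY 的 idle-timeout 0 0(会话永不超时),以及 G1/0/17、G1/0/18 上的 port trunk permit vlan all 都是较宽松的设置。用于生产环境时,建议改用 SSH 管理、使用 SNMPv3 或自定义团体名并限制来源地址、为 VTY 设置空闲超时,并让 trunk 口只放行实际需要的 VLAN,以免与“用户只能进入本部门 VLAN”的需求相悖。)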
<S5500>dis cur
# version 7.1.045, Release 3116
# sysname S5500
# clock timezone Lisbon add 00:00:00 clock protocol none
# telnet server enable
# irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1
# dhcp enable dhcp server forbidden-ip 192.168.10.1 192.168.10.10 dhcp server forbidden-ip 192.168.20.1 192.168.20.10
# lldp global enable
# password-recovery enable
#
vlan 1 #
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#10 stp global enable
#
dhcp server ip-pool 10 gateway-list 192.168.10.254 network 192.168.10.0 mask 255.255.255.0 dns-list 192.168.20.1
#
dhcp server ip-pool 20 gateway-list 192.168.20.254 network 192.168.20.0 mask 255.255.255.0 dns-list 192.168.20.1
#
dhcp server ip-pool 30 gateway-list 192.168.30.254 network 192.168.30.0 mask 255.255.255.0 dns-list 192.168.20.1 option 43 hex 8007000001c0a80afc #AP网段为30,AC网段为10,AP跨网段注册时需在DHCP上配置Option 43选项;末尾的c0a80afc即AC地址192.168.10.252的16进制表示
#
interface NULL0
#
interface Vlan-interface1 ip address 192.168.0.233 255.255.255.0
#
interface Vlan-interface10 ip address 192.168.10.254 255.255.255.0
#
interface Vlan-interface20 ip address 192.168.20.254 255.255.255.0
#
interface Vlan-interface30 ip address 192.168.30.254 255.255.255.0
#
interface Vlan-interface40 ip address 192.168.40.254 255.255.255.0 dhcp select relay dhcp relay server-address 192.168.20.1
#
interface Vlan-interface50 ip address 192.168.50.254 255.255.255.0 dhcp select relay dhcp relay server-address 192.168.20.1
#
interface Vlan-interface60 ip address 192.168.60.254 255.255.255.0 dhcp select relay dhcp relay server-address 192.168.20.1
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
# interface GigabitEthernet1/0/17 #下联S5130 port link-type trunk port trunk permit vlan all combo enable copper
#
interface GigabitEthernet1/0/18 #下联AC WX2560H port link-type trunk port trunk permit vlan all combo enable copper
#
interface GigabitEthernet1/0/19 combo enable copper
#
interface GigabitEthernet1/0/20 combo enable copper
#
interface GigabitEthernet1/0/21 combo enable copper
#
interface GigabitEthernet1/0/22 combo enable copper
#
interface GigabitEthernet1/0/23 port access vlan 10 combo enable copper
#
interface GigabitEthernet1/0/24 port access vlan 20 combo enable copper
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
# scheduler logfile size 16
#
line class aux user-role network-admin
#
line class vty user-role network-operator
# line aux 0 user-role network-admin
#
line vty 0 63 authentication-mode scheme user-role network-admin user-role network-operator idle-timeout 0 0
# snmp-agent snmp-agent local-engineid 800063A2803CF5CC29A26100000001 snmp-agent community write private snmp-agent community read public snmp-agent sys-info version all #
domain system
# aaa session-limit http 6 aaa session-limit https 6 domain default enable system
#
role name level-0 description Predefined level-0 role
#
role name level-1 description Predefined level-1 role
#
role name level-2 description Predefined level-2 role
#
role name level-3 description Predefined level-3 role
#
role name level-4 de