Summary of wireless question types for 信息安全管理与评估 (Information Security Management and Evaluation)

Subnetting

1. Because the company's IP addressing is planned centrally, the original wireless segment is 172.16.0.0/22 and it must be re-allocated to avoid wasting addresses. Requirements: the company expects to deploy 150 APs; office wireless users in VLAN 10 are expected to number 300; guest users in VLAN 20 will not exceed 50.

AC
interface vlan10
ipv6 address 2001:da8:172:16:1::1/96
ipv6 router ospf area 0
ip address 172.16.1.254 255.255.254.0
interface vlan20
ipv6 address 2001:da8:172:16:2::1/96
ipv6 router ospf area 0
ip address 172.16.2.62 255.255.255.192
SW
interface vlan100
ip address 172.16.3.254 255.255.255.0

Sizing check: 172.16.0.0/23 gives 510 usable hosts for the 300 office users, 172.16.2.0/26 gives 62 for the 50 guests, and 172.16.3.0/24 gives 254 for the 150 APs; in each subnet the gateway is the last usable address. The three blocks are carved out of 172.16.0.0/22 in VLAN order (10, 20, 100), which leaves 172.16.2.64/26 and 172.16.2.128/25 unused.
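The allocation above is easy to get wrong under exam time pressure (off-by-one on the mask, a gateway that is not the last usable address). The following is an added example, not code from the original page: a small VLSM allocator that carves the three subnets out of 172.16.0.0/22 from the host counts in the question and reports the gateway as the last usable address. The VLAN names and the allocation order are assumptions taken from the key; the only library used is the standard `ipaddress` module.

```python
import ipaddress

# Constructed from the question: parent block and the host count each VLAN needs.
# The key allocates in VLAN order (10, 20, 100), so the list keeps that order;
# textbook VLSM sorts the largest demand first, which gives the same result here.
PARENT = "172.16.0.0/22"
DEMANDS = [("vlan10 office", 300), ("vlan20 guest", 50), ("vlan100 AP mgmt", 150)]


def smallest_prefix(hosts):
    """Prefix length whose usable host count (2**n - 2) is the smallest that covers `hosts`."""
    bits = 1
    while (1 << bits) - 2 < hosts:
        bits += 1
    return 32 - bits


def allocate(parent, demands):
    """Carve one subnet per demand out of `parent` using best fit.

    Returns (plan, spare): plan maps each name to its network, first usable
    address and gateway (the last usable address, as the question requires);
    spare lists the free blocks left over. Raises ValueError when space runs out.
    """
    free = [ipaddress.ip_network(parent)]
    plan = {}
    for name, hosts in demands:
        plen = smallest_prefix(hosts)
        free.sort(key=lambda n: int(n.network_address))
        # best fit: the smallest free block (largest prefixlen) that still holds a /plen
        fits = [n for n in free if n.prefixlen <= plen]
        if not fits:
            raise ValueError(f"no free block left for {name} (/{plen})")
        block = max(fits, key=lambda n: n.prefixlen)
        free.remove(block)
        if block.prefixlen == plen:
            chosen = block
        else:
            chosen = next(block.subnets(new_prefix=plen))  # lowest /plen inside the block
            free.extend(block.address_exclude(chosen))     # hand the remainder back
        usable = list(chosen.hosts())                      # excludes network and broadcast
        plan[name] = {
            "network": str(chosen),
            "first_usable": str(usable[0]),
            "gateway": str(usable[-1]),
        }
    spare = [str(n) for n in sorted(free, key=lambda n: int(n.network_address))]
    return plan, spare


if __name__ == "__main__":
    plan, spare = allocate(PARENT, DEMANDS)
    for name, entry in plan.items():
        print(f"{name:16} {entry['network']:18} gateway {entry['gateway']}")
    print("spare:", spare)
```

Running it reproduces the key exactly (172.16.0.0/23 with gateway 172.16.1.254, 172.16.2.0/26 with 172.16.2.62, 172.16.3.0/24 with 172.16.3.254) and shows the two blocks still free, which is what the "avoid wasting addresses" wording is really asking you to demonstrate.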

Traffic control

1. To monitor traffic from the branch to headquarters, sample network traffic on the AC for analysis: sample ports 5 and 6 at a sampling rate of 10000 pps with a sampling interval of 30 s, use the loopback address as the agent (proxy) source address, and send the samples to the analyzer at 172.17.60.100.

sflow agent-address 10.0.0.252
sflow destination 172.17.60.100
interface Ethernet1/0/5
switchport mode trunk
switchport trunk allowed vlan 10;20;60
switchport trunk native vlan 60
sflow rate input 10000
sflow rate output 10000
sflow counter-interval 30
interface Ethernet1/0/6
switchport mode trunk
switchport trunk allowed vlan 10;20;60
switchport trunk native vlan 60
sflow rate input 10000
sflow rate output 10000
sflow counter-interval 30

10.0.0.252 is the AC's loopback address (the same address used as static-ip and relay target elsewhere on this page), which is what the question means by "loopback address as the agent source".

2. Configure SSID GUEST to deny client access every day from 00:00 to 06:00; GUEST allows at most 10 users; rate-limit the GUEST network to 1M upstream and 2M downstream; isolate all wireless clients from each other.

network 2
hide-ssid
client-qos enable
client-qos bandwidth-limit down 2048
client-qos bandwidth-limit up 1024
max-clients 10
ssid GUEST
vlan 20
time-limit from 00:00 to 06:00 weekday all
station-isolation

The bandwidth-limit values are in kbps (1024 = 1M upstream, 2048 = 2M downstream); without client-qos enable the limits are configured but not applied. hide-ssid is not required by the question.
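Every question on this page ends with "check with show run current and take a screenshot", and a quick way to avoid losing marks is to check the running config mechanically rather than by eye. The following is an added example, not code from the original page: it parses a pasted `show run current` excerpt into per-network blocks and compares the GUEST block against the requirements of this question. The sample config is constructed from the page (with max-clients deliberately set to 12 so the checker has something to flag); the requirement names and the kbps interpretation of 1M/2M are assumptions taken from the key.

```python
import re

# Constructed sample of `show run current` output: network 2 from the page with one
# deliberate deviation (max-clients 12) and an unrelated network 100 block.
SAMPLE_RUN = """\
network 2
 hide-ssid
 client-qos enable
 client-qos bandwidth-limit down 2048
 client-qos bandwidth-limit up 1024
 max-clients 12
 ssid GUEST
 vlan 20
 time-limit from 00:00 to 06:00 weekday all
 station-isolation
network 100
 security mode wapi-psk
 ssid Wireless_TEST
 vlan 101
"""

# What the GUEST question asks for; 1M/2M are expressed in kbps as in the key.
GUEST_REQ = {"ssid": "GUEST", "max_clients": 10, "up_kbps": 1024, "down_kbps": 2048,
             "deny_from": "00:00", "deny_to": "06:00"}


def parse_networks(text):
    """Group a DCN-style running config into {network_id: [stripped lines]}."""
    nets, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"network (\d+)", line)
        if m:
            cur = int(m.group(1))
            nets[cur] = []
        elif cur is not None and line:
            nets[cur].append(line)
    return nets


def _first(lines, pattern):
    """group(1) of the first line that fully matches `pattern`, else None."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return m.group(1)
    return None


def check_guest(lines, req):
    """Compare one network block against the GUEST requirements; empty list = compliant."""
    findings = []
    if f"ssid {req['ssid']}" not in lines:
        findings.append(f"ssid is not {req['ssid']}")
    if "client-qos enable" not in lines:
        findings.append("client-qos is not enabled, so bandwidth limits are inert")
    for direction, want in (("up", req["up_kbps"]), ("down", req["down_kbps"])):
        got = _first(lines, rf"client-qos bandwidth-limit {direction} (\d+)")
        if got is None or int(got) != want:
            findings.append(f"{direction} limit is {got}, expected {want} kbps")
    got = _first(lines, r"max-clients (\d+)")
    if got is None or int(got) != req["max_clients"]:
        findings.append(f"max-clients is {got}, expected {req['max_clients']}")
    window = rf"time-limit from {req['deny_from']} to {req['deny_to']} weekday (all)"
    if _first(lines, window) is None:
        findings.append(f"no daily time-limit {req['deny_from']}-{req['deny_to']}")
    if "station-isolation" not in lines:
        findings.append("station-isolation missing: guest clients can reach each other")
    return findings


def audit(text, network_id, req=GUEST_REQ):
    """Run the GUEST checks against network `network_id` in a running-config dump."""
    nets = parse_networks(text)
    if network_id not in nets:
        return [f"network {network_id} not present"]
    return check_guest(nets[network_id], req)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN, 2):
        print("network 2:", finding)
```

The checker deliberately treats a missing `client-qos enable` as a finding even when both bandwidth-limit lines are present, because that is the combination that looks complete in a screenshot but does nothing on the air.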

3. For the test, limit the maximum number of clients to 20, enable QoS rate limiting with upstream and downstream bandwidth set to 20M, and verify on the AC with show run current and take a screenshot.

wireless
ap authentication pass-phrase
discovery ip-list 10.1.16.99
static-ip 10.1.13.2
ap client-qos
network 100
client-qos enable
client-qos bandwidth-limit down 20480
client-qos bandwidth-limit up 20480
security mode wapi-psk
max-clients 20

Both switches are needed: the global ap client-qos under wireless and client-qos enable under the network; 20480 kbps = 20M.

DHCP + relay

1. Configure DHCP on SW with VLAN 100 as the management VLAN to hand out management addresses to the APs: the first usable address of the segment is the AP management address and the last usable address is the gateway; APs register through DHCP option 43, the AC address being the loopback1 address; the AC hands out IP addresses to wireless user VLANs 10 and 20 with the last usable address as gateway; AP onboarding must use MAC address authentication.

SW
service dhcp
ip dhcp pool v100
network-address 172.16.3.0 255.255.255.0
default-router 172.16.3.254
option 43 hex 0104140101FE
AC
service dhcp
ip forward-protocol udp bootps
ip dhcp pool v10
network-address 172.16.0.0 255.255.254.0
default-router 172.16.1.254
ip dhcp pool v20
network-address 172.16.2.0 255.255.255.192
default-router 172.16.2.62
wireless
ap auto-upgrade
agetime ap-failure 2
agetime detected-clients 2
ap authentication mac
static-ip 10.0.0.252
wids-security unknown-ap-managed-ssid
AC#show wireless ap status

Check the option 43 value before copying it: 0104140101FE is sub-option 01, length 04, value 14 01 01 FE, i.e. the AC address 20.1.1.254 (the static-ip used in the AP onboarding key further down this page). For a loopback1 address of 10.0.0.252 the value must be 01040A0000FC; if option 43 and static-ip disagree, the APs are told the wrong controller address and never register.
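Because the option 43 value is hand-typed hex, it is worth being able to encode and decode it rather than trusting a number copied from last year's key. The following is an added example, not code from the original page. It assumes the TLV layout that the key's own value exhibits (sub-option type 0x01, a one-byte length, then packed IPv4 addresses of the AC); carrying more than one address in the same sub-option is the natural extension of that layout and is an assumption to confirm against the AP's documentation. The helper names are the author's own.

```python
import ipaddress

# Assumption (from the key's value 0104140101FE): sub-option 1 carries the AC
# IPv4 address(es) as type 0x01, length 4*n, then n packed addresses.
AC_SUBOPTION = 1


def encode_option43(ac_addresses):
    """Hex string for `option 43 hex ...` listing the given AC IPv4 addresses."""
    if not ac_addresses:
        raise ValueError("at least one AC address is required")
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    if len(payload) > 255:
        raise ValueError("sub-option payload does not fit in a one-byte length")
    return bytes([AC_SUBOPTION, len(payload)]).hex().upper() + payload.hex().upper()


def decode_option43(hex_value):
    """Parse a hex option-43 value into [(sub-option type, [IPv4 addresses])].

    Rejects a TLV that runs past the end of the option or whose length is not
    a whole number of IPv4 addresses, which are the two common typing errors.
    """
    raw = bytes.fromhex(hex_value)
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header")
        t, ln = raw[i], raw[i + 1]
        body = raw[i + 2:i + 2 + ln]
        if len(body) != ln:
            raise ValueError(f"sub-option {t}: length {ln} runs past end of option")
        if ln % 4:
            raise ValueError(f"sub-option {t}: length {ln} is not a multiple of 4")
        addrs = [str(ipaddress.IPv4Address(body[k:k + 4])) for k in range(0, ln, 4)]
        out.append((t, addrs))
        i += 2 + ln
    return out


def matches_controller(hex_value, ac_loopback):
    """True when the option 43 value points at the AC loopback the question specifies."""
    return any(ac_loopback in addrs
               for t, addrs in decode_option43(hex_value) if t == AC_SUBOPTION)


if __name__ == "__main__":
    print(decode_option43("0104140101FE"))   # [(1, ['20.1.1.254'])]
    print(encode_option43(["10.0.0.252"]))   # 01040A0000FC
```

Decoding the key's value shows it points at 20.1.1.254, not at loopback1 10.0.0.252; the `matches_controller` check is the one to run against whatever static-ip you actually configured under wireless.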

2. On the AC configure DHCPv4 and DHCPv6 to assign addresses to the head-office product segment VLAN 50; the IPv4 pool is named POOLv4-50 and the IPv6 pool POOLv6-50; express the IPv6 pool as a network prefix; exclude the gateway; DNS servers are 114.114.114.114 and 2400:3200::1; reserve 172.16.150.9 and 2001:da8:172:16:50::9 for PC1; the relay address on SW is the AC's loopback1 address.

AC:
ip dhcp pool POOLV4-50
network-address 172.17.50.0 255.255.255.0
default-router 172.17.50.1
dns-server 114.114.114.114
ip dhcp pool POOLV4-50-PC1
host 172.17.50.9 255.255.255.0
hardware-address 00-00-00-00-01-01
default-router 172.17.50.1
dns-server 114.114.114.114
service dhcpv6
ipv6 dhcp pool POOLV6-50
network-address 2001:da8:172:17:50::/96
static-binding 2001:da8:172:17:50::9 00-00-00-00-01-01
excluded-address 2001:da8:172:17:50::1
dns-server 2400:3200::1

Two things to watch in this key. First, it uses 172.17.50.0/24 and 2001:da8:172:17:50::/96 while the question text and the SW interface below use 172.16.150.0/24 and 2001:da8:172:16:150::/96; follow the addressing of your own paper, and make sure the pool, the reservation and the VLAN 50 interface address all sit in the same prefix, otherwise the relayed requests are not matched to the pool. Second, the question asks to exclude the gateway on both address families, but only the IPv6 pool does so here; add an ip dhcp excluded-address entry for the IPv4 gateway (syntax as in question 4 below).

SW
interface vlan50
ipv6 address 2001:da8:172:16:150::1/96
ipv6 router ospf area 0
ip address 172.16.150.1 255.255.255.0
!forward protocol udp 67(active)!
ip helper-address 10.0.0.252
ipv6 dhcp relay destination 2001:da8:192:168:60::2

3. Under NETWORK 2 configure an SSID 2022skills_IPv6 in VLAN 21 for IPv6 wireless testing; clients must use WPA-personal with the passphrase "skills01"; users on this network get IPv6 addresses from the WS DHCP service in the range 2001:10:81::/112, with the first usable address as the gateway;

interface vlan21
ipv6 address 2001:10:81::1/112
no ipv6 nd suppress-ra
ipv6 nd managed-config-flag
ipv6 dhcp server vlan21
service dhcpv6
ipv6 dhcp pool vlan21
network-address 2001:10:81::1 2001:10:81::ffff
network 2
security mode wpa-personal
ssid 2022skills_IPv6
wpa key skills01
vlan 21
ap profile 1
radio 1
vap 1
enable
radio 2
vap 1
enable

The key as originally posted gave the interface 2001:10:80::/112, which is not in the pool's prefix; the gateway has to be the first usable address of the same /112 (2001:10:81::1) or clients receive a default router they cannot reach. The passphrase is typed in clear as wpa key skills01 and shows up in show run current as wpa key encrypted followed by a hash. Router advertisements must stay enabled with the managed-config flag set so that clients go to stateful DHCPv6 for their address.

4. Configure a DHCP service on the wireless controller DCWS with the first ten addresses reserved; wireless user VLANs 10 and 20 and wired user VLANs 30 and 40 obtain IP addresses dynamically from the DCWS;

service dhcp
!
ip dhcp excluded-address 172.16.10.1 172.16.10.10
ip dhcp excluded-address 172.16.20.1 172.16.20.10
ip dhcp excluded-address 172.16.30.1 172.16.30.10
ip dhcp excluded-address 192.168.40.1 192.168.40.10

ip dhcp pool vlan10
network-address 172.16.10.0 255.255.255.0
default-router 172.16.10.1
!
ip dhcp pool vlan20
network-address 172.16.20.0 255.255.255.128
default-router 172.16.20.1
!
ip dhcp pool vlan30
network-address 172.16.30.0 255.255.255.192
default-router 172.16.30.1
!
ip dhcp pool vlan40
network-address 192.168.40.0 255.255.255.0
default-router 192.168.40.1

The VLAN 40 pool is 192.168.40.0/24, so its excluded range must be 192.168.40.1 to 192.168.40.10 (the key originally excluded 172.16.40.1-10, which belongs to no pool and therefore reserves nothing).

DCRS:
interface Vlan10
ip address 172.16.10.1 255.255.255.0
!forward protocol udp 67(active)!
ip helper-address 192.168.100.254
!
interface Vlan20
ip address 172.16.20.1 255.255.255.128
!forward protocol udp 67(active)!
ip helper-address 192.168.100.254
!
interface Vlan30
ip address 172.16.30.1 255.255.255.192
!forward protocol udp 67(active)!
ip helper-address 192.168.100.254
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
!forward protocol udp 67(active)!
ip helper-address 192.168.100.254

Encryption modes

1. Configure SSIDs under NETWORK as follows:
Under NETWORK 1 set SSID SKILLS2023 in VLAN 10, encryption mode wpa-personal, passphrase 20232023;

network 1
security mode wpa-personal
ssid SKILLS2023
vlan 10
wpa key encrypted a2a3d37bb6fcf0148c7cb49fda263baca3cde883fa9094e129aad7171aab4490bd52
device-finger enable

The encrypted line is what show run current displays after you type wpa key 20232023; you do not enter the hash yourself.

2. Under Network 100 set SSID Wireless_TEST in VLAN 101 using WAPI encryption and authentication, key length 8, type ASCII, password of your choice, bound to the sixth-from-last usable VAP, 5G radio only; verify on the AC with show run current and take a screenshot

network 100
security mode wapi-psk
ssid Wireless_TEST
vlan 101
wapi psk type ascii
wapi psk pass-phrase KEY-1122
device-finger enable
ap profile 1
radio 2
vap 10
enable
network 100

VAPs are numbered 0 to 15, so the sixth from last is VAP 10; radio 2 is the 5G radio, and the network is bound only there so no 2.4G VAP carries it. KEY-1122 is exactly 8 ASCII characters, as the question requires.

AP onboarding + authentication

1. Configure APs to upgrade automatically on onboarding when the image version stored on the AC differs from the AP's image version; set the interval of the frames the AP sends to announce its presence to wireless clients to 2 seconds; set both the AP failure-state timeout and the detected-client timeout to 2 hours;

wireless
ap auto-upgrade
agetime ap-failure 2
agetime detected-clients 2
ap authentication mac
static-ip 20.1.1.254


ap profile 1
hwtype 59
channel-plan an time 05:00
channel-plan bgn time 05:00
air-match template 1
radio 1
beacon-interval 2000
client-reject rssi-threshold 50
vap 0
vap 1
enable
radio 2
beacon-interval 2000
dot11ac channel-bandwidth 20
client-reject rssi-threshold 50
vap 0
vap 1
enable

The "frames announcing the AP's presence" are beacons; beacon-interval is in milliseconds, so 2 seconds is 2000. The agetime values are in hours. The lines under ap profile 1 other than beacon-interval come from the same year's full configuration and are not needed for this question.

AP-related commands

1. Prevent excessive security-authentication connection attempts from consuming CPU when many APs connect to the AC: if an AP is detected establishing a connection to the AC 5 times within 10 minutes, refuse further connections, and recover after two hours.

wireless ap anti-flood interval 10
wireless ap anti-flood max-conn-count 5
wireless ap anti-flood agetime 120

All three values are in minutes, so the two-hour recovery is agetime 120 (compare question 5 below, where a 10-minute aging time is agetime 10).

2. Isolate all wireless clients from each other; in network mode deny client access every day from 00:00 to 06:00; enable ARP suppression

AC(config-network)#show run cu
network 20
hide-ssid
arp-suppression
security mode wpa-personal
ssid 21
vlan 20
time-limit from 00:00 to 06:00 weekday all
station-isolation
AC(config-network)#

3. On all radio interfaces: the AP no longer sends an ACK when it receives an erroneous frame; enable the AP multicast/broadcast burst limit; enable automatic channel adjustment on the radios, triggered every day at 10:00

ap profile 1
channel-plan an time 10:00
channel-plan bgn time 10:00
channel-plan
radio 1
rate-limit
incorrect-frame-no-ack
radio 2
rate-limit
incorrect-frame-no-ack

4. Enable the white list; currently only administrators and testers may access the AP to complete the wireless test. Their MAC addresses are:
00-03-0f-8a-d9-01
00-03-0f-8a-d9-02
00-03-0f-8a-d9-03
00-03-0f-8a-d9-a2
00-03-0f-8a-d9-b3
00-03-0f-8a-d9-c4

network 100
mac authentication local
mac-authentication-mode white-list
known-client 00-03-0f-8a-d9-01
known-client 00-03-0f-8a-d9-02
known-client 00-03-0f-8a-d9-03
known-client 00-03-0f-8a-d9-a2
known-client 00-03-0f-8a-d9-b3
known-client 00-03-0f-8a-d9-c4

Treat a MAC white list as an administrative filter only: a client MAC address is sent in clear in every frame and can be set freely on any laptop, so the list does not replace WPA/WAPI on the SSID.

5. AP flood table aging time 10 minutes, anti-flood interval 10 minutes, at most 20 connections within the interval, AP failure-state timeout and detected-client timeout 3 hours, RF-scan state entry age time 3 hours, interval of the frames announcing the AP's presence to wireless clients 4 hours

wireless
agetime ap-failure 3
agetime rf-scan 3
agetime detected-clients 4
ap authentication pass-phrase
discovery ip-list 10.1.16.99
static-ip 10.1.13.2
ap client-qos
wids-security unknown-ap-managed-ssid
wireless ap anti-flood interval 10
wireless ap anti-flood max-conn-count 20
wireless ap anti-flood agetime 10

The question wording asks for 3 hours for detected clients while this key has agetime detected-clients 4, and the key contains no beacon-interval line for the last requirement; read the wording of your own paper and set the values accordingly.

6. Enable ARP suppression, automatic forced roaming and the dynamic blacklist;

dynamic-blacklist
force-roaming mode auto

These two are wireless-mode commands; arp-suppression is a network-mode command, configured under the network as shown in question 2 above.

Channel + power

1. To optimize the wireless network, adjust the AP: set the 2.4G radio to channel 6 with transmit power 80%, and the 5G radio to channel 161 with transmit power 90%;

ap database 00-03-0f-ea-eb-70
radio 1 channel 6
radio 1 power 80
radio 2 channel 161
radio 2 power 90

ap database takes the MAC address of the AP being adjusted; radio 1 is the 2.4G radio and radio 2 the 5G radio, and power is a percentage.

For the question types on built-in/external portal + local authentication, see my previous article:
Built-in/external portal + local authentication

Closing remarks: I wrote this article hoping to help everyone prepare better for the competition. I have summarized the question types that have appeared in recent years and hope the content is useful to you. If there are any omissions or shortcomings, please feel free to offer comments and suggestions, and I will correct them as soon as possible.

And thank you for taking the time to read this article. Your support and feedback are very important to me and help me keep improving the quality of the content. I will keep working to bring you more valuable content. Thank you!
