I. Wireless Basics
- Access Controller (AC): in a wireless network the AC controls and manages all APs in the WLAN.
- Access Point (AP): provides 802.11-based wireless access for STAs and bridges the wired and wireless networks.
- Station (STA): a terminal that supports the 802.11 standard, for example a computer with a wireless NIC or a WLAN-capable phone.
- The AC controls and manages APs through a CAPWAP tunnel; some AP data traffic is also exchanged with the AC over CAPWAP.
- CAPWAP: Control And Provisioning of Wireless Access Points.
(1) AC management address
- The AC management address is the address used to establish CAPWAP with the APs.
- Discovery phase (the AP discovers the AC): the AP sends Discovery Request packets to find an available AC. The AC decides whether the AP is allowed to join; Discovery Requests from APs that are not allowed get no response.
- An AP can discover the AC in two ways: static discovery and dynamic discovery.
- Static: the AC management address is configured on the AP in advance, so after startup the AP sends its Request to that AC.
- Dynamic: the AP learns the AC management address through DHCP Option 43, DNS, broadcast, and similar means.
- CAPWAP tunnel setup covers a data tunnel and a control tunnel:
- Data tunnel: service data received by the AP is sent through the CAPWAP data tunnel to the AC for centralized forwarding. DTLS (Datagram Transport Layer Security) encryption can optionally be enabled on the data tunnel; once enabled, all CAPWAP data packets are DTLS encrypted and decrypted.
- Control tunnel: control packets between the AP and AC are exchanged through the CAPWAP control tunnel. DTLS can likewise be enabled on the control tunnel; once enabled, all CAPWAP control packets are DTLS encrypted and decrypted.
- Set the AC management address to VLAN 100:
[AC6605]vlan 100
[AC6605-vlan100]int vlan 100
[AC6605-Vlanif100]ip add 192.168.100.254 24
[AC6605-Vlanif100]quit
[AC6605]capwap source int vlan 100
(2) SSID profile
An SSID identifies a wireless network.
When an STA scans for available wireless networks, the network names it displays are SSIDs.
- Set the SSID name to "Temp":
[AC6605]wlan
[AC6605-wlan-view]ssid name Temp
[AC6605-wlan-ssid-prof-Temp]ssid Temp
Info: This operation may take a few seconds, please wait.done.
(3) Security profile
A WLAN security policy authenticates wireless terminals and encrypts user traffic, protecting the WLAN and its users.
- Create a security profile using WPA2-PSK authentication, AES encryption and the passphrase Huawei@123:
[AC6605]wlan
[AC6605-wlan-view]security name Temp
[AC6605-wlan-sec-prof-Temp]security wpa2 psk pass-phrase Huawei@123 aes
(4) VAP profile
The parameters in a VAP profile let an AP provide different wireless services to STAs.
Different VAP profiles provide different wireless services; each wireless network we connect to corresponds roughly to one VAP.
- A basic VAP profile usually binds the following profiles:
- SSID profile
- Security profile
[AC6605]wlan
# Create the VAP profile
[AC6605-wlan-view]vap-profile name Temp
# Bind the SSID profile
[AC6605-wlan-vap-prof-Temp]ssid Temp
# Bind the security profile
[AC6605-wlan-vap-prof-Temp]security Temp
- A basic VAP profile is usually completed with the following settings:
- the service forwarding mode (direct/local forwarding or tunnel forwarding)
- the service VLAN
# Direct (local) forwarding
[AC6605-wlan-vap-prof-Temp]forward-mode direct-forward
# Tunnel forwarding
[AC6605-wlan-vap-prof-Temp]forward-mode tunnel
# Set service VLAN 10
[AC6605-wlan-vap-prof-Temp]service-vlan vlan-id 10
- Difference between direct forwarding and tunnel forwarding
- Direct forwarding: STA traffic is forwarded directly within the network the AP belongs to.
- Tunnel forwarding: STA traffic is first sent through the CAPWAP tunnel to the AC, and the AC then forwards it.
- Service VLAN
- Once an STA joins the wireless network, its traffic belongs to the corresponding VLAN; different VLANs are isolated from each other.
(5) AP onboarding authentication
Once the AP has obtained an IP address and knows the AC management address, the AP and AC exchange Discovery Request/Response packets and establish the CAPWAP tunnel.
After the tunnel is up, the AP sends a Join Request; the AC decides whether the AP may join and responds with a Join Response.
By default the AC also performs MAC authentication on the AP: only APs whose MAC address has been registered can join the AC and come online.
(6) AP groups
A WLAN contains a large number of APs. To simplify configuration, APs can be added to an AP group and given the same configuration at group level.
Each AP also has parameters that differ from other APs and are not suited to group configuration; such AP-specific parameters are configured directly under the AP.
Use an AP group to configure many identically configured APs; for APs that need individual changes, enter the AP's own view and modify them there.
- Create AP group "Temp", bind VAP profile "Temp" to WLAN 1 and broadcast on both the 2.4G and 5.8G radios.
[AC6605]wlan
[AC6605-wlan-view]ap-group name Temp
[AC6605-wlan-ap-group-Temp]vap-profile Temp wlan 1 radio all
- Add an AP that is already online to AP group "Temp":
# Enter the view of the online AP
[AC6605-wlan-view]ap-id 0 ap-mac 00E0-FC8B-4C40
[AC6605-wlan-ap-0]ap-name AP1
[AC6605-wlan-ap-0]ap-group Temp
II. Basic AP Onboarding
The AP onboarding process can be roughly divided into the following steps:
1. The AP obtains an IP address
2. The AP establishes a CAPWAP tunnel with the AC
3. The AP joins the AC and enters the controlled phase
4. AP version upgrade check
5. CAPWAP maintenance phase
6. AC service delivery phase
1. Layer 2 onboarding
(1) AC and AP in the same network and the same VLAN
- AP1 comes online through Layer 2 MAC authentication, the wireless service is named "AP1-wifi" with no authentication password, data forwarding uses direct forwarding, and no AP group is needed.
- Because direct forwarding is used, interface G0/0/2 on AC1 must be configured as Trunk, allow VLAN100 and VLAN10, and use VLAN100 as the Trunk PVID.
- AP1 has no IP address by default, so AC1 must assign one via DHCP or a static IP address must be configured on AP1 manually. For manageability, a VLAN100 address pool is created on AC1 here to assign addresses to Layer 2 APs such as AP1.
# Basic configuration: create the VLANIF interfaces
[AC6605]vlan 100
[AC6605-vlan100]vlan 10
[AC6605-vlan10]int vl 100
[AC6605-Vlanif100]ip add 192.168.100.254 24
[AC6605-Vlanif100]int vl 10
[AC6605-Vlanif10]ip add 192.168.10.254 24
# Allow the VLANs on the interface
[AC6605-Vlanif10]int g0/0/2
[AC6605-GigabitEthernet0/0/2]port link trunk
[AC6605-GigabitEthernet0/0/2]port trunk allow vlan 100 10
[AC6605-GigabitEthernet0/0/2]port trunk pvid vlan 100
# Enable DHCP
[AC6605-GigabitEthernet0/0/2]dhcp enable
# Management address pool
[AC6605]ip pool vlan100
[AC6605-ip-pool-vlan100]network 192.168.100.0 mask 24
[AC6605-ip-pool-vlan100]gateway 192.168.100.254
[AC6605-ip-pool-vlan100]quit
# Wireless client address pool
[AC6605]ip pool vlan10
[AC6605-ip-pool-vlan10]network 192.168.10.0 mask 24
[AC6605-ip-pool-vlan10]gateway 192.168.10.254
[AC6605-ip-pool-vlan10]quit
# Apply the address pools on the interfaces
[AC6605]int vlan 100
[AC6605-Vlanif100]dhcp select global
[AC6605-Vlanif100]int vlan 10
[AC6605-Vlanif10]dhcp select global
- With basic connectivity in place, configure the wireless settings:
# Specify the AC management address
[AC6605]capwap source interface Vlanif 100
# Configure the SSID profile
[AC6605]wlan
[AC6605-wlan-view]ssid name AP1-wifi
[AC6605-wlan-ssid-prof-AP1-wifi]ssid AP1-wifi
[AC6605-wlan-ssid-prof-AP1-wifi]quit
# Configure the security profile
[AC6605-wlan-view]security-profile name AP1-wifi
[AC6605-wlan-sec-prof-AP1-wifi]security open
[AC6605-wlan-sec-prof-AP1-wifi]quit
# Configure the VAP profile
[AC6605-wlan-view]vap-profile name AP1-wifi
[AC6605-wlan-vap-prof-AP1-wifi]forward-mode direct-forward
[AC6605-wlan-vap-prof-AP1-wifi]ssid AP1-wifi
[AC6605-wlan-vap-prof-AP1-wifi]security AP1-wifi
[AC6605-wlan-vap-prof-AP1-wifi]service-vlan vlan-id 10
[AC6605-wlan-vap-prof-AP1-wifi]quit
# Configure AP onboarding authentication, bind the VAP and broadcast the wireless signal
[AC6605-wlan-view]ap-id 0 ap-mac 00E0-FC8B-4C40
[AC6605-wlan-ap-0]ap-name AP1
[AC6605-wlan-ap-0]vap-profile AP1-wifi wlan 1 radio all
[AC6605-wlan-ap-0]quit
- Check the onboarding status
# State "nor" means the AP is online
[AC6605-wlan-view]dis ap all
-----------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-----------------------------------------------------------------------------
0 00e0-fc8b-4c40 AP1 default 192.168.100.48 AP4030TN nor 0 1M:29S
-----------------------------------------------------------------------------
Total: 1
2. Layer 3 onboarding
- For onboarding across a Layer 3 network, first make sure the networks can communicate with each other.
(1) Layer 3 automatic onboarding via DHCP
- When the AC and AP are in different subnets, the AP can discover the AC through a DHCP Option 43 field that carries the AC's CAPWAP source IP address.
- Alternatively, the AC's domain name can be supplied via DNS. Otherwise the AP cannot discover the AC and will never come online on it.
- DHCP Option 43 has three main sub-options for specifying the AC management (CAPWAP) address:
- 1-hex: hexadecimal form
- 2-ip-address: IP address form
- 3-ascii: ASCII form (similar to the IP form)
- Running option 43 sub-option 1 hex C0A80001C0A80002 configures the device to give the AP the AC IP addresses 192.168.0.1 and 192.168.0.2; "C0A80001" is 192.168.0.1 in hexadecimal and "C0A80002" is 192.168.0.2 in hexadecimal.
- Running option 43 sub-option 2 ip-address 192.168.0.1 192.168.0.2 configures the device to give the AP the AC IP addresses 192.168.0.1 and 192.168.0.2.
- Running option 43 sub-option 3 ascii 192.168.0.1,192.168.0.2 configures the device to give the AP the AC IP addresses 192.168.0.1 and 192.168.0.2.
- Notes:
- The sub-option number must match its type:
- e.g. sub-option 1 goes with hex, sub-option 2 with ip-address.
- With sub-option 1 ip-address, for example, the AP cannot recognise an AC management address in the resulting Option 43.
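The three Option 43 encodings above and the sub-option/type mismatch pitfall can be checked before anything is typed into a DHCP pool. The following Python helper is an added example, not part of the original notes and not Huawei tooling: it builds the option 43 line for an address pool from a list of AC addresses, decodes a hex payload back into dotted addresses, and refuses a sub-option/type pairing the AP would not recognise. The function names and the mismatch check are my own; the hex layout (four bytes per address, concatenated) follows the C0A80001C0A80002 example above.

```python
import ipaddress

# Sub-option number -> the keyword it must be paired with, as the notes describe:
# 1 -> hex, 2 -> ip-address, 3 -> ascii.
SUB_OPTION_TYPES = {1: "hex", 2: "ip-address", 3: "ascii"}


def sub_option_matches(sub_option, type_keyword):
    """True when the sub-option number and the type keyword belong together."""
    return SUB_OPTION_TYPES.get(sub_option) == type_keyword


def encode_hex(ips):
    """Sub-option 1 payload: each IPv4 address as 8 upper-case hex digits, concatenated."""
    return "".join(f"{int(ipaddress.IPv4Address(ip)):08X}" for ip in ips)


def decode_hex(payload):
    """Reverse of encode_hex: split into 4-byte chunks and render each as dotted IPv4."""
    if len(payload) % 8 != 0:
        raise ValueError(f"hex payload length {len(payload)} is not a multiple of 8")
    return [str(ipaddress.IPv4Address(int(payload[i:i + 8], 16)))
            for i in range(0, len(payload), 8)]


def option43_command(sub_option, ips, type_keyword=None):
    """Build the 'option 43 sub-option ...' line for an address pool.

    type_keyword lets the caller state which form they intend; a mismatch with the
    sub-option number (e.g. sub-option 1 with ip-address) is rejected here instead
    of producing an Option 43 the AP cannot parse.
    """
    if sub_option not in SUB_OPTION_TYPES:
        raise ValueError(f"unknown Option 43 sub-option {sub_option}")
    expected = SUB_OPTION_TYPES[sub_option]
    if type_keyword is not None and not sub_option_matches(sub_option, type_keyword):
        raise ValueError(f"sub-option {sub_option} must use '{expected}', not '{type_keyword}'")
    if not ips:
        raise ValueError("at least one AC address is required")
    # Validate every address once, whichever encoding is used.
    addrs = [str(ipaddress.IPv4Address(ip)) for ip in ips]
    if sub_option == 1:
        payload = encode_hex(addrs)
    elif sub_option == 2:
        payload = " ".join(addrs)
    else:
        payload = ",".join(addrs)
    return f"option 43 sub-option {sub_option} {expected} {payload}"


if __name__ == "__main__":
    acs = ["192.168.0.1", "192.168.0.2"]
    for n in SUB_OPTION_TYPES:
        print(option43_command(n, acs))
    # The management address used in the lab above, in sub-option 1 form.
    print(option43_command(1, ["192.168.100.254"]))
    print(decode_hex("C0A80001C0A80002"))
```

Run it directly to print all three forms for the two lab addresses; `decode_hex` is the check to run on an Option 43 value copied out of a running configuration when an AP refuses to discover the AC.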
- Configuration case: bring AP3 online via DHCP Option 43.
- SSID: ap3-wifi, passphrase: Huawei@123, broadcast only on Radio 0 (the 2.4G radio).
- Because AP3 and AC1 are not in the same network, tunnel forwarding is recommended.
- The service VLAN is vlan10, the same as for AP1.
- Create AP group AP_NEW, bind this wireless configuration to the group, and add AP3 to it.
- 1. Configure switch LSW2
[LSW2]vlan b 1000 200 300
[LSW2]int vl 1000
[LSW2-Vlanif1000]ip add 10.1.0.2 30
[LSW2-Vlanif1000]int vl 200
[LSW2-Vlanif200]ip add 192.168.200.254 24
[LSW2-Vlanif200]int vl 300
[LSW2-Vlanif300]ip add 192.168.255.254 24
[LSW2-Vlanif300]quit
[LSW2]int g0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 1000
[LSW2-GigabitEthernet0/0/1]int g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 300
[LSW2-GigabitEthernet0/0/2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type access
[LSW2-GigabitEthernet0/0/3]port default vlan 200
[LSW2-GigabitEthernet0/0/3]quit
[LSW2]ip pool vlan200
Info:It's successful to create an IP address pool.
[LSW2-ip-pool-vlan200]network 192.168.200.0 mask 24
[LSW2-ip-pool-vlan200]gateway 192.168.200.254
# Specify the AC management address with Option 43 sub-option 2 (ip-address)
[LSW2-ip-pool-vlan200]option 43 sub-option 2 ip-address 192.168.100.254
[LSW2-ip-pool-vlan200]quit
[LSW2]int vl 200
[LSW2-Vlanif200]dhcp select global
- 2. Configure OSPF between LSW2 and AC1 and advertise the relevant networks into OSPF so that they can reach each other.
[LSW2]dis ip routing-table protocol ospf
192.168.10.0/24 OSPF 10 2 D 10.1.0.1 Vlanif1000
192.168.100.0/24 OSPF 10 2 D 10.1.0.1 Vlanif1000
[AC6605]dis ip routing-table protocol ospf
192.168.200.0/24 OSPF 10 2 D 10.1.0.2 Vlanif1000
192.168.255.0/24 OSPF 10 2 D 10.1.0.2 Vlanif1000
- The AC settings from the Layer 2 onboarding are kept:
- AC management address (vlan100)
- AP onboarding authentication mode (MAC)
- 3. Continue configuring the AC to bring AP3 online with its wireless service:
[AC6605]wlan
# Configure the SSID
[AC6605-wlan-view]ssid name ap3-wifi
[AC6605-wlan-ssid-prof-ap3-wifi]ssid ap3-wifi
[AC6605-wlan-ssid-prof-ap3-wifi]quit
# Configure the security profile / passphrase
[AC6605-wlan-view]security name ap3-wifi
[AC6605-wlan-sec-prof-ap3-wifi]security wpa2 psk pass-phrase Huawei@123 aes
[AC6605-wlan-sec-prof-ap3-wifi]quit
# Configure the VAP and bind the profiles
[AC6605-wlan-view]vap name ap3-wifi
[AC6605-wlan-vap-prof-ap3-wifi]ssid ap3-wifi
[AC6605-wlan-vap-prof-ap3-wifi]security ap3-wifi
[AC6605-wlan-vap-prof-ap3-wifi]service-vlan vlan-id 10
# Forwarding mode: tunnel forwarding
[AC6605-wlan-vap-prof-ap3-wifi]forward-mode tunnel
# Create the AP group and bind the VAP
[AC6605-wlan-view]ap-group name AP_NEW
[AC6605-wlan-ap-group-AP_NEW]vap ap3-wifi wlan 1 radio 0
[AC6605-wlan-ap-group-AP_NEW]quit
# Add AP3 to the AP group; AP3's MAC address is 00e0-fc08-7a40
[AC6605-wlan-view]ap-id 1 ap-mac 00e0-fc08-7a40
[AC6605-wlan-ap-1]ap-name AP3
[AC6605-wlan-ap-1]ap-group AP_NEW
[AC6605-wlan-ap-1]quit
- 4. Check the wireless status
<AC6605>dis ap all
---------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
---------------------------------------------------------------------------
0 00e0-fc8b-4c40 AP1 default 192.168.100.14 AP4030TN nor 0 34M:15S
1 00e0-fc08-7a40 AP3 AP_NEW 192.168.200.253 AP4030TN nor 1 3M:7S
---------------------------------------------------------------------------
(2) Layer 3 manual onboarding
- Configuration case: AP2 comes online by manually specifying the AC management address.
- After AP2 is online, add it to group AP_NEW so that it broadcasts the same wireless network as AP3.
- Because the AP4030 obtains an address via DHCP by default, configure DHCP pool vlan300 to assign the AP its IP address and gateway.
- 1. Configure the DHCP address pool on LSW2
[LSW2]ip pool vlan300
[LSW2-ip-pool-vlan300]network 192.168.255.0 mask 24
[LSW2-ip-pool-vlan300]gateway 192.168.255.254
[LSW2-ip-pool-vlan300]quit
[LSW2]int vlan300
[LSW2-Vlanif300]dhcp select global
- 2. Connect to AP2 over the console port to configure the AC management address manually, or telnet to it from LSW2.
- The command dis ip pool name vlan300 used shows that the IP address AP2 is using is .253:
[LSW2]dis ip pool name vlan300 use
Network section :
--------------------------------------------------------------------------
Index IP MAC Lease Status
--------------------------------------------------------------------------
252 192.168.255.253 00e0-fce1-77b0 7 Used
--------------------------------------------------------------------------
- 3. Via Telnet: the default username is admin and the default password is admin@huawei.com.
- Use the command ap-address static ac-list <AC-management-IP> to specify the AC management address:
<LSW2>telnet 192.168.255.253
Trying 192.168.255.253 ...
Press CTRL+K to abort
Connected to 192.168.255.253 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Username:admin
Password:
Info: You are advised to change the password to ensure security.
<Huawei>
<Huawei>system
[Huawei]ap-address static ac-list 192.168.100.254
Info: The configuration takes effect after the AP is restarted.
- 3.1. After manual configuration the AP must be restarted for it to take effect; the configuration can be checked with:
<Huawei>dis ap-address-info
==============================================================
Active AP Address Info
AP Mode : dhcp
Ip Address : -
Ip Version : -
Mask : -
Gateway : -
AC 0 ip : -
AC 1 ip : -
AC 2 ip : -
AC 3 ip : -
--------------------------------------------------------------
Reboot Active AP Address Info # configuration that takes effect after reboot
AP Mode : dhcp
Ip Address : -
Ip Version : -
Mask : -
Gateway : -
AC 0 ip : 192.168.100.254
AC 1 ip : -
AC 2 ip : -
AC 3 ip : -
==============================================================
- 3.2. Via the console port:
- 4. Back on AC1, bring AP2 online and add it to the AP group
[AC6605]wlan
[AC6605-wlan-view]ap-id 2 ap-mac 00e0-fce1-77b0
[AC6605-wlan-ap-2]ap-name AP2
[AC6605-wlan-ap-2]ap-group AP_NEW
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
- 5. Check the AP status
<AC6605>dis ap all
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 00e0-fc8b-4c40 AP1 default 192.168.100.14 AP4030TN nor 0 7H:40M:4S
1 00e0-fc08-7a40 AP3 AP_NEW 192.168.200.253 AP4030TN nor 1 7H:8M:56S
2 00e0-fce1-77b0 AP2 AP_NEW 192.168.255.253 AP4030TN nor 0 1H:7M:40S
--------------------------------------------------------------------------------
III. Wireless User Roaming
Roaming within a single AC
- By default, clients on the same wireless network under a single AC roam automatically.
Roaming between ACs
- When a client moves from the old AC to a new AC, roaming fails because the new AC has no information about the wireless client.
- A "mobility group" is therefore needed: the ACs allowed to roam are added to the group so that wireless client information is synchronized among them while the client roams.
- To support inter-AC roaming, all ACs in the mobility group must synchronize the STA and AP information each of them manages, so a tunnel is established between the ACs as the channel for data synchronization and packet forwarding. The inter-AC tunnel is also created with CAPWAP.
- To enable inter-AC roaming, it is enough to add the ACs to a mobility group with the following commands.
[AC6605]wlan
[AC6605-wlan-view]mobility-group name xxx
[AC6605-mc-mg-xxx]member ip-address 192.168.100.1
[AC6605-mc-mg-xxx]member ip-address 192.168.100.2
IV. Wireless Device Reliability
(1) VRRP hot standby
What is VRRP hot standby?
Dual-device hot backup implemented with VRRP and HSB is called VRRP hot standby.
HSB (Hot-Standby Backup)
HSB provides two common services: the HSB service and the HSB group.
HSB service
The HSB service establishes the active/standby backup channel between the two devices that back each other up, maintains the channel's link state, sends and receives packets on behalf of other services, and notifies the HSB group to react when the backup link fails.
HSB group
The HSB group notifies each service module to perform batch backup, real-time backup and state synchronization.
In a VRRP hot standby deployment, the HSB group is bound to a VRRP group, and the VRRP protocol negotiates the master/backup AC roles.
AC1 and AC2 join the VRRP group and each sends VRRP packets carrying its priority over the HSB channel.
AC1 is elected Master and AC2 Backup: AC1 is the active device and handles traffic, AC2 is the backup and stays on standby.
Once the roles are settled, the master AC sends gratuitous ARP packets to announce the virtual MAC address to the devices and hosts connected to it, and so takes over packet forwarding.
It also periodically sends VRRP advertisements to the backup AC to publish its configuration (priority and so on) and working state.
The AP establishes a CAPWAP link to the VRRP virtual IP address and is managed by the master AC. The AP also pre-establishes a tunnel with the backup AC; on the backup AC the AP's state shows as "stdby".
Configuration case
- AC1 is the VRRP Master, AC2 the Backup.
- The AC-to-LSW2 uplinks stay in Access mode; AC1 and AC2 exchange VRRP packets over a heartbeat link.
- The VLAN100 and VLAN10 addresses both need to change; .254 becomes the virtual address.
VRRP configuration
- 1. Complete the LSW2 configuration
[LSW2]vlan 1001
[LSW2-vlan1001]int vl 1001
[LSW2-Vlanif1001]ip add 10.1.0.6 30
# Advertise the interface into OSPF
[LSW2-Vlanif1001]ospf enable 1 area 0
- 2. Complete AC1's wireless and VRRP configuration
[AC6605]sysname AC1
# This link carries the vlan10/vlan100 heartbeat, so configure it as a Trunk
[AC1]int g0/0/3
[AC1-GigabitEthernet0/0/3]port link-type trunk
[AC1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 100
[AC1-GigabitEthernet0/0/3]quit
[AC1]int vlan 10
[AC1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[AC1-Vlanif10]vrrp vrid 10 priority 120
[AC1-Vlanif10]ip add 192.168.10.252 24
[AC1-Vlanif10]int vlan 100
[AC1-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.254
[AC1-Vlanif100]vrrp vrid 100 priority 120
[AC1-Vlanif100]ip address 192.168.100.252 24
Error: The ip cannot be changed because the interface has been used by wlan.
# The interface is the AC management address, so the management address must be removed first (this takes the APs offline)
[AC1]undo capwap source interface Vlanif 100
Warning: This operation will disconnect the device on the source interface. Cont
inue? [Y/N]:y
[AC1]int vl 100
[AC1-Vlanif100]ip add 192.168.100.252 24
[AC1-Vlanif100]quit
# Change the AC management address to the virtual address
[AC1]capwap source ip-address 192.168.100.254
3. Complete AC2's basic configuration and VRRP configuration
[AC2]vlan batch 10 100 1001
[AC2]int g0/0/1
[AC2-GigabitEthernet0/0/1]port link access
[AC2-GigabitEthernet0/0/1]port default vlan 1001
[AC2-GigabitEthernet0/0/1]int g0/0/2
[AC2-GigabitEthernet0/0/2]port link-type trunk
[AC2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 100
[AC2-GigabitEthernet0/0/2]quit
# Configure OSPF
[AC2]ospf 1 router-id 3.3.3.3
[AC2-ospf-1]a 0
# Configure VRRP and enable OSPF on the interfaces
[AC2-ospf-1-area-0.0.0.0]int vlan10
[AC2-Vlanif10]ip add 192.168.10.253 24
[AC2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[AC2-Vlanif10]ospf enable 1 area 0
[AC2-Vlanif10]int vlan 100
[AC2-Vlanif100]ip add 192.168.100.253 24
[AC2-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.254
[AC2-Vlanif100]ospf enable 1 area 0
[AC2-Vlanif100]int vlan 1001
[AC2-Vlanif1001]ip add 10.1.0.5 30
[AC2-Vlanif1001]ospf enable 1 area 0
[AC2-Vlanif1001]quit
4. With the above configuration done, the networks communicate normally and the VRRP master/backup election is complete.
[AC1]display vrrp brief
Total:2 Master:2 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Master Vlanif10 Normal 192.168.10.254
100 Master Vlanif100 Normal 192.168.100.254
[AC2]display vrrp brief
Total:2 Master:0 Backup:2 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Backup Vlanif10 Normal 192.168.10.254
100 Backup Vlanif100 Normal 192.168.100.254
AC configuration synchronization
5. Because ENSP cannot synchronize configuration between ACs, the wireless configuration must be completed manually.
- Complete AC2's wireless configuration:
# Complete the DHCP configuration
[AC2]dhcp enable
[AC2]ip pool vlan100
[AC2-ip-pool-vlan100] gateway-list 192.168.100.254
[AC2-ip-pool-vlan100] network 192.168.100.0 mask 255.255.255.0
[AC2-ip-pool-vlan100]ip pool vlan10
[AC2-ip-pool-vlan10] gateway-list 192.168.10.254
[AC2-ip-pool-vlan10] network 192.168.10.0 mask 255.255.255.0
[AC2-ip-pool-vlan10]quit
# Complete the wireless configuration
[AC2]capwap source ip-address 192.168.100.254
[AC2]wlan
# Security profiles
[AC2-wlan-view] security-profile name Temp
[AC2-wlan-sec-prof-Temp] security wpa2 psk pass-phrase Huawei@123 aes
[AC2-wlan-sec-prof-Temp] security-profile name AP1-wifi
[AC2-wlan-sec-prof-AP1-wifi] security-profile name ap3-wifi
[AC2-wlan-sec-prof-ap3-wifi] security wpa2 psk pass-phrase Huawei@123 aes
# SSID profiles
[AC2-wlan-sec-prof-ap3-wifi] ssid-profile name Temp
[AC2-wlan-ssid-prof-Temp] ssid Temp
[AC2-wlan-ssid-prof-Temp] ssid-profile name AP1-wifi
[AC2-wlan-ssid-prof-AP1-wifi] ssid AP1-wifi
[AC2-wlan-ssid-prof-AP1-wifi] ssid-profile name ap3-wifi
[AC2-wlan-ssid-prof-ap3-wifi] ssid ap3-wifi
# VAP profiles
[AC2-wlan-ssid-prof-ap3-wifi] vap-profile name Temp
[AC2-wlan-vap-prof-Temp] service-vlan vlan-id 10
[AC2-wlan-vap-prof-Temp] ssid-profile Temp
[AC2-wlan-vap-prof-Temp] security-profile Temp
[AC2-wlan-vap-prof-Temp] vap-profile name AP1-wifi
[AC2-wlan-vap-prof-AP1-wifi] service-vlan vlan-id 10
[AC2-wlan-vap-prof-AP1-wifi] ssid-profile AP1-wifi
[AC2-wlan-vap-prof-AP1-wifi] security-profile AP1-wifi
[AC2-wlan-vap-prof-AP1-wifi] vap-profile name ap3-wifi
[AC2-wlan-vap-prof-ap3-wifi] forward-mode tunnel
[AC2-wlan-vap-prof-ap3-wifi] service-vlan vlan-id 10
[AC2-wlan-vap-prof-ap3-wifi] ssid-profile ap3-wifi
[AC2-wlan-vap-prof-ap3-wifi] security-profile ap3-wifi
# AP groups
[AC2-wlan-vap-prof-ap3-wifi] ap-group name Temp
[AC2-wlan-ap-group-Temp] radio 0
[AC2-wlan-group-radio-Temp/0] vap-profile Temp wlan 1
[AC2-wlan-group-radio-Temp/0] radio 1
[AC2-wlan-group-radio-Temp/1] vap-profile Temp wlan 1
[AC2-wlan-group-radio-Temp/1] radio 2
[AC2-wlan-group-radio-Temp/2] vap-profile Temp wlan 1
[AC2-wlan-group-radio-Temp/2] ap-group name AP_NEW
[AC2-wlan-ap-group-AP_NEW] radio 0
[AC2-wlan-group-radio-AP_NEW/0] vap-profile ap3-wifi wlan 1
# AP MAC information
# AP1
[AC2-wlan-group-radio-AP_NEW/0] ap-id 0 type-id 60 ap-mac 00e0-fc8b-4c40 ap-sn 210235448310EB20CD46
[AC2-wlan-ap-0] ap-name AP1
[AC2-wlan-ap-0] radio 0
[AC2-wlan-radio-0/0] vap-profile AP1-wifi wlan 1
[AC2-wlan-radio-0/0] radio 1
[AC2-wlan-radio-0/1] vap-profile AP1-wifi wlan 1
[AC2-wlan-radio-0/1] radio 2
[AC2-wlan-radio-0/2] vap-profile AP1-wifi wlan 1
# AP3
[AC2-wlan-radio-0/2] ap-id 1 type-id 60 ap-mac 00e0-fc08-7a40 ap-sn 210235448310E615B914
[AC2-wlan-ap-1] ap-name AP3
[AC2-wlan-ap-1] ap-group AP_NEW
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:Y
# AP2
[AC2-wlan-ap-1] ap-id 2 type-id 60 ap-mac 00e0-fce1-77b0 ap-sn 210235448310B05E8C3A
[AC2-wlan-ap-2] ap-name AP2
[AC2-wlan-ap-2] ap-group AP_NEW
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
5.1. On real hardware, the following commands can be used to synchronize configuration:
# Configuration synchronization on AC1
[AC1-wlan-view] master controller
[AC1-master-controller] master-redundancy peer-ip ip-address 192.168.100.253 local-ip ip-address 192.168.100.252 psk Huawei@123
[AC1-master-controller] master-redundancy track-vrrp vrid 100 interface vlanif 100
[AC1-master-controller] quit
[AC1-wlan-view] quit
# Configuration synchronization on AC2
[AC2-wlan-view] master controller
[AC2-master-controller] master-redundancy peer-ip ip-address 192.168.100.252 local-ip ip-address 192.168.100.253 psk Huawei@123
[AC2-master-controller] master-redundancy track-vrrp vrid 100 interface vlanif 100
[AC2-wlan-view] quit
# Automatic configuration sync to the backup AC (starting at 01:00, interval 1440, i.e. every 24 hours)
[AC1-wlan-view] synchronize-configuration auto interval 1440 start-time 01:00:00
# Manual configuration sync
[AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y
# Check the configuration sync status
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
------------------------------------------------------------------------------------
192.168.100.252 Master AC6605 V200R021C00 cfg-mismatch(config check fail) -
-----------------------------------------------------------------------------------
Total: 1
VRRP hot standby configuration
6. After the AC configuration sync, configure the HSB service and bind it to VRRP to implement VRRP hot standby
Command reference
- HSB information exchange: which session information does the HSB group synchronize?
- access-user: NAC user session synchronization.
- dhcp: DHCP address binding synchronization; AC1 and AC2 have identical address pools, so this prevents the same address being assigned twice.
- ap: AP session synchronization.
- AC1 hot standby configuration
[AC1]hsb-service 0
[AC1-hsb-service-0]service-ip-port local-ip 192.168.100.252 peer-ip 192.168.100.253 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0]quit
[AC1]
[AC1]hsb-group 0
[AC1-hsb-group-0]bind-service 0
[AC1-hsb-group-0]track vrrp vrid 100 int vlan100
[AC1-hsb-group-0]quit
[AC1]
[AC1]hsb-service-type access-user hsb-group 0
[AC1]hsb-service-type dhcp hsb-group 0
[AC1]hsb-service-type ap hsb-group 0
[AC1]hsb-group 0
[AC1-hsb-group-0]hsb enable
- AC2 hot standby configuration
[AC2]hsb-service 0
[AC2-hsb-service-0]service-ip-port local-ip 192.168.100.253 peer-ip 192.168.100.252 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0]quit
[AC2]
[AC2]hsb-group 0
[AC2-hsb-group-0]bind-service 0
[AC2-hsb-group-0]track vrrp vrid 100 int vlan100
[AC2-hsb-group-0]quit
[AC2]
[AC2]hsb-service-type access-user hsb-group 0
[AC2]hsb-service-type dhcp hsb-group 0
[AC2]hsb-service-type ap hsb-group 0
[AC2]hsb-group 0
[AC2-hsb-group-0]hsb enable
Checking the configuration
7. Check the hot standby state and the AP onboarding state
[AC1]display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 192.168.100.252
Peer IP Address : 192.168.100.253
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected # connected to the peer
Service Batch Modules :
----------------------------------------------------------
[AC1]
[AC1]display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 100
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master # this AC is the hot standby master
Group Status : Active # the master is active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10SPC300B220
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
[AC1]dis ap all
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 00e0-fc8b-4c40 AP1 default 192.168.100.228 AP4030TN nor 0 -
1 00e0-fc08-7a40 AP3 AP_NEW 192.168.200.253 AP4030TN nor 0 -
2 00e0-fce1-77b0 AP2 AP_NEW 192.168.255.253 AP4030TN nor 0 -
--------------------------------------------------------------------------------
[AC2]display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 192.168.100.253
Peer IP Address : 192.168.100.252
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected # connected
Service Batch Modules :
----------------------------------------------------------
[AC2]display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 100
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup # this AC is the hot standby backup
Group Status : Inactive # the backup is inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C10SPC300B220
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
[AC2]dis ap all
# The AP state is nor on the active AC and stdby on the standby AC.
# When the active AC fails, the standby AC can immediately establish CAPWAP tunnels with the APs and communicate with them.
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 00e0-fc8b-4c40 AP1 default 192.168.100.228 AP4030TN stdby 0 -
1 00e0-fc08-7a40 AP3 AP_NEW 192.168.200.253 AP4030TN stdby 0 -
2 00e0-fce1-77b0 AP2 AP_NEW 192.168.255.253 AP4030TN stdby 0 -
--------------------------------------------------------------------------------
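Both the Layer 2 onboarding check earlier (every AP showing State nor in display ap all) and the hot standby check just above (nor on the active AC, stdby on the standby AC) come down to reading the display ap all table. The following Python script is an added example, not part of the original notes: it parses the whitespace-separated table as printed on this page into a dictionary keyed by AP name, lists APs that are not in an expected state, and compares the active and standby ACs' views, reporting APs in the wrong state or missing from one side. The embedded sample tables are constructed from the two outputs above; the column layout (ID MAC Name Group IP Type State STA Uptime) is assumed to be the only format it has to handle.

```python
import re

# One AP row of "display ap all": ID MAC Name Group IP Type State STA Uptime.
AP_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
)

# Constructed sample input, copied from the active/standby outputs shown above.
ACTIVE_AC_OUTPUT = """\
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 00e0-fc8b-4c40 AP1 default 192.168.100.228 AP4030TN nor 0 -
1 00e0-fc08-7a40 AP3 AP_NEW 192.168.200.253 AP4030TN nor 0 -
2 00e0-fce1-77b0 AP2 AP_NEW 192.168.255.253 AP4030TN nor 0 -
--------------------------------------------------------------------------------
"""

STANDBY_AC_OUTPUT = """\
# The AP state is nor on the active AC and stdby on the standby AC.
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 00e0-fc8b-4c40 AP1 default 192.168.100.228 AP4030TN stdby 0 -
1 00e0-fc08-7a40 AP3 AP_NEW 192.168.200.253 AP4030TN stdby 0 -
2 00e0-fce1-77b0 AP2 AP_NEW 192.168.255.253 AP4030TN stdby 0 -
--------------------------------------------------------------------------------
"""


def parse_display_ap_all(text):
    """Return {ap_name: {...}} for every AP row; headers, separators and comments are skipped."""
    aps = {}
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if not m:
            continue
        ap_id, mac, name, group, ip, ap_type, state, sta, uptime = m.groups()
        aps[name] = {
            "id": int(ap_id), "mac": mac.lower(), "group": group, "ip": ip,
            "type": ap_type, "state": state.lower(), "sta": int(sta), "uptime": uptime,
        }
    return aps


def aps_not_in_state(text, expected_state):
    """Names of APs whose State column differs from expected_state (e.g. 'nor')."""
    return sorted(name for name, ap in parse_display_ap_all(text).items()
                  if ap["state"] != expected_state.lower())


def check_hot_standby_pair(active_text, standby_text):
    """Compare the two ACs' views; an empty list means the pair looks healthy."""
    active = parse_display_ap_all(active_text)
    standby = parse_display_ap_all(standby_text)
    problems = []
    for name, ap in active.items():
        if ap["state"] != "nor":
            problems.append(f"{name}: state '{ap['state']}' on active AC, expected 'nor'")
        if name not in standby:
            problems.append(f"{name}: managed by active AC but absent from standby AC")
        elif standby[name]["mac"] != ap["mac"]:
            problems.append(f"{name}: MAC differs between ACs ({ap['mac']} vs {standby[name]['mac']})")
    for name, ap in standby.items():
        if name not in active:
            problems.append(f"{name}: present on standby AC but absent from active AC")
        elif ap["state"] != "stdby":
            problems.append(f"{name}: state '{ap['state']}' on standby AC, expected 'stdby'")
    return problems


if __name__ == "__main__":
    for line in check_hot_standby_pair(ACTIVE_AC_OUTPUT, STANDBY_AC_OUTPUT) or ["pair OK"]:
        print(line)
```

For the single-AC case, `aps_not_in_state(output, "nor")` is the whole check; for the VRRP pair, feed each AC's output into `check_hot_standby_pair` after a failover test as well, when the expected states swap.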
(2) Dual-AC dual-link cold standby
Dual-AC dual-link cold standby: AC redundancy achieved by manually configuring an ap-system-profile that assigns each AP a primary AC and a backup AC.
Cold standby: the ACs do not synchronize service information (for example wireless client MAC information), so after the primary AC fails, the AP's clients must reconnect to the Wi-Fi before they can communicate again.
Command overview:
- Create two ap-system-profile profiles: the primary profile uses AC1 as the primary AC, the backup profile uses AC2 as the primary AC.
# Create the primary and backup profiles
wlan
ap-system-profile name master
primary-access ip-address 192.168.100.252
backup-access ip-address 192.168.100.253
ap-system-profile name slave
primary-access ip-address 192.168.100.253
backup-access ip-address 192.168.100.252
- Bind the profiles
# Bind a profile to an AP group, or to an individual AP
wlan
ap-group name AP_NEW
ap-system-profile master
ap-id 1
ap-system-profile slave
- Enable dual-AC dual-link cold standby
wlan
ac protect enable
Configuration case
- Following the diagram, configure dual-AC dual-link cold standby for AP2 and AP3.
- The gateway of service VLAN10 is on switch LSW2, so direct forwarding is used.
Basic network configuration (AC1 as the example)
- With direct forwarding, wireless client traffic does not pass through the AC; it goes straight to the gateway.
- So the AC needs neither a VLAN10 IP address nor vlan10 allowed on its trunk.
[AC1]vlan batch 10 100
[AC1]int vlan 100
[AC1-Vlanif100]ip add 192.168.100.252 24
[AC1-Vlanif100]quit
[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1]quit
Basic wireless configuration (AC1 as the example)
- Specify the AC management address, configure the wireless service, add the AP MAC information offline, and so on.
[AC1]capwap source int vlan 100
[AC1]wlan
[AC1-wlan-view]ssid name temp
[AC1-wlan-ssid-prof-temp]ssid temp
[AC1-wlan-ssid-prof-temp]security name temp
[AC1-wlan-sec-prof-temp]security open
[AC1-wlan-sec-prof-temp]vap-profile name temp
[AC1-wlan-vap-prof-temp]ssid temp
[AC1-wlan-vap-prof-temp]security temp
[AC1-wlan-vap-prof-temp]service-vlan vlan-id 10
[AC1-wlan-vap-prof-temp]forward-mode direct-forward
[AC1-wlan-vap-prof-temp]quit
[AC1-wlan-view]ap-group name temp
[AC1-wlan-ap-group-temp]vap-profile temp wlan 1 radio 0
[AC1-wlan-ap-group-temp]quit
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc38-8020
[AC1-wlan-ap-1]ap-name AP1
[AC1-wlan-ap-1]ap-group temp
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
[AC1-wlan-ap-1]ap-id 2 ap-mac 00e0-fc64-6290
[AC1-wlan-ap-2]ap-name AP2
[AC1-wlan-ap-2]ap-group temp
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Dual-AC dual-link configuration
- AC1 and AC2 are configured identically; AC1 is shown.
[AC1]wlan
[AC1-wlan-view]ap-system-profile name master
[AC1-wlan-ap-system-prof-master]primary-access ip-address 192.168.100.252
[AC1-wlan-ap-system-prof-master]backup-access ip-address 192.168.100.253
[AC1-wlan-ap-system-prof-master] ap-system-profile name slave
[AC1-wlan-ap-system-prof-slave] primary-access ip-address 192.168.100.253
[AC1-wlan-ap-system-prof-slave] backup-access ip-address 192.168.100.252
[AC1-wlan-ap-system-prof-slave]quit
[AC1-wlan-view]ap-id 1
[AC1-wlan-ap-1]ap-system-profile master
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ap-1]ap-id 2
[AC1-wlan-ap-2]ap-system-profile slave
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ap-2]quit
[AC1-wlan-view]ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
- After a while the APs come back online; check the AP state again.
- If it matches the following, the configuration succeeded.
- AC1 is the primary for AP1 (nor) and the backup for AP2 (stdby).
[AC1-wlan-view]dis ap all
-------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------
1 00e0-fc38-8020 AP1 temp 192.168.100.251 AP4030TN nor 1 2M:4S
2 00e0-fc64-6290 AP2 temp 192.168.100.250 AP4030TN stdby 0 -
[AC2-wlan-view]dis ap all
------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
------------------------------------------------------------------------
1 00e0-fc38-8020 AP1 temp 192.168.100.251 AP4030TN stdby 0 -
2 00e0-fc64-6290 AP2 temp 192.168.100.250 AP4030TN nor 0 1M:55S
Note: in ENSP the APs may need to be restarted manually, because the reboot triggered by ac protect enable may not succeed.
If that still does not work, try restarting the AC; ENSP has many bugs.
The following situation is one where the APs must be restarted manually:
(3) Dual-AC dual-link hot standby
The biggest difference between hot and cold standby is that hot standby uses the HSB service to synchronize service information, so that after the primary AC fails the backup AC can keep ongoing services running without interruption.
- The basic commands are the same as for cold standby; only the following HSB service needs to be added:
# Configure the HSB service
hsb-service 0
service-ip-port local-ip <local-IP> peer-ip <peer-IP> local-data-port 10241 peer-data-port 10241
# Synchronize service information, selecting the hsb-service
hsb-service-type access-user hsb-service 0
hsb-service-type ap hsb-service 0
# In ENSP, DHCP cannot be synchronized through the hsb-service, only through an hsb-group
hsb-service-type dhcp hsb-group 0
Configuration case (continued)
Continuing from the dual-AC dual-link cold standby setup, convert it to hot standby:
On AC1:
[AC1]hsb-service 0
[AC1-hsb-service-0]service-ip-port local-ip 192.168.100.252 peer-ip 192.168.100.253 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0]quit
# Hot standby synchronizes NAC login users and AP information
[AC1]hsb-service-type access-user hsb-service 0
[AC1]hsb-service-type ap hsb-service 0
On AC2:
[AC2]hsb-service 0
[AC2-hsb-service-0]service-ip-port local-ip 192.168.100.253 peer-ip 192.168.100.252 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0]quit
[AC2]hsb-service-type access-user hsb-service 0
[AC2]hsb-service-type ap hsb-service 0
Check the HSB service state:
- State Connected is normal; Disconnected is abnormal.
[AC1]dis hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 192.168.100.252
Peer IP Address : 192.168.100.253
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : Access-user
AP
----------------------------------------------------------
[AC2]dis hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 192.168.100.253
Peer IP Address : 192.168.100.252
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : Access-user
AP
----------------------------------------------------------