Information Security and Attack/Defense: DCWS Configuration
2019-05-30
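1. On the wireless controller DCWS, configure VLAN 101 as the management VLAN, with the second address used as the AP's management address; configure Layer 2 manual AP registration with serial-number authentication enabled. The interface connected to the AP must not use TRUNK mode.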
DCWS-6028(config-vlan10)#vlan 101
DCWS-6028(config-vlan101)#vlan 100
DCWS-6028(config-if-vlan101)#ip address 192.168.101.1 255.255.255.0
DCWS-6028(config-vlan100)#int e 1/0/3
DCWS-6028(config-if-ethernet1/0/3)#switchport mode hybrid
DCWS-6028(config-if-ethernet1/0/3)#switchport hybrid native vlan 101
DCWS-6028(config-if-ethernet1/0/3)#switchport hybrid allowed vlan 101 untag
DCWS-6028(config)#service dhcp
DCWS-6028(config)#ip dhcp pool vlan101
DCWS-6028(dhcp-vlan101-config)#network-address 192.168.101.0 255.255.255.0
DCWS-6028(dhcp-vlan101-config)#default-router 192.168.101.1
DCWS-6028(config)#ip dhcp pool vlan100
DCWS-6028(dhcp-vlan100-config)#network-address 192.168.100.0 255.255.255.0
DCWS-6028(dhcp-vlan100-config)#default-router 192.168.100.254
DCWS-6028(dhcp-vlan100-config)#exit
DCWS-6028(config)#int vlan 100
DCWS-6028(config-if-vlan100)#ip address 192.168.100.254 255.255.255.0
DCWS-6028#show ip dhcp binding # view the IP address obtained from the AC and the AP's MAC address
Total dhcp binding items: 1, the matched: 1
IP address Hardware address Lease expiration Type
192.168.101.2 00-03-0F-84-12-30 Mon Jan 02 00:15:00 2006 Dynamic
DCWS-6028(config-wireless)#ap authentication serial-num # serial-number authentication
DCWS-6028#telnet 192.168.101.2 # log in to the AP
WLAN-AP login: admin
Password:admin
WLAN-AP# get system # view the AP serial number
serial-number WL020420HC15000186 # AP serial number
DCWS-6028(config-wireless)#ap database 00-03-0F-84-12-30
DCWS-6028(config-ap)#serial-num WL020420HC15000186
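2. Configure the DHCP service on the wireless controller DCWS, with the first ten addresses reserved; wireless users in VLAN 10 and 20 and wired users in VLAN 30 and 40 obtain their IP addresses dynamically from the DCWS.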
DCWS-6028(config)#ip dhcp excluded-address 192.168.101.1 192.168.101.10
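Added example (not part of the original walkthrough and not a DCN tool): a Python check that parses the commands entered for tasks 1 and 2, with prompts stripped, and reports an AP-facing port in trunk mode, disabled serial-number authentication, an AP database entry without a serial number, or a DHCP pool whose first ten addresses are not excluded. The function name `audit`, the `ap_ports` parameter and the sample input are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: commands from the walkthrough above, prompts stripped.
SAMPLE = """\
int e 1/0/3
switchport mode hybrid
ip dhcp excluded-address 192.168.101.1 192.168.101.10
ip dhcp pool vlan101
network-address 192.168.101.0 255.255.255.0
ip dhcp pool vlan100
network-address 192.168.100.0 255.255.255.0
ap authentication serial-num
ap database 00-03-0F-84-12-30
serial-num WL020420HC15000186
"""

def audit(config, ap_ports=("e 1/0/3",)):
    """Return findings for tasks 1 and 2 (hypothetical helper, not a DCN tool)."""
    findings, excluded, pools, aps = [], set(), {}, {}
    iface = pool = ap = None
    serial_auth = False
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"(?:interface|int)\s+(.+)", line):
            iface = m.group(1)
        elif line == "switchport mode trunk" and iface in ap_ports:
            findings.append(f"{iface}: trunk mode on AP-facing interface")
        elif m := re.match(r"ip dhcp excluded-address (\S+) (\S+)", line):
            lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
            excluded.update(range(lo, hi + 1))
        elif m := re.match(r"ip dhcp pool (\S+)", line):
            pool = m.group(1)
        elif pool and (m := re.match(r"network-address (\S+) (\S+)", line)):
            pools[pool] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif line == "ap authentication serial-num":
            serial_auth = True
        elif m := re.match(r"ap database (\S+)", line):
            ap = m.group(1)
            aps[ap] = None
        elif ap and (m := re.match(r"serial-num (\S+)", line)):
            aps[ap] = m.group(1)
    if not serial_auth:
        findings.append("serial-number authentication is not enabled")
    findings += [f"AP {mac}: no serial-num in AP database" for mac, sn in aps.items() if sn is None]
    for name, net in pools.items():
        first = int(net.network_address) + 1  # first host address of the pool
        if not set(range(first, first + 10)) <= excluded:
            findings.append(f"pool {name}: first ten addresses not all excluded")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the only finding is for pool vlan100, because the single excluded range entered above covers 192.168.101.1 to 192.168.101.10 only.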
3. Configure the SSIDs under NETWORK with the following requirements:
1) Set SSID DCN2019 on VLAN 10, with encryption mode wpa-personal and passphrase DCNE2011;
DCWS-6028(config)#wireless
DCWS-6028(config-wireless)#network 1
DCWS-6028(config-network)#ssid DCN2019
DCWS-6028(config-network)#vlan 10
DCWS-6028(config-network)#security mode wpa-personal
DCWS-6028(config-network)#wpa key DCNE2011
2) Set SSID GUEST on VLAN 20 with no authentication or encryption, and configure it so that the SSID is hidden
DCWS-6028(config-wireless)#network 2
DCWS-6028(config-network)#ssid GUEST
DCWS-6028(config-network)#vlan 20
DCWS-6028(config-network)#hide-ssid
3. Configure SSID GUEST to deny client access every day from 0:00 to 6:00 in the morning
DCWS-6028(config-network)#time-limit from 0:0 to 6:0 weekday all
4. Enable multicast-to-unicast under SSID DCN2019; when a multicast group has more than 8 members, the multicast M2U function is turned off
DCWS-6028(config-network)#m2u threshold 8
5. Enable ARP suppression, automatic forced roaming, and the dynamic blacklist
DCWS-6028(config-network)#arp-suppression
DCWS-6028(config-wireless)#force-roaming mode auto
DCWS-6028(config-wireless)#dynamic-blacklist