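Lab topology
Configuration approach
- Configure the AR, the AC and the switch: plan the VLANs and establish Layer 3 connectivity.
- Configure DHCP for the APs and the users. The APs discover the AC through option 43; set up the internal routes so that the AC and the APs can communicate.
- Bring the APs online:
  1. Create the AP groups: AP1 and AP2 go into work_ap, AP3 goes into boss_ap;
  2. Create a regulatory domain profile (country code) and bind it to the corresponding AP groups;
  3. Configure the SSID profiles, security profiles and VAP profiles, then bind them inside the AP groups.
- Configure the AR to reach the ISP through NAT so that end devices can access the Internet.
Procedure
AR configuration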
#
acl number 2000 # configure an ACL that matches user traffic
rule 1 permit source 192.168.30.0 0.0.0.255
rule 2 permit source 192.168.40.0 0.0.0.255
#
interface Serial1/0/0
link-protocol ppp
ip address 10.12.1.1 255.255.255.0
nat outbound 2000 # NAT translation on the interface
#
interface GigabitEthernet0/0/1
ip address 172.16.60.1 255.255.255.0
ospf enable 10 area 0.0.0.0 # enable the OSPF process on the interface
#
interface GigabitEthernet0/0/2
ip address 172.16.50.1 255.255.255.0
ospf enable 10 area 0.0.0.0
#
ospf 10 router-id 1.1.1.1
default-route-advertise always # advertise the default route into OSPF
area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 10.12.1.2 # default route
#
SW configuration
#
vlan batch 10 30 60 # create the VLANs in a batch
#
ip pool work_pool # address pool for Work_AP1 and Work_AP2
gateway-list 172.16.10.254 # gateway
network 172.16.10.0 mask 255.255.255.0 # address range
lease day 10 hour 0 minute 0 # lease of 10 days
option 43 sub-option 3 ascii 1.1.1.1 # APs discover the AC through option 43
#
ip pool work_user # address pool for the users of Work_AP1 and Work_AP2
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
lease day 0 hour 8 minute 0
dns-list 114.114.114.114
#
interface Vlanif10
ip address 172.16.10.254 255.255.255.0
ospf enable 10 area 0.0.0.0
dhcp select global # enable DHCP from the global address pool on the interface
#
interface Vlanif30
ip address 192.168.30.254 255.255.255.0
ospf enable 10 area 0.0.0.0
dhcp select global
#
interface Vlanif60
ip address 172.16.60.2 255.255.255.0
ospf enable 10 area 0.0.0.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 60 # set the PVID for communication between the AR and the SW
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10 # set the PVID so that the AP can obtain an address
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 2 to 4094
#
ospf 10 router-id 3.3.3.3
area 0.0.0.0
#
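An added check, not part of the original lab: every trunk on the SW uses `port trunk allow-pass vlan 2 to 4094`, while `vlan batch` creates only VLANs 10, 30 and 60. The Python sketch below parses a constructed copy of the SW trunk configuration from this page and reports, per port, how many VLANs are allowed and which of them exist on the switch, as a starting point for pruning the allow list. The function names `expand` and `audit_trunks` are hypothetical.

```python
# Constructed sample: the SW VLAN and trunk lines from this page, comments removed.
SW_CONFIG = """\
vlan batch 10 30 60
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 60
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 2 to 4094
"""

def expand(tokens):
    """Expand a VRP VLAN list such as ['2', 'to', '4094'] or ['10', '30'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        lo = hi = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi, i = int(tokens[i + 2]), i + 2
        vlans.update(range(lo, hi + 1))
        i += 1
    return vlans

def audit_trunks(config):
    """Return {port: (allowed_count, locally_created_vlans)} for over-permissive trunks."""
    created, allowed, iface = set(), {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["vlan", "batch"]:
            created |= expand(words[2:])
        elif words[:1] == ["interface"]:
            iface = words[1]
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"] and iface:
            allowed[iface] = expand(words[4:])
    # Flag only trunks that allow VLANs the switch never created.
    return {p: (len(a), sorted(a & created)) for p, a in allowed.items() if a - created}

for port, (count, keep) in audit_trunks(SW_CONFIG).items():
    print(f"{port}: allows {count} VLANs, only {keep} exist locally")
```

The reported list is an upper bound: each trunk should be narrowed further to the VLANs that link actually carries.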
AC configuration
#
vlan batch 20 40 50
#
ip pool boss_pool
gateway-list 172.16.20.254
network 172.16.20.0 mask 255.255.255.0
lease day 10 hour 0 minute 0
option 43 sub-option 3 ascii 1.1.1.1
#
ip pool boss
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
lease day 0 hour 6 minute 0
dns-list 114.114.114.114
#
interface Vlanif20
ip address 172.16.20.254 255.255.255.0
ospf enable 10 area 0.0.0.0
dhcp select global
#
interface Vlanif40
ip address 192.168.40.254 255.255.255.0
ospf enable 10 area 0.0.0.0
dhcp select global
#
interface Vlanif50
ip address 172.16.50.2 255.255.255.0
ospf enable 10 area 0.0.0.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 50
port trunk allow-pass vlan 2 to 4094
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
ospf enable 10 area 0.0.0.0
#
ospf 10 router-id 2.2.2.2
area 0.0.0.0
#
capwap source interface loopback0 # use the loopback as the tunnel source address on the AC
#
wlan # configuration for bringing the APs online
regulatory-domain-profile name huaweido # create the regulatory domain profile
ap-group name boss_ap
regulatory-domain-profile huaweido
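ap-group name work_ap # create the AP group
regulatory-domain-profile huaweido # bind the regulatory domain profile to the AP group
[AC-wlan-view]dis ap unauthorized record # view the automatically discovered APs
[AC-wlan-view]ap-confirm all # confirm all APs so that they come online
[AC-wlan-view]ap-id 0 # enter the view of the online AP 0
[AC-wlan-ap-0]ap-name xxxx # set the name of this AP
[AC-wlan-ap-0]ap-group xxxx # add this AP to an AP group
#display ap all # view AP information
security-profile name bosssec # create the security profile
security wpa2 psk pass-phrase XXXXX aes # set the passphrase XXXXXX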
security-profile name worksec
security wpa2 psk pass-phrase XXXX aes
ssid-profile name boss # create the SSID profile
ssid boss # set the Wi-Fi name
ssid-profile name work
ssid work
vap-profile name boss # create the VAP profile
forward-mode tunnel # tunnel (centralized) forwarding
service-vlan vlan-id 40 # user VLAN
ssid-profile boss # bind the SSID profile
security-profile bosssec # bind the security profile
vap-profile name work
forward-mode direct-forward # direct (local) forwarding
service-vlan vlan-id 30
ssid-profile work
security-profile worksec
[AC-wlan-ap-group-work_ap]dis th # enter the AP group and bind the VAP profile to the radios
#
regulatory-domain-profile huaweido
radio 0
vap-profile work wlan 1
radio 1
vap-profile work wlan 1
radio 2
vap-profile work wlan 1
#
[AC-wlan-ap-group-boss_ap]dis th
#
regulatory-domain-profile huaweido
radio 0
vap-profile boss wlan 1
radio 1
vap-profile boss wlan 1
radio 2
vap-profile boss wlan 1
#
Testing the result
A small hiccup at the end: the SW went down...
So we can only look at the result on STA3: