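1. The loopback1 IPv4 and IPv6 addresses of AC1 serve as AC1's IPv4 and IPv6 management addresses. APs register automatically at layer 2, and APs are authenticated by MAC address. Configure two SSIDs, skills-2.4G and skills-5G. skills-2.4G maps to vlan140 and uses network 140 and radio1 (mode n-only-g); users joining the wireless network must use WPA-personal encryption, with the password Key-1122. skills-5G maps to vlan150 and uses network 150 and radio2 (mode n-only-a); it requires no authentication, hides the SSID, and uses the last available VAP to transmit the 5G signal.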
AC
int e1/0/1
switchport mode trunk
switchport trunk native vlan 130
exi
wireless
no auto-ip-assign
discovery vlan-list 130
static-ip 10.13.130.1
static-ipv6 2001:10:13:130::1
ap authentication mac
enable
ap database 00-03-0f-ef-6d-e0
exi
network 140
ssid skills-2.4G
vlan 140
wpa key Key-1122
security mode wpa-personal
exi
ap profile 1
radio 1
mode n-only-g
exi
exi
network 150
ssid skills-5G
vlan 150
hide-ssid
security mode none
exi
ap profile 1
radio 2
mode n-only-a
vap 15
network 150
enable
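2. When an AP comes online, if the image version stored on the AC differs from the AP's image version, an automatic AP upgrade is triggered. The AP failure status timeout and the detected client status timeout are both 2 hours.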
AC(config-wireless)#ap auto-upgrade
AC(config-wireless)#agetime ad-hoc 2
AC(config-wireless)#agetime ap-failure 2
AC(config-wireless)#ap profile 1
AC(config-ap-profile)#radio 1
AC(config-ap-profile-radio)#beacon-interval 1000
AC(config-ap-profile-radio)#exi
AC(config-ap-profile)#radio 2
AC(config-ap-profile-radio)#beacon-interval 1000
AC(config-ap-profile-radio)#exi
AC(config-ap-profile)#exi
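3. To keep excessive security authentication connections from consuming CPU resources when many APs connect to the AC, once an AP is detected establishing 5 connections to the AC within 10 minutes, no further connections are allowed; normal operation resumes after 2 hours.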
Wireless
wireless ap anti-flood interval 10 (interval)
wireless ap anti-flood max-conn-count 5 (maximum connection count)
wireless ap anti-flood agetime 120 (returns to normal after two hours; unit: minutes)
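4. Configure wireless users on vlan110 to be isolated from one another, enable ARP suppression, and deny terminal access from 00:00 to 04:00 every day.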
Wireless
network 110
arp-suppression //(enable ARP suppression)
time-limit from 00:00 to 04:00 weekday all //(deny terminal access)
station-isolation //(isolate users from one another)
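An added example, not part of the original answers: a small offline audit of the network blocks from tasks 1 and 4, reporting the security-relevant settings per network. The function names parse_networks and audit, and the 12-character passphrase threshold, are assumptions made for illustration.

```python
import re

SAMPLE = """\
network 140
wpa key Key-1122
security mode wpa-personal
exi
network 150
hide-ssid
security mode none
exi
ap profile 1
radio 2
vap 15
network 150
exi
exi
exi
network 110
station-isolation
"""  # constructed from the page's task 1 and task 4 commands, not a device dump

def parse_networks(text):
    """Map network id -> settings, ignoring VAP bindings under 'ap profile'."""
    nets, cur, depth = {}, None, 0  # depth > 0 means inside an ap profile
    for line in (l.strip().lower() for l in text.splitlines()):
        if line.startswith("ap profile") or (depth and re.match(r"(radio|vap) \d+", line)):
            depth, cur = depth + 1, None
        elif line in ("exi", "exit"):
            depth, cur = max(depth - 1, 0), None
        elif not depth and (m := re.match(r"network (\d+)$", line)):
            cur = nets.setdefault(int(m.group(1)), [])
        elif cur is not None:
            cur.append(line)
    return nets

def audit(text, min_key_len=12):  # 12 is an assumed policy value, not from the page
    out = {}
    for nid, cfg in parse_networks(text).items():
        f = out.setdefault(nid, [])
        if "security mode none" in cfg:
            f.append("open network: traffic is unencrypted")
            if "hide-ssid" in cfg:
                f.append("hide-ssid is not access control")
        if any(c.startswith("wpa key ") and len(c.split()[-1]) < min_key_len for c in cfg):
            f.append("short WPA passphrase")
        if "station-isolation" not in cfg:
            f.append("no station-isolation")
    return out
```

Calling audit(SAMPLE) returns a dictionary keyed by network number; network 110 comes back with an empty list because station-isolation is set and no open or WPA setting appears in its block.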
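5. Configure a maximum upstream and downstream bandwidth of 800Mbps for wireless users on vlan110, and a maximum upstream and downstream ARP rate of 6 packets/s.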
wireless
ap client-qos
network 110
client-qos enable
client-qos bandwidth-limit up 800000
client-qos bandwidth-limit down 800000
client-qos bandwidth-limit arp down 6
client-qos bandwidth-limit arp up 6
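6. For wireless users on vlan110, during working hours (weekdays 09:00-17:00), configure Internet https access with an upstream and downstream CIR of 1Mbps, a CBS of 20Mbps and a PBS of 30Mbps, with both exceed-action and violate-action set to drop. The time range name, access list name, class name and policy name are all Skills.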
AC1
time-range Skills
periodic weekdays 09:00:00 to 17:00:00
Exit
ip access-list extended Skills
permit ip 10.17.110.0 0.0.0.255 any-destination time-range Skills
Exit
class-map Skills
match access-group Skills
exit
policy-map Skills
class Skills
policy 1000 20000 30000 exceed-action drop violate-action drop
exit
Wireless
network 110
client-qos diffserv-policy down Skills
client-qos diffserv-policy up Skills
7. The AP transmit power is 90%.
Wireless
Ap profile 1
radio 1
power default 90
Exit
radio 2
power default 90