Comprehensive Example: Configuring Unified Access for Wired and Wireless Users
Networking Diagram
Figure 1 Networking diagram for unified wired and wireless user access
- Service Requirements
- Networking Requirements
- Data Planning
- Configuration Roadmap
- Configuration Notes
- Procedure
- Configuration Files
Service Requirements
In real deployments, wired and wireless networks usually coexist. In an office area, for example, PCs and printers typically connect to the network over wires, while laptops, mobile phones and other mobile devices connect wirelessly. Deploying unified wired and wireless user access serves both wired and wireless users at the same time and lets them be managed centrally.
A hospital needs to deploy both wired and wireless networks in its building. To simplify management and maintenance, the administrator wants to manage wired and wireless users centrally on the AC: wired users are admitted without authentication, wireless users are authenticated through Portal authentication, and wireless users can roam within the AC.
Networking Requirements
As shown in Figure 1, the AC connects upstream to the egress gateway Router and downstream, through the access switches S5700-1 and S5700-2, to the APs it manages. S5700-1 is deployed on the first floor and S5700-2 on the second floor. An AP2030DN is deployed in each room to provide both wired and wireless access for the users in that room, and AP5030DN units are deployed in the corridors to provide wireless coverage. S5700-1 and S5700-2 are both PoE switches and power the connected APs.
The AC acts as the DHCP server and allocates IP addresses to the APs, STAs and PCs.
Data Planning
Table 1 Network data plan
| Device | Interface | VLANs | Description |
| --- | --- | --- | --- |
| AC | GE1/0/1 | 100, 201 | Connects to S5700-1 |
| AC | GE1/0/2 | 100, 202 | Connects to S5700-2 |
| AC | GE1/0/3 | 200 | Connects to Agile Controller |
| AC | GE1/0/4 | 300 | Connects to the egress gateway |
| S5700-1 | GE0/0/1 | 100, 201 | Connects to the AC |
| S5700-1 | GE0/0/2 | 100, 201 | Connects to AP101 |
| S5700-1 | GE0/0/3 | 100, 201 | Connects to AP102 |
| S5700-1 | GE0/0/4 | 100, 201 | Connects to AP103 |
| S5700-2 | GE0/0/1 | 100, 202 | Connects to the AC |
| S5700-2 | GE0/0/2 | 100, 202 | Connects to AP201 |
| S5700-2 | GE0/0/3 | 100, 202 | Connects to AP202 |
| S5700-2 | GE0/0/4 | 100, 202 | Connects to AP203 |
| AP101, AP102 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 201 | GE0/0/0 connects to S5700-1; Eth0/0/0 and Eth0/0/1 connect to downstream wired users. AP101 and AP102 are AP2030DN units deployed in first-floor rooms and provide both wired and wireless access |
| AP103 | - | - | AP103 is an AP5030DN deployed in the first-floor corridor and provides wireless access |
| AP201, AP202 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 202 | GE0/0/0 connects to S5700-2; Eth0/0/0 and Eth0/0/1 connect to downstream wired users. AP201 and AP202 are AP2030DN units deployed in second-floor rooms and provide both wired and wireless access |
| AP203 | - | - | AP203 is an AP5030DN deployed in the second-floor corridor and provides wireless access |
Table 2 Service data plan (profile names and server parameters are those used in the procedure below)
| Item | Data | Description |
| --- | --- | --- |
| AC source interface IP address | 10.23.100.1/24 | - |
| AP groups | Names: ap-group1, ap-group2. Referenced profiles: regulatory domain profile domain1 (both groups); VAP profile wlan-vap1 (ap-group1) and wlan-vap2 (ap-group2) | - |
| Portal access profile | Name: portal1 | - |
| Authentication profile | Name: portal1 | - |
| Regulatory domain profile | Name: domain1 | - |
| AP wired port profiles | Names: wired1, wired2, wired3, wired4 | - |
| Security profile | Name: wlan-security | - |
| SSID profile | Name: wlan-ssid | - |
| Traffic profile | Name: traffic1 | - |
| VAP profiles | Name: wlan-vap1 | Used for first-floor wireless coverage |
| VAP profiles | Name: wlan-vap2 | Used for second-floor wireless coverage |
| DHCP server | The AC acts as the DHCP server and allocates addresses to APs, STAs and PCs | - |
| AP gateway and IP address pool | VLANIF100: 10.23.100.1/24; pool 10.23.100.2 to 10.23.100.254/24 | - |
| Wireless user gateways and IP address pools | VLANIF101: 10.23.101.1/24; pool 10.23.101.2 to 10.23.101.254/24 | - |
| Wireless user gateways and IP address pools | VLANIF102: 10.23.102.1/24; pool 10.23.102.2 to 10.23.102.254/24 | - |
| Wired user gateways and IP address pools | VLANIF201: 10.23.201.1/24; pool 10.23.201.2 to 10.23.201.254/24 | - |
| Wired user gateways and IP address pools | VLANIF202: 10.23.202.1/24; pool 10.23.202.2 to 10.23.202.254/24 | - |
| Server parameters | Authentication server: 10.23.200.1, port 1812. Accounting server: 10.23.200.1, port 1813. Authorization server: 10.23.200.1. Portal server: 10.23.200.1, port 50100, URL http://10.23.200.1:8080/portal | - |
Table 3 Radio channel and power plan
| Item | Data | Description |
| --- | --- | --- |
| AP101 | Radio 0: channel 1, power level 10 | Use the WLAN Planner tool to plan the location of each AP and the working channel and power of each radio; set the channel mode and power mode to fixed and configure a channel and power for each AP. |
| AP102 | Radio 0: channel 6, power level 10 | |
| AP103 | Radio 0: channel 11, power level 10; Radio 1: channel 153, power level 10 | |
| AP201 | Radio 0: channel 1, power level 10 | |
| AP202 | Radio 0: channel 6, power level 10 | |
| AP203 | Radio 0: channel 11, power level 10; Radio 1: channel 157, power level 10 | |
Configuration Roadmap
Configure unified wired and wireless user access as follows:
- Configure the network devices so that the APs, the access switches S5700-1 and S5700-2, the AC and the upstream network devices can communicate.
- Configure the AC as the DHCP server to allocate IP addresses to the APs, wired users and wireless users.
- Configure the RADIUS server authentication, accounting and authorization templates and Portal authentication.
- Configure basic WLAN services, including AC system parameters, AP management on the AC and WLAN service parameters.
- Configure the VAPs and deliver the configuration.
Configuration Notes
- Pure multicast frames have no ACK protection on the wireless air interface (the protocol does not provide one), and the air-interface link is unstable, so they are usually sent at a low rate to be delivered reliably. If a large volume of abnormal multicast traffic floods in from the network side, it congests the air interface. To reduce the impact of large numbers of low-rate multicast frames on the wireless network, configure multicast suppression. Before configuring it, confirm whether multicast services exist; if they do, set the rate limit with care.
- When direct forwarding is used for service data, configure multicast suppression on the switch interfaces directly connected to the APs.
- When tunnel forwarding is used for service data, configure multicast suppression in the traffic profile on the AC.
- For the configuration method, see: How do I configure multicast suppression to reduce the impact of large numbers of low-rate multicast frames on the wireless network?
- Configure port isolation on the device interfaces directly connected to APs. Without it, especially in direct forwarding mode, large numbers of unnecessary broadcast frames can build up inside the VLAN, congesting the network and degrading the user experience.
- In tunnel forwarding mode, the management VLAN and the service VLAN cannot be the same VLAN, and only the management VLAN, not the service VLAN, may be permitted between the AP and the AC.
- Starting with V200R021C00, when the CAPWAP source interface or source address is configured, the device checks that the security-related configuration already exists: the PSK for DTLS encryption, the PSK for inter-AC DTLS encryption, the user name and password for logging in to the AP, and the login password of the global offline-management VAP. The command succeeds only if all of these exist; otherwise the device prompts you to complete them first.
- Starting with V200R021C00, DTLS encryption of the CAPWAP control tunnel is enabled on the AC by default. With it enabled, newly added APs fail to go online. First enable the CAPWAP DTLS non-authentication mode (capwap dtls no-auth enable) so that the APs can go online and obtain their security credentials, then disable it promptly (undo capwap dtls no-auth enable) once the APs are online, so that unauthorized APs cannot go online.
Procedure
- Configure connectivity between the network devices
# On switches S5700-1 and S5700-2, add interfaces GE0/0/1 to GE0/0/4 to VLAN 100 (the management VLAN). On S5700-1 also add GE0/0/1 to GE0/0/4 to VLAN 201 (the VLAN carrying wired service traffic), and on S5700-2 add GE0/0/1 to GE0/0/4 to VLAN 202 (the VLAN carrying wired service traffic). The interfaces directly connected to APs need a PVID, and port isolation is recommended on them to reduce broadcast traffic. S5700-1 is used as the example; the configuration of S5700-2 is similar (see the configuration files).
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Interfaces directly connected to APs need a PVID
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast traffic
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit
# On the AC, add interface GE1/0/1 (to access switch S5700-1) to VLAN 100 and VLAN 201, interface GE1/0/2 (to access switch S5700-2) to VLAN 100 and VLAN 202, interface GE1/0/4 (to the upstream network) to VLAN 300, and interface GE1/0/3 (to Agile Controller) to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit
# Configure VLANIF 200 for communication between the AC and Agile Controller.
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24 //IP address used for communication between the AC and Agile Controller
[AC-Vlanif200] quit
- Configure the AC as the DHCP server to allocate IP addresses to the PCs, APs and STAs
Configure the DNS server address as required. The common methods are:
- Interface address pool: run dhcp server dns-list ip-address &<1-8> in the VLANIF interface view.
- Global address pool: run dns-list ip-address &<1-8> in the IP address pool view.
# Configure the AC to allocate IP addresses to the PCs, APs and STAs from interface address pools.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Interface address pool that allocates IP addresses to the APs
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Interface address pool that allocates IP addresses to first-floor wireless users (STAs)
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Interface address pool that allocates IP addresses to second-floor wireless users (STAs)
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Interface address pool that allocates IP addresses to first-floor wired users (PCs)
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Interface address pool that allocates IP addresses to second-floor wired users (PCs)
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit
- Configure the RADIUS server authentication, accounting and authorization templates and Portal authentication
# Configure the RADIUS server authentication, accounting and authorization templates on the AC.
[AC] radius-server template radius1 //Create a RADIUS server template named radius1
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS authentication server with authentication port 1812; the AC uses 10.23.200.2 to communicate with the RADIUS server
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS accounting server so that the login and logout information of end users can be obtained; accounting port 1813; the AC uses 10.23.200.2 to communicate with the RADIUS server
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the pre-shared key of the RADIUS server
[AC-radius-radius1] undo radius-server user-name domain-included //User names sent by the device to the RADIUS server do not carry the domain name; required when the RADIUS server does not accept user names that include a domain
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123 //Configure the address of the RADIUS authorization server with shared key Admin@123, which must match the authentication and accounting keys. The authorization server is configured so that the RADIUS server can deliver authorization rules to the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create an authentication scheme named radius1
[AC-aaa-authen-radius1] authentication-mode radius //Agile Controller acts as the RADIUS server, so the authentication scheme must be set to RADIUS
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create an accounting scheme named radius1
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. The accounting mode must be radius so that the RADIUS server can maintain account state information, such as login/logout events and forced logout
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create a domain named portal1
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1
[AC-aaa-domain-portal1] quit
[AC-aaa] quit
# Configure the Portal server.
[AC] web-auth-server portal1 //Create a Portal server template named portal1
[AC-web-auth-server-portal1] server-ip 10.23.200.1 //Configure the IP address of the Portal server
[AC-web-auth-server-portal1] port 50100 //Set the destination port the device uses when it actively sends packets to the Portal server to 50100 (the default is 50100)
[AC-web-auth-server-portal1] shared-key cipher Admin@123 //Configure the shared key for the exchange between the AC and the Portal server
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal //Configure the URL pointing to the Portal server
[AC-web-auth-server-portal1] quit
# Enable Portal authentication: wireless users are Portal-authenticated, wired users are admitted without authentication.
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the Portal server template portal1 and set the Portal authentication mode to Layer 2 authentication
[AC-portal-acces-profile-portal1] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Set the forcible user domain to portal1
[AC-authen-profile-portal1] quit
- Configure the APs to go online
# Create AP groups, so that APs sharing the same configuration can be added to one group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC's country code in it, and reference the profile from the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the country code of the AC so that the radio characteristics of the APs it manages comply with the laws and regulations of the country or region; the default is CN
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Configure the source interface of the AC.
[AC] capwap source interface vlanif 100
# Import the APs offline on the AC.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 101 ap-mac 60de-4476-e320
[AC-wlan-ap-101] ap-name ap-101
[AC-wlan-ap-101] ap-group ap-group1 //All APs deployed on the first floor are added to AP group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 60de-4476-e340
[AC-wlan-ap-102] ap-name ap-102
[AC-wlan-ap-102] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac dcd2-fc04-b520
[AC-wlan-ap-103] ap-name ap-103
[AC-wlan-ap-103] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201 ap-mac 60de-4476-e360
[AC-wlan-ap-201] ap-name ap-201
[AC-wlan-ap-201] ap-group ap-group2 //All APs deployed on the second floor are added to AP group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203 ap-mac dcd2-fc04-b540
[AC-wlan-ap-203] ap-name ap-203
[AC-wlan-ap-203] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-203] quit
# After the APs are powered on, run display ap all; when the State field of an AP shows nor, the AP has gone online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [6]
-------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------------------
101 60de-4476-e320 ap-101 ap-group1 10.23.101.254 AP2030DN nor 0 10S
102 60de-4476-e340 ap-102 ap-group1 10.23.101.253 AP2030DN nor 0 15S
103 dcd2-fc04-b520 ap-103 ap-group1 10.23.101.252 AP5030DN nor 0 23S
201 60de-4476-e360 ap-201 ap-group2 10.23.102.251 AP2030DN nor 0 45S
202 60de-4476-e380 ap-202 ap-group2 10.23.102.250 AP2030DN nor 0 49S
203 dcd2-fc04-b540 ap-203 ap-group2 10.23.102.249 AP5030DN nor 0 55S
-------------------------------------------------------------------------------------------------
Total: 6
# Configure the AP2030DN uplink wired port GE0/0/0 and the downlink ports Eth0/0/0 and Eth0/0/1 to allow wired service frames through.
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201 //AP2030DN downlink ports connect wired terminals such as PCs and need a PVID; VLAN 201 carries the first-floor wired service traffic
[AC-wlan-wired-port-wired1] vlan untagged 201 //AP2030DN downlink ports connect wired terminals such as PCs and must be configured as untagged
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201 //The AP2030DN uplink port connects to the upstream network device and must be configured as tagged
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202 //AP2030DN downlink ports connect wired terminals such as PCs and need a PVID; VLAN 202 carries the second-floor wired service traffic
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-201] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-202] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-202] quit
- Configure WLAN service parameters
# Create a security profile named wlan-security and configure the security policy.
[AC-wlan-view] security-profile name wlan-security //Portal authentication is already enabled on the interface, so the security policy keeps the default OPEN mode: no authentication, no encryption
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit
# Create an SSID profile named wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID name to hospital-wlan
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create a traffic profile named traffic1 and configure Layer 2 isolation of wireless users.
[AC-wlan-view] traffic-profile name traffic1
[AC-wlan-traffic-prof-traffic1] user-isolate l2
Warning: Enabling user isolation may interrupt services. Are you sure you want to continue? [Y/N]:y
# Create VAP profiles named wlan-vap1 and wlan-vap2, configure the service data forwarding mode and service VLAN, and reference the security profile, SSID profile, authentication profile and traffic profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //The default VLAN ID is 1; change it to 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102 //The default VLAN ID is 1; change it to 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit
# Bind the VAP profiles to the AP groups.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit
- Configure the channels and power of the AP radios
# Disable automatic channel and power calibration.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 0
[AC-wlan-group-radio-ap-group2/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group2/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group2/0] quit
[AC-wlan-ap-group-ap-group2] radio 1
[AC-wlan-group-radio-ap-group2/1] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group2/1] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group2/1] quit
[AC-wlan-ap-group-ap-group2] quit
# Configure the channels and power of the AP radios.
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] radio 0
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel according to the WLAN Planner planning result
[AC-wlan-radio-101/0] eirp 10 //Configure the power according to the WLAN Planner planning result
[AC-wlan-radio-101/0] quit
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] radio 0
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] eirp 10
[AC-wlan-radio-102/0] quit
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 0
[AC-wlan-radio-103/0] channel 20mhz 11
[AC-wlan-radio-103/0] eirp 10
[AC-wlan-radio-103/0] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 1 //The AP5030DN has two radios; this step configures radio 1
[AC-wlan-radio-103/1] channel 20mhz 153
[AC-wlan-radio-103/1] eirp 10
[AC-wlan-radio-103/1] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] radio 0
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] eirp 10
[AC-wlan-radio-201/0] quit
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] radio 0
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] eirp 10
[AC-wlan-radio-202/0] quit
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 0
[AC-wlan-radio-203/0] channel 20mhz 11
[AC-wlan-radio-203/0] eirp 10
[AC-wlan-radio-203/0] quit
[AC-wlan-ap-203] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 1
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] eirp 10
[AC-wlan-radio-203/1] quit
[AC-wlan-ap-203] quit
- Verify the configuration
# After the configuration is complete, run display vap all to check that the VAPs have been created.
[AC-wlan-view] display vap all
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
----------------------------------------------------------------------------------
101 ap-101 0 1 60DE-4476-E320 ON OPEN 0 hospital-wlan
102 ap-102 0 1 60DE-4476-E340 ON OPEN 0 hospital-wlan
103 ap-103 0 1 DCD2-FC04-B520 ON OPEN 0 hospital-wlan
103 ap-103 1 1 DCD2-FC04-B530 ON OPEN 0 hospital-wlan
201 ap-201 0 1 60DE-4476-E360 ON OPEN 0 hospital-wlan
202 ap-202 0 1 60DE-4476-E380 ON OPEN 0 hospital-wlan
203 ap-203 0 1 DCD2-FC04-B540 ON OPEN 0 hospital-wlan
203 ap-203 1 1 DCD2-FC04-B550 ON OPEN 0 hospital-wlan
---------------------------------------------------------------------------------
Total: 8
# After a STA discovers the wireless network hospital-wlan and associates with it normally, it is allocated an IP address, and the user can access the wireless network after entering the password. Run display station all on the AC to check that the user has connected to the wireless network hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
14cf-9208-9abf 0 ap-101 0/1 2.4G 11n 3/8 -70 10 10.23.101.254 hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# The wireless users (STAs) and wired users (PCs) obtain IP addresses and connect to the network normally.
Configuration Files
- Configuration file of S5700-1, the switch connecting wired users
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
return
- Configuration file of S5700-2, the switch connecting wireless users
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
return
- Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1
access-domain portal1 force
#
dhcp enable
#
radius-server template radius1
radius-server shared-key cipher %^%#ZGx{:~QFtUUhhG!`ba-PTj=H1p_J<1/%ZAXuB5)0%^%#
radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %^%#w]=@OYp:T9"u@{I2RD4U5QJi2{u]$M{]DND|;=s"%^%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50100
shared-key cipher %^%#yJ0=%9W@FVMN/=HIR9EN@1abUN6>a(Bn@MHR7Bl4%^%#
url http://10.23.200.1:8080/portal
#
portal-access-profile name portal1
web-auth-server portal1 direct
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid hospital-wlan
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
vap-profile name wlan-vap2
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
regulatory-domain-profile name domain1
wired-port-profile name wired1
vlan pvid 201
vlan untagged 201
wired-port-profile name wired2
vlan tagged 201
wired-port-profile name wired3
vlan pvid 202
vlan untagged 202
wired-port-profile name wired4
vlan tagged 202
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap1 wlan 1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
vap-profile wlan-vap1 wlan 1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap2 wlan 1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
vap-profile wlan-vap2 wlan 1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 101 type-id 46 ap-mac 60de-4476-e320 ap-sn 210235419610CB002378
ap-name ap-101
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 102 type-id 46 ap-mac 60de-4476-e340 ap-sn 210235419610CB002204
ap-name ap-102
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 103 type-id 35 ap-mac dcd2-fc04-b520 ap-sn 210235419610CB002561
ap-name ap-103
ap-group ap-group1
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 201 type-id 46 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 202 type-id 46 ap-mac 60de-4476-e380 ap-sn 210235419610CB002984
ap-name ap-202
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 203 type-id 35 ap-mac dcd2-fc04-b540 ap-sn 210235419610CB002632
ap-name ap-203
ap-group ap-group2
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 157
eirp 10
#
return
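As an added audit example (not part of this Huawei example or its tooling), the following Python script reads an AC configuration file in the format shown above and checks two of the items under "Configuration Notes": a tunnel-mode VAP must not use the management VLAN as its service VLAN, and capwap dtls no-auth enable must not be left in the configuration once the APs are online. The configuration excerpt it reads is constructed for the example; the direct-forward keyword in it is assumed from the AC's forward-mode options and does not appear on this page.

```python
"""Audit an AC configuration file (the plain-text format under
"Configuration Files") against two caveats from "Configuration Notes":
a tunnel-mode VAP must not use the management VLAN as its service VLAN,
and "capwap dtls no-auth enable" must not be left in place once APs are
online. Added example script, not Huawei tooling."""
import re

# Constructed excerpt in the style of the AC configuration file on this page,
# seeded with two findings: wlan-vap2 tunnels user traffic on management VLAN
# 100, and the onboarding-only no-auth switch was never removed. wlan-vap3
# shares VLAN 100 in direct forwarding (keyword assumed), which the
# tunnel-mode rule does not cover.
SAMPLE_CONFIG = """\
#
capwap source interface vlanif100
#
capwap dtls no-auth enable
#
wlan
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name wlan-vap2
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name wlan-vap3
  forward-mode direct-forward
  service-vlan vlan-id 100
 ap-group name ap-group1
  vap-profile wlan-vap1 wlan 1
#
return
"""


def parse_ac_config(text):
    """Extract the management VLAN, the DTLS no-auth flag and each VAP
    profile's forwarding mode and service VLAN. Indentation is ignored, so
    the flattened copy on this page parses like a real running config."""
    cfg = {"mgmt_vlan": None, "dtls_no_auth": False, "vaps": []}
    current = None  # VAP profile whose sub-commands are being read
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line)
        if m:
            cfg["mgmt_vlan"] = int(m.group(1))
            continue
        if line == "capwap dtls no-auth enable":
            cfg["dtls_no_auth"] = True
            continue
        m = re.fullmatch(r"vap-profile name (\S+)", line)
        if m:
            current = {"name": m.group(1), "forward_mode": None, "service_vlan": None}
            cfg["vaps"].append(current)
            continue
        # Any other "<block> name X" or "ap-id N" line opens a different block,
        # so later sub-commands no longer belong to the last VAP profile.
        if re.fullmatch(r"\S+ name \S+|ap-id \d+.*", line):
            current = None
        if current is None:
            continue
        m = re.fullmatch(r"forward-mode (\S+)", line)
        if m:
            current["forward_mode"] = m.group(1)
        m = re.fullmatch(r"service-vlan vlan-id (\d+)", line)
        if m:
            current["service_vlan"] = int(m.group(1))
    return cfg


def audit(text):
    """Return one finding per violated note; an empty list means clean."""
    cfg = parse_ac_config(text)
    findings = []
    if cfg["dtls_no_auth"]:
        findings.append("capwap dtls no-auth enable is still configured: remove it "
                        "with 'undo capwap dtls no-auth enable' once the APs are online")
    for vap in cfg["vaps"]:
        if vap["forward_mode"] == "tunnel" and vap["service_vlan"] == cfg["mgmt_vlan"]:
            findings.append(f"vap-profile {vap['name']}: tunnel forwarding with service "
                            f"VLAN {vap['service_vlan']} equal to the management VLAN")
    return findings
```

audit(SAMPLE_CONFIG) returns two findings; run against the AC configuration file above (management VLAN 100, tunnel VAPs on VLANs 101 and 102, no no-auth line) it returns an empty list.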