AC bypass (off-path) networking with Layer 3 connectivity and direct data forwarding

I. WLAN networking requirements

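        The project uses a wireless AC+AP design. APs connect directly to the PoE access-layer switch over Cat 6A cable, and the wireless controller connects to the Layer 3 aggregation switch. User data is forwarded directly by the switches, so the WLC carries little load, and the design is efficient, reliable, and easy to maintain and extend. The controller can make the APs broadcast multiple SSIDs. Different SSIDs are assigned to different departments or groups of users, and permissions are set per SSID so that company resources stay protected. The internal network is interconnected.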

II. Network plan

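Item                          Data
DHCP server                   The aggregation switch acts as the DHCP server and assigns IP addresses to APs, wireless stations and wired clients
AP IP address pool            10.1.100.50-10.1.100.254/24
STA address pools             VLAN101 (BroadXT): 10.1.101.50-10.1.101.254/24
                              VLAN102 (BroadXT_5G): 10.1.102.50-10.1.102.254/24
                              VLAN103 (BroadXT_Guest): 10.1.103.50-10.1.103.254/24
AC source interface address   10.1.103.5/24
Wired client IP address pool  VLAN104: 10.1.104.0/24
AP group                      Name: bxzl
                              Referenced profiles: VAP profile, regulatory domain profile
Regulatory domain profile     Name: broadxt; country code: CN
SSID profiles                 SSID name: BroadXT
                              SSID name: BroadXT_5G
                              SSID name: BroadXT_Guest
Security profiles             Security profile name: BroadXT
                              Security profile name: BroadXT_5G
                              Security profile name: BroadXT_Guest, no encryption
VAP profiles                  Name: BroadXT
                              Referenced profiles: security profile BroadXT, SSID profile BroadXT
                              Forwarding mode: direct forwarding
                              Service VLAN: 101
                              Name: BroadXT_5G
                              Referenced profiles: security profile BroadXT_5G, SSID profile BroadXT_5G
                              Forwarding mode: direct forwarding
                              Service VLAN: 102
                              Name: BroadXT_Guest
                              Referenced profiles: security profile BroadXT_Guest, SSID profile BroadXT_Guest
                              Forwarding mode: direct forwarding
                              Service VLAN: 103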
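II. Lab topology diagram
III. Configuration procedure
1. Configure basic network connectivity
(1) PoE switch configuration
1.1  First, batch-create VLANs 100, 101, 102 and 103 on the PoE switch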
<Huawei>
<Huawei>system-view 
[Huawei]sysname POE
[POE]vlan batch 100 to 104
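1.2  Add the relevant interfaces to the corresponding VLANs
        In direct forwarding mode, configure the switch ports that connect to the APs as trunks, set the PVID to VLAN 100, and allow frames of VLAN 100, VLAN 101 and VLAN 102 to pass.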
[POE]
[POE]interface g0/0/2
[POE-GigabitEthernet0/0/2]port link-type trunk 
[POE-GigabitEthernet0/0/2]port trunk pvid vlan 100
[POE-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 to 104
[POE-GigabitEthernet0/0/2]q	
[POE]interface g0/0/3	
[POE-GigabitEthernet0/0/3]port link-type trunk 
[POE-GigabitEthernet0/0/3]port trunk pvid vlan  100	
[POE-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 to 104
[POE-GigabitEthernet0/0/3]q	
[POE]interface g0/0/4
[POE-GigabitEthernet0/0/4]port link-type trunk 
[POE-GigabitEthernet0/0/4]port trunk pvid vlan 100
[POE-GigabitEthernet0/0/4]port trunk allow-pass vlan 100 to 104
[POE-GigabitEthernet0/0/4]quit
[POE]interface g0/0/5
[POE-GigabitEthernet0/0/5]port link-type  trunk 
[POE-GigabitEthernet0/0/5]port trunk pvid  vlan 100	
[POE-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 to 104
[POE-GigabitEthernet0/0/5]quit
[POE]
1.3  Configure the port that connects to the aggregation switch as a trunk and allow all VLANs to pass.
[POE]
[POE]interface g0/0/01
[POE-GigabitEthernet0/0/1]port link-type trunk 
[POE-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 to 4094
[POE-GigabitEthernet0/0/1]quit
[POE]
(2) Aggregation switch configuration
2.1  First, batch-create VLANs 100, 101, 102 and 103 on the aggregation switch
<Huawei>system-view 
[Huawei]sysname Converge1
[Converge1]vlan batch 100 to 104
[Converge1]
2.2  Configure the port that connects to the access switch and the port that connects to the AC as trunk links and allow all VLANs to pass
[Converge1]
[Converge1]interface g0/0/1
[Converge1-GigabitEthernet0/0/1]port link-type trunk 
[Converge1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[Converge1-GigabitEthernet0/0/1]quit	
[Converge1]interface g0/0/2	
[Converge1-GigabitEthernet0/0/2]port link-type trunk 	
[Converge1-GigabitEthernet0/0/2]port trunk allow-pass vlan all 
[Converge1-GigabitEthernet0/0/2]
[Converge1-GigabitEthernet0/0/2]quit
2.3  Configure the port that connects to the wired client as an access port and add it to VLAN 104.
[Converge1]interface g0/0/3	
[Converge1-GigabitEthernet0/0/3]port link-type  access 
[Converge1-GigabitEthernet0/0/3]port default vlan 104
[Converge1-GigabitEthernet0/0/3]quit
[Converge1]
(3) AC configuration
3.1  First, batch-create the VLANs on the AC
<AC6605>system-view 
[AC6605]sysname AC
[AC]vlan batch 100 to 104
3.2  Configure the AC port that connects to the aggregation switch as a trunk and allow all VLANs to pass
[AC]interface g0/0/01
[AC-GigabitEthernet0/0/1]port link-type trunk 
[AC-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 to 4094
[AC-GigabitEthernet0/0/1]quit
[AC]
3.3  Set the IP address of VLAN 100 on the AC to 10.1.100.5
[AC]interface Vlanif 100
[AC-Vlanif100]ip address 10.1.100.5 255.255.255.0
[AC-Vlanif100]quit
[AC]
3.4  Configure a default route on the AC that points to the gateway
[AC]ip route-static 0.0.0.0 0.0.0.0 10.1.100.1
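An added check for the trunk settings in this section (example code, not part of the original post): it parses port trunk allow-pass vlan lines in the form captured above and reports, per port, which planned VLANs (100 to 104) are missing and how many unplanned VLANs the trunk carries. The GigabitEthernet0/0/9 line is a constructed sample, not a port in this lab.

```python
import re

# Planned VLANs from the network plan on this page: 100 (AP management),
# 101-103 (wireless service VLANs), 104 (wired clients).
PLANNED = set(range(100, 105))

# Constructed sample: trunk lines in the form used in the sessions above.
SAMPLE = """\
[POE]interface g0/0/2
[POE-GigabitEthernet0/0/2]port link-type trunk
[POE-GigabitEthernet0/0/2]port trunk pvid vlan 100
[POE-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 to 104
[POE]interface g0/0/1
[POE-GigabitEthernet0/0/1]port link-type trunk
[POE-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 to 4094
[Converge1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[POE-GigabitEthernet0/0/9]port trunk allow-pass vlan 100 101
"""

LINE = re.compile(r"^\[(?P<ctx>[^\]]+)\]port trunk allow-pass vlan (?P<spec>.+)$")

def expand(spec):
    """Expand 'all', '100 to 104' or '100 101 103' into a set of VLAN IDs."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def audit(text, planned=PLANNED):
    """Return {prompt context: (missing planned VLANs, count of unplanned VLANs)}."""
    report = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            allowed = expand(m.group("spec"))
            report[m.group("ctx")] = (sorted(planned - allowed), len(allowed - planned))
    return report

if __name__ == "__main__":
    for ctx, (missing, extra) in audit(SAMPLE).items():
        print(f"{ctx}: missing={missing} unplanned_vlans_allowed={extra}")
```

A port with missing planned VLANs breaks direct forwarding for those SSIDs; a large unplanned count marks a trunk that carries more than the design needs.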
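2. Configure the aggregation switch as the DHCP server that assigns IP addresses to APs, wireless stations and wired clients
(1) Make the aggregation switch the gateway for each VLAN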
[Converge1]
[Converge1]interface Vlanif 100
[Converge1-Vlanif100]ip address 10.1.100.1 255.255.255.0
[Converge1-Vlanif100]quit	
[Converge1]interface Vlanif 101
[Converge1-Vlanif101]ip address 10.1.101.1 255.255.255.0
[Converge1-Vlanif101]quit
[Converge1]interface Vlanif 102	
[Converge1-Vlanif102]ip address 10.1.102.1 255.255.255.0
[Converge1-Vlanif102]quit
[Converge1]interface Vlanif 103 
[Converge1-Vlanif103]ip address 10.1.103.1 24
[Converge1-Vlanif103]quit	
[Converge1]interface Vlanif 104 
[Converge1-Vlanif104]ip address 10.1.104.1 24
[Converge1-Vlanif104]quit
(2) Make the aggregation switch a DHCP server
2.1  Enable DHCP
[Converge1]dhcp enable
2.2  Configure the DHCP address pools
[Converge1]ip pool ap	
[Converge1-ip-pool-ap]gateway-list 10.1.100.1
[Converge1-ip-pool-ap]network 10.1.100.0 mask 255.255.255.0
[Converge1-ip-pool-ap]excluded-ip-address 10.1.100.2 10.1.100.50
[Converge1-ip-pool-ap]dns-list 221.12.1.227 221.12.33.227
[Converge1-ip-pool-ap]quit
[Converge1]
[Converge1]ip pool BroadXT
[Converge1-ip-pool-broadxt]gateway-list 10.1.101.1 
[Converge1-ip-pool-broadxt]network 10.1.101.0 mask 255.255.255.0
[Converge1-ip-pool-broadxt]excluded-ip-address 10.1.101.2 10.1.101.50
[Converge1-ip-pool-broadxt]dns-list 221.12.1.227 221.12.33.227
[Converge1-ip-pool-broadxt]quit
[Converge1]

[Converge1]ip pool BroadXT_5G
[Converge1-ip-pool-broadxt_5g]gateway-list 10.1.102.1 
[Converge1-ip-pool-broadxt_5g]network 10.1.102.0 mask 255.255.255.0
[Converge1-ip-pool-broadxt_5g]excluded-ip-address 10.1.102.2 10.1.102.50
[Converge1-ip-pool-broadxt_5g]dns-list 114.114.114.114
[Converge1-ip-pool-broadxt_5g]quit
[Converge1]
[Converge1]
[Converge1]ip pool BroadXT_Guest
[Converge1-ip-pool-broadxt_guest]gateway-list 10.1.103.1 
[Converge1-ip-pool-broadxt_guest]network 10.1.103.0 mask 255.255.255.0
[Converge1-ip-pool-broadxt_guest]excluded-ip-address 10.1.103.2 10.1.103.50
[Converge1-ip-pool-broadxt_guest]dns-list 114.114.114.114
[Converge1-ip-pool-broadxt_guest]quit
[Converge1]
[Converge1]ip pool PC_Client
[Converge1-ip-pool-pc_client]gateway-list 10.1.104.1 
[Converge1-ip-pool-pc_client]network 10.1.104.0 mask 255.255.255.0
[Converge1-ip-pool-pc_client]excluded-ip-address 10.1.104.2 10.1.104.50
[Converge1-ip-pool-pc_client]dns-list 114.114.114.114
[Converge1-ip-pool-pc_client]quit
[Converge1]
(3) Apply the global DHCP address pools on the aggregation switch's VLAN interfaces
[Converge1]
[Converge1]interface Vlanif 100
[Converge1-Vlanif100]dhcp select global 
[Converge1-Vlanif100]q

[Converge1]interface Vlanif 101
[Converge1-Vlanif101]dhcp select global
[Converge1-Vlanif101]quit

[Converge1]interface Vlanif 102
[Converge1-Vlanif102]dhcp select global
[Converge1-Vlanif102]q	

[Converge1]interface Vlanif 103
[Converge1-Vlanif103]dhcp select global
[Converge1-Vlanif103]q

[Converge1]interface Vlanif 104
[Converge1-Vlanif104]dhcp select global
[Converge1-Vlanif104]q
[Converge1]
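An added check for the address pools configured above (example code, not part of the original post): it computes the range each pool can actually lease from its network, gateway-list and excluded-ip-address values and compares it with the range in the planning table. It assumes the gateway address is never leased.

```python
import ipaddress

# Planned dynamic ranges, copied from the planning table on this page.
PLAN = {
    "ap": ("10.1.100.50", "10.1.100.254"),
    "BroadXT": ("10.1.101.50", "10.1.101.254"),
    "BroadXT_5G": ("10.1.102.50", "10.1.102.254"),
    "BroadXT_Guest": ("10.1.103.50", "10.1.103.254"),
}

# Pools as configured above: (network, gateway-list, excluded-ip-address range).
POOLS = {
    "ap": ("10.1.100.0/24", "10.1.100.1", ("10.1.100.2", "10.1.100.50")),
    "BroadXT": ("10.1.101.0/24", "10.1.101.1", ("10.1.101.2", "10.1.101.50")),
    "BroadXT_5G": ("10.1.102.0/24", "10.1.102.1", ("10.1.102.2", "10.1.102.50")),
    "BroadXT_Guest": ("10.1.103.0/24", "10.1.103.1", ("10.1.103.2", "10.1.103.50")),
}

def leasable(network, gateway, excluded):
    """Usable hosts minus the gateway (assumed never leased) and the excluded range."""
    lo, hi = (ipaddress.ip_address(a) for a in excluded)
    gw = ipaddress.ip_address(gateway)
    return [h for h in ipaddress.ip_network(network).hosts()
            if h != gw and not lo <= h <= hi]

def compare(name):
    """Compare the first/last leasable address of a pool with the planned range."""
    hosts = leasable(*POOLS[name])
    actual = (str(hosts[0]), str(hosts[-1]))
    return {"planned": PLAN[name], "actual": actual,
            "count": len(hosts), "matches": actual == PLAN[name]}

def excluded_for_plan(name):
    """Excluded range that would make the pool start exactly at the planned address."""
    start = ipaddress.ip_address(PLAN[name][0])
    return (POOLS[name][2][0], str(start - 1))

if __name__ == "__main__":
    for pool in POOLS:
        print(pool, compare(pool), "exclude instead:", excluded_for_plan(pool))
```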
(4) Check that the APs and wired clients obtain IP addresses
3. Bring the APs online
(1) Create the AP group
[AC]wlan 
[AC-wlan-view]ap-group name bxzl
[AC-wlan-ap-group-bxzl]quit
[AC-wlan-view]
(2) Configure the APs to come online
2.1 Configure which source interface IP the AC uses to communicate with the APs
[AC]capwap source interface Vlanif 100
2.2 Create a regulatory domain profile and configure the AC's country code
[AC]wlan 
[AC-wlan-view]regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1]country-code CN
[AC-wlan-regulate-domain-domain1]quit
[AC-wlan-view]
2.3 Bind the regulatory domain profile to the AP group
[AC]wlan 
[AC-wlan-view]ap-group name bxzl
[AC-wlan-ap-group-bxzl]regulatory-domain-profile domain1
[AC-wlan-ap-group-bxzl]quit
[AC-wlan-view]
2.4 Look up the APs' MAC addresses
<Huawei>display mac-address
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type      
-------------------------------------------------------------------------------
00e0-fccb-1ad0    1/-                     GE0/0/0                    dynamic   
4c1f-cc51-5ab6    1/-                     GE0/0/0                    dynamic   

-------------------------------------------------------------------------------
Total items displayed = 2 

<Huawei>
    
<Huawei>display mac-address
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type      
-------------------------------------------------------------------------------
00e0-fc6f-2e30    1/-                     GE0/0/0                    dynamic   
4c1f-cc51-5ab6    1/-                     GE0/0/0                    dynamic   

-------------------------------------------------------------------------------
Total items displayed = 2 

<Huawei>
2.5 Configure the AP authentication mode
[AC]wlan
[AC-wlan-view]ap auth-mode mac-auth 
[AC-wlan-view]ap-mac 00e0-fccb-1ad0 ap-id 0
[AC-wlan-ap-0]ap-name bxzl-1
[AC-wlan-ap-0]ap-group bxzl
[AC-wlan-ap-0]quit
[AC-wlan-view]ap-mac 00e0-fc6f-2e30 ap-id 1
[AC-wlan-ap-1]ap-name bxzl-2
[AC-wlan-ap-1]ap-group bxzl
[AC-wlan-ap-1]quit
[AC-wlan-view]
2.6 Check the AP online status on the AC
[AC]display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [2]
--------------------------------------------------------------------------------
---------
ID   MAC            Name   Group IP           Type            State STA Uptime
--------------------------------------------------------------------------------
---------
0    00e0-fccb-1ad0 bxzl-1 bxzl  10.1.100.253 AP6050DN        nor   0   21S
1    00e0-fc6f-2e30 bxzl-2 bxzl  10.1.100.254 AP6050DN        nor   0   1M:8S
--------------------------------------------------------------------------------

Total: 2
[AC]
A State of nor stands for normal and means the AP has come online successfully.

4. Deliver the WLAN service configuration
(1) Create the security profiles
[AC]wlan 
[AC-wlan-view]security-profile name BroadXT
[AC-wlan-sec-prof-BroadXT]quit
[AC-wlan-view]security-profile name BroadXT_5G
[AC-wlan-sec-prof-BroadXT_5G]quit
[AC-wlan-view]security-profile name BroadXT_Guest
[AC-wlan-sec-prof-BroadXT_Guest]quit
[AC-wlan-view]
(2) Create the SSID profiles
[AC-wlan-view]ssid-profile name BroadXT
[AC-wlan-ssid-prof-BroadXT]ssid BroadXT
[AC-wlan-ssid-prof-BroadXT]quit
[AC-wlan-view]ssid-profile name BroadXT_5G
[AC-wlan-ssid-prof-BroadXT_5G]ssid BroadXT_5G
[AC-wlan-ssid-prof-BroadXT_5G]quit
[AC-wlan-view]ssid-profile name BroadXT_Guest
[AC-wlan-ssid-prof-BroadXT_Guest]ssid BroadXT_Guest
[AC-wlan-ssid-prof-BroadXT_Guest]quit
[AC-wlan-view]
(3) Create the VAP profiles, reference the security and SSID profiles, and bind the VLAN information
[AC-wlan-view]vap-profile name BroadXT
[AC-wlan-vap-prof-BroadXT]forward-mode direct-forward 
[AC-wlan-vap-prof-BroadXT]service-vlan vlan-id 101
[AC-wlan-vap-prof-BroadXT]security-profile BroadXT	
[AC-wlan-vap-prof-BroadXT]ssid-profile BroadXT
[AC-wlan-vap-prof-BroadXT]quit
[AC-wlan-view]
[AC-wlan-view]vap-profile name BroadXT_5G
[AC-wlan-vap-prof-BroadXT_5G]forward-mode direct-forward 
[AC-wlan-vap-prof-BroadXT_5G]service-vlan vlan-id 102
[AC-wlan-vap-prof-BroadXT_5G]security-profile BroadXT_5G
[AC-wlan-vap-prof-BroadXT_5G]ssid-profile BroadXT_5G
[AC-wlan-vap-prof-BroadXT_5G]quit
[AC-wlan-view]
[AC-wlan-view]vap-profile name BroadXT_Guest
[AC-wlan-vap-prof-BroadXT_Guest]forward-mode direct-forward 
[AC-wlan-vap-prof-BroadXT_Guest]service-vlan vlan-id 103
[AC-wlan-vap-prof-BroadXT_Guest]security-profile BroadXT_Guest
[AC-wlan-vap-prof-BroadXT_Guest]ssid-profile BroadXT_Guest
[AC-wlan-vap-prof-BroadXT_Guest]quit

[AC-wlan-view]
[AC-wlan-view]
(4) Bind the VAP profiles to the AP group
[AC-wlan-view]ap-group name bxzl
[AC-wlan-ap-group-bxzl]vap-profile BroadXT wlan 1 radio all
[AC-wlan-ap-group-bxzl]vap-profile BroadXT_5G wlan 2 radio all
[AC-wlan-ap-group-bxzl]vap-profile BroadXT_Guest wlan 3 radio all
[AC-wlan-ap-group-bxzl]quit
[AC-wlan-view]
(5) Check the service delivery status
[AC]display vap ssid BroadXT
Info: This operation may take a few seconds, please wait.
WID : WLAN ID            
-------------------------------------------------------------------------------
AP ID AP name RfID WID  BSSID          Status  Auth type  STA   SSID         
-------------------------------------------------------------------------------
0     bxzl-1  0    1    00E0-FCCB-1AD0 ON      Open       0     BroadXT      
0     bxzl-1  1    1    00E0-FCCB-1AE0 ON      Open       0     BroadXT      
1     bxzl-2  0    1    00E0-FC6F-2E30 ON      Open       0     BroadXT      
1     bxzl-2  1    1    00E0-FC6F-2E40 ON      Open       0     BroadXT      
-------------------------------------------------------------------------------
Total: 4
[AC]display vap ssid BroadXT_5G
Info: This operation may take a few seconds, please wait.
WID : WLAN ID            
-------------------------------------------------------------------------------
AP ID AP name RfID WID  BSSID          Status  Auth type  STA   SSID         
-------------------------------------------------------------------------------
0     bxzl-1  0    2    00E0-FCCB-1AD1 ON      Open       0     BroadXT_5G   
0     bxzl-1  1    2    00E0-FCCB-1AE1 ON      Open       0     BroadXT_5G   
1     bxzl-2  0    2    00E0-FC6F-2E31 ON      Open       0     BroadXT_5G   
1     bxzl-2  1    2    00E0-FC6F-2E41 ON      Open       0     BroadXT_5G   
-------------------------------------------------------------------------------
Total: 4
[AC]display vap ssid BroadXT_Guest
Info: This operation may take a few seconds, please wait.
WID : WLAN ID            
-------------------------------------------------------------------------------
AP ID AP name RfID WID  BSSID          Status  Auth type  STA   SSID         
-------------------------------------------------------------------------------
0     bxzl-1  0    3    00E0-FCCB-1AD2 ON      Open       0     BroadXT_Guest
0     bxzl-1  1    3    00E0-FCCB-1AE2 ON      Open       0     BroadXT_Guest
1     bxzl-2  0    3    00E0-FC6F-2E32 ON      Open       0     BroadXT_Guest
1     bxzl-2  1    3    00E0-FC6F-2E42 ON      Open       0     BroadXT_Guest
-------------------------------------------------------------------------------
Total: 4
[AC]
When the "Status" field shows "ON", the VAP has been created successfully on the corresponding AP radio.
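An added audit of the display vap output shown above (example code, not part of the original post): it parses the table and lists broadcasting VAPs whose Auth type is Open on an SSID that the plan does not mark as unencrypted. The sample rows are constructed in the same column layout, and the WPA2-PSK value in the Auth type column is an assumed illustrative value.

```python
# Constructed sample in the `display vap` column layout shown above.
SAMPLE = """\
AP ID AP name RfID WID  BSSID          Status  Auth type  STA   SSID
-------------------------------------------------------------------------------
0     bxzl-1  0    1    00E0-FCCB-1AD0 ON      Open       0     BroadXT
0     bxzl-1  1    2    00E0-FCCB-1AE1 ON      WPA2-PSK   0     BroadXT_5G
1     bxzl-2  0    3    00E0-FC6F-2E32 ON      Open       0     BroadXT_Guest
1     bxzl-2  1    1    00E0-FC6F-2E40 OFF     Open       0     BroadXT
-------------------------------------------------------------------------------
Total: 4
"""

# Per the planning table, only the guest SSID is meant to be unencrypted.
ALLOWED_OPEN = frozenset({"BroadXT_Guest"})

def parse_vaps(text):
    """Turn data rows into dicts; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split(None, 8)          # SSID is last and may contain spaces
        if len(f) == 9 and f[0].isdigit() and f[2].isdigit():
            rows.append({"ap": f[1], "radio": int(f[2]), "wlan": int(f[3]),
                         "bssid": f[4], "status": f[5], "auth": f[6],
                         "sta": int(f[7]), "ssid": f[8].strip()})
    return rows

def unexpected_open(text, allowed_open=ALLOWED_OPEN):
    """(AP name, radio, SSID) for VAPs that are ON, Open, and not allowed to be."""
    return [(v["ap"], v["radio"], v["ssid"]) for v in parse_vaps(text)
            if v["status"] == "ON" and v["auth"].lower() == "open"
            and v["ssid"] not in allowed_open]

if __name__ == "__main__":
    for ap, radio, ssid in unexpected_open(SAMPLE):
        print(f"open VAP: ap={ap} radio={radio} ssid={ssid}")
```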
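5. Test the connection
Connect to the Wi-Fi from a client and check the IP address it obtains
6. Security: encryption and authentication
(1) Enable MAC address whitelist authentication
1.1  Create the whitelist profile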
[AC]wlan
[AC-wlan-view]sta-whitelist-profile name BroadXT
1.2  Add addresses to the whitelist
[AC-wlan-whitelist-prof-BroadXT]sta-mac 5489-9835-3B8E
[AC-wlan-whitelist-prof-BroadXT]quit
[AC-wlan-view]
1.3  Reference the whitelist in the VAP profile
[AC-wlan-view]vap-profile name BroadXT
[AC-wlan-vap-prof-BroadXT]sta-access-mode whitelist BroadXT
[AC-wlan-vap-prof-BroadXT]quit
[AC-wlan-view]
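1.4  Test the connection from a client and ping the wired client to check connectivity
STA1 connects successfully; other hosts cannot connect
(2) Require WPA2-PSK authentication (PSK passphrase a1234567) with AES encryption on the huawei2 SSID.
2.1  Enter the security profile and configure WPA2-PSK authentication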
[AC-wlan-view]security-profile name BroadXT_5G
[AC-wlan-sec-prof-BroadXT_5G]security wpa2 psk pass-phrase 1234567890 aes
[AC-wlan-sec-prof-BroadXT_5G]quit
[AC-wlan-view]
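2.2  Test the connection from a client and ping the wired client to check connectivity
(3) Require WPA2 802.1X authentication with AES encryption on the huawei3 SSID.
3.1  Enable the 802.1X authentication rule
3.2  Configure the RADIUS server template radius
3.3  Configure the authentication scheme
3.4  Configure the 802.1X access profile, named "d1"
3.5  Configure the authentication profile, named "p1", reference access profile "d1", and configure the authentication method and authentication server
3.6  Reference the security profile and the authentication profile in the VAP profile
3.7  Test the connection from a client and ping the wired client to check connectivity
7. WLAN roaming under the same AC
(1) Enable radio calibration so that the best channel and power are selected automatically for each AP
1.1  Configure automatic channel and transmit power selection for the APs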
[AC-wlan-view]rrm-profile name huawei-1
[AC-wlan-rrm-prof-huawei-1]undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-huawei-1]undo calibrate auto-txpower-select disable
1.2  Bind the RRM profile to the 2.4G and 5G radio profiles
[AC-wlan-view]radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g]rrm-profile huawei-1
[AC-wlan-view]radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g]rrm-profile huawei-1
(2) Configure the calibration channel sets in the regulatory domain profile
[AC-wlan-view]regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1]dca-channel 2.4g channel-set 1,6,11 // configure the calibration channel set
[AC-wlan-regulate-domain-domain1]dca-channel 5g bandwidth 20mhz // configure the calibration bandwidth
[AC-wlan-regulate-domain-domain1]dca-channel 5g channel-set 149,153,157,161 // configure the calibration channel set
[AC-wlan-regulate-domain-domain1]q
(3) Configure neighbor probing
3.1  Configure the air scan profile
[AC-wlan-view]air-scan-profile name wlan-airscan
3.2  Configure the air scan channel set. By default, the air scan channel set is all channels supported by the AP's country code.
[AC-wlan-air-scan-prof-wlan-airscan]scan-channel-set dca-channel
3.3  Configure the air scan interval. By default, the air scan interval is 60000 ms.
[AC-wlan-air-scan-prof-wlan-airscan]scan-interval 80000
3.4  Configure the air scan duration. By default, the air scan duration is 60 ms.
[AC-wlan-air-scan-prof-wlan-airscan]scan-period 80
[AC-wlan-air-scan-prof-wlan-airscan]q
3.5  Reference the air scan profile in the 2G and 5G radio profiles
[AC-wlan-view]radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g]air-scan-profile wlan-airscan
[AC-wlan-view]radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g]air-scan-profile wlan-airscan
(4) Reference the radio profiles in the AP group
[AC-wlan-view]ap-group name ap-group1 
[AC-wlan-ap-group-ap-group1]radio-2g-profile wlan-radio2g radio 0 
[AC-wlan-ap-group-ap-group1]radio-5g-profile wlan-radio5g radio 1
(5) Start radio calibration
5.1  Set the radio calibration mode to manual and trigger calibration manually.
[AC-wlan-view] calibrate enable manual 
[AC-wlan-view] calibrate manual startup
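Points to note when configuring roaming:
(1) The SSID and the data forwarding mode must be the same;
(2) The authentication method in the security profile must be the same, including the key;
(3) Set the channels so that they do not interfere, with a coverage overlap of 10% to 15%;
(4) In direct forwarding mode, both the service VLANs and the management VLAN must be allowed to pass; otherwise the VLAN stays the same after roaming and its traffic cannot get through.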
