I. Topology
[Figure: topology diagram (image not preserved)]
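II. Networking requirements:
The customer wants to deploy WLAN with as few changes as possible to the existing network architecture. The AC only manages the APs centrally; STA service data does not need to be forwarded to the AC.
The AC connects to the egress firewall through the Layer 3 core switch SWA, and connects to the APs through SWA and SWB. The WLAN deployment provides wireless networks with the SSIDs public and work for user access. SWA acts as the DHCP server and assigns IP addresses to wireless users and APs.
III. Planning table: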
Configuration item | Data
WLAN service | No authentication, no encryption
AC source interface | VLANIF200:172.16.100.2/24
AC Carrier ID/AC ID | Other/1
AP region | 10
Service set | SSID: public, work; data forwarding mode: direct forwarding
DHCP server | SWA acts as the DHCP server and assigns addresses to APs and STAs
AP gateway | VLANIF100:192.168.10.1/24
AP IP address pool | 192.168.10.2~192.168.10.254/24
STA1 gateway | VLANIF101:192.168.11.1/24
STA1 IP address pool | 192.168.11.2~192.168.11.254/24
STA2 gateway | VLANIF102:192.168.12.1/24
STA2 IP address pool | 192.168.12.2~192.168.12.254/24
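IV. Configuration approach
Configure the basic WLAN services as follows:
- Configure SWA and SWB for Layer 2 connectivity; configure SWA, the FW and the AC for Layer 3 connectivity
- Configure a global DHCP server on SWA to assign IP addresses to APs and STAs
- Configure the basic WLAN services so that users can reach the Internet through the WLAN
V. Procedure
1. Configure SWB
1. Change the device name and add VLANs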
<Huawei>system-view
[Huawei]sysname SWB
[SWB]vlan batch 100 101 102
2. Allow packets from vlan100, vlan101 and vlan102 to pass through interface G0/0/1
[SWB]interface GigabitEthernet 0/0/1
[SWB-GigabitEthernet0/0/1]port link-type trunk
[SWB-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 to 102
[SWB-GigabitEthernet0/0/1]quit
3. Add interface G0/0/2 to vlan100 (AP management VLAN) and allow packets from vlan101 (AP service VLAN) to pass
[SWB]interface GigabitEthernet 0/0/2
[SWB-GigabitEthernet0/0/2]port link-type trunk
[SWB-GigabitEthernet0/0/2]port trunk pvid vlan 100
[SWB-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101
[SWB-GigabitEthernet0/0/2]port-isolate enable
[SWB-GigabitEthernet0/0/2]quit
4. Add interface G0/0/3 to vlan100 (AP management VLAN) and allow packets from vlan102 (AP service VLAN) to pass
[SWB]interface GigabitEthernet 0/0/3
[SWB-GigabitEthernet0/0/3]port link-type trunk
[SWB-GigabitEthernet0/0/3]port trunk pvid vlan 100
[SWB-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 102
[SWB-GigabitEthernet0/0/3]port-isolate enable
[SWB-GigabitEthernet0/0/3]quit
#Appendix - switch version
<SWB>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.110 (S5700 V200R001C00)
Copyright (c) 2000-2011 HUAWEI TECH CO., LTD
Quidway S5700-28C-HI
2. Configure SWA
1. Change the device name and add VLANs
<Huawei>system-view
[Huawei]sysname SWA
[SWA]vlan batch 100 101 102 200 201
2. Configure DHCP address pools for the APs and STAs
[SWA]dhcp enable
[SWA]ip pool ap
[SWA-ip-pool-ap]network 192.168.10.0 mask 24
[SWA-ip-pool-ap]gateway-list 192.168.10.1
[SWA-ip-pool-ap]option 43 sub-option 3 ascii 172.16.100.2
[SWA-ip-pool-ap]quit
[SWA]ip pool sta1
[SWA-ip-pool-sta1]network 192.168.11.0 mask 24
[SWA-ip-pool-sta1]gateway-list 192.168.11.1
[SWA-ip-pool-sta1]quit
[SWA]ip pool sta2
[SWA-ip-pool-sta2]network 192.168.12.0 mask 24
[SWA-ip-pool-sta2]gateway-list 192.168.12.1
[SWA-ip-pool-sta2]quit
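The option 43 sub-option 3 ascii 172.16.100.2 line in the ap pool is how APs in 192.168.10.0/24 learn the address of an AC that sits in another subnet. The following Python code is an added example, not part of the original article: it builds the bytes that line puts on the wire and checks that a captured option 43 still names only the planned AC. Function names are hypothetical, and the comma-separated form for several AC addresses is an assumption.

```python
import ipaddress

VENDOR_SPECIFIC = 43   # DHCP option code for vendor-specific information
AC_ADDR_SUBOPT = 3     # sub-option number used on this page for the AC address

def encode_option43(ac_addrs):
    """Build the raw bytes for 'option 43 sub-option 3 ascii <addrs>'."""
    data = ",".join(ac_addrs).encode("ascii")      # assumption: comma-separated list
    sub = bytes([AC_ADDR_SUBOPT, len(data)]) + data
    return bytes([VENDOR_SPECIFIC, len(sub)]) + sub

def decode_option43(raw):
    """Parse option 43 bytes into {sub-option: payload}, rejecting bad lengths."""
    if len(raw) < 2 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw) - 2:
        raise ValueError("not a well-formed option 43")
    subs, i, body = {}, 0, raw[2:]
    while i < len(body):
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("truncated sub-option")
        code, length = body[i], body[i + 1]
        subs[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return subs

def ac_addresses(raw):
    """Return the AC addresses carried in sub-option 3, validated as IPv4."""
    payload = decode_option43(raw).get(AC_ADDR_SUBOPT, b"")
    return [str(ipaddress.IPv4Address(a))
            for a in payload.decode("ascii").split(",") if a]

def offer_matches_plan(raw, expected=("172.16.100.2",)):
    """True only if the option names exactly the planned AC address(es)."""
    try:
        return ac_addresses(raw) == list(expected)
    except ValueError:   # malformed TLV, non-ASCII payload or invalid address
        return False

if __name__ == "__main__":
    planned = encode_option43(["172.16.100.2"])
    print(planned.hex(), offer_matches_plan(planned))
```

Feeding it the option 43 bytes from a DHCP offer captured on the AP management VLAN shows whether the APs are being pointed at an AC other than the planned one.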
3. Configure the VLANIF IP addresses used to assign IP addresses to the APs and STAs
[SWA]interface Vlanif 100
[SWA-Vlanif100]ip address 192.168.10.1 24
[SWA-Vlanif100]dhcp select global
[SWA-Vlanif100]quit
[SWA]interface Vlanif 101
[SWA-Vlanif101]ip address 192.168.11.1 24
[SWA-Vlanif101]dhcp select global
[SWA-Vlanif101]quit
[SWA]interface Vlanif 102
[SWA-Vlanif102]ip address 192.168.12.1 24
[SWA-Vlanif102]dhcp select global
[SWA-Vlanif102]quit
[SWA]interface Vlanif 200
[SWA-Vlanif200]ip address 172.16.100.10 24
[SWA-Vlanif200]quit
[SWA]interface Vlanif 201
[SWA-Vlanif201]ip address 172.16.101.10 24
[SWA-Vlanif201]quit
4. Configure the interfaces
[SWA]interface GigabitEthernet 0/0/1
[SWA-GigabitEthernet0/0/1]port link-type trunk
[SWA-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SWA-GigabitEthernet0/0/1]quit
[SWA]interface GigabitEthernet 0/0/2
[SWA-GigabitEthernet0/0/2]port link-type trunk
[SWA-GigabitEthernet0/0/2]port trunk allow-pass vlan 200
[SWA-GigabitEthernet0/0/2]quit
[SWA]interface GigabitEthernet 0/0/3
[SWA-GigabitEthernet0/0/3]port link-type access
[SWA-GigabitEthernet0/0/3]port default vlan 201
[SWA-GigabitEthernet0/0/3]quit
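SWB prunes each trunk to the VLANs it carries and isolates the AP-facing ports, while G0/0/1 on SWA uses allow-pass vlan all. The following Python code is an added example, not part of the original article: it parses the prompt-style commands from the steps above and reports trunks that carry more VLANs than planned and AP ports without port isolation. The NEEDED mapping and the rule that a trunk PVID marks an AP-facing port are assumptions drawn from the planning table and the SWB steps.

```python
import re

# Interface commands copied from the SWB and SWA steps on this page.
TRANSCRIPT = """\
[SWB-GigabitEthernet0/0/1]port link-type trunk
[SWB-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 to 102
[SWB-GigabitEthernet0/0/2]port trunk pvid vlan 100
[SWB-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101
[SWB-GigabitEthernet0/0/2]port-isolate enable
[SWA-GigabitEthernet0/0/1]port trunk allow-pass vlan all
"""

# Assumption: the VLANs each trunk needs, taken from the planning table.
NEEDED = {("SWB", "0/0/1"): {100, 101, 102}, ("SWB", "0/0/2"): {100, 101},
          ("SWA", "0/0/1"): {100, 101, 102}}

def expand(tokens):
    """Expand '100 to 102', '100 101' or 'all' into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        lo = hi = int(tokens[i])
        if tokens[i + 1:i + 2] == ["to"]:
            hi, i = int(tokens[i + 2]), i + 2
        vlans.update(range(lo, hi + 1))
        i += 1
    return vlans

def audit(transcript, needed):
    """Map (device, port) to findings: over-wide trunks, AP ports without isolation."""
    allowed, ap_ports, isolated, findings = {}, set(), set(), {}
    for line in transcript.splitlines():
        m = re.match(r"\[(\w+)-GigabitEthernet([\d/]+)\](.+)", line)
        if not m:
            continue
        key, cmd = (m.group(1), m.group(2)), m.group(3).strip()
        if cmd.startswith("port trunk allow-pass vlan "):
            allowed.setdefault(key, set()).update(expand(cmd.split()[4:]))
        elif cmd.startswith("port trunk pvid vlan "):
            ap_ports.add(key)      # assumption: a PVID marks an AP-facing port
        elif cmd == "port-isolate enable":
            isolated.add(key)
    for key, vlans in allowed.items():
        extra = len(vlans - needed.get(key, set()))
        if extra:
            findings.setdefault(key, []).append(f"{extra} VLANs beyond plan")
    for key in sorted(ap_ports - isolated):
        findings.setdefault(key, []).append("AP port without port-isolate")
    return findings
```

On the commands above, audit(TRANSCRIPT, NEEDED) reports only G0/0/1 on SWA, whose allow-pass vlan all covers far more than VLANs 100 to 102.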
5. Configure the default route
[SWA]ip route-static 0.0.0.0 0.0.0.0 172.16.101.1
#Appendix - switch version
[SWA]display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.110 (S5700 V200R001C00)
Copyright (c) 2000-2011 HUAWEI TECH CO., LTD
Quidway S5700-28C-HI
3. Configure the AC
1. Configure interface G0/0/2, which connects the AC to SWA, to allow vlan200 packets to pass
<AC6605>system-view
[AC6605]vlan batch 101 102 200
[AC6605]interface Vlanif 200
[AC6605-Vlanif200]ip address 172.16.100.2 24
[AC6605-Vlanif200]quit
[AC6605]interface GigabitEthernet 0/0/2
[AC6605-GigabitEthernet0/0/2]port link-type trunk
[AC6605-GigabitEthernet0/0/2]port trunk allow-pass vlan 200
[AC6605-GigabitEthernet0/0/2]quit
2. Configure a route from the AC to the APs, with vlanif200 of SWA as the next hop
[AC6605]ip route-static 192.168.10.0 24 172.16.100.10
3. Configure the AC country code
[AC6605]wlan ac-global country-code cn
4. Configure the AC ID and carrier ID
[AC6605]wlan ac-global ac id 1 carrier id other
5. Configure the AC source interface
[AC6605]wlan
[AC6605-wlan-view]wlan ac source interface Vlanif 200
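6. Manage the APs on the AC
#Add the APs offline, using the AP device type ID obtained by query. Assume the AP type is AP6010DN-AGN and the MAC addresses are 00E0-FCEC-66A0 and 00E0-FC07-60F0 (the ap-auth-mode command defaults to MAC authentication; if the default has not been changed, ap-auth-mode mac-auth does not need to be run)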
[AC6605-wlan-view]ap-auth-mode mac-auth
[AC6605-wlan-view]ap id 0 type-id 19 mac 00E0-FCEC-66A0
[AC6605-wlan-ap-0]quit
[AC6605-wlan-view]ap id 1 type-id 19 mac 00E0-FC07-60F0
[AC6605-wlan-ap-1]quit
#Configure the AP region and add the APs to it
[AC6605-wlan-view]ap-region id 10
[AC6605-wlan-ap-region-10]quit
[AC6605-wlan-view]ap id 0
[AC6605-wlan-ap-0]region-id 10
[AC6605-wlan-ap-0]quit
[AC6605-wlan-view]ap id 1
[AC6605-wlan-ap-1]region-id 10
[AC6605-wlan-ap-1]quit
#After the APs are powered on, the “AP State” field shows “normal”
[AC6605-wlan-view]display ap all
All AP information(Normal-2,UnNormal-0):
------------------------------------------------------------------------------
AP    AP            AP              Profile   AP      AP
                                    /Region
ID    Type          MAC             ID        State   Sysname
------------------------------------------------------------------------------
0     AP6010DN-AGN  00e0-fcec-66a0  0/10      normal  ap-0
1     AP6010DN-AGN  00e0-fc07-60f0  0/10      normal  ap-1
------------------------------------------------------------------------------
Total number: 2
7. Configure the WLAN service parameters
#Create a WMM profile named “wmm” with default parameters
[AC6605-wlan-view]wmm-profile name wmm id 1
[AC6605-wlan-wmm-prof-wmm]quit
#Create a radio profile named “radio” and bind the WMM profile “wmm” to it
[AC6605-wlan-view]radio-profile name radio id 1
[AC6605-wlan-radio-prof-radio]wmm-profile name wmm
[AC6605-wlan-radio-prof-radio]quit
[AC6605-wlan-view]quit
#Create the WLAN-ESS interfaces
[AC6605]interface Wlan-Ess 0
[AC6605-Wlan-Ess0]port hybrid pvid vlan 101
[AC6605-Wlan-Ess0]port hybrid untagged vlan 101
[AC6605-Wlan-Ess0]quit
[AC6605]interface Wlan-Ess 1
[AC6605-Wlan-Ess1]port hybrid pvid vlan 102
[AC6605-Wlan-Ess1]port hybrid untagged vlan 102
[AC6605-Wlan-Ess1]quit
#Create a security profile named “security” with default parameters, that is, open authentication and no encryption
[AC6605]wlan
[AC6605-wlan-view]security-profile name security id 1
[AC6605-wlan-sec-prof-security]quit
#Create a traffic profile named “traffic” with default parameters
[AC6605-wlan-view]traffic-profile name traffic id 1
[AC6605-wlan-traffic-prof-traffic]quit
#Create service sets named “public” and “work” and bind the WLAN-ESS interfaces, security profile and traffic profile to them
[AC6605-wlan-view]service-set name public id 1
[AC6605-wlan-service-set-public]ssid public
[AC6605-wlan-service-set-public]wlan-ess 0
[AC6605-wlan-service-set-public]security-profile name security
[AC6605-wlan-service-set-public]traffic-profile name traffic
[AC6605-wlan-service-set-public]service-vlan 101
[AC6605-wlan-service-set-public]forward-mode direct
[AC6605-wlan-service-set-public]quit
[AC6605-wlan-view]service-set name work id 2
[AC6605-wlan-service-set-work]ssid work
[AC6605-wlan-service-set-work]wlan-ess 1
[AC6605-wlan-service-set-work]security-profile name security
[AC6605-wlan-service-set-work]traffic-profile name traffic
[AC6605-wlan-service-set-work]service-vlan 102
[AC6605-wlan-service-set-work]forward-mode direct
[AC6605-wlan-service-set-work]quit
8. Configure and deliver the VAPs
#Configure the VAPs
[AC6605-wlan-view]ap 0 radio 0
[AC6605-wlan-radio-0/0]radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC6605-wlan-radio-0/0]service-set name public
[AC6605-wlan-radio-0/0]quit
[AC6605-wlan-view]ap 1 radio 0
[AC6605-wlan-radio-1/0]radio-profile name radio
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]:y
[AC6605-wlan-radio-1/0]service-set name work
[AC6605-wlan-radio-1/0]quit
#Commit the configuration
[AC6605-wlan-view]commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
9. Verify the configuration
After the configuration is complete, run the display vap ap 0 radio 0 and display vap ap 1 radio 0 commands to confirm that the VAPs have been created
[AC6605-wlan-view]display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID  Radio ID  SS ID  BP ID  MP ID  WLAN ID  BSSID           Type
0      0         1      -      -      1        00E0-FCEC-66A0  service
----------------------------------------------------------------------
Total: 1
[AC6605-wlan-view]display vap ap 1 radio 0
All VAP Information(Total-1):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID  Radio ID  SS ID  BP ID  MP ID  WLAN ID  BSSID           Type
1      0         2      -      -      1        00E0-FC07-60F0  service
----------------------------------------------------------------------
Total: 1
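After a STA finds the wireless network named “public” or “work” and associates with it, run the display station assoc-info command on the AC to see that the users are connected to the wireless networks “public” and “work”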
[AC6605-wlan-view]display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC AP-ID RADIO-ID SS-ID SSID
------------------------------------------------------------------------------
5489-9849-35f9 0 0 1 public
------------------------------------------------------------------------------
Total stations: 1
[AC6605-wlan-view]display station assoc-info ap 1 radio 0
------------------------------------------------------------------------------
STA MAC AP-ID RADIO-ID SS-ID SSID
------------------------------------------------------------------------------
5489-9898-0f07 1 0 2 work
------------------------------------------------------------------------------
Total stations: 1
#Appendix - AC version
<AC6605>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.130 (AC6605 V200R003C00)
Copyright (C) 2011-2016 HUAWEI TECH CO., LTD
Huawei AC6605
4. Basic firewall configuration
<USG6000V1>system-view
[USG6000V1]interface GigabitEthernet 1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip address 172.16.101.1 24
[USG6000V1-GigabitEthernet1/0/3]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/3]quit
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/3
[USG6000V1-zone-trust]quit
[USG6000V1]ip route-static 192.168.0.0 16 172.16.101.10