How to apply Free Mobility (业务随行) to two users on the same Service-set and the same subnet

Published: 2016-02-26    Views: 107    Downloads: 0
Problem description

In a WLAN Free Mobility deployment we ran into the following problem: two accounts were registered on the Controller and mapped to two security groups that were configured to be isolated from each other (for example Teacher and Student), yet the two users could not be isolated no matter what we tried.

Handling process
Root cause: the two users were being bridged directly on the AP, so their traffic never reached the switch. The two users are on the same AP, the same Service-set and the same subnet; unless user isolation is enabled on the AP, they can communicate with each other locally at the AP, and the policy enforced on the switch is never consulted.
Solution

Therefore add the Layer 2 user-isolation configuration under the service-set, so that client-to-client traffic is forced up to the switch instead of being bridged at the AP:
service-set name 3 id 3
  forward-mode tunnel
  wlan-ess 4
  ssid XXXXX
  user-isolate
  traffic-profile id 0
  security-profile id 0
  service-vlan 1004

   
With only this configuration, however, the two users can never communicate with each other, regardless of whether the Controller pushes a permit or a deny policy. The reason is that the packets the two users send to each other now enter and leave the switch through the same port. This matters most for ARP: an ARP request is a broadcast, and a broadcast is never forwarded back out of the interface on which it was received, so address resolution fails before any policy is evaluated. The fix is to configure ARP proxy on the VLANIF, specifically intra-VLAN proxy, so that the switch answers ARP on behalf of the other user and forwards the traffic itself:
interface Vlanif1004
  ip address 115.1.1.1 255.255.255.0
  domain name scu force
  domain name scu
  authentication portal
  arp-proxy inner-sub-vlan-proxy enable
  dhcp select interface

With this configuration in place, two users on the same AP, the same Service-set and the same subnet are successfully subjected to the Free Mobility policy on the switch: user isolation on the service-set forces their traffic up to the switch, and intra-VLAN ARP proxy on the VLANIF lets the switch resolve and forward it according to the permit/deny policy pushed by the Controller.
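Because the two settings only work as a pair, it is easy to ship one without the other. The script below is an added example, not part of the original case or any Huawei tool: it parses a VRP-style configuration fragment and reports, for every service-set, whether it has user-isolate and whether the VLANIF of its service-vlan has arp-proxy inner-sub-vlan-proxy enable. The sample configuration inside it is constructed for the example (service-set names, SSIDs and VLAN 1005/1006 are made up) and it assumes the usual layout of one unindented block header followed by indented body lines; service-set names are assumed to contain no spaces.

```python
"""Audit a Huawei VRP-style config fragment for the pairing described above:
a service-set with user-isolate needs 'arp-proxy inner-sub-vlan-proxy enable'
on the VLANIF of its service-vlan, or clients on it can never reach each other.
Added example; the sample config is constructed, not taken from the page."""
import re
from typing import Dict, List, Optional

# Constructed sample: set 3 is correct, set 5 is isolated but Vlanif1005 has
# no ARP proxy, set 7 has no isolation at all (clients bridge at the AP).
SAMPLE_CONFIG = """\
service-set name 3 id 3
  forward-mode tunnel
  wlan-ess 4
  ssid XXXXX
  user-isolate
  traffic-profile id 0
  security-profile id 0
  service-vlan 1004
service-set name 5 id 5
  forward-mode tunnel
  wlan-ess 6
  ssid GUEST
  user-isolate
  service-vlan 1005
service-set name 7 id 7
  forward-mode tunnel
  wlan-ess 8
  ssid OPEN
  service-vlan 1006
interface Vlanif1004
  ip address 115.1.1.1 255.255.255.0
  authentication portal
  arp-proxy inner-sub-vlan-proxy enable
  dhcp select interface
interface Vlanif1005
  ip address 115.1.2.1 255.255.255.0
  authentication portal
  dhcp select interface
"""

ARP_PROXY_CMD = "arp-proxy inner-sub-vlan-proxy enable"

STATUS_HELP = {
    "OK": "isolated at the AP and ARP proxied on the VLANIF; switch policy applies",
    "NO_ISOLATION": "clients on the same AP bridge locally; switch policy never sees their traffic",
    "ISOLATED_NO_ARP_PROXY": "ARP never resolves; clients cannot reach each other even with a permit policy",
    "NO_VLANIF": "service-vlan has no VLANIF in this fragment; cannot judge",
}


def parse_blocks(config: str) -> List[Dict[str, object]]:
    """Split a VRP-style fragment into top-level blocks.

    A block starts at an unindented line; indented lines belong to it.
    Blank lines and lines that are only '#' (VRP block separators) are skipped.
    """
    blocks: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "#":
            continue
        if raw[0] not in " \t":
            current = {"header": text, "lines": []}
            blocks.append(current)
        elif current is not None:
            current["lines"].append(text)  # type: ignore[union-attr]
    return blocks


def audit(config: str) -> List[Dict[str, object]]:
    """Return one finding per service-set: name, service-vlan and a status key."""
    blocks = parse_blocks(config)

    # Index VLANIF bodies by VLAN id so each service-vlan can be looked up.
    vlanifs: Dict[int, List[str]] = {}
    for block in blocks:
        m = re.match(r"interface Vlanif(\d+)$", str(block["header"]))
        if m:
            vlanifs[int(m.group(1))] = list(block["lines"])  # type: ignore[arg-type]

    findings: List[Dict[str, object]] = []
    for block in blocks:
        m = re.match(r"service-set name (\S+) id (\d+)", str(block["header"]))
        if not m:
            continue
        lines = list(block["lines"])  # type: ignore[arg-type]
        vlan: Optional[int] = None
        for line in lines:
            vm = re.match(r"service-vlan (\d+)$", line)
            if vm:
                vlan = int(vm.group(1))

        if "user-isolate" not in lines:
            status = "NO_ISOLATION"          # traffic stays on the AP
        elif vlan is None or vlan not in vlanifs:
            status = "NO_VLANIF"
        elif ARP_PROXY_CMD in vlanifs[vlan]:
            status = "OK"                    # both halves of the fix present
        else:
            status = "ISOLATED_NO_ARP_PROXY"  # permit/deny both end in silence
        findings.append({"service_set": m.group(1), "vlan": vlan, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"service-set {f['service_set']} (vlan {f['vlan']}): "
              f"{f['status']} - {STATUS_HELP[str(f['status'])]}")
```

Run it against a saved copy of the relevant part of the switch configuration; any service-set reported as ISOLATED_NO_ARP_PROXY is exactly the state described in this case, where users are cut off regardless of the Controller's policy.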
