ACU2 V200R006C10SPC100: wireless clients cannot obtain an IP address in direct forwarding mode

Published: 2016-05-23
Problem description

 

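With an ACU2 as the wireless controller running V200R006C10SPC100, wireless clients cannot obtain an IP address in direct forwarding mode, but can obtain one in tunnel mode.

Network topology: ACU2(S12708 G2/2/1/0)--------(G0/0/28)S5700(G0/0/1)------AP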

 

ACU2 configuration:

ACU2

wired-port-profile name default
  undo dhcp trust port

#

capwap source interface vlanif4007

#

ssid-profile name HKZY
  ssid HKZY

#

vap-profile name HKZY

  service-vlan vlan-id 901

  learn-client-address dhcp-strict blacklist enable

  ssid-profile HKZY

#

ap-id 5010 type-id 46 ap-mac 70d9-312e-7da0 ap-sn 21500826402SFB902127

  ap-name JXL-1D-01-105

  ap-group JXL-1D-01

  radio 0

   channel 20mhz 3

   eirp 20

  radio 1

   channel 40mhz-minus 48

   eirp 23

#

ap-group name JXL-1D-01

  radio 0

   vap-profile HKZY wlan 4

   vap-profile HKZY_Teach wlan 6

   vap-profile PPPoE wlan 8

   vap-profile Admin wlan 9

  radio 1

   vap-profile HKZY wlan 4

   vap-profile HKZY_Teach wlan 6

   vap-profile PPPoE wlan 8

   vap-profile Admin wlan 9

 

Switch configuration

S5700

vlan batch 901 to 909 2113 2120 3001 to 3003 4006 to 4007

#

interface GigabitEthernet0/0/1

port link-type trunk

port trunk pvid vlan 2120

port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/28

port link-type trunk

port trunk allow-pass vlan 2 to 4094

#

 S12700

interface GigabitEthernet2/2/1/0

combo-port copper

port link-type trunk

port trunk allow-pass vlan 2 to 4094

#

interface Vlanif901

description hkzy_wlan

ip address 10.101.32.1 255.255.224.0

web-auth-server hy layer3

domain name portal force

authentication portal

dhcp select interface

dhcp server dns-list 114.114.114.114 59.51.78.211 222.246.129.80

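Troubleshooting process

1: Test communication from the AP wired port to the service VLAN gateway. A wireless client configured with a static IP address associates with the SSID successfully and can ping the gateway 10.101.32.1, confirming that VLAN transparent transmission and link connectivity are normal.

2: Test DHCP packet forwarding on the link. Add an access-switch port to VLAN 901 and connect a PC; the PC obtains an IP address through DHCP normally, confirming that the link forwards DHCP packets and the DHCP server works properly.

3: Test whether the AP forwards DHCP packets. Capture packets through port mirroring on the AP's PoE port and on the client's wireless NIC. The wireless client sends DHCP Discover packets, but no DHCP Discover packets appear in the capture on the AP wired port.

Root cause

The DHCP snooping trusted-port function was disabled on the AP wired interface G0/0/0, so in direct forwarding mode DHCP request packets could not leave the AP. After undo dhcp trust port was deleted, service recovered.

The purpose of configuring undo dhcp trust port was to prevent users from obtaining IP addresses through the AP's FE ports, but the configuration scope was too broad and the GE port was restricted as well.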

Problematic configuration:

wired-port-profile name default

 undo dhcp trust port 

Solution

Disable the DHCP function on specific wired ports in the AP group

wired-port-profile name denyFakeDHCP

  undo dhcp trust port

ap-group name JXL-1D-01

  wired-port-profile denyFakeDHCP ethernet 0

  wired-port-profile denyFakeDHCP ethernet 1

  wired-port-profile denyFakeDHCP ethernet 2

  wired-port-profile denyFakeDHCP ethernet 3
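
A configuration audit for the scoping mistake in this case, as an added example that is not part of the original case or of Huawei's tooling. It assumes the AC configuration is saved as text with its indentation preserved; the function name `audit_dhcp_trust` and the "unbound profile" check are illustrative assumptions, and the sample input is constructed from the lines shown above.

```python
import re

# Constructed sample: the faulty default profile and the scoped fix from this case.
SAMPLE_CONFIG = """\
wired-port-profile name default
  undo dhcp trust port
#
wired-port-profile name denyFakeDHCP
  undo dhcp trust port
#
ap-group name JXL-1D-01
  wired-port-profile denyFakeDHCP ethernet 0
  wired-port-profile denyFakeDHCP ethernet 1
  radio 0
   vap-profile HKZY wlan 4
#
"""

def audit_dhcp_trust(config_text):
    """Return (untrusted_profiles, bindings, findings) for an AC config dump."""
    untrusted = set()   # profiles that contain 'undo dhcp trust port'
    bindings = {}       # profile -> [(ap-group, port type, port number)]
    section = None      # (kind, name) of the top-level view being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():  # an unindented line opens a new view
            m = re.match(r"(wired-port-profile|ap-group) name (\S+)$", line)
            section = (m.group(1), m.group(2)) if m else None
            continue
        kind, name = section or (None, None)
        if kind == "wired-port-profile" and line == "undo dhcp trust port":
            untrusted.add(name)
        elif kind == "ap-group":
            m = re.match(r"wired-port-profile (\S+) (\S+) (\d+)$", line)
            if m:  # explicit binding of a profile to one wired port
                bindings.setdefault(m.group(1), []).append(
                    (name, m.group(2), int(m.group(3))))
    findings = []
    for prof in sorted(untrusted):
        if prof == "default":  # the fault here: scope includes the GE uplink
            findings.append("default: DHCP trust disabled for all wired ports "
                            "on the default profile, including the GE uplink")
        elif prof not in bindings:
            findings.append(f"{prof}: DHCP trust disabled but bound to no port")
    return untrusted, bindings, findings

if __name__ == "__main__":
    print("\n".join(audit_dhcp_trust(SAMPLE_CONFIG)[2]))
```

Running it before a change is pushed shows whether `undo dhcp trust port` sits in the `default` profile and which ports each scoped profile actually covers.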

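Recommendations and summary

When configuring wireless services, configure the basic functions first, and add complex functions step by step only after those work, so that customized configuration does not interfere with basic functions.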
