Native AC + SVF Solution: Parents Containing Aggregation Switches Function as Gateways for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data.
Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth. In addition, aggregation switches are configured with the native AC function to manage APs and transmit wireless service traffic on the entire network, implementing wired and wireless convergence.
There are a large number of wired and wireless access devices that are widely distributed. To implement unified management and configuration and reduce management costs, SVF is deployed on the network. Aggregation and access switches set up SVF systems. In such an SVF system, the stack of aggregation switches functions as the parent, and access switches function as ASs. The parent manages and configures ASs in a unified manner.
In this example, aggregation switches set up stacks that function as gateways for wired and wireless users on the entire network and are responsible for routing and forwarding of user services.
Device Requirements and Versions
Location | Device Requirement | Device Used in This Example | Version Used in This Example
---|---|---|---
Core layer | - | S12700E | V200R019C10
Aggregation layer |  | S5731-H |  
Access layer | Fixed switches that can function as ASs | S5735-L |  
AP | - | AP6050DN | V200R019C00
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
---|---|---
1 | Configure CSS, stacking, and MAD on switches. | Core and aggregation switches
2 | Configure interfaces and VLANs on switches to implement Layer 2 communication. | Core, aggregation, and access switches
3 | Configure VLANIF interfaces on switches and assign IP addresses to the VLANIF interfaces. | Core and aggregation switches
4 | Configure DHCP on switches so that the switches function as DHCP servers to assign IP addresses to wired and wireless users. | Aggregation switches
5 | Configure routing on switches to implement Layer 3 communication. | Core and aggregation switches
6 | Configure stacks of aggregation switches as parents to set up SVF systems with level-1 ASs. | Aggregation switches
7 | Configure wireless services on switches so that APs and STAs can go online. | Aggregation switches
Data Plan
Item | VLAN ID | Network Segment
---|---|---
Network segment for communication with AGG1 | VLAN 70 | 172.16.70.1/24
Network segment for communication with AGG2 | VLAN 80 | 172.16.80.1/24
Network segment for communication with servers | VLAN 1000 | 192.168.11.254/24
Device | Item | VLAN ID | Network Segment
---|---|---|---
AGG1 | Management VLAN for APs | VLAN 20 | 192.168.20.0/24
AGG1 | Service VLANs for wireless users | VLAN 30 | 172.16.30.0/24
AGG1 | Service VLANs for wireless users | VLAN 31 | 172.16.31.0/24
AGG1 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24
AGG1 | Network segment for communication with CORE | VLAN 70 | 172.16.70.2/24
AGG2 | Management VLAN for APs | VLAN 21 | 192.168.21.0/24
AGG2 | Service VLANs for wireless users | VLAN 40 | 172.16.40.0/24
AGG2 | Service VLANs for wireless users | VLAN 41 | 172.16.41.0/24
AGG2 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24
AGG2 | Network segment for communication with CORE | VLAN 80 | 172.16.80.2/24
Item | AGG1 Data | AGG2 Data
---|---|---
Traffic profile | traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. |  
Security profiles |  |  
SSID profiles |  |  
AP group | ap-group1 | ap-group2
Regulatory domain profile | domain1 | domain2
VAP profiles |  |  
Item | Data
---|---
Parent | AGG1
MAC address of the AS and AP | as-layer1-1 (ACC1): 00e0-fc01-0033
Management VLAN of the SVF system | VLAN 20
IP address of the management VLANIF interface | 192.168.20.1/24
Parent's interface connected to as-layer1-1 | GE0/0/3. Add the interface to Eth-Trunk 30 and bind it to fabric port 1.
as-layer1-1's interface connected to AP1 | GE0/0/4. Add the interface to an AP port group.
AS authentication mode | Whitelist authentication
Service configuration of an AS administrator profile | Administrator profile admin_profile1, in which the administrator user name and password are configured; AS group admin_group1, which includes all ASs; binding of the administrator profile admin_profile1 to the AS group admin_group1.
Service configuration of an AS network basic profile | Network basic profile basic_profile_1, in which VLAN 50 is configured as the VLAN from which packets are allowed to pass through; port group port_group_1, which includes all downlink interfaces of as-layer1-1 except GigabitEthernet 0/0/4 (connected to an AP); binding of network basic profile basic_profile_1 to port group port_group_1.
Item | Data
---|---
Parent | AGG2
MAC address of the AS and AP | as-layer1-2 (ACC2): 00e0-fc01-0044
Management VLAN of the SVF system | VLAN 21
IP address of the management VLANIF interface | 192.168.21.1/24
Parent's interface connected to as-layer1-2 | GE0/0/3. Add the interface to Eth-Trunk 40 and bind it to fabric port 2.
as-layer1-2's interface connected to AP2 | GE0/0/4. Add the interface to an AP port group.
AS authentication mode | Whitelist authentication
Service configuration of an AS administrator profile | Administrator profile admin_profile2, in which the administrator user name and password are configured; AS group admin_group2, which includes all ASs; binding of the administrator profile admin_profile2 to the AS group admin_group2.
Service configuration of an AS network basic profile | Network basic profile basic_profile_2, in which VLAN 60 is configured as the VLAN from which packets are allowed to pass through; port group port_group_2, which includes all downlink interfaces of as-layer1-2 except GigabitEthernet 0/0/4 (connected to an AP); binding of network basic profile basic_profile_2 to port group port_group_2.
Deployment Precautions
It is not recommended that VLAN 1 be used as the management VLAN or a service VLAN. Remove all interfaces from VLAN 1. Allow an interface to transparently transmit packets from a VLAN based on actual service requirements. Do not allow an interface to transparently transmit packets from all VLANs.
In tunnel forwarding mode, the management VLAN and service VLAN must be different. Otherwise, MAC address flapping will occur, leading to a packet forwarding error. The network between the AC and APs needs to permit only packets tagged with the management VLAN ID and deny packets tagged with the service VLAN ID.
- In tunnel forwarding mode, service packets from APs are encapsulated in CAPWAP data tunnels and transmitted to the AC. The AC then forwards the packets to the upper-layer network. Therefore, service packets and management packets can be transmitted properly when the interfaces that connect the AC to APs are added to the management VLAN and the interface that connects the AC to the upper-layer network is added to a service VLAN.
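The precautions above can be checked offline against a saved configuration before the network goes live. The following Python script is an added example, not part of this Huawei page and not a Huawei tool. It parses only command forms that appear in this example's own configuration files (`interface Vlanif`, `port trunk allow-pass vlan`, `capwap source interface vlanif`, `forward-mode tunnel`, `service-vlan vlan-id`, and OSPF `network` statements) and reports trunks that pass VLAN 1 or effectively all VLANs, a tunnel-mode service VLAN that equals the management VLAN, and, one step beyond the precautions themselves, VLANIF subnets that no OSPF `network` statement covers, since the routing step relies on that. `VrpFacts`, `parse_vrp`, `audit` and `SAMPLE_CONFIG` are names chosen for this example; the sample configuration is constructed and deliberately contains violations.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample configuration (not from the page); it deliberately
# violates the precautions so that every check below fires at least once.
SAMPLE_CONFIG = """\
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
#
interface GigabitEthernet0/0/5
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
 port trunk allow-pass vlan 1 20
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
 vap-profile name vap-bad
  forward-mode tunnel
  service-vlan vlan-id 20
#
"""

@dataclass
class VrpFacts:
    mgmt_vlan: int | None = None                    # from "capwap source interface vlanifN"
    vlanif_addrs: dict[int, ipaddress.IPv4Interface] = field(default_factory=dict)
    trunk_allowed: dict[str, set[int]] = field(default_factory=dict)
    tunnel_service_vlans: dict[str, int] = field(default_factory=dict)
    ospf_networks: list[ipaddress.IPv4Network] = field(default_factory=list)

def expand_vlan_list(spec: str) -> set[int]:
    """Expand a VRP VLAN list ('1 20 50', '2 to 4094', 'all') into a set of IDs."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            vlans.update(range(1, 4095)); i += 1
        elif i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1)); i += 3
        else:
            vlans.add(int(tokens[i])); i += 1
    return vlans

def parse_vrp(text: str) -> VrpFacts:
    f = VrpFacts()
    iface = vap = None
    vap_mode, vap_vlan = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                              # section separator in VRP config files
            iface = vap = None
        elif m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif m := re.match(r"capwap source interface vlanif\s*(\d+)$", line, re.I):
            f.mgmt_vlan = int(m.group(1))
        elif m := re.match(r"(\S+-profile) name (\S+)$", line):
            vap = m.group(2) if m.group(1) == "vap-profile" else None
        elif m := re.match(r"network (\S+) (\S+)$", line):  # OSPF network + wildcard mask
            f.ospf_networks.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif iface and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            if v := re.match(r"Vlanif(\d+)$", iface, re.I):
                f.vlanif_addrs[int(v.group(1))] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif iface and (m := re.match(r"port trunk allow-pass vlan (.+)$", line)):
            f.trunk_allowed.setdefault(iface, set()).update(expand_vlan_list(m.group(1)))
        elif vap and (m := re.match(r"forward-mode (\S+)$", line)):
            vap_mode[vap] = m.group(1)
        elif vap and (m := re.match(r"service-vlan vlan-id (\d+)$", line)):
            vap_vlan[vap] = int(m.group(1))
    f.tunnel_service_vlans = {n: vap_vlan[n] for n, mode in vap_mode.items()
                              if mode == "tunnel" and n in vap_vlan}
    return f

def audit(f: VrpFacts) -> list[str]:
    """Return one finding per violated precaution; an empty list means clean."""
    findings: list[str] = []
    if f.mgmt_vlan == 1:
        findings.append("management VLAN is VLAN 1")
    for iface, vlans in sorted(f.trunk_allowed.items()):
        if 1 in vlans:
            findings.append(f"{iface}: trunk allows VLAN 1")
        if len(vlans) >= 4000:
            findings.append(f"{iface}: trunk allows {len(vlans)} VLANs (effectively all)")
    for vap, vlan in sorted(f.tunnel_service_vlans.items()):
        if vlan == f.mgmt_vlan:
            findings.append(f"vap-profile {vap}: tunnel-mode service VLAN {vlan} equals the management VLAN")
    for vid, addr in sorted(f.vlanif_addrs.items()):
        if f.ospf_networks and not any(addr.ip in net for net in f.ospf_networks):
            findings.append(f"Vlanif{vid}: {addr.network} is not covered by any OSPF network statement")
    return findings
```

To run it against a real device, save the output of `display current-configuration` to a file and pass its contents to `parse_vrp`. One caveat: a Huawei trunk interface permits VLAN 1 by default even when no allow-pass line for it is shown in the configuration, so the VLAN 1 check only catches explicit entries; removing VLAN 1 from a trunk requires `undo port trunk allow-pass vlan 1`.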
When an AS goes online, it must be unconfigured (have no startup configuration file) and have no input on the console interface. Before connecting an AS to an SVF system, you are advised to remove the cable from the console interface.
Each AS can be a stack of up to five member devices that are the same model and provide the same number or different numbers of interfaces. An AS can be a stack of devices of the same series but different models. In such an AS, you can run the slot command to change the preconfigured device model.
Each AS has a unique management MAC address. By default, the device MAC address is used as the management MAC address. You can view the MAC address on the MAC address label attached to the device or run the as access manage-mac command to specify the management MAC address of the AS.
If an AS is a stack and its name and MAC address have been preconfigured on the parent before the AS goes online and connects to the SVF system, you are advised to set up the stack first and then configure the preconfigured MAC address as the management MAC address of the AS. When preconfiguring the name and MAC address of the AS, use the MAC address of the stack master switch. In this case the management MAC address of the AS is the preconfigured MAC address by default, so no management MAC address needs to be configured. If you configure the name and MAC address of the AS only after it goes online and connects to the SVF system, the management MAC address does not need to be configured either.
If switches whose downlink service interfaces can be configured as stack member interfaces set up a stack through these interfaces, the switches cannot join an SVF system as ASs.
If downlink service interfaces of an AS are configured as member interfaces of an uplink fabric port, all the downlink interfaces of the AS cannot be configured as stack member interfaces.
When replacing a faulty AS, pay attention to the following points:
- The AS can be replaced with only a device of the same model. If the new device is of a different model, it joins the SVF system as a new AS and does not inherit services of the replaced AS.
- Only a standalone AS can be replaced. If an AS is a stack, it cannot be replaced.
- To ensure that a new AS that replaces the faulty AS can be successfully authenticated, run the auth-mode none command to set the AS authentication mode to none authentication, or run the whitelist mac-address command to add the management MAC address of the new AS to the whitelist. If the new AS has no management MAC address configured, the system MAC address is used as the management MAC address.
Procedure
- Configure CSS on core switches and stacking on aggregation switches, and configure MAD on the switches.
For details, see Typical CSS and Stack Deployment.
- Configure interfaces and VLANs on CORE.
# Create VLANs.
[CORE] vlan batch 70 80 1000
# Create Eth-Trunk 10 for connecting to AGG1 and add interfaces to the Eth-Trunk. The configuration of the Eth-Trunk interface for connecting to AGG2 is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description connect to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] quit
[CORE] interface xgigabitethernet 1/1/0/1
[CORE-XGigabitEthernet1/1/0/1] eth-trunk 10
[CORE-XGigabitEthernet1/1/0/1] quit
[CORE] interface xgigabitethernet 2/1/0/2
[CORE-XGigabitEthernet2/1/0/2] eth-trunk 10
[CORE-XGigabitEthernet2/1/0/2] quit
# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit
- Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 30 31 50 70
# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 70
[AGG1-Eth-Trunk10] quit
[AGG1] interface xgigabitethernet 0/0/1
[AGG1-XGigabitEthernet0/0/1] eth-trunk 10
[AGG1-XGigabitEthernet0/0/1] quit
[AGG1] interface xgigabitethernet 1/0/1
[AGG1-XGigabitEthernet1/0/1] eth-trunk 10
[AGG1-XGigabitEthernet1/0/1] quit
- Configure VLANIF interfaces on CORE and assign IP addresses to the VLANIF interfaces.
# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit
# Create Layer 3 interface VLANIF 80 for connecting to AGG2.
[CORE] interface vlanif 80
[CORE-Vlanif80] ip address 172.16.80.1 255.255.255.0
[CORE-Vlanif80] quit
# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit
- Configure VLANIF interfaces on AGG1 and assign IP addresses to the VLANIF interfaces. The configuration on AGG2 is similar.
# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG1] interface vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit
- Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit
# Create VLANIF 20 for wireless management and configure AGG1 to assign an IP address to AP1 from the interface address pool.
[AGG1] interface vlanif 20
[AGG1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[AGG1-Vlanif20] dhcp select interface
[AGG1-Vlanif20] dhcp server option 43 ip-address 192.168.20.1 //Configure the parent to send its IP address to the AS so that the AS establishes a CAPWAP link with only the specified IP address.
[AGG1-Vlanif20] quit
# Create Layer 3 interfaces VLANIF 30 and VLANIF 31 for wireless services and configure AGG1 to assign IP addresses to STAs from the interface address pools.
[AGG1] interface vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC. Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif30] quit
[AGG1] interface vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[AGG1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC. Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif31] quit
# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wired service VLAN. Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif50] quit
- Configure routing on core and aggregation switches to implement Layer 3 communication. You can configure a routing protocol based on actual requirements. In this example, OSPF is used.
# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.80.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 192.168.11.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
# Configure OSPF on AGG1. The configuration on AGG2 is similar.
[AGG1] ospf 1 router-id 2.2.2.2
[AGG1-ospf-1] area 0
[AGG1-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255 //Advertise the wireless service network segments 172.16.30.0/24 and 172.16.31.0/24 defined in the data plan.
[AGG1-ospf-1-area-0.0.0.0] network 172.16.31.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] quit
[AGG1-ospf-1] quit
[AGG1] quit
- Configure AGG1 as the parent to set up an SVF system with an AS. The configuration on AGG2 is similar.
# Activate the license of the SVF system.
<AGG1> license active xxxxxx.dat
# Set the STP mode to STP or RSTP.
<AGG1> system-view
[AGG1] stp mode rstp
# Configure the source interface of the CAPWAP tunnel.
[AGG1] capwap source interface vlanif 20
# (Optional) Preconfigure the name of the AS. The MAC address specified in the following command is the management MAC address of the AS. If you do not perform this step, the system generates AS information when the AS connects to the SVF system; the AS name is then in the format system default name-system MAC address.
If you perform this step, ensure that the configured model and mac-address match the actual AS. The value of mac-address must be the management or system MAC address of the AS. To view the management MAC address of an AS, run the display as access configuration command on the AS. If the management MAC address is displayed as --, set mac-address to the system MAC address when configuring the AS name. If the parameter settings differ from the actual AS information, the AS cannot go online.
[AGG1] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be triggered and service traffic will be affected. Continue? [Y/N]:y
[AGG1-um] as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0033
[AGG1-um-as-as-layer1-1] quit
# Configure a fabric port that connects the parent to the AS.
[AGG1-um] interface fabric-port 1
[AGG1-um-fabric-port-1] port member-group interface Eth-Trunk 30
[AGG1-um-fabric-port-1] quit
[AGG1-um] quit
[AGG1] interface gigabitethernet 0/0/3
[AGG1-GigabitEthernet0/0/3] eth-trunk 30
[AGG1-GigabitEthernet0/0/3] quit
# Configure whitelist authentication for the AS to connect to the SVF system.
To view the management MAC address of an AS, run the display as access configuration command on the AS. If the management MAC address is displayed as --, the MAC address configured in the whitelist is the system MAC address of the AS. Otherwise, the MAC address configured in the whitelist is the management MAC address of the AS.
[AGG1] as-auth
[AGG1-as-auth] undo auth-mode
[AGG1-as-auth] whitelist mac-address 00e0-fc01-0033
[AGG1-as-auth] quit
# Clear the configuration of ACC1 and restart ACC1. The SVF system can then be set up. The configuration on ACC2 is similar.
Before restarting an AS, check whether the interface that connects the AS to the parent is a downlink interface. To view all downlink interfaces on the AS, run the display port connection-type access all command on the AS. If this interface is a downlink interface, run the uni-mng up-direction fabric-port command in the user view on the AS to configure this interface as a member interface of an uplink fabric port before restarting the AS. Otherwise, the AS cannot go online. To check whether the interface has been configured as a member interface of an uplink fabric port, run the display uni-mng up-direction fabric-port command on the AS.
<ACC1> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
<ACC1> reboot
# After the access switch is restarted successfully, you can view that the AS has gone online on the parent.
[AGG1] display as all
Total: 1, Normal: 1, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No.  Type           MAC             IP              State       Name
--------------------------------------------------------------------------------
0    S5720-SI       00e0-fc01-0033  192.168.20.66   normal      as-layer1-1
--------------------------------------------------------------------------------
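With whitelist authentication in use, the display as all output is also where an operator confirms that only the intended ASs have joined the SVF system. The following Python snippet is an added example, not from this page and not a Huawei tool: it parses rows in the table format shown above and compares them with the MACs configured with whitelist mac-address, flagging an online AS that is not whitelisted (a sign that the authentication mode is not whitelist), a whitelisted MAC with no online AS, and any AS whose State is not normal. The sample output, its second row, the fault state string and the extra whitelist entry are constructed; AsEntry, parse_display_as_all, parse_summary and reconcile are names chosen for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the "display as all" output shown above.
# Row 0 reproduces the page's AS; row 1 and its "fault" state are invented
# so that the non-normal and not-whitelisted checks have something to report.
SAMPLE_DISPLAY_AS_ALL = """\
Total: 2, Normal: 1, Fault: 1, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No.  Type           MAC             IP              State       Name
--------------------------------------------------------------------------------
0    S5720-SI       00e0-fc01-0033  192.168.20.66   normal      as-layer1-1
1    S5720-SI       00e0-fc01-0099  192.168.20.67   fault       as-layer1-9
--------------------------------------------------------------------------------
"""

# MACs configured with "whitelist mac-address" on the parent. The first is the
# page's as-layer1-1; the second is a constructed stale entry with no AS online.
WHITELIST = {"00e0-fc01-0033", "00e0-fc01-0055"}

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
ROW_RE = re.compile(rf"^\s*(\d+)\s+(\S+)\s+({MAC})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SUMMARY_RE = re.compile(r"Total:\s*(\d+),\s*Normal:\s*(\d+),\s*Fault:\s*(\d+)")


@dataclass(frozen=True)
class AsEntry:
    index: int
    model: str
    mac: str      # normalised to lower case for comparison with the whitelist
    ip: str
    state: str
    name: str


def parse_display_as_all(text: str) -> list[AsEntry]:
    """Return one AsEntry per table row; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        if m := ROW_RE.match(line):
            idx, model, mac, ip, state, name = m.groups()
            entries.append(AsEntry(int(idx), model, mac.lower(), ip, state, name))
    return entries


def parse_summary(text: str) -> dict[str, int]:
    """Counters from the first line, used to confirm that every row was parsed."""
    m = SUMMARY_RE.search(text)
    if not m:
        return {}
    return {"total": int(m.group(1)), "normal": int(m.group(2)), "fault": int(m.group(3))}


def reconcile(entries: list[AsEntry], whitelist: set[str]) -> list[str]:
    """Compare online ASs with the whitelist; an empty list means everything matches."""
    wl = {mac.lower() for mac in whitelist}
    findings: list[str] = []
    online: set[str] = set()
    for e in entries:
        online.add(e.mac)
        if e.mac not in wl:
            findings.append(f"{e.name} ({e.mac}) is online but not whitelisted: check auth-mode")
        if e.state != "normal":
            findings.append(f"{e.name} ({e.mac}) is in state {e.state}")
    for mac in sorted(wl - online):
        findings.append(f"whitelisted MAC {mac} has no online AS")
    return findings
```

Feed it the captured output of display as all and the set of MACs from the as-auth view; comparing the Total counter with the number of parsed rows guards against a changed output layout silently hiding an AS.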
# Configure an AS administrator profile and bind it to the AS.
[AGG1] uni-mng
[AGG1-um] as-admin-profile name admin_profile1
[AGG1-um-as-admin-admin_profile1] user asuser password YsHsjx_202206
[AGG1-um-as-admin-admin_profile1] quit
[AGG1-um] as-group name admin_group1
[AGG1-um-as-group-admin_group1] as name-include as
[AGG1-um-as-group-admin_group1] as-admin-profile admin_profile1
[AGG1-um-as-group-admin_group1] quit
# Configure a network basic profile and bind it to interfaces of the AS.
[AGG1-um] network-basic-profile name basic_profile_1
[AGG1-um-net-basic-basic_profile_1] user-vlan 50
[AGG1-um-net-basic-basic_profile_1] quit
[AGG1-um] port-group name port_group_1
[AGG1-um-portgroup-port_group_1] as name as-layer1-1 interface GigabitEthernet 0/0/2 to 0/0/3 GigabitEthernet 0/0/5 to 0/0/24 //Exclude GigabitEthernet 0/0/4, which connects to AP1 according to the data plan.
[AGG1-um-portgroup-port_group_1] network-basic-profile basic_profile_1
[AGG1-um-portgroup-port_group_1] quit
# Commit the configurations so that the configurations in service profiles can be delivered to the AS.
[AGG1-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
# Check whether the configurations in service profiles are successfully delivered to the AS.
[AGG1-um] display uni-mng commit-result profile
Result of profile:
--------------------------------------------------------------------------------
AS Name           Commit Time             Commit/Execute Result
--------------------------------------------------------------------------------
as-layer1-1       2019-10-23 05:55:29     Success/Success
--------------------------------------------------------------------------------
[AGG1-um] quit
- Configure wireless services on AGG1 so that AP1 can go online. The configuration on AGG2 is similar.
# Run the port-group connect-ap name command to create an AP port group and bind it to the AS so that APs can go online in the SVF system.
[AGG1] uni-mng
[AGG1-um] port-group connect-ap name ap
[AGG1-um-portgroup-ap-ap] as name as-layer1-1 interface GigabitEthernet 0/0/4 //GigabitEthernet 0/0/4 connects to AP1 according to the data plan.
[AGG1-um-portgroup-ap-ap] quit
[AGG1-um] commit as all
Warning: Committing the configuration will take a long time. Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait...
[AGG1-um] quit
# Create an AP group to add APs with the same configurations to the AP group.
[AGG1] wlan
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and apply the profile to the AP group.
[AGG1-wlan-view] regulatory-domain-profile name domain1
[AGG1-wlan-regulate-domain-domain1] country-code cn
[AGG1-wlan-regulate-domain-domain1] quit
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AGG1-wlan-ap-group-ap-group1] quit
# Add AP1 to the AP group ap-group1 and configure a name for the AP based on its deployment location.
[AGG1-wlan-view] ap auth-mode mac-auth
[AGG1-wlan-view] ap-id 1 ap-mac 00e0-fc12-6660
[AGG1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AGG1-wlan-ap-1] quit
[AGG1-wlan-view] quit
# After powering on AP1, run the display ap all command on AGG1 to check the AP running status. The command output shows that the State field displays nor, indicating that AP1 is in normal state.
[AGG1] display ap all
Total AP information:
nor  : normal          [1]
ExtraInfo : Extra information
P    : insufficient power supply
------------------------------------------------------------------------------------------------------
ID   MAC             Name     Group       IP               Type       State   STA   Uptime   ExtraInfo
------------------------------------------------------------------------------------------------------
1    00e0-fc12-6660  area_1   ap-group1   192.168.20.243   AP6050DN   nor     0     43S      -
------------------------------------------------------------------------------------------------------
- Configure AGG1 so that STAs can go online. The configuration on AGG2 is similar.
# Configure WLAN service parameters, and create security profiles, SSID profiles, and a traffic profile. The security profiles in this example use open authentication; select the security policy based on actual service requirements.
[AGG1] wlan
[AGG1-wlan-view] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] security open
[AGG1-wlan-sec-prof-sec1] quit
[AGG1-wlan-view] ssid-profile name ssid1
[AGG1-wlan-ssid-prof-ssid1] ssid Employee
[AGG1-wlan-ssid-prof-ssid1] quit
[AGG1-wlan-view] security-profile name sec2
[AGG1-wlan-sec-prof-sec2] security open
[AGG1-wlan-sec-prof-sec2] quit
[AGG1-wlan-view] ssid-profile name ssid2
[AGG1-wlan-ssid-prof-ssid2] ssid Guest
[AGG1-wlan-ssid-prof-ssid2] quit
[AGG1-wlan-view] traffic-profile name traff
[AGG1-wlan-traffic-prof-traff] user-isolate l2
[AGG1-wlan-traffic-prof-traff] quit
# Create WLAN VAP profiles, configure the service data forwarding mode and service VLANs, apply security profiles, SSID profiles, and the traffic profile, and enable IPSG, dynamic ARP inspection, and strict STA IP address learning through DHCP.
[AGG1-wlan-view] vap-profile name vap1
[AGG1-wlan-vap-prof-vap1] forward-mode tunnel
[AGG1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG1-wlan-vap-prof-vap1] security-profile sec1
[AGG1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG1-wlan-vap-prof-vap1] traffic-profile traff
[AGG1-wlan-vap-prof-vap1] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap1] quit
[AGG1-wlan-view] vap-profile name vap2
[AGG1-wlan-vap-prof-vap2] forward-mode tunnel
[AGG1-wlan-vap-prof-vap2] service-vlan vlan-id 31
[AGG1-wlan-vap-prof-vap2] security-profile sec2
[AGG1-wlan-vap-prof-vap2] ssid-profile ssid2
[AGG1-wlan-vap-prof-vap2] traffic-profile traff
[AGG1-wlan-vap-prof-vap2] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap2] quit
IP packet check enabled using the ip source check user-bind enable command is based on binding entries. Therefore:
- For DHCP users, enable DHCP snooping on the device to automatically generate dynamic binding entries.
- For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
- The DHCP trusted interface configured on an AP has been disabled using the undo dhcp trust port command in the VAP profile view.
- STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile view.
# Bind VAP profiles to the AP group.
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[AGG1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[AGG1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[AGG1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[AGG1-wlan-ap-group-ap-group1] quit
[AGG1-wlan-view] quit
Verifying the Deployment
Expected Result
Wired and wireless users can access the campus network.
Verification Method
The following uses AGG1 as an example. The verification method on AGG2 is similar.
- Run the following command on AGG1. The command output shows that an AP has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif20 used
  Pool-name        : Vlanif20
  Pool-No          : 0
  Lease            : 1 Days 0 Hours 0 Minutes
  Domain-name      : -
  DNS-server0      : -
  NBNS-server0     : -
  Netbios-type     : -
  Position         : Interface       Status           : Unlocked
  Gateway-0        : -
  Network          : 192.168.20.0
  Mask             : 255.255.255.0
  VPN instance     : --
  Logging          : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total       :254       Used        :2
                     Idle        :252       Expired     :0
                     Conflict    :0         Disabled    :0
  -------------------------------------------------------------------------------------
  Network section
  Start           End             Total  Used  Idle(Expired)  Conflict  Disabled
  -------------------------------------------------------------------------------------
  192.168.20.1    192.168.20.254  254    2     252(0)         0         0
  -------------------------------------------------------------------------------------
  Client-ID format as follows:
  DHCP    : mac-address                 PPPoE   : mac-address
  IPSec   : user-id/portnumber/vrf      PPP     : interface index
  L2TP    : cpu-slot/session-id         SSL-VPN : user-id/session-id
  -------------------------------------------------------------------------------------
  Index   IP              Client-ID         Type    Left      Status
  -------------------------------------------------------------------------------------
  65      192.168.20.66   00e0-fc12-4455    DHCP    74620     Used
  242     192.168.20.243  00e0-fc12-4400    DHCP    83235     Used
  -------------------------------------------------------------------------------------
  -------------------------------------------------------------------------------------
- Run the following command on AGG1. The command outputs show that a wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
  Pool-name        : Vlanif50
  Pool-No          : 3
  Lease            : 1 Days 0 Hours 0 Minutes
  Domain-name      : -
  DNS-server0      : 192.168.11.2
  NBNS-server0     : -
  Netbios-type     : -
  Position         : Interface       Status           : Unlocked
  Gateway-0        : -
  Network          : 172.16.50.0
  Mask             : 255.255.255.0
  VPN instance     : --
  Logging          : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total       :254       Used        :1
                     Idle        :253       Expired     :0
                     Conflict    :0         Disabled    :0
  -------------------------------------------------------------------------------------
  Network section
  Start           End             Total  Used  Idle(Expired)  Conflict  Disabled
  -------------------------------------------------------------------------------------
  172.16.50.1     172.16.50.254   254    1     253(0)         0         0
  -------------------------------------------------------------------------------------
  Client-ID format as follows:
  DHCP    : mac-address                 PPPoE   : mac-address
  IPSec   : user-id/portnumber/vrf      PPP     : interface index
  L2TP    : cpu-slot/session-id         SSL-VPN : user-id/session-id
  -------------------------------------------------------------------------------------
  Index   IP              Client-ID         Type    Left      Status
  -------------------------------------------------------------------------------------
  231     172.16.50.232   00e0-fc12-3344    DHCP    82799     Used
  -------------------------------------------------------------------------------------
  -------------------------------------------------------------------------------------
- Wired and wireless users can communicate with each other.
# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
  PING 192.168.11.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=62 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=62 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=62 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=62 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=62 time=1 ms

  --- 192.168.11.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
# After a wireless user connects to AP1, you can view information about the wireless user on AGG1.
[AGG1] display station ssid Employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC          AP ID   Ap name        Rf/WLAN   Band   Type   Rx/Tx      RSSI   VLAN   IP address
-----------------------------------------------------------------------------------------------
00e0-fc12-3388   1       area_1         1/1       5G     11n    107/72     -58    30     172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# PC1 can ping the wireless user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
 ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
 ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
 ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
 description connect to AGG1
 port link-type trunk
 port trunk allow-pass vlan 70
 mode lacp
#
interface Eth-Trunk20
 port link-type trunk
 port trunk allow-pass vlan 80
 mode lacp
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 172.16.70.0 0.0.0.255
  network 172.16.80.0 0.0.0.255
  network 192.168.11.0 0.0.0.255
#
return
# AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
stp mode rstp
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 31
 dhcp snooping enable
vlan 50
 dhcp snooping enable
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
 dhcp server option 43 ip-address 192.168.21.1
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif31
 ip address 172.16.31.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif70
 ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
 description connect to CORE
 port link-type trunk
 port trunk allow-pass vlan 70
 mode lacp
#
interface Eth-Trunk30
 port link-type hybrid
 port hybrid tagged vlan 1 20 50
 stp root-protection
 stp edged-port disable
 mode lacp
 mad relay
#
interface GigabitEthernet0/0/3
 eth-trunk 30
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet1/0/3
 eth-trunk 30
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
interface XGigabitEthernet0/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/0/1
 eth-trunk 10
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 172.16.50.0 0.0.0.255
  network 172.16.70.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.31.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
 traffic-profile name traff
  user-isolate l2
 security-profile name sec1
  security open
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid Employee
 ssid-profile name ssid2
  ssid Guest
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 31
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group1
#
as-auth
 whitelist mac-address 00e0-fc01-0033
#
uni-mng
 as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0033
  interface fabric-port 1
   port member-group interface Eth-Trunk 30
 as-admin-profile name admin_profile1
  user asuser password %^%#sq5k3X.(.$5$SNQ$c%lMO&+13%>0}:$k#+2rG-06%^%#
 network-basic-profile name basic_profile_1
  user-vlan 50
 as-group name admin_group1
  as-admin-profile admin_profile1
  as name as-layer1-1
 port-group name port_group_1
  network-basic-profile basic_profile_1
  as name as-layer1-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
 port-group connect-ap name ap
  as name as-layer1-1 interface GigabitEthernet 0/0/3
#
return
# AGG2 configuration file
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
stp mode rstp
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
 dhcp snooping enable
vlan 41
 dhcp snooping enable
vlan 60
 dhcp snooping enable
#
interface Vlanif21
 ip address 192.168.21.1 255.255.255.0
 dhcp select interface
 dhcp server option 43 ip-address 192.168.21.1
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif41
 ip address 172.16.41.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif80
 ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
 description connect to CORE
 port link-type trunk
 port trunk allow-pass vlan 80
#
interface Eth-Trunk40
 port link-type hybrid
 port hybrid tagged vlan 1 21 60
 stp root-protection
 stp edged-port disable
 mode lacp
 mad relay
#
interface GigabitEthernet0/0/3
 eth-trunk 40
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet1/0/3
 eth-trunk 40
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
interface XGigabitEthernet0/0/1
 eth-trunk 20
#
interface XGigabitEthernet1/0/1
 eth-trunk 20
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 172.16.60.0 0.0.0.255
  network 172.16.80.0 0.0.0.255
  network 192.168.21.0 0.0.0.255
  network 192.168.40.0 0.0.0.255
  network 192.168.41.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
 traffic-profile name traff
  user-isolate l2
 security-profile name sec1
  security open
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid Employee
 ssid-profile name ssid2
  ssid Guest
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 41
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 regulatory-domain-profile name domain2
 ap-group name ap-group2
  regulatory-domain-profile domain2
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
  ap-name area_2
  ap-group ap-group2
#
as-auth
 whitelist mac-address 00e0-fc01-0044
#
uni-mng
 as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0044
  interface fabric-port 2
   port member-group interface Eth-Trunk 40
 as-admin-profile name admin_profile2
  user asuser password %^%#3Ag*%O5C-!I90O"cF.vRg;LU'.]J02Uy7z>I:yhB%^%#
 network-basic-profile name basic_profile_2
  user-vlan 60
 as-group name admin_group2
  as-admin-profile admin_profile2
  as name as-layer1-2
 port-group name port_group_2
  network-basic-profile basic_profile_2
  as name as-layer1-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
 port-group connect-ap name ap
  as name as-layer1-2 interface GigabitEthernet 0/0/3
#
return
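The AGG1 and AGG2 files above pair `dhcp snooping enable` on each wireless service VLAN with `ip source check user-bind enable` and `arp anti-attack check user-bind enable` in the VAP profiles, because those two checks validate client traffic against the binding table that DHCP snooping builds. As an added example (not part of this page or of any Huawei tool), the Python checker below parses a constructed excerpt in the same VRP layout and reports any VAP profile whose service VLAN lacks snooping or whose profile lacks either check; `SAMPLE_CONFIG`, `parse_vrp`, `audit` and the failing profile `vap9` are all constructed for the illustration.

```python
import re
# Constructed VRP-style excerpt modelled on the AGG1 file above (not verbatim);
# vap9 is a hypothetical VAP that lacks the user-bind checks and uses VLAN 32.
SAMPLE_CONFIG = """\
vlan 30
 dhcp snooping enable
#
wlan
 vap-profile name vap1
  service-vlan vlan-id 30
  ip source check user-bind enable
  arp anti-attack check user-bind enable
 vap-profile name vap9
  service-vlan vlan-id 32
#
return
"""
VAP_FLAGS = {"ip source check user-bind enable": "ipsg",
             "arp anti-attack check user-bind enable": "arp_check"}

def parse_vrp(text):
    """Return (snooping_vlans, vaps): VLANs with DHCP snooping and per-VAP settings."""
    snooping, vaps, vlan, vap = set(), {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", raw):              # unindented VLAN block
            vlan, vap = int(m.group(1)), None
        elif m := re.fullmatch(r"vap-profile name (\S+)", line):
            vap, vlan = m.group(1), None
            vaps[vap] = {"vlan": None, "ipsg": False, "arp_check": False}
        elif not raw.startswith(" "):                          # any other top-level line
            vlan = vap = None
        elif line == "dhcp snooping enable" and vlan is not None:
            snooping.add(vlan)
        elif vap and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", line)):
            vaps[vap]["vlan"] = int(m.group(1))
        elif vap and line in VAP_FLAGS:
            vaps[vap][VAP_FLAGS[line]] = True
    return snooping, vaps

def audit(text):
    """Per-VAP findings: user-bind checks need DHCP snooping bindings on the service VLAN."""
    snooping, vaps = parse_vrp(text)
    findings = {}
    for name, v in vaps.items():
        issues = [f"{cmd} missing" for cmd, key in VAP_FLAGS.items() if not v[key]]
        if v["vlan"] not in snooping:
            issues.append(f"service VLAN {v['vlan']} has no dhcp snooping enable")
        findings[name] = issues
    return findings
```

Running `audit` over a saved `display current-configuration` dump gives an empty list for every VAP when the pairing shown in the AGG1 and AGG2 files is intact.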