Native AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data. Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth. In addition, aggregation switches are configured with the native AC function to manage APs and transmit wireless service traffic on the entire network, implementing wired and wireless convergence.
In this example, aggregation switches set up stacks that function as gateways for wired and wireless users on the entire network and are responsible for routing and forwarding of user services.
Device Requirements and Versions
Location | Device Requirement | Device Used in This Example | Version Used in This Example |
---|---|---|---|
Core layer | - | S12700E | V200R019C10 |
Aggregation layer | | S5731-H | |
Access layer | - | S5735-L | |
AP | - | AP6050DN | V200R019C00 |
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved |
---|---|---|
1 | Configure CSS, stacking, MAD, and uplink and downlink Eth-Trunk interfaces on switches. | Core and aggregation switches |
2 | Configure interfaces and VLANs on switches to implement Layer 2 communication. | Core, aggregation, and access switches |
3 | Configure VLANIF interfaces on switches and assign IP addresses to the VLANIF interfaces. | Core and aggregation switches |
4 | Configure DHCP on switches so that the switches function as DHCP servers to assign IP addresses to wired and wireless users. | Aggregation switches |
5 | Configure routing on switches to implement Layer 3 communication. | Core and aggregation switches |
6 | Configure wireless services on switches so that APs and STAs can go online. | Aggregation switches |
Data Plan
Item | VLAN ID | Network Segment |
---|---|---|
Network segment for communication with AGG1 | VLAN 70 | 172.16.70.0/24 |
Network segment for communication with AGG2 | VLAN 80 | 172.16.80.0/24 |
Network segment for communication with servers | VLAN 1000 | 192.168.100.0/24 |

Device | Item | VLAN ID | Network Segment |
---|---|---|---|
AGG1 | Management VLAN for APs | VLAN 20 | 192.168.20.0/24 |
AGG1 | Service VLANs for wireless users | VLAN 30 (employee) | 172.16.30.0/24 |
AGG1 | Service VLANs for wireless users | VLAN 31 (guest) | 172.16.31.0/24 |
AGG1 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24 |
AGG1 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24 |
AGG2 | Management VLAN for APs | VLAN 21 | 192.168.21.0/24 |
AGG2 | Service VLANs for wireless users | VLAN 40 (employee) | 172.16.40.0/24 |
AGG2 | Service VLANs for wireless users | VLAN 41 (guest) | 172.16.41.0/24 |
AGG2 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24 |
AGG2 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24 |

Item | AGG1 Data | AGG2 Data |
---|---|---|
Traffic profile | traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. | |
Security profiles | | |
SSID profiles | | |
AP group | ap-group1 | ap-group2 |
Regulatory domain profile | domain1 | domain2 |
VAP profiles | | |
Deployment Precautions
It is not recommended that VLAN 1 be used as the management VLAN or a service VLAN. Remove all interfaces from VLAN 1. Allow an interface to transparently transmit packets from a VLAN based on actual service requirements. Do not allow an interface to transparently transmit packets from all VLANs.
In tunnel forwarding mode, the management VLAN and service VLAN must be different. Otherwise, MAC address flapping will occur, leading to a packet forwarding error. The network between the AC and APs needs to permit only packets tagged with the management VLAN ID and deny packets tagged with the service VLAN ID.
- In tunnel forwarding mode, service packets from APs are encapsulated in CAPWAP data tunnels and transmitted to the AC. The AC then forwards the packets to the upper-layer network. Therefore, service packets and management packets can be transmitted properly when the interfaces that connect the AC to APs are added to the management VLAN and the interface that connects the AC to the upper-layer network is added to a service VLAN.
Procedure
- Configure CSS on core switches and stacking on aggregation switches, and configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see Typical CSS and Stack Deployment.
- Configure interfaces and VLANs on CORE.
# Create VLANs.
[CORE] vlan batch 70 80 1000
# Configure an Eth-Trunk interface for connecting to AGG1. The configuration of the Eth-Trunk interface for connecting to AGG2 is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description connect to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] quit
# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit
- Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
<AGG1> system-view
[AGG1] vlan batch 20 30 31 50 70
# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 70
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] quit
# Configure a downlink interface for connecting to ACC1.
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] mode lacp
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] port-isolate enable
[AGG1-Eth-Trunk30] quit
- Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
[ACC1] vlan batch 20 50
# Configure an uplink interface for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] quit
# Configure downlink interfaces connected to PC1 and AP1, and configure the interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 50
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] port link-type access
[ACC1-GigabitEthernet0/0/4] port default vlan 20
[ACC1-GigabitEthernet0/0/4] port-isolate enable
[ACC1-GigabitEthernet0/0/4] stp edged-port enable
[ACC1-GigabitEthernet0/0/4] quit
- Configure VLANIF interfaces on CORE and assign IP addresses to the VLANIF interfaces.
# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit
# Create Layer 3 interface VLANIF 80 for connecting to AGG2.
[CORE] interface vlanif 80
[CORE-Vlanif80] ip address 172.16.80.1 255.255.255.0
[CORE-Vlanif80] quit
# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.100.1 255.255.255.0
[CORE-Vlanif1000] quit
- Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit
# Create VLANIF 20 for wireless management and configure AGG1 to assign IP addresses to APs from the interface address pool.
[AGG1] interface vlanif 20
[AGG1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[AGG1-Vlanif20] dhcp select interface
[AGG1-Vlanif20] quit
# Create Layer 3 interfaces VLANIF 30 and VLANIF 31 for wireless services and configure AGG1 to assign IP addresses to STAs from the interface address pools.
[AGG1] interface vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.100.2  //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable  //Enable intra-VLAN proxy ARP in a service VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC. Determine whether to configure this command based on actual requirements.
[AGG1-Vlanif30] quit
[AGG1] interface vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.100.2
[AGG1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable
[AGG1-Vlanif31] quit
# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.100.2
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable
[AGG1-Vlanif50] quit
# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG1] interface vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit
- Configure routing on core and aggregation switches to implement Layer 3 communication. You can configure a routing protocol based on actual requirements. In this example, OSPF is used.
# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.80.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 192.168.100.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
# Configure OSPF on AGG1. The configuration on AGG2 is similar.
[AGG1] ospf 1 router-id 2.2.2.2
[AGG1-ospf-1] area 0
[AGG1-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.31.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] quit
[AGG1-ospf-1] quit
- Configure wireless services on AGG1 so that AP1 can go online. The configuration on AGG2 is similar.
# Configure the AC's source interface.
[AGG1] capwap source interface vlanif 20
# Create an AP group to add APs with the same configurations to the AP group.
[AGG1] wlan
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and apply the profile to the AP group.
[AGG1-wlan-view] regulatory-domain-profile name domain1
[AGG1-wlan-regulate-domain-domain1] country-code cn
[AGG1-wlan-regulate-domain-domain1] quit
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AGG1-wlan-ap-group-ap-group1] quit
# Add AP1 to the AP group ap-group1 and configure a name for the AP based on its deployment location.
[AGG1-wlan-view] ap auth-mode mac-auth
[AGG1-wlan-view] ap-id 1 ap-mac 00e0-fc12-4400
[AGG1-wlan-ap-1] ap-name area_1
[AGG1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
[AGG1-wlan-ap-1] quit
[AGG1-wlan-view] quit
# After powering on AP1, run the display ap all command on AGG1 to check the AP running status. The command output shows that the State field displays nor, indicating that AP1 is in normal state.
[AGG1] display ap all
Total AP information:
nor  : normal          [1]
ExtraInfo : Extra information
P  : insufficient power supply
-----------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type      State STA Uptime ExtraInfo
-----------------------------------------------------------------------------------------------------
1    00e0-fc12-4400 area_1 ap-group1 192.168.20.43 AP6050DN  nor   0   4S     -
-----------------------------------------------------------------------------------------------------
- Configure AGG1 so that STAs can go online. The configuration on AGG2 is similar.
# Configure WLAN service parameters, and create security profiles, SSID profiles, and a traffic profile.
[AGG1] wlan
[AGG1-wlan-view] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] security open
[AGG1-wlan-sec-prof-sec1] quit
[AGG1-wlan-view] ssid-profile name ssid1
[AGG1-wlan-ssid-prof-ssid1] ssid Employee
[AGG1-wlan-ssid-prof-ssid1] quit
[AGG1-wlan-view] security-profile name sec2
[AGG1-wlan-sec-prof-sec2] security open
[AGG1-wlan-sec-prof-sec2] quit
[AGG1-wlan-view] ssid-profile name ssid2
[AGG1-wlan-ssid-prof-ssid2] ssid Guest
[AGG1-wlan-ssid-prof-ssid2] quit
[AGG1-wlan-view] traffic-profile name traff
[AGG1-wlan-traffic-prof-traff] user-isolate l2
[AGG1-wlan-traffic-prof-traff] quit
# Create VAP profiles, configure the service data forwarding mode and service VLANs, apply security profiles, SSID profiles, and the traffic profile, and enable IPSG, dynamic ARP inspection, and strict STA IP address learning through DHCP.
[AGG1-wlan-view] vap-profile name vap1
[AGG1-wlan-vap-prof-vap1] forward-mode tunnel
[AGG1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG1-wlan-vap-prof-vap1] security-profile sec1
[AGG1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG1-wlan-vap-prof-vap1] traffic-profile traff
[AGG1-wlan-vap-prof-vap1] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap1] quit
[AGG1-wlan-view] vap-profile name vap2
[AGG1-wlan-vap-prof-vap2] forward-mode tunnel
[AGG1-wlan-vap-prof-vap2] service-vlan vlan-id 31
[AGG1-wlan-vap-prof-vap2] security-profile sec2
[AGG1-wlan-vap-prof-vap2] ssid-profile ssid2
[AGG1-wlan-vap-prof-vap2] traffic-profile traff
[AGG1-wlan-vap-prof-vap2] ip source check user-bind enable
[AGG1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[AGG1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[AGG1-wlan-vap-prof-vap2] quit
IP packet check enabled using the ip source check user-bind enable command is based on binding entries. Therefore:
- For DHCP users, enable DHCP snooping on the device to automatically generate dynamic binding entries.
- For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
- The DHCP trusted interface configured on an AP has been disabled using the undo dhcp trust port command in the VAP profile view.
- STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile view.
# Bind VAP profiles to the AP group.
[AGG1-wlan-view] ap-group name ap-group1
[AGG1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[AGG1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[AGG1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[AGG1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[AGG1-wlan-ap-group-ap-group1] quit
[AGG1-wlan-view] quit
Verifying the Deployment
Expected Result
Wired and wireless users can access the campus network.
Verification Method
The following uses AGG1 as an example. The verification method on AGG2 is similar.
- Run the following command on AGG1. The command output shows that an AP has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif20 used
  Pool-name        : Vlanif20
  Pool-No          : 0
  Lease            : 1 Days 0 Hours 0 Minutes
  Domain-name      : -
  DNS-server0      : -
  NBNS-server0     : -
  Netbios-type     : -
  Position         : Interface
  Status           : Unlocked
  Gateway-0        : -
  Network          : 192.168.20.0
  Mask             : 255.255.255.0
  VPN instance     : --
  Logging          : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total       :254       Used        :1
                     Idle        :253       Expired     :0
                     Conflict    :0         Disabled    :0
 -------------------------------------------------------------------------------------
  Network section
         Start           End       Total    Used Idle(Expired) Conflict Disabled
 -------------------------------------------------------------------------------------
    192.168.20.1  192.168.20.254     254       1        253(0)        0        0
 -------------------------------------------------------------------------------------
  Client-ID format as follows:
    DHCP  : mac-address               PPPoE   : mac-address
    IPSec : user-id/portnumber/vrf    PPP     : interface index
    L2TP  : cpu-slot/session-id       SSL-VPN : user-id/session-id
 -------------------------------------------------------------------------------------
  Index              IP             Client-ID       Type       Left   Status
 -------------------------------------------------------------------------------------
     42   192.168.20.43        00e0-fc12-4400       DHCP      85890   Used
 -------------------------------------------------------------------------------------
 -------------------------------------------------------------------------------------
- Run the following command on AGG1. The command output shows that a wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
  Pool-name        : Vlanif50
  Pool-No          : 2
  Lease            : 1 Days 0 Hours 0 Minutes
  Domain-name      : -
  DNS-server0      : 192.168.100.2
  NBNS-server0     : -
  Netbios-type     : -
  Position         : Interface
  Status           : Unlocked
  Gateway-0        : -
  Network          : 172.16.50.0
  Mask             : 255.255.255.0
  VPN instance     : --
  Logging          : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total       :254       Used        :1
                     Idle        :253       Expired     :0
                     Conflict    :0         Disabled    :0
 -------------------------------------------------------------------------------------
  Network section
         Start           End       Total    Used Idle(Expired) Conflict Disabled
 -------------------------------------------------------------------------------------
     172.16.50.1   172.16.50.254     254       1        253(0)        0        0
 -------------------------------------------------------------------------------------
  Client-ID format as follows:
    DHCP  : mac-address               PPPoE   : mac-address
    IPSec : user-id/portnumber/vrf    PPP     : interface index
    L2TP  : cpu-slot/session-id       SSL-VPN : user-id/session-id
 -------------------------------------------------------------------------------------
  Index              IP             Client-ID       Type       Left   Status
 -------------------------------------------------------------------------------------
    173   172.16.50.174        00e0-fc12-3344       DHCP      86380   Used
 -------------------------------------------------------------------------------------
 -------------------------------------------------------------------------------------
- Wired and wireless users can communicate with each other.
# AP1 can ping a device in the server zone.
<area_1> ping 192.168.100.2
  PING 192.168.100.2: 56 data bytes, press CTRL_C to break
    Reply from 192.168.100.2: bytes=56 Sequence=1 ttl=62 time=1 ms
    Reply from 192.168.100.2: bytes=56 Sequence=2 ttl=62 time=10 ms
    Reply from 192.168.100.2: bytes=56 Sequence=3 ttl=62 time=1 ms
    Reply from 192.168.100.2: bytes=56 Sequence=4 ttl=62 time=1 ms
    Reply from 192.168.100.2: bytes=56 Sequence=5 ttl=62 time=1 ms

  --- 192.168.100.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/10 ms
# After a wireless user connects to AP1, you can view information about the wireless user on AGG1.
[AGG1] display station ssid Employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC         AP ID Ap name  Rf/WLAN  Band  Type  Rx/Tx    RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------------
00e0-fc12-4477  1     area_1   1/1      5G    11n   144/133  -47   30    172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# PC1 can ping the wireless user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
 ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
 ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
 ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
 description connect to AGG1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 70
 mode lacp
#
interface Eth-Trunk20
 description connect to AGG2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 80
 mode lacp
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 172.16.70.0 0.0.0.255
  network 172.16.80.0 0.0.0.255
  network 192.168.100.0 0.0.0.255
#
return
# AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 31
 dhcp snooping enable
vlan 50
 dhcp snooping enable
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.100.2
#
interface Vlanif31
 ip address 172.16.31.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.100.2
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.100.2
#
interface Vlanif70
 ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
 description connect to CORE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 70
 mode lacp
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
 mode lacp
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 eth-trunk 30
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet1/0/3
 eth-trunk 30
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
interface XGigabitEthernet0/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/0/1
 eth-trunk 10
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 172.16.30.0 0.0.0.255
  network 172.16.31.0 0.0.0.255
  network 172.16.50.0 0.0.0.255
  network 172.16.70.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
 traffic-profile name traff
  user-isolate l2
 security-profile name sec1
  security open
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid Employee
 ssid-profile name ssid2
  ssid Guest
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 31
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 1 type-id 30 ap-mac 00e0-fc12-4400 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group1
#
return
# AGG2 configuration file
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
 dhcp snooping enable
vlan 41
 dhcp snooping enable
vlan 60
 dhcp snooping enable
#
interface Vlanif21
 ip address 192.168.21.1 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.100.2
#
interface Vlanif41
 ip address 172.16.41.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.100.2
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.100.2
#
interface Vlanif80
 ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
 description connect to CORE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 80
 mode lacp
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21 60
 mode lacp
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 eth-trunk 40
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet1/0/3
 eth-trunk 40
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
interface XGigabitEthernet0/0/1
 eth-trunk 20
#
interface XGigabitEthernet1/0/1
 eth-trunk 20
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 172.16.40.0 0.0.0.255
  network 172.16.41.0 0.0.0.255
  network 172.16.60.0 0.0.0.255
  network 172.16.80.0 0.0.0.255
  network 192.168.21.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
 traffic-profile name traff
  user-isolate l2
 security-profile name sec1
  security open
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid Employee
 ssid-profile name ssid2
  ssid Guest
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 41
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 regulatory-domain-profile name domain2
 ap-group name ap-group2
  regulatory-domain-profile domain2
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 2 type-id 56 ap-mac 00e0-fc12-3390 ap-sn 21500829352SGA900583
  ap-name area_2
  ap-group ap-group2
#
return
# ACC1 configuration file
#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 30
#
interface GigabitEthernet0/0/2
 eth-trunk 30
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 50
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 stp edged-port enable
 port-isolate enable group 1
#
return
# ACC2 configuration file
#
sysname ACC2
#
vlan batch 21 60
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21 60
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 40
#
interface GigabitEthernet0/0/2
 eth-trunk 40
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 60
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 21
 stp edged-port enable
 port-isolate enable group 1
#
return
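The rules in Deployment Precautions (VLAN 1 removed from trunks, no trunk passing all VLANs, management VLAN separate from tunnel-mode service VLANs and kept off the AC-to-AP links) and the note that the ip source check user-bind enable check depends on DHCP snooping binding entries can be checked against a saved configuration file. The following Python linter is an added example, not part of the original guide or of any vendor tool; the function names and finding codes are its own, and the sample is a constructed excerpt modelled on the AGG1 file.

```python
import re

def expand_vlans(spec):
    """Expand a VRP VLAN list such as '20 30 to 31 50' into a set of ints."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Collect the trunk, DHCP snooping, CAPWAP and VAP settings the checks need."""
    cfg = {"mgmt_vlan": None, "snoop_vlans": set(), "ifs": {}, "vaps": {}}
    ctx = (None, None)  # (kind, name) of the block the current line belongs to
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "#"):
            ctx = (None, None)
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I):
            cfg["mgmt_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("if", m.group(1))
            cfg["ifs"][ctx[1]] = {"trunk": False, "no_vlan1": False, "all": False, "allow": set()}
        elif m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"([\w-]+) name (\S+)", line):  # a WLAN profile starts
            ctx = ("vap", m.group(2)) if m.group(1) == "vap-profile" else (None, None)
            if ctx[0] == "vap":
                cfg["vaps"][ctx[1]] = {"tunnel": False, "vlan": None, "ipsg": False}
        elif ctx[0] == "if":
            itf = cfg["ifs"][ctx[1]]
            itf["trunk"] |= line == "port link-type trunk"
            itf["no_vlan1"] |= line == "undo port trunk allow-pass vlan 1"
            itf["all"] |= line == "port trunk allow-pass vlan all"
            if re.fullmatch(r"port trunk allow-pass vlan [\d to]+", line):
                itf["allow"] |= expand_vlans(line.split("vlan ", 1)[1])
        elif ctx[0] == "vlan" and line == "dhcp snooping enable":
            cfg["snoop_vlans"].add(ctx[1])
        elif ctx[0] == "vap":
            vap = cfg["vaps"][ctx[1]]
            if m := re.fullmatch(r"service-vlan vlan-id (\d+)", line):
                vap["vlan"] = int(m.group(1))
            vap["tunnel"] |= line == "forward-mode tunnel"
            vap["ipsg"] |= line == "ip source check user-bind enable"
    return cfg

def audit(cfg):
    """Return (code, object) findings for the precautions named in the lead-in."""
    mgmt, findings = cfg["mgmt_vlan"], []
    tunnel_vlans = {v["vlan"] for v in cfg["vaps"].values() if v["tunnel"]}
    for name, itf in cfg["ifs"].items():
        checks = {
            "TRUNK_VLAN1": not itf["no_vlan1"],
            "TRUNK_ALL_VLANS": itf["all"],
            # AC-to-AP links carry the management VLAN, not tunnelled service VLANs
            "SERVICE_VLAN_ON_AP_LINK": mgmt in itf["allow"] and bool(itf["allow"] & tunnel_vlans),
        }
        findings += [(code, name) for code, hit in checks.items() if hit and itf["trunk"]]
    for name, vap in cfg["vaps"].items():
        if vap["tunnel"] and vap["vlan"] == mgmt:
            findings.append(("MGMT_EQUALS_SERVICE_VLAN", name))
        if vap["ipsg"] and vap["vlan"] not in cfg["snoop_vlans"]:
            findings.append(("IPSG_WITHOUT_DHCP_SNOOPING", name))
    return findings

# Constructed sample (not a captured device file), laid out like the AGG1 configuration
SAMPLE_OK = """\
vlan 30
 dhcp snooping enable
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
#
capwap source interface vlanif20
#
wlan
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ip source check user-bind enable
"""

if __name__ == "__main__":
    print(audit(parse_config(SAMPLE_OK)))
```

IPSG_WITHOUT_DHCP_SNOOPING is a prompt to review rather than a definite fault, because users with static IP addresses rely on manually configured static binding entries instead.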