Native AC + SVF Solution: the Parent Containing Core Switches Functions as the Gateway for Wired and Wireless Users
Networking Requirements
Core switches set up a cluster switch system (CSS) that functions as the core of the campus network, providing high reliability and the forwarding capacity the campus needs. The core switches also run the native AC function, so they manage the APs and carry wireless service traffic for the entire network; wired and wireless access converge on the same devices.
Aggregation switches set up stacks for device-level backup and to increase interface density and forwarding bandwidth.
A large number of widely distributed wired and wireless access devices have to be managed. To manage and configure them centrally and reduce management cost, Super Virtual Fabric (SVF) is deployed: core, aggregation, and access switches set up one SVF system in which the CSS of core switches is the parent and the aggregation and access switches are access switches (ASs). The parent manages and configures the ASs centrally.
In this example, the CSS of core switches is the gateway for all wired and wireless users and performs routing and forwarding of user services for the entire network.
Device Requirements and Versions
Location | Device Requirement | Device Used in This Example | Version Used in This Example
---|---|---|---
Core layer | | S12700E | V200R019C10
Aggregation layer | - | S5731-H | 
Access layer | - | S5735-L | 
AP | - | AP6050DN | V200R019C00
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
---|---|---
1 | Configure CSS and stacking on switches. | Core and aggregation switches
2 | Configure interfaces and VLANs on switches to implement Layer 2 communication. | Core switches
3 | Configure DHCP on the CSS so that the CSS functions as the DHCP server to assign IP addresses to wired and wireless users. | Core switches
4 | Configure the CSS of core switches as the parent to set up an SVF system with level-1 and level-2 ASs. | Core, aggregation, and access switches
5 | Configure wireless services on core switches so that APs and STAs can go online. | Core switches
Data Plan
Item | VLAN ID | Network Segment
---|---|---
Management VLAN | VLAN 20 | 192.168.20.0/24
Service VLANs for wireless users | VLAN 30 | 172.16.30.0/24
 | VLAN 40 | 172.16.40.0/24
Service VLAN for a wired user (PC1) | VLAN 50 | 172.16.50.0/24
Service VLAN for a wired user (PC2) | VLAN 60 | 172.16.60.0/24
Network segment for communication with servers | VLAN 1000 | 192.168.11.0/24
Item | Data
---|---
AP group | ap-group
Regulatory domain profile | domain
SSID profiles | ssid1, ssid2
VAP profiles | vap1, vap2 (the data forwarding mode in both VAP profiles is tunnel forwarding)
Item | Data
---|---
Parent | CSS of two S12700E switches
Parent's cards connected to ASs | X1E cards of the same type in slot 1 of the two CSS member switches
MAC addresses of ASs and APs | as-layer1-1: 00e0-fc00-0011; as-layer1-2: 00e0-fc00-0022; as-layer2-1: 00e0-fc00-0033; as-layer2-2: 00e0-fc00-0044; AP1: 00e0-fc12-6660; AP2: 00e0-fc12-6670
Management VLAN of the SVF system | VLAN 20
IP address of the management VLANIF interface | 192.168.20.1/24
Parent's interfaces connected to as-layer1-1 | XGE1/1/0/1 and XGE2/1/0/2. Add the interfaces to Eth-Trunk 10 and bind Eth-Trunk 10 to fabric port 1.
Parent's interfaces connected to as-layer1-2 | XGE1/1/0/2 and XGE2/1/0/1. Add the interfaces to Eth-Trunk 20 and bind Eth-Trunk 20 to fabric port 2.
as-layer1-1's interfaces connected to as-layer2-1 | GE0/0/3 and GE1/0/3. Add the interfaces to Eth-Trunk 30 and bind Eth-Trunk 30 to fabric port 3.
as-layer1-2's interfaces connected to as-layer2-2 | GE0/0/3 and GE1/0/3. Add the interfaces to Eth-Trunk 40 and bind Eth-Trunk 40 to fabric port 4.
as-layer2-1's interface connected to AP1 | GE0/0/3. Add the interface to an AP port group.
as-layer2-2's interface connected to AP2 | GE0/0/3. Add the interface to an AP port group.
AS authentication mode | Whitelist authentication
Service configuration of an AS administrator profile | Administrator profile admin_profile, in which the administrator user name and password are configured; AS group admin_group, which includes all ASs; bind admin_profile to admin_group.
Service configuration of AS network basic profiles | Network basic profiles basic_profile_1 and basic_profile_2, which allow VLAN 50 and VLAN 60 respectively to pass through (pass-vlan); basic_profile_3 and basic_profile_4, which set VLAN 50 and VLAN 60 respectively as the user VLAN (user-vlan). Port groups port_group_1 and port_group_2, which include all downlink interfaces of as-layer1-1 and as-layer1-2 respectively; port_group_3 and port_group_4, which include all downlink interfaces of as-layer2-1 and as-layer2-2 respectively except GigabitEthernet 0/0/3 connected to an AP. Bind basic_profile_1 to port_group_1, basic_profile_2 to port_group_2, basic_profile_3 to port_group_3, and basic_profile_4 to port_group_4.
Deployment Precautions
It is not recommended that VLAN 1 be used as the management VLAN or a service VLAN. Remove all interfaces from VLAN 1. Allow an interface to transparently transmit packets from a VLAN based on actual service requirements. Do not allow an interface to transparently transmit packets from all VLANs.
In tunnel forwarding mode, the management VLAN and service VLAN must be different. Otherwise, MAC address flapping will occur, leading to a packet forwarding error. The network between the AC and APs needs to permit only packets tagged with the management VLAN ID and deny packets tagged with the service VLAN ID.
- In tunnel forwarding mode, service packets from APs are encapsulated in CAPWAP data tunnels and transmitted to the AC. The AC then forwards the packets to the upper-layer network. Therefore, service packets and management packets can be transmitted properly when the interfaces that connect the AC to APs are added to the management VLAN and the interface that connects the AC to the upper-layer network is added to a service VLAN.
When an AS goes online, it must be unconfigured (has no startup configuration file) and has no input on the console interface. Before connecting an AS to an SVF system, you are advised to remove the cable on the console interface.
Each AS can be a stack of up to five member devices. The members are normally of the same model and may provide the same or different numbers of interfaces. Devices of the same series but different models can also form a stack that joins as one AS; in that case, run the slot command to change the preconfigured device model.
Each AS has a unique management MAC address. By default, the device MAC address is used as the management MAC address. In this case, you can view the MAC address on the MAC address label attached to the device. To specify the management MAC address of an AS, run the as access manage-mac command.
If an AS is a stack and its name and MAC address were preconfigured on the parent before the AS connected to the SVF system, you are advised to set up the stack before the AS goes online and to configure the preconfigured MAC address as the management MAC address of the AS. When preconfiguring the name and MAC address, use the MAC address of the stack master switch; the management MAC address of the AS then matches the preconfigured address by default and does not need to be configured. Likewise, if you configure the name and MAC address of the AS only after it has gone online and connected to the SVF system, no management MAC address needs to be configured.
If switches whose downlink service interfaces can be configured as stack member interfaces set up a stack through these interfaces, the switches cannot join an SVF system as ASs.
If downlink service interfaces of an AS are configured as member interfaces of an uplink fabric port, all the downlink interfaces of the AS cannot be configured as stack member interfaces.
When replacing a faulty AS, pay attention to the following points:
The AS can be replaced with only a device of the same model. If the new device is of a different model, it joins the SVF system as a new AS and does not inherit services of the replaced AS.
Only a standalone AS can be replaced. If an AS is a stack, it cannot be replaced.
To ensure that the new AS can be authenticated, either run the whitelist mac-address command to add the management MAC address of the new AS to the whitelist, or run the auth-mode none command to disable AS authentication. Prefer the whitelist: with none authentication, any switch attached to a fabric port is accepted as an AS. If the new AS has no management MAC address configured, its system MAC address is used as the management MAC address.
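The precautions above can be checked mechanically against a saved configuration. The following Python script is an added example, not part of this page or of Huawei's product: it parses VRP-style configuration text (indentation marks sub-views) and reports interfaces that carry VLAN 1, VAP profiles in tunnel forwarding mode whose service VLAN equals the management VLAN taken from capwap source interface, service VLANs without dhcp snooping enable, and VAP profiles that lack the ip source check, arp anti-attack check and learn-client-address dhcp-strict commands this example applies. The configuration text embedded in the script is constructed to resemble this page's data plan with two planted faults; the function names, check set and message wording are the example's own assumptions.

```python
# Added example (not Huawei code): lint a VRP-style configuration against the
# SVF/native AC deployment precautions above. The sample text is constructed.
import re
from collections import defaultdict

# Constructed excerpt in the style of the "Configuration Files" section; one
# leading space per sub-view level. Planted faults: Eth-Trunk20 allows every
# VLAN (including VLAN 1) and vap2 reuses management VLAN 20 as its service
# VLAN under tunnel forwarding, without the VAP hardening commands.
SAMPLE_CONFIG = """\
dhcp enable
dhcp snooping enable
vlan 30
 dhcp snooping enable
interface Eth-Trunk10
 port link-type hybrid
 port hybrid tagged vlan 1 20 50
interface Eth-Trunk20
 port link-type trunk
 port trunk allow-pass vlan all
capwap source interface vlanif20
wlan
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 20
"""

# VAP-profile commands the page applies alongside tunnel forwarding.
HARDENING = {"ip source check user-bind enable",
             "arp anti-attack check user-bind enable",
             "learn-client-address dhcp-strict"}
PORT_VLAN_RE = re.compile(
    r"^port (?:hybrid (?:tagged|untagged)|trunk allow-pass) vlan (.+)$")

def parse_vrp(text):
    """Yield (enclosing_views, command); indentation depth selects the view."""
    stack = []
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        stack = stack[:depth]          # leave deeper and sibling views
        yield tuple(stack), cmd
        stack.append(cmd)

def expand_vlans(spec):
    """'1 20 50' -> {1,20,50}; '2 to 4094' -> that range; 'all' -> 1..4094."""
    toks = spec.split()
    if toks == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            vlans.update(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(toks[i]))
            i += 1
    return vlans

def lint(config_text):
    """Return one finding string per violated precaution."""
    findings, mgmt_vlan, snooping = [], None, set()
    vaps = defaultdict(lambda: {"flags": set()})
    for views, cmd in parse_vrp(config_text):
        view = views[-1] if views else ""
        m = re.match(r"capwap source interface vlanif\s*(\d+)$", cmd, re.I)
        if m:
            mgmt_vlan = int(m.group(1))
        elif cmd == "dhcp snooping enable" and view.startswith("vlan "):
            snooping.add(int(view.split()[1]))
        elif view.startswith("interface "):
            m = PORT_VLAN_RE.match(cmd)
            if m and 1 in expand_vlans(m.group(1)):
                findings.append(f"{view}: carries VLAN 1 ({cmd})")
        elif view.startswith("vap-profile name "):
            vap = vaps[view.split()[-1]]
            if cmd.startswith("forward-mode "):
                vap["forward"] = cmd.split()[-1]
            elif cmd.startswith("service-vlan vlan-id "):
                vap["vlan"] = int(cmd.split()[-1])
            elif cmd in HARDENING:
                vap["flags"].add(cmd)
    for name, vap in sorted(vaps.items()):
        if vap.get("forward") != "tunnel":   # checks below are tunnel-mode specific
            continue
        svlan = vap.get("vlan")
        if svlan is not None and svlan == mgmt_vlan:
            findings.append(f"vap-profile {name}: service VLAN {svlan} is the "
                            "management VLAN; MAC flapping expected in tunnel mode")
        if svlan is not None and svlan not in snooping:
            findings.append(f"vap-profile {name}: no 'dhcp snooping enable' under "
                            f"vlan {svlan}; IPSG/DAI have no binding entries")
        for flag in sorted(HARDENING - vap["flags"]):
            findings.append(f"vap-profile {name}: missing '{flag}'")
    return findings
```

To use it on a real device, save the output of display current-configuration to a file and pass its contents to lint() in place of SAMPLE_CONFIG. Note that this page's own configuration file shows Eth-Trunk10 with port hybrid tagged vlan 1 20 50; the script reports such a line and leaves it to the operator to decide whether it is acceptable on a fabric-port member.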
Procedure
- Configure CSS on core switches and stacking on aggregation switches, and configure MAD on the switches.
For details, see Typical CSS and Stack Deployment.
- Configure interfaces and VLANs on CORE.
# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000
# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit
- Configure DHCP on CORE so that CORE functions as a DHCP server to assign IP addresses to wired and wireless users.
# Enable DHCP globally and enable DHCP snooping in the service VLANs. The DHCP snooping binding entries generated here are what the ip source check and arp anti-attack check commands in the VAP profiles (configured later) rely on.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 30
[CORE-vlan30] dhcp snooping enable
[CORE-vlan30] quit
[CORE] vlan 40
[CORE-vlan40] dhcp snooping enable
[CORE-vlan40] quit
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit
# Create VLANIF 20 for wireless management and configure CORE to assign IP addresses to APs from the interface address pool.
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-Vlanif20] dhcp select interface
[CORE-Vlanif20] dhcp server option 43 ip-address 192.168.20.1 //Send the parent's IP address to ASs so that they establish CAPWAP links with only this address.
[CORE-Vlanif20] quit
# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and configure CORE to assign IP addresses to STAs from the interface address pools.
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-Vlanif30] dhcp select interface
[CORE-Vlanif30] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-Vlanif40] dhcp select interface
[CORE-Vlanif40] quit
# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and configure CORE to assign IP addresses to wired terminals from the interface address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] quit
# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit
[CORE] quit
- Configure CORE as the parent to set up an SVF system with level-1 and level-2 ASs.
# Activate the license of the SVF system.
<CORE> license active xxxxxx.dat
# Set the STP mode to STP or RSTP.
<CORE> system-view
[CORE] stp mode rstp
# Configure the source interface of the CAPWAP tunnel.
[CORE] capwap source interface vlanif 20
# (Optional) Preconfigure the names of ASs. The MAC addresses specified in the following commands are the management MAC addresses of the ASs.
If you skip this step, the system generates the AS information when ASs connect to the SVF system and names each AS in the format system default name-system MAC address.
If you perform this step, ensure that the configured model and mac-address are the same as the actual AS information. The value of mac-address must be the management or system MAC address of an AS. To view the management MAC address of an AS, run the display as access configuration command on the AS. If the management MAC address is displayed as --, set mac-address to the system MAC address when configuring the AS name. If the parameter settings are different from the actual AS information, the AS cannot go online.
[CORE] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be triggered and service traffic will be affected. Continue? [Y/N]:y
[CORE-um] as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc00-0011 //Level-1 AS
[CORE-um-as-as-layer1-1] quit
[CORE-um] as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc00-0022 //Level-1 AS
[CORE-um-as-as-layer1-2] quit
[CORE-um] as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc00-0033 //Level-2 AS
[CORE-um-as-as-layer2-1] quit
[CORE-um] as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc00-0044 //Level-2 AS
[CORE-um-as-as-layer2-2] quit
# Configure fabric ports that connect the parent to level-1 ASs.
[CORE-um] interface fabric-port 1
[CORE-um-fabric-port-1] port member-group interface Eth-Trunk 10
[CORE-um-fabric-port-1] quit
[CORE-um] quit
[CORE] interface xgigabitethernet 1/1/0/1
[CORE-XGigabitEthernet1/1/0/1] eth-trunk 10
[CORE-XGigabitEthernet1/1/0/1] quit
[CORE] interface xgigabitethernet 2/1/0/2
[CORE-XGigabitEthernet2/1/0/2] eth-trunk 10
[CORE-XGigabitEthernet2/1/0/2] quit
[CORE] uni-mng
[CORE-um] interface fabric-port 2
[CORE-um-fabric-port-2] port member-group interface Eth-Trunk 20
[CORE-um-fabric-port-2] quit
[CORE-um] quit
[CORE] interface xgigabitethernet 1/1/0/2
[CORE-XGigabitEthernet1/1/0/2] eth-trunk 20
[CORE-XGigabitEthernet1/1/0/2] quit
[CORE] interface xgigabitethernet 2/1/0/1
[CORE-XGigabitEthernet2/1/0/1] eth-trunk 20
[CORE-XGigabitEthernet2/1/0/1] quit
# Configure fabric ports that connect level-1 ASs to level-2 ASs.
[CORE] uni-mng
[CORE-um] as name as-layer1-1
[CORE-um-as-as-layer1-1] down-direction fabric-port 3 member-group interface Eth-Trunk 30
[CORE-um-as-as-layer1-1] port Eth-Trunk 30 trunkmember interface GigabitEthernet 0/0/3 GigabitEthernet 1/0/3 //One member interface on each stack member of as-layer1-1, as in the data plan
[CORE-um-as-as-layer1-1] quit
[CORE-um] as name as-layer1-2
[CORE-um-as-as-layer1-2] down-direction fabric-port 4 member-group interface Eth-Trunk 40
[CORE-um-as-as-layer1-2] port Eth-Trunk 40 trunkmember interface GigabitEthernet 0/0/3 GigabitEthernet 1/0/3
[CORE-um-as-as-layer1-2] quit
[CORE-um] quit
# Configure whitelist authentication for ASs to connect to the SVF system.
To view the management MAC address of an AS, run the display as access configuration command on the AS. If the management MAC address is displayed as --, the MAC address configured in the whitelist is the system MAC address of the AS. Otherwise, the MAC address configured in the whitelist is the management MAC address of the AS.
[CORE] as-auth
[CORE-as-auth] undo auth-mode
[CORE-as-auth] whitelist mac-address 00e0-fc00-0011
[CORE-as-auth] whitelist mac-address 00e0-fc00-0022
[CORE-as-auth] whitelist mac-address 00e0-fc00-0033
[CORE-as-auth] whitelist mac-address 00e0-fc00-0044
[CORE-as-auth] quit
# Clear the configuration of AGG1 and restart AGG1. The SVF system can then be set up. The configurations of AGG2, ACC1, and ACC2 are similar to the configuration of AGG1.
Before restarting an AS, check whether the interface that connects the AS to the parent is a downlink interface. To view all downlink interfaces on the AS, run the display port connection-type access all command on the AS. If this interface is a downlink interface, run the uni-mng up-direction fabric-port command in the user view on the AS to configure this interface as a member interface of an uplink fabric port before restarting the AS. Otherwise, the AS cannot go online. To check whether the interface has been configured as a member interface of an uplink fabric port, run the display uni-mng up-direction fabric-port command on the AS.
<AGG1> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
<AGG1> reboot
# After the ASs have restarted, run the display as all command on the parent. All four ASs are shown in the normal state.
[CORE] display as all
Total: 4, Normal: 4, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No.  Type       MAC             IP              State    Name
--------------------------------------------------------------------------------
0    S5720-SI   00e0-fc00-0011  192.168.20.254  normal   as-layer1-1
1    S5720-SI   00e0-fc00-0022  192.168.20.253  normal   as-layer1-2
2    S5720-SI   00e0-fc00-0033  192.168.20.252  normal   as-layer2-1
3    S5720-SI   00e0-fc00-0044  192.168.20.251  normal   as-layer2-2
--------------------------------------------------------------------------------
# Configure an AS administrator profile and bind it to all ASs. The user name and password in the profile are used to log in to the ASs; the password below is only an example and must be replaced with a strong one.
[CORE] uni-mng
[CORE-um] as-admin-profile name admin_profile
[CORE-um-as-admin-admin_profile] user asuser password hello@123
[CORE-um-as-admin-admin_profile] quit
[CORE-um] as-group name admin_group
[CORE-um-as-group-admin_group] as name-include as
[CORE-um-as-group-admin_group] as-admin-profile admin_profile
[CORE-um-as-group-admin_group] quit
# Configure network basic profiles and bind them to interfaces of ASs.
[CORE-um] network-basic-profile name basic_profile_1
[CORE-um-net-basic-basic_profile_1] pass-vlan 50
[CORE-um-net-basic-basic_profile_1] quit
[CORE-um] network-basic-profile name basic_profile_2
[CORE-um-net-basic-basic_profile_2] pass-vlan 60
[CORE-um-net-basic-basic_profile_2] quit
[CORE-um] network-basic-profile name basic_profile_3
[CORE-um-net-basic-basic_profile_3] user-vlan 50
[CORE-um-net-basic-basic_profile_3] quit
[CORE-um] network-basic-profile name basic_profile_4
[CORE-um-net-basic-basic_profile_4] user-vlan 60
[CORE-um-net-basic-basic_profile_4] quit
[CORE-um] port-group name port_group_1
[CORE-um-portgroup-port_group_1] as name as-layer1-1 interface all
[CORE-um-portgroup-port_group_1] network-basic-profile basic_profile_1
[CORE-um-portgroup-port_group_1] quit
[CORE-um] port-group name port_group_2
[CORE-um-portgroup-port_group_2] as name as-layer1-2 interface all
[CORE-um-portgroup-port_group_2] network-basic-profile basic_profile_2
[CORE-um-portgroup-port_group_2] quit
[CORE-um] port-group name port_group_3
[CORE-um-portgroup-port_group_3] as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_3] network-basic-profile basic_profile_3
[CORE-um-portgroup-port_group_3] quit
[CORE-um] port-group name port_group_4
[CORE-um-portgroup-port_group_4] as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_4] network-basic-profile basic_profile_4
[CORE-um-portgroup-port_group_4] quit
# Commit the configurations so that the configurations in service profiles can be delivered to ASs.
[CORE-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
# Run the display uni-mng commit-result profile command to check whether the configurations in service profiles have been delivered to ASs successfully.
[CORE-um] display uni-mng commit-result profile
--------------------------------------------------------------------------------
AS Name            Commit Time              Commit/Execute Result
--------------------------------------------------------------------------------
as-layer1-1        2019-10-16 08:55:25      Success/Success
as-layer1-2        2019-10-16 08:55:25      Success/Success
as-layer2-1        2019-10-16 08:55:25      Success/Success
as-layer2-2        2019-10-16 08:55:25      Success/Success
--------------------------------------------------------------------------------
- Configure wireless services on CORE so that APs can go online.
# Run the port-group connect-ap name command to create an AP port group and bind it to ASs so that APs can go online in the SVF system.
[CORE-um] port-group connect-ap name ap
[CORE-um-portgroup-ap-ap] as name as-layer2-1 interface GigabitEthernet 0/0/3
[CORE-um-portgroup-ap-ap] as name as-layer2-2 interface GigabitEthernet 0/0/3
[CORE-um-portgroup-ap-ap] quit
[CORE-um] commit as all
Warning: Committing the configuration will take a long time. Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait...
[CORE-um] quit
# Create an AP group to add APs with the same configurations to the AP group.
[CORE] wlan
[CORE-wlan-view] ap-group name ap-group
[CORE-wlan-ap-group-ap-group] quit
# Create a regulatory domain profile, configure a country code in the profile, and apply the profile to the AP group.
[CORE-wlan-view] regulatory-domain-profile name domain
[CORE-wlan-regulate-domain-domain] country-code cn
[CORE-wlan-regulate-domain-domain] quit
[CORE-wlan-view] ap-group name ap-group
[CORE-wlan-ap-group-ap-group] regulatory-domain-profile domain
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[CORE-wlan-ap-group-ap-group] quit
# Add target APs to the AP group and configure names for the APs based on their deployment locations.
[CORE-wlan-view] ap auth-mode mac-auth
[CORE-wlan-view] ap-id 1 ap-mac 00e0-fc12-6660
[CORE-wlan-ap-1] ap-name area_1
[CORE-wlan-ap-1] ap-group ap-group
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-1] quit
[CORE-wlan-view] ap-id 2 ap-mac 00e0-fc12-6670
[CORE-wlan-ap-2] ap-name area_2
[CORE-wlan-ap-2] ap-group ap-group
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-wlan-ap-2] quit
[CORE-wlan-view] quit
# After powering on the APs, run the display ap all command on CORE to check the AP running status. The command output shows that the State field displays nor, indicating that the APs go online normally.
[CORE] display ap all
Total AP information:
nor  : normal          [2]
ExtraInfo : Extra information
P    : insufficient power supply
----------------------------------------------------------------------------------------------------------
ID   MAC             Name     Group     IP              Type       State   STA   Uptime        ExtraInfo
----------------------------------------------------------------------------------------------------------
1    00e0-fc12-6660  area_1   ap-group  192.168.20.220  AP6050DN   nor     0     14H:32M:47S   -
2    00e0-fc12-6670  area_2   ap-group  192.168.20.163  AP6050DN   nor     0     1M:40S        -
----------------------------------------------------------------------------------------------------------
- Configure CORE so that STAs can go online.
# Configure WLAN service parameters. The security profiles sec1 and sec2 are created here without a security policy, which leaves the SSIDs with the default (open) policy; configure a security policy such as WPA2-PSK or 802.1X in the security profile view before production use. The user-isolate l2 command in the traffic profiles stops STAs on the same SSID from reaching each other at Layer 2.
[CORE] wlan
[CORE-wlan-view] security-profile name sec1
[CORE-wlan-sec-prof-sec1] quit
[CORE-wlan-view] ssid-profile name ssid1
[CORE-wlan-ssid-prof-ssid1] ssid test01
[CORE-wlan-ssid-prof-ssid1] quit
[CORE-wlan-view] traffic-profile name traff1
[CORE-wlan-traffic-prof-traff1] user-isolate l2
[CORE-wlan-traffic-prof-traff1] quit
[CORE-wlan-view] security-profile name sec2
[CORE-wlan-sec-prof-sec2] quit
[CORE-wlan-view] ssid-profile name ssid2
[CORE-wlan-ssid-prof-ssid2] ssid test02
[CORE-wlan-ssid-prof-ssid2] quit
[CORE-wlan-view] traffic-profile name traff2
[CORE-wlan-traffic-prof-traff2] user-isolate l2
[CORE-wlan-traffic-prof-traff2] quit
# Create WLAN VAP profiles, set tunnel forwarding and the service VLAN, apply the security, SSID and traffic profiles, and enable IP source guard (ip source check user-bind enable), dynamic ARP inspection (arp anti-attack check user-bind enable) and strict DHCP-based STA IP address learning (learn-client-address dhcp-strict). With these three commands, a STA whose IP/MAC pair does not match a DHCP snooping binding entry cannot send IP or ARP traffic through the VAP.
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] forward-mode tunnel
[CORE-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-wlan-vap-prof-vap1] security-profile sec1
[CORE-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-wlan-vap-prof-vap1] traffic-profile traff1
[CORE-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] forward-mode tunnel
[CORE-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-wlan-vap-prof-vap2] security-profile sec2
[CORE-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-wlan-vap-prof-vap2] quit
IP packet check enabled using the ip source check user-bind enable command is based on binding entries. Therefore:
- For DHCP users, enable DHCP snooping on the device to automatically generate dynamic binding entries.
- For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
- The DHCP trusted interface configured on an AP has been disabled using the undo dhcp trust port command in the VAP profile view.
- STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile view.
# Bind VAP profiles to the AP group.
[CORE-wlan-view] ap-group name ap-group
[CORE-wlan-ap-group-ap-group] vap-profile vap1 wlan 1 radio 0
[CORE-wlan-ap-group-ap-group] vap-profile vap2 wlan 2 radio 0
[CORE-wlan-ap-group-ap-group] vap-profile vap1 wlan 1 radio 1
[CORE-wlan-ap-group-ap-group] vap-profile vap2 wlan 2 radio 1
[CORE-wlan-ap-group-ap-group] quit
[CORE-wlan-view] quit
Verifying the Deployment
Expected Result
Wired and wireless users can access the campus network.
Verification Method
- Run the following command on CORE. The command output shows that ASs and APs have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif20 used
  Pool-name      : Vlanif20
  Pool-No        : 0
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Interface        Status           : Unlocked
  Gateway-0      : -
  Network        : 192.168.20.0
  Mask           : 255.255.255.0
  VPN instance   : --
  Logging        : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total       :254      Used        :6
                     Idle        :252      Expired     :0
                     Conflict    :0        Disabled    :0
  -------------------------------------------------------------------------------------
         Network section
     Start           End             Total  Used  Idle(Expired)  Conflict  Disabled
  -------------------------------------------------------------------------------------
     192.168.20.1    192.168.20.254  254    5     252(0)         0         0
  -------------------------------------------------------------------------------------
  Client-ID format as follows:
  DHCP    : mac-address              PPPoE   : mac-address
  IPSec   : user-id/portnumber/vrf   PPP     : interface index
  L2TP    : cpu-slot/session-id      SSL-VPN : user-id/session-id
  -------------------------------------------------------------------------------------
  Index   IP               Client-ID        Type    Left    Status
  -------------------------------------------------------------------------------------
  162     192.168.20.163   00e0-fc12-6670   DHCP    82322   Used
  219     192.168.20.220   00e0-fc12-6660   DHCP    77430   Used
  250     192.168.20.251   00e0-fc00-0044   DHCP    80403   Used
  251     192.168.20.252   00e0-fc00-0033   DHCP    79523   Used
  252     192.168.20.253   00e0-fc00-0022   DHCP    79893   Used
  253     192.168.20.254   00e0-fc00-0011   DHCP    80002   Used
  -------------------------------------------------------------------------------------
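The whitelist step and the display as all check in the procedure establish which switches may join the SVF system, and the pool output above lists every device that obtained an address on the management VLAN, whether or not it was expected. The following Python script is an added example, not Huawei code or output captured from this deployment: it parses configuration lines in the format of the as name, whitelist mac-address and ap-id ... ap-mac commands, the rows of display as all, and the lease rows of display ip pool interface vlanif20 used, then reports preconfigured AS MAC addresses missing from the whitelist, online ASs that are not whitelisted or not in the normal state, and management-VLAN leases held by a MAC address that belongs to neither an AS nor a known AP. All three input texts are constructed for the example; the as-layer2-2 preconfiguration with 00e0-fc01-0044 and the lease held by 00e0-fc99-0099 are planted discrepancies, and the function names are the example's own.

```python
# Added example (not Huawei code): reconcile the SVF parent's whitelist and AS
# preconfiguration with what it reports online and what the management-VLAN
# DHCP pool has handed out. All input texts below are constructed.
import re

MAC = r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
IP = r"(\d+(?:\.\d+){3})"
AS_ROW_RE = re.compile(r"^\s*\d+\s+\S+\s+" + MAC + r"\s+" + IP
                       + r"\s+(\S+)\s+(\S+)\s*$")
LEASE_ROW_RE = re.compile(r"^\s*\d+\s+" + IP + r"\s+" + MAC
                          + r"\s+(\S+)\s+\d+\s+(\S+)\s*$")

# Constructed parent configuration; as-layer2-2 is preconfigured under a MAC
# that differs from the whitelisted one, so that AS could never authenticate.
PARENT_CONFIG = """\
uni-mng
 as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc00-0011
 as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc00-0022
 as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc00-0033
 as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0044
as-auth
 whitelist mac-address 00e0-fc00-0011
 whitelist mac-address 00e0-fc00-0022
 whitelist mac-address 00e0-fc00-0033
 whitelist mac-address 00e0-fc00-0044
wlan
 ap-id 1 ap-mac 00e0-fc12-6660
 ap-id 2 ap-mac 00e0-fc12-6670
"""

# Constructed 'display as all' output in the page's format.
DISPLAY_AS = """\
Total: 4, Normal: 4, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No.  Type       MAC             IP              State    Name
--------------------------------------------------------------------------------
0    S5720-SI   00e0-fc00-0011  192.168.20.254  normal   as-layer1-1
1    S5720-SI   00e0-fc00-0022  192.168.20.253  normal   as-layer1-2
2    S5720-SI   00e0-fc00-0033  192.168.20.252  normal   as-layer2-1
3    S5720-SI   00e0-fc00-0044  192.168.20.251  normal   as-layer2-2
--------------------------------------------------------------------------------
"""

# Constructed lease table of the management VLAN pool; the lease held by
# 00e0-fc99-0099 belongs to neither an AS nor an AP and is the planted
# unexpected device on the management VLAN.
POOL_USED = """\
  Index   IP               Client-ID        Type    Left    Status
  ------------------------------------------------------------------
  17      192.168.20.18    00e0-fc99-0099   DHCP    86000   Used
  162     192.168.20.163   00e0-fc12-6670   DHCP    82322   Used
  219     192.168.20.220   00e0-fc12-6660   DHCP    77430   Used
  250     192.168.20.251   00e0-fc00-0044   DHCP    80403   Used
  251     192.168.20.252   00e0-fc00-0033   DHCP    79523   Used
  252     192.168.20.253   00e0-fc00-0022   DHCP    79893   Used
  253     192.168.20.254   00e0-fc00-0011   DHCP    80002   Used
  ------------------------------------------------------------------
"""

def macs_after(text, keyword):
    """Every MAC that directly follows `keyword`, e.g. 'whitelist mac-address'."""
    return {m.group(1) for m in re.finditer(re.escape(keyword) + r"\s+" + MAC, text)}

def parse_display_as(text):
    """'display as all' rows -> list of (mac, ip, state, name)."""
    return [m.groups() for m in map(AS_ROW_RE.match, text.splitlines()) if m]

def parse_pool_leases(text):
    """'display ip pool ... used' rows -> list of (ip, mac, type, status)."""
    return [m.groups() for m in map(LEASE_ROW_RE.match, text.splitlines()) if m]

def audit(config_text, display_as_text, pool_text):
    """Return findings: whitelist gaps, unauthorized or abnormal ASs, unexpected leases."""
    whitelist = macs_after(config_text, "whitelist mac-address")
    preconfigured = {m.group(1) for m in re.finditer(
        r"as name \S+ model \S+ mac-address " + MAC, config_text)}
    authorized = whitelist | macs_after(config_text, "ap-mac")
    findings = []
    for mac in sorted(preconfigured - whitelist):
        findings.append(f"preconfigured AS MAC {mac} is not whitelisted; that AS cannot authenticate")
    for mac, ip, state, name in parse_display_as(display_as_text):
        if mac not in whitelist:
            findings.append(f"AS {name} ({mac}, {ip}) is online but not in the whitelist")
        if state != "normal":
            findings.append(f"AS {name} ({mac}) is in state {state}")
    for ip, mac, kind, status in parse_pool_leases(pool_text):
        if status == "Used" and mac not in authorized:
            findings.append(f"unexpected {kind} lease {ip} held by {mac} on the management VLAN")
    return findings
```

In practice, feed audit() the relevant parts of display current-configuration and the two display outputs captured from the parent. A lease on the management VLAN for an unknown MAC address deserves attention because the interface address pool answers any DHCP client in VLAN 20, not only ASs and APs.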
- Run the following commands on CORE. The command outputs show that wired users have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif50 used
  Pool-name      : Vlanif50
  Pool-No        : 3
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Interface        Status           : Unlocked
  Gateway-0      : -
  Network        : 172.16.50.0
  Mask           : 255.255.255.0
  VPN instance   : --
  Logging        : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total       :254      Used        :1
                     Idle        :253      Expired     :0
                     Conflict    :0        Disabled    :0
  -------------------------------------------------------------------------------------
         Network section
     Start           End             Total  Used  Idle(Expired)  Conflict  Disabled
  -------------------------------------------------------------------------------------
     172.16.50.1     172.16.50.254   254    1     253(0)         0         0
  -------------------------------------------------------------------------------------
  Client-ID format as follows:
  DHCP    : mac-address              PPPoE   : mac-address
  IPSec   : user-id/portnumber/vrf   PPP     : interface index
  L2TP    : cpu-slot/session-id      SSL-VPN : user-id/session-id
  -------------------------------------------------------------------------------------
  Index   IP               Client-ID        Type    Left    Status
  -------------------------------------------------------------------------------------
  202     172.16.50.203    00e0-fc03-0011   DHCP    75074   Used
  -------------------------------------------------------------------------------------
[CORE] display ip pool interface vlanif60 used
  Pool-name      : Vlanif60
  Pool-No        : 4
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Interface        Status           : Unlocked
  Gateway-0      : -
  Network        : 172.16.60.0
  Mask           : 255.255.255.0
  VPN instance   : --
  Logging        : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total       :254      Used        :1
                     Idle        :253      Expired     :0
                     Conflict    :0        Disabled    :0
  -------------------------------------------------------------------------------------
         Network section
     Start           End             Total  Used  Idle(Expired)  Conflict  Disabled
  -------------------------------------------------------------------------------------
     172.16.60.1     172.16.60.254   254    1     253(0)         0         0
  -------------------------------------------------------------------------------------
  Client-ID format as follows:
  DHCP    : mac-address              PPPoE   : mac-address
  IPSec   : user-id/portnumber/vrf   PPP     : interface index
  L2TP    : cpu-slot/session-id      SSL-VPN : user-id/session-id
  -------------------------------------------------------------------------------------
  Index   IP               Client-ID        Type    Left    Status
  -------------------------------------------------------------------------------------
  132     172.16.60.133    00e0-fc03-0022   DHCP    85899   Used
  -------------------------------------------------------------------------------------
- Wired and wireless users can communicate with each other.
# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
  PING 192.168.11.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=63 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=63 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=63 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=63 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=63 time=1 ms
  --- 192.168.11.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
# After a wireless user connects to AP1, you can view information about the wireless user on CORE.
[CORE] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name       Rf/WLAN  Band  Type  Rx/Tx     RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------------
00e0-fc12-3388   2      area_2        1/1      5G    11ac  117/115   -71   30    172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1                  2.4G: 0                  5G: 1
# PC1 can ping the wireless user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Configuration Files
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
dhcp enable
#
dhcp snooping enable
#
drop-profile default
#
vlan 30
 dhcp snooping enable
vlan 40
 dhcp snooping enable
vlan 50
 dhcp snooping enable
vlan 60
 dhcp snooping enable
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
 dhcp server option 43 ip-address 192.168.20.1
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 dhcp select interface
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
 dhcp select interface
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 dhcp select interface
#
interface Vlanif1000
 ip address 192.168.11.254 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk10
 port link-type hybrid
 port hybrid tagged vlan 1 20 50
 stp root-protection
 stp edged-port disable
 mode lacp
 loop-detection disable
 mad relay
#
interface Eth-Trunk20
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
capwap source interface vlanif20
#
wlan
 traffic-profile name traff1
  user-isolate l2
 traffic-profile name default
 security-profile name sec1
 security-profile name default
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name ssid1
  ssid test01
 ssid-profile name ssid2
  ssid test02
 ssid-profile name default
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name default
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name domain
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
 ap-group name ap-group
  regulatory-domain-profile domain
 ap-group name ap-group1
  radio 0
   vap-profile vap1 wlan 1
  radio 1
   vap-profile vap1 wlan 1
 ap-id 1 type-id 30 ap-mac 00e0-fc12-4400 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group
 provision-ap
 wlan work-group default
#
as-auth
 undo auth-mode
 whitelist mac-address 00e0-fc00-0011
 whitelist mac-address 00e0-fc00-0022
 whitelist mac-address 00e0-fc00-0033
 whitelist mac-address 00e0-fc00-0044
#
uni-mng
 as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0011
  down-direction fabric-port 1 member-group interface Eth-Trunk 30
   port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
 as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0022
  down-direction fabric-port 1 member-group interface Eth-Trunk 40
   port Eth-Trunk 10 trunkmember interface GigabitEthernet0/0/4
 as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0033
 as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0044
 interface fabric-port 1
  port member-group interface Eth-Trunk 10
 interface fabric-port 2
  port member-group interface Eth-Trunk 20
 interface fabric-port 3
  port member-group interface Eth-Trunk 30
 interface fabric-port 4
  port member-group interface Eth-Trunk 40
 as-admin-profile name admin_profile
  user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
 network-basic-profile name basic_profile_1
  pass-vlan 50
 network-basic-profile name basic_profile_2
  pass-vlan 60
 network-basic-profile name basic_profile_3
  pass-vlan 50
 network-basic-profile name basic_profile_4
  pass-vlan 60
 as-group name admin_group
  as-admin-profile admin_profile
  as name as-layer1-1
  as name as-layer1-2
  as name as-layer2-1
  as name as-layer2-2
 port-group name port_group_1
  network-basic-profile basic_profile_1
  as name as-layer1-1 interface all
 port-group name port_group_2
  network-basic-profile basic_profile_2
  as name as-layer1-2 interface all
 port-group name port_group_3
  network-basic-profile basic_profile_3
  as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
 port-group name port_group_4
  network-basic-profile basic_profile_4
  as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
 port-group connect-ap name ap
  as name as-layer2-1 interface GigabitEthernet 0/0/3
  as name as-layer2-2 interface GigabitEthernet 0/0/3
#
return
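The protections that matter in the CORE configuration above are easy to lose when VLANs or VAP profiles are added later: DHCP snooping is enabled per VLAN (30, 40, 50, 60) because wireless traffic is tunnelled to the parent and wired user VLANs pass through it, and each VAP binds IP Source Guard and ARP anti-attack to the snooping table with strict DHCP address learning. The following Python script is an added example (not Huawei's code and not part of this configuration guide) that parses a VRP-style configuration in the format shown above and reports where those settings are missing. SAMPLE_CONFIG is a constructed extract, not the page's full configuration, with some settings deliberately omitted so that the audit has findings to show.

```python
"""Audit a Huawei VRP-style configuration (the format of the file above) for the
user-VLAN protections this example relies on: DHCP snooping on every VLAN that
carries users, and IPSG/DAI plus strict DHCP address learning on every VAP that
is bound to a radio. Added example, not Huawei's code; SAMPLE_CONFIG is a
constructed extract in the page's format with settings deliberately left out so
that the audit has findings to report."""
import re

SAMPLE_CONFIG = """\
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 40
 dhcp snooping enable
vlan 50
 dhcp snooping enable
#
wlan
 security-profile name sec1
 traffic-profile name traff1
 vap-profile name vap1
  service-vlan vlan-id 30
  security-profile sec1
  traffic-profile traff1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  service-vlan vlan-id 40
  security-profile sec2
  traffic-profile traff2
  ip source check user-bind enable
  learn-client-address dhcp-strict
 ap-group name ap-group1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
#
uni-mng
 network-basic-profile name basic_profile_1
  pass-vlan 50
 network-basic-profile name basic_profile_2
  pass-vlan 60
#
return
"""

# Per-VAP lines that tie each wireless client's IP/MAC to its DHCP snooping binding.
REQUIRED_VAP_LINES = (
    "ip source check user-bind enable",
    "arp anti-attack check user-bind enable",
    "learn-client-address dhcp-strict",
)


def parse(text):
    """Return (top_level_lines, blocks); blocks maps a header line to every line
    nested under it. VRP indents one space per level and separates sections with '#'."""
    top, blocks, stack = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            stack = []
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if not stack:
            top.append(line)
        for _, header in stack:
            blocks[header].append(line)
        stack.append((indent, line))
        blocks.setdefault(line, [])
    return top, blocks


def audit(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    top, blocks = parse(text)
    findings = []
    if "dhcp snooping enable" not in top:
        findings.append("global: dhcp snooping enable missing")
    snooped = {int(h[5:]) for h in top
               if re.fullmatch(r"vlan \d+", h) and "dhcp snooping enable" in blocks[h]}
    # VAP service VLANs are tunnelled to the parent; pass-vlans carry wired users from ASs.
    for header, lines in blocks.items():
        if header.startswith(("vap-profile name ", "network-basic-profile name ")):
            for line in lines:
                m = re.fullmatch(r"(?:service-vlan vlan-id|pass-vlan) (\d+)", line)
                if m and int(m.group(1)) not in snooped:
                    findings.append(f"vlan {m.group(1)} ({header}): dhcp snooping enable missing")
    # Only VAPs bound to a radio in an ap-group actually serve clients.
    bound = {m.group(1) for h, ls in blocks.items() if h.startswith("ap-group name ")
             for l in ls if (m := re.fullmatch(r"vap-profile (\S+) wlan \d+", l))}
    defined = {h for h in blocks if re.match(r"(security|traffic|ssid)-profile name ", h)}
    for name in sorted(bound):
        header = f"vap-profile name {name}"
        lines = blocks.get(header)
        if lines is None:
            findings.append(f"{header}: bound to a radio but not defined")
            continue
        findings += [f"{header}: {req} missing" for req in REQUIRED_VAP_LINES if req not in lines]
        for line in lines:
            m = re.fullmatch(r"((?:security|traffic|ssid)-profile) (\S+)", line)
            if m and f"{m.group(1)} name {m.group(2)}" not in defined:
                findings.append(f"{header}: references undefined {m.group(1)} {m.group(2)}")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run against the output of display current-configuration saved to a file, the script reports one line per gap: a user VLAN without dhcp snooping enable, a radio-bound VAP missing one of the three binding checks, or a VAP that references a security or traffic profile that was never created. Profiles that exist but are not bound to any radio (such as the default VAP profile) are skipped on purpose, since they carry no clients.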