Example for Configuring Basic WLAN Services on a Large-Scale Network
Configuration Process
Different WLAN features and functions are configured and maintained in different types of profiles, collectively called WLAN profiles: the regulatory domain profile, radio profile, VAP profile, AP system profile, AP wired port profile, WIDS profile, WDS profile, and so on. To configure a WLAN service function, set its parameters in the corresponding WLAN profile, then bind the profile to an AP group or to an individual AP; the configuration is delivered to the AP and takes effect there. Because the profiles reference one another, you need to understand the logical relationships between them before you start configuring. For the profile relationships and the basic configuration process, see WLAN Service Configuration Process.
Networking Requirements
As shown in Figure 4-37, on the existing network of a large enterprise, the aggregation switch Switch_B connects downstream to the access switch Switch_A and upstream to the Router. The enterprise wants to deploy a WLAN with as few changes to the existing network architecture as possible.
- In the reception hall of the office building, deploy a wireless network with the SSID guest to provide wireless access for visiting customers.
- In the office area, deploy a wireless network with the SSID employee to provide wireless access for enterprise employees.
Configuration Roadmap
The configuration roadmap for basic WLAN services on a large-scale network is as follows:
- Configure Switch_A, Switch_B, and the AC to implement Layer 2 connectivity.
- Configure the AC as a global DHCP server to assign IP addresses to APs and STAs.
- Configure the APs to go online.
  - Create AP groups so that APs requiring the same configuration are added to one group and configured uniformly.
  - Configure AC system parameters, including the country code and the source interface for communication between the AC and APs.
  - Configure the AP authentication mode and import the APs offline so that the APs can go online normally.
- Configure WLAN service parameters so that STAs can access the WLAN.
Item | Data
---|---
DHCP server | The AC functions as the DHCP server to assign IP addresses to STAs and APs.
IP address pool for APs | 10.10.10.2~10.10.10.254/24
IP address pool for STAs | 10.10.11.2~10.10.11.254/24 (VLAN 101) and 10.10.12.2~10.10.12.254/24 (VLAN 102)
IP address of the AC's source interface | VLANIF100: 10.10.10.1/24
AP groups | Name: guest; referenced profiles: VAP profile guest, regulatory domain profile domain1. Name: employee; referenced profiles: VAP profile employee, regulatory domain profile domain1.
Regulatory domain profile | Name: domain1; country code: CN
SSID profiles | Name: guest; SSID name: guest. Name: employee; SSID name: employee.
Security profiles | Name: guest; security policy: WEP-40 with shared-key authentication, password a1234. Name: employee; security policy: WPA2+PSK+AES, password b1234567.
VAP profiles | Name: guest; service VLAN: VLAN 101; referenced profiles: SSID profile guest, security profile guest. Name: employee; service VLAN: VLAN 102; referenced profiles: SSID profile employee, security profile employee.
Precautions
- When direct forwarding is used for service data, configuring multicast packet suppression on the switch interfaces directly connected to the APs is recommended.
- When tunnel forwarding is used for service data, configuring multicast packet suppression in the traffic profile on the AC is recommended.
- The management VLAN and the service VLAN cannot be the same VLAN.
- When multiple VAP profiles are configured and share one service VLAN, and the data forwarding mode is tunnel, the Proxy ARP function must be enabled for that service VLAN.
Procedure
- Configure network connectivity.
# Configure Switch_A. Add interface GE0/0/1 to VLAN 100 (management VLAN) and allow packets of VLAN 101 (service VLAN) to pass through; add interface GE0/0/2 to VLAN 100 (management VLAN) and allow packets of VLAN 102 (service VLAN) to pass through; configure interface GE0/0/3 to allow packets of VLAN 100, VLAN 101, and VLAN 102 to pass through.
Port isolation is recommended on interfaces GE0/0/1 and GE0/0/2 of Switch_A, which connect to the APs. Without port isolation, unnecessary broadcast packets may exist in the VLAN, or WLAN users on different APs may be able to communicate at Layer 2.
```
<Huawei> system-view
[Huawei] sysname SwitchA
[SwitchA] vlan batch 100 to 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchA-GigabitEthernet0/0/2] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101 102
[SwitchA-GigabitEthernet0/0/3] quit
```
# Configure Switch_B. Configure interfaces GE0/0/1 and GE0/0/2 to allow packets of VLAN 100, VLAN 101, and VLAN 102 to pass through.
```
<Huawei> system-view
[Huawei] sysname SwitchB
[SwitchB] vlan batch 100 to 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 102
[SwitchB-GigabitEthernet0/0/2] quit
```
# Configure the AC to allow packets of VLAN 100, VLAN 101, and VLAN 102 to pass through.
```
<Huawei> system-view
[Huawei] sysname AC
[AC] vlan batch 100 to 102
[AC] interface ethernet 2/0/0
[AC-Ethernet2/0/0] port link-type trunk
[AC-Ethernet2/0/0] port trunk allow-pass vlan 100 to 102
[AC-Ethernet2/0/0] quit
```
- Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
```
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.10.10.1 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.11.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.10.12.1 255.255.255.0
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
```
- Configure the APs to go online.
# Create AP groups guest and employee.
```
[AC] wlan ac
[AC-wlan-view] ap-group name guest
Info: This operation may take a few seconds. Please wait for a moment..done.
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
Info: This operation may take a few seconds. Please wait for a moment..done.
[AC-wlan-ap-group-employee] quit
```
# Create a regulatory domain profile, configure the AC country code in it, and bind the profile to the AP groups.
```
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
Info: The current country code is same with the input country code.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] quit
```
# Configure the source interface of the AC.
# Import the APs offline on the AC. Add the APs deployed in the reception hall to AP group guest and the APs deployed in the office area to AP group employee, and name each AP after its deployment location so that the location can be identified from the name. For example, the AP with MAC address 60de-4476-e360 is deployed in room 1 of the office area and is named area_1. The default setting of the ap auth-mode command is MAC authentication; if the default has not been changed, ap auth-mode mac-auth does not need to be run.
```
[AC] wlan ac
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-1] quit
```
# Power on the APs. When the State field in the output of the display ap all command shows nor, the APs have gone online normally.
```
[AC-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [2]
--------------------------------------------------------------------------------------------
ID   MAC            Name    Group     IP            Type          State  STA  Uptime
--------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1  guest     10.10.10.253  AP6010DN-AGN  nor    0    1M:22S
1    60de-4474-9640 area_2  employee  10.10.10.254  AP6010DN-AGN  nor    0    5S
--------------------------------------------------------------------------------------------
Total: 2
```
- Configure WLAN service parameters.
# Create security profiles guest and employee, and configure security policies.
This example uses the WEP-40 and WPA2+PSK+AES security policies, with passwords a1234 and b1234567 respectively. In an actual deployment, configure security policies that meet the actual requirements.
```
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] security wep share-key
[AC-wlan-sec-prof-guest] wep key 0 wep-40 pass-phrase a1234
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-sec-prof-guest] wep default-key 0
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-sec-prof-guest] quit
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa2 psk pass-phrase b1234567 aes
[AC-wlan-sec-prof-employee] quit
```
# Create SSID profiles guest and employee, and set the SSID names to guest and employee respectively.
```
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-employee] quit
```
# Create VAP profiles guest and employee, configure the service VLANs, and bind the security profiles and SSID profiles.
```
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] service-vlan vlan-id 101
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-guest] security-profile guest
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-guest] ssid-profile guest
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] service-vlan vlan-id 102
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-employee] security-profile employee
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-employee] ssid-profile employee
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-employee] quit
```
# Bind the VAP profiles to the AP groups so that all radios on the APs use the VAP profile configuration.
```
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-employee] quit
```
# Commit the configuration.
```
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
```
- Verify the configuration.
# After the WLAN service configuration is complete, run the display vap ssid guest and display vap ssid employee commands. When the Status field shows ON, the VAPs on the corresponding AP radios have been created successfully.
```
[AC-wlan-view] display vap ssid guest
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------
AP ID AP name  RfID WID  BSSID           Status Auth type   STA  SSID
--------------------------------------------------------------------------
0     area_1   0    1    60DE-4476-E360  ON     WEP+Share   0    guest
0     area_1   1    1    60DE-4476-E370  ON     WEP+Share   0    guest
--------------------------------------------------------------------------
Total: 2
[AC-wlan-view] display vap ssid employee
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------
AP ID AP name  RfID WID  BSSID           Status Auth type   STA  SSID
--------------------------------------------------------------------------
1     area_2   0    1    60DE-4474-9640  ON     WPA2-PSK    0    employee
1     area_2   1    1    60DE-4474-9650  ON     WPA2-PSK    0    employee
--------------------------------------------------------------------------
Total: 2
```
# STAs discover the wireless networks guest and employee, enter the passwords a1234 and b1234567 respectively, and associate normally. Then run the display station ssid guest and display station ssid employee commands on the AC; the output shows that users have connected to the wireless networks guest and employee respectively.
```
[AC-wlan-view] display station ssid guest
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
cc3a-61cf-6344  0      area_1   0/1      2.4G  11g   26/18  -54   101   10.10.11.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
[AC-wlan-view] display station ssid employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
8071-7a64-656f  1      area_2   1/1      5G    11n   65/56  -53   102   10.10.12.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
```
Configuration Files
Switch_A configuration file
```
#
 sysname SwitchA
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return
```
Switch_B configuration file
```
#
 sysname SwitchB
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return
```
AC configuration file
```
#
 sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
 ip address 10.10.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.10.11.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.10.12.1 255.255.255.0
 dhcp select interface
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
wlan ac
 security-profile name guest
  security wep share-key
  wep key 0 wep-40 pass-phrase %^%#z*z]6]#!|%n:n}Xz'mhKE{PfN|cIj*eU$jJYH48S%^%#
 security-profile name employee
  security wpa2 psk pass-phrase %^%#H{1<-b]4~"*+Y:4-'/URy;$+,33UgQf)@9I(Yl]V%^%# aes
 ssid-profile name guest
  ssid guest
 ssid-profile name employee
  ssid employee
 vap-profile name guest
  service-vlan vlan-id 101
  ssid-profile guest
  security-profile guest
 vap-profile name employee
  service-vlan vlan-id 102
  ssid-profile employee
  security-profile employee
 regulatory-domain-profile name domain1
 ap-group name guest
  regulatory-domain-profile domain1
  radio 0
   vap-profile guest wlan 1
  radio 1
   vap-profile guest wlan 1
  radio 2
   vap-profile guest wlan 1
 ap-group name default
 ap-group name employee
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee wlan 1
  radio 1
   vap-profile employee wlan 1
  radio 2
   vap-profile employee wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group guest
 ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235554710CB000075
  ap-name area_2
  ap-group employee
#
return
```
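The precautions require the management VLAN and service VLAN to differ, and the security profile step notes that the WEP-40 guest policy is only an example to be replaced by a policy meeting real requirements. The following Python script, added here and not part of the Huawei documentation, audits an AC configuration file in the format shown above for both points; the configuration it parses is a constructed excerpt with the cleartext passphrases as typed in the procedure (the saved file stores them encrypted), and the `audit_ac_config` function name is this example's own.

```python
import re

# Constructed excerpt in the format of the AC configuration file above (one command
# per line); the passphrases appear as typed in the procedure, not encrypted.
SAMPLE_AC_CONFIG = """\
capwap source interface vlanif100
wlan ac
 security-profile name guest
  security wep share-key
  wep key 0 wep-40 pass-phrase a1234
 security-profile name employee
  security wpa2 psk pass-phrase b1234567 aes
 vap-profile name guest
  service-vlan vlan-id 101
  security-profile guest
 vap-profile name employee
  service-vlan vlan-id 102
  security-profile employee
"""

def audit_ac_config(text):
    """Return findings: WEP security profiles and VAPs whose service VLAN is the management VLAN."""
    mgmt_vlan = None
    policy = {}          # security-profile name -> keyword after 'security' (wep, wpa2, ...)
    vaps = {}            # vap-profile name -> {'vlan': int, 'sec': str}
    cur_sec = cur_vap = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"capwap source interface vlanif(\d+)$", line):
            mgmt_vlan = int(m.group(1))        # the CAPWAP source VLAN is the management VLAN
        elif m := re.match(r"security-profile name (\S+)$", line):
            cur_sec, cur_vap = m.group(1), None
        elif m := re.match(r"vap-profile name (\S+)$", line):
            cur_vap, cur_sec = m.group(1), None
            vaps[cur_vap] = {}
        elif cur_sec and line.startswith("security "):
            policy[cur_sec] = line.split()[1]
        elif cur_vap and (m := re.match(r"service-vlan vlan-id (\d+)$", line)):
            vaps[cur_vap]["vlan"] = int(m.group(1))
        elif cur_vap and (m := re.match(r"security-profile (\S+)$", line)):
            vaps[cur_vap]["sec"] = m.group(1)   # a reference, not a profile definition
    findings = []
    for name, kind in policy.items():
        if kind == "wep":
            findings.append(f"security-profile {name}: WEP is broken, use WPA2-PSK/AES or stronger")
    for name, vap in vaps.items():
        if mgmt_vlan is not None and vap.get("vlan") == mgmt_vlan:
            findings.append(f"vap-profile {name}: service VLAN {mgmt_vlan} is also the management VLAN")
    return findings
```

Run it against the output of display current-configuration saved to a file to catch a guest VAP that was left on WEP or accidentally placed in the management VLAN before the configuration is committed.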