评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置全局双链路备份示例(AC全局配置方式)
配置流程
WLAN不同的特性和功能需要在不同类型的模板下进行配置和维护,这些模板统称为WLAN模板,如域管理模板、射频模板、VAP模板、AP系统模板、AP有线口模板、WIDS模板、WDS模板。当用户在配置WLAN业务功能时,需要在对应功能的WLAN模板中进行参数配置,配置完成后,须将此模板引用到AP组或AP中,配置下发到AP,进而配置的功能在AP上生效。由于模板之间是存在各相互引用关系的,因此在用户配置过程中,需要提前了解各个模板之间存在的逻辑关系。模板的逻辑关系和基本配置流程请参见WLAN业务配置流程。
组网需求
某企业使用两台AP构建了无线局域网区域A,为用户提供WLAN上网服务。如图9-9所示,区域A的AP1和AP2直接连接交换机,企业采用双AC旁挂式部署,交换机上行通过出口路由接入Internet。现在企业希望采用双AC主备备份的方式提高无线用户的数据传输的可靠性。
表9-4 数据准备
| 项目 | 数据 |
|---|---|
AP管理VLAN |
VLAN100 |
STA业务VLAN |
VLAN101 |
DHCP服务器 |
Switch作为AP和STA的DHCP服务器 STA网关:10.10.11.1/24 AP网关:10.10.10.1/24 |
AP地址池 |
10.10.10.4~10.10.10.254/24 |
STA地址池 |
10.10.11.2~10.10.11.254/24 |
AC源接口 |
VLANIF100 |
主用AC |
AC1 本机优先级:0 |
备用AC |
AC2 本机优先级:1 |
AC1管理IP地址 |
VLANIF100接口:10.10.10.2/24 |
AC2管理IP地址 |
VLANIF100接口:10.10.10.3/24 |
AP组 |
|
SSID模板 |
|
安全模板 |
|
VAP模板 |
|
配置思路
- 配置AC1、AC2和其他网络设备实现网络互通。Switch作为DHCP Server为AP和STA分配IP地址。
- AC1作为主AC,在主AC上配置WLAN基本业务。
- AC2作为备AC,在备AC上配置WLAN基本业务,业务配置和AC1保持一致。
- 先后在主备AC上配置双链路备份功能。使能双链路备份时,会重启所有AP。双链路备份配置完成后、若任意主AC与AP间CAPWAP链路故障,备AC会替代此主AC管理AP继续工作。
配置注意事项
纯组播报文由于协议要求在无线空口没有ACK机制保障,且无线空口链路不稳定,为了纯组播报文能够稳定发送,通常会以低速报文形式发送。如果网络侧有大量异常组播流量涌入,则会造成无线空口拥堵。为了减小大量低速组播报文对无线网络造成的冲击,建议配置组播报文抑制功能。配置前请确认是否有组播业务,如果有,请谨慎配置限速值。
- 业务数据转发方式采用直接转发时,建议在直连AP的交换机接口上配置组播报文抑制。
- 业务数据转发方式采用隧道转发时,建议在AC的流量模板下配置组播报文抑制。
- 管理VLAN和业务VLAN不能配置为同一VLAN。
在配置多个VAP模板,且多个VAP模板共用同一个service-vlan的场景下,如果配置数据转发方式为tunnel模式,则需要启动service-vlan间的Proxy ARP功能。
操作步骤
- 配置Switch和AC,使AP和AC互通
# 在Switch上创建VLAN100和VLAN101,其中VLAN100用于WLAN的管理VLAN,VLAN101用于WLAN的业务VLAN。Switch连接AP的接口GE0/0/1和GE0/0/4配置为trunk类型接口,且PVID都为100,允许VLAN100和VLAN101的报文通过。配置Switch的接口GE0/0/2和GE0/0/3为trunk类型,允许VLAN100的报文通过。
<Huawei> system-view [Huawei] sysname Switch [Switch] vlan batch 100 101 [Switch] interface gigabitethernet 0/0/1 [Switch-GigabitEthernet0/0/1] port link-type trunk [Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100 [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101 [Switch-GigabitEthernet0/0/1] port-isolate enable [Switch-GigabitEthernet0/0/1] quit [Switch] interface gigabitethernet 0/0/4 [Switch-GigabitEthernet0/0/4] port link-type trunk [Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100 [Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101 [Switch-GigabitEthernet0/0/4] port-isolate enable [Switch-GigabitEthernet0/0/4] quit [Switch] interface gigabitethernet 0/0/2 [Switch-GigabitEthernet0/0/2] port link-type trunk [Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 [Switch-GigabitEthernet0/0/2] quit [Switch] interface gigabitethernet 0/0/3 [Switch-GigabitEthernet0/0/3] port link-type trunk [Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 [Switch-GigabitEthernet0/0/3] quit
# 配置AC1连接Switch的接口Eth2/0/0加入VLAN100。
<Huawei> system-view [Huawei] sysname AC1 [AC1] vlan batch 100 [AC1-vlan100] quit [AC1] interface ethernet 2/0/0 [AC1-Ethernet2/0/0] port link-type trunk [AC1-Ethernet2/0/0] port trunk allow-pass vlan 100 [AC1-Ethernet2/0/0] quit
# 配置AC2连接Switch的接口Eth2/0/0加入VLAN100。
<Huawei> system-view [Huawei] sysname AC2 [AC2] vlan batch 100 [AC2-vlan100] quit [AC2] interface ethernet 2/0/0 [AC2-Ethernet2/0/0] port link-type trunk [AC2-Ethernet2/0/0] port trunk allow-pass vlan 100 [AC2-Ethernet2/0/0] quit
- 配置Switch的DHCP功能,为AP和STA分配IP地址
# 配置VLANIF100使用接口地址池为AP分配IP地址。
[Switch] dhcp enable [Switch] interface vlanif 100 [Switch-Vlanif100] ip address 10.10.10.1 255.255.255.0 [Switch-Vlanif100] dhcp select interface [Switch-Vlanif100] dhcp server excluded-ip-address 10.10.10.2 10.10.10.3 [Switch-Vlanif100] quit
# 配置VLANIF101使用接口地址池为STA分配IP地址。
[Switch] interface vlanif 101 [Switch-Vlanif101] ip address 10.10.11.1 255.255.255.0 [Switch-Vlanif101] dhcp select interface [Switch-Vlanif101] quit
- 配置AC1的WLAN基本业务
- 配置AP上线
# 创建AP组,用于将相同配置的AP都加入同一AP组中。
[AC1] wlan ac [AC1-wlan-view] ap-group name ap-group1 Info: This operation may take a few seconds. Please wait for a moment.done. [AC1-wlan-ap-group-ap-group1] quit# 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
[AC1-wlan-view] regulatory-domain-profile name domain1 [AC1-wlan-regulate-domain-domain1] country-code cn Info: The current country code is same with the input country code. [AC1-wlan-regulate-domain-domain1] quit [AC1-wlan-view] ap-group name ap-group1 [AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1 Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu e?[Y/N]:y [AC1-wlan-ap-group-ap-group1] quit [AC1-wlan-view] quit
# 配置AC的源接口。
[AC1] interface Vlanif 100 [AC1-Vlanif100] ip address 10.10.10.2 255.255.255.0 [AC1-Vlanif100] quit [AC1] capwap source interface vlanif 100
# 在AC上离线导入AP,并将AP加入AP组“ap-group1”中。假设AP的MAC地址分别为60de-4476-e360和60de-4474-9640,并且根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为60de-4476-e360的AP部署在1号区域,命名此AP为“area_1”,MAC地址为60de-4474-9640的AP部署在2号区域,命名此AP为“area_2”。ap auth-mode命令缺省情况下为MAC认证,如果之前没有修改其缺省配置,可以不用执行ap auth-mode mac-auth。
[AC1] wlan ac [AC1-wlan-view] ap auth-mode mac-auth [AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360 [AC1-wlan-ap-0] ap-name area_1 [AC1-wlan-ap-0] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y Info: This operation may take a few seconds. Please wait for a moment.. done. [AC1-wlan-ap-0] quit [AC1-wlan-view] ap-id 1 ap-mac 60de-4474-9640 [AC1-wlan-ap-1] ap-name area_2 [AC1-wlan-ap-1] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y Info: This operation may take a few seconds. Please wait for a moment.. done. [AC1-wlan-ap-1] quit
# 将AP上电后,当执行命令display ap all查看到AP的“State”字段为“nor”时,表示AP正常上线。
[AC1-wlan-view] display ap all Info: This operation may take a few seconds. Please wait for a moment.done. Total AP information: nor : normal [2] -------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime -------------------------------------------------------------------------------------------- 0 60de-4476-e360 area_1 ap-group1 10.10.10.253 AP6010DN-AGN nor 0 1M:22S 1 60de-4474-9640 area_2 ap-group1 10.10.10.254 AP6010DN-AGN nor 0 5S -------------------------------------------------------------------------------------------- Total: 2 - 配置WLAN业务参数
# 创建名为“wlan-security”的安全模板,并配置安全策略。
举例中以配置WPA2+PSK+AES的安全策略为例,密码为“a1234567”,实际配置中请根据实际情况,配置符合实际要求的安全策略。
[AC1-wlan-view] security-profile name wlan-security [AC1-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes [AC1-wlan-sec-prof-wlan-security] quit
# 创建名为“wlan-ssid”的SSID模板,并配置SSID名称为“wlan-net”。
[AC1-wlan-view] ssid-profile name wlan-ssid [AC1-wlan-ssid-prof-wlan-ssid] ssid wlan-net Warning: This action may cause service interruption. Continue?[Y/N]y Info: This operation may take a few seconds, please wait.done. [AC1-wlan-ssid-prof-wlan-ssid] quit
# 创建名为“wlan-vap”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。
[AC1-wlan-view] vap-profile name wlan-vap [AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward Warning: This action may cause service interruption. Continue?[Y/N]y Info: This operation may take a few seconds, please wait.done. [AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 Info: This operation may take a few seconds, please wait.done. [AC1-wlan-vap-prof-wlan-vap] security-profile wlan-security Info: This operation may take a few seconds, please wait..done. [AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid Info: This operation may take a few seconds, please wait..done. [AC1-wlan-vap-prof-wlan-vap] quit
# 配置AP组引用VAP模板,AP上射频0和射频1都使用VAP模板“wlan-vap”的配置。
[AC1-wlan-view] ap-group name ap-group1 [AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0 Info: This operation may take a few seconds, please wait.done. [AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1 Info: This operation may take a few seconds, please wait.done. [AC1-wlan-ap-group-ap-group1] quit
- 配置AP上线
- 配置AC2的WLAN基本业务
# AC2基本业务其他参数的配置请参考AC1的配置过程,除源接口地址外其他配置参数和AC1一样。
# 配置AC2的源接口。
[AC2] interface vlanif 100 [AC2-Vlanif100] ip address 10.10.10.3 255.255.255.0 [AC2-Vlanif100] quit [AC2] capwap source interface vlanif 100 [AC2] wlan ac
- 配置主用AC1和备用AC2双链路备份功能
# 在AC1上,配置备AC2的IP地址,AC1的优先级,用于双链路备份。全局使能双链路备份和回切功能,重启所有AP使双链路备份功能生效。
缺省情况下,双链路备份功能未使能,执行命令ac protect enable会提示重启所有AP。AP重启后,双链路备份功能开始生效。
若双链路备份功能已使能,此处再执行命令ac protect enable不会重启AP,需要在主AC上继续执行命令ap-reset重启AP,AP重启后,双链路备份功能开始生效。
[AC1-wlan-view] ac protect protect-ac 10.10.10.3 priority 0 Warning: Operation successful. It will take effect after AP reset. [AC1-wlan-view] undo ac protect restore disable Info: Protect restore has already enabled. [AC1-wlan-view] ac protect enable Warning: This operation maybe cause AP reset, continue?[Y/N]: y Info: This operation may take a few seconds. Please wait for a moment.done. Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
# 在AC2上,配置主用AC1的IP地址,AC2的优先级,用于双链路备份。[AC2-wlan-view] ac protect protect-ac 10.10.10.2 priority 1 [AC2-wlan-view] undo ac protect restore disable Info: Protect restore has already enabled. [AC2-wlan-view] ac protect enable Warning: This operation maybe cause AP reset, continue?[Y/N]: y Info: This operation may take a few seconds. Please wait for a moment.done. Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
# 提交配置。
[AC1-wlan-view] commit all Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC2-wlan-view] commit all Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
- 验证配置结果
# 在主备AC上分别执行命令display ac protect,查看2台AC上双链路信息和优先级。
[AC1-wlan-view] display ac protect ------------------------------------------------------------ Protect state : enable Protect AC : 10.10.10.3 Priority : 0 Protect restore : enable Coldbackup kickoff station: disable ------------------------------------------------------------
[AC2-wlan-view] display ac protect ------------------------------------------------------------ Protect state : enable Protect AC : 10.10.10.2 Priority : 1 Protect restore : enable Coldbackup kickoff station: disable ------------------------------------------------------------
# 当AP与AC1的链路中断后,AC2切换为主AC,保证业务的稳定。
配置文件
Switch的配置文件
# sysname Switch # vlan batch 100 to 101 # dhcp enable # interface Vlanif100 ip address 10.10.10.1 255.255.255.0 dhcp select interface dhcp server excluded-ip-address 10.10.10.2 10.10.10.3 # interface Vlanif101 ip address 10.10.11.1 255.255.255.0 dhcp select interface # interface GigabitEthernet0/0/1 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 port-isolate enable group 1 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/3 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/4 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 port-isolate enable group 1 # return
AC1的配置文件
# sysname AC1 # vlan batch 100 # interface Vlanif100 ip address 10.10.10.2 255.255.255.0 # interface Ethernet2/0/0 port link-type trunk port trunk allow-pass vlan 100 # capwap source interface vlanif100 # wlan ac ac protect enable protect-ac 10.10.10.3 security-profile name wlan-security security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes ssid-profile name wlan-ssid ssid wlan-net vap-profile name wlan-vap service-vlan vlan-id 101 ssid-profile wlan-ssid security-profile wlan-security regulatory-domain-profile name domain1 ap-group name ap-group1 regulatory-domain-profile domain1 radio 0 vap-profile wlan-vap wlan 1 radio 1 vap-profile wlan-vap wlan 1 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097 ap-name area_2 ap-group ap-group1 # return
AC2的配置文件
# sysname AC2 # vlan batch 100 # interface Vlanif100 ip address 10.10.10.3 255.255.255.0 # interface Ethernet2/0/0 port link-type trunk port trunk allow-pass vlan 100 # capwap source interface vlanif100 # wlan ac ac protect enable protect-ac 10.10.10.2 priority 1 security-profile name wlan-security security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes ssid-profile name wlan-ssid ssid wlan-net vap-profile name wlan-vap service-vlan vlan-id 101 ssid-profile wlan-ssid security-profile wlan-security regulatory-domain-profile name domain1 ap-group name ap-group1 regulatory-domain-profile domain1 radio 0 vap-profile wlan-vap wlan 1 radio 1 vap-profile wlan-vap wlan 1 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097 ap-name area_2 ap-group ap-group1 # return
