WLAN V200R010C00 典型配置案例集

无线覆盖部署案例（会议室-室内高密）

适用范围和业务需求
方案设计
配置思路和数据规划
配置步骤
结果验证
配置脚本
开局常见问题处理
- AP上线失败

适用范围和业务需求

适用范围

本案例适用于企业办公无线方案，空间范围大，对网规、覆盖及容量要求兼顾容量和成本的情况下保证信号覆盖与用户体验，规划要求高，需做好充足的准备和现场测试，并发率高，用户密度高。

业务需求

会议室场景的特点如下：

空间范围大
对网规、覆盖及容亮要求兼顾容量和成本的情况下保证信号覆盖与用户体验
满足单用户的下行流量2M，上行流量1M
终端的并发率高，用户密度高

接入需求

希望会议室中提供无线接入方式。

对于无线覆盖需要做到覆盖均匀、无盲区、高吞吐量、并发多用户处理能力强。一般高密中的接入终端类型，主要是笔记本电脑、平板电脑和手机接入，包含802.11ac设备。

室内无线设备需要部署便捷、外观美观时尚。

无线漫游需求

不同场所间漫游时重新接入无线网络，需要简化认证。

可靠性需求

当网络中的单台设备产生故障时，也需要保证网络可靠性。

安全性需求

需要解决不同AP间的WLAN用户二层互通的问题。

认证计费需求

无线用户需要通过Portal认证后才能接入网络。

方案设计

组网图

会议室高密无线方案推荐组网如下图所示。

图4-103 组网图

网络设计分析

设备选型
- 选取AC6605或AC6005，提供小型或中型组网能力，部署更加灵活。
- 室内AP：选择AP4050DN、AP6050DN覆盖房间区域。
部署方案
基于有线核心网，采用室内AP覆盖。AC旁挂式部署，部署在核心层。
无线漫游
对于实现漫游，只需将所有AP的SSID和安全策略都配成一致即可。

对于认证方案，可采用MAC优先的Portal认证，从而达到漫游中简化认证的要求。

在室内高密场景中，建议开启智能漫游功能，当AP检测到STA的信噪比或接入速率低于指定的门限时，主动向STA发送解除关联报文，让STA重新连接或漫游，解决了STA在弱信号强度的情况下不会重新连接或漫游的问题。
可靠性
为了保证核心设备的可靠性，采用核心设备做集群，并配置多主检测。

为了保证WLAN业务的可靠性，可在网络中部署2台AC设备，并配置AC的VRRP热备份。当两台设备在确定主用（Master）设备和备用（Backup）设备后，由主用设备进行业务的转发，而备用设备处于待命状态，同时主用设备实时向备用设备发送状态信息和需要备份的信息，当主用设备出现故障后，备用设备及时接替主用设备的业务运行，从而提高了网络的可靠性。
安全性
在交换机与AP直接相连的接口上配置端口隔离，可解决不同AP间的WLAN用户二层互通的问题。

AP设备上有防盗锁孔，可以连接到防盗锁，保证设备的安全性。

实际部署时不建议使用VLAN 1作为业务VLAN，将各端口从VLAN1中退出。根据实际业务需求透传VLAN，禁止端口透传所有VLAN。

设备连接终端或AP的端口建议都配置为边缘端口。

将所有设备不使用的端口Shutdown。

使能设备的STA地址严格DHCP获取功能、ARP动态检测功能和IPSG功能，可防止非法用户的IP报文任意通过AP访问外部网络，提高设备安全性。

为了使DHCP客户端能通过合法的DHCP服务器获取IP地址，有效防止DHCP Server仿冒者攻击、DHCP Server的拒绝服务攻击、仿冒DHCP报文攻击等，建议配置DHCP Snooping功能。如果网络中同时存在有线用户和无线用户，交换机连接AP的接口不建议使能DHCP Snooping，可能会造成交换机用户绑定表超规格，所以针对有线用户，建议基于VLAN配置DHCP Snooping，针对无线用户，建议在无线侧VAP模板上配置。

为了减小大量低速组播报文对无线网络造成的冲击，如果网络中没有组播业务时，建议配置组播报文抑制功能。
接入设计
在室内高密场景中，建议开启短帧间间隔，可以提高802.11n和802.11ac的传输率。

在室内高密场景中，建议将无线用户的关联老化时间设置为1分钟，防止存在频繁离开整个无线网络覆盖的用户。

在室内高密场景中，建议开启Airtime调度功能，通过在同一业务下计算每个用户的无线信道占用时间，优先调度占用无线信道时间较少的用户，保证每个用户相对公平的占用无线信道，提升用户体验效果。

在高校室内高密场景下，建议使用RTS-CTS模式，RTS/CTS（Request To Send/Clear To Send）握手协议，可以避免信道冲突导致的数据传输失败。
认证计费需求
无线用户通过MAC优先的Portal认证后才能接入网络，认证点在AC上。

方案涉及网元的软件版本要求

本方案适用的产品和版本如下表所示。

产品名	产品版本
AC6605	V200R010C00
AP4050DN、AP6050DN	V200R010C00
S12700	V200R010C00
S7700	V200R010C00
S5700	V200R010C00
Agile Controller-Enterprise	V100R002C10

配置思路和数据规划

配置思路

按照会议室的需求，采用如下的思路进行配置：

配置核心交换机集群，保证核心交换机的可靠性。
配置接入交换机、汇聚交换机和AC的网络互通。
配置DHCP服务，AC作为DHCP服务器为AP分配IP地址，外置DHCP服务器为STA分配IP地址。
在AC上配置RADIUS服务器认证、计费和授权模板，以便AC能够与RADIUS服务器联动。
配置AC的VRRP备份，保证WLAN业务可靠性。
在AC上配置WLAN业务，满足无线网络在高密场景下的无线接入需求。
在Agile Controller-Enterprise业务管理器中添加AC，并配置参数，保证Controller能与AC正常联动。
增加授权结果和授权规则，对用户认证成功后授予访问控制权限。

数据规划

为完成配置任务，需规划和的数据项。

项目	编号	接口号	所属VLAN	IP地址	描述
接入交换机S5700_A	1	GE0/0/1	VLAN800、VLAN720	-	连接AP_1
	2	GE0/0/2	VLAN800、VLAN720	-	连接AP_2
	3	GE0/0/3	VLAN800、VLAN720	-	连接汇聚交换机S7700
汇聚交换机S7700	13	GE1/0/3	VLAN800、VLAN720	-	接入交换机S5700_A
	17	GE1/0/17	VLAN800、VLAN720	-	连接S12700_A
	18	GE1/0/18	VLAN800、VLAN720	-	连接S12700_B
S12700_A和S12700_B集群	19	GE1/1/0/19	VLAN800、VLAN720	-	连接汇聚交换机S7700
	22	GE2/1/0/22	VLAN800、VLAN720	-	连接汇聚交换机S7700
	20	GE1/1/0/20	VLAN800、VLAN820、VLAN720	-	连接AC_1
	23	GE2/1/0/23	VLAN800、VLAN820、VLAN720	-	连接AC_2
	21	GE1/1/0/21	VLAN820、VLAN720	-	连接Router
	24	GE2/1/0/18	VLAN820、VLAN720	-	连接Router
AC_1	25	GE0/0/24	VLAN800、VLAN820、VLAN720	VLANIF800：10.128.1.2/24 VLANIF820：172.16.1.2/24	连接S12700_A
AC_1	26	GE0/0/23	VLAN810	VLANIF810：10.1.1.253/30	连接AC_2
AC_2	27	GE0/0/24	VLAN800、VLAN820、VLAN720	VLANIF800：10.128.1.3/24 VLANIF820：172.16.1.3/24	连接S12700_B
AC_2	28	GE0/0/23	VLAN810	VLANIF810：10.1.1.254/30	连接AC_1

项目	说明
AP管理VLAN	800
VRRP备份组	虚拟IP地址：VLANIF800 10.128.1.1 管理VRRP备份组ID：1 备份业务：DHCP、用户接入、AP AC_1：优先级：120 抢占时间：1200秒恢复延迟时间：60秒 HSB主备服务：本端IP地址为10.1.1.253，对端IP地址为10.1.1.254，本端及对端端口号均为10241。 AC_2：优先级：100（缺省）恢复延迟时间：60秒 HSB主备服务：本端IP地址为10.1.1.254，对端IP地址为10.1.1.253，本端及对端端口号均为10241。
VRRP备份组	虚拟IP地址：VLANIF820 172.16.1.1 成员VRRP备份组ID：2 VRRP备份组2和VRRP备份组1联动
DHCP服务器	AP的DHCP服务器：AC STA的DHCP服务器：外置DHCP服务器172.16.1.252，S7700作为DHCP Relay（VLANIF720：10.172.1.1/20）
AP地址池	10.128.1.4～10.128.1.254/24
STA地址池	10.172.0.1～10.172.15.254/20( 除去10.172.1.1)
AAA参数	认证方案：名称：radius_huawei 认证模式：RADIUS认证计费方案：名称：radius_huawei 计费模式：RADIUS模式实时计费功能：开启实时计费时间间隔：15分钟
RADIUS参数	RADIUS服务器模板名称：radius_huawei，其中：认证服务器IP地址：172.16.1.254 认证端口号：1812 计费服务器IP地址：172.16.1.254 计费端口号：1813 重传超时时间：1s 共享密钥：huawei@123 RADIUS授权服务器：授权服务器IP地址：172.16.1.254 RADIUS共享密钥：huawei@123
Portal服务器模板	服务器名称：huawei IP地址：172.16.1.254 端口号：50200 共享密钥：huawei@123
URL模板	模板名称：huawei URL携带SSID参数：ssid URL携带用户URL地址参数：url URL地址：http://172.16.1.254:8080/portal
Portal接入模板	名称：portal 引用模板：Portal服务器模板huawei
MAC接入模板	名称：mac
免认证规则模板	名称：default_free_rule 免认证资源：DNS服务器的地址（172.16.1.253）
认证模板	名称：authen-pro 引用模板和认证方案：Portal模板portal、MAC接入模板mac、RADIUS服务器模板radius_huawei、RADIUS认证方案radius_huawei、RADIUS计费方案radius_huawei、免认证规则模板default_free_rule
DNS服务器	IP地址：172.16.1.253
AP组	名称：meeting-room 国家码：CHINA 安全策略：开放认证引用模板：VAP模板meeting-room、2G射频模板2G、5G射频模板5G
自动调优	调优模式：定时调优，设置在用户下班期间，如凌晨调优策略：rogue-ap、non-wifi 调优灵敏度：high
SSID模板	名称：meeting-room SSID：meeting-room 无线用户的关联老化时间设置为1分钟配置2.4GHz射频类型Beacon帧的发送速率11Mbps 调整AC_BE报文edca参数为：Client：ecwmin:7 ecwmax:10
安全模板	名称：open 安全策略：开放认证
流量模板	名称：meeting-room 用户隔离：二层隔离限制用户速率：上下行均为4Mbps
VAP模板	名称：meeting-room 转发模式：直接转发（缺省）业务VLAN：VLAN720 频谱导航：开启（缺省） IPSG功能：使能动态ARP检测功能：使能 STA地址学习功能：使能STA地址严格DHCP获取功能引用模板：SSID模板meeting-room、安全模板open、认证模板authen-pro、流量模板meeting-room
RRM模板	名称：meeting-room 空口调度功能：使能动态edca：使能动态负载均衡：使能智能漫游：使能漫游触发方式：check-snr，门限值 25 快速强制用户下线触发方式：check-snr，门限值 20
2G射频模板	名称：2G rts-cts：模式为rts-cts，门限值1400 AP发送Beacon帧的周期：100ms 配置GI模式：short(短帧间隔) 调整AC_BE报文edca参数为： AP：ecwmin:5 ecwmax:6 引用模板：RRM模板meeting-room
5G射频模板	名称：5G rts-cts：模式为rts-cts，门限值1400 AP发送Beacon帧的周期：100ms 配置GI模式：short(短帧间隔) 调整AC_BE报文edca参数为： AP：ecwmin:5 ecwmax:6 引用模板：RRM模板meeting-room
Agile Controller-Enterprise	设备IP地址：172.16.1.254 认证端口号：1812 计费端口号：1813 RADIUS共享密钥：huawei@123 Portal服务器接收报文的端口：50200 Portal共享密钥：huawei@123

配置步骤

配置核心交换机集群，保证核心交换机的可靠性

配置核心交换机集群。

# 在S12700-1和S12700-2上安装集群卡，连接集群卡的线缆，详细连线指导请参见“S交换机CSS助手”。

# 在配置集群连接方式、集群ID和集群优先级。

<S12700-1> system-view 
[S12700-1] set css mode css-card 
[S12700-1] set css id 1 
Warning: Modifying the CSS chassis ID will cause interface configuration loss. Continue? [Y/N]:y 
Info: This operation may take a few seconds. Please wait.... 
Info: CSS configuration has been changed, and the new configuration will take effect after a reboot and CSS has been enabled.
[S12700-1] set css priority 100      //在S12700-1上配置集群ID为1、集群优先级为100 
<S12700-2> system-view 
[S12700-2] set css mode css-card 
[S12700-2] set css id 2 
Warning: Modifying the CSS chassis ID will cause interface configuration loss. Continue? [Y/N]:y 
Info: This operation may take a few seconds. Please wait.... 
Info: CSS configuration has been changed, and the new configuration will take effect after a reboot and CSS has been enabled.
[S12700-2] set css priority 10       //在S12700-2上配置集群ID为2、集群优先级为10

# 使能CSS。

[S12700-1] css enable                         //使能CSS功能并重启S12700-1
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y 
[S12700-2] css enable                       //使能CSS功能并重启S12700-2
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# 重启核心交换机，查看集群状态，确认集群系统主交换机的CSS MASTER灯绿色常亮。

集群配置接口采用直连方式多主检测功能。

配置接口GE1/1/1/7采用直连方式多主检测功能。

<CSS> system-view
[CSS] interface gigabitethernet 1/1/1/7
[CSS-GigabitEthernet1/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet1/1/1/7] quit

配置接口GE2/1/1/7采用直连方式多主检测功能。

[CSS] interface gigabitethernet 2/1/1/7
[CSS-GigabitEthernet2/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet2/1/1/7] quit

查看集群系统多主检测详细配置信息。

[CSS] display mad verbose                                                        
Current MAD domain: 0                                                           
Current MAD status: Detect                                                      
Mad direct detect interfaces configured:                                        
 GigabitEthernet1/1/1/7                                                         
 GigabitEthernet2/1/1/7                                                         
Mad relay detect interfaces configured:                                         
Excluded ports(configurable):                                                   
Excluded ports(can not be configured):                                          
 XGigabitEthernet1/6/0/0                                                        
 XGigabitEthernet2/6/0/0

配置核心交换机与FW之间的Eth-Trunk。

# 在CSS上创建Eth-Trunk10，用于连接FW，并加入Eth-Trunk成员接口。

[CSS] interface eth-trunk 10  //创建Eth-Trunk10接口，和FW对接
[CSS-Eth-Trunk10] quit
[CSS] interface XGigabitethernet 1/1/0/0
[CSS-XGigabitEthernet1/1/0/0] eth-trunk 10
[CSS-XGigabitEthernet1/1/0/0] quit
[CSS] interface XGigabitethernet 2/1/0/0
[CSS-XGigabitEthernet2/1/0/0] eth-trunk 10
[CSS-XGigabitEthernet2/1/0/0] quit

配置CSS与出口路由器之间的Eth-Trunk。

# 在CSS上创建Eth-Trunk20、Eth-Trunk30，用于连接Router1、Router2，并加入Eth-Trunk成员接口。

[CSS] interface eth-trunk 20  //创建Eth-Trunk20接口，和Router1对接
[CSS-Eth-Trunk20] quit
[CSS] interface XGigabitethernet 1/1/0/1 
[CSS-XGigabitEthernet1/1/0/1] eth-trunk 20
[CSS-XGigabitEthernet1/1/0/1] quit
[CSS] interface XGigabitethernet 2/1/0/1
[CSS-XGigabitEthernet2/1/0/1] eth-trunk 20
[CSS-XGigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 30  //创建Eth-Trunk30接口，和Router2对接
[CSS-Eth-Trunk30] quit
[CSS] interface XGigabitethernet 1/2/0/1 
[CSS-XGigabitEthernet1/2/0/1] eth-trunk 30
[CSS-XGigabitEthernet1/2/0/1] quit
[CSS] interface XGigabitethernet 2/2/0/1
[CSS-XGigabitEthernet2/2/0/1] eth-trunk 30
[CSS-XGigabitEthernet2/2/0/1] quit

配置连接汇聚交换机的Eth-Trunk。

# 在CSS上创建Eth-Trunk40并加入Eth-Trunk成员接口，Eth-Trunk40用于连接汇聚交换机S5720EI iStack-1，同时配置根保护功能。

[CSS] interface eth-trunk 40
[CSS-Eth-Trunk40] stp root-protection
[CSS-Eth-Trunk40] quit
[CSS] interface gigabitethernet 1/2/0/0 
[CSS-GigabitEthernet1/2/0/0] eth-trunk 40
[CSS-GigabitEthernet1/2/0/0] quit
[CSS] interface gigabitethernet 2/2/0/0
[CSS-GigabitEthernet2/2/0/0] eth-trunk 40
[CSS-GigabitEthernet2/2/0/0] quit

# 将CSS配置为STP根桥。在CSS上创建Eth-Trunk50并加入Eth-Trunk成员接口，Eth-Trunk50用于连接汇聚交换机S5720EI iStack-2，同时配置根保护功能。

[CSS] stp root primary
[CSS] interface eth-trunk 50  
[CSS-Eth-Trunk50] stp root-protection
[CSS-Eth-Trunk50] quit
[CSS] interface gigabitethernet 1/2/0/1 
[CSS-GigabitEthernet1/2/0/1] eth-trunk 50
[CSS-GigabitEthernet1/2/0/1] quit
[CSS] interface gigabitethernet 2/2/0/1
[CSS-GigabitEthernet2/2/0/1] eth-trunk 50
[CSS-GigabitEthernet2/2/0/1] quit

配置接口。

[CSS] interface loopback 0
[CSS-LoopBack0] ip address 3.3.3.3 32  //用来做Router ID
[CSS-LoopBack0] quit
[CSS] vlan batch 10 20 30 50 101 102 //批量创建VLAN 
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type access
[CSS-Eth-Trunk10] port default vlan 10
[CSS-Eth-Trunk10] quit
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] port link-type access
[CSS-Eth-Trunk20] port default vlan 20 
[CSS-Eth-Trunk20] quit
[CSS] interface eth-trunk 30
[CSS-Eth-Trunk30] port link-type access
[CSS-Eth-Trunk30] port default vlan 20 
[CSS-Eth-Trunk30] quit
[CSS] interface eth-trunk 40
[CSS-Eth-Trunk40] port link-type trunk
[CSS-Eth-Trunk40] port trunk allow-pass vlan 30 101  //下行接口放行管理VLAN和业务VLAN
[CSS-Eth-Trunk40] quit
[CSS] interface eth-trunk 50
[CSS-Eth-Trunk50] port link-type trunk
[CSS-Eth-Trunk50] port trunk allow-pass vlan 30 102  //下行接口放行管理VLAN和业务VLAN
[CSS-Eth-Trunk50] quit
[CSS] interface vlanif 10  
[CSS-Vlanif10] ip address 172.16.10.2 24  //配置连接FW的VLANIF的IP地址
[CSS-Vlanif10] quit
[CSS] interface vlanif 20  
[CSS-Vlanif20] ip address 172.16.20.1 24  //配置连接Router的VLANIF的IP地址
[CSS-Vlanif20] quit
[CSS] interface vlanif 30  
[CSS-Vlanif30] ip address 172.16.30.1 24  //配置连接S5720EI iStack的VLANIF的IP地址
[CSS-Vlanif30] quit
[CSS] interface vlanif 101  
[CSS-Vlanif101] ip address 172.16.101.1 24  //配置提供宿舍区用户接入的业务vlanif IP地址
[CSS-Vlanif101] quit
[CSS] interface vlanif 102 
[CSS-Vlanif102] ip address 172.16.102.1 24  //配置提供教学区用户接入的业务vlanif IP地址
[CSS-Vlanif102] quit
[CSS] interface Gigabitethernet 1/1/1/0  //进入连接HTTP服务器的接口
[CSS-GigabitEthernet1/1/1/0] port link-type access
[CSS-GigabitEthernet1/1/1/0] port default vlan 50  //以Access方式加入VLAN 50
[CSS-GigabitEthernet1/1/1/0] quit
[CSS] interface Gigabitethernet 1/1/1/1 //进入连接Agile Controller的接口
[CSS-GigabitEthernet1/1/1/1] port link-type access
[CSS-GigabitEthernet1/1/1/1] port default vlan 50  //以Access方式加入VLAN 50
[CSS-GigabitEthernet1/1/1/1] quit
[CSS] interface vlanif 50  
[CSS-Vlanif50] ip address 172.16.50.1 24  //配置连接HTTP服务器和Agile Controller的IP地址
[CSS-Vlanif50] quit

配置路由。

# OSPF发布路由。

[CSS] router id 3.3.3.3
[CSS] ospf 1
[CSS-ospf-1] area 0.0.0.0     //配置为骨干区域
[CSS-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255 //发布连接FW的网段
[CSS-ospf-1-area-0.0.0.0] network 172.16.20.0 0.0.0.255 //发布连接出口路由器的网段
[CSS-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255 //发布连接服务器的网段
[CSS-ospf-1-area-0.0.0.0] quit
[CSS-ospf-1] area 0.0.0.1     //配置为Area1
[CSS-ospf-1-area-0.0.0.1] network 172.16.30.0 0.0.0.255 //发布连接S5720EI iStack-1的网段
[CSS-ospf-1-area-0.0.0.1] network 172.16.101.0 0.0.0.255 //发布宿舍区用户网段
[CSS-ospf-1-area-0.0.0.1] nssa //将Area1配置为NSSA区域
[CSS-ospf-1-area-0.0.0.1] quit
[CSS-ospf-1] area 0.0.0.2     //配置为Area2
[CSS-ospf-1-area-0.0.0.2] network 172.16.102.0 0.0.0.255 //发布教学区用户网段
[CSS-ospf-1-area-0.0.0.2] nssa //将Area2配置为NSSA区域
[CSS-ospf-1-area-0.0.0.2] quit
[CSS-ospf-1] quit

# 配置缺省路由，下一跳为Router1、Router2地址。

[CSS] ip route-static 0.0.0.0 0.0.0.0 172.16.20.2  
[CSS] ip route-static 0.0.0.0 0.0.0.0 172.16.20.3

配置DHCP。

[CSS] dhcp enable
[CSS] interface vlanif 101
[CSS-Vlanif101] dhcp select interface
[CSS-Vlanif101] quit
[CSS] interface vlanif 102
[CSS-Vlanif102] dhcp select interface
[CSS-Vlanif102] quit

配置业务编排。

# 配置对接FW的隧道地址。

[CSS] interface loopback 100     //该地址建立隧道用  
[CSS-LoopBack100] ip address 10.7.2.1 32 
[CSS-LoopBack100] quit
[CSS] interface loopback 101    //该地址建立隧道用
[CSS-LoopBack101] ip address 10.7.2.2 32
[CSS-LoopBack101] quit

# 配置到FW隧道地址的静态路由。

[CSS] ip route-static 10.6.2.1 32 172.16.10.1
[CSS] ip route-static 10.6.2.2 32 172.16.10.1

# 配置XMPP协议参数，以便在Controller上添加交换机设备

[CSS] group-policy controller 172.16.50.100 password Admin@123 src-ip 172.16.50.1

配置接入交换机、汇聚交换机和AC的网络互通

# 配置交换机S5700_A使AP与AC之间能互通。

<HUAWEI> system-view 
[HUAWEI] sysname S5700_A
[S5700_A] vlan batch 720 800 
[S5700_A] interface gigabitethernet 0/0/1
[S5700_A-GigabitEthernet0/0/1] description Connect to AP_1
[S5700_A-GigabitEthernet0/0/1] port link-type trunk
[S5700_A-GigabitEthernet0/0/1] port trunk pvid vlan 800
[S5700_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 720 800
[S5700_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/1] port-isolate enable
[S5700_A-GigabitEthernet0/0/1] stp edged-port enable
[S5700_A-GigabitEthernet0/0/1] quit
[S5700_A] interface gigabitethernet 0/0/2
[S5700_A-GigabitEthernet0/0/2] description Connect to AP_2
[S5700_A-GigabitEthernet0/0/2] port link-type trunk
[S5700_A-GigabitEthernet0/0/2] port trunk pvid vlan 800
[S5700_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 720 800
[S5700_A-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/2] port-isolate enable
[S5700_A-GigabitEthernet0/0/2] stp edged-port enable 
[S5700_A-GigabitEthernet0/0/2] quit
[S5700_A] interface gigabitethernet 0/0/3
[S5700_A-GigabitEthernet0/0/3] description Connect to S7700_1/0/3
[S5700_A-GigabitEthernet0/0/3] port link-type trunk
[S5700_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 720 800
[S5700_A-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/3] quit

# （可选）配置网络中组播报文抑制功能。在接入交换机连接AP的接口上配置流策略，控制组播速率。

[S5700_A] traffic classifier huawei
[S5700_A-classifier-huawei] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //本例中，组播MAC地址和掩码仅作示例，实际配置请根据实际组播地址写作。
[S5700_A-classifier-huawei] quit
[S5700_A] traffic behavior huawei
[S5700_A-behavior-huawei] statistic enable
[S5700_A-behavior-huawei] car cir 100 //CIR参数需要根据实际情况进行调整，如接入交换机下接入的是中心AP的场景，则需要适当增大。
[S5700_A-behavior-huawei] quit
[S5700_A] traffic policy huawei
[S5700_A-policy-huawei] classifier huawei behavior huawei
[S5700_A-policy-huawei] quit
[S5700_A] interface gigabitethernet 0/0/1
[S5700_A-GigabitEthernet0/0/1] traffic-policy huawei outbound
[S5700_A-GigabitEthernet0/0/1] traffic-policy huawei inbound
[S5700_A] interface gigabitethernet 0/0/2
[S5700_A-GigabitEthernet0/0/2] traffic-policy huawei outbound
[S5700_A-GigabitEthernet0/0/2] traffic-policy huawei inbound

如果网络中规划有组播业务，则不需要配置组播抑制。

# 配置S7700的接口GE1/0/3连接S5700_A、S12700_A和S12700_B加入VLAN800和VLAN720。

<HUAWEI> system-view
[HUAWEI] sysname S7700
[S7700] vlan batch 720 800
[S7700] interface gigabitethernet 1/0/3
[S7700-GigabitEthernet1/0/3] description Connect to S5700_A_0/0/3
[S7700-GigabitEthernet1/0/3] port link-type trunk
[S7700-GigabitEthernet1/0/3] port trunk allow-pass vlan 720 800
[S7700-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/3] quit
[S7700] interface gigabitethernet 1/0/17
[S7700-GigabitEthernet1/0/17] description Connect to S12700_A_1/1/0/19
[S7700-GigabitEthernet1/0/17] port link-type trunk
[S7700-GigabitEthernet1/0/17] port trunk allow-pass vlan 720 800
[S7700-GigabitEthernet1/0/17] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/17] quit
[S7700] interface gigabitethernet 1/0/18
[S7700-GigabitEthernet1/0/18] description Connect to S12700_B_2/1/0/22
[S7700-GigabitEthernet1/0/18] port link-type trunk
[S7700-GigabitEthernet1/0/18] port trunk allow-pass vlan 720 800
[S7700-GigabitEthernet1/0/18] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/18] quit

# 配置S12700_A和S12700_B的接口连接S7700、AC_1和AC_2加入VLAN720和VLAN800。

<Huawei> system-view 
[Huawei] sysname CSS 
[CSS] vlan batch 720 800 
[CSS] interface gigabitethernet 1/1/0/19
[CSS-GigabitEthernet1/1/0/19] description Connect to S7700_1/0/17 
[CSS-GigabitEthernet1/1/0/19] port link-type trunk 
[CSS-GigabitEthernet1/1/0/19] port trunk allow-pass vlan 720 800 
[CSS-GigabitEthernet1/1/0/19] undo port trunk allow-pass vlan 1 
[CSS-GigabitEthernet1/1/0/19] quit 
[CSS] interface gigabitethernet 1/1/0/20 
[CSS-GigabitEthernet1/1/0/20] description Connect to AC_1_0/0/24 
[CSS-GigabitEthernet1/1/0/20] port link-type trunk 
[CSS-GigabitEthernet1/1/0/20] port trunk allow-pass vlan 720 800 
[CSS-GigabitEthernet1/1/0/20] undo port trunk allow-pass vlan 1 
[CSS-GigabitEthernet1/1/0/20] quit 
[CSS] interface gigabitethernet 2/1/0/22
[CSS-GigabitEthernet2/1/0/22] description Connect to S7700_1/0/18 
[CSS-GigabitEthernet2/1/0/22] port link-type trunk 
[CSS-GigabitEthernet2/1/0/22] port trunk allow-pass vlan 720 800 
[CSS-GigabitEthernet2/1/0/22] undo port trunk allow-pass vlan 1 
[CSS-GigabitEthernet2/1/0/22] quit 
[CSS] interface gigabitethernet 2/1/0/23
[CSS-GigabitEthernet2/1/0/23] description Connect to AC_2 _0/0/24 
[CSS-GigabitEthernet2/1/0/23] port link-type trunk 
[CSS-GigabitEthernet2/1/0/23] port trunk allow-pass vlan 720 800 
[CSS-GigabitEthernet2/1/0/23] undo port trunk allow-pass vlan 1 
[CSS-GigabitEthernet2/1/0/23] quit

# 配置AC_1、AC_2连接S12700_A和S12700_B的接口加入VLAN800和VLAN720。

<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 720 800
[AC_1] interface gigabitethernet 0/0/24
[AC_1-GigabitEthernet0/0/24] description Connect to S12700_A_1/1/0/20
[AC_1-GigabitEthernet0/0/24] port link-type trunk
[AC_1-GigabitEthernet0/0/24] port trunk allow-pass vlan 720 800
[AC_1-GigabitEthernet0/0/24] undo port trunk allow-pass vlan 1
[AC_1-GigabitEthernet0/0/24] quit

<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 720 800
[AC_2] interface gigabitethernet 0/0/24
[AC_2-GigabitEthernet0/0/24] description Connect to S12700_B_2/1/0/23
[AC_2-GigabitEthernet0/0/24] port link-type trunk
[AC_2-GigabitEthernet0/0/24] port trunk allow-pass vlan 720 800
[AC_2-GigabitEthernet0/0/24] undo port trunk allow-pass vlan 1
[AC_2-GigabitEthernet0/0/24] quit

配置DHCP服务，AC作为DHCP服务器为AP分配IP地址，外置DHCP服务器为STA分配IP地址

配置AC_1和AC_2DHCP服务器为AP分配IP地址

[AC_1] dhcp enable 
[AC_1] interface vlanif 800 
[AC_1-Vlanif800] ip address 10.128.1.2 255.255.255.0 
[AC_1-Vlanif800] dhcp select interface 
[AC_1-Vlanif800] quit

[AC_2] dhcp enable 
[AC_2] interface vlanif 800 
[AC_2-Vlanif800] ip address 10.128.1.3 255.255.255.0 
[AC_2-Vlanif800] dhcp select interface 
[AC_2-Vlanif800] quit

配置S7700作为DHCP中继

[S7700] vlan batch 720 820
[S7700] dhcp enable 
[S7700] interface vlanif 720  
[S7700-Vlanif720] ip address 10.172.1.1 255.255.240.0 
[S7700-Vlanif720] dhcp select relay 
[S7700-Vlanif720] dhcp relay server-ip 172.16.1.252  //外置DHCP服务器IP地址: 172.16.1.252。
[S7700-Vlanif720] quit

配置S12700_A、S12700_B与外置DHCP服务器的链路放通业务VLAN720

[CSS] interface gigabitethernet 1/1/0/21  
[CSS-GigabitEthernet1/1/0/21] description Connect to Router_0/0/29  
[CSS-GigabitEthernet1/1/0/21] port link-type trunk  
[CSS-GigabitEthernet1/1/0/21] port trunk allow-pass vlan 720  
[CSS-GigabitEthernet1/1/0/21] undo port trunk allow-pass vlan 1  
[CSS-GigabitEthernet1/1/0/21] quit  
[CSS] interface gigabitethernet 2/1/0/18 
[CSS-GigabitEthernet2/1/0/18] description Connect to Router_0/0/30  
[CSS-GigabitEthernet2/1/0/18] port link-type trunk  
[CSS-GigabitEthernet2/1/0/18] port trunk allow-pass vlan 720  
[CSS-GigabitEthernet2/1/0/18] undo port trunk allow-pass vlan 1  
[CSS-GigabitEthernet2/1/0/18] quit

配置VRRP+HSB方式的备份

配置AC_1和AC_2的HSB互通

# 配置AC_1连接AC_2的接口GE0/0/23加入HSB VLAN810。

[AC_1] vlan batch 810 
[AC_1] interface gigabitethernet 0/0/23
[AC_1-GigabitEthernet0/0/23] description Connect to AC_2_0/0/23 
[AC_1-GigabitEthernet0/0/23] port link-type trunk 
[AC_1-GigabitEthernet0/0/23] port trunk allow-pass vlan 810 
[AC_1-GigabitEthernet0/0/23] undo port trunk allow-pass vlan 1 
[AC_1-GigabitEthernet0/0/23] quit 
[AC_1] interface vlanif 810 
[AC_1-Vlanif810] ip address 10.1.1.253 30
[AC_1-Vlanif810] quit

# 配置AC_2连接AC_1的接口GE0/0/23加入HSB VLAN810。

[AC_2] vlan batch 810  
[AC_2] interface gigabitethernet 0/0/23
[AC_2-GigabitEthernet0/0/23] description Connect to AC_1_0/0/23 
[AC_2-GigabitEthernet0/0/23] port link-type trunk 
[AC_2-GigabitEthernet0/0/23] port trunk allow-pass vlan 810 
[AC_2-GigabitEthernet0/0/23] undo port trunk allow-pass vlan 1 
[AC_2-GigabitEthernet0/0/23] quit 
[AC_2] interface vlanif 810 
[AC_2-Vlanif810] ip address 10.1.1.254 30 
[AC_2-Vlanif810] quit

配置AC_1的VRRP方式的双机热备份

# 配置VRRP备份组的状态恢复延迟时间为60秒。

[AC_1] vrrp recover-delay 60

# 在AC_1上创建管理VRRP备份组，配置AC_1在该备份组中的优先级为120，并配置抢占时间为1200秒。

[AC_1] interface vlanif 800  
[AC_1-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1  
[AC_1-Vlanif800] vrrp vrid 1 priority 120  
[AC_1-Vlanif800] vrrp vrid 1 preempt-mode timer delay 1200  
[AC_1-Vlanif800] admin-vrrp vrid 1  
[AC_1-Vlanif800] quit

# 在AC_1上创建HSB主备服务0，并配置其主备通道IP地址和端口号。

[AC_1] hsb-service 0 
[AC_1-hsb-service-0] service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241 
[AC_1-hsb-service-0] quit

# 在AC_1上创建HSB备份组0，并配置其绑定HSB主备服务0和管理VRRP备份组。

[AC_1] hsb-group 0  
[AC_1-hsb-group-0] bind-service 0  
[AC_1-hsb-group-0] track vrrp vrid 1 interface vlanif 800  
[AC_1-hsb-group-0] quit

# 配置AC_1业务绑定HSB备份组。

[AC_1] hsb-service-type access-user hsb-group 0 //配置NAC业务绑定HSB备份组。 
[AC_1] hsb-service-type ap hsb-group 0 //配置WLAN业务备份使用的HSB类型为HSB组。
[AC_1] hsb-service-type dhcp hsb-group 0 //配置DHCP服务器绑定在双机热备DHCP服务器组。 
[AC_1] hsb-group 0 
[AC_1-hsb-group-0] hsb enable 
[AC_1-hsb-group-0] quit

在AC_2上配置VRRP方式的双机热备份

# 配置VRRP备份组的状态恢复延迟时间为60秒。

[AC_2] vrrp recover-delay 60

# 在AC_2上创建管理VRRP备份组。

[AC_2] interface vlanif 800 
[AC_2-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1 
[AC_2-Vlanif800] admin-vrrp vrid 1  //设置VRRP备份组1为管理VRRP 
[AC_2-Vlanif800] quit

# 在AC_2上创建HSB主备服务0，并配置其主备通道IP地址和端口号。

[AC_2] hsb-service 0 
[AC_2-hsb-service-0] service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241 
[AC_2-hsb-service-0] quit

# 在AC_2上创建HSB备份组0，并配置其绑定HSB主备服务0和管理VRRP备份组。

[AC_2] hsb-group 0  
[AC_2-hsb-group-0] bind-service 0  
[AC_2-hsb-group-0] track vrrp vrid 1 interface vlanif 800  
[AC_2-hsb-group-0] quit

# 配置AC_2业务绑定HSB备份组。

[AC_2] hsb-service-type access-user hsb-group 0 //配置NAC业务绑定HSB备份组。 
[AC_2] hsb-service-type ap hsb-group 0 //配置WLAN业务备份使用的HSB类型为HSB组。
[AC_2] hsb-service-type dhcp hsb-group 0 //配置DHCP服务器绑定在双机热备DHCP服务器组。

在AC上配置RADIUS服务器认证、计费和授权模板，以便AC能够与RADIUS服务器联动

配置AC_1和AC_2与RADIUS服务器通信VLAN820和有线管理地址

# 配置AC_1连接S12700_A的接口加入VLAN820。

[AC_1] vlan batch 820
[AC_1] interface gigabitethernet 0/0/24
[AC_1-GigabitEthernet0/0/24] port trunk allow-pass vlan 820
[AC_1-GigabitEthernet0/0/24] quit
[AC_1] interface vlanif 820
[AC_1-Vlanif820] ip address 172.16.1.2 24
[AC_1-Vlanif820] quit

# 配置AC_2连接S12700_B的接口加入VLAN820。

[AC_2] vlan batch 820 
[AC_2] interface gigabitethernet 0/0/24
[AC_2-GigabitEthernet0/0/24] port trunk allow-pass vlan 820
[AC_2-GigabitEthernet0/0/24] quit
[AC_2] interface vlanif 820
[AC_2-Vlanif820] ip address 172.16.1.3 24
[AC_2-Vlanif820] quit

# 在AC_1上创建成员VRRP备份组，并将VRRP备份组2和管理VRRP备份组1进行绑定。

[AC_1] interface vlanif 820
[AC_1-Vlanif820] vrrp vrid 2 virtual-ip 172.16.1.1 
[AC_1-Vlanif820] vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown
[AC_1-Vlanif820] quit

# 在AC_2上创建成员VRRP备份组，并将VRRP备份组2和管理VRRP备份组1进行绑定。

[AC_2] interface vlanif 820
[AC_2-Vlanif820] vrrp vrid 2 virtual-ip 172.16.1.1 
[AC_2-Vlanif820] vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown
[AC_2-Vlanif820] quit

配置S12700_A和S12700_B、RADIUS服务器与AC_1、AC_2设备互通

[CSS] vlan batch 820
[CSS] interface gigabitethernet 1/1/0/20 
[CSS-GigabitEthernet1/1/0/20] port trunk allow-pass vlan 820 
[CSS-GigabitEthernet1/1/0/20] quit 
[CSS] interface gigabitethernet 1/1/0/21 
[CSS-GigabitEthernet1/1/0/21] port trunk allow-pass vlan 820 
[CSS-GigabitEthernet1/1/0/21] quit 
[CSS] interface gigabitethernet 2/1/0/23
[CSS-GigabitEthernet2/1/0/23] port trunk allow-pass vlan 820 
[CSS-GigabitEthernet2/1/0/23] quit 
[CSS] interface gigabitethernet 2/1/0/18
[CSS-GigabitEthernet2/1/0/18] port trunk allow-pass vlan 820 
[CSS-GigabitEthernet2/1/0/18] quit

创建并配置RADIUS服务器模板、AAA方案

# 创建并配置RADIUS服务器模板“radius_huawei”。

[AC_1] radius-server template radius_huawei 
[AC_1-radius-radius_huawei] radius-server authentication 172.16.1.254 1812 source ip-address 172.16.1.1 weight 80 //配置认证服务器。 
[AC_1-radius-radius_huawei] radius-server accounting 172.16.1.254 1813 source ip-address 172.16.1.1 weight 80 //配置计费服务器。 
[AC_1-radius-radius_huawei] radius-server shared-key cipher huawei@123 
[AC_1-radius-radius_huawei] radius-server timeout 1
[AC_1-radius-radius_huawei] quit

对于规模较大或者较繁忙的网络尽可能的配置最低的RADIUS重传超时，因为过长的超时时间会占用系统资源，更小的超时时间可以更好地提高AC的处理能力。

当前无线用户默认重传超时时间是5秒，当RADIUS服务器模板下配置了8个以上认证服务器的IP地址或者使用802.1X认证时，推荐将超时时间配置为1秒，以提升网络处理效率。

# 创建RADIUS授权服务器

[AC_1] radius-server authorization  172.16.1.254 shared-key cipher huawei@123

# 创建AAA认证方案“radius_huawei”并配置认证方式为RADIUS。

[AC_1] aaa 
[AC_1-aaa] authentication-scheme radius_huawei 
[AC_1-aaa-authen-radius_huawei] authentication-mode radius //配置认证模式为RADIUS认证。 
[AC_1-aaa-authen-radius_huawei] quit
[AC_1-aaa] accounting-scheme radius_huawei 
[AC_1-aaa-accounting-radius_huawei] accounting-mode radius //配置计费模式为RADIUS模式。 
[AC_1-aaa-accounting-radius_huawei] accounting realtime 15 //开启实时计费功能，并设置实时计费时间间隔为15分钟。 
[AC_1-aaa-accounting-radius_huawei] quit
[AC_1-aaa] quit

实时计费间隔的取值对设备和RADIUS服务器的性能有要求，实时计费间隔的取值越小，对设备和RADIUS服务器的性能要求就越高。请根据用户数设置计费间隔，如下表所示。

表4-140 实时计费间隔和用户量之间的推荐比例关系

用户数	实时计费间隔（分钟）
1～99	3
100～499	6
500～999	12
≥1000	≥15

配置URL模板，配置指向Portal服务器的重定向URL，并指定URL中携带的参数为用户关联SSID和接入用户访问的原始URL地址

[AC_1] url-template name huawei 
[AC_1-url-template-huawei] url http://172.16.1.254:8080/portal 
[AC_1-url-template-huawei] url-parameter ssid ssid redirect-url url 
[AC_1-url-template-huawei] quit

配置Portal服务器模板

[AC_1] web-auth-server huawei 
[AC_1-web-auth-server-huawei] server-ip 172.16.1.254 //配置Portal服务器地址。 
[AC_1-web-auth-server-huawei] shared-key cipher huawei@123  //配置共享密钥。 
[AC_1-web-auth-server-huawei] port 50200  //配置Protal服务器端口号。 
[AC_1-web-auth-server-huawei] url-template huawei 
[AC_1-web-auth-server-huawei] source-ip 172.16.1.1  //配置源地址
[AC_1-web-auth-server-huawei] quit

在AC上配置WLAN业务，满足无线网络在会议室高密场景下的无线接入需求

AC_1上创建VLAN，并配置DHCP Snooping功能

[AC_1] dhcp snooping enable
[AC_1] vlan 720  
[AC_1-vlan720] description meeting-room 
[AC_1-vlan720] dhcp snooping enable
[AC_1-vlan720] quit  
[AC_1] vlan 800  
[AC_1-vlan800] description AP-management-vlan  
[AC_1-vlan800] quit

配置LLDP功能
# 在AC_1上配置LLDP功能。

为了清楚了解设备之间的二层链接状态信息并进行网络拓扑分析，需要使能LLDP功能。当需要在AC上知道AP与接入交换机之间的二层的链接状态信息并进行网络拓扑分析时，需要使能WLAN的LLDP功能。WLAN的LLDP功能有两个开关，一个是全局开关，另一个是AP有线口链路模板视图下的开关。只有两个开关都处于使能状态下，AP才会发送或接收LLDP报文。两个开关默认都处于使能状态。
```
[AC_1] lldp enable
[AC_1] wlan
[AC_1-wlan-view] ap lldp enable
[AC_1-wlan-view] port-link-profile name default 
[AC_1-wlan-port-link-prof-default] lldp enable
[AC_1-wlan-port-link-prof-default] quit
[AC_1-wlan-view] quit
```
# 在接入交换机上配置LLDP功能。

打开LLDP功能，使设备具有通过LLDP功能解析PD设备的能力；若不打开LLDP功能，设备仅通过解析与PD间的电流和电阻，实现对PD的检测和分类。相比电流和电阻解析，LLDP功能提供更全面、更准确的解析能力。打开全局的LLDP功能后，缺省情况下所有接口的LLDP功能都处于打开状态。
```
[S5700_A] lldp enable
```

配置AC_1的WLAN业务

# 配置AC的CAPWAP源地址。

[AC_1] capwap source ip-address 10.128.1.1

# 创建AC_1的AP group“meeting-room”，用于将相同配置的AP都加入同一AP组中。此处以AP_1为例，其他AP添加方法类似，不再赘述。

[AC_1] wlan  
[AC_1-wlan-view] ap-group name meeting-room  
[AC_1-wlan-ap-group-meeting-room] quit  
[AC_1-wlan-view] ap auth-mode mac-auth 
[AC_1-wlan-view] ap-id 1 ap-mac 60de-4476-e360 
[AC_1-wlan-ap-1] ap-name AP_1 
Warning: This operation may cause AP reset. Continue? [Y/N]:y 
[AC_1-wlan-ap-1] ap-group meeting-room 
Warning: This operation maybe cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y   
[AC_1-wlan-ap-1] quit
[AC_1-wlan-view] quit

# 其他AP根据规划进行AP组配置。

# 配置Portal接入模板“portal”。

[AC_1] portal-access-profile name portal  
[AC_1-portal-access-profile-portal] web-auth-server huawei layer3  
[AC_1-portal-access-profile-portal] quit

# 配置MAC接入模板“mac”。

[AC_1] mac-access-profile name mac  
[AC_1-mac-access-profile-mac] quit

# 配置免认证规则模板“default_free_rule”。

[AC_1] free-rule-template name default_free_rule  
[AC_1-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.253 mask 32 //DNS服务器IP地址:172.16.1.253。 
[AC_1-free-rule-default_free_rule] quit

# 配置认证模板“authen-pro”。

[AC_1] authentication-profile name authen-pro  
[AC_1-authentication-profile-authen-pro] portal-access-profile portal  
[AC_1-authentication-profile-authen-pro] free-rule-template default_free_rule  
[AC_1-authentication-profile-authen-pro] authentication-scheme radius_huawei  
[AC_1-authentication-profile-authen-pro] mac-access-profile mac
[AC_1-authentication-profile-authen-pro] accounting-scheme radius_huawei  
[AC_1-authentication-profile-authen-pro] radius-server radius_huawei  
[AC_1-authentication-profile-authen-pro] quit

# 创建安全模板，并配置安全策略。缺省情况下，安全策略为open方式的开放认证。

[AC_1] wlan  
[AC_1-wlan-view] security-profile name open  
[AC_1-wlan-sec-prof-open] quit

# 创建SSID模板“meeting-room”。

[AC_1-wlan-view] ssid-profile name meeting-room  
[AC_1-wlan-ssid-prof-meeting-room] ssid meeting-room  
[AC_1-wlan-ssid-prof-meeting-room] quit

# 配置名称为“meeting-room”的流量模板中二层用户隔离。

[AC_1-wlan-view] traffic-profile name meeting-room
[AC_1-wlan-traffic-prof-meeting-room] user-isolate l2
[AC_1-wlan-traffic-prof-meeting-room] quit

# 创建VAP模板，配置业务数据转发模式、业务VLAN，并且引用安全模板、SSID模板、认证模板和流量模板，使能STA地址严格DHCP获取功能、IPSG功能动态ARP检测功能。

[AC_1-wlan-view] vap-profile name meeting-room  
[AC_1-wlan-vap-prof-meeting-room] service-vlan vlan-id 720  
[AC_1-wlan-vap-prof-meeting-room] security-profile open  
[AC_1-wlan-vap-prof-meeting-room] ssid-profile meeting-room  
[AC_1-wlan-vap-prof-meeting-room] authentication-profile authen-pro 
[AC_1-wlan-vap-prof-meeting-room] traffic-profile meeting-room 
[AC_1-wlan-vap-prof-meeting-room] ip source check user-bind enable 
[AC_1-wlan-vap-prof-meeting-room] arp anti-attack check user-bind enable
[AC_1-wlan-vap-prof-meeting-room] learn-client-address dhcp-strict
[AC_1-wlan-vap-prof-meeting-room] quit

ip source check user-bind enable命令的前置条件为：

由于该功能是基于绑定表进行匹配检查的，因此

对于DHCP用户，需要使能DHCP Snooping自动生成动态绑定表。
对于静态配置IP的用户，需要手工配置静态绑定表。

learn-client-address dhcp-strict命令的前置条件为：

在VAP模板视图下执行命令undo dhcp trust port去使能AP的DHCP信任功能。
执行命令undo learn-client-address { ipv4 | ipv6 } disable使能STA地址学习功能。

# 高密场景下网络优化参数配置。

[AC_1-wlan-view] calibrate enable schedule time 02:00:00
[AC_1-wlan-view] calibrate policy rogue-ap
[AC_1-wlan-view] calibrate policy non-wifi
[AC_1-wlan-view] calibrate sensitivity high
[AC_1-wlan-view] rrm-profile name meeting-room 
[AC_1-wlan-rrm-prof-meeting-room] airtime-fair-schedule enable //使能空口调度功能。  
[AC_1-wlan-rrm-prof-meeting-room] dynamic-edca enable //使能动态edca功能。  
[AC_1-wlan-rrm-prof-meeting-room] undo sta-load-balance dynamic disable//使能动态负载均衡功能
[AC_1-wlan-rrm-prof-meeting-room] undo smart-roam disable
[AC_1-wlan-rrm-prof-meeting-room] smart-roam roam-threshold check-snr
[AC_1-wlan-rrm-prof-meeting-room] smart-roam roam-threshold snr 25
[AC_1-wlan-rrm-prof-meeting-room] smart-roam quick-kickoff-threshold snr 20
[AC_1-wlan-rrm-prof-meeting-room] quit
[AC_1-wlan-view] traffic-profile name meeting-room                                      
[AC_1-wlan-traffic-prof-meeting-room] rate-limit client down 4096                       
[AC_1-wlan-traffic-prof-meeting-room] rate-limit client up 4096
[AC_1-wlan-traffic-prof-meeting-room] quit
[AC_1-wlan-view] radio-2g-profile name 2G
[AC_1-wlan-radio-2g-prof-2G] rts-cts-mode rts-cts //指定射频模板中RTS-CTS的工作模式。  
[AC_1-wlan-radio-2g-prof-2G] rts-cts-threshold 1400 //指定射频模板中的RTS-CTS门限。
[AC_1-wlan-radio-2g-prof-2G] wmm edca-ap ac-be ecw ecwmin 5 ecwmax 6
Warning: This action may cause service interruption. Continue?[Y/N]y 
[AC_1-wlan-radio-2g-prof-2G] guard-interval-mode short
[AC_1-wlan-radio-2g-prof-2G] beacon-interval 100
[AC_1-wlan-radio-2g-prof-2G] rrm-profile meeting-room
Warning: This action may cause service interruption. Continue?[Y/N]y 
[AC_1-wlan-radio-2g-prof-2G] quit
[AC_1-wlan-view] radio-5g-profile name 5G
[AC_1-wlan-radio-5g-prof-5G] rts-cts-mode rts-cts  
[AC_1-wlan-radio-5g-prof-5G] rts-cts-threshold 1400
[AC_1-wlan-radio-5g-prof-5G] wmm edca-ap ac-be ecw ecwmin 5 ecwmax 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-radio-5g-prof-5G] guard-interval-mode short
[AC_1-wlan-radio-5g-prof-5G] beacon-interval 100
[AC_1-wlan-radio-5g-prof-5G] rrm-profile meeting-room
Warning: This action may cause service interruption. Continue?[Y/N]y  
[AC_1-wlan-radio-5g-prof-5G] quit
[AC_1-wlan-view] ssid-profile name meeting-room                                         
[AC_1-wlan-ssid-prof-meeting-room] beacon-2g-rate 11
[AC_1-wlan-ssid-prof-meeting-room] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-ssid-prof-meeting-room] wmm edca-client ac-be ecw ecwmin 7 ecwmax 10
[AC_1-wlan-ssid-prof-meeting-room] quit

Beacon帧是一种周期发送的广播帧，AP通过周期发送Beacon帧来声明某个802.11网络的存在。Beacon周期配置太大，会导致STA休眠时间变长；Beacon周期配置太小，会导致空口开销变大。因此，建议用户根据VAP的数量调整Beacon周期的大小。缺省情况下，AP发送Beacon帧的周期为100TUs

对于单个射频下不同VAP数量对应的Beacon周期的配置建议值如下：

4个VAP及以内：100TUs左右
5～8个VAP：200TUs左右
9～12个VAP：300TUs左右
13～16个VAP：400TUs左右

配置如下：

[AC_1-wlan-view] radio-2g-profile name default

[AC_1-wlan-radio-2g-prof-default] beacon-interval 200

# 配置AP组引用VAP模板，AP上射频0和射频1都使用VAP模板的配置。

[AC_1-wlan-view] ap-group name meeting-room  
[AC_1-wlan-ap-group-meeting-room] vap-profile meeting-room wlan 1 radio all 
[AC_1-wlan-ap-group-meeting-room] radio 0
[AC_1-wlan-group-radio-meeting-room/0] radio-2g-profile 2G
Warning: This action may cause service interruption. Continue?[Y/N]y 
[AC_1-wlan-group-radio-meeting-room/0] quit
[AC_1-wlan-ap-group-meeting-room] radio 1
[AC_1-wlan-group-radio-meeting-room/1] radio-5g-profile 5G
Warning: This action may cause service interruption. Continue?[Y/N]y 
[AC_1-wlan-group-radio-meeting-room/1] quit
[AC_1-wlan-ap-group-meeting-room] quit
[AC_1-wlan-view] quit

配置AC_2的WLAN业务，类似AC_1的配置，此处不再赘述。

使能AC_2的双机热备功能。

[AC_2] hsb-group 0  
[AC_2-hsb-group-0] hsb enable  
[AC_2-hsb-group-0] quit

在Agile Controller- Enterprise业务管理器中添加AC，并配置参数，保证Controller能与AC正常联动

选择“资源> 设备 > 设备管理”，单击“增加”。

参数	说明
IP地址	VLANIF820虚拟IP地址：172.16.1.1
RADIUS认证密钥&RADIUS计费密钥	与RADIUS模板radius-server shared-key cipher huawei@123所指定的密钥一致
实时计费周期	与计费模板accounting realtime 15所指定的周期一致
Portal密钥	与Portal服务器模板shared-key cipher huawei@123所指定的密钥一致
接入终端IP地址列表	与STA地址池一致

增加授权结果和授权规则，对用户认证成功后授予访问控制权限

无线用户接入使用缺省认证授权规则，缺省授权规则允许认证后访问所有资源。
如需修改认证授权规则，选择“策略 > 准入控制 > 认证授权”。
可选：选择“策略 > 准入控制 > 页面定制 > 页面定制”，自定义推送页面。如未自定义采用系统默认页面。
可选：选择“策略>准入控制>页面定制>Portal页面推送策略”，设置页面推送规则。按优先级匹配页面推送规则。如未设置，按系统默认推送规则推送。
选择“系统 > 终端参数配置 > 全局参数”，启用MAC优先的Portal认证。

结果验证

在AC_1和AC_2上执行display ap all命令，检查当前AP的状态，显示以下信息表示AP上线成功。
```
[AC_1] display ap all  
```
在AC_1和AC_2上执行display hsb-service 0命令，查看主备服务的建立情况，可以看到Service State字段的显示为Connected，说明主备服务通道已经成功建立。
```
[AC_1] display hsb-service 0 
[AC_2] display hsb-service 0
Hot Standby Service Information:
```
在AC_1和AC_2上执行display hsb-group 0命令，查看HSB备份组的运行情况。
```
[AC_1] display hsb-group 0
```
```
[AC_2] display hsb-group 0
```
用户是否能够通过RADIUS模板的认证。（已在RADIUS服务器上配置了测试用户test@huawei.com，用户密码123456）。
```
[AC_1] test-aaa test@huawei.com 123456 radius-template radius_huawei  
Info: Account test succeed.
```
完成配置后，用户可通过无线终端搜索到SSID为meeting-room的无线网络，用户关联到无线网络上后，无线终端能够被分配相应的IP地址。STA上打开浏览器访问Internet，自动跳转到Portal服务器提供的页面，在页面上输入正确的用户名(test@huawei.com)和密码(123456)，认证通过后可以正常访问Internet。
用户使用手机可以正常使用漫游业务。

配置脚本

AC_1	AC_2
# sysname AC_1 # vrrp recover-delay 60 # vlan batch 720 800 810 820 # authentication-profile name authen-pro mac-access-profile mac portal-access-profile portal free-rule-template default_free_rule authentication-scheme radius_huawei accounting-scheme radius_huawei radius-server radius_huawei # dhcp enable # dhcp snooping enable # radius-server template radius_huawei radius-server shared-key cipher %^%#jH,7O6/D*,z;7%#@l0f,0IR!ZYX^g=Wj2k"rS~DB%^%# radius-server authentication 172.16.1.254 1812 source ip-address 172.16.1.1 weight 80 radius-server accounting 172.16.1.254 1813 source ip-address 172.16.1.1 weight 80 radius-server timeout 1 radius-server authorization 172.16.1.254 shared-keycipher %^%#`,w9~s3Q8L_.-7Pj=tQ#~~96BFa%N5d.Jw$F(!W@%^%# # free-rule-template name default_free_rule free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255 # url-template name huawei url http://172.16.1.254:8080/portal url-parameter ssid ssid redirect-url url # web-auth-server huawei server-ip 172.16.1.254 port 50200 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%# source-ip 172.16.1.1 url-template huawei # portal-access-profile name portal web-auth-server huawei layer3 # aaa authentication-scheme radius_huawei authentication-mode radius accounting-scheme radius_huawei accounting-mode radius accounting realtime 15 # interface Vlanif800 ip address 10.128.1.2 255.255.255.0 vrrp vrid 1 virtual-ip 10.128.1.1 admin-vrrp vrid 1 vrrp vrid 1 priority 120 vrrp vrid 1 preempt-mode timer delay 1200 dhcp select interface # interface Vlanif810 ip address 10.1.1.253 255.255.255.252 # interface Vlanif820 ip address 172.16.1.2 255.255.255.0 vrrp vrid 2 virtual-ip 172.16.1.1 vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown # interface GigabitEthernet0/0/23 description Connect to AC_2_0/0/23 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 810 # interface GigabitEthernet0/0/24 description Connect to S12700_A_1/1/0/20 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 820 # capwap source ip-address 10.128.1.1 # hsb-service 0 service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241 # hsb-group 0 track vrrp vrid 1 interface Vlanif800 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan calibrate enable schedule time 02:00:00 calibrate policy rogue-ap calibrate policy non-wifi calibrate sensitivity high traffic-profile name meeting-room rate-limit client up 4096 rate-limit client down 4096 user-isolate l2 security-profile name open ssid-profile name meeting-room ssid meeting-room association-timeout 1 wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0 beacon-2g-rate 11 vap-profile name meeting-room service-vlan vlan-id 720 ssid-profile meeting-room security-profile open traffic-profile meeting-room authentication-profile authen-pro ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict rrm-profile name meeting-room airtime-fair-schedule enable smart-roam roam-threshold snr 25 smart-roam quick-kickoff-threshold snr 20 dynamic-edca enable radio-2g-profile name 2G wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal rrm-profile meeting-room radio-5g-profile name 5G wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal rrm-profile meeting-room ap-group name meeting-room radio 0 radio-2g-profile 2G vap-profile meeting-room wlan 1 radio 1 radio-5g-profile 5G vap-profile meeting-room wlan 1 ap-id 1 type-id 75 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 ap-name AP_1 ap-group meeting-room # mac-access-profile name mac # return	# sysname AC_2 # vrrp recover-delay 60 # vlan batch 720 800 810 820 # authentication-profile name authen-pro mac-access-profile mac portal-access-profile portal free-rule-template default_free_rule authentication-scheme radius_huawei accounting-scheme radius_huawei radius-server radius_huawei # dhcp enable # dhcp snooping enable # vlan 720 description meeting-room dhcp snooping enable vlan 800 description AP-management-vlan # radius-server template radius_huawei radius-server shared-key cipher %^%#jH,7O6/D*,z;7%#@l0f,0IR!ZYX^g=Wj2k"rS~DB%^%# radius-server authentication 172.16.1.254 1812 source ip-address 172.16.1.1 weight 80 radius-server accounting 172.16.1.254 1813 source ip-address 172.16.1.1 weight 80 radius-server timeout 1 radius-server authorization 172.16.1.254 shared-keycipher %^%#`,w9~s3Q8L_.-7Pj=tQ#~~96BFa%N5d.Jw$F(!W@%^%# # free-rule-template name default_free_rule free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255 # url-template name huawei url http://172.16.1.254:8080/portal url-parameter ssid ssid redirect-url url # web-auth-server huawei server-ip 172.16.1.254 port 50200 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%# source-ip 172.16.1.1 url-template huawei # portal-access-profile name portal web-auth-server huawei layer3 # aaa authentication-scheme radius_huawei authentication-mode radius accounting-scheme radius_huawei accounting-mode radius accounting realtime 15 # interface Vlanif800 ip address 10.128.1.3 255.255.255.0 vrrp vrid 1 virtual-ip 10.128.1.1 admin-vrrp vrid 1 dhcp select interface # interface Vlanif810 ip address 10.1.1.254 255.255.255.252 # interface Vlanif820 ip address 172.16.1.3 255.255.255.0 vrrp vrid 2 virtual-ip 172.16.1.1 vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown # interface GigabitEthernet0/0/23 description Connect to AC_1_0/0/23 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 810 # interface GigabitEthernet0/0/24 description Connect to S12700_B_1/1/0/20 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 820 # capwap source ip-address 10.128.1.1 # hsb-service 0 service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241 # hsb-group 0 track vrrp vrid 1 interface Vlanif800 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan calibrate enable schedule time 02:00:00 calibrate policy rogue-ap calibrate policy non-wifi calibrate sensitivity high traffic-profile name meeting-room rate-limit client up 4096 rate-limit client down 4096 user-isolate l2 security-profile name open ssid-profile name meeting-room ssid meeting-room association-timeout 1 wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0 beacon-2g-rate 11 vap-profile name meeting-room service-vlan vlan-id 720 ssid-profile meeting-room security-profile open traffic-profile meeting-room authentication-profile authen-pro ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict rrm-profile name meeting-room airtime-fair-schedule enable smart-roam roam-threshold snr 25 smart-roam quick-kickoff-threshold snr 20 dynamic-edca enable radio-2g-profile name 2G wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal rrm-profile meeting-room radio-5g-profile name 5G wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal rrm-profile meeting-room ap-group name meeting-room radio 0 radio-2g-profile 2G vap-profile meeting-room wlan 1 radio 1 radio-5g-profile 5G vap-profile meeting-room wlan 1 ap-id 1 type-id 75 ap-mac 60de-4476-e360 ap-name AP_1 ap-group meeting-room # mac-access-profile name mac # return

AC_1

AC_2

#
sysname AC_1
#
vrrp recover-delay 60
#
vlan batch 720 800 810 820
#
authentication-profile name authen-pro
 mac-access-profile mac
 portal-access-profile portal
 free-rule-template default_free_rule
 authentication-scheme radius_huawei 
 accounting-scheme radius_huawei
 radius-server radius_huawei
#
dhcp enable
#
dhcp snooping enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#jH,7O6/D*,z;7%#@l0f,0IR!ZYX^g=Wj2k"rS~DB%^%# 
 radius-server authentication 172.16.1.254 1812 source ip-address 172.16.1.1 weight 80
 radius-server accounting 172.16.1.254 1813 source ip-address 172.16.1.1 weight 80
radius-server timeout 1
radius-server authorization 172.16.1.254 shared-keycipher %^%#`,w9~s3Q8L_.-7Pj=tQ#~~96BFa%N5d.Jw$F(!W@%^%#
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255
#
url-template name huawei
 url http://172.16.1.254:8080/portal
 url-parameter ssid ssid redirect-url url
#
web-auth-server huawei
 server-ip 172.16.1.254
 port 50200
 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
 source-ip 172.16.1.1
 url-template huawei
#
portal-access-profile name portal
 web-auth-server huawei layer3
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme radius_huawei
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif800
 ip address 10.128.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.128.1.1
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
 dhcp select interface
#
interface Vlanif810
 ip address 10.1.1.253 255.255.255.252
#
interface Vlanif820
 ip address 172.16.1.2 255.255.255.0
 vrrp vrid 2 virtual-ip 172.16.1.1
 vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown
#
interface GigabitEthernet0/0/23
 description Connect to AC_2_0/0/23
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 810
#
interface GigabitEthernet0/0/24
 description Connect to S12700_A_1/1/0/20
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800 820
#
capwap source ip-address 10.128.1.1
#
hsb-service 0
 service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif800
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan 
 calibrate enable schedule time 02:00:00
 calibrate policy rogue-ap
 calibrate policy non-wifi
 calibrate sensitivity high
 traffic-profile name meeting-room
  rate-limit client up 4096
  rate-limit client down 4096
  user-isolate l2
 security-profile name open
 ssid-profile name meeting-room
  ssid meeting-room
  association-timeout 1
  wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
  beacon-2g-rate 11
 vap-profile name meeting-room
  service-vlan vlan-id 720
  ssid-profile meeting-room
  security-profile open
  traffic-profile meeting-room
  authentication-profile authen-pro
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 rrm-profile name meeting-room
  airtime-fair-schedule enable
  smart-roam roam-threshold snr 25
  smart-roam quick-kickoff-threshold snr 20
  dynamic-edca enable
 radio-2g-profile name 2G
   wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
  rrm-profile meeting-room
 radio-5g-profile name 5G
  wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
  rrm-profile meeting-room
 ap-group name meeting-room
  radio 0
   radio-2g-profile 2G
   vap-profile meeting-room wlan 1
  radio 1
   radio-5g-profile 5G
   vap-profile meeting-room wlan 1
 ap-id 1 type-id 75 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name AP_1 
  ap-group meeting-room
#
mac-access-profile name mac 
#
return

#
sysname AC_2
#
vrrp recover-delay 60
#
vlan batch 720 800 810 820
#
authentication-profile name authen-pro
 mac-access-profile mac
 portal-access-profile portal
 free-rule-template default_free_rule
 authentication-scheme radius_huawei 
 accounting-scheme radius_huawei
 radius-server radius_huawei
#
dhcp enable
#
dhcp snooping enable
#
vlan 720
description meeting-room
dhcp snooping enable
vlan 800
description AP-management-vlan
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#jH,7O6/D*,z;7%#@l0f,0IR!ZYX^g=Wj2k"rS~DB%^%# 
 radius-server authentication 172.16.1.254 1812 source ip-address 172.16.1.1 weight 80
 radius-server accounting 172.16.1.254 1813 source ip-address 172.16.1.1 weight 80
radius-server timeout 1
radius-server authorization 172.16.1.254 shared-keycipher %^%#`,w9~s3Q8L_.-7Pj=tQ#~~96BFa%N5d.Jw$F(!W@%^%#
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255
#
url-template name huawei
 url http://172.16.1.254:8080/portal
 url-parameter ssid ssid redirect-url url
#
web-auth-server huawei
 server-ip 172.16.1.254
 port 50200
 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
 source-ip 172.16.1.1
 url-template huawei
#
portal-access-profile name portal
 web-auth-server huawei layer3
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme radius_huawei
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif800
 ip address 10.128.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.128.1.1
 admin-vrrp vrid 1
 dhcp select interface
#
interface Vlanif810
 ip address 10.1.1.254 255.255.255.252
#
interface Vlanif820
 ip address 172.16.1.3 255.255.255.0
 vrrp vrid 2 virtual-ip 172.16.1.1
 vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown
#
interface GigabitEthernet0/0/23
 description Connect to AC_1_0/0/23
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 810
#
interface GigabitEthernet0/0/24
 description Connect to S12700_B_1/1/0/20
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800 820
#
capwap source ip-address 10.128.1.1
#
hsb-service 0
 service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif800
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan 
 calibrate enable schedule time 02:00:00
 calibrate policy rogue-ap
 calibrate policy non-wifi
 calibrate sensitivity high
 traffic-profile name meeting-room
  rate-limit client up 4096
  rate-limit client down 4096
   user-isolate l2
 security-profile name open
 ssid-profile name meeting-room
  ssid meeting-room
  association-timeout 1
  wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0 
  beacon-2g-rate 11
 vap-profile name meeting-room
  service-vlan vlan-id 720
  ssid-profile meeting-room
  security-profile open
  traffic-profile meeting-room
  authentication-profile authen-pro
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 rrm-profile name meeting-room
  airtime-fair-schedule enable
  smart-roam roam-threshold snr 25
  smart-roam quick-kickoff-threshold snr 20
  dynamic-edca enable
 radio-2g-profile name 2G
  wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
  rrm-profile meeting-room
 radio-5g-profile name 5G
  wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
  rrm-profile meeting-room
 ap-group name meeting-room
  radio 0
   radio-2g-profile 2G
   vap-profile meeting-room wlan 1
  radio 1
   radio-5g-profile 5G
   vap-profile meeting-room wlan 1
 ap-id 1 type-id 75 ap-mac 60de-4476-e360 
  ap-name AP_1 
  ap-group meeting-room
#
mac-access-profile name mac
# 
return

集群系统
# sysname CSS # vlan batch 720 800 820 # interface GigabitEthernet1/1/0/19 description Connect to S7700_1/0/17 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # interface GigabitEthernet1/1/0/20 description Connect to AC_1_0/0/24 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 820 # interface GigabitEthernet1/1/0/21 description Connect to Router_0/0/29 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 820 # interface GigabitEthernet1/1/1/7 mad detect mode direct # interface GigabitEthernet2/1/0/18 description Connect to Router_0/0/30 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 820 # interface GigabitEthernet2/1/0/22 description Connect to S7700_1/0/18 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # interface GigabitEthernet2/1/0/23 description Connect to AC_2_0/0/24 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 820 # interface GigabitEthernet2/1/1/7 mad detect mode direct # return

集群系统

#
sysname CSS
#
vlan batch 720 800 820
#
interface GigabitEthernet1/1/0/19
 description Connect to S7700_1/0/17
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800
#
interface GigabitEthernet1/1/0/20
 description Connect to AC_1_0/0/24
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800 820
#
interface GigabitEthernet1/1/0/21
 description Connect to Router_0/0/29
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 820
#
interface GigabitEthernet1/1/1/7
 mad detect mode direct
#
interface GigabitEthernet2/1/0/18
 description Connect to Router_0/0/30 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 720 820
#
interface GigabitEthernet2/1/0/22
 description Connect to S7700_1/0/18
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800
#
interface GigabitEthernet2/1/0/23
 description Connect to AC_2_0/0/24
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800 820
#
interface GigabitEthernet2/1/1/7
  mad detect mode direct
#
return

S7700
# sysname S7700 # vlan batch 720 800 # interface Vlanif720 ip address 10.172.1.1 255.255.240.0 dhcp select relay dhcp relay server-ip 172.16.1.252 # interface GigabitEthernet1/0/3 description Connect to S5700_A_0/0/3 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # interface GigabitEthernet1/0/17 description Connect to S12700_A_1/1/0/19 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # interface GigabitEthernet1/0/18 description Connect to S12700_B_2/1/0/22 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # return

S7700

#
sysname S7700
#
vlan batch 720 800
#
interface Vlanif720
 ip address 10.172.1.1 255.255.240.0
 dhcp select relay
 dhcp relay server-ip 172.16.1.252
#
interface GigabitEthernet1/0/3
 description Connect to S5700_A_0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800
#
interface GigabitEthernet1/0/17
 description Connect to S12700_A_1/1/0/19
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800
#
interface GigabitEthernet1/0/18
 description Connect to S12700_B_2/1/0/22
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800
#
return

S5700_A
# sysname S5700_A # traffic classifier huawei if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 # traffic behavior huawei statistic enable car cir 100 # traffic policy huawei classifier huawei behavior huawei # vlan batch 720 800 # lldp enable # interface GigabitEthernet0/0/1 description Connect to AP_1 port link-type trunk port trunk pvid vlan 800 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 port-isolate enable group 1 stp edged-port enable traffic-policy huawei inbound traffic-policy huawei outbound # interface GigabitEthernet0/0/2 description Connect to AP_2 port link-type trunk port trunk pvid vlan 800 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 port-isolate enable group 1 stp edged-port enable traffic-policy huawei inbound traffic-policy huawei outbound # interface GigabitEthernet0/0/3 description Connect to S7700_1/0/3 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # return

S5700_A

#
sysname S5700_A
#
traffic classifier huawei 
if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000
#
traffic behavior huawei 
statistic enable
car cir 100 
#
traffic policy huawei
classifier huawei behavior huawei
#
vlan batch 720 800
#
lldp enable
#
interface GigabitEthernet0/0/1
 description Connect to AP_1
 port link-type trunk
 port trunk pvid vlan 800
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800
 port-isolate enable group 1 
 stp edged-port enable 
 traffic-policy huawei inbound
 traffic-policy huawei outbound
#
interface GigabitEthernet0/0/2
 description Connect to AP_2
 port link-type trunk
 port trunk pvid vlan 800
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800
 port-isolate enable group 1 
 stp edged-port enable 
 traffic-policy huawei inbound
 traffic-policy huawei outbound
#
interface GigabitEthernet0/0/3
 description Connect to S7700_1/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 720 800
#
return

开局常见问题处理

AP上线失败

问题描述

AP上线失败。

可能原因

前期PoE交换机PoE参数配置错误
AC和AP间的链路没打通
施工人员网线没做好

以上原因占据平时排查工作大部分时间。

处理过程

处理过程如下：

对照AP设备《产品描述》中指定的PoE供电协议标准，检查PoE供电设备是否满足。如果不符，则需要更换为满足要求的PoE供电设备。
对于华为PoE交换机，在系统视图下执行display poe power命令，根据回显信息中的USMPW（mW）值可以确定其供电协议标准：15400表示该交换机支持的PoE供电协议是IEEE 802.3af标准，30000表示该交换机支持的PoE供电协议是IEEE 802.3at标准。
检查AP与AC之间网络是否互通。如果不通，请检查对应配置是否正确。
尝试更换连接AP的物理线路。

适用范围和业务需求
方案设计
配置思路和数据规划
配置步骤
结果验证
配置脚本
开局常见问题处理
- AP上线失败

翻译

下载文档

更新时间：2024-03-04

文档编号：EDOC1100064370

浏览量：246716

下载量：6086

平均得分：5.0分