WLAN V200R010C00 典型配置案例集
无线覆盖部署案例(会议室-室内高密)
适用范围和业务需求
适用范围
本案例适用于企业办公无线方案,空间范围大,对网规、覆盖及容量要求兼顾容量和成本的情况下保证信号覆盖与用户体验 ,规划要求高,需做好充足的准备和现场测试,并发率高,用户密度高。
业务需求
会议室场景的特点如下:
- 空间范围大
- 对网规、覆盖及容亮要求兼顾容量和成本的情况下保证信号覆盖与用户体验
- 满足单用户的下行流量2M,上行流量1M
- 终端的并发率高,用户密度高
接入需求
希望会议室中提供无线接入方式。
对于无线覆盖需要做到覆盖均匀、无盲区、高吞吐量、并发多用户处理能力强。一般高密中的接入终端类型,主要是笔记本电脑、平板电脑和手机接入,包含802.11ac设备。
室内无线设备需要部署便捷、外观美观时尚。
无线漫游需求
不同场所间漫游时重新接入无线网络,需要简化认证。
可靠性需求
当网络中的单台设备产生故障时,也需要保证网络可靠性。
安全性需求
需要解决不同AP间的WLAN用户二层互通的问题。
认证计费需求
无线用户需要通过Portal认证后才能接入网络。
方案设计
组网图
会议室高密无线方案推荐组网如下图所示。
网络设计分析
- 设备选型
- 选取AC6605或AC6005,提供小型或中型组网能力,部署更加灵活。
- 室内AP:选择AP4050DN、AP6050DN覆盖房间区域。
- 部署方案
基于有线核心网,采用室内AP覆盖。AC旁挂式部署,部署在核心层。
- 无线漫游
对于实现漫游,只需将所有AP的SSID和安全策略都配成一致即可。
对于认证方案,可采用MAC优先的Portal认证,从而达到漫游中简化认证的要求。
在室内高密场景中,建议开启智能漫游功能,当AP检测到STA的信噪比或接入速率低于指定的门限时,主动向STA发送解除关联报文,让STA重新连接或漫游,解决了STA在弱信号强度的情况下不会重新连接或漫游的问题。
- 可靠性
为了保证核心设备的可靠性,采用核心设备做集群,并配置多主检测。
为了保证WLAN业务的可靠性,可在网络中部署2台AC设备,并配置AC的VRRP热备份。当两台设备在确定主用(Master)设备和备用(Backup)设备后,由主用设备进行业务的转发,而备用设备处于待命状态,同时主用设备实时向备用设备发送状态信息和需要备份的信息,当主用设备出现故障后,备用设备及时接替主用设备的业务运行,从而提高了网络的可靠性。
- 安全性
在交换机与AP直接相连的接口上配置端口隔离,可解决不同AP间的WLAN用户二层互通的问题。
AP设备上有防盗锁孔,可以连接到防盗锁,保证设备的安全性。
实际部署时不建议使用VLAN 1作为业务VLAN,将各端口从VLAN1中退出。根据实际业务需求透传VLAN,禁止端口透传所有VLAN。
设备连接终端或AP的端口建议都配置为边缘端口。
将所有设备不使用的端口Shutdown。
使能设备的STA地址严格DHCP获取功能、ARP动态检测功能和IPSG功能,可防止非法用户的IP报文任意通过AP访问外部网络,提高设备安全性。
为了使DHCP客户端能通过合法的DHCP服务器获取IP地址,有效防止DHCP Server仿冒者攻击、DHCP Server的拒绝服务攻击、仿冒DHCP报文攻击等,建议配置DHCP Snooping功能。如果网络中同时存在有线用户和无线用户,交换机连接AP的接口不建议使能DHCP Snooping,可能会造成交换机用户绑定表超规格,所以针对有线用户,建议基于VLAN配置DHCP Snooping,针对无线用户,建议在无线侧VAP模板上配置。
为了减小大量低速组播报文对无线网络造成的冲击,如果网络中没有组播业务时,建议配置组播报文抑制功能。
- 接入设计
在室内高密场景中,建议开启短帧间间隔,可以提高802.11n和802.11ac的传输率。
在室内高密场景中,建议将无线用户的关联老化时间设置为1分钟,防止存在频繁离开整个无线网络覆盖的用户。
在室内高密场景中,建议开启Airtime调度功能,通过在同一业务下计算每个用户的无线信道占用时间,优先调度占用无线信道时间较少的用户,保证每个用户相对公平的占用无线信道,提升用户体验效果。
在高校室内高密场景下,建议使用RTS-CTS模式,RTS/CTS(Request To Send/Clear To Send)握手协议,可以避免信道冲突导致的数据传输失败。
- 认证计费需求
无线用户通过MAC优先的Portal认证后才能接入网络,认证点在AC上。
方案涉及网元的软件版本要求
本方案适用的产品和版本如下表所示。
产品名 |
产品版本 |
---|---|
AC6605 |
V200R010C00 |
AP4050DN、AP6050DN |
V200R010C00 |
S12700 |
V200R010C00 |
S7700 |
V200R010C00 |
S5700 |
V200R010C00 |
Agile Controller-Enterprise |
V100R002C10 |
配置思路和数据规划
配置思路
按照会议室的需求,采用如下的思路进行配置:
- 配置核心交换机集群,保证核心交换机的可靠性。
- 配置接入交换机、汇聚交换机和AC的网络互通。
- 配置DHCP服务,AC作为DHCP服务器为AP分配IP地址,外置DHCP服务器为STA分配IP地址。
- 在AC上配置RADIUS服务器认证、计费和授权模板,以便AC能够与RADIUS服务器联动。
- 配置AC的VRRP备份,保证WLAN业务可靠性。
- 在AC上配置WLAN业务,满足无线网络在高密场景下的无线接入需求。
- 在Agile Controller-Enterprise业务管理器中添加AC,并配置参数,保证Controller能与AC正常联动。
- 增加授权结果和授权规则,对用户认证成功后授予访问控制权限。
数据规划
为完成配置任务,需规划和的数据项。
项目 |
编号 |
接口号 |
所属VLAN |
IP地址 |
描述 |
---|---|---|---|---|---|
接入交换机S5700_A |
1 |
GE0/0/1 |
VLAN800、VLAN720 |
- |
连接AP_1 |
2 |
GE0/0/2 |
VLAN800、VLAN720 |
- |
连接AP_2 |
|
3 |
GE0/0/3 |
VLAN800、VLAN720 |
- |
连接汇聚交换机S7700 |
|
汇聚交换机S7700 |
13 |
GE1/0/3 |
VLAN800、VLAN720 |
- |
接入交换机S5700_A |
17 |
GE1/0/17 |
VLAN800、VLAN720 |
- |
连接S12700_A |
|
18 |
GE1/0/18 |
VLAN800、VLAN720 |
- |
连接S12700_B |
|
S12700_A和S12700_B集群 |
19 |
GE1/1/0/19 |
VLAN800、VLAN720 |
- |
连接汇聚交换机S7700 |
22 |
GE2/1/0/22 |
VLAN800、VLAN720 |
- |
||
20 |
GE1/1/0/20 |
VLAN800、VLAN820、VLAN720 |
- |
连接AC_1 |
|
23 |
GE2/1/0/23 |
VLAN800、VLAN820、VLAN720 |
- |
连接AC_2 |
|
21 |
GE1/1/0/21 |
VLAN820、VLAN720 |
- |
连接Router |
|
24 |
GE2/1/0/18 |
VLAN820、VLAN720 |
- |
连接Router |
|
AC_1 |
25 |
GE0/0/24 |
VLAN800、VLAN820、VLAN720 |
VLANIF800:10.128.1.2/24 VLANIF820:172.16.1.2/24 |
连接S12700_A |
26 |
GE0/0/23 |
VLAN810 |
VLANIF810:10.1.1.253/30 |
连接AC_2 |
|
AC_2 |
27 |
GE0/0/24 |
VLAN800、VLAN820、VLAN720 |
VLANIF800:10.128.1.3/24 VLANIF820:172.16.1.3/24 |
连接S12700_B |
28 |
GE0/0/23 |
VLAN810 |
VLANIF810:10.1.1.254/30 |
连接AC_1 |
项目 |
说明 |
---|---|
AP管理VLAN |
800 |
VRRP备份组 |
|
|
|
DHCP服务器 |
|
AP地址池 |
10.128.1.4~10.128.1.254/24 |
STA地址池 |
10.172.0.1~10.172.15.254/20( 除去10.172.1.1) |
AAA参数 |
认证方案:
计费方案:
|
RADIUS参数 |
RADIUS服务器模板名称:radius_huawei,其中:
RADIUS授权服务器:
|
Portal服务器模板 |
|
URL模板 |
|
Portal接入模板 |
|
MAC接入模板 |
|
免认证规则模板 |
|
认证模板 |
|
DNS服务器 |
IP地址:172.16.1.253 |
AP组 |
|
自动调优 |
|
SSID模板 |
|
安全模板 |
|
流量模板 |
|
VAP模板 |
|
RRM模板 |
|
2G射频模板 |
|
5G射频模板 |
|
Agile Controller-Enterprise |
|
配置步骤
配置核心交换机集群,保证核心交换机的可靠性
- 配置核心交换机集群。
# 在S12700-1和S12700-2上安装集群卡,连接集群卡的线缆,详细连线指导请参见“S交换机CSS助手”。
# 在配置集群连接方式、集群ID和集群优先级。
<S12700-1> system-view [S12700-1] set css mode css-card [S12700-1] set css id 1 Warning: Modifying the CSS chassis ID will cause interface configuration loss. Continue? [Y/N]:y Info: This operation may take a few seconds. Please wait.... Info: CSS configuration has been changed, and the new configuration will take effect after a reboot and CSS has been enabled. [S12700-1] set css priority 100 //在S12700-1上配置集群ID为1、集群优先级为100 <S12700-2> system-view [S12700-2] set css mode css-card [S12700-2] set css id 2 Warning: Modifying the CSS chassis ID will cause interface configuration loss. Continue? [Y/N]:y Info: This operation may take a few seconds. Please wait.... Info: CSS configuration has been changed, and the new configuration will take effect after a reboot and CSS has been enabled. [S12700-2] set css priority 10 //在S12700-2上配置集群ID为2、集群优先级为10
# 使能CSS。
[S12700-1] css enable //使能CSS功能并重启S12700-1 Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y [S12700-2] css enable //使能CSS功能并重启S12700-2 Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
# 重启核心交换机,查看集群状态,确认集群系统主交换机的CSS MASTER灯绿色常亮。
- 集群配置接口采用直连方式多主检测功能。
- 配置接口GE1/1/1/7采用直连方式多主检测功能。
<CSS> system-view [CSS] interface gigabitethernet 1/1/1/7 [CSS-GigabitEthernet1/1/1/7] mad detect mode direct Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y [CSS-GigabitEthernet1/1/1/7] quit
- 配置接口GE2/1/1/7采用直连方式多主检测功能。
[CSS] interface gigabitethernet 2/1/1/7 [CSS-GigabitEthernet2/1/1/7] mad detect mode direct Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y [CSS-GigabitEthernet2/1/1/7] quit
- 查看集群系统多主检测详细配置信息。
[CSS] display mad verbose Current MAD domain: 0 Current MAD status: Detect Mad direct detect interfaces configured: GigabitEthernet1/1/1/7 GigabitEthernet2/1/1/7 Mad relay detect interfaces configured: Excluded ports(configurable): Excluded ports(can not be configured): XGigabitEthernet1/6/0/0 XGigabitEthernet2/6/0/0
- 配置接口GE1/1/1/7采用直连方式多主检测功能。
- 配置核心交换机与FW之间的Eth-Trunk。
# 在CSS上创建Eth-Trunk10,用于连接FW,并加入Eth-Trunk成员接口。
[CSS] interface eth-trunk 10 //创建Eth-Trunk10接口,和FW对接 [CSS-Eth-Trunk10] quit [CSS] interface XGigabitethernet 1/1/0/0 [CSS-XGigabitEthernet1/1/0/0] eth-trunk 10 [CSS-XGigabitEthernet1/1/0/0] quit [CSS] interface XGigabitethernet 2/1/0/0 [CSS-XGigabitEthernet2/1/0/0] eth-trunk 10 [CSS-XGigabitEthernet2/1/0/0] quit
- 配置CSS与出口路由器之间的Eth-Trunk。
# 在CSS上创建Eth-Trunk20、Eth-Trunk30,用于连接Router1、Router2,并加入Eth-Trunk成员接口。
[CSS] interface eth-trunk 20 //创建Eth-Trunk20接口,和Router1对接 [CSS-Eth-Trunk20] quit [CSS] interface XGigabitethernet 1/1/0/1 [CSS-XGigabitEthernet1/1/0/1] eth-trunk 20 [CSS-XGigabitEthernet1/1/0/1] quit [CSS] interface XGigabitethernet 2/1/0/1 [CSS-XGigabitEthernet2/1/0/1] eth-trunk 20 [CSS-XGigabitEthernet2/1/0/1] quit [CSS] interface eth-trunk 30 //创建Eth-Trunk30接口,和Router2对接 [CSS-Eth-Trunk30] quit [CSS] interface XGigabitethernet 1/2/0/1 [CSS-XGigabitEthernet1/2/0/1] eth-trunk 30 [CSS-XGigabitEthernet1/2/0/1] quit [CSS] interface XGigabitethernet 2/2/0/1 [CSS-XGigabitEthernet2/2/0/1] eth-trunk 30 [CSS-XGigabitEthernet2/2/0/1] quit
- 配置连接汇聚交换机的Eth-Trunk。
# 在CSS上创建Eth-Trunk40并加入Eth-Trunk成员接口,Eth-Trunk40用于连接汇聚交换机S5720EI iStack-1,同时配置根保护功能。
[CSS] interface eth-trunk 40 [CSS-Eth-Trunk40] stp root-protection [CSS-Eth-Trunk40] quit [CSS] interface gigabitethernet 1/2/0/0 [CSS-GigabitEthernet1/2/0/0] eth-trunk 40 [CSS-GigabitEthernet1/2/0/0] quit [CSS] interface gigabitethernet 2/2/0/0 [CSS-GigabitEthernet2/2/0/0] eth-trunk 40 [CSS-GigabitEthernet2/2/0/0] quit
# 将CSS配置为STP根桥。在CSS上创建Eth-Trunk50并加入Eth-Trunk成员接口,Eth-Trunk50用于连接汇聚交换机S5720EI iStack-2,同时配置根保护功能。
[CSS] stp root primary [CSS] interface eth-trunk 50 [CSS-Eth-Trunk50] stp root-protection [CSS-Eth-Trunk50] quit [CSS] interface gigabitethernet 1/2/0/1 [CSS-GigabitEthernet1/2/0/1] eth-trunk 50 [CSS-GigabitEthernet1/2/0/1] quit [CSS] interface gigabitethernet 2/2/0/1 [CSS-GigabitEthernet2/2/0/1] eth-trunk 50 [CSS-GigabitEthernet2/2/0/1] quit
- 配置接口。
[CSS] interface loopback 0 [CSS-LoopBack0] ip address 3.3.3.3 32 //用来做Router ID [CSS-LoopBack0] quit [CSS] vlan batch 10 20 30 50 101 102 //批量创建VLAN [CSS] interface eth-trunk 10 [CSS-Eth-Trunk10] port link-type access [CSS-Eth-Trunk10] port default vlan 10 [CSS-Eth-Trunk10] quit [CSS] interface eth-trunk 20 [CSS-Eth-Trunk20] port link-type access [CSS-Eth-Trunk20] port default vlan 20 [CSS-Eth-Trunk20] quit [CSS] interface eth-trunk 30 [CSS-Eth-Trunk30] port link-type access [CSS-Eth-Trunk30] port default vlan 20 [CSS-Eth-Trunk30] quit [CSS] interface eth-trunk 40 [CSS-Eth-Trunk40] port link-type trunk [CSS-Eth-Trunk40] port trunk allow-pass vlan 30 101 //下行接口放行管理VLAN和业务VLAN [CSS-Eth-Trunk40] quit [CSS] interface eth-trunk 50 [CSS-Eth-Trunk50] port link-type trunk [CSS-Eth-Trunk50] port trunk allow-pass vlan 30 102 //下行接口放行管理VLAN和业务VLAN [CSS-Eth-Trunk50] quit [CSS] interface vlanif 10 [CSS-Vlanif10] ip address 172.16.10.2 24 //配置连接FW的VLANIF的IP地址 [CSS-Vlanif10] quit [CSS] interface vlanif 20 [CSS-Vlanif20] ip address 172.16.20.1 24 //配置连接Router的VLANIF的IP地址 [CSS-Vlanif20] quit [CSS] interface vlanif 30 [CSS-Vlanif30] ip address 172.16.30.1 24 //配置连接S5720EI iStack的VLANIF的IP地址 [CSS-Vlanif30] quit [CSS] interface vlanif 101 [CSS-Vlanif101] ip address 172.16.101.1 24 //配置提供宿舍区用户接入的业务vlanif IP地址 [CSS-Vlanif101] quit [CSS] interface vlanif 102 [CSS-Vlanif102] ip address 172.16.102.1 24 //配置提供教学区用户接入的业务vlanif IP地址 [CSS-Vlanif102] quit [CSS] interface Gigabitethernet 1/1/1/0 //进入连接HTTP服务器的接口 [CSS-GigabitEthernet1/1/1/0] port link-type access [CSS-GigabitEthernet1/1/1/0] port default vlan 50 //以Access方式加入VLAN 50 [CSS-GigabitEthernet1/1/1/0] quit [CSS] interface Gigabitethernet 1/1/1/1 //进入连接Agile Controller的接口 [CSS-GigabitEthernet1/1/1/1] port link-type access [CSS-GigabitEthernet1/1/1/1] port default vlan 50 //以Access方式加入VLAN 50 [CSS-GigabitEthernet1/1/1/1] quit [CSS] interface vlanif 50 [CSS-Vlanif50] ip address 172.16.50.1 24 //配置连接HTTP服务器和Agile Controller的IP地址 [CSS-Vlanif50] quit
- 配置路由。
# OSPF发布路由。
[CSS] router id 3.3.3.3 [CSS] ospf 1 [CSS-ospf-1] area 0.0.0.0 //配置为骨干区域 [CSS-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255 //发布连接FW的网段 [CSS-ospf-1-area-0.0.0.0] network 172.16.20.0 0.0.0.255 //发布连接出口路由器的网段 [CSS-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255 //发布连接服务器的网段 [CSS-ospf-1-area-0.0.0.0] quit [CSS-ospf-1] area 0.0.0.1 //配置为Area1 [CSS-ospf-1-area-0.0.0.1] network 172.16.30.0 0.0.0.255 //发布连接S5720EI iStack-1的网段 [CSS-ospf-1-area-0.0.0.1] network 172.16.101.0 0.0.0.255 //发布宿舍区用户网段 [CSS-ospf-1-area-0.0.0.1] nssa //将Area1配置为NSSA区域 [CSS-ospf-1-area-0.0.0.1] quit [CSS-ospf-1] area 0.0.0.2 //配置为Area2 [CSS-ospf-1-area-0.0.0.2] network 172.16.102.0 0.0.0.255 //发布教学区用户网段 [CSS-ospf-1-area-0.0.0.2] nssa //将Area2配置为NSSA区域 [CSS-ospf-1-area-0.0.0.2] quit [CSS-ospf-1] quit
# 配置缺省路由,下一跳为Router1、Router2地址。
[CSS] ip route-static 0.0.0.0 0.0.0.0 172.16.20.2 [CSS] ip route-static 0.0.0.0 0.0.0.0 172.16.20.3
- 配置DHCP。
[CSS] dhcp enable [CSS] interface vlanif 101 [CSS-Vlanif101] dhcp select interface [CSS-Vlanif101] quit [CSS] interface vlanif 102 [CSS-Vlanif102] dhcp select interface [CSS-Vlanif102] quit
- 配置业务编排。
# 配置对接FW的隧道地址。
[CSS] interface loopback 100 //该地址建立隧道用 [CSS-LoopBack100] ip address 10.7.2.1 32 [CSS-LoopBack100] quit [CSS] interface loopback 101 //该地址建立隧道用 [CSS-LoopBack101] ip address 10.7.2.2 32 [CSS-LoopBack101] quit
# 配置到FW隧道地址的静态路由。
[CSS] ip route-static 10.6.2.1 32 172.16.10.1 [CSS] ip route-static 10.6.2.2 32 172.16.10.1
# 配置XMPP协议参数,以便在Controller上添加交换机设备
[CSS] group-policy controller 172.16.50.100 password Admin@123 src-ip 172.16.50.1
配置接入交换机、汇聚交换机和AC的网络互通
# 配置交换机S5700_A使AP与AC之间能互通。
<HUAWEI> system-view [HUAWEI] sysname S5700_A [S5700_A] vlan batch 720 800 [S5700_A] interface gigabitethernet 0/0/1 [S5700_A-GigabitEthernet0/0/1] description Connect to AP_1 [S5700_A-GigabitEthernet0/0/1] port link-type trunk [S5700_A-GigabitEthernet0/0/1] port trunk pvid vlan 800 [S5700_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 720 800 [S5700_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1 [S5700_A-GigabitEthernet0/0/1] port-isolate enable [S5700_A-GigabitEthernet0/0/1] stp edged-port enable [S5700_A-GigabitEthernet0/0/1] quit [S5700_A] interface gigabitethernet 0/0/2 [S5700_A-GigabitEthernet0/0/2] description Connect to AP_2 [S5700_A-GigabitEthernet0/0/2] port link-type trunk [S5700_A-GigabitEthernet0/0/2] port trunk pvid vlan 800 [S5700_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 720 800 [S5700_A-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1 [S5700_A-GigabitEthernet0/0/2] port-isolate enable [S5700_A-GigabitEthernet0/0/2] stp edged-port enable [S5700_A-GigabitEthernet0/0/2] quit [S5700_A] interface gigabitethernet 0/0/3 [S5700_A-GigabitEthernet0/0/3] description Connect to S7700_1/0/3 [S5700_A-GigabitEthernet0/0/3] port link-type trunk [S5700_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 720 800 [S5700_A-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1 [S5700_A-GigabitEthernet0/0/3] quit
[S5700_A] traffic classifier huawei [S5700_A-classifier-huawei] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //本例中,组播MAC地址和掩码仅作示例,实际配置请根据实际组播地址写作。 [S5700_A-classifier-huawei] quit [S5700_A] traffic behavior huawei [S5700_A-behavior-huawei] statistic enable [S5700_A-behavior-huawei] car cir 100 //CIR参数需要根据实际情况进行调整,如接入交换机下接入的是中心AP的场景,则需要适当增大。 [S5700_A-behavior-huawei] quit [S5700_A] traffic policy huawei [S5700_A-policy-huawei] classifier huawei behavior huawei [S5700_A-policy-huawei] quit [S5700_A] interface gigabitethernet 0/0/1 [S5700_A-GigabitEthernet0/0/1] traffic-policy huawei outbound [S5700_A-GigabitEthernet0/0/1] traffic-policy huawei inbound [S5700_A] interface gigabitethernet 0/0/2 [S5700_A-GigabitEthernet0/0/2] traffic-policy huawei outbound [S5700_A-GigabitEthernet0/0/2] traffic-policy huawei inbound
如果网络中规划有组播业务,则不需要配置组播抑制。
# 配置S7700的接口GE1/0/3连接S5700_A、S12700_A和S12700_B加入VLAN800和VLAN720。
<HUAWEI> system-view [HUAWEI] sysname S7700 [S7700] vlan batch 720 800 [S7700] interface gigabitethernet 1/0/3 [S7700-GigabitEthernet1/0/3] description Connect to S5700_A_0/0/3 [S7700-GigabitEthernet1/0/3] port link-type trunk [S7700-GigabitEthernet1/0/3] port trunk allow-pass vlan 720 800 [S7700-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1 [S7700-GigabitEthernet1/0/3] quit [S7700] interface gigabitethernet 1/0/17 [S7700-GigabitEthernet1/0/17] description Connect to S12700_A_1/1/0/19 [S7700-GigabitEthernet1/0/17] port link-type trunk [S7700-GigabitEthernet1/0/17] port trunk allow-pass vlan 720 800 [S7700-GigabitEthernet1/0/17] undo port trunk allow-pass vlan 1 [S7700-GigabitEthernet1/0/17] quit [S7700] interface gigabitethernet 1/0/18 [S7700-GigabitEthernet1/0/18] description Connect to S12700_B_2/1/0/22 [S7700-GigabitEthernet1/0/18] port link-type trunk [S7700-GigabitEthernet1/0/18] port trunk allow-pass vlan 720 800 [S7700-GigabitEthernet1/0/18] undo port trunk allow-pass vlan 1 [S7700-GigabitEthernet1/0/18] quit
# 配置S12700_A和S12700_B的接口连接S7700、AC_1和AC_2加入VLAN720和VLAN800。
<Huawei> system-view [Huawei] sysname CSS [CSS] vlan batch 720 800 [CSS] interface gigabitethernet 1/1/0/19 [CSS-GigabitEthernet1/1/0/19] description Connect to S7700_1/0/17 [CSS-GigabitEthernet1/1/0/19] port link-type trunk [CSS-GigabitEthernet1/1/0/19] port trunk allow-pass vlan 720 800 [CSS-GigabitEthernet1/1/0/19] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet1/1/0/19] quit [CSS] interface gigabitethernet 1/1/0/20 [CSS-GigabitEthernet1/1/0/20] description Connect to AC_1_0/0/24 [CSS-GigabitEthernet1/1/0/20] port link-type trunk [CSS-GigabitEthernet1/1/0/20] port trunk allow-pass vlan 720 800 [CSS-GigabitEthernet1/1/0/20] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet1/1/0/20] quit [CSS] interface gigabitethernet 2/1/0/22 [CSS-GigabitEthernet2/1/0/22] description Connect to S7700_1/0/18 [CSS-GigabitEthernet2/1/0/22] port link-type trunk [CSS-GigabitEthernet2/1/0/22] port trunk allow-pass vlan 720 800 [CSS-GigabitEthernet2/1/0/22] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet2/1/0/22] quit [CSS] interface gigabitethernet 2/1/0/23 [CSS-GigabitEthernet2/1/0/23] description Connect to AC_2 _0/0/24 [CSS-GigabitEthernet2/1/0/23] port link-type trunk [CSS-GigabitEthernet2/1/0/23] port trunk allow-pass vlan 720 800 [CSS-GigabitEthernet2/1/0/23] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet2/1/0/23] quit
# 配置AC_1、AC_2连接S12700_A和S12700_B的接口加入VLAN800和VLAN720。
<AC6605> system-view [AC6605] sysname AC_1 [AC_1] vlan batch 720 800 [AC_1] interface gigabitethernet 0/0/24 [AC_1-GigabitEthernet0/0/24] description Connect to S12700_A_1/1/0/20 [AC_1-GigabitEthernet0/0/24] port link-type trunk [AC_1-GigabitEthernet0/0/24] port trunk allow-pass vlan 720 800 [AC_1-GigabitEthernet0/0/24] undo port trunk allow-pass vlan 1 [AC_1-GigabitEthernet0/0/24] quit
<AC6605> system-view [AC6605] sysname AC_2 [AC_2] vlan batch 720 800 [AC_2] interface gigabitethernet 0/0/24 [AC_2-GigabitEthernet0/0/24] description Connect to S12700_B_2/1/0/23 [AC_2-GigabitEthernet0/0/24] port link-type trunk [AC_2-GigabitEthernet0/0/24] port trunk allow-pass vlan 720 800 [AC_2-GigabitEthernet0/0/24] undo port trunk allow-pass vlan 1 [AC_2-GigabitEthernet0/0/24] quit
配置DHCP服务,AC作为DHCP服务器为AP分配IP地址,外置DHCP服务器为STA分配IP地址
- 配置AC_1和AC_2DHCP服务器为AP分配IP地址
[AC_1] dhcp enable [AC_1] interface vlanif 800 [AC_1-Vlanif800] ip address 10.128.1.2 255.255.255.0 [AC_1-Vlanif800] dhcp select interface [AC_1-Vlanif800] quit
[AC_2] dhcp enable [AC_2] interface vlanif 800 [AC_2-Vlanif800] ip address 10.128.1.3 255.255.255.0 [AC_2-Vlanif800] dhcp select interface [AC_2-Vlanif800] quit
- 配置S7700作为DHCP中继
[S7700] vlan batch 720 820 [S7700] dhcp enable [S7700] interface vlanif 720 [S7700-Vlanif720] ip address 10.172.1.1 255.255.240.0 [S7700-Vlanif720] dhcp select relay [S7700-Vlanif720] dhcp relay server-ip 172.16.1.252 //外置DHCP服务器IP地址: 172.16.1.252。 [S7700-Vlanif720] quit
- 配置S12700_A、S12700_B与外置DHCP服务器的链路放通业务VLAN720
[CSS] interface gigabitethernet 1/1/0/21 [CSS-GigabitEthernet1/1/0/21] description Connect to Router_0/0/29 [CSS-GigabitEthernet1/1/0/21] port link-type trunk [CSS-GigabitEthernet1/1/0/21] port trunk allow-pass vlan 720 [CSS-GigabitEthernet1/1/0/21] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet1/1/0/21] quit [CSS] interface gigabitethernet 2/1/0/18 [CSS-GigabitEthernet2/1/0/18] description Connect to Router_0/0/30 [CSS-GigabitEthernet2/1/0/18] port link-type trunk [CSS-GigabitEthernet2/1/0/18] port trunk allow-pass vlan 720 [CSS-GigabitEthernet2/1/0/18] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet2/1/0/18] quit
配置VRRP+HSB方式的备份
- 配置AC_1和AC_2的HSB互通
# 配置AC_1连接AC_2的接口GE0/0/23加入HSB VLAN810。
[AC_1] vlan batch 810 [AC_1] interface gigabitethernet 0/0/23 [AC_1-GigabitEthernet0/0/23] description Connect to AC_2_0/0/23 [AC_1-GigabitEthernet0/0/23] port link-type trunk [AC_1-GigabitEthernet0/0/23] port trunk allow-pass vlan 810 [AC_1-GigabitEthernet0/0/23] undo port trunk allow-pass vlan 1 [AC_1-GigabitEthernet0/0/23] quit [AC_1] interface vlanif 810 [AC_1-Vlanif810] ip address 10.1.1.253 30 [AC_1-Vlanif810] quit
# 配置AC_2连接AC_1的接口GE0/0/23加入HSB VLAN810。
[AC_2] vlan batch 810 [AC_2] interface gigabitethernet 0/0/23 [AC_2-GigabitEthernet0/0/23] description Connect to AC_1_0/0/23 [AC_2-GigabitEthernet0/0/23] port link-type trunk [AC_2-GigabitEthernet0/0/23] port trunk allow-pass vlan 810 [AC_2-GigabitEthernet0/0/23] undo port trunk allow-pass vlan 1 [AC_2-GigabitEthernet0/0/23] quit [AC_2] interface vlanif 810 [AC_2-Vlanif810] ip address 10.1.1.254 30 [AC_2-Vlanif810] quit
- 配置AC_1的VRRP方式的双机热备份
# 配置VRRP备份组的状态恢复延迟时间为60秒。
[AC_1] vrrp recover-delay 60
# 在AC_1上创建管理VRRP备份组,配置AC_1在该备份组中的优先级为120,并配置抢占时间为1200秒。
[AC_1] interface vlanif 800 [AC_1-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1 [AC_1-Vlanif800] vrrp vrid 1 priority 120 [AC_1-Vlanif800] vrrp vrid 1 preempt-mode timer delay 1200 [AC_1-Vlanif800] admin-vrrp vrid 1 [AC_1-Vlanif800] quit
# 在AC_1上创建HSB主备服务0,并配置其主备通道IP地址和端口号。
[AC_1] hsb-service 0 [AC_1-hsb-service-0] service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241 [AC_1-hsb-service-0] quit
# 在AC_1上创建HSB备份组0,并配置其绑定HSB主备服务0和管理VRRP备份组。
[AC_1] hsb-group 0 [AC_1-hsb-group-0] bind-service 0 [AC_1-hsb-group-0] track vrrp vrid 1 interface vlanif 800 [AC_1-hsb-group-0] quit
# 配置AC_1业务绑定HSB备份组。
[AC_1] hsb-service-type access-user hsb-group 0 //配置NAC业务绑定HSB备份组。 [AC_1] hsb-service-type ap hsb-group 0 //配置WLAN业务备份使用的HSB类型为HSB组。 [AC_1] hsb-service-type dhcp hsb-group 0 //配置DHCP服务器绑定在双机热备DHCP服务器组。 [AC_1] hsb-group 0 [AC_1-hsb-group-0] hsb enable [AC_1-hsb-group-0] quit
- 在AC_2上配置VRRP方式的双机热备份
# 配置VRRP备份组的状态恢复延迟时间为60秒。
[AC_2] vrrp recover-delay 60
# 在AC_2上创建管理VRRP备份组。
[AC_2] interface vlanif 800 [AC_2-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1 [AC_2-Vlanif800] admin-vrrp vrid 1 //设置VRRP备份组1为管理VRRP [AC_2-Vlanif800] quit
# 在AC_2上创建HSB主备服务0,并配置其主备通道IP地址和端口号。
[AC_2] hsb-service 0 [AC_2-hsb-service-0] service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241 [AC_2-hsb-service-0] quit
# 在AC_2上创建HSB备份组0,并配置其绑定HSB主备服务0和管理VRRP备份组。
[AC_2] hsb-group 0 [AC_2-hsb-group-0] bind-service 0 [AC_2-hsb-group-0] track vrrp vrid 1 interface vlanif 800 [AC_2-hsb-group-0] quit
# 配置AC_2业务绑定HSB备份组。
[AC_2] hsb-service-type access-user hsb-group 0 //配置NAC业务绑定HSB备份组。 [AC_2] hsb-service-type ap hsb-group 0 //配置WLAN业务备份使用的HSB类型为HSB组。 [AC_2] hsb-service-type dhcp hsb-group 0 //配置DHCP服务器绑定在双机热备DHCP服务器组。
在AC上配置RADIUS服务器认证、计费和授权模板,以便AC能够与RADIUS服务器联动
- 配置AC_1和AC_2与RADIUS服务器通信VLAN820和有线管理地址
# 配置AC_1连接S12700_A的接口加入VLAN820。
[AC_1] vlan batch 820 [AC_1] interface gigabitethernet 0/0/24 [AC_1-GigabitEthernet0/0/24] port trunk allow-pass vlan 820 [AC_1-GigabitEthernet0/0/24] quit [AC_1] interface vlanif 820 [AC_1-Vlanif820] ip address 172.16.1.2 24 [AC_1-Vlanif820] quit
# 配置AC_2连接S12700_B的接口加入VLAN820。
[AC_2] vlan batch 820 [AC_2] interface gigabitethernet 0/0/24 [AC_2-GigabitEthernet0/0/24] port trunk allow-pass vlan 820 [AC_2-GigabitEthernet0/0/24] quit [AC_2] interface vlanif 820 [AC_2-Vlanif820] ip address 172.16.1.3 24 [AC_2-Vlanif820] quit
# 在AC_1上创建成员VRRP备份组,并将VRRP备份组2和管理VRRP备份组1进行绑定。
[AC_1] interface vlanif 820 [AC_1-Vlanif820] vrrp vrid 2 virtual-ip 172.16.1.1 [AC_1-Vlanif820] vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown [AC_1-Vlanif820] quit
# 在AC_2上创建成员VRRP备份组,并将VRRP备份组2和管理VRRP备份组1进行绑定。
[AC_2] interface vlanif 820 [AC_2-Vlanif820] vrrp vrid 2 virtual-ip 172.16.1.1 [AC_2-Vlanif820] vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown [AC_2-Vlanif820] quit
- 配置S12700_A和S12700_B、RADIUS服务器与AC_1、AC_2设备互通
[CSS] vlan batch 820 [CSS] interface gigabitethernet 1/1/0/20 [CSS-GigabitEthernet1/1/0/20] port trunk allow-pass vlan 820 [CSS-GigabitEthernet1/1/0/20] quit [CSS] interface gigabitethernet 1/1/0/21 [CSS-GigabitEthernet1/1/0/21] port trunk allow-pass vlan 820 [CSS-GigabitEthernet1/1/0/21] quit [CSS] interface gigabitethernet 2/1/0/23 [CSS-GigabitEthernet2/1/0/23] port trunk allow-pass vlan 820 [CSS-GigabitEthernet2/1/0/23] quit [CSS] interface gigabitethernet 2/1/0/18 [CSS-GigabitEthernet2/1/0/18] port trunk allow-pass vlan 820 [CSS-GigabitEthernet2/1/0/18] quit
- 创建并配置RADIUS服务器模板、AAA方案
# 创建并配置RADIUS服务器模板“radius_huawei”。
[AC_1] radius-server template radius_huawei [AC_1-radius-radius_huawei] radius-server authentication 172.16.1.254 1812 source ip-address 172.16.1.1 weight 80 //配置认证服务器。 [AC_1-radius-radius_huawei] radius-server accounting 172.16.1.254 1813 source ip-address 172.16.1.1 weight 80 //配置计费服务器。 [AC_1-radius-radius_huawei] radius-server shared-key cipher huawei@123 [AC_1-radius-radius_huawei] radius-server timeout 1 [AC_1-radius-radius_huawei] quit
对于规模较大或者较繁忙的网络尽可能的配置最低的RADIUS重传超时,因为过长的超时时间会占用系统资源,更小的超时时间可以更好地提高AC的处理能力。
当前无线用户默认重传超时时间是5秒,当RADIUS服务器模板下配置了8个以上认证服务器的IP地址或者使用802.1X认证时,推荐将超时时间配置为1秒,以提升网络处理效率。
# 创建RADIUS授权服务器
[AC_1] radius-server authorization 172.16.1.254 shared-key cipher huawei@123
# 创建AAA认证方案“radius_huawei”并配置认证方式为RADIUS。
[AC_1] aaa [AC_1-aaa] authentication-scheme radius_huawei [AC_1-aaa-authen-radius_huawei] authentication-mode radius //配置认证模式为RADIUS认证。 [AC_1-aaa-authen-radius_huawei] quit [AC_1-aaa] accounting-scheme radius_huawei [AC_1-aaa-accounting-radius_huawei] accounting-mode radius //配置计费模式为RADIUS模式。 [AC_1-aaa-accounting-radius_huawei] accounting realtime 15 //开启实时计费功能,并设置实时计费时间间隔为15分钟。 [AC_1-aaa-accounting-radius_huawei] quit [AC_1-aaa] quit
实时计费间隔的取值对设备和RADIUS服务器的性能有要求,实时计费间隔的取值越小,对设备和RADIUS服务器的性能要求就越高。请根据用户数设置计费间隔,如下表所示。
表4-140 实时计费间隔和用户量之间的推荐比例关系用户数
实时计费间隔(分钟)
1~99
3
100~499
6
500~999
12
≥1000
≥15
- 配置URL模板,配置指向Portal服务器的重定向URL,并指定URL中携带的参数为用户关联SSID和接入用户访问的原始URL地址
[AC_1] url-template name huawei [AC_1-url-template-huawei] url http://172.16.1.254:8080/portal [AC_1-url-template-huawei] url-parameter ssid ssid redirect-url url [AC_1-url-template-huawei] quit
- 配置Portal服务器模板
[AC_1] web-auth-server huawei [AC_1-web-auth-server-huawei] server-ip 172.16.1.254 //配置Portal服务器地址。 [AC_1-web-auth-server-huawei] shared-key cipher huawei@123 //配置共享密钥。 [AC_1-web-auth-server-huawei] port 50200 //配置Protal服务器端口号。 [AC_1-web-auth-server-huawei] url-template huawei [AC_1-web-auth-server-huawei] source-ip 172.16.1.1 //配置源地址 [AC_1-web-auth-server-huawei] quit
在AC上配置WLAN业务,满足无线网络在会议室高密场景下的无线接入需求
- AC_1上创建VLAN,并配置DHCP Snooping功能
[AC_1] dhcp snooping enable [AC_1] vlan 720 [AC_1-vlan720] description meeting-room [AC_1-vlan720] dhcp snooping enable [AC_1-vlan720] quit [AC_1] vlan 800 [AC_1-vlan800] description AP-management-vlan [AC_1-vlan800] quit
- 配置LLDP功能
# 在AC_1上配置LLDP功能。
为了清楚了解设备之间的二层链接状态信息并进行网络拓扑分析,需要使能LLDP功能。当需要在AC上知道AP与接入交换机之间的二层的链接状态信息并进行网络拓扑分析时,需要使能WLAN的LLDP功能。WLAN的LLDP功能有两个开关,一个是全局开关,另一个是AP有线口链路模板视图下的开关。只有两个开关都处于使能状态下,AP才会发送或接收LLDP报文。两个开关默认都处于使能状态。
[AC_1] lldp enable [AC_1] wlan [AC_1-wlan-view] ap lldp enable [AC_1-wlan-view] port-link-profile name default [AC_1-wlan-port-link-prof-default] lldp enable [AC_1-wlan-port-link-prof-default] quit [AC_1-wlan-view] quit
# 在接入交换机上配置LLDP功能。
打开LLDP功能,使设备具有通过LLDP功能解析PD设备的能力;若不打开LLDP功能,设备仅通过解析与PD间的电流和电阻,实现对PD的检测和分类。相比电流和电阻解析,LLDP功能提供更全面、更准确的解析能力。打开全局的LLDP功能后,缺省情况下所有接口的LLDP功能都处于打开状态。
[S5700_A] lldp enable
- 配置AC_1的WLAN业务
# 配置AC的CAPWAP源地址。
[AC_1] capwap source ip-address 10.128.1.1
# 创建AC_1的AP group“meeting-room”,用于将相同配置的AP都加入同一AP组中。此处以AP_1为例,其他AP添加方法类似,不再赘述。
[AC_1] wlan [AC_1-wlan-view] ap-group name meeting-room [AC_1-wlan-ap-group-meeting-room] quit [AC_1-wlan-view] ap auth-mode mac-auth [AC_1-wlan-view] ap-id 1 ap-mac 60de-4476-e360 [AC_1-wlan-ap-1] ap-name AP_1 Warning: This operation may cause AP reset. Continue? [Y/N]:y [AC_1-wlan-ap-1] ap-group meeting-room Warning: This operation maybe cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y [AC_1-wlan-ap-1] quit [AC_1-wlan-view] quit
# 其他AP根据规划进行AP组配置。
# 配置Portal接入模板“portal”。
[AC_1] portal-access-profile name portal [AC_1-portal-access-profile-portal] web-auth-server huawei layer3 [AC_1-portal-access-profile-portal] quit
# 配置MAC接入模板“mac”。
[AC_1] mac-access-profile name mac [AC_1-mac-access-profile-mac] quit
# 配置免认证规则模板“default_free_rule”。
[AC_1] free-rule-template name default_free_rule [AC_1-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.253 mask 32 //DNS服务器IP地址:172.16.1.253。 [AC_1-free-rule-default_free_rule] quit
# 配置认证模板“authen-pro”。
[AC_1] authentication-profile name authen-pro [AC_1-authentication-profile-authen-pro] portal-access-profile portal [AC_1-authentication-profile-authen-pro] free-rule-template default_free_rule [AC_1-authentication-profile-authen-pro] authentication-scheme radius_huawei [AC_1-authentication-profile-authen-pro] mac-access-profile mac [AC_1-authentication-profile-authen-pro] accounting-scheme radius_huawei [AC_1-authentication-profile-authen-pro] radius-server radius_huawei [AC_1-authentication-profile-authen-pro] quit
# 创建安全模板,并配置安全策略。缺省情况下,安全策略为open方式的开放认证。
[AC_1] wlan [AC_1-wlan-view] security-profile name open [AC_1-wlan-sec-prof-open] quit
# 创建SSID模板“meeting-room”。
[AC_1-wlan-view] ssid-profile name meeting-room [AC_1-wlan-ssid-prof-meeting-room] ssid meeting-room [AC_1-wlan-ssid-prof-meeting-room] quit
# 配置名称为“meeting-room”的流量模板中二层用户隔离。
[AC_1-wlan-view] traffic-profile name meeting-room [AC_1-wlan-traffic-prof-meeting-room] user-isolate l2 [AC_1-wlan-traffic-prof-meeting-room] quit
# 创建VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板、SSID模板、认证模板和流量模板,使能STA地址严格DHCP获取功能、IPSG功能动态ARP检测功能。
[AC_1-wlan-view] vap-profile name meeting-room [AC_1-wlan-vap-prof-meeting-room] service-vlan vlan-id 720 [AC_1-wlan-vap-prof-meeting-room] security-profile open [AC_1-wlan-vap-prof-meeting-room] ssid-profile meeting-room [AC_1-wlan-vap-prof-meeting-room] authentication-profile authen-pro [AC_1-wlan-vap-prof-meeting-room] traffic-profile meeting-room [AC_1-wlan-vap-prof-meeting-room] ip source check user-bind enable [AC_1-wlan-vap-prof-meeting-room] arp anti-attack check user-bind enable [AC_1-wlan-vap-prof-meeting-room] learn-client-address dhcp-strict [AC_1-wlan-vap-prof-meeting-room] quit
ip source check user-bind enable命令的前置条件为:
由于该功能是基于绑定表进行匹配检查的,因此
- 对于DHCP用户,需要使能DHCP Snooping自动生成动态绑定表。
- 对于静态配置IP的用户,需要手工配置静态绑定表。
learn-client-address dhcp-strict命令的前置条件为:
- 在VAP模板视图下执行命令undo dhcp trust port去使能AP的DHCP信任功能。
- 执行命令undo learn-client-address { ipv4 | ipv6 } disable使能STA地址学习功能。
# 高密场景下网络优化参数配置。
[AC_1-wlan-view] calibrate enable schedule time 02:00:00 [AC_1-wlan-view] calibrate policy rogue-ap [AC_1-wlan-view] calibrate policy non-wifi [AC_1-wlan-view] calibrate sensitivity high [AC_1-wlan-view] rrm-profile name meeting-room [AC_1-wlan-rrm-prof-meeting-room] airtime-fair-schedule enable //使能空口调度功能。 [AC_1-wlan-rrm-prof-meeting-room] dynamic-edca enable //使能动态edca功能。 [AC_1-wlan-rrm-prof-meeting-room] undo sta-load-balance dynamic disable//使能动态负载均衡功能 [AC_1-wlan-rrm-prof-meeting-room] undo smart-roam disable [AC_1-wlan-rrm-prof-meeting-room] smart-roam roam-threshold check-snr [AC_1-wlan-rrm-prof-meeting-room] smart-roam roam-threshold snr 25 [AC_1-wlan-rrm-prof-meeting-room] smart-roam quick-kickoff-threshold snr 20 [AC_1-wlan-rrm-prof-meeting-room] quit [AC_1-wlan-view] traffic-profile name meeting-room [AC_1-wlan-traffic-prof-meeting-room] rate-limit client down 4096 [AC_1-wlan-traffic-prof-meeting-room] rate-limit client up 4096 [AC_1-wlan-traffic-prof-meeting-room] quit [AC_1-wlan-view] radio-2g-profile name 2G [AC_1-wlan-radio-2g-prof-2G] rts-cts-mode rts-cts //指定射频模板中RTS-CTS的工作模式。 [AC_1-wlan-radio-2g-prof-2G] rts-cts-threshold 1400 //指定射频模板中的RTS-CTS门限。 [AC_1-wlan-radio-2g-prof-2G] wmm edca-ap ac-be ecw ecwmin 5 ecwmax 6 Warning: This action may cause service interruption. Continue?[Y/N]y [AC_1-wlan-radio-2g-prof-2G] guard-interval-mode short [AC_1-wlan-radio-2g-prof-2G] beacon-interval 100 [AC_1-wlan-radio-2g-prof-2G] rrm-profile meeting-room Warning: This action may cause service interruption. Continue?[Y/N]y [AC_1-wlan-radio-2g-prof-2G] quit [AC_1-wlan-view] radio-5g-profile name 5G [AC_1-wlan-radio-5g-prof-5G] rts-cts-mode rts-cts [AC_1-wlan-radio-5g-prof-5G] rts-cts-threshold 1400 [AC_1-wlan-radio-5g-prof-5G] wmm edca-ap ac-be ecw ecwmin 5 ecwmax 6 Warning: This action may cause service interruption. Continue?[Y/N]y [AC_1-wlan-radio-5g-prof-5G] guard-interval-mode short [AC_1-wlan-radio-5g-prof-5G] beacon-interval 100 [AC_1-wlan-radio-5g-prof-5G] rrm-profile meeting-room Warning: This action may cause service interruption. Continue?[Y/N]y [AC_1-wlan-radio-5g-prof-5G] quit [AC_1-wlan-view] ssid-profile name meeting-room [AC_1-wlan-ssid-prof-meeting-room] beacon-2g-rate 11 [AC_1-wlan-ssid-prof-meeting-room] association-timeout 1 Warning: This action may cause service interruption. Continue?[Y/N]y [AC_1-wlan-ssid-prof-meeting-room] wmm edca-client ac-be ecw ecwmin 7 ecwmax 10 [AC_1-wlan-ssid-prof-meeting-room] quit
Beacon帧是一种周期发送的广播帧,AP通过周期发送Beacon帧来声明某个802.11网络的存在。Beacon周期配置太大,会导致STA休眠时间变长;Beacon周期配置太小,会导致空口开销变大。因此,建议用户根据VAP的数量调整Beacon周期的大小。缺省情况下,AP发送Beacon帧的周期为100TUs
对于单个射频下不同VAP数量对应的Beacon周期的配置建议值如下:
- 4个VAP及以内:100TUs左右
- 5~8个VAP:200TUs左右
- 9~12个VAP:300TUs左右
- 13~16个VAP:400TUs左右
配置如下:
[AC_1-wlan-view] radio-2g-profile name default
[AC_1-wlan-radio-2g-prof-default] beacon-interval 200
# 配置AP组引用VAP模板,AP上射频0和射频1都使用VAP模板的配置。
[AC_1-wlan-view] ap-group name meeting-room [AC_1-wlan-ap-group-meeting-room] vap-profile meeting-room wlan 1 radio all [AC_1-wlan-ap-group-meeting-room] radio 0 [AC_1-wlan-group-radio-meeting-room/0] radio-2g-profile 2G Warning: This action may cause service interruption. Continue?[Y/N]y [AC_1-wlan-group-radio-meeting-room/0] quit [AC_1-wlan-ap-group-meeting-room] radio 1 [AC_1-wlan-group-radio-meeting-room/1] radio-5g-profile 5G Warning: This action may cause service interruption. Continue?[Y/N]y [AC_1-wlan-group-radio-meeting-room/1] quit [AC_1-wlan-ap-group-meeting-room] quit [AC_1-wlan-view] quit
- 配置AC_2的WLAN业务,类似AC_1的配置,此处不再赘述。
- 使能AC_2的双机热备功能。
[AC_2] hsb-group 0 [AC_2-hsb-group-0] hsb enable [AC_2-hsb-group-0] quit
在Agile Controller- Enterprise业务管理器中添加AC,并配置参数,保证Controller能与AC正常联动
选择“资源> 设备 > 设备管理”,单击“增加”。
参数 |
说明 |
---|---|
IP地址 |
VLANIF820虚拟IP地址:172.16.1.1 |
RADIUS认证密钥&RADIUS计费密钥 |
与RADIUS模板radius-server shared-key cipher huawei@123所指定的密钥一致 |
实时计费周期 |
与计费模板accounting realtime 15所指定的周期一致 |
Portal密钥 |
与Portal服务器模板shared-key cipher huawei@123所指定的密钥一致 |
接入终端IP地址列表 |
与STA地址池一致 |
增加授权结果和授权规则,对用户认证成功后授予访问控制权限
- 无线用户接入使用缺省认证授权规则,缺省授权规则允许认证后访问所有资源。
如需修改认证授权规则,选择“策略 > 准入控制 > 认证授权”。
- 可选:选择“策略 > 准入控制 > 页面定制 > 页面定制”,自定义推送页面。如未自定义采用系统默认页面。
- 可选:选择“策略>准入控制>页面定制>Portal页面推送策略”,设置页面推送规则。按优先级匹配页面推送规则。如未设置,按系统默认推送规则推送。
- 选择“系统 > 终端参数配置 > 全局参数”,启用MAC优先的Portal认证。
结果验证
- 在AC_1和AC_2上执行display ap all命令,检查当前AP的状态,显示以下信息表示AP上线成功。
[AC_1] display ap all
- 在AC_1和AC_2上执行display hsb-service 0命令,查看主备服务的建立情况,可以看到Service State字段的显示为Connected,说明主备服务通道已经成功建立。
[AC_1] display hsb-service 0 [AC_2] display hsb-service 0 Hot Standby Service Information:
- 在AC_1和AC_2上执行display hsb-group 0命令,查看HSB备份组的运行情况。
[AC_1] display hsb-group 0
[AC_2] display hsb-group 0
- 用户是否能够通过RADIUS模板的认证。(已在RADIUS服务器上配置了测试用户test@huawei.com,用户密码123456)。
[AC_1] test-aaa test@huawei.com 123456 radius-template radius_huawei Info: Account test succeed.
- 完成配置后,用户可通过无线终端搜索到SSID为meeting-room的无线网络,用户关联到无线网络上后,无线终端能够被分配相应的IP地址。STA上打开浏览器访问Internet,自动跳转到Portal服务器提供的页面,在页面上输入正确的用户名(test@huawei.com)和密码(123456),认证通过后可以正常访问Internet。
- 用户使用手机可以正常使用漫游业务。
配置脚本
AC_1 |
AC_2 |
---|---|
# sysname AC_1 # vrrp recover-delay 60 # vlan batch 720 800 810 820 # authentication-profile name authen-pro mac-access-profile mac portal-access-profile portal free-rule-template default_free_rule authentication-scheme radius_huawei accounting-scheme radius_huawei radius-server radius_huawei # dhcp enable # dhcp snooping enable # radius-server template radius_huawei radius-server shared-key cipher %^%#jH,7O6/D*,z;7%#@l0f,0IR!ZYX^g=Wj2k"rS~DB%^%# radius-server authentication 172.16.1.254 1812 source ip-address 172.16.1.1 weight 80 radius-server accounting 172.16.1.254 1813 source ip-address 172.16.1.1 weight 80 radius-server timeout 1 radius-server authorization 172.16.1.254 shared-keycipher %^%#`,w9~s3Q8L_.-7Pj=tQ#~~96BFa%N5d.Jw$F(!W@%^%# # free-rule-template name default_free_rule free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255 # url-template name huawei url http://172.16.1.254:8080/portal url-parameter ssid ssid redirect-url url # web-auth-server huawei server-ip 172.16.1.254 port 50200 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%# source-ip 172.16.1.1 url-template huawei # portal-access-profile name portal web-auth-server huawei layer3 # aaa authentication-scheme radius_huawei authentication-mode radius accounting-scheme radius_huawei accounting-mode radius accounting realtime 15 # interface Vlanif800 ip address 10.128.1.2 255.255.255.0 vrrp vrid 1 virtual-ip 10.128.1.1 admin-vrrp vrid 1 vrrp vrid 1 priority 120 vrrp vrid 1 preempt-mode timer delay 1200 dhcp select interface # interface Vlanif810 ip address 10.1.1.253 255.255.255.252 # interface Vlanif820 ip address 172.16.1.2 255.255.255.0 vrrp vrid 2 virtual-ip 172.16.1.1 vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown # interface GigabitEthernet0/0/23 description Connect to AC_2_0/0/23 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 810 # interface GigabitEthernet0/0/24 description Connect to S12700_A_1/1/0/20 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 820 # capwap source ip-address 10.128.1.1 # hsb-service 0 service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241 # hsb-group 0 track vrrp vrid 1 interface Vlanif800 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan calibrate enable schedule time 02:00:00 calibrate policy rogue-ap calibrate policy non-wifi calibrate sensitivity high traffic-profile name meeting-room rate-limit client up 4096 rate-limit client down 4096 user-isolate l2 security-profile name open ssid-profile name meeting-room ssid meeting-room association-timeout 1 wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0 beacon-2g-rate 11 vap-profile name meeting-room service-vlan vlan-id 720 ssid-profile meeting-room security-profile open traffic-profile meeting-room authentication-profile authen-pro ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict rrm-profile name meeting-room airtime-fair-schedule enable smart-roam roam-threshold snr 25 smart-roam quick-kickoff-threshold snr 20 dynamic-edca enable radio-2g-profile name 2G wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal rrm-profile meeting-room radio-5g-profile name 5G wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal rrm-profile meeting-room ap-group name meeting-room radio 0 radio-2g-profile 2G vap-profile meeting-room wlan 1 radio 1 radio-5g-profile 5G vap-profile meeting-room wlan 1 ap-id 1 type-id 75 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 ap-name AP_1 ap-group meeting-room # mac-access-profile name mac # return |
# sysname AC_2 # vrrp recover-delay 60 # vlan batch 720 800 810 820 # authentication-profile name authen-pro mac-access-profile mac portal-access-profile portal free-rule-template default_free_rule authentication-scheme radius_huawei accounting-scheme radius_huawei radius-server radius_huawei # dhcp enable # dhcp snooping enable # vlan 720 description meeting-room dhcp snooping enable vlan 800 description AP-management-vlan # radius-server template radius_huawei radius-server shared-key cipher %^%#jH,7O6/D*,z;7%#@l0f,0IR!ZYX^g=Wj2k"rS~DB%^%# radius-server authentication 172.16.1.254 1812 source ip-address 172.16.1.1 weight 80 radius-server accounting 172.16.1.254 1813 source ip-address 172.16.1.1 weight 80 radius-server timeout 1 radius-server authorization 172.16.1.254 shared-keycipher %^%#`,w9~s3Q8L_.-7Pj=tQ#~~96BFa%N5d.Jw$F(!W@%^%# # free-rule-template name default_free_rule free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255 # url-template name huawei url http://172.16.1.254:8080/portal url-parameter ssid ssid redirect-url url # web-auth-server huawei server-ip 172.16.1.254 port 50200 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%# source-ip 172.16.1.1 url-template huawei # portal-access-profile name portal web-auth-server huawei layer3 # aaa authentication-scheme radius_huawei authentication-mode radius accounting-scheme radius_huawei accounting-mode radius accounting realtime 15 # interface Vlanif800 ip address 10.128.1.3 255.255.255.0 vrrp vrid 1 virtual-ip 10.128.1.1 admin-vrrp vrid 1 dhcp select interface # interface Vlanif810 ip address 10.1.1.254 255.255.255.252 # interface Vlanif820 ip address 172.16.1.3 255.255.255.0 vrrp vrid 2 virtual-ip 172.16.1.1 vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown # interface GigabitEthernet0/0/23 description Connect to AC_1_0/0/23 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 810 # interface GigabitEthernet0/0/24 description Connect to S12700_B_1/1/0/20 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 820 # capwap source ip-address 10.128.1.1 # hsb-service 0 service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241 # hsb-group 0 track vrrp vrid 1 interface Vlanif800 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan calibrate enable schedule time 02:00:00 calibrate policy rogue-ap calibrate policy non-wifi calibrate sensitivity high traffic-profile name meeting-room rate-limit client up 4096 rate-limit client down 4096 user-isolate l2 security-profile name open ssid-profile name meeting-room ssid meeting-room association-timeout 1 wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0 beacon-2g-rate 11 vap-profile name meeting-room service-vlan vlan-id 720 ssid-profile meeting-room security-profile open traffic-profile meeting-room authentication-profile authen-pro ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict rrm-profile name meeting-room airtime-fair-schedule enable smart-roam roam-threshold snr 25 smart-roam quick-kickoff-threshold snr 20 dynamic-edca enable radio-2g-profile name 2G wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal rrm-profile meeting-room radio-5g-profile name 5G wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal rrm-profile meeting-room ap-group name meeting-room radio 0 radio-2g-profile 2G vap-profile meeting-room wlan 1 radio 1 radio-5g-profile 5G vap-profile meeting-room wlan 1 ap-id 1 type-id 75 ap-mac 60de-4476-e360 ap-name AP_1 ap-group meeting-room # mac-access-profile name mac # return |
集群系统 |
---|
# sysname CSS # vlan batch 720 800 820 # interface GigabitEthernet1/1/0/19 description Connect to S7700_1/0/17 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # interface GigabitEthernet1/1/0/20 description Connect to AC_1_0/0/24 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 820 # interface GigabitEthernet1/1/0/21 description Connect to Router_0/0/29 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 820 # interface GigabitEthernet1/1/1/7 mad detect mode direct # interface GigabitEthernet2/1/0/18 description Connect to Router_0/0/30 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 820 # interface GigabitEthernet2/1/0/22 description Connect to S7700_1/0/18 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # interface GigabitEthernet2/1/0/23 description Connect to AC_2_0/0/24 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 820 # interface GigabitEthernet2/1/1/7 mad detect mode direct # return |
S7700 |
---|
# sysname S7700 # vlan batch 720 800 # interface Vlanif720 ip address 10.172.1.1 255.255.240.0 dhcp select relay dhcp relay server-ip 172.16.1.252 # interface GigabitEthernet1/0/3 description Connect to S5700_A_0/0/3 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # interface GigabitEthernet1/0/17 description Connect to S12700_A_1/1/0/19 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # interface GigabitEthernet1/0/18 description Connect to S12700_B_2/1/0/22 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # return |
S5700_A |
---|
# sysname S5700_A # traffic classifier huawei if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 # traffic behavior huawei statistic enable car cir 100 # traffic policy huawei classifier huawei behavior huawei # vlan batch 720 800 # lldp enable # interface GigabitEthernet0/0/1 description Connect to AP_1 port link-type trunk port trunk pvid vlan 800 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 port-isolate enable group 1 stp edged-port enable traffic-policy huawei inbound traffic-policy huawei outbound # interface GigabitEthernet0/0/2 description Connect to AP_2 port link-type trunk port trunk pvid vlan 800 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 port-isolate enable group 1 stp edged-port enable traffic-policy huawei inbound traffic-policy huawei outbound # interface GigabitEthernet0/0/3 description Connect to S7700_1/0/3 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 720 800 # return |
开局常见问题处理
AP上线失败
问题描述
AP上线失败。
可能原因
- 前期PoE交换机PoE参数配置错误
- AC和AP间的链路没打通
- 施工人员网线没做好
以上原因占据平时排查工作大部分时间。
处理过程
处理过程如下:
- 对照AP设备《产品描述》中指定的PoE供电协议标准,检查PoE供电设备是否满足。如果不符,则需要更换为满足要求的PoE供电设备。
对于华为PoE交换机,在系统视图下执行display poe power命令,根据回显信息中的USMPW(mW)值可以确定其供电协议标准:15400表示该交换机支持的PoE供电协议是IEEE 802.3af标准,30000表示该交换机支持的PoE供电协议是IEEE 802.3at标准。
- 检查AP与AC之间网络是否互通。如果不通,请检查对应配置是否正确。
尝试更换连接AP的物理线路。