华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置N+1备份示例
配置流程
WLAN不同的特性和功能需要在不同类型的模板下进行配置和维护,这些模板统称为WLAN模板,如域管理模板、射频模板、VAP模板、AP系统模板、AP有线口模板、WIDS模板、WDS模板、Mesh模板。当用户在配置WLAN业务功能时,需要在对应功能的WLAN模板中进行参数配置,配置完成后,须将此模板引用到AP组或AP中,配置才会自动下发到AP,进而配置的功能在AP上生效。由于模板之间是存在相互引用关系的,因此在用户配置过程中,需要先了解各个模板之间存在的逻辑关系。模板的逻辑关系和基本配置流程请参见WLAN业务配置流程。
组网需求
某大型企业,在各地存在分支机构,在各个分支机构都配有AC管理AP,为用户提供WLAN上网业务,用于收发邮件等上网需求,用户对网络的可靠性要求较低,允许可能出现的短时间业务中断。希望为所有的AC提供备份服务,并控制成本。在这种场景下,可以在企业总部部署一台高性能的AC作为备AC,为其它分支机构的主AC提供备份服务。
如图25-11所示,分支机构1中AC_1作为主AC为AP_1提供业务服务,分支机构2中AC_2作为主AC为AP_2提供业务服务,企业总部中AC_3作为备AC同时为AC_1和AC_2提供备份服务。AC_1通过Router_1连接Network,通过Router_1和Switch_1连接AP_1;AC_2通过Router_2连接Network,通过Router_2和Switch_2连接AP_2;AC_3通过Router_3连接Network,所有AC处于不同网段,AP与AC间也处于不同网段。Router_3作为DHCP服务器为WLAN网络中AP和STA动态分配IP地址。当AC_1或AC_2和AP间CAPWAP链路故障时,AC_3能够代替AC_1或AC_2继续为AP提供业务服务。
配置思路
- 配置各个AC和其它网络设备实现网络互通。Router_3作为DHCP Server为AP和STA分配IP地址。
- AC_1作为AP_1的主AC,AC_2作为AP_2的主AC,在主AC上配置WLAN基本业务。
- AC_3作为AP_1和AP_2的备AC,在备AC上配置WLAN基本业务,业务配置和主AC保持一致。
- 先后在主备AC上配置N+1备份功能。使能N+1备份时,会重启所有AP。
表25-4 数据准备
项目 |
数据 |
|---|---|
AP管理VLAN |
主AC_1上:VLAN99 |
主AC_2上:VLAN100 |
|
STA业务VLAN |
主AC_1上:VLAN101 |
主AC_2上:VLAN102 |
|
DHCP服务器 |
Router_3作为AP和STA的DHCP服务器 STA网关:
AP网关:
|
AP地址池 |
AP_1:10.23.99.2~10.23.99.254/24 AP_2:10.23.100.2~10.23.100.254/24 |
STA地址池 |
STA_1:10.23.101.2~10.23.101.254/24 STA_2:10.23.102.2~10.23.102.254/24 |
AP组 |
主AC_1上:
|
主AC_2上:
|
|
备AC_3上:
|
|
SSID模板 |
主AC_1上:
|
主AC_2上:
|
|
备AC_3上:
|
|
安全模板 |
|
AP系统模板 |
AC_1:
|
AC_2:
|
|
AC_3:
|
|
AC_1源接口 |
VLANIF201:10.23.201.1/24 |
AC_2源接口 |
VLANIF202:10.23.202.1/24 |
AC_3源接口 |
VLANIF203:10.23.203.1/24 |
配置注意事项
- 纯组播报文由于协议要求在无线空口没有ACK机制保障,且无线空口链路不稳定,为了纯组播报文能够稳定发送,通常会以低速报文形式发送。如果网络侧有大量异常组播流量涌入,则会造成无线空口拥堵。为了减小大量低速组播报文对无线网络造成的冲击,建议配置组播报文抑制功能。配置前请确认是否有组播业务,如果有,请谨慎配置限速值。
- 业务数据转发方式采用直接转发时,建议在直连AP的交换机接口上配置组播报文抑制。
- 业务数据转发方式采用隧道转发时,建议在AC的流量模板下配置组播报文抑制。
建议在与AP直连的设备接口上配置端口隔离,如果不配置端口隔离,尤其是业务数据转发方式采用直接转发时,可能会在VLAN内形成大量不必要的广播报文,导致网络阻塞,影响用户体验。
隧道转发模式下,管理VLAN和业务VLAN不能配置为同一VLAN,且AP和AC之间只能放通管理VLAN,不能放通业务VLAN。
- V200R021C00版本开始,配置CAPWAP源接口或源地址时,会检查和安全相关的配置是否已存在,包括DTLS加密的PSK、AC间DTLS加密的PSK、登录AP的用户名和密码、全局离线管理VAP的登录密码,均已存在才能成功配置,否则会提示用户先完成相关的配置。
- V200R021C00版本开始,AC默认开启CAPWAP控制隧道的DTLS加密功能。开启该功能,添加AP时AP会上线失败,此时需要先开启CAPWAP DTLS不认证方式(capwap dtls no-auth enable)让AP上线,以便AP获取安全凭证,AP上线后应及时关闭该功能(undo capwap dtls no-auth enable),避免未授权AP上线。
操作步骤
- 在AC上配置NAC模式为统一模式,以保证用户能够正常接入网络
<HUAWEI> system-view [HUAWEI] authentication unified-mode
如果当前NAC模式为传统模式,则配置NAC模式为统一模式后,需要保存配置并重启设备后生效。
- 配置Router、Switch和AC,使网络设备互通# 在Router_1上创建VLAN99、VLAN101和VLAN201,其中VLAN99用于WLAN的管理VLAN,VLAN101用于WLAN的业务VLAN。Router_1连接Switch_1的接口Eth2/0/0加入VLAN99和VLAN101,连接AC_1的接口Eth2/0/1加入VLAN201。VLANIF99下配置IP地址为10.23.99.1/24,VLANIF101下配置IP地址为10.23.101.1/24,VLANIF201下配置IP地址为10.23.201.2/24。
<HUAWEI> system-view [HUAWEI] sysname Router_1 [Router_1] vlan batch 99 101 201 [Router_1] interface ethernet 2/0/0 [Router_1-Ethernet2/0/0] port link-type trunk [Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101 [Router_1-Ethernet2/0/0] quit [Router_1] interface ethernet 2/0/1 [Router_1-Ethernet2/0/1] port link-type trunk [Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201 [Router_1-Ethernet2/0/1] quit [Router_1] interface vlanif 99 [Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0 [Router_1-Vlanif99] quit [Router_1] interface vlanif 101 [Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0 [Router_1-Vlanif101] quit [Router_1] interface vlanif 201 [Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0 [Router_1-Vlanif201] quit
# 在Router_2上创建VLAN100、VLAN102和VLAN202,其中VLAN100用于WLAN的管理VLAN,VLAN102用于WLAN的业务VLAN。Router_2连接Switch_2的接口Eth2/0/0加入VLAN100和VLAN102,连接AC_2的接口Eth2/0/1加入VLAN202。VLANIF100下配置IP地址为10.23.100.1/24,VLANIF102下配置IP地址为10.23.102.1/24,VLANIF202下配置IP地址为10.23.202.2/24。具体步骤参考Router_1上配置。
# 在Router_3上创建VLAN200、VLAN203,Router_3连接Network的接口Eth2/0/0加入VLAN200,连接AC_3的接口Eth2/0/1加入VLAN203。VLANIF200下配置IP地址为10.23.200.1/24,VLANIF203下配置IP地址为10.23.203.2/24。具体步骤参考Router_1上配置。
# 在AC_1上创建VLAN101、VLAN201,AC_1连接Router_1的接口GE1/0/1加入VLAN201。VLANIF201下配置IP地址为10.23.201.1/24。
<HUAWEI> system-view [HUAWEI] sysname AC_1 [AC_1] vlan batch 101 201 [AC_1] interface gigabitethernet 1/0/1 [AC_1-GigabitEthernet1/0/1] port link-type trunk [AC_1-GigabitEthernet1/0/1] port trunk allow-pass vlan 201 [AC_1-GigabitEthernet1/0/1] quit [AC_1] interface vlanif 201 [AC_1-Vlanif201] ip address 10.23.201.1 255.255.255.0 [AC_1-Vlanif201] quit
# 在AC_2上创建VLAN102、VLAN202,AC_2连接Router_2的接口GE1/0/1加入VLAN202。VLANIF202下配置IP地址为10.23.202.1/24。具体步骤参考AC_1上配置。
# 在AC_3上创建VLAN101、VLAN102、VLAN203,AC_3连接Router_3的接口GE1/0/1加入VLAN203。VLANIF203下配置IP地址为10.23.203.1/24。具体步骤参考AC_1上配置。
# 在Switch_1上创建VLAN99和VLAN101,Switch_1连接Router_1的接口GE0/0/2加入VLAN99和VLAN101,Switch_1连接AP_1的接口GE0/0/1加入VLAN99和VLAN101,且其PVID为VLAN99。
<HUAWEI> system-view [HUAWEI] sysname Switch_1 [Switch_1] vlan batch 99 101 [Switch_1] interface gigabitethernet 0/0/1 [Switch_1-GigabitEthernet0/0/1] port link-type trunk [Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99 [Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101 [Switch_1-GigabitEthernet0/0/1] port-isolate enable [Switch_1-GigabitEthernet0/0/1] quit [Switch_1] interface gigabitethernet 0/0/2 [Switch_1-GigabitEthernet0/0/2] port link-type trunk [Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101 [Switch_1-GigabitEthernet0/0/2] quit
# 在Switch_2上创建VLAN100和VLAN102,Switch_2连接Router_2的接口GE0/0/2加入VLAN100和VLAN102,Switch_2连接AP_2的接口GE0/0/1加入VLAN100和VLAN102。具体步骤参考Switch_1上配置。
# 配置路由,使AC_1和AC_3、AP_1和AC_3、AC_2和AC_3、AP_2和AC_3互通。根据实际组网进行配置。此处省略具体步骤。
# 在AC_1上配置AC_1到AP_1的路由,下一跳为Router_1的VLANIF201,使AC_1和AP_1互通。[AC_1] ip route-static 10.23.99.0 24 10.23.201.2
# 在AC_2上配置AC_2到AP_2的路由,下一跳为Router_2的VLANIF202,使AC_2和AP_2互通。[AC_2] ip route-static 10.23.101.0 24 10.23.202.2
- 配置DHCP服务,为AP和STA分配IP地址
# 配置Router_1作为DHCP中继。
[Router_1] dhcp enable [Router_1] interface vlanif 99 [Router_1-Vlanif99] dhcp select relay [Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1 [Router_1-Vlanif99] quit [Router_1] interface vlanif 101 [Router_1-Vlanif101] dhcp select relay [Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1 [Router_1-Vlanif101] quit
# 配置Router_2作为DHCP中继。
[Router_2] dhcp enable [Router_2] interface vlanif 100 [Router_2-Vlanif100] dhcp select relay [Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1 [Router_2-Vlanif100] quit [Router_2] interface vlanif 102 [Router_2-Vlanif102] dhcp select relay [Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1 [Router_2-Vlanif102] quit
# 配置Router_3作为DHCP服务器为AP和STA分配IP地址,并配置option 43字段向AP_1通告AC_1和AC_3的IP地址,向AP_2通告AC_2和AC_3的IP地址。地址池ap_1_pool为AP_1分配地址,地址池ap_2_pool为AP_2分配地址,地址池sta_1_pool为STA_1分配地址,地址池sta_2_pool为STA_2分配地址。
本例中AP_1和AP_2不能共用一个地址池,否则AP_1能够发现AC_2,AP_2能够发现AC_1,AP无法通过指定优先级接入正确的AC。
DNS服务器地址请根据实际需要配置。常用配置方法如下:- 接口地址池场景,需要在VLANIF接口视图下执行命令dhcp server dns-list ip-address &<1-8>。
- 全局地址池场景,需要在IP地址池视图下执行命令dns-list ip-address &<1-8>。
[Router_3] dhcp enable [Router_3] ip pool ap_1_pool [Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24 [Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1 [Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1 [Router_3-ip-pool-ap_1_pool] quit [Router_3] ip pool ap_2_pool [Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24 [Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1 [Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1 [Router_3-ip-pool-ap_2_pool] quit [Router_3] ip pool sta_1_pool [Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24 [Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1 [Router_3-ip-pool-sta_1_pool] quit [Router_3] ip pool sta_2_pool [Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24 [Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1 [Router_3-ip-pool-sta_2_pool] quit
- 配置AC_1的WLAN基本业务
- 配置AP上线
# 创建AP组,用于将相同配置的AP都加入同一AP组中。
[AC_1] wlan [AC_1-wlan-view] ap-group name ap-group1 [AC_1-wlan-ap-group-ap-group1] quit
# 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
[AC_1-wlan-view] regulatory-domain-profile name domain1 [AC_1-wlan-regulate-domain-domain1] country-code cn [AC_1-wlan-regulate-domain-domain1] quit [AC_1-wlan-view] ap-group name ap-group1 [AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1 Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y [AC_1-wlan-ap-group-ap-group1] quit [AC_1-wlan-view] quit
# 配置AC的源接口。
[AC_1] capwap source interface vlanif 201
# 在AC上离线导入AP,并将AP加入AP组“ap-group1”中。假设AP的MAC地址为00e0-fc76-e360,并且根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为00e0-fc76-e360的AP部署在1号区域,命名此AP为area_1。ap auth-mode命令缺省情况下为MAC认证,如果之前没有修改其缺省配置,可以不用执行ap auth-mode mac-auth。
举例中使用的AP为AP5030DN,具有射频0和射频1两个射频。AP5030DN的射频0为2.4GHz射频,射频1为5GHz射频。
[AC_1] wlan [AC_1-wlan-view] ap auth-mode mac-auth [AC_1-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360 [AC_1-wlan-ap-0] ap-name area_1 [AC_1-wlan-ap-0] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurati ons of the radio, Whether to continue? [Y/N]:y [AC_1-wlan-ap-0] quit
# 将AP上电后,当执行命令display ap all查看到AP的“State”字段为“nor”时,表示AP正常上线。
[AC_1-wlan-view] display ap all Total AP information: nor : normal [1] Extrainfo : Extra information P : insufficient power supply ---------------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime ExtraInfo ---------------------------------------------------------------------------------------------------- 0 00e0-fc76-e360 area_1 ap-group1 10.23.99.254 AP5030DN nor 0 10S - ---------------------------------------------------------------------------------------------------- Total: 1
- 配置WLAN业务参数# 创建名为“wlan-security”的安全模板,并配置安全策略。
举例中以配置WPA2+PSK+AES的安全策略为例,密码为“a1234567”,实际配置中请根据实际情况,配置符合实际要求的安全策略。
[AC_1-wlan-view] security-profile name wlan-security [AC_1-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes [AC_1-wlan-sec-prof-wlan-security] quit
# 创建名为“wlan-net”的SSID模板,并配置SSID名称为“wlan-net”。
[AC_1-wlan-view] ssid-profile name wlan-net [AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net [AC_1-wlan-ssid-prof-wlan-net] quit
# 创建名为“wlan-vap”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。
[AC_1-wlan-view] vap-profile name wlan-vap [AC_1-wlan-vap-prof-wlan-vap] forward-mode direct-forward [AC_1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 [AC_1-wlan-vap-prof-wlan-vap] security-profile wlan-security [AC_1-wlan-vap-prof-wlan-vap] ssid-profile wlan-net [AC_1-wlan-vap-prof-wlan-vap] quit
# 配置AP组引用VAP模板,AP上射频0和射频1都使用VAP模板“wlan-vap”的配置。
[AC_1-wlan-view] ap-group name ap-group1 [AC_1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0 [AC_1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1 [AC_1-wlan-ap-group-ap-group1] quit
- 配置AP上线
- 配置AC_2的WLAN基本业务
# AC_2基本业务参数的配置请参考AC_1的配置过程。
# 配置AC_2的源接口。
[AC_2] capwap source interface vlanif 202
# “新建AP组”的“AP组名称”为“ap-group2”。
[AC_2] wlan [AC_2-wlan-view] ap-group name ap-group2 [AC_2-wlan-ap-group-ap-group2] quit
# 在AC上离线导入AP,并将AP加入AP组“ap-group2”中。假设AP的MAC地址为00e0-fc74-9640,并且根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为00e0-fc74-9640的AP部署在2号区域,命名此AP为area_2。
[AC_2] wlan [AC_2-wlan-view] ap auth-mode mac-auth [AC_2-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640 [AC_2-wlan-ap-1] ap-name area_2 [AC_2-wlan-ap-1] ap-group ap-group2 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurati ons of the radio, Whether to continue? [Y/N]:y [AC_2-wlan-ap-1] quit
# 创建名为“wlan-security”的安全模板,并配置安全策略。举例中以配置WPA2+PSK+AES的安全策略为例,密码为“a1234567”,实际配置中请根据实际情况,配置符合实际要求的安全策略。
[AC_2-wlan-view] security-profile name wlan-security [AC_2-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes [AC_2-wlan-sec-prof-wlan-security] quit
# 新建SSID配置SSID名称为“wlan-net1”。
[AC_2-wlan-view] ssid-profile name wlan-net1 [AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1 [AC_2-wlan-ssid-prof-wlan-net1] quit
# 创建名为“wlan-vap1”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。
[AC_2-wlan-view] vap-profile name wlan-vap1 [AC_2-wlan-vap-prof-wlan-vap1] forward-mode direct-forward [AC_2-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 102 [AC_2-wlan-vap-prof-wlan-vap1] security-profile wlan-security [AC_2-wlan-vap-prof-wlan-vap1] ssid-profile wlan-net1 [AC_2-wlan-vap-prof-wlan-vap1] quit
# 配置AP组引用VAP模板,AP上射频0和射频1都使用VAP模板“wlan-vap1”的配置。
[AC_2-wlan-view] ap-group name ap-group2 [AC_2-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 0 [AC_2-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 1 [AC_2-wlan-ap-group-ap-group2] quit
# 其他参数设置同AC_1。
- 配置AC_3的WLAN基本业务
- 配置AP上线
# 创建AP组,用于将相同配置的AP都加入同一AP组中。
[AC_3] wlan [AC_3-wlan-view] ap-group name ap-group1 [AC_3-wlan-ap-group-ap-group1] quit [AC_3-wlan-view] ap-group name ap-group2 [AC_3-wlan-ap-group-ap-group2] quit
# 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
[AC_3-wlan-view] regulatory-domain-profile name domain1 [AC_3-wlan-regulate-domain-domain1] country-code cn [AC_3-wlan-regulate-domain-domain1] quit [AC_3-wlan-view] ap-group name ap-group1 [AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile domain1 Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y [AC_3-wlan-ap-group-ap-group1] quit [AC_3-wlan-view] ap-group name ap-group2 [AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile domain1 Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y [AC_3-wlan-ap-group-ap-group2] quit [AC_3-wlan-view] quit
# 配置AC_3的源接口。
[AC_3] capwap source interface vlanif 203
ap auth-mode命令缺省情况下为MAC认证,如果之前没有修改其缺省配置,可以不用执行ap auth-mode mac-auth。
[AC_3] wlan [AC_3-wlan-view] ap auth-mode mac-auth [AC_3-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360 [AC_3-wlan-ap-0] ap-name area_1 [AC_3-wlan-ap-0] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y [AC_3-wlan-ap-0] quit [AC_3-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640 [AC_3-wlan-ap-1] ap-name area_2 [AC_3-wlan-ap-1] ap-group ap-group2 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y [AC_3-wlan-ap-1] quit
# 可以查看到AP的“AP State”字段为“fault”。
[AC_3-wlan-view] display ap all Total AP information: idle : idle [2] Extrainfo : Extra information P : insufficient power supply ---------------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime ExtraInfo ---------------------------------------------------------------------------------------------------- 0 00e0-fc76-e360 area_1 ap-group1 - - fault 0 - - 1 00e0-fc74-9640 area_2 ap-group2 - - fault 0 - - ---------------------------------------------------------------------------------------------------- Total: 2
- 配置WLAN业务参数# 创建名为“wlan-security”的安全模板,并配置安全策略。
举例中以配置WPA2+PSK+AES的安全策略为例,密码为“a1234567”,实际配置中请根据实际情况,配置符合实际要求的安全策略。
[AC_3-wlan-view] security-profile name wlan-security [AC_3-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes [AC_3-wlan-sec-prof-wlan-security] quit
# 创建名为“wlan-net”的SSID模板,并配置SSID名称为“wlan-net”。
[AC_3-wlan-view] ssid-profile name wlan-net [AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net [AC_3-wlan-ssid-prof-wlan-net] quit
# 创建名为“wlan-net1”的SSID模板,并配置SSID名称为“wlan-net1”。
[AC_3-wlan-view] ssid-profile name wlan-net1 [AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1 [AC_3-wlan-ssid-prof-wlan-net1] quit
# 创建名为“wlan-vap”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。
[AC_3-wlan-view] vap-profile name wlan-vap [AC_3-wlan-vap-prof-wlan-vap] forward-mode direct-forward [AC_3-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 [AC_3-wlan-vap-prof-wlan-vap] security-profile wlan-security [AC_3-wlan-vap-prof-wlan-vap] ssid-profile wlan-net [AC_3-wlan-vap-prof-wlan-vap] quit
# 创建名为“wlan-vap1”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。
[AC_3-wlan-view] vap-profile name wlan-vap1 [AC_3-wlan-vap-prof-wlan-vap1] forward-mode direct-forward [AC_3-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 102 [AC_3-wlan-vap-prof-wlan-vap1] security-profile wlan-security [AC_3-wlan-vap-prof-wlan-vap1] ssid-profile wlan-net1 [AC_3-wlan-vap-prof-wlan-vap1] quit
# 配置AP组引用VAP模板和AP系统模板,AP上射频0和射频1都使用VAP模板的配置。
[AC_3-wlan-view] ap-group name ap-group1 [AC_3-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0 [AC_3-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1 [AC_3-wlan-ap-group-ap-group1] quit [AC_3-wlan-view] ap-group name ap-group2 [AC_3-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 0 [AC_3-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 1 [AC_3-wlan-ap-group-ap-group2] quit
- 配置AP上线
- 配置主AC_1、主AC_2和备AC_3的N+1备份功能并使能# 在AC_1上,配置主备AC的IP地址,用于N+1备份。
[AC_1-wlan-view] ap-system-profile name ap-system [AC_1-wlan-ap-system-prof-ap-system] primary-access ip-address 10.23.201.1 [AC_1-wlan-ap-system-prof-ap-system] backup-access ip-address 10.23.203.1 [AC_1-wlan-ap-system-prof-ap-system] quit [AC_1-wlan-view] ap-group name ap-group1 [AC_1-wlan-ap-group-ap-group1] ap-system-profile ap-system [AC_1-wlan-ap-group-ap-group1] quit
# 在AC_2上,配置主备AC的IP地址,用于N+1备份。[AC_2-wlan-view] ap-system-profile name ap-system1 [AC_2-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.202.1 [AC_2-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.203.1 [AC_2-wlan-ap-system-prof-ap-system1] quit [AC_2-wlan-view] ap-group name ap-group2 [AC_2-wlan-ap-group-ap-group2] ap-system-profile ap-system1 [AC_2-wlan-ap-group-ap-group2] quit
# 在AC_3上,配置主备AC的IP地址,用于N+1备份。[AC_3-wlan-view] ap-system-profile name ap-system [AC_3-wlan-ap-system-prof-ap-system] primary-access ip-address 10.23.201.1 [AC_3-wlan-ap-system-prof-ap-system] backup-access ip-address 10.23.203.1 [AC_3-wlan-ap-system-prof-ap-system] quit [AC_3-wlan-view] ap-group name ap-group1 [AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system [AC_3-wlan-ap-group-ap-group1] quit [AC_3-wlan-view] ap-system-profile name ap-system1 [AC_3-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.202.1 [AC_3-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.203.1 [AC_3-wlan-ap-system-prof-ap-system1] quit [AC_3-wlan-view] ap-group name ap-group2 [AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1 [AC_3-wlan-ap-group-ap-group2] quit
# 在AC_1上,使能N+1备份功能,重启所有AP使N+1备份功能生效。缺省情况下,N+1备份功能开启,执行命令undo ac protect enable会提示Info。需要在主AC上继续执行命令ap-reset all重启所有AP,AP重启后,N+1备份功能开始生效。
[AC_1-wlan-view] undo ac protect enable Info: Backup function has already disabled. [AC_1-wlan-view] ap-reset all Warning: Reset AP(s), continue?[Y/N]:y
# 在AC_2上,使能N+1备份功能,重启所有AP使N+1备份功能生效。[AC_2-wlan-view] undo ac protect enable Info: Backup function has already disabled. [AC_2-wlan-view] ap-reset all Warning: Reset AP(s), continue?[Y/N]:y
# 在AC_3上,开启回切开关,使能N+1备份功能。缺省情况下,全局回切功能处于使能状态,执行命令undo ac protect restore disable会提示Info。
[AC_3-wlan-view] undo ac protect restore disable Info: Protect restore has already enabled. [AC_3-wlan-view] undo ac protect enable Info: Backup function has already disabled. [AC_3-wlan-view] ap-reset all Warning: Reset AP(s), continue?[Y/N]:y
- 验证配置结果
# 在主AC_1上执行命令display ac protect和display ap-system-profile,查看AC上N+1备份信息。
[AC_1-wlan-view] display ac protect ------------------------------------------------------------ Protect state : disable Protect AC : - Priority : 0 Protect restore : enable ... ------------------------------------------------------------ [AC_1-wlan-view] display ap-system-profile name ap-system ------------------------------------------------------------------------------ AC priority : - Protect AC IP address : - Primary AC : 10.23.201.1 Backup AC : 10.23.203.1 ... ------------------------------------------------------------------------------
# 在主AC_2上执行命令display ac protect和display ap-system-profile,查看AC上N+1备份信息。
[AC_2-wlan-view] display ac protect ------------------------------------------------------------ Protect state : disable Protect AC : - Priority : 0 Protect restore : enable ... ------------------------------------------------------------ [AC_2-wlan-view] display ap-system-profile name ap-system1 ------------------------------------------------------------------------------ AC priority : - Protect AC IP address : - Primary AC : 10.23.202.1 Backup AC : 10.23.203.1 ... ------------------------------------------------------------------------------
# 在备AC_3上执行命令display ac protect和display ap-system-profile,查看AC上N+1备份信息。
[AC_3-wlan-view] display ac protect ------------------------------------------------------------ Protect state : disable Protect AC : - Priority : 0 Protect restore : enable ... ------------------------------------------------------------ [AC_3-wlan-view] display ap-system-profile name ap-system ------------------------------------------------------------------------------ AC priority : - Protect AC IP address : - Primary AC : 10.23.201.1 Backup AC : 10.23.203.1 ... ------------------------------------------------------------------------------ [AC_3-wlan-view] display ap-system-profile name ap-system1 ------------------------------------------------------------------------------ AC priority : - Protect AC IP address : - Primary AC : 10.23.202.1 Backup AC : 10.23.203.1 ... ------------------------------------------------------------------------------
AP下的无线接入用户可以搜索到SSID标识为“wlan-net”或“wlan-net1”的WLAN网络并正常上线。
当AP与AC_1和AC_2的链路中断后,AC_3切换为主AC,保证业务可以快速恢复。
配置文件
Switch_1的配置文件
# sysname Switch_1 # vlan batch 99 101 # interface GigabitEthernet0/0/1 port link-type trunk port trunk pvid vlan 99 port trunk allow-pass vlan 99 101 port-isolate enable group 1 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 99 101 # return
Switch_2的配置文件
# sysname Switch_2 # vlan batch 100 102 # interface GigabitEthernet0/0/1 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 102 port-isolate enable group 1 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 100 102 # return
AC_1的配置文件
# sysname AC_1 # vlan batch 101 201 # interface Vlanif201 ip address 10.23.201.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 201 # ip route-static 10.23.99.0 255.255.255.0 10.23.201.2 # capwap source interface Vlanif201 # wlan security-profile name wlan-security security wpa2 psk pass-phrase %^%#hgEp#@>security wpa2 psk pass-phrase %^%#hgEp#@> ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-vap service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-security regulatory-domain-profile name domain1 ap-system-profile name ap-system primary-access ip-address 10.23.201.1 backup-access ip-address 10.23.203.1 ap-group name ap-group1 ap-system-profile ap-system regulatory-domain-profile domain1 radio 0 vap-profile wlan-vap wlan 1 radio 1 vap-profile wlan-vap wlan 1 ap-id 0 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 # return
AC_2的配置文件
# sysname AC_2 # vlan batch 102 202 # interface Vlanif202 ip address 10.23.202.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 202 # ip route-static 10.23.101.0 255.255.255.0 10.23.202.2 # capwap source interface vlanif202 # wlan security-profile name wlan-security security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes ssid-profile name wlan-net1 ssid wlan-net1 vap-profile name wlan-vap1 service-vlan vlan-id 102 ssid-profile wlan-net1 security-profile wlan-security regulatory-domain-profile name domain1 ap-system-profile name ap-system1 primary-access ip-address 10.23.202.1 backup-access ip-address 10.23.203.1 ap-group name ap-group2 ap-system-profile ap-system1 regulatory-domain-profile domain1 radio 0 vap-profile wlan-vap1 wlan 1 radio 1 vap-profile wlan-vap1 wlan 1 ap-id 1 type-id 19 ap-mac 00e0-fc74-9640 ap-sn 210235419610D2000097 ap-name area_2 ap-group ap-group2 # return
AC_3的配置文件
# sysname AC_3 # vlan batch 101 to 102 203 # interface Vlanif203 ip address 10.23.203.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 203 # capwap source interface vlanif203 # wlan security-profile name wlan-security security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes ssid-profile name wlan-net ssid wlan-net ssid-profile name wlan-net1 ssid wlan-net1 vap-profile name wlan-vap service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-security vap-profile name wlan-vap1 service-vlan vlan-id 102 ssid-profile wlan-net1 security-profile wlan-security regulatory-domain-profile name domain1 ap-system-profile name ap-system primary-access ip-address 10.23.201.1 backup-access ip-address 10.23.203.1 ap-system-profile name ap-system1 primary-access ip-address 10.23.202.1 backup-access ip-address 10.23.203.1 ap-group name ap-group1 ap-system-profile ap-system regulatory-domain-profile domain1 radio 0 vap-profile wlan-vap wlan 1 radio 1 vap-profile wlan-vap wlan 1 ap-group name ap-group2 ap-system-profile ap-system1 regulatory-domain-profile domain1 radio 0 vap-profile wlan-vap1 wlan 1 radio 1 vap-profile wlan-vap1 wlan 1 ap-id 0 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 ap-id 1 type-id 19 ap-mac 00e0-fc74-9640 ap-sn 210235419610D2000097 ap-name area_2 ap-group ap-group2 # returnRouter_1的配置文件
# sysname Router_1 # vlan batch 99 101 201 # dhcp enable # interface Vlanif99 ip address 10.23.99.1 255.255.255.0 dhcp select relay dhcp relay server-ip 10.23.200.1 # interface Vlanif101 ip address 10.23.101.1 255.255.255.0 dhcp select relay dhcp relay server-ip 10.23.200.1 # interface Vlanif201 ip address 10.23.201.2 255.255.255.0 # interface Ethernet2/0/0 port link-type trunk port trunk allow-pass vlan 99 101 # interface Ethernet2/0/1 port link-type trunk port trunk allow-pass vlan 201 # return
Router_2的配置文件
# sysname Router_2 # vlan batch 100 102 202 # dhcp enable # interface Vlanif100 ip address 10.23.100.1 255.255.255.0 dhcp select relay dhcp relay server-ip 10.23.200.1 # interface Vlanif102 ip address 10.23.102.1 255.255.255.0 dhcp select relay dhcp relay server-ip 10.23.200.1 # interface Vlanif202 ip address 10.23.202.2 255.255.255.0 # interface Ethernet2/0/0 port link-type trunk port trunk allow-pass vlan 100 102 # interface Ethernet2/0/1 port link-type trunk port trunk allow-pass vlan 202 # return
Router_3的配置文件
# sysname Router_3 # vlan batch 200 203 # dhcp enable # ip pool ap_1_pool gateway-list 10.23.99.1 network 10.23.99.0 mask 255.255.255.0 option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1 # ip pool ap_2_pool gateway-list 10.23.100.1 network 10.23.100.0 mask 255.255.255.0 option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1 # ip pool sta_1_pool gateway-list 10.23.101.1 network 10.23.101.0 mask 255.255.255.0 # ip pool sta_2_pool gateway-list 10.23.102.1 network 10.23.102.0 mask 255.255.255.0 # interface Vlanif200 ip address 10.23.200.1 255.255.255.0 # interface Vlanif203 ip address 10.23.203.2 255.255.255.0 # interface Ethernet2/0/0 port link-type trunk port trunk allow-pass vlan 200 # interface Ethernet2/0/1 port link-type trunk port trunk allow-pass vlan 203 # return
