评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置VXLAN分布式网关组网下AC间二层漫游示例
组网需求
某企业有部署在不同区域的AC设备,AC设备上配置VXLAN分布式网关及DHCP Relay功能,无线用户通过AC设备下挂的AP设备接入网络,由DHCP Server分配IP地址。现在需求为实现AC设备间用户的二层漫游。
图1-72所示,STA在Area_1和Area_2之间实现二层漫游。
本举例中VXLAN隧道侧接口以X系列单板为例。
数据准备
表1-22 配置BGP EVPN相关数据
设备 |
EVPN实例 |
RD值 |
BD |
VNI |
Router id |
Peer IP |
|---|---|---|---|---|---|---|
VTEP1 |
evpn20:
|
1:20 |
20 |
20 |
10.1.1.1 |
10.2.2.2;10.3.3.3 |
VTEP2 |
evpn10:
|
2:10 |
10 |
10 |
10.2.2.2 |
10.1.1.1;10.3.3.3 |
VTEP3 |
evpn10:
|
3:10 |
10 |
10 |
10.3.3.3 |
10.1.1.1;10.2.2.2 |
表1-23 配置VPN实例相关数据
设备 |
接口 |
VPN实例 |
VNI |
RD值 |
|---|---|---|---|---|
VTEP1 |
VBDIF 20 |
vpn1:
|
100 |
1:100 |
VTEP2 |
VBDIF 10 |
vpn1:
|
100 |
2:100 |
VTEP3 |
VBDIF 10 |
vpn1:
|
100 |
3:100 |
表1-24 AC数据规划表
配置项 |
VTEP2 |
VTEP3 |
|---|---|---|
AP的IP地址分配 |
VTEP2配置基于接口VLANIF100的DHCP服务器,为相连的AP分配IP地址。 |
VTEP3配置基于接口VLANIF200的DHCP服务器,为相连的AP分配IP地址。 |
AP的IP地址池 |
192.168.100.2~192.168.100.254/24 |
192.168.200.2~192.168.200.254/24 |
STA的IP地址池 |
192.168.10.2~192.168.10.254/24 |
192.168.10.2~192.168.10.254/24 |
AC的源接口IP地址 |
源接口: VLANIF100:192.168.100.1/24 |
源接口: VLANIF200:192.168.200.1/24 |
AP组 |
|
|
域管理模板 |
|
|
SSID模板 |
|
|
安全模板 |
|
|
VAP模板 |
|
|
漫游参数 |
|
|
配置思路
采用如下思路配置VXLAN分布式网关组网下AC间二层漫游:
配置VXLAN网络。
- 分别在VTEP1、VTEP2、VTEP3上配置路由协议,保证网络三层互通。
- 分别在VTEP1、VTEP2、VTEP3上配置VXLAN接入业务部署方式。
- 分别在VTEP1、VTEP2、VTEP3上配置EVPN实例并绑定BD域。
- 分别在VTEP1、VTEP2、VTEP3上配置VPN实例并绑定VBDIF接口。
- 分别在VTEP1、VTEP2、VTEP3上配置它们之间的BGP EVPN对等体关系。
- 分别在VTEP1、VTEP2、VTEP3上配置VXLAN隧道目的端地址。
- 分别在VTEP1、VTEP2、VTEP3上配置VXLAN网关。
配置分布式网关的DHCP Relay功能。
在VTEP2、VTEP3上配置VXLAN隧道侧接口加入端口防攻击的白名单。
配置DHCP Server,为STA用户分配IP地址。
在VTEP2和VTEP3上配置AP管理VLAN的接入,并配置DHCP服务器功能,为AP分配管理IP。
在VTEP2和VTEP3上配置路由协议,实现AP管理IP网关之间的互通。
在VTEP2和VTEP3上配置AP上线。
在VTEP2和VTEP3上配置WLAN业务参数,实现STA访问WLAN网络功能。
在VTEP2和VTEP3上配置WLAN漫游功能,实现AC间二层漫游。
园区网络的三层互通是构建虚拟网络的基础条件,现网中,如果园区网络已经实现三层网络的互通,那么该举例中的步骤1可以省略。
配置注意事项
- 同一漫游组内的AC必须使用相同的软件C版本,否则可能会导致AC间漫游失败。
- 漫游组内每个AC上均需要配置AC间建链的IP地址、漫游组,并添加成员AC。
- 配置的漫游组内AC间建链的IP地址必须是AC的CAPWAP源IP地址。当配置了多个CAPWAP源地址时,仅可以指定一个CAPWAP源地址作为AC间建链地址。
- 每个AC上漫游组名称必须一致。
操作步骤
- 配置VXLAN网络
- 在VTEP2、VTEP3上配置DHCP Relay功能以及分布式网关的DHCP Relay重选路由功能
# 配置VTEP2。
[VTEP2] dhcp enable [VTEP2] dhcp option82 vendor-specific format vendor-sub-option 2 ip-address 10.2.2.2 [VTEP2] bridge-domain 10 [VTEP2-bd10] dhcp option82 insert enable [VTEP2-bd10] dhcp option82 encapsulation vendor-specific-id [VTEP2-bd10] quit [VTEP2] interface vbdif 10 [VTEP2-Vbdif10] dhcp select relay [VTEP2-Vbdif10] dhcp relay server-ip 192.168.20.10 [VTEP2-Vbdif10] dhcp relay information enable [VTEP2-Vbdif10] dhcp relay anycast gateway re-route enable [VTEP2-Vbdif10] quit
# 配置VTEP3。
[VTEP3] dhcp enable [VTEP3] dhcp option82 vendor-specific format vendor-sub-option 2 ip-address 10.3.3.3 [VTEP3] bridge-domain 10 [VTEP3-bd10] dhcp option82 insert enable [VTEP3-bd10] dhcp option82 encapsulation vendor-specific-id [VTEP3-bd10] quit [VTEP3] interface vbdif 10 [VTEP3-Vbdif10] dhcp select relay [VTEP3-Vbdif10] dhcp relay server-ip 192.168.20.10 [VTEP3-Vbdif10] dhcp relay information enable [VTEP3-Vbdif10] dhcp relay anycast gateway re-route enable [VTEP3-Vbdif10] quit
- 在VTEP2、VTEP3上配置VXLAN隧道侧接口加入端口防攻击的白名单。
# 在VTEP2上配置VXLAN隧道侧接口GigabitEthernet1//0/1加入端口防攻击的白名单。
[VTEP2] cpu-defend policy vxlan_tunnel_side [VTEP2-cpu-defend-policy-vxlan_tunnel_side] auto-port-defend whitelist 1 interface GigabitEthernet1/0/1 [VTEP2-cpu-defend-policy-vxlan_tunnel_side] quit [VTEP2] cpu-defend-policy vxlan_tunnel_side global
# 在VTEP3上配置VXLAN隧道侧接口GigabitEthernet1//0/1加入端口防攻击的白名单。
[VTEP3] cpu-defend policy vxlan_tunnel_side [VTEP3-cpu-defend-policy-vxlan_tunnel_side] auto-port-defend whitelist 1 interface GigabitEthernet1/0/1 [VTEP3-cpu-defend-policy-vxlan_tunnel_side] quit [VTEP3] cpu-defend-policy vxlan_tunnel_side global
- 验证DHCP Relay功能配置结果
# 上述配置成功后,在VTEP2、VTEP3上执行命令display dhcp relay可查看接口DHCP Relay配置情况。以VTEP2显示为例。
[VTEP2] display dhcp relay interface vbdif 10 DHCP relay agent running information of interface Vbdif10 : Server IP address [00] : 192.168.20.10 Gateway address in use : 192.168.10.1
- 配置DHCP服务器具体配置过程略。DHCP服务器需要满足以下条件:
- 在DHCP服务器上配置地址池,以便服务器端分配正确的IP地址给客户端。
- 建议配置地址池租期,提高IP地址的使用效率。
- 在VTEP2和VTEP3上配置AP管理VLAN的接入,并配置DHCP服务器功能,为AP分配管理IP
# 配置VTEP2。
[VTEP2] vlan 100 [VTEP22-vlan100] quit [VTEP2] interface gigabitethernet 1/0/2 [VTEP2-GigabitEthernet1/0/2] port link-type access [VTEP2-GigabitEthernet1/0/2] port default vlan 100 [VTEP2-GigabitEthernet1/0/2] quit [VTEP2] interface vlanif 100 [VTEP2-Vlanif100] ip address 192.168.100.1 24 [VTEP2-Vlanif100] dhcp select interface [VTEP2-Vlanif100] quit
# 配置VTEP3。
[VTEP3] vlan 200 [VTEP3-vlan200] quit [VTEP3] interface gigabitethernet 1/0/2 [VTEP3-GigabitEthernet1/0/2] port link-type access [VTEP3-GigabitEthernet1/0/2] port default vlan 200 [VTEP3-GigabitEthernet1/0/2] quit [VTEP3] interface vlanif 200 [VTEP3-Vlanif200] ip address 192.168.200.1 24 [VTEP3-Vlanif200] dhcp select interface [VTEP3-Vlanif200] quit
- 在VTEP2和VTEP3上配置其作为AC设备的CAPWAP隧道源IP地址
# 配置VTEP2
[VTEP2] capwap source interface vlanif 100
# 配置VTEP3
[VTEP3] capwap source interface vlanif 200
- 在VTEP2和VTEP3上配置路由协议,实现CAPWAP隧道源IP地址之间互通。
# 配置VTEP2
[VTEP2] ospf [VTEP2-ospf-1] area 0 [VTEP2-ospf-1-area-0.0.0.0] network 192.168.100.0 0.0.0.255 [VTEP2-ospf-1-area-0.0.0.0] quit [VTEP2-ospf-1] quit
# 配置VTEP3
[VTEP3] ospf [VTEP3-ospf-1] area 0 [VTEP3-ospf-1-area-0.0.0.0] network 192.168.200.0 0.0.0.255 [VTEP3-ospf-1-area-0.0.0.0] quit [VTEP3-ospf-1] quit
- 在VTEP2和VTEP3上分别配置AP上线,以VTEP2为例,VTEP3的配置同VTEP2类似# 创建AP组,用于将相同配置的AP都加入同一AP组中。
[VTEP2] wlan [VTEP2-wlan-view] ap-group name ap-group1 [VTEP2-wlan-ap-group-ap-group1] quit
# 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。[VTEP2-wlan-view] regulatory-domain-profile name default [VTEP2-wlan-regulate-domain-default] country-code cn [VTEP2-wlan-regulate-domain-default] quit [VTEP2-wlan-view] ap-group name ap-group1 [VTEP2-wlan-ap-group-ap-group1] regulatory-domain-profile default Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y [VTEP2-wlan-ap-group-ap-group1] quit [VTEP2-wlan-view] quit
# 在AC上离线导入AP,并将AP加入AP组“ap-group1”中。假设AP的MAC地址为60de-4476-e360,并且根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为60de-4476-e360的AP部署在1号区域,命名此AP为area_1。ap auth-mode命令缺省情况下为MAC认证,如果之前没有修改其缺省配置,可以不用执行ap auth-mode mac-auth命令。
举例中使用的AP为AP5030DN,具有射频0和射频1两个射频。AP5030DN的射频0为2.4GHz射频,射频1为5GHz射频。
[VTEP2] wlan [VTEP2-wlan-view] ap auth-mode mac-auth [VTEP2-wlan-view] ap-id 0 ap-mac 60de-4476-e360 [VTEP2-wlan-ap-0] ap-name area_1 Warning: This operation may cause AP reset. Continue? [Y/N]:y [VTEP2-wlan-ap-0] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y [VTEP2-wlan-ap-0] quit
# 将AP上电后,当执行命令display ap all查看到AP的“State”字段为“nor”时,表示AP正常上线。[VTEP2-wlan-view] display ap all Total AP information: nor : normal [1] Extra information: P : insufficient power supply -------------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime ExtraInfo -------------------------------------------------------------------------------------------------- 0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S - -------------------------------------------------------------------------------------------------- Total: 1
- 在VTEP2和VTEP3上配置WLAN业务参数,以VTEP2为例,VTEP3的配置同VTEP2类似# 创建名为“wlan-net”的安全模板,并配置安全策略。
举例中以配置WPA-WPA2+PSK+AES的安全策略为例,密码为“a1234567”,实际配置中请根据实际情况,配置符合实际要求的安全策略。
[VTEP2-wlan-view] security-profile name wlan-net [VTEP2-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes [VTEP2-wlan-sec-prof-wlan-net] quit
# 创建名为“wlan-net”的SSID模板,并配置SSID名称为“wlan-net”。[VTEP2-wlan-view] ssid-profile name wlan-net [VTEP2-wlan-ssid-prof-wlan-net] ssid wlan-net [VTEP2-wlan-ssid-prof-wlan-net] quit
# 创建名为“wlan-net”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。[VTEP2-wlan-view] vap-profile name wlan-net [VTEP2-wlan-vap-prof-wlan-net] forward-mode tunnel [VTEP2-wlan-vap-prof-wlan-net] service-vlan vlan-id 10 [VTEP2-wlan-vap-prof-wlan-net] security-profile wlan-net [VTEP2-wlan-vap-prof-wlan-net] ssid-profile wlan-net [VTEP2-wlan-vap-prof-wlan-net] quit
# 配置AP组引用VAP模板,AP上射频0和射频1都使用VAP模板“wlan-net”的配置。[VTEP2-wlan-view] ap-group name ap-group1 [VTEP2-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0 [VTEP2-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1 [VTEP2-wlan-ap-group-ap-group1] quit
- 在VTEP2和VTEP3上配置的WLAN漫游功能
配置漫游组内AC间建链的IP地址。
# 配置VTEP2
[VTEP2-wlan-view] mobility-server local ip-address 192.168.100.1
# 配置VTEP3
[VTEP3-wlan-view] mobility-server local ip-address 192.168.200.1
创建漫游组,并配置AC_1和AC_2为漫游组成员。
# 配置VTEP2
[VTEP2-wlan-view] mobility-group name mobility [VTEP2-mc-mg-mobility] member ip-address 192.168.100.1 [VTEP2-mc-mg-mobility] member ip-address 192.168.200.1 [VTEP2-mc-mg-mobility] quit
# 配置VTEP3
[VTEP3-wlan-view] mobility-group name mobility [VTEP3-mc-mg-mobility] member ip-address 192.168.100.1 [VTEP3-mc-mg-mobility] member ip-address 192.168.200.1 [VTEP3-mc-mg-mobility] quit
- 验证配置结果# WLAN业务配置会自动下发给AP,配置完成后,分别在VTEP2和VTEP3上执行命令display vap ssid wlan-net查看VAP信息,当“Status”显示为“ON”时,表示AP对应射频上的VAP已创建成功。
[VTEP2-wlan-view] display vap ssid wlan-net WID : WLAN ID -------------------------------------------------------------------------------------- AP ID AP name RfID WID BSSID Status Auth type STA SSID -------------------------------------------------------------------------------------- 0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net 0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net --------------------------------------------------------------------------------------- Total: 2
[VTEP3-wlan-view] display vap ssid wlan-net WID : WLAN ID -------------------------------------------------------------------------------------- AP ID AP name RfID WID BSSID Status Auth type STA SSID -------------------------------------------------------------------------------------- 1 area_2 0 1 DCD2-FC04-B500 ON WPA/WPA2-PSK 0 wlan-net 1 area_2 1 1 DCD2-FC04-B510 ON WPA/WPA2-PSK 0 wlan-net ------------------------------------------------------------------------------------- Total: 2
# 在VTEP2上执行命令display mobility-group name mobility查看漫游组成员VTEP2和VTEP3的状态,当“State”显示为“normal”时,表示VTEP2和VTEP3正常。
# STA在area_1的覆盖范围内搜索到SSID为“wlan-net”的无线网络,输入密码“a1234567”并正常关联后,在VTEP2上执行命令display station ssid wlan-net,查看STA的接入信息,可以看到STA关联到了area_1,STA的MAC地址为“e019-1dc7-1e08”。[VTEP2-wlan-view] display station ssid wlan-net Rf/WLAN: Radio ID/WLAN ID Rx/Tx: link receive rate/link transmit rate(Mbps) ------------------------------------------------------------------------------------ STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address ------------------------------------------------------------------------------------ e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -57 101 192.168.10.161 ------------------------------------------------------------------------------------ Total: 1 2.4G: 0 5G: 1
# 当STA从area_1的覆盖范围移动到AP_2的覆盖范围时,在VTEP3上执行命令display station ssid wlan-net,查看STA的接入信息,可以看到STA关联到了AP_2。[VTEP3-wlan-view] display station ssid wlan-net Rf/WLAN: Radio ID/WLAN ID Rx/Tx: link receive rate/link transmit rate(Mbps) ------------------------------------------------------------------------------------ STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address ------------------------------------------------------------------------------------ e019-1dc7-1e08 1 area_2 1/1 5G 11n 46/59 -58 101 192.168.10.161 ------------------------------------------------------------------------------------ Total: 1 2.4G: 0 5G: 1
# 在VTEP3上执行命令display station roam-track sta-mac e019-1dc7-1e08,可以查看该STA的漫游轨迹。[VTEP3-wlan-view] display station roam-track sta-mac e019-1dc7-1e08 Access SSID:wlan-net Rx/Tx: link receive rate/link transmit rate(Mbps) c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network ------------------------------------------------------------------------------ L2/L3 AC IP AP name Radio ID BSSID TIME In/Out RSSI Out Rx/Tx ------------------------------------------------------------------------------ -- 192.168.100.1 area_1 1 60de-4476-e360 2018/06/09 16:11:51 -57/-57 22/3 L2 192.168.200.1 area_2 1 dcd2-fc04-b500 2018/06/09 16:13:53 -58/- -/- ------------------------------------------------------------------------------ Number: 1
配置文件
VTEP1的配置文件
# sysname VTEP1 # vlan batch 20 # ip vpn-instance vpn1 ipv4-family route-distinguisher 1:100 vpn-target 1:100 export-extcommunity evpn vpn-target 1:100 import-extcommunity evpn vxlan vni 100 # evpn vpn-instance evpn20 bd-mode route-distinguisher 1:20 vpn-target 1:100 20:1 export-extcommunity vpn-target 20:1 import-extcommunity # bridge-domain 20 l2 binding vlan 20 vxlan vni 20 evpn binding vpn-instance evpn20 # interface GigabitEthernet1/0/1 undo portswitch ip address 192.168.1.2 255.255.255.0 # interface GigabitEthernet1/0/2 undo portswitch ip address 192.168.2.1 255.255.255.0 # interface GigabitEthernet1/0/3 port link-type access port default vlan 20 # interface LoopBack1 ip address 10.1.1.1 255.255.255.255 # interface Vbdif20 ip binding vpn-instance vpn1 ip address 192.168.20.1 255.255.255.0 # interface Nve1 source 10.1.1.1 vni 20 head-end peer-list protocol bgp # bgp 100 router-id 10.1.1.1 peer 10.2.2.2 as-number 100 peer 10.2.2.2 connect-interface LoopBack1 peer 10.3.3.3 as-number 100 peer 10.3.3.3 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 10.2.2.2 enable peer 10.3.3.3 enable # l2vpn-family evpn policy vpn-target peer 10.2.2.2 enable peer 10.2.2.2 advertise irb peer 10.3.3.3 enable peer 10.3.3.3 advertise irb # ipv4-family vpn-instance vpn1 import-route direct advertise l2vpn evpn # ospf 1 router-id 10.1.1.1 area 0.0.0.0 network 10.1.1.1 0.0.0.0 network 192.168.1.0 0.0.0.255 network 192.168.2.0 0.0.0.255 # return
VTEP2的配置文件
# sysname VTEP2 # dhcp enable # dhcp option82 vendor-specific format vendor-sub-option 2 ip-address 10.2.2.2 # ip vpn-instance vpn1 ipv4-family route-distinguisher 2:100 vpn-target 1:100 export-extcommunity evpn vpn-target 1:100 import-extcommunity evpn vxlan vni 100 # evpn vpn-instance evpn10 bd-mode route-distinguisher 2:10 vpn-target 1:100 10:1 export-extcommunity vpn-target 10:1 import-extcommunity # bridge-domain 10 l2 binding vlan 10 vxlan vni 10 evpn binding vpn-instance evpn10 dhcp option82 insert enable dhcp option82 encapsulation vendor-specific-id # interface Vlanif100 ip address 192.168.100.1 255.255.255.0 dhcp select interface # interface GigabitEthernet1/0/1 undo portswitch ip address 192.168.1.1 255.255.255.0 # interface GigabitEthernet1/0/2 port link-type access port default vlan 100 # interface LoopBack1 ip address 10.2.2.2 255.255.255.255 # interface Vbdif10 mac-address 0000-5e00-0101 ip binding vpn-instance vpn1 arp collect host enable arp distribute-gateway enable ip address 192.168.10.1 255.255.255.0 dhcp select relay dhcp relay server-ip 192.168.20.10 dhcp relay information enable dhcp relay anycast gateway re-route enable # interface Nve1 source 10.2.2.2 vni 10 head-end peer-list protocol bgp # bgp 100 router-id 10.2.2.2 peer 10.1.1.1 as-number 100 peer 10.1.1.1 connect-interface LoopBack1 peer 10.3.3.3 as-number 100 peer 10.3.3.3 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 10.1.1.1 enable peer 10.3.3.3 enable # l2vpn-family evpn policy vpn-target peer 10.1.1.1 enable peer 10.1.1.1 advertise irb peer 10.3.3.3 enable peer 10.3.3.3 advertise irb # ipv4-family vpn-instance vpn1 import-route direct advertise l2vpn evpn # ospf 1 router-id 10.2.2.2 area 0.0.0.0 network 10.2.2.2 0.0.0.0 network 192.168.1.0 0.0.0.255 network 192.168.100.0 0.0.0.255 # cpu-defend policy vxlan_tunnel_side auto-defend whitelist 1 interface GigabitEthernet1/0/1 # cpu-defend-policy vxlan_tunnel_side global # capwap source interface vlanif100 # wlan security-profile name wlan-net security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net forward-mode tunnel service-vlan vlan-id 10 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default mobility-server local ip-address 192.168.100.1 mobility-group name mobility member ip-address 192.168.100.1 member ip-address 192.168.200.1 ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 # return
VTEP3的配置文件
# sysname VTEP3 # dhcp enable # dhcp option82 vendor-specific format vendor-sub-option 2 ip-address 10.3.3.3 # ip vpn-instance vpn1 ipv4-family route-distinguisher 3:100 vpn-target 1:100 export-extcommunity evpn vpn-target 1:100 import-extcommunity evpn vxlan vni 100 # evpn vpn-instance evpn10 bd-mode route-distinguisher 3:10 vpn-target 1:100 10:1 export-extcommunity vpn-target 10:1 import-extcommunity # bridge-domain 10 l2 binding vlan 10 vxlan vni 10 evpn binding vpn-instance evpn10 dhcp option82 insert enable dhcp option82 encapsulation vendor-specific-id # interface Vlanif200 ip address 192.168.200.1 255.255.255.0 dhcp select interface # interface GigabitEthernet1/0/1 undo portswitch ip address 192.168.2.2 255.255.255.0 # interface GigabitEthernet1/0/2 port link-type trunk port default vlan 200 # interface LoopBack1 ip address 10.3.3.3 255.255.255.255 # interface Vbdif10 mac-address 0000-5e00-0101 ip binding vpn-instance vpn1 arp collect host enable arp distribute-gateway enable ip address 192.168.10.1 255.255.255.0 dhcp select relay dhcp relay server-ip 192.168.20.10 dhcp relay information enable dhcp relay anycast gateway re-route enable # interface Nve1 source 10.3.3.3 vni 10 head-end peer-list protocol bgp # bgp 100 router-id 10.3.3.3 peer 10.1.1.1 as-number 100 peer 10.1.1.1 connect-interface LoopBack1 peer 10.2.2.2 as-number 100 peer 10.2.2.2 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 10.1.1.1 enable peer 10.2.2.2 enable # l2vpn-family evpn policy vpn-target peer 10.1.1.1 enable peer 10.1.1.1 advertise irb peer 10.2.2.2 enable peer 10.2.2.2 advertise irb # ipv4-family vpn-instance vpn1 import-route direct advertise l2vpn evpn # ospf 1 router-id 10.3.3.3 area 0.0.0.0 network 10.3.3.3 0.0.0.0 network 192.168.2.0 0.0.0.255 network 192.168.200.0 0.0.0.255 # cpu-defend policy vxlan_tunnel_side auto-defend whitelist 1 interface GigabitEthernet1/0/1 # cpu-defend-policy vxlan_tunnel_side global # capwap source interface vlanif200 # wlan security-profile name wlan-net security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net forward-mode tunnel service-vlan vlan-id 10 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default dca-channel 5g channel-set 149,153,157,161 mobility-server local ip-address 192.168.200.1 mobility-group name mobility member ip-address 192.168.100.1 member ip-address 192.168.200.1 ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078 ap-name area_2 ap-group ap-group1 # return
