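Example for Configuring Inter-AC Layer 2 Roaming on a Network with VXLAN Distributed Gateways
Networking Requirements
An enterprise has ACs deployed in different areas. VXLAN distributed gateway and DHCP relay functions are configured on the ACs. Wireless users access the network through APs connected to the ACs, and a DHCP server assigns their IP addresses. The requirement is to implement Layer 2 roaming of users between the ACs.
As shown in Figure 1-72, the STA roams at Layer 2 between Area_1 and Area_2.
In this example, the VXLAN tunnel-side interfaces are on X series cards.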
Data Preparation
Device | EVPN Instance | RD | BD | VNI | Router ID | Peer IP |
---|---|---|---|---|---|---|
VTEP1 | evpn20: | 1:20 | 20 | 20 | 10.1.1.1 | 10.2.2.2;10.3.3.3 |
VTEP2 | evpn10: | 2:10 | 10 | 10 | 10.2.2.2 | 10.1.1.1;10.3.3.3 |
VTEP3 | evpn10: | 3:10 | 10 | 10 | 10.3.3.3 | 10.1.1.1;10.2.2.2 |

Device | Interface | VPN Instance | VNI | RD |
---|---|---|---|---|
VTEP1 | VBDIF 20 | vpn1: | 100 | 1:100 |
VTEP2 | VBDIF 10 | vpn1: | 100 | 2:100 |
VTEP3 | VBDIF 10 | vpn1: | 100 | 3:100 |
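
Item | VTEP2 | VTEP3 |
---|---|---|
IP address allocation for APs | VTEP2 is configured as a DHCP server based on interface VLANIF100 and assigns IP addresses to the connected APs. | VTEP3 is configured as a DHCP server based on interface VLANIF200 and assigns IP addresses to the connected APs. |
AP IP address pool | 192.168.100.2~192.168.100.254/24 | 192.168.200.2~192.168.200.254/24 |
STA IP address pool | 192.168.10.2~192.168.10.254/24 | 192.168.10.2~192.168.10.254/24 |
AC source interface IP address | Source interface: VLANIF100: 192.168.100.1/24 | Source interface: VLANIF200: 192.168.200.1/24 |
AP group |  |  |
Regulatory domain profile |  |  |
SSID profile |  |  |
Security profile |  |  |
VAP profile |  |  |
Roaming parameters |  |  |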
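Configuration Roadmap
The roadmap for configuring inter-AC Layer 2 roaming on a network with VXLAN distributed gateways is as follows:
1. Configure the VXLAN network.
   - Configure a routing protocol on VTEP1, VTEP2, and VTEP3 to ensure Layer 3 connectivity.
   - Configure the VXLAN service access mode on VTEP1, VTEP2, and VTEP3.
   - Configure EVPN instances on VTEP1, VTEP2, and VTEP3 and bind them to BDs.
   - Configure VPN instances on VTEP1, VTEP2, and VTEP3 and bind them to VBDIF interfaces.
   - Configure BGP EVPN peer relationships among VTEP1, VTEP2, and VTEP3.
   - Configure the VXLAN tunnel destination addresses on VTEP1, VTEP2, and VTEP3.
   - Configure VXLAN gateways on VTEP1, VTEP2, and VTEP3.
2. Configure the DHCP relay function on the distributed gateways.
3. On VTEP2 and VTEP3, add the VXLAN tunnel-side interfaces to the port attack defense whitelist.
4. Configure the DHCP server to assign IP addresses to STAs.
5. On VTEP2 and VTEP3, configure access for the AP management VLAN and configure the DHCP server function to assign management IP addresses to the APs.
6. On VTEP2 and VTEP3, configure a routing protocol so that the gateways of the AP management IP addresses can communicate with each other.
7. On VTEP2 and VTEP3, configure the APs to go online.
8. On VTEP2 and VTEP3, configure WLAN service parameters so that STAs can access the WLAN.
9. On VTEP2 and VTEP3, configure the WLAN roaming function to implement inter-AC Layer 2 roaming.

Layer 3 connectivity on the campus network is the prerequisite for building a virtual network. If Layer 3 connectivity has already been established on the live campus network, step 1 in this example can be skipped.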
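Configuration Precautions
- ACs in the same roaming group must run the same software C version. Otherwise, inter-AC roaming may fail.
- On each AC in the roaming group, configure the IP address used for inter-AC link setup, configure the roaming group, and add the member ACs.
- The IP address configured for inter-AC link setup in the roaming group must be the AC's CAPWAP source IP address. When multiple CAPWAP source addresses are configured, only one of them can be specified as the inter-AC link setup address.
- The roaming group name must be the same on every AC.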
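
The precautions above that are visible in the configuration (link setup address equals the CAPWAP source IP address, every member AC listed on each AC, identical roaming group name) can be checked offline before roaming is tested. The following is an added example, not part of the original guide: the configuration excerpts are constructed from this page's values, and `parse_ac` and `audit_roaming_group` are hypothetical helper names.

```python
import re

# Constructed excerpts of the two AC configurations (roaming-related lines only).
AC_CONFIGS = {
    "VTEP2": """interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
capwap source interface vlanif100
wlan
 mobility-server local ip-address 192.168.100.1
 mobility-group name mobility
  member ip-address 192.168.100.1
  member ip-address 192.168.200.1""",
    "VTEP3": """interface Vlanif200
 ip address 192.168.200.1 255.255.255.0
capwap source interface vlanif200
wlan
 mobility-server local ip-address 192.168.200.1
 mobility-group name mobility
  member ip-address 192.168.100.1
  member ip-address 192.168.200.1""",
}
# Constructed faulty variant: VTEP3 links from its loopback and uses another group name.
BROKEN = dict(AC_CONFIGS, VTEP3=AC_CONFIGS["VTEP3"]
              .replace("local ip-address 192.168.200.1", "local ip-address 10.3.3.3")
              .replace("name mobility", "name roam-b"))

def parse_ac(cfg):
    """Pull interface IPs, CAPWAP source and roaming settings out of one config."""
    def one(pattern):
        m = re.search(pattern, cfg, re.M)
        return m[1] if m else None
    src = one(r"^capwap source interface (\S+)")
    return {
        "iface_ip": {n.lower(): ip for n, ip in re.findall(
            r"^interface (\S+)\n(?: .*\n)*? ip address (\S+)", cfg, re.M)},
        "capwap_src": src.lower() if src else None,
        "local_ip": one(r"^ *mobility-server local ip-address (\S+)"),
        "group": one(r"^ *mobility-group name (\S+)"),
        "members": set(re.findall(r"^ *member ip-address (\S+)", cfg, re.M)),
    }

def audit_roaming_group(configs):
    """Return findings; an empty list means the checked precautions hold."""
    facts = {name: parse_ac(cfg) for name, cfg in configs.items()}
    findings = []
    groups = sorted({str(f["group"]) for f in facts.values()})
    if len(groups) != 1:
        findings.append(f"mobility-group names differ: {groups}")
    link_ips = {f["local_ip"] for f in facts.values()}
    for name, f in facts.items():
        capwap_ip = f["iface_ip"].get(f["capwap_src"])
        if f["local_ip"] is None or f["local_ip"] != capwap_ip:
            findings.append(f"{name}: link IP {f['local_ip']} is not the CAPWAP source IP {capwap_ip}")
        missing = sorted(str(ip) for ip in link_ips - f["members"])
        if missing:
            findings.append(f"{name}: group lacks member(s) {missing}")
    return findings

print(audit_roaming_group(AC_CONFIGS), audit_roaming_group(BROKEN), sep="\n")
```

The software C version requirement is not visible in the configuration file and has to be checked separately on each AC.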
Procedure
- Configure the VXLAN network.
- Configure the DHCP relay function and the DHCP relay re-routing function for distributed gateways on VTEP2 and VTEP3.
# Configure VTEP2.
```
[VTEP2] dhcp enable
[VTEP2] dhcp option82 vendor-specific format vendor-sub-option 2 ip-address 10.2.2.2
[VTEP2] bridge-domain 10
[VTEP2-bd10] dhcp option82 insert enable
[VTEP2-bd10] dhcp option82 encapsulation vendor-specific-id
[VTEP2-bd10] quit
[VTEP2] interface vbdif 10
[VTEP2-Vbdif10] dhcp select relay
[VTEP2-Vbdif10] dhcp relay server-ip 192.168.20.10
[VTEP2-Vbdif10] dhcp relay information enable
[VTEP2-Vbdif10] dhcp relay anycast gateway re-route enable
[VTEP2-Vbdif10] quit
```
# Configure VTEP3.
```
[VTEP3] dhcp enable
[VTEP3] dhcp option82 vendor-specific format vendor-sub-option 2 ip-address 10.3.3.3
[VTEP3] bridge-domain 10
[VTEP3-bd10] dhcp option82 insert enable
[VTEP3-bd10] dhcp option82 encapsulation vendor-specific-id
[VTEP3-bd10] quit
[VTEP3] interface vbdif 10
[VTEP3-Vbdif10] dhcp select relay
[VTEP3-Vbdif10] dhcp relay server-ip 192.168.20.10
[VTEP3-Vbdif10] dhcp relay information enable
[VTEP3-Vbdif10] dhcp relay anycast gateway re-route enable
[VTEP3-Vbdif10] quit
```
- On VTEP2 and VTEP3, add the VXLAN tunnel-side interfaces to the port attack defense whitelist.
# On VTEP2, add the VXLAN tunnel-side interface GigabitEthernet1/0/1 to the port attack defense whitelist.
```
[VTEP2] cpu-defend policy vxlan_tunnel_side
[VTEP2-cpu-defend-policy-vxlan_tunnel_side] auto-port-defend whitelist 1 interface GigabitEthernet1/0/1
[VTEP2-cpu-defend-policy-vxlan_tunnel_side] quit
[VTEP2] cpu-defend-policy vxlan_tunnel_side global
```
# On VTEP3, add the VXLAN tunnel-side interface GigabitEthernet1/0/1 to the port attack defense whitelist.
```
[VTEP3] cpu-defend policy vxlan_tunnel_side
[VTEP3-cpu-defend-policy-vxlan_tunnel_side] auto-port-defend whitelist 1 interface GigabitEthernet1/0/1
[VTEP3-cpu-defend-policy-vxlan_tunnel_side] quit
[VTEP3] cpu-defend-policy vxlan_tunnel_side global
```
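- Verify the DHCP relay configuration.
# After the preceding configuration succeeds, run the display dhcp relay command on VTEP2 and VTEP3 to check the DHCP relay configuration on the interface. The output on VTEP2 is used as an example.
```
[VTEP2] display dhcp relay interface vbdif 10
 DHCP relay agent running information of interface Vbdif10 :
 Server IP address [00] : 192.168.20.10
 Gateway address in use : 192.168.10.1
```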
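- Configure the DHCP server. The detailed configuration procedure is omitted here. The DHCP server must meet the following conditions:
  - An address pool is configured on the DHCP server so that the server assigns correct IP addresses to clients.
  - Configuring a lease for the address pool is recommended to improve IP address utilization.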
- On VTEP2 and VTEP3, configure access for the AP management VLAN and configure the DHCP server function to assign management IP addresses to the APs.
# Configure VTEP2.
```
[VTEP2] vlan 100
[VTEP2-vlan100] quit
[VTEP2] interface gigabitethernet 1/0/2
[VTEP2-GigabitEthernet1/0/2] port link-type access
[VTEP2-GigabitEthernet1/0/2] port default vlan 100
[VTEP2-GigabitEthernet1/0/2] quit
[VTEP2] interface vlanif 100
[VTEP2-Vlanif100] ip address 192.168.100.1 24
[VTEP2-Vlanif100] dhcp select interface
[VTEP2-Vlanif100] quit
```
# Configure VTEP3.
```
[VTEP3] vlan 200
[VTEP3-vlan200] quit
[VTEP3] interface gigabitethernet 1/0/2
[VTEP3-GigabitEthernet1/0/2] port link-type access
[VTEP3-GigabitEthernet1/0/2] port default vlan 200
[VTEP3-GigabitEthernet1/0/2] quit
[VTEP3] interface vlanif 200
[VTEP3-Vlanif200] ip address 192.168.200.1 24
[VTEP3-Vlanif200] dhcp select interface
[VTEP3-Vlanif200] quit
```
- On VTEP2 and VTEP3, configure the CAPWAP tunnel source IP address that each device uses as an AC.
# Configure VTEP2.
```
[VTEP2] capwap source interface vlanif 100
```
# Configure VTEP3.
```
[VTEP3] capwap source interface vlanif 200
```
- On VTEP2 and VTEP3, configure a routing protocol so that the CAPWAP tunnel source IP addresses can communicate with each other.
# Configure VTEP2.
```
[VTEP2] ospf
[VTEP2-ospf-1] area 0
[VTEP2-ospf-1-area-0.0.0.0] network 192.168.100.0 0.0.0.255
[VTEP2-ospf-1-area-0.0.0.0] quit
[VTEP2-ospf-1] quit
```
# Configure VTEP3.
```
[VTEP3] ospf
[VTEP3-ospf-1] area 0
[VTEP3-ospf-1-area-0.0.0.0] network 192.168.200.0 0.0.0.255
[VTEP3-ospf-1-area-0.0.0.0] quit
[VTEP3-ospf-1] quit
```
- Configure the APs to go online on VTEP2 and VTEP3. VTEP2 is used as an example; the configuration on VTEP3 is similar.
# Create an AP group so that APs with the same configuration can be added to the same group.
```
[VTEP2] wlan
[VTEP2-wlan-view] ap-group name ap-group1
[VTEP2-wlan-ap-group-ap-group1] quit
```
# Create a regulatory domain profile, configure the AC country code in the profile, and bind the profile to the AP group.
```
[VTEP2-wlan-view] regulatory-domain-profile name default
[VTEP2-wlan-regulate-domain-default] country-code cn
[VTEP2-wlan-regulate-domain-default] quit
[VTEP2-wlan-view] ap-group name ap-group1
[VTEP2-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[VTEP2-wlan-ap-group-ap-group1] quit
[VTEP2-wlan-view] quit
```
# Import the AP offline on the AC and add it to the AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Name the AP after its deployment location so that the location can be identified from the name. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1. The default AP authentication mode of the ap auth-mode command is MAC address authentication. If the default setting has not been changed, you do not need to run the ap auth-mode mac-auth command.
The AP used in this example is the AP5030DN, which has two radios: radio 0 and radio 1. Radio 0 of the AP5030DN is the 2.4 GHz radio, and radio 1 is the 5 GHz radio.
```
[VTEP2] wlan
[VTEP2-wlan-view] ap auth-mode mac-auth
[VTEP2-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[VTEP2-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[VTEP2-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[VTEP2-wlan-ap-0] quit
```
# After the AP is powered on, run the display ap all command. If the State field of the AP is nor, the AP has gone online properly.
```
[VTEP2-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
```
- Configure WLAN service parameters on VTEP2 and VTEP3. VTEP2 is used as an example; the configuration on VTEP3 is similar.
# Create the security profile wlan-net and configure a security policy.
This example uses the WPA-WPA2+PSK+AES security policy with the password "a1234567". In actual deployments, configure a security policy that meets your actual requirements.
```
[VTEP2-wlan-view] security-profile name wlan-net
[VTEP2-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[VTEP2-wlan-sec-prof-wlan-net] quit
```
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
```
[VTEP2-wlan-view] ssid-profile name wlan-net
[VTEP2-wlan-ssid-prof-wlan-net] ssid wlan-net
[VTEP2-wlan-ssid-prof-wlan-net] quit
```
# Create the VAP profile wlan-net, configure the service data forwarding mode and service VLAN, and bind the security profile and SSID profile to it.
```
[VTEP2-wlan-view] vap-profile name wlan-net
[VTEP2-wlan-vap-prof-wlan-net] forward-mode tunnel
[VTEP2-wlan-vap-prof-wlan-net] service-vlan vlan-id 10
[VTEP2-wlan-vap-prof-wlan-net] security-profile wlan-net
[VTEP2-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[VTEP2-wlan-vap-prof-wlan-net] quit
```
# Bind the VAP profile to the AP group. Both radio 0 and radio 1 of the AP use the configuration of the VAP profile wlan-net.
```
[VTEP2-wlan-view] ap-group name ap-group1
[VTEP2-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[VTEP2-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[VTEP2-wlan-ap-group-ap-group1] quit
```
- Configure the WLAN roaming function on VTEP2 and VTEP3.
Configure the IP address used for inter-AC link setup in the roaming group.
# Configure VTEP2.
```
[VTEP2-wlan-view] mobility-server local ip-address 192.168.100.1
```
# Configure VTEP3.
```
[VTEP3-wlan-view] mobility-server local ip-address 192.168.200.1
```
Create a roaming group and add AC_1 and AC_2 as its members.
# Configure VTEP2.
```
[VTEP2-wlan-view] mobility-group name mobility
[VTEP2-mc-mg-mobility] member ip-address 192.168.100.1
[VTEP2-mc-mg-mobility] member ip-address 192.168.200.1
[VTEP2-mc-mg-mobility] quit
```
# Configure VTEP3.
```
[VTEP3-wlan-view] mobility-group name mobility
[VTEP3-mc-mg-mobility] member ip-address 192.168.100.1
[VTEP3-mc-mg-mobility] member ip-address 192.168.200.1
[VTEP3-mc-mg-mobility] quit
```
- Verify the configuration.
# The WLAN service configuration is automatically delivered to the APs. After the configuration is complete, run the display vap ssid wlan-net command on VTEP2 and VTEP3 to check VAP information. If Status is ON, the VAPs have been created on the AP radios.
```
[VTEP2-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 0   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------------
Total: 2
```
```
[VTEP3-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------------
1     area_2  0    1   DCD2-FC04-B500 ON     WPA/WPA2-PSK 0   wlan-net
1     area_2  1    1   DCD2-FC04-B510 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------------
Total: 2
```
# Run the display mobility-group name mobility command on VTEP2 to check the status of roaming group members VTEP2 and VTEP3. If State is normal, VTEP2 and VTEP3 are working properly.
# The STA discovers the wireless network with SSID wlan-net within the coverage of area_1. After the STA enters the password "a1234567" and associates successfully, run the display station ssid wlan-net command on VTEP2 to check STA access information. The output shows that the STA is associated with area_1 and that the STA's MAC address is e019-1dc7-1e08.
```
[VTEP2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -57  101  192.168.10.161
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
```
# When the STA moves from the coverage of area_1 to the coverage of area_2, run the display station ssid wlan-net command on VTEP3 to check STA access information. The output shows that the STA is associated with area_2.
```
[VTEP3-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08 1     area_2  1/1     5G   11n  46/59 -58  101  192.168.10.161
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
```
# Run the display station roam-track sta-mac e019-1dc7-1e08 command on VTEP3 to check the roaming track of the STA.
```
[VTEP3-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP         AP name Radio ID BSSID          TIME                In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
--    192.168.100.1 area_1  1        60de-4476-e360 2018/06/09 16:11:51 -57/-57     22/3
L2    192.168.200.1 area_2  1        dcd2-fc04-b500 2018/06/09 16:13:53 -58/-       -/-
------------------------------------------------------------------------------
Number: 1
```
Configuration Files
VTEP1 configuration file
```
#
sysname VTEP1
#
vlan batch 20
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 1:100
  vpn-target 1:100 export-extcommunity evpn
  vpn-target 1:100 import-extcommunity evpn
 vxlan vni 100
#
evpn vpn-instance evpn20 bd-mode
 route-distinguisher 1:20
 vpn-target 1:100 20:1 export-extcommunity
 vpn-target 20:1 import-extcommunity
#
bridge-domain 20
 l2 binding vlan 20
 vxlan vni 20
 evpn binding vpn-instance evpn20
#
interface GigabitEthernet1/0/1
 undo portswitch
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo portswitch
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 20
#
interface LoopBack1
 ip address 10.1.1.1 255.255.255.255
#
interface Vbdif20
 ip binding vpn-instance vpn1
 ip address 192.168.20.1 255.255.255.0
#
interface Nve1
 source 10.1.1.1
 vni 20 head-end peer-list protocol bgp
#
bgp 100
 router-id 10.1.1.1
 peer 10.2.2.2 as-number 100
 peer 10.2.2.2 connect-interface LoopBack1
 peer 10.3.3.3 as-number 100
 peer 10.3.3.3 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 10.2.2.2 enable
  peer 10.3.3.3 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 10.2.2.2 enable
  peer 10.2.2.2 advertise irb
  peer 10.3.3.3 enable
  peer 10.3.3.3 advertise irb
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  advertise l2vpn evpn
#
ospf 1 router-id 10.1.1.1
 area 0.0.0.0
  network 10.1.1.1 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return
```
VTEP2 configuration file
```
#
sysname VTEP2
#
dhcp enable
#
dhcp option82 vendor-specific format vendor-sub-option 2 ip-address 10.2.2.2
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 2:100
  vpn-target 1:100 export-extcommunity evpn
  vpn-target 1:100 import-extcommunity evpn
 vxlan vni 100
#
evpn vpn-instance evpn10 bd-mode
 route-distinguisher 2:10
 vpn-target 1:100 10:1 export-extcommunity
 vpn-target 10:1 import-extcommunity
#
bridge-domain 10
 l2 binding vlan 10
 vxlan vni 10
 evpn binding vpn-instance evpn10
 dhcp option82 insert enable
 dhcp option82 encapsulation vendor-specific-id
#
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet1/0/1
 undo portswitch
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 100
#
interface LoopBack1
 ip address 10.2.2.2 255.255.255.255
#
interface Vbdif10
 mac-address 0000-5e00-0101
 ip binding vpn-instance vpn1
 arp collect host enable
 arp distribute-gateway enable
 ip address 192.168.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.20.10
 dhcp relay information enable
 dhcp relay anycast gateway re-route enable
#
interface Nve1
 source 10.2.2.2
 vni 10 head-end peer-list protocol bgp
#
bgp 100
 router-id 10.2.2.2
 peer 10.1.1.1 as-number 100
 peer 10.1.1.1 connect-interface LoopBack1
 peer 10.3.3.3 as-number 100
 peer 10.3.3.3 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.1.1 enable
  peer 10.3.3.3 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 10.1.1.1 enable
  peer 10.1.1.1 advertise irb
  peer 10.3.3.3 enable
  peer 10.3.3.3 advertise irb
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  advertise l2vpn evpn
#
ospf 1 router-id 10.2.2.2
 area 0.0.0.0
  network 10.2.2.2 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.100.0 0.0.0.255
#
cpu-defend policy vxlan_tunnel_side
 auto-port-defend whitelist 1 interface GigabitEthernet1/0/1
#
cpu-defend-policy vxlan_tunnel_side global
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 10
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 mobility-server local ip-address 192.168.100.1
 mobility-group name mobility
  member ip-address 192.168.100.1
  member ip-address 192.168.200.1
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
```
VTEP3 configuration file
```
#
sysname VTEP3
#
dhcp enable
#
dhcp option82 vendor-specific format vendor-sub-option 2 ip-address 10.3.3.3
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 3:100
  vpn-target 1:100 export-extcommunity evpn
  vpn-target 1:100 import-extcommunity evpn
 vxlan vni 100
#
evpn vpn-instance evpn10 bd-mode
 route-distinguisher 3:10
 vpn-target 1:100 10:1 export-extcommunity
 vpn-target 10:1 import-extcommunity
#
bridge-domain 10
 l2 binding vlan 10
 vxlan vni 10
 evpn binding vpn-instance evpn10
 dhcp option82 insert enable
 dhcp option82 encapsulation vendor-specific-id
#
interface Vlanif200
 ip address 192.168.200.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet1/0/1
 undo portswitch
 ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 200
#
interface LoopBack1
 ip address 10.3.3.3 255.255.255.255
#
interface Vbdif10
 mac-address 0000-5e00-0101
 ip binding vpn-instance vpn1
 arp collect host enable
 arp distribute-gateway enable
 ip address 192.168.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.20.10
 dhcp relay information enable
 dhcp relay anycast gateway re-route enable
#
interface Nve1
 source 10.3.3.3
 vni 10 head-end peer-list protocol bgp
#
bgp 100
 router-id 10.3.3.3
 peer 10.1.1.1 as-number 100
 peer 10.1.1.1 connect-interface LoopBack1
 peer 10.2.2.2 as-number 100
 peer 10.2.2.2 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.1.1 enable
  peer 10.2.2.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 10.1.1.1 enable
  peer 10.1.1.1 advertise irb
  peer 10.2.2.2 enable
  peer 10.2.2.2 advertise irb
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  advertise l2vpn evpn
#
ospf 1 router-id 10.3.3.3
 area 0.0.0.0
  network 10.3.3.3 0.0.0.0
  network 192.168.2.0 0.0.0.255
  network 192.168.200.0 0.0.0.255
#
cpu-defend policy vxlan_tunnel_side
 auto-port-defend whitelist 1 interface GigabitEthernet1/0/1
#
cpu-defend-policy vxlan_tunnel_side global
#
capwap source interface vlanif200
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 10
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 mobility-server local ip-address 192.168.200.1
 mobility-group name mobility
  member ip-address 192.168.100.1
  member ip-address 192.168.200.1
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
  ap-name area_2
  ap-group ap-group1
#
return
```