配置WLAN跨VLAN的三层漫游
业务需求
企业用户通过WLAN接入网络,以满足移动办公的基本需求。在覆盖区域内移动发生跨VLAN漫游时,不影响用户的业务使用。
组网需求
- AC组网方式:旁挂三层组网。
- DHCP部署方式:
- AC作为DHCP服务器为AP分配IP地址。
- 汇聚交换机Core作为DHCP服务器为STA分配地址。
- 业务数据转发方式:直连转发
拓扑图:
数据规划:
配置项 | 数据 |
AP管理VLAN | VLAN10、VLAN100 |
STA业务VLAN |
|
DHCP服务器 | AC作为DHCP服务器为AP分配IP地址 汇聚交换机作为STA的DHCP服务器,STA的默认网关为10.23.101.1/24和10.23.102.1/24 |
AP的IP地址池 | 10.23.10.2~10.23.10.254/24 |
STA的IP地址池 |
|
AC的源接口IP地址 | VLANIF100:10.23.100.1/24 |
AP组 | 名称:ap-group1 引用模板:VAP模板wlan-net1、域管理模板default 名称:ap-group2 引用模板:VAP模板wlan-net2、域管理模板default |
域管理模板 |
|
SSID模板 |
|
安全模板 |
|
VAP模板 | 名称:wlan-net1 转发模式:直接转发 业务VLAN:VLAN101 引用模板:SSID模板wlan-net、安全模板wlan-net 名称:wlan-net2 转发模式:直接转发 业务VLAN:VLAN102 引用模板:SSID模板wlan-net、安全模板wlan-net |
配置思路:
- 配置AP、AC和周边设备之间实现网络互通
- 配置AP上线
- 创建AP组,用于将需要进行相同配置的AP都加入到AP组,实现统一配置
- 配置AC的系统参数,包括国家码、AC与AP之间通信的源接口
- 配置AP上线的认证方式并离线导入AP,实现AP正常上线
- 配置WLAN业务参数,实现STA访问WLAN网络功能
操作步骤
- 配置周边设备
# 配置接入交换机SWA的G0/0/1接口加入VLAN10和VLAN101、G0/0/2接口加入VLAN10和VLAN102、G0/0/3接口加入VLAN10、VLAN101和VLAN102,G0/0/1和G0/0/2接口缺省VLAN为VLAN10
<Huawei>system-view
[Huawei]sysname SWA
[SWA]vlan batch 10 101 102
[SWA]interface GigabitEthernet 0/0/1
[SWA-GigabitEthernet0/0/1]port link-type trunk
[SWA-GigabitEthernet0/0/1]port trunk pvid vlan 10
[SWA-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 101
[SWA-GigabitEthernet0/0/1]port-isolate enable
[SWA-GigabitEthernet0/0/1]quit
[SWA]interface GigabitEthernet 0/0/2
[SWA-GigabitEthernet0/0/2]port link-type trunk
[SWA-GigabitEthernet0/0/2]port trunk pvid vlan 10
[SWA-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 102
[SWA-GigabitEthernet0/0/2]port-isolate enable
[SWA-GigabitEthernet0/0/2]quit
[SWA]interface GigabitEthernet 0/0/3
[SWA-GigabitEthernet0/0/3]port link-type trunk
[SWA-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 101 102
[SWA-GigabitEthernet0/0/3]quit
# 配置汇聚交换机Core的接口GE0/0/1加入VLAN10、VLAN101和VLAN102,接口GE0/0/2加入VLAN100,接口GE0/0/3设置为access,并加入VLAN200,创建接口VLANIF100,地址为10.23.100.2/24,创建接口VLANIF200,地址为10.23.200.2/24。
<Huawei>system-view
[Huawei]sysname Core
[Core]vlan batch 10 100 101 102 200
[Core]interface GigabitEthernet 0/0/1
[Core-GigabitEthernet0/0/1]port link-type trunk
[Core-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 101 102
[Core-GigabitEthernet0/0/1]quit
[Core]interface GigabitEthernet 0/0/2
[Core-GigabitEthernet0/0/2]port link-type trunk
[Core-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[Core-GigabitEthernet0/0/2]quit
[Core]interface GigabitEthernet 0/0/3
[Core-GigabitEthernet0/0/3]port link-type access
[Core-GigabitEthernet0/0/3]port default vlan 200
[Core-GigabitEthernet0/0/3]quit
[Core]interface Vlanif 100
[Core-Vlanif100]ip address 10.23.100.2 24
[Core-Vlanif100]quit
[Core]interface Vlanif 200
[Core-Vlanif200]ip address 10.23.200.2 24
[Core-Vlanif200]quit
# 配置Router的接口GE0/0/0的IP地址为10.23.200.1/24,并配置10.23.101.0和10.23.102.0两个网段的路由,下一跳地址为交换机Core的VLANIF200
<Huawei>system-view
[Huawei]sysname Router
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]ip address 10.23.200.1 24
[Router-GigabitEthernet0/0/0]quit.
[Router]ip route-static 10.23.101.0 24 10.23.200.2
[Router]ip route-static 10.23.102.0 24 10.23.200.2
- 配置AC与其他网络设备互通
# 配置AC的接口GE0/0/1加入VLAN100,并创建接口VLANIF100。
<AC6005>system-view
[AC6005]sysname AC1
[AC1]vlan batch 100 101 102
[AC1]int Vlanif 100
[AC1-Vlanif100]ip address 10.23.100.1 24
[AC1-Vlanif100]quit
[AC1]interface GigabitEthernet 0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1]quit
# 配置AC到AP的路由,下一跳为SwitchB的VLANIF100。
[AC1]ip route-static 10.23.10.0 24 10.23.100.2
- 配置DHCP服务为AP和STA分配IP地址
# 在Core上配置DHCP中继,代理AC分配IP地址。
[Core]dhcp enable
[Core]interface Vlanif 10
[Core-Vlanif10]ip address 10.23.10.1 24
[Core-Vlanif10]dhcp select relay
[Core-Vlanif10]dhcp relay server-ip 10.23.100.1
[Core-Vlanif10]quit
# 在SwitchB上创建VLANIF101和VLANIF102接口为STA提供地址,并指定默认网关。
[Core]interface Vlanif 101
[Core-Vlanif101]ip address 10.23.101.1 24
[Core-Vlanif101]dhcp select interface
[Core-Vlanif101]quit
[Core]interface Vlanif 102
[Core-Vlanif102]ip address 10.23.102.1 24
[Core-Vlanif102]dhcp select interface
[Core-Vlanif102]quit
# 在AC上创建全局地址池为AP提供地址。
[AC1]dhcp enable
[AC1]ip pool ap-address
[AC1-ip-pool-ap-address]network 10.23.10.0 mask 24
[AC1-ip-pool-ap-address]gateway-list 10.23.10.1
[AC1-ip-pool-ap-address]option 43 sub-option 3 ascii 10.23.100.1
[AC1-ip-pool-ap-address]quit
[AC1]interface Vlanif 100
[AC1-Vlanif100]dhcp select global
[AC1-Vlanif100]quit
- 配置AP上线
# 创建AP组,用于将相同配置的AP都加入同一AP组中。
[AC1]wlan
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]quit
[AC1-wlan-view]ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2]quit
# 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
[AC1-wlan-view]regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default]country-code cn
[AC1-wlan-regulate-domain-default]quit
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1]quit
[AC1-wlan-view]ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2]regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group2]quit
[AC1-wlan-view]quit
# 配置AC的源接口。
[AC1]capwap source interface Vlanif 100
# 在AC上离线导入AP,并将area_1和area_2分别加入AP组"ap-group1"和"ap-group2"中。假设AP的MAC地址为00E0-FCF1-6080,并且根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为00E0-FCF1-6080的AP部署在1号区域,命名此AP为area_1。
[AC1]wlan
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 0 ap-mac 00E0-FCF1-6080
[AC1-wlan-ap-0]ap-name area_1
[AC1-wlan-ap-0]ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-0]quit
[AC1-wlan-view]ap-id 1 ap-mac 00E0-FCD2-4210
[AC1-wlan-ap-1]ap-name area_2
[AC1-wlan-ap-1]ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-1]quit
# 将AP上电后,当执行命令display ap all查看到AP的"State"字段为"nor"时,表示AP正常上线。
- 配置WLAN业务参数
# 创建名为"wlan-net"的安全模板,并配置安全策略。
[AC1-wlan-view]security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net]security wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net]quit
# 创建名为"wlan-net"的SSID模板,并配置SSID名称为"wlan-net"。
[AC1-wlan-view]ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net]ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net]quit
# 创建名为"wlan-net1"和"wlan-net2"的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。
[AC1-wlan-view]vap-profile name wlan-net1
[AC1-wlan-vap-prof-wlan-net1]security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net1]ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net1]service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net1]forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net1]quit
[AC1-wlan-view]vap-profile name wlan-net2
[AC1-wlan-vap-prof-wlan-net2]security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net2]ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net2]service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-net2]forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net2]quit
# 配置AP组引用VAP模板,area_1上射频0和射频1都使用VAP模板"wlan-net1"的配置,area_2上射频0和射频1都使用VAP模板"wlan-net2"的配置。
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]vap-profile wlan-net1 wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1]vap-profile wlan-net1 wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1]quit
[AC1-wlan-view]ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2]vap-profile wlan-net2 wlan 1 radio 0
[AC1-wlan-ap-group-ap-group2]vap-profile wlan-net2 wlan 1 radio 1
验证配置
STA1在AP1下连接无线网络后获取到IP地址10.23.101.254,将SAT1移动到AP2下,查看IP地址,依然是10.23.101.254,没有变化,说明漫游是成功的
