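Configuring Dual-Link Cold Backup in a WLAN

Lab Background

The number of wireless terminals on the enterprise intranet keeps growing. To keep the wireless service stable, you, as the network engineer, decide to purchase an additional AC and deploy dual-link cold backup, so that the new AC and the existing AC back each other up as primary and backup and the wireless service becomes more reliable.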

   

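Network Overview

  • The devices are connected as shown in the figure. AC1 is the primary AC and AC2 is the backup AC. Each AP establishes a CAPWAP tunnel with both the primary and the backup AC, and the AP and the ACs periodically exchange CAPWAP packets to check link state. When an AP detects that its link to the primary AC has failed, it notifies the backup AC to start a primary/backup switchover. The backup AC then becomes the primary AC and controls wireless access for the STAs, which improves WLAN reliability.
  • Switch S4 transparently forwards AP2's packets at Layer 2. S3 is the gateway for the AP management addresses and the terminal service addresses.
  • S3 runs the DHCP service, assigning management addresses to AP1 and AP2 and service addresses to the wireless terminals. The APs obtain the AC addresses (AC1, AC2) from Option 43 in the DHCP messages. All APs use direct forwarding mode.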

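Data plan:

| Item | Parameters |
|---|---|
| AP management VLAN | VLAN10 |
| STA service VLAN | VLAN11 |
| DHCP server | S3 acts as the DHCP server and assigns IP addresses to the APs; S3 acts as the DHCP server and assigns IP addresses to the STAs |
| AP IP address pool | 10.0.10.0/24 |
| STA IP address pool | 10.0.11.0/24 |
| AC source interface IP address | 10.0.100.1 (AC1); 10.0.100.2 (AC2) |
| AP group | Name: depart; referenced profile: VAP profile depart |
| Regulatory domain profile | Name: default; country code: China (CN) |
| SSID profile | Name: depart; SSID name: LB |
| Security profile | Name: depart; security policy: WPA2+PSK+AES; password: a1234567 |
| VAP profile | Name: depart; forwarding mode: direct forwarding; service VLAN: VLAN11; referenced profiles: SSID profile depart, security profile depart |
| Dual-link cold backup | AC1 priority: 0; AC2 priority: 1 |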

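Configuration roadmap:

  1. Configure the wired side
    1. S3 is the gateway for AP management traffic and wireless terminal service traffic
    2. AC1 and AC2 use VLANIF100 for Layer 3 communication with VLAN100 on S3, and use the VLANIF100 interface as the CAPWAP source interface
  2. Configure the WLAN service on AC1 and AC2
  3. Configure dual-link cold backup: set the priority of AC1 to 0 and the priority of AC2 to 1, so that AC1 becomes the primary AC and AC2 the backup AC
  4. Verify dual-link cold backup: shut down the interface on AC1 and check the AP and station status on AC2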

   

Procedure

Step 1: Wired-side network configuration

Configure the wired-side network on the switches and the ACs according to the plan

[S3]vlan batch 10 11 100        

[S3]interface GigabitEthernet 0/0/1

[S3-GigabitEthernet0/0/1]port link-type trunk         

[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

[S3-GigabitEthernet0/0/1]quit        

[S3]interface GigabitEthernet 0/0/2        

[S3-GigabitEthernet0/0/2]port link-type trunk         

[S3-GigabitEthernet0/0/2]port trunk allow-pass vlan 100

[S3-GigabitEthernet0/0/2]quit

[S3]interface GigabitEthernet 0/0/3        

[S3-GigabitEthernet0/0/3]port link-type trunk         

[S3-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 11

[S3-GigabitEthernet0/0/3]quit        

[S3]interface GigabitEthernet 0/0/4

[S3-GigabitEthernet0/0/4]port link-type trunk         

[S3-GigabitEthernet0/0/4]port trunk pvid vlan 10        

[S3-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 11

[S3-GigabitEthernet0/0/4]quit

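On S3, set the PVID of the interface connected to AP1 to VLAN10, allow the service VLAN and the management VLAN on the interface connected to S4, and allow VLAN100 on the interfaces connected to the ACs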

[S4]vlan batch 10 11

[S4]interface GigabitEthernet 0/0/3

[S4-GigabitEthernet0/0/3]port link-type trunk

[S4-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 11

[S4-GigabitEthernet0/0/3]quit        

[S4]interface GigabitEthernet 0/0/4        

[S4-GigabitEthernet0/0/4]port link-type trunk         

[S4-GigabitEthernet0/0/4]port trunk pvid vlan 10

[S4-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 11

[S4-GigabitEthernet0/0/4]quit

On S4, set the PVID of the interface connected to the AP to VLAN10; the uplink interface transparently carries management VLAN10 and service VLAN11

[AC1]vlan batch 100

[AC1]interface GigabitEthernet 0/0/1        

[AC1-GigabitEthernet0/0/1]port link-type trunk

[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

[AC1-GigabitEthernet0/0/1]quit

The interface allows VLAN100

[AC2]vlan batch 100        

[AC2]interface GigabitEthernet 0/0/1        

[AC2-GigabitEthernet0/0/1]port link-type trunk

[AC2-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

[AC2-GigabitEthernet0/0/1]quit

The interface allows VLAN100

# Create the VLANIF interfaces on S3, AC1 and AC2

[S3]interface Vlanif 10

[S3-Vlanif10]ip address 10.0.10.1 24

[S3-Vlanif10]quit        

[S3]interface Vlanif 11

[S3-Vlanif11]ip address 10.0.11.1 24

[S3-Vlanif11]quit        

[S3]interface Vlanif 100

[S3-Vlanif100]ip address 10.0.100.3 24

[S3-Vlanif100]quit

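On S3, VLANIF10 is the management VLAN gateway for AP1 and AP2, VLANIF11 is the service VLAN gateway for the terminals behind AP1 and AP2, and VLANIF100 is used for Layer 3 communication with AC1 and AC2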

[AC1]interface Vlanif 100

[AC1-Vlanif100]ip address 10.0.100.1 24

[AC1-Vlanif100]quit

[AC1]capwap source interface Vlanif 100

VLANIF100 on AC1 is the CAPWAP source interface

[AC2]interface Vlanif 100        

[AC2-Vlanif100]ip address 10.0.100.2 24

[AC2-Vlanif100]quit        

[AC2]capwap source interface Vlanif 100

VLANIF100 on AC2 is the CAPWAP source interface

# On AC1 and AC2, configure a route to the AP management subnet

[AC1]ip route-static 10.0.10.0 24 10.0.100.3

[AC2]ip route-static 10.0.10.0 24 10.0.100.3

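A static route is configured manually on each AC so that the AC can exchange CAPWAP traffic with APs that have obtained an address in the management subnet

# Configure the DHCP service on S3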

[S3]dhcp enable

Enable the DHCP service

[S3]ip pool ap        

[S3-ip-pool-ap]network 10.0.10.0 mask 24

[S3-ip-pool-ap]gateway-list 10.0.10.1

[S3-ip-pool-ap]option 43 sub-option 2 ip-address 10.0.100.1 10.0.100.2

[S3-ip-pool-ap]quit

[S3]ip pool service

[S3-ip-pool-service]network 10.0.11.0 mask 24

[S3-ip-pool-service]gateway-list 10.0.11.1        

[S3-ip-pool-service]dns-list 10.0.11.1

[S3-ip-pool-service]quit

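Address pool ap assigns management addresses to the APs and carries Option 43 to specify the AC addresses. Note that sub-option 2 is used so that the primary and backup AC addresses are specified together

Address pool service assigns addresses to the wireless terminals of AP1 and AP2. The gateway of every address pool is the corresponding VLANIF interface address on S3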

[S3]interface Vlanif 10        

[S3-Vlanif10]dhcp select global

[S3-Vlanif10]quit        

[S3]interface Vlanif 11        

[S3-Vlanif11]dhcp select global

[S3-Vlanif11]quit

Select the global address pool on the interfaces
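An added example, not part of the original post: the Option 43 value that pool ap hands to the APs, built and parsed in Python so that a captured offer can be checked against the planned AC addresses. It assumes the switch emits the standard RFC 2132 vendor-encapsulated layout (sub-option code, length, packed IPv4 addresses) for sub-option 2; the function names are illustrative.

```python
import ipaddress

AC_SUBOPTION = 2                           # sub-option number used in pool ap
PLANNED_ACS = ["10.0.100.1", "10.0.100.2"]  # AC1 and AC2 from the data plan

def encode_option43(ac_addrs, sub_option=AC_SUBOPTION):
    """Build the payload as one TLV: code, length, packed IPv4 list (assumed layout)."""
    value = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addrs)
    if not 0 < len(value) <= 255:
        raise ValueError("sub-option value must be 1..255 bytes")
    return bytes([sub_option, len(value)]) + value

def decode_option43(payload):
    """Walk the TLVs and return {sub_option: raw value}; reject truncated input."""
    out, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out[code] = value
        i += 2 + length
    return out

def ac_list(payload, sub_option=AC_SUBOPTION):
    """Return the AC addresses carried in the given sub-option, in offer order."""
    value = decode_option43(payload).get(sub_option, b"")
    if len(value) % 4:
        raise ValueError("value is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, len(value), 4)]

def check_offer(payload, planned=PLANNED_ACS):
    """True only if the offer lists exactly the planned ACs, in the planned order."""
    return ac_list(payload) == list(planned)

if __name__ == "__main__":
    offer = encode_option43(PLANNED_ACS)
    print(offer.hex(), ac_list(offer), check_offer(offer))
```
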

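Step 3: Configure the ACs

Create ap-group depart, add the APs using MAC address authentication, name them AP1 and AP2, associate them with ap-group depart, and configure the parameter profiles and bind them to the VAP profile

The WLAN configuration is identical on AC1 and AC2. AC1 is used as the example here, and the AC2 configuration is not shown

# Create an AP group named depart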

[AC1]wlan

[AC1-wlan-view]ap-group name depart

[AC1-wlan-ap-group-depart]quit

# Create the regulatory domain profile and configure the AC country code in it

[AC1-wlan-view]regulatory-domain-profile name default

[AC1-wlan-regulate-domain-default]country-code cn

[AC1-wlan-regulate-domain-default]quit

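The regulatory domain profile holds the AP country code, the calibration channel set, the calibration bandwidth and related settings

By default, a regulatory domain profile named default exists on the system, so the command above enters that existing default profile

# Reference the regulatory domain profile in the AP group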

[AC1-wlan-view]ap-group name depart        

[AC1-wlan-ap-group-depart]regulatory-domain-profile default

Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y

[AC1-wlan-ap-group-depart]quit

# Add the APs

[AC1-wlan-view]ap auth-mode mac-auth         

[AC1-wlan-view]ap-id 0 ap-mac 00e0-fcad-7c40

[AC1-wlan-ap-0]ap-name AP1                

[AC1-wlan-ap-0]ap-group depart

Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y

Info: This operation may take a few seconds. Please wait for a moment.. done.

[AC1-wlan-ap-0]quit        

[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc36-08d0

[AC1-wlan-ap-1]ap-name AP2        

[AC1-wlan-ap-1]ap-group depart

Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y

Info: This operation may take a few seconds. Please wait for a moment.. done.

[AC1-wlan-ap-1]quit

# Configure the parameter profiles

[AC1-wlan-view]security-profile name depart        

[AC1-wlan-sec-prof-depart]security wpa2 psk pass-phrase a1234567 aes

[AC1-wlan-sec-prof-depart]quit

[AC1-wlan-view]ssid-profile name depart

[AC1-wlan-ssid-prof-depart]ssid LB

[AC1-wlan-ssid-prof-depart]quit

[AC1-wlan-view]vap-profile name depart

[AC1-wlan-vap-prof-depart]security-profile depart

[AC1-wlan-vap-prof-depart]ssid-profile depart

[AC1-wlan-vap-prof-depart]service-vlan vlan-id 11        

[AC1-wlan-vap-prof-depart]forward-mode direct-forward

[AC1-wlan-vap-prof-depart]quit        

[AC1-wlan-view]ap-group name depart        

[AC1-wlan-ap-group-depart]vap-profile depart wlan 1 radio all

[AC1-wlan-ap-group-depart]quit

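security-profile depart uses WPA2-PSK authentication with the pre-shared key a1234567

ssid-profile depart sets the SSID to LB

vap-profile depart sets the forwarding mode to direct forwarding and the service VLAN to 11, and references ssid-profile depart and security-profile depart

ap-group depart references vap-profile depart

Step 4: Configure dual-link cold backup

On the primary and backup ACs, specify the IP address of the peer AC for the APs. Set the priority of AC1 to 0 and the priority of AC2 to 1, so that AC1 becomes the primary AC and AC2 the backup AC

# Configure AC1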

[AC1-wlan-view]ac protect protect-ac 10.0.100.2 priority 0        

[AC1-wlan-view]undo ac protect restore disable

[AC1-wlan-view]ac protect enable

Warning: This operation maybe cause AP reset, continue?[Y/N]:y

Info: This operation may take a few seconds. Please wait for a moment.done.

Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.

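By default, dual-link backup is not enabled. Running the ac protect enable command prompts for a restart of all APs, and dual-link backup takes effect after the APs restart

# Configure AC2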

[AC2-wlan-view]ac protect protect-ac 10.0.100.1 priority 1        

[AC2-wlan-view]undo ac protect restore disable

[AC2-wlan-view]ac protect enable

Warning: This operation maybe cause AP reset, continue?[Y/N]:y

Info: This operation may take a few seconds. Please wait for a moment.done.

Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
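An added example, not part of the original post: a consistency check over the step 4 commands on both ACs, confirming that each protect-ac address is the other AC's CAPWAP source IP, that both sides enable backup, and which AC the priorities make primary. The command lists are constructed from the commands shown above, and the function names are illustrative.

```python
import re

# Constructed input: the step 4 commands as typed on each AC, plus its CAPWAP source IP.
ACS = {
    "AC1": ("10.0.100.1", ["ac protect protect-ac 10.0.100.2 priority 0",
                           "undo ac protect restore disable",
                           "ac protect enable"]),
    "AC2": ("10.0.100.2", ["ac protect protect-ac 10.0.100.1 priority 1",
                           "undo ac protect restore disable",
                           "ac protect enable"]),
}
PROTECT = re.compile(r"ac protect protect-ac (\d+\.\d+\.\d+\.\d+) priority (\d+)$")

def parse(commands):
    """Extract peer address, priority and the two switches from the typed commands."""
    cmds = [c.strip() for c in commands]
    hit = next((m for m in map(PROTECT.match, cmds) if m), None)
    return {
        "peer": hit.group(1) if hit else None,
        "priority": int(hit.group(2)) if hit else None,
        "enabled": "ac protect enable" in cmds,
        "restore": "undo ac protect restore disable" in cmds,
    }

def audit(acs):
    """Return (expected primary AC, list of findings) for a two-AC backup pair."""
    (a, (a_ip, a_cmds)), (b, (b_ip, b_cmds)) = acs.items()
    pa, pb = parse(a_cmds), parse(b_cmds)
    findings = []
    for name, p, other_ip in ((a, pa, b_ip), (b, pb, a_ip)):
        if p["peer"] != other_ip:
            findings.append(f"{name}: protect-ac {p['peer']} is not the peer source IP {other_ip}")
        if not p["enabled"]:
            findings.append(f"{name}: ac protect enable is missing")
    if pa["restore"] != pb["restore"]:
        findings.append("restore (switch-back) setting differs between the two ACs")
    if pa["priority"] is None or pb["priority"] is None or pa["priority"] == pb["priority"]:
        findings.append("priorities missing or equal: the primary AC is not determined")
        return None, findings
    # Lower value wins, as in the page's plan (0 for the primary, 1 for the backup).
    return (a if pa["priority"] < pb["priority"] else b), findings

if __name__ == "__main__":
    print(audit(ACS))
```
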

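Step 5: Verify the result

# On AC1, run the display ac protect command to view the dual-link information and priority on the AC

The peer is 10.0.100.2 and the local priority is 0

# On AC2, run the display ac protect command to view the dual-link information and priority on the AC

The peer is 10.0.100.1 and the local priority is 1

# Check the AP online status on AC1 and AC2

At this point the AP state is normal on AC1 and standby on AC2, and the APs have established CAPWAP tunnels with both AC1 and AC2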

posted @ 2022-08-17 11:47  hongliang888