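Configuring Dual-Link Cold Backup in a WLAN
Lab background
The number of wireless terminals on the enterprise intranet keeps growing. To keep wireless services stable, you, as the network engineer, decide to purchase an additional AC and deploy dual-link cold backup so that it forms a primary/backup pair with the existing AC and improves the reliability of wireless services.
Network overview
- The devices are connected as shown in the figure. AC1 is the primary AC and AC2 is the backup AC. Each AP establishes a CAPWAP tunnel with both the primary and the backup AC and periodically exchanges CAPWAP packets with them to check link state. When an AP detects that its link to the primary AC has failed, it notifies the backup AC to start a primary/backup switchover; the backup AC becomes the primary AC and takes over control of STA wireless access, which improves WLAN reliability.
- Switch S4 transparently forwards AP2's packets at Layer 2. S3 is the gateway for the AP management addresses and the terminal service addresses.
- S3 runs the DHCP service to assign management addresses to AP1 and AP2 and service addresses to wireless terminals. The APs learn the AC addresses (AC1, AC2) from Option 43 in the DHCP packets. All APs use direct forwarding mode.
Data plan: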
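Item | Parameters |
AP management VLAN | VLAN10 |
STA service VLAN | VLAN11 |
DHCP server | S3 acts as the DHCP server and assigns IP addresses to the APs; S3 acts as the DHCP server and assigns IP addresses to the STAs |
AP IP address pool | 10.0.10.0/24 |
STA IP address pool | 10.0.11.0/24 |
AC source interface IP addresses | 10.0.100.1, 10.0.100.2 |
AP group | Name: depart; referenced profile: VAP profile depart |
Regulatory domain profile | Name: default; country code: China (CN) |
SSID profile | Name: depart; SSID name: LB |
Security profile | Name: depart; security policy: WPA2+PSK+AES; password: a1234567 |
VAP profile | Name: depart; forwarding mode: direct forwarding; service VLAN: VLAN11; referenced profiles: SSID profile depart, security profile depart |
Dual-link cold backup | AC1 priority: 0; AC2 priority: 1 |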
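Configuration roadmap:
- Configure the wired-side functions
- S3 is the gateway for AP management traffic and wireless terminal service traffic
- AC1 and AC2 use VLANIF100 for Layer 3 communication with VLAN100 on S3 and use the VLANIF100 interface as the CAPWAP source interface
- Configure the WLAN services on AC1 and AC2
- Configure dual-link cold backup: set the priority of AC1 to 0 and the priority of AC2 to 1 so that AC1 becomes the primary AC and AC2 the backup AC
- Verify dual-link cold backup: shut down the interface on AC1 and check the AP and station status on AC2
Procedure
Step 1: Wired-side network configuration
Configure the wired side of the switches and ACs according to the plan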
[S3]vlan batch 10 11 100
[S3]interface GigabitEthernet 0/0/1
[S3-GigabitEthernet0/0/1]port link-type trunk
[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[S3-GigabitEthernet0/0/1]quit
[S3]interface GigabitEthernet 0/0/2
[S3-GigabitEthernet0/0/2]port link-type trunk
[S3-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[S3-GigabitEthernet0/0/2]quit
[S3]interface GigabitEthernet 0/0/3
[S3-GigabitEthernet0/0/3]port link-type trunk
[S3-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 11
[S3-GigabitEthernet0/0/3]quit
[S3]interface GigabitEthernet 0/0/4
[S3-GigabitEthernet0/0/4]port link-type trunk
[S3-GigabitEthernet0/0/4]port trunk pvid vlan 10
[S3-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 11
[S3-GigabitEthernet0/0/4]quit
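Note that the PVID of the S3 interface connected to AP1 must be set to VLAN10, the interface connected to S4 must allow the service VLAN and the management VLAN, and the interfaces connected to the ACs must allow VLAN100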
[S4]vlan batch 10 11
[S4]interface GigabitEthernet 0/0/3
[S4-GigabitEthernet0/0/3]port link-type trunk
[S4-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 11
[S4-GigabitEthernet0/0/3]quit
[S4]interface GigabitEthernet 0/0/4
[S4-GigabitEthernet0/0/4]port link-type trunk
[S4-GigabitEthernet0/0/4]port trunk pvid vlan 10
[S4-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 11
[S4-GigabitEthernet0/0/4]quit
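Note that the PVID of the S4 interface connected to the AP must be set to VLAN10, and the uplink interface transparently carries management VLAN10 and service VLAN11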
[AC1]vlan batch 100
[AC1]interface GigabitEthernet 0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1]quit
The interface allows VLAN100
[AC2]vlan batch 100
[AC2]interface GigabitEthernet 0/0/1
[AC2-GigabitEthernet0/0/1]port link-type trunk
[AC2-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1]quit
The interface allows VLAN100
# Create VLANIF interfaces on S3, AC1 and AC2
[S3]interface Vlanif 10
[S3-Vlanif10]ip address 10.0.10.1 24
[S3-Vlanif10]quit
[S3]interface Vlanif 11
[S3-Vlanif11]ip address 10.0.11.1 24
[S3-Vlanif11]quit
[S3]interface Vlanif 100
[S3-Vlanif100]ip address 10.0.100.3 24
[S3-Vlanif100]quit
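On S3, VLANIF10 is the management VLAN gateway for AP1 and AP2, VLANIF11 is the service VLAN gateway for the terminals behind AP1 and AP2, and VLANIF100 is used for Layer 3 communication with AC1 and AC2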
[AC1]interface Vlanif 100
[AC1-Vlanif100]ip address 10.0.100.1 24
[AC1-Vlanif100]quit
[AC1]capwap source interface Vlanif 100
VLANIF100 on AC1 is the CAPWAP source interface
[AC2]interface Vlanif 100
[AC2-Vlanif100]ip address 10.0.100.2 24
[AC2-Vlanif100]quit
[AC2]capwap source interface Vlanif 100
VLANIF100 on AC2 is the CAPWAP source interface
# Configure routes to the AP management subnet on AC1 and AC2
[AC1]ip route-static 10.0.10.0 24 10.0.100.3
[AC2]ip route-static 10.0.10.0 24 10.0.100.3
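A static route is configured manually on each AC so that the AC can exchange CAPWAP packets with the APs once they have obtained addresses in the management subnet
# Configure the DHCP service on S3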
[S3]dhcp enable
Enable the DHCP service
[S3]ip pool ap
[S3-ip-pool-ap]network 10.0.10.0 mask 24
[S3-ip-pool-ap]gateway-list 10.0.10.1
[S3-ip-pool-ap]option 43 sub-option 2 ip-address 10.0.100.1 10.0.100.2
[S3-ip-pool-ap]quit
[S3]ip pool service
[S3-ip-pool-service]network 10.0.11.0 mask 24
[S3-ip-pool-service]gateway-list 10.0.11.1
[S3-ip-pool-service]dns-list 10.0.11.1
[S3-ip-pool-service]quit
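The address pool ap assigns management addresses to the APs and carries Option 43 to specify the AC addresses. Note that sub-option 2 is used so that the primary and backup AC addresses are specified together
The address pool service assigns addresses to the wireless terminals of AP1 and AP2. The gateway of every address pool is set to the corresponding VLANIF interface address on S3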
[S3]interface Vlanif 10
[S3-Vlanif10]dhcp select global
[S3-Vlanif10]quit
[S3]interface Vlanif 11
[S3-Vlanif11]dhcp select global
[S3-Vlanif11]quit
The interfaces are set to use the global address pools
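
The AP can only build its second CAPWAP tunnel if the DHCP offer actually carries both controller addresses, so it is worth checking the Option 43 payload seen on the wire against the data plan. The following is an added example, not part of the original lab: it assumes the RFC 2132 code/length/data layout for vendor-specific sub-options and that `sub-option 2 ip-address` is sent as raw 4-octet IPv4 addresses; the function names are hypothetical.

```python
import ipaddress

# Assumption: Option 43 holds RFC 2132 encapsulated sub-options
# (code, length, data); sub-option 2 data is raw 4-octet IPv4 addresses.
AC_SUBOPTION = 2
EXPECTED_ACS = ["10.0.100.1", "10.0.100.2"]  # AC1 and AC2 from the data plan


def encode_ac_list(addresses):
    """Build the Option 43 payload for a list of AC addresses."""
    data = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if len(data) > 255:
        raise ValueError("sub-option data exceeds 255 octets")
    return bytes([AC_SUBOPTION, len(data)]) + data


def parse_suboptions(payload):
    """Split an Option 43 payload into {code: data}, rejecting truncation."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d is truncated" % code)
        subopts[code] = data
        i += 2 + length
    return subopts


def ac_addresses(payload):
    """Return the AC addresses carried in sub-option 2, in order."""
    data = parse_suboptions(payload).get(AC_SUBOPTION, b"")
    if len(data) % 4:
        raise ValueError("AC list is not a multiple of 4 octets")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]


def audit_offer(payload, expected=EXPECTED_ACS):
    """Report ACs missing from, or unexpected in, a DHCP offer's Option 43."""
    seen = ac_addresses(payload)
    return {"missing": [a for a in expected if a not in seen],
            "unexpected": [a for a in seen if a not in expected]}


if __name__ == "__main__":
    good = encode_ac_list(EXPECTED_ACS)  # constructed sample payload
    print(good.hex(), audit_offer(good))
```

A non-empty `missing` list means an AP has no standby controller to fail over to; a non-empty `unexpected` list means the offer steers APs to a controller that is not in the plan.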
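Step 3: Configure the ACs
Create ap-group depart, add the APs using MAC address authentication, name them AP1 and AP2, bind them to ap-group depart, then configure the profiles and bind them to the VAP profile
The WLAN configuration is identical on AC1 and AC2. AC1 is used as the example here; the AC2 configuration is not shown again
# Create an AP group named depart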
[AC1]wlan
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group-depart]quit
# Create the regulatory domain profile and configure the AC's country code in it
[AC1-wlan-view]regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default]country-code cn
[AC1-wlan-regulate-domain-default]quit
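The regulatory domain profile holds settings such as the AP's country code, calibration channel set and calibration bandwidth
A regulatory domain profile named default exists on the system by default, so the command above enters that existing default profile
# Reference the regulatory domain profile in the AP group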
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group-depart]regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-depart]quit
# Add the APs
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 0 ap-mac 00e0-fcad-7c40
[AC1-wlan-ap-0]ap-name AP1
[AC1-wlan-ap-0]ap-group depart
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-0]quit
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc36-08d0
[AC1-wlan-ap-1]ap-name AP2
[AC1-wlan-ap-1]ap-group depart
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-1]quit
# Configure the profiles
[AC1-wlan-view]security-profile name depart
[AC1-wlan-sec-prof-depart]security wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-depart]quit
[AC1-wlan-view]ssid-profile name depart
[AC1-wlan-ssid-prof-depart]ssid LB
[AC1-wlan-ssid-prof-depart]quit
[AC1-wlan-view]vap-profile name depart
[AC1-wlan-vap-prof-depart]security-profile depart
[AC1-wlan-vap-prof-depart]ssid-profile depart
[AC1-wlan-vap-prof-depart]service-vlan vlan-id 11
[AC1-wlan-vap-prof-depart]forward-mode direct-forward
[AC1-wlan-vap-prof-depart]quit
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group-depart]vap-profile depart wlan 1 radio all
[AC1-wlan-ap-group-depart]quit
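Configure security-profile depart with WPA2-PSK authentication and set the pre-shared key to a1234567
Configure ssid-profile depart and set the SSID to LB
Configure the vap-profile: set the forwarding mode to direct forwarding, set the service VLAN to 11, and reference ssid-profile depart and security-profile depart.
Reference vap-profile depart in ap-group depart
Step 4: Configure dual-link cold backup
On the primary and backup ACs, specify the peer AC's IP address for the APs. Set the priority of AC1 to 0 and the priority of AC2 to 1 so that AC1 becomes the primary AC and AC2 the backup AC
# Configure AC1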
[AC1-wlan-view]ac protect protect-ac 10.0.100.2 priority 0
[AC1-wlan-view]undo ac protect restore disable
[AC1-wlan-view]ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.done.
Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
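By default, dual-link backup is not enabled. Running the ac protect enable command prompts you to restart all APs; dual-link backup takes effect after the APs restart
# Configure AC2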
[AC2-wlan-view]ac protect protect-ac 10.0.100.1 priority 1
[AC2-wlan-view]undo ac protect restore disable
[AC2-wlan-view]ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.done.
Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
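
Because the two ACs are configured by hand, a mistyped peer address or a duplicated priority leaves the APs without a usable standby. The following added example (not part of the original lab) parses the AC1 and AC2 command lines shown on this page and cross-checks them; the function names are hypothetical, and it assumes each transcript contains a single `ip address` line, the CAPWAP source address.

```python
import re

# Commands copied from the AC1 and AC2 transcripts on this page.
# Assumption: the only `ip address` per transcript is the CAPWAP source.
AC1 = """[AC1-Vlanif100]ip address 10.0.100.1 24
[AC1-wlan-view]ac protect protect-ac 10.0.100.2 priority 0
[AC1-wlan-view]ac protect enable"""
AC2 = """[AC2-Vlanif100]ip address 10.0.100.2 24
[AC2-wlan-view]ac protect protect-ac 10.0.100.1 priority 1
[AC2-wlan-view]ac protect enable"""


def parse(transcript):
    """Pull the backup-related settings out of a CLI transcript."""
    cfg = {"source_ip": None, "peer": None,
           "priority": None, "enabled": False}
    for line in transcript.splitlines():
        cmd = re.sub(r"^\[[^\]]*\]", "", line.strip())  # strip the prompt
        if m := re.fullmatch(r"ip address (\S+) \d+", cmd):
            cfg["source_ip"] = m.group(1)
        elif m := re.fullmatch(r"ac protect protect-ac (\S+) priority (\d+)", cmd):
            cfg["peer"], cfg["priority"] = m.group(1), int(m.group(2))
        elif cmd == "ac protect enable":
            cfg["enabled"] = True
    return cfg


def check_pair(a, b):
    """Compare two parsed ACs; an empty list means they match the plan."""
    findings = []
    if a["peer"] != b["source_ip"] or b["peer"] != a["source_ip"]:
        findings.append("protect-ac does not match the peer's source address")
    if a["priority"] == b["priority"]:
        findings.append("both ACs have the same priority")
    if not (a["enabled"] and b["enabled"]):
        findings.append("ac protect enable missing on one side")
    return findings


def primary(named):
    """Name of the AC with the lowest priority value (0 on this page)."""
    return min(named, key=lambda n: named[n]["priority"])


if __name__ == "__main__":
    acs = {"AC1": parse(AC1), "AC2": parse(AC2)}
    print(check_pair(acs["AC1"], acs["AC2"]), primary(acs))
```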
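Step 5: Verify the result
# Run display ac protect on AC1 to view the AC's dual-link information and priority
The peer is 10.0.100.2 and the local priority is 0
# Run display ac protect on AC2 to view the AC's dual-link information and priority
The peer is 10.0.100.1 and the local priority is 1
# Check the AP online status on AC1 and AC2
At this point the AP state is normal on AC1 and standby on AC2, and the APs have established CAPWAP tunnels with both AC1 and AC2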