华为WLAN-AC三层组网旁挂直接转发
https://zhuanlan.zhihu.com/p/518694707
路由
<R>dis cur
[V200R003C00]
#
sysname R
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0 //基础网络下联三层
ip address 10.10.50.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0 //上网测试
ip address 30.30.30.30 255.255.255.255
#
ip route-static 10.10.20.0 255.255.255.0 10.10.50.1 //指向下游业务vlan网段的静态路由
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<R>
核心交换
<L3>
<L3>dis cur
#
sysname L3
#
undo info-center enable
#
vlan batch 10 20 50 60 //vlan10 AP vlan20 业务 vlan50 三层<-->路由 vlan60 三层<-->AC
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
ip pool ap //AP地址池
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 20.20.20.20 //option 43 字段告诉AP,AC在哪里(20.20.20.20是AC的Loopback 0环回接口IP)
#
ip pool sta //用户地址池
gateway-list 10.10.20.1
network 10.10.20.0 mask 255.255.255.0
dns-list 222.222.222.222
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
description apMGT //AP管理地址的网关
ip address 10.10.10.1 255.255.255.0
dhcp select global //引用上面定义的全局DHCP地址池；此处也可以配置成接口地址池，就不需要上面的ip pool了
#
interface Vlanif20 //用户地址网关
description toSTA
ip address 10.10.20.1 255.255.255.0
dhcp select global //用户使用全局DHCP地址池
#
interface Vlanif50 //三层与出口路由互联地址
ip address 10.10.50.1 255.255.255.0
#
interface Vlanif60 //三层与AC互联地址
description toAC
ip address 10.10.60.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1 //到出口路由
port link-type access
port default vlan 50
#
interface GigabitEthernet0/0/2 //到AC
description toAC
port link-type access
port default vlan 60
#
interface GigabitEthernet0/0/3 //到二层交换机
description toL2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.10.50.2 //默认路由指向出口路由的内侧接口
ip route-static 20.20.20.0 255.255.255.0 10.10.60.2 //到AC的 Loopback 0(用于封装capwap隧道) 的路由
#
user-interface con 0
user-interface vty 0 4
#
return
<L3>
二层交换
<L2>
<L2>dis cur
#
sysname L2
#
undo info-center enable
#
vlan batch 10 20 //只建 管理vlan10 和 业务 vlan20
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10 //用于telnet管理本交换机；如果只用console或不需要telnet本交换机，可以不配置
ip address 10.10.10.2 255.255.255.0
#
interface MEth0/0/1
#
interface Ethernet0/0/1 //连接AP
description toAP1
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface Ethernet0/0/2 //连接AP
description toAP2
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface Ethernet0/0/3 //上联三层
description to三层
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1 //默认路由指向上游三层交换机
#
user-interface con 0
user-interface vty 0 4
#
return
<L2>
AC控制器
<AC6605>dis cur
#
set memory-usage threshold 0
#
ssl renegotiation-rate 1
#
vlan batch 60 //AC与三层互联vlan
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
diffserv domain default
#
radius-server template default
#
pki realm default
rsa local-key-pair default
enrollment self-signed
#
ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher $1a$tiVFQ48"R9$N^/d+%EB&Ulg[A->V;
>W}nBLJ66wv7HxP(6Xs]W0$
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif60 //ac与L3互联地址
ip address 10.10.60.2 255.255.255.0
#
interface MEth0/0/1
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/1 //与L3的互联接口
description toL3
port link-type access
port default vlan 60
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/22
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/23
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/24
undo negotiation auto
duplex half
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0 //CAPWAP隧道的源地址/源接口；三层交换机需配置到此IP的路由，vlan10 DHCP中的option 43也用此地址告诉AP AC在哪里
ip address 20.20.20.20 255.255.255.255
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 10.10.0.0 255.255.0.0 10.10.60.1 //AC去往10.10.0.0/16各网段的路由(多条明细路由合并为一条汇总路由)
#
AP上线及wlan业务配置
(一)AP上线
//配置capwap隧道的源地址为接口 Loopback 0的地址
capwap source interface loopback0 //capwap隧道源接口为AC上的Loopback 0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
ap-group name default
regulatory-domain-profile default
yes
quit
ap auth-mode no-auth
(二)配置wlan业务
traffic-profile name default
//配置security模板：可以按需配置多个，例如部分用户(SSID)需要密码，部分不需要
security-profile name sec-1
security wpa2 psk pass-phrase %^%#8EI~RH,V\DsOg['D3_6BHPfHWE4lK+_:v^>#F}>1%^%#
aes
security-profile name default
security-profile name default-wds
security-profile name default-mesh
//SSID模板配置：可以配置多个(例如员工、客人)，此处只配置一个wifi001
ssid-profile name ssid-1
ssid wifi001
ssid-profile name default
//配置VAP模板：可以有多个，不同的VAP模板可对应不同的业务vlan、不同的转发方式(直接转发或隧道转发)、不同的SSID和不同的密码
vap-profile name vap-1
forwarding-mode direct-forward //直接转发(默认方式)；由于是默认值，输入该命令后在配置中不会显示
或
forwarding-mode tunnel-forward
service-vlan vlan-id 20
ssid-profile ssid-1
security-profile sec-1
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
//创建域管理模板default(系统默认已有)
regulatory-domain-profile name default
country-code CN
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
//进入AP组 绑定域管理模板default 和 多个vap模板
ap-group name default
regulatory-domain-profile default
vap-profile vap-1 wlan 1 radio all
vap-profile vap-2 wlan 2 radio all
//以下按radio逐个绑定的写法与上面的 radio all 等价
radio 0
vap-profile vap-1 wlan 1
radio 1
vap-profile vap-1 wlan 1
radio 2
vap-profile vap-1 wlan 1
ap-id 0 type-id 35 ap-mac 00e0-fc95-6220 ap-sn 210235448310D249DC07
ap-id 1 type-id 35 ap-mac 00e0-fce6-3080 ap-sn 210235448310EC7C5E3C
provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return
<AC6605>