Requirements

1. AP section: only a few APs are needed, so for cost reasons they run in FAT mode (standalone, no wireless controller).

2. Switch section: downlinks to the wired LAN and to the APs.

3. Firewall section: gateway, DHCP, NAT, IPSec VPN.

Configuration

1. AP section

==== Change the AP working mode ====
**** Check the current working mode ****
[CN-SZBW-1F-OFFICE-AP11]display wlan device role 
Current running mode: FIT AP.
**** Switch the AP from FIT to FAT mode ****
# Reboot and break into the BootWare menu. The key sequence and menu number below are what this AP accepted; they can differ between AP models and BootWare versions.
reboot
ctrl+b
ctrl+y
3
==== Global configuration ====
system-view
sysname CN-SZBW-1F-OFFICE-AP21
vlan 100 to 106
**** Configure the country code ****
wlan global-configuration
 region-code CN
**** Configure the management address ****
interface Vlan-interface106
 ip address 10.127.6.21 24
ip route-static 0.0.0.0 0 10.127.6.1

interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 4094  # wide trunk; permitting only the VLANs in use (100 to 106) limits what a compromised AP can reach
**** Configure management access (SSH only) ****
lldp global enable
undo telnet server enable
ssh server enable
public-key local create rsa
 2048
public-key local create dsa  # DSA host keys (ssh-dss) are disabled by default in current OpenSSH clients; the RSA key is the one clients will use
 2048

line vty 0 4
 authentication-mode scheme
 protocol inbound ssh

local-user cdg-admin class manage
 password simple Qh123.com!  # a Comware V7 device displays this hashed in the running configuration, but the clear text survives in this document; rotate it
 service-type ftp  # FTP sends credentials in clear text; SFTP/SCP over the SSH server above is the safer choice
 service-type ssh
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator  # redundant: network-admin already includes the operator's read rights
**** Remote authentication (RADIUS for 802.1X) ****
dot1x authentication-method eap

radius scheme sangfor
 primary authentication 10.1.32.250
 primary accounting 10.1.32.250
 key authentication cipher $c$3$Kd+IJwv8R4g6L773E2hH+/dP34hPRakK0ZaTCBzE
 key accounting cipher $c$3$9XBg/uQOMYOctQnfyv8xvichgGnpZpfWZSyhbPwM
 user-name-format without-domain
 nas-ip 10.127.6.21
domain sangfor
 authentication lan-access radius-scheme sangfor
 authorization lan-access radius-scheme sangfor
 accounting lan-access radius-scheme sangfor
**** Wireless service template with 802.1X authentication ****
# akm mode dot1x + cipher-suite ccmp + security-ie rsn is WPA2-Enterprise; credentials are verified by the RADIUS server through domain sangfor.
wlan service-template cdg
 ssid CDG
 vlan 100
 client cache aging-time 0
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
 client-security authentication-mode dot1x
 dot1x domain sangfor
 service-template enable

**** Wireless service template with PSK authentication ****
wlan service-template cdg-guest
 ssid CDGSZ-Guest
 vlan 101
 akm mode psk
 preshared-key pass-phrase simple Qhsz0519!  # 9-character PSK in clear text, shared by every guest; use a long random passphrase and rotate it
 cipher-suite ccmp
 security-ie rsn
 service-template enable
**** Bind the service templates to WLAN-Radio1/0/1 and WLAN-Radio1/0/2 ****
interface range WLAN-Radio1/0/1 to WLAN-Radio1/0/2
 undo service-template 1
 undo service-template 16
 service-template cdg
 service-template cdg-guest
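As an added example (not code from the original post), a small Python checker that parses Comware-style configuration text and flags the weak points in the AP configuration above: secrets entered in `simple` form, a Telnet server left enabled, VTY lines not restricted to SSH, a management user with redundant roles or FTP access, and a short WPA2-PSK passphrase. SAMPLE_CONFIG is a constructed excerpt of the configuration on this page; the 12-character PSK threshold and the finding texts are this example's own choices.

```python
"""Static review of Comware-style configuration text.

Added example: SAMPLE_CONFIG is a constructed excerpt of the FAT AP
configuration above; audit() returns the findings a reviewer would raise.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Secrets typed in `simple` form: the clear text ends up in documents and
# ticket systems even when the device itself stores a hash or ciphertext.
PLAINTEXT_SECRET = re.compile(
    r"\b(password|pass-phrase|key|key authentication|key accounting) simple\b"
)
MIN_PSK_LEN = 12  # this example's threshold; WPA2 only requires 8


@dataclass
class Block:
    header: str
    children: List[str] = field(default_factory=list)


def parse_blocks(text: str) -> List[Block]:
    """Split config text into top-level commands plus their indented
    sub-commands (Comware indents children by one space)."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1].children.append(line.strip())
        else:
            blocks.append(Block(line.strip()))
    return blocks


def audit(text: str) -> List[str]:
    """Return one finding string per weak setting found."""
    findings: List[str] = []
    for block in parse_blocks(text):
        hdr, kids = block.header, block.children
        for line in [hdr] + kids:
            if PLAINTEXT_SECRET.search(line):
                keyword = line.split(" simple", 1)[0]  # never echo the secret itself
                findings.append(f"plaintext secret: '{hdr}' -> '{keyword} simple ...'")
        if hdr == "telnet server enable":
            findings.append("Telnet server enabled; keep SSH only (undo telnet server enable)")
        if hdr.startswith("line vty") and "protocol inbound ssh" not in kids:
            findings.append(f"'{hdr}' is not restricted to SSH (protocol inbound ssh)")
        if hdr.startswith("local-user"):
            roles = [k.split()[-1] for k in kids if k.startswith("authorization-attribute user-role ")]
            extra = sorted(set(roles) - {"network-admin"})
            if "network-admin" in roles and extra:
                findings.append(f"'{hdr}' has network-admin plus redundant roles {extra}")
            if "service-type ftp" in kids:
                findings.append(f"'{hdr}' allows FTP (cleartext credentials); use SFTP/SCP over SSH")
        if hdr.startswith("wlan service-template"):
            for k in kids:
                if k.startswith("preshared-key pass-phrase simple "):
                    psk = k.split(" ", 3)[3]
                    if len(psk) < MIN_PSK_LEN:
                        findings.append(f"'{hdr}' PSK is only {len(psk)} characters; use a long random passphrase")
                if k.startswith("cipher-suite tkip"):
                    findings.append(f"'{hdr}' allows TKIP; use CCMP only")
    return findings


# Constructed excerpt of the AP configuration above (cipher-form RADIUS key
# included to show that only `simple` secrets are flagged).
SAMPLE_CONFIG = """\
undo telnet server enable
ssh server enable
line vty 0 4
 authentication-mode scheme
 protocol inbound ssh
local-user cdg-admin class manage
 password simple Qh123.com!
 service-type ftp
 service-type ssh
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
radius scheme sangfor
 primary authentication 10.1.32.250
 key authentication cipher $c$3$Kd+IJwv8R4g6L773E2hH+/dP34hPRakK0ZaTCBzE
wlan service-template cdg-guest
 ssid CDGSZ-Guest
 vlan 101
 akm mode psk
 preshared-key pass-phrase simple Qhsz0519!
 cipher-suite ccmp
 security-ie rsn
 service-template enable
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt, the checker reports five findings (two plaintext secrets, the redundant role, FTP, and the short PSK) and stays silent on the Telnet and VTY checks, which the page already gets right.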
**** Configure the roaming group ****
# Create roaming group qhszbw.
wlan mobility group qhszbw
 tunnel-type ipv4  # IADTP tunnels between roaming-group members use IPv4.
 source ip 10.127.6.21  # Source IP of the IADTP tunnel this FAT AP builds when it joins the group: its own management address.
 member auto-discovery  # Discover and add the other APs in the roaming group automatically.
 group enable  # Enable the roaming group.
display wlan mobility roam-in  # Clients that have roamed in to this AP.
display wlan mobility roam-track mac-address  # Roaming history of one client (follow with the client MAC address).
display wlan mobility roam-out  # Clients that have roamed out of this AP.
display wlan mobility group  # Roaming group status and members.
# Enable per-client rate limiting on a service template and cap both directions: a static (per-client) CIR of 4000 kbps from client to AP, and a dynamic (shared among all clients) CIR of 16000 kbps from AP to client.
# (The prompt below shows a template named "service"; on this AP the templates are cdg and cdg-guest.)
[AP-wlan-st-service] client-rate-limit enable
[AP-wlan-st-service] client-rate-limit inbound mode static cir 4000
[AP-wlan-st-service] client-rate-limit outbound mode dynamic cir 16000

2. Switch section

Downlink to wired hosts:
interface Ethernet1/0/16
 port access vlan 102
 poe enable
Downlink to an AP:
interface GigabitEthernet1/0/17
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 4094  # restrict to the VLANs actually in use (100 to 106) where possible
 poe enable 
Uplink:
interface GigabitEthernet1/0/24
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 4094

3. Firewall section

1) Gateway

2) DHCP

3) NAT

4) IPSec VPN

5) BGP configuration

4. Matching IPSec VPN configuration on the H3C router

interface tunnel 5101 mode gre
 ip address 10.0.101.1 255.255.255.252
 source LoopBack1
 destination 14.152.36.66

ike keychain kc_SZBW
 pre-shared-key address 14.152.36.66 255.255.255.255 key simple xxxx  # key redacted in the original; use a long random value

acl advanced name gre_SZBW
 rule 0 permit gre source 220.243.177.1 0 destination 14.152.36.66 0

ipsec transform-set ts_0
 esp encryption-algorithm 3des-cbc  # legacy; prefer aes-cbc-256 when the firewall peer supports it
 esp authentication-algorithm md5  # legacy; prefer sha256
 pfs dh-group2  # 1024-bit group; prefer dh-group14

ipsec policy ipo_Branch 127 isakmp
 transform-set ts_0 
 security acl name gre_SZBW
 remote-address 14.152.36.66
 sa trigger-mode auto
# Route filters for the branch peer: accept only the branch's 10.127.0.0/21 block (and more-specific routes inside it) from the peer, and advertise only 10.0.0.0/8 (and more-specific routes) to it. Anything else, including a default route, hits the implicit deny at the end of each list.
ip prefix-list ipl_0 index 10 permit 10.0.0.0 8 less-equal 32
ip prefix-list ipl_101 index 10 permit 10.127.0.0 21 less-equal 32
bgp 65001
 peer 10.0.101.2 as-number 65101
 #
 address-family ipv4 unicast
  peer 10.0.101.2 enable
  peer 10.0.101.2 prefix-list ipl_101 import
  peer 10.0.101.2 prefix-list ipl_0 export
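As an added example, not code from the original post: a Python model of Comware `ip prefix-list` matching, applied to the two lists bound to the BGP peer above. It shows what the `less-equal 32` qualifier admits (the listed prefix and any more-specific route inside it, but not a supernet or a default route) and what the implicit deny rejects. The route strings are constructed test inputs; the extra `strict` list is this example's addition to contrast exact-length matching with the range form.

```python
"""Model Comware `ip prefix-list` matching and apply it to BGP peer filters.

Added example: the two prefix-lists from the router configuration are
embedded below as constructed input, together with one extra list
("strict") that illustrates exact-length matching.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PrefixListEntry:
    index: int
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None          # greater-equal: minimum prefix length
    le: Optional[int] = None          # less-equal: maximum prefix length

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """A route matches when it lies inside the entry's network and its
        prefix length falls in the allowed range. Without greater-equal or
        less-equal only the exact length matches; greater-equal alone opens
        the range up to /32."""
        base = self.network.prefixlen
        lo = self.ge if self.ge is not None else base
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = base
        return route.subnet_of(self.network) and lo <= route.prefixlen <= hi


def parse_prefix_lists(lines: List[str]) -> Dict[str, List[PrefixListEntry]]:
    """Parse `ip prefix-list NAME index N permit|deny A.B.C.D LEN
    [greater-equal X] [less-equal Y]` lines into per-list entries sorted by
    index, the order in which the device evaluates them."""
    lists: Dict[str, List[PrefixListEntry]] = {}
    for raw in lines:
        tok = raw.split()
        if len(tok) < 8 or tok[:2] != ["ip", "prefix-list"] or tok[3] != "index":
            continue
        name, index, action = tok[2], int(tok[4]), tok[5]
        network = ipaddress.ip_network(f"{tok[6]}/{tok[7]}", strict=False)
        ge = le = None
        options = tok[8:]
        for key, value in zip(options[0::2], options[1::2]):
            if key == "greater-equal":
                ge = int(value)
            elif key == "less-equal":
                le = int(value)
        lists.setdefault(name, []).append(PrefixListEntry(index, action, network, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e.index)
    return lists


def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """First matching entry decides; an unmatched route hits the implicit deny."""
    net = ipaddress.ip_network(route, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"


# Constructed input: the two lists bound to peer 10.0.101.2 above, plus a
# contrasting list with no range qualifier.
PREFIX_LIST_CONFIG = [
    "ip prefix-list ipl_0 index 10 permit 10.0.0.0 8 less-equal 32",
    "ip prefix-list ipl_101 index 10 permit 10.127.0.0 21 less-equal 32",
    "ip prefix-list strict index 10 permit 192.168.0.0 16",
]
LISTS = parse_prefix_lists(PREFIX_LIST_CONFIG)


def accepted_from_branch(route: str) -> bool:
    """`peer 10.0.101.2 prefix-list ipl_101 import`: what the branch may announce."""
    return evaluate(LISTS["ipl_101"], route) == "permit"


def advertised_to_branch(route: str) -> bool:
    """`peer 10.0.101.2 prefix-list ipl_0 export`: what this router sends the branch."""
    return evaluate(LISTS["ipl_0"], route) == "permit"


if __name__ == "__main__":
    for r in ["10.127.6.0/24", "10.127.0.0/21", "10.127.8.0/24", "10.127.0.0/20", "0.0.0.0/0"]:
        print(f"import {r:16} -> {'accept' if accepted_from_branch(r) else 'drop'}")
    for r in ["10.1.32.0/24", "10.0.0.0/8", "192.168.1.0/24", "0.0.0.0/0"]:
        print(f"export {r:16} -> {'send' if advertised_to_branch(r) else 'withhold'}")
```

The AP management network 10.127.6.0/24 sits inside 10.127.0.0/21 and is accepted from the branch, while 10.127.8.0/24 (outside the /21), the less-specific 10.127.0.0/20 and a default route are all dropped; on the export side the RADIUS server subnet 10.1.32.0/24 is sent, 192.168.1.0/24 and 0.0.0.0/0 are withheld.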

 

posted on 2023-07-20 17:21  星痕1216