2. Requirement: wireless terminals can connect to the wireless network and exchange data with each other
4. Configuration commands
Step 1: Bring the APs online

1. Bring the APs online: basic configuration so that the APs can obtain an IP address through DHCP

1) On the aggregation switch, create the VLANs and configure the port roles
[hj-sw1]vlan batch 100 200 210
[hj-sw1]port-group group-member g0/0/1 to g0/0/5
[hj-sw1-port-group]port link-type trunk
[hj-sw1-port-group]port trunk allow-pass vlan all

2) On the core switch, create the VLANs, configure the VLANIF interface IP addresses, and configure the port roles
[HX-SW2]vlan batch 100 200 210
[HX-SW2]int vlan 100
[HX-SW2-Vlanif100]ip add 192.168.100.254 24
[HX-SW2-Vlanif100]int vlan 200
[HX-SW2-Vlanif200]ip add 192.168.200.254 24
[HX-SW2-Vlanif200]int vlan 210
[HX-SW2-Vlanif210]ip add 192.168.210.254 24
[HX-SW2-Vlanif210]quit
[HX-SW2]int g0/0/2
[HX-SW2-G0/0/2]port link-type trunk
[HX-SW2-G0/0/2]port trunk allow-pass vlan all
[HX-SW2-G0/0/2]quit
[HX-SW2]int g0/0/1
[HX-SW2-G0/0/1]port link-type access
[HX-SW2-G0/0/1]port default vlan 210
[HX-SW2-G0/0/1]quit
[HX-SW2]int g0/0/10
[HX-SW2-G0/0/10]port link-type access
[HX-SW2-G0/0/10]port default vlan 200
[HX-SW2-G0/0/10]quit

3) On DHCP-R1, enable DHCP and configure the IP address pool
[DHCP-R1]dhcp enable
[DHCP-R1]ip pool vlan100
[DHCP-R1-ip-pool-vlan100]network 192.168.100.0 mask 24
[DHCP-R1-ip-pool-vlan100]gateway-list 192.168.100.254
[DHCP-R1-ip-pool-vlan100]dns-list 8.8.8.8
[DHCP-R1-ip-pool-vlan100]quit
[DHCP-R1]int g0/0/0
[DHCP-R1-G0/0/0]ip add 192.168.210.1 24
[DHCP-R1-G0/0/0]dhcp select global

4) On core switch SW2, configure DHCP relay
[HX-SW2]dhcp enable
[HX-SW2]int vlan 100
[HX-SW2-Vlanif100]dhcp select relay
[HX-SW2-Vlanif100]dhcp relay server-ip 192.168.210.1

5) On DHCP-R1, configure the return route toward the relay (a default route)
[DHCP-R1]ip route-static 0.0.0.0 0.0.0.0 192.168.210.254

6) On hj-SW1, change the PVID of g0/0/2-g0/0/5 to VLAN 100
[hj-sw1]port-group group-member g0/0/2 to g0/0/5
[hj-sw1-port-group]port trunk pvid vlan 100

Note: the PVID of interfaces g0/0/2, g0/0/3, g0/0/4 and g0/0/5 on hj-sw1 is changed to VLAN 100 so that the APs can communicate with the AP gateway address on the core switch (192.168.100.254, the DHCP relay address). Only once the AP and the DHCP relay can reach each other can the DHCP Discover messages sent by the AP be forwarded by the relay to the DHCP server, and only then can the AP obtain an IP address.
Note: if the PVID of interfaces g0/0/2, g0/0/3, g0/0/4 and g0/0/5 on hj-sw1 is not changed to VLAN 100, traffic sent by the AP belongs to VLAN 1 by default and cannot communicate with Vlanif100.

Verification: check whether the AP can obtain an IP address
<Huawei>dis system-information //verify on the AP whether an IP address was obtained
System Information
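===============================================
Serial Number       : 21023544831070413239   //serial number (SN)
System Name         : Huawei                 //system name (a Huawei device)
Country Code        : US                     //country code: US (United States)
MAC Address         : 00:e0:fc:80:62:20      //MAC address
Radio 0 MAC Address : 00:00:00:00:00:00      //radio band 2.4GHz
Radio 1 MAC Address : 00:00:00:00:00:10      //radio band 5GHz
IP Address          : 192.168.100.252        //IP address successfully obtained from DHCP
Subnet Mask         : 255.255.255.0
Default Gateway     : 192.168.100.254

<Huawei>display ip int brief //view the IP addresses of the VLANIF interfaces

2. Bring the APs online: establish the CAPWAP tunnel between the AC and the APs

1) On the AC, create VLAN 200, add g0/0/10 to VLAN 200 and set it to access
[AC6605]vlan 200
[AC6605-vlan200]quit
[AC6605]int vlan 200
[AC6605-Vlanif200]ip add 192.168.200.10 24
[AC6605-Vlanif200]quit
[AC6605]int g0/0/10
[AC6605-G0/0/10]port link-type access
[AC6605-G0/0/10]port default vlan 200

2) On the AC, configure a default route so that the AC and the APs can reach each other
[AC6605]ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
Note: this lets the AC reach APs that are in a different subnet.

3) On the DHCP server, configure DHCP option 43 so that the APs learn the AC's management address
[DHCP-R1]ip pool vlan100
[DHCP-R1-ip-pool-vlan100]option 43 sub-option 1 ip-address 192.168.200.10
Note: after changing option 43, remember to restart all the AP devices.
Note: the AC has to manage hundreds of AP devices centrally, and the protocol packets (management traffic) between the APs and the AC have to be exchanged, so each AP establishes a CAPWAP tunnel with the AC. For that, the AP must know the AC's management IP address. The AP does not know what that address is, so the DHCP server has to tell every AP. Why the DHCP server? Because every AP obtains its IP address from DHCP when it boots.
How does DHCP tell the AP the AC's management IP address?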
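It uses the option 43 field in the DHCP message to deliver the AC's management IP address to the AP.
option 43 has three encoding formats by default (option 43 applies only to IPv4 addresses):
1) ascii: ASCII encoding. Advantage: punctuation can be encoded too, and several IP addresses can be written in a row
2) hex: hexadecimal. The IP address has to be converted to hexadecimal digits before it is entered
3) ip-address: decimal. The IP address is entered as-is
From a packet capture, the value of option 43 in the DHCP message is 01:04:c0:a8:c8:0a
Note: the hexadecimal value c0:a8:c8:0a translates to the IPv4 address 192.168.200.10

4) On the AC, configure the CAPWAP tunnel -- establish the tunnel between the AC and the APs
[AC6605] capwap source ip-address 192.168.200.10
Note: this creates the CAPWAP tunnel and sets the tunnel source address to the AC's management IP, 192.168.200.10.
=========================================
Note: either a source interface or a source IP address can be defined; the two commands are:
capwap source ip-address 192.168.200.10
capwap source interface vlanif 200
=========================================

5) On the AC, enter the MAC addresses of the APs so that the AC knows the APs exist
[AC6605]wlan
[AC6605-wlan-view]ap-id 1 ap-mac 00e0-fcb2-13f0
[AC6605-wlan-ap-1]quit
[AC6605-wlan-view]ap-id 2 ap-mac 00e0-fcdd-4060
[AC6605-wlan-ap-2]quit
[AC6605-wlan-view]ap-id 3 ap-mac 00e0-fcd6-4110
[AC6605-wlan-ap-3]quit
[AC6605-wlan-view]ap-id 4 ap-mac 00e0-fc69-7790

Verification:
1) The APs and the AC must be able to reach each other over the network
[AC6605]ping 192.168.200.254
[AC6605]ping 192.168.100.253
[AC6605]ping 192.168.100.252
[AC6605]ping 192.168.100.251
[AC6605]ping 192.168.100.250
[AC6605] dis ap all //view the AP registration information on the AC
=========================================================================
Troubleshooting:
1. Check whether the AP has obtained an IP address
2. Check whether the AC can ping AP1 --- check that the network is reachable
3. Check the option parameter --- on the DHCP server, check in ip pool 100 whether the option is configured correctly
4. Check the CAPWAP tunnel address -- on the AC, check whether the CAPWAP tunnel is configured
5. Restart the AP -- wait 3 minutes and see whether it comes online; if it does not, restart the AP

[AC6605]dis ap all
Info: This operation may take a few seconds. Please wait for a moment.done.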
Total AP information:
nor : normal [4]
--------------------------------------------------------------------------------
ID  MAC             Name            Group    IP               Type      State
--------------------------------------------------------------------------------
1   00e0-fcb2-13f0  00e0-fcb2-13f0  default  192.168.100.253  AP6050DN  nor
2   00e0-fcdd-4060  00e0-fcdd-4060  default  192.168.100.251  AP6050DN  nor
3   00e0-fcd6-4110  00e0-fcd6-4110  default  192.168.100.250  AP6050DN  nor
4   00e0-fc69-7790  00e0-fc69-7790  default  192.168.100.252  AP6050DN  nor
--------------------------------------------------------------------------------

Step 2: The AC pushes the configuration to the APs

1) Create a regulatory domain profile and bind the country code
[AC6605]wlan
[AC6605-wlan-view]regulatory-domain-profile name ntd2306
[AC6605-wlan-regulate-domain-ntd2306]country-code cn
[AC6605-wlan-regulate-domain-ntd2306]quit
[AC6605-wlan-view]quit

2) Create the AP groups and bind the regulatory domain profile
[AC6605]wlan
[AC6605-wlan-view]ap-group name bangong
[AC6605-wlan-ap-group-bangong]regulatory-domain-profile ntd2306
[AC6605-wlan-ap-group-bangong]quit
[AC6605-wlan-view]ap-group name xuexi
[AC6605-wlan-ap-group-xuexi]regulatory-domain-profile ntd2306
[AC6605-wlan-ap-group-xuexi]quit
[AC6605-wlan-view]quit

3) Add the physical AP devices to the AP groups
[AC6605]wlan
[AC6605-wlan-view]ap-id 1                  //configure AP 1
[AC6605-wlan-ap-1]ap-name bangong1         //name AP 1 bangong1
[AC6605-wlan-ap-1]ap-group bangong         //add AP 1 to the bangong group
[AC6605-wlan-ap-1]quit
[AC6605-wlan-view]ap-id 2                  //configure AP 2
[AC6605-wlan-ap-2]ap-name bangong2         //name AP 2 bangong2
[AC6605-wlan-ap-2]ap-group bangong         //add AP 2 to the bangong group
[AC6605-wlan-ap-2]quit
[AC6605-wlan-view]ap-id 3                  //configure AP 3
[AC6605-wlan-ap-3]ap-name xuexi1           //name AP 3 xuexi1
[AC6605-wlan-ap-3]ap-group xuexi           //add AP 3 to the xuexi group
[AC6605-wlan-ap-3]quit
[AC6605-wlan-view]ap-id 4                  //configure AP 4
[AC6605-wlan-ap-4]ap-name xuexi2           //name AP 4 xuexi2
[AC6605-wlan-ap-4]ap-group xuexi           //add AP 4 to the xuexi group

4) Verify that the AP devices have joined the AP groups
[AC6605] dis ap all
Total AP information:
nor : normal [4]
--------------------------------------------------------------------------------
ID  MAC             Name      Group    IP               Type      State ptime
--------------------------------------------------------------------------------
1   00e0-fcb2-13f0  bangong1  bangong  192.168.100.253  AP6050DN  nor
2   00e0-fcdd-4060  bangong2  bangong  192.168.100.251  AP6050DN  nor
3   00e0-fcd6-4110  xuexi1    xuexi    192.168.100.250  AP6050DN  nor
4   00e0-fc69-7790  xuexi2    xuexi    192.168.100.252  AP6050DN  nor
--------------------------------------------------------------------------------
Total: 4

[AC6605] dis ap-group all
--------------------------------------------------------------------------------
Name     APs
--------------------------------------------------------------------------------
bangong  2
default  0
xuexi    2
--------------------------------------------------------------------------------
Total: 3

5) Create the SSID profiles: define the wireless network names
[AC6605]wlan
[AC6605-wlan-view]ssid-profile name bangong        //create an SSID profile named bangong
[AC6605-wlan-ssid-prof-bangong]ssid bangong        //define the SSID (the wireless network name)
[AC6605-wlan-ssid-prof-bangong]quit
[AC6605-wlan-view]ssid-profile name xuexi          //create an SSID profile named xuexi
[AC6605-wlan-ssid-prof-xuexi]ssid xuexi            //define the SSID (the wireless network name)

6) Create the security profiles: define the wireless security policy (pre-shared key, encryption method)
[AC6605]wlan
[AC6605-wlan-view]security-profile name bangong    //create a security profile named bangong
[AC6605-wlan-sec-prof-bangong]security wpa-wpa2 psk pass-phrase a12345678 aes
[AC6605-wlan-sec-prof-bangong]quit
[AC6605-wlan-view]security-profile name xuexi
[AC6605-wlan-sec-prof-xuexi]security wpa-wpa2 psk pass-phrase a12345678 aes
//define the security policy, the pre-shared key and the encryption method
Note:
wpa-wpa2    : a newer encryption method
psk         : pre-shared key
pass-phrase : passphrase
a12345678   : the key value that is set
aes         : Advanced Encryption Standard (the US national standard encryption algorithm)

7) On the aggregation switch, create VLANs 101 102 103 104
[hj-SW1]vlan batch 101 102 103 104

8) On the core switch, create VLANs 101 102 103 104
[HX-SW2]vlan batch 101 102 103 104

9) On DHCP-R1, create the address pools for VLANs 101 102 103 104
[DHCP-R1]ip pool vlan101
[DHCP-R1-ip-pool-vlan101]network 192.168.101.0 mask 24
[DHCP-R1-ip-pool-vlan101]gateway-list 192.168.101.254
[DHCP-R1-ip-pool-vlan101]dns-list 8.8.8.8
[DHCP-R1-ip-pool-vlan101]ip pool vlan102
[DHCP-R1-ip-pool-vlan102]network 192.168.102.0 mask 24
[DHCP-R1-ip-pool-vlan102]gateway-list 192.168.102.254
[DHCP-R1-ip-pool-vlan102]dns-list 8.8.8.8
[DHCP-R1-ip-pool-vlan102]ip pool vlan103
[DHCP-R1-ip-pool-vlan103]network 192.168.103.0 mask 24
[DHCP-R1-ip-pool-vlan103]gateway-list 192.168.103.254
[DHCP-R1-ip-pool-vlan103]dns-list 8.8.8.8
[DHCP-R1-ip-pool-vlan103]ip pool vlan104
[DHCP-R1-ip-pool-vlan104]network 192.168.104.0 mask 24
[DHCP-R1-ip-pool-vlan104]gateway-list 192.168.104.254
[DHCP-R1-ip-pool-vlan104]dns-list 8.8.8.8

10) On the core switch, configure IP addresses on Vlanif101 102 103 104 and enable DHCP relay on them
[HX-SW2]int vlan 101
[HX-SW2-Vlanif101]ip add 192.168.101.254 24
[HX-SW2-Vlanif101]dhcp select relay
[HX-SW2-Vlanif101]dhcp relay server-ip 192.168.210.1
[HX-SW2-Vlanif101]int vlan 102
[HX-SW2-Vlanif102]ip add 192.168.102.254 24
[HX-SW2-Vlanif102]dhcp select relay
[HX-SW2-Vlanif102]dhcp relay server-ip 192.168.210.1
[HX-SW2-Vlanif102]int vlan 103
[HX-SW2-Vlanif103]ip add 192.168.103.254 24
[HX-SW2-Vlanif103]dhcp select relay
[HX-SW2-Vlanif103]dhcp relay server-ip 192.168.210.1
[HX-SW2-Vlanif103]int vlan 104
[HX-SW2-Vlanif104]ip add 192.168.104.254 24
[HX-SW2-Vlanif104]dhcp select relay
[HX-SW2-Vlanif104]dhcp relay server-ip 192.168.210.1

11) On the AC, create the VLAN pools and bind several VLANs to each: these are the VLANs used by the STAs (computers and phones)
[AC6605]vlan pool bangong                  //create a VLAN pool named bangong
[AC6605-vlan-pool-bangong]vlan 101 102     //add VLANs 101 and 102 to the bangong pool
[AC6605-vlan-pool-bangong]quit
[AC6605]vlan pool xuexi                    //create a VLAN pool named xuexi
[AC6605-vlan-pool-xuexi]vlan 103 104       //add VLANs 103 and 104 to the xuexi pool

12) Create the VAP profiles -- bind the VLAN pool, the SSID profile and the security profile
[AC6605]wlan
[AC6605-wlan-view]vap-profile name bangong                     //create a VAP profile named bangong
[AC6605-wlan-vap-prof-bangong]ssid-profile bangong             //bind the SSID profile
[AC6605-wlan-vap-prof-bangong]security-profile bangong         //bind the security profile
[AC6605-wlan-vap-prof-bangong]service-vlan vlan-pool bangong   //bind the VLAN pool
[AC6605-wlan-vap-prof-bangong]quit
[AC6605-wlan-view]vap-profile name xuexi                       //create a VAP profile named xuexi
[AC6605-wlan-vap-prof-xuexi]ssid-profile xuexi                 //bind the SSID profile
[AC6605-wlan-vap-prof-xuexi]security-profile xuexi             //bind the security profile
[AC6605-wlan-vap-prof-xuexi]service-vlan vlan-pool xuexi       //bind the VLAN pool

13) Bind the VAP profiles to the AP groups, which pushes the configuration to the physical devices in each AP group
[AC6605]wlan
[AC6605-wlan-view]ap-group name bangong                        //enter the AP group
[AC6605-wlan-ap-group-bangong]vap-profile bangong wlan 1 radio 0
[AC6605-wlan-ap-group-bangong]vap-profile bangong wlan 1 radio 1
[AC6605-wlan-ap-group-bangong]quit
[AC6605-wlan-view]ap-group name xuexi
[AC6605-wlan-ap-group-xuexi]vap-profile xuexi wlan 1 radio 0
[AC6605-wlan-ap-group-xuexi]vap-profile xuexi wlan 1 radio 1
//bind the VAP profile in the AP group and specify the radio
- Radio bands specified for the AP group: 2.4GHz 5.0GHz
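
Added example (not part of the original tutorial): a Python decoder for the DHCP option 43 value discussed in step 3) of the CAPWAP setup, run on the captured bytes 01:04:c0:a8:c8:0a, with a check that the advertised AC is the expected one. The function names are hypothetical, and treating sub-option 1 as a run of 4-byte IPv4 addresses is an assumption that generalizes the single-address capture shown above.

```python
import ipaddress

def from_capture(text):
    """Convert a colon-separated hex string from a packet capture to bytes."""
    return bytes.fromhex(text.replace(":", ""))

def parse_option43(raw):
    """Split an option 43 payload into {sub-option type: value} (type, length, value)."""
    subopts, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError(f"truncated sub-option header at offset {i}")
        typ, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {typ}: {length} bytes declared, {len(value)} present")
        subopts[typ] = value
        i += 2 + length
    return subopts

def ac_addresses(raw):
    """Return the AC IPv4 addresses carried in sub-option 1 (binary form)."""
    value = parse_option43(raw).get(1)
    if value is None:
        raise ValueError("option 43 has no sub-option 1")
    if not value or len(value) % 4:
        raise ValueError("sub-option 1 is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]

def encode_ac_addresses(addrs):
    """Build the bytes that 'option 43 sub-option 1 ip-address ...' puts on the wire."""
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    if not body or len(body) > 255:
        raise ValueError("sub-option 1 needs between 1 and 63 addresses")
    return bytes([1, len(body)]) + body

def advertised_ac_ok(raw, expected):
    """True only if every AC address in the capture is one we expect."""
    try:
        return set(ac_addresses(raw)) <= set(expected)
    except ValueError:
        return False  # a malformed option is treated as a failed check

if __name__ == "__main__":
    captured = from_capture("01:04:c0:a8:c8:0a")  # value quoted on the page
    print(ac_addresses(captured))
    print(encode_ac_addresses(["192.168.200.10"]).hex(":"))
    print(advertised_ac_ok(captured, {"192.168.200.10"}))
```

Because an AP uses whatever AC address option 43 hands it, running advertised_ac_ok against a capture from the AP VLAN is a quick way to confirm that the only DHCP answer reaching the APs points at 192.168.200.10.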