华为 AC+FIT AP 二层组网直接转发

拓扑图

一、交换机设置

<Huawei>sys
[Huawei]sys SW1
[SW1]un in en

[SW1]vlan batch 2 3

# 设置默认VLAN为2
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]p l t
[SW1-GigabitEthernet0/0/1]p t p v 2
[SW1-GigabitEthernet0/0/1]p t a v a

[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]p l t
[SW1-GigabitEthernet0/0/2]p t a v a
[SW1-GigabitEthernet0/0/2]quit

二、AC控制器设置

1、创建VLAN，为AP跟STA配置DHCP

<AC6005>sys
[AC6005]sys AC1
[AC1]un in en

[AC1]vlan batch 2 3

[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]p l t
[AC1-GigabitEthernet0/0/1]p t a v a
[AC1-GigabitEthernet0/0/1]quit

[AC1]dhcp enable

# 配置DHCP为AP分配地址
[AC1]int vlanif 2
[AC1-Vlanif2]ip addr 192.168.2.1 24
[AC1-Vlanif2]dhcp select int
[AC1-Vlanif2]quit

# 配置DHCP为STA分配地址
[AC1]int vlanif 3
[AC1-Vlanif3]ip addr 192.168.3.1 24
[AC1-Vlanif3]dhcp select int
[AC1-Vlanif3]dhcp server dns-list 114.114.114.114
[AC1-Vlanif3]quit

2、创建名为 "empolyee" 的AP组，并引用默认的域管理模板

[AC1]wlan
[AC1-wlan-view]ap-group name employee
[AC1-wlan-ap-group-employee]regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-employee]quit
[AC1-wlan-view]quit

3、配置AC的源接口

[AC1]capwap source interface Vlanif 2

4、以MAC认证方式添加AP，并添加到AP组中

[AC1]wlan
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 0 ap-mac 00E0-FC28-0710
[AC1-wlan-ap-0]ap-name area1
[AC1-wlan-ap-0]ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will
 clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
[AC1-wlan-ap-0]quit

5、创建安全模板，配置安全策略

[AC1-wlan-view]security-profile name employee

# 设置无线密码 "12345678"
[AC1-wlan-sec-prof-employee]security wpa-wpa2 psk pass-phrase 12345678 aes
Warning: The current password is too simple. For the sake of security, you are a
dvised to set a password containing at least two of the following: lowercase let
ters a to z, uppercase letters A to Z, digits, and special characters. Continue?
 [Y/N]:y # 确认
[AC1-wlan-sec-prof-employee]quit

6、创建SSID模板，并配置SSID名称为 "employee"

[AC1-wlan-view]ssid-profile name employee
[AC1-wlan-ssid-prof-employee]ssid employee
[AC1-wlan-ssid-prof-employee]quit

7、创建名VAP模板，配置业务数据转发模式、业务VLAN，并且引用安全模板和SSID模板。

[AC1-wlan-view]vap-profile name employee
[AC1-wlan-vap-prof-employee]forward-mode direct-forward
[AC1-wlan-vap-prof-employee]service-vlan vlan-id 3
[AC1-wlan-vap-prof-employee]security-profile employee
[AC1-wlan-vap-prof-employee]ssid-profile employee
[AC1-wlan-vap-prof-employee]quit

8、配置AP组引用VAP模板

[AC1-wlan-view]ap-group name employee
[AC1-wlan-ap-group-employee]vap-profile employee wlan 1 radio all
[AC1-wlan-ap-group-employee]quit
[AC1-wlan-view]quit

9、配置跟外网上联接口

[AC1]int g0/0/2
[AC1-GigabitEthernet0/0/2]p l a
[AC1-GigabitEthernet0/0/2]p d v 137
[AC1-GigabitEthernet0/0/2]int vlanif 137
[AC1-Vlanif137]ip addr 192.168.137.10 24
[AC1-Vlanif137]quit

# 开启AC控制器WEB管理界面
[AC1]http server enable

# 配置NAT实现上网功能
[AC1]acl 2000
[AC1-acl-basic-2000]rule 5 permit source 192.168.3.0 0.0.0.255
[AC1-acl-basic-2000]int vlanif 137
[AC1-Vlanif137]nat outbound 2000
[AC1-Vlanif137]quit

# 配置DNS
[AC1]dns resolve
[AC1]dns server 114.114.114.114

# 配置默认路由
[AC1]ip route-static 0.0.0.0 0.0.0.0 192.168.137.1

三、测试

1、显示AP状态，成功获取管理VLAN网段的IP

[AC1]dis ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [1]
--------------------------------------------------------------------------------
-------------
ID   MAC            Name  Group    IP            Type            State STA Uptim
e
--------------------------------------------------------------------------------
-------------
0    00e0-fc28-0710 area1 employee 192.168.2.156 AP2050DN        nor   1   27M:2
6S
--------------------------------------------------------------------------------
-------------
Total: 1

2、STA连接AP，输入上面设置的密码 "12345678"

3、STA成功获取业务VLAN网段的IP

四、查看AC管理界面

https://192.168.137.10/??

账号：admin / admin@huawei.com?