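Without further ado, straight to the topology diagram: the AC is attached off-path at Layer 3, and Lo 2.2.2.2 serves as the CAPWAP tunnel interface.
Create the VLANs and VLANIF interfaces on the core switch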
[Huawei]sysname sw1
[sw1]interface Vlanif 10
[sw1-Vlanif10]ip address 192.168.1.1 24 # address for the link to the AR
[sw1-Vlanif10]q
[sw1]int vlanif 172
[sw1-Vlanif172]ip add 172.16.100.1 22 # service VLAN
[sw1-Vlanif172]q
[sw1]interface Vlanif 101
[sw1-Vlanif101]ip ad 10.1.12.1 24 # address for the link to the AC
[sw1]interface Vlanif 100
[sw1-Vlanif100]ip address 10.1.10.1 22 # addresses assigned to the APs
Configure the interface VLANs
[sw1]interface GigabitEthernet 0/0/1
[sw1-GigabitEthernet0/0/1]port link-type access
[sw1-GigabitEthernet0/0/1]port default vlan 10 # link to the router
[sw1-GigabitEthernet0/0/1]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type trunk
[sw1-GigabitEthernet0/0/2]port trunk allow-pass vlan 101 172
# link to the AC
[sw1]interface GigabitEthernet 0/0/3
[sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 172
# link to the access switch
[sw1-GigabitEthernet0/0/3]q
Access switch configuration
[sw2]vlan batch 100 172
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw2]interface Eth0/0/3
[sw2-Ethernet0/0/3]port link-type trunk
[sw2-Ethernet0/0/3]port trunk allow-pass vlan 100 172 # permit all
[sw2-Ethernet0/0/3]int e 0/0/1
[sw2-Ethernet0/0/1]port link-type trunk
[sw2-Ethernet0/0/1]port trunk allow-pass vlan 100 172 # permit the AP and service VLANs
[sw2-Ethernet0/0/1]port trunk pvid vlan 100 # set the port's default VLAN
[sw2]interface Eth0/0/2
[sw2-Ethernet0/0/2]port link-type trunk
[sw2-Ethernet0/0/2]port trunk allow-pass vlan 100 172
[sw2-Ethernet0/0/2]port trunk pvid vlan 100 # same as above
AC basic configuration:
Enter system view, return user view with Ctrl+Z.
[AC6005]vlan batch 101 172
[AC6005]interface Vlanif 101
[AC6005-Vlanif101]ip address 10.1.12.2 24
[AC6005]interface LoopBack 0
[AC6005-LoopBack0]ip address 2.2.2.2 32 # create a loopback as the CAPWAP tunnel source interface
[AC6005]interface GigabitEthernet 0/0/2
[AC6005-GigabitEthernet0/0/2]port link-type trunk
[AC6005-GigabitEthernet0/0/2]port trunk allow-pass vlan 101 172
# permit the VLANs used between the AC and the core. Whether an access port would also work was not tested; readers can try it.
[AC6005-GigabitEthernet0/0/2]q
[AC6005]ping 10.1.12.1
PING 10.1.12.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.12.1: bytes=56 Sequence=1 ttl=255 time=130 ms
# test connectivity over the directly connected interface to verify the configuration
Router configuration
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname ar1
[ar1]interface GigabitEthernet 0/0/1
[ar1-GigabitEthernet0/0/1]ip address 192.168.1.3 24
[ar1-GigabitEthernet0/0/1]q
[ar1]interface LoopBack 0
[ar1-LoopBack0]ip address 1.1.1.1 32 # stands in for the carrier's external network
[ar1-LoopBack0]q
[ar1]ping 192.168.1.1 # test direct-link connectivity
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=100 ms
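Write the return route, because 172.16.100 is the service address range
[ar1]ip route-static 172.16.100.0 255.255.252.0 192.168.1.1
# return route from the external network
Core switch static route configuration
[sw1]ip route-static 2.2.2.2 32 10.1.12.2 # static route to the AC
[sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.1.3 # default route to the external network
[sw1]ping -a 172.16.100.1 1.1.1.1 # test whether the gateway can reach the external network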
PING 1.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time=60 ms
AC route configuration
[AC6005]ip route-static 0.0.0.0 0.0.0.0 10.1.12.1
# the AC's egress route, which also covers the route between the AC and the APs
[AC6005]ping -a 2.2.2.2 172.16.100.1
PING 172.16.100.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.100.1: bytes=56 Sequence=1 ttl=255 time=30 ms
Reply from 172.16.100.1: bytes=56 Sequence=2 ttl=255 time=10 ms
[AC6005]ping -a 2.2.2.2 10.1.10.1
PING 10.1.10.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.10.1: bytes=56 Sequence=1 ttl=255 time=10 ms
[AC6005]ping -a 2.2.2.2 1.1.1.1
PING 1.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
--- 1.1.1.1 ping statistics ---
1 packet(s) transmitted
0 packet(s) received
100.00% packet loss
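# This ping fails because there is only an outbound route and no return route. Adding the following route on AR1 restores connectivity:
ip route-static 2.2.2.2 255.255.255.255 192.168.1.1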
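The missing return route described above can be reproduced offline. The following Python sketch is an added example, not part of the original lab; it models the connected and static routes configured on the AC, sw1 and ar1 (the dictionary layout and function names are assumptions) and checks each leg of a ping with a longest-prefix match.

```python
import ipaddress

# Routing tables transcribed from the lab: (prefix, next hop); None = connected.
ROUTES = {
    "ac": [("10.1.12.0/24", None), ("2.2.2.2/32", None),
           ("0.0.0.0/0", "10.1.12.1")],
    "sw1": [("192.168.1.0/24", None), ("10.1.12.0/24", None),
            ("10.1.8.0/22", None), ("172.16.100.0/22", None),
            ("2.2.2.2/32", "10.1.12.2"), ("0.0.0.0/0", "192.168.1.3")],
    "ar1": [("192.168.1.0/24", None), ("1.1.1.1/32", None),
            ("172.16.100.0/22", "192.168.1.1")],
}
# Device that owns each interface address used in the lab.
OWNER = {"10.1.12.2": "ac", "2.2.2.2": "ac", "10.1.12.1": "sw1",
         "192.168.1.1": "sw1", "172.16.100.1": "sw1", "10.1.10.1": "sw1",
         "192.168.1.3": "ar1", "1.1.1.1": "ar1"}

def next_hop(table, dst):
    """Longest-prefix match. Returns the next hop, dst itself if on-link, or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop or dst)
    return best[1] if best else None

def one_way(routes, src, dst, max_hops=8):
    """Walk hop by hop from the owner of src; True if dst's owner is reached."""
    dev = OWNER[src]
    for _ in range(max_hops):
        if OWNER.get(dst) == dev:
            return True
        hop = next_hop(routes[dev], dst)
        dev = OWNER.get(hop)
        if dev is None:          # no matching route, or unknown next hop
            return False
    return False

def ping_legs(routes, src, dst):
    """(request delivered, reply delivered) for a ping sourced from src."""
    return one_way(routes, src, dst), one_way(routes, dst, src)

# The fix from the text: a host route on ar1 back to the AC loopback.
FIXED = dict(ROUTES, ar1=ROUTES["ar1"] + [("2.2.2.2/32", "192.168.1.1")])

if __name__ == "__main__":
    print(ping_legs(ROUTES, "2.2.2.2", "1.1.1.1"))   # reply leg fails
    print(ping_legs(FIXED, "2.2.2.2", "1.1.1.1"))
```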
Create the address pools
[sw1]ip pool vlan172 # create the service address pool
Info:It's successful to create an IP address pool.
[sw1-ip-pool-vlan172]gateway-list 172.16.100.1
[sw1-ip-pool-vlan172]network 172.16.100.0 mask 22
[sw1-ip-pool-vlan172]excluded-ip-address 172.16.100.2 172.16.100.200
[sw1-ip-pool-vlan172]lease day 0 hour 4
[sw1-ip-pool-vlan172]dns-list 114.114.114.114
[sw1-ip-pool-vlan172]q
[sw1]ip pool vlan100 # create the AP address pool
Info:It's successful to create an IP address pool.
[sw1-ip-pool-vlan100]gateway-list 10.1.10.1
[sw1-ip-pool-vlan100]network 10.1.10.0 mask 22
[sw1-ip-pool-vlan100]option 43 sub-option 3 ascii 2.2.2.2
# Layer 3 deployment: option 43 is required and must carry the source interface address 2.2.2.2
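What the AP receives from this pool is a vendor-specific option 43 payload. The following Python sketch is an added example, not part of the original lab; it assumes the RFC 2132 encapsulated layout (one-byte sub-option code, one-byte length, value) and a comma-separated ASCII list when several AC addresses are given, and its function names are hypothetical. It encodes the value configured above and decodes a captured payload so the advertised AC address can be checked against 2.2.2.2.

```python
import ipaddress

AC_SUB_OPTION = 3  # sub-option used in the pool above (ASCII AC address list)

def encode_option43(ac_addrs, sub_option=AC_SUB_OPTION):
    """Build the option 43 payload: one TLV whose value is ASCII text."""
    text = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addrs)
    value = text.encode("ascii")
    if len(value) > 255:
        raise ValueError("sub-option value exceeds 255 bytes")
    return bytes([sub_option, len(value)]) + value

def decode_option43(payload):
    """Split a payload into {sub_option: value}; reject truncated TLVs."""
    fields, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d claims %d bytes, %d present"
                             % (code, length, len(value)))
        fields[code] = value
        i += 2 + length
    return fields

def ac_addresses(payload):
    """Return the AC addresses carried in sub-option 3, validated as IPv4."""
    raw = decode_option43(payload).get(AC_SUB_OPTION)
    if raw is None:
        return []
    return [str(ipaddress.IPv4Address(p.strip()))
            for p in raw.decode("ascii").split(",")]

def offer_matches(payload, expected=("2.2.2.2",)):
    """True only if the offer advertises exactly the expected AC address list."""
    return ac_addresses(payload) == list(expected)

if __name__ == "__main__":
    wire = encode_option43(["2.2.2.2"])
    print(wire.hex(), ac_addresses(wire), offer_matches(wire))
```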
Enable DHCP
[sw1]dhcp enable
[sw1]interface Vlanif 172
[sw1-Vlanif172]dhcp select global # use the global address pool mode
[sw1]interface Vlanif 100
[sw1-Vlanif100]dhcp select global # use the global address pool mode
[sw1]ping -a 10.1.10.1 2.2.2.2
PING 2.2.2.2: 56 data bytes, press CTRL_C to break
Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=30 ms
Begin the AP onboarding configuration:
# set lo0 as the CAPWAP tunnel source interface
[AC6005]capwap source interface LoopBack 0
Create the AP group
[AC6005-wlan-view]ap-group name zhuzige
Info: This operation may take a few seconds. Please wait for a moment.done.
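[AC6005-wlan-view]ap auth-mode mac-auth # three AP authentication modes: no authentication, MAC authentication, SN authentication
[AC6005-wlan-view]ap-mac 00E0-FCAA-19E0 # this command can also be written as ap ap-id x ap-mac xxxx-xxxx-xxxx to assign the AP's ID, which makes it easy to match the CAD site-layout drawing
[AC6005-wlan-ap-0]ap-name fool-1 # set the AP name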
[AC6005-wlan-ap-0]display this
#
ap-name fool-1
[AC6005-wlan-ap-0]ap-group zhuzige # join the AP group so settings can be applied per group, e.g. manually configuring a VIP area
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC6005-wlan-ap-0]q
[AC6005-wlan-view]ap-mac 00E0-FC0A-2590
[AC6005-wlan-ap-1]ap-name fool-2
[AC6005-wlan-ap-1]ap-group zhuzige
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC6005]dis ap all # check whether the APs in the group are online
[AC6005]dis ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
idle : idle [1]
nor : normal [1]
--------------------------------------------------------------------------------
----------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
----------
0 00e0-fcaa-19e0 fool-1 zhuzige - - idle 0 -
1 00e0-fc0a-2590 fool-2 zhuzige - - idle 0 -
--------------------------------------------------------------------------------
----------
Total: 2
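This step produced no result for a long time. I suspected the cause was that no gratuitous ARP had been received and spent a long time troubleshooting. At first I suspected that DHCP had not been enabled successfully, but a simulator PC was able to obtain an address, which ruled out a DHCP problem.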
[sw1]display ip pool name vlan100
Pool-name : vlan100
Pool-No : 1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
Option-code : 43
Option-subcode : 3
Option-type : ascii
Option-value : 2.2.2.2
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.10.1
Mask : 255.255.252.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.8.1 10.1.11.254 1021 3 1018(0) 0 0
Finally I tried pinging the addresses that DHCP had handed out, and it worked again. I am not sure whether eNSP was the cause.
[AC6005]ping -a 2.2.2.2 10.1.11.253
PING 10.1.11.253: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Reply from 10.1.11.253: bytes=56 Sequence=4 ttl=254 time=60 ms
--- 10.1.11.253 ping statistics ---
4 packet(s) transmitted
1 packet(s) received
75.00% packet loss
round-trip min/avg/max = 60/60/60 ms
[AC6005]ping -a 2.2.2.2 10.1.11.252
PING 10.1.11.252: 56 data bytes, press CTRL_C to break
Reply from 10.1.11.252: bytes=56 Sequence=1 ttl=127 time=60 ms
Reply from 10.1.11.252: bytes=56 Sequence=2 ttl=127 time=60 ms
Reply from 10.1.11.252: bytes=56 Sequence=3 ttl=127 time=60 ms
--- 10.1.11.252 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/60/60 ms
--- 10.1.11.251 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[AC6005]ping -a 2.2.2.2 10.1.11.254
PING 10.1.11.254: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.1.11.254: bytes=56 Sequence=2 ttl=254 time=60 ms
Reply from 10.1.11.254: bytes=56 Sequence=3 ttl=254 time=60 ms
Reply from 10.1.11.254: bytes=56 Sequence=4 ttl=254 time=70 ms
--- 10.1.11.254 ping statistics ---
4 packet(s) transmitted
3 packet(s) received
25.00% packet loss
round-trip min/avg/max = 60/63/70 ms
As shown, the AP came online and is in the nor state
[AC6005]dis ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
idle : idle [1]
nor : normal [1]
--------------------------------------------------------------------------------
----------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
----------
0 00e0-fcaa-19e0 fool-1 zhuzige - - idle 0 -
1 00e0-fc0a-2590 fool-2 zhuzige 10.1.11.253 AP4030TN nor 0 11S
--------------------------------------------------------------------------------
----------
Total: 2
[AC6005]dis ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------
----------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
----------
0 00e0-fcaa-19e0 fool-1 zhuzige 10.1.11.254 AP4030TN nor 0 4S
1 00e0-fc0a-2590 fool-2 zhuzige 10.1.11.253 AP4030TN nor 0 20S
--------------------------------------------------------------------------------
----------
Total: 2
[AC6005]
-----------------------------------------------------------------------------
Begin configuring the profiles
First create the VAP profile
[AC6005-wlan-view]vap-profile name zhuzige
Create the security profile
[AC6005-wlan-view]security-profile name zhuzige
[AC6005-wlan-sec-prof-zhuzige]security wpa-wpa2 psk pass-phrase zhuzige123 aes
# use a pre-shared key with AES encryption
# create the SSID profile
[AC6005-wlan-view]ssid-profile name zhuzige
[AC6005-wlan-ssid-prof-zhuzige]ssid zhuzige
Bind the security profile and the SSID profile to the VAP profile
[AC6005-wlan-view]vap-profile name zhuzige
[AC6005-wlan-vap-prof-zhuzige]security-profile zhuzige
[AC6005-wlan-vap-prof-zhuzige]ssid-profile zhuzige
[AC6005-wlan-vap-prof-zhuzige]display this
#
ssid-profile zhuzige
security-profile zhuzige
Set the forwarding mode and the service VLAN in the VAP profile
[AC6005-wlan-view]vap-profile name zhuzige
[AC6005-wlan-vap-prof-zhuzige]service-vlan vlan-id 172
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-vap-prof-zhuzige]forward-mode direct-forward
[AC6005-wlan-vap-prof-zhuzige]display this
#
service-vlan vlan-id 172
ssid-profile zhuzige
security-profile zhuzige
#
Return
Create the regulatory domain profile and set the country code for the radios.
[AC6005-wlan-view]regulatory-domain-profile name zhuzige
[AC6005-wlan-regulate-domain-zhuzige]country-code CN
Info: The current country code is same with the input country code.
Enter the AP group
[AC6005-wlan-view]ap-group name zhuzige
[AC6005-wlan-ap-group-zhuzige]regulatory-domain-profile zhuzige # bind the regulatory domain profile
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC6005-wlan-ap-group-zhuzige]vap-profile zhuzige wlan 1 radio all # bind the VAP profile and enable the signal on both bands
[AC6005-wlan-ap-group-zhuzige]Info: This operation may take a few seconds, please wait...done.
[AC6005-wlan-view]display vap ssid zhuzige # check whether the APs are broadcasting the signal.
Check the AP signal and whether the password is correct