实验三 WLAN旁路二层隧道转发
一、实验目的
(1)掌握使用华为eNSP,完成二层直连旁路方式的AC组网,业务数据隧道转发。
(2)掌握数据抓包分析的方法。
二、实验步骤
1、在eNSP中用路由器AR3260、S5700、AC6005、AP6050和STA构建如下的网络拓扑。用网线连接AR3260的GE0/0/0和S5700的GE0/0/1,用网线连接AC6005的GE0/0/2和S5700的GE0/0/2, 用网线连接AP6050的GE0/0/0和S5700的GE0/0/3。启动所有设备。
2、AR3260的配置
sy
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/2]ip add 192.168.1.1 30
[Huawei-GigabitEthernet0/0/2]int l0 进入环回口
[Huawei-LoopBack0]ip address 1.1.1.1 32 配置外网地址
[Huawei-LoopBack0]q
[Huawei]ip route-static 192.168.101.0 255.255.255.0 192.168.1.2
3、S5700配置
sys
[Huawei]sysname S5700
[S5700]vlan 200
[S5700-vlan200]int vlan 200 做上行口vlan
[S5700-Vlanif200]ip address 192.168.1.2 30 配置上行口IP
[S5700-Vlanif200]q
[S5700]int g0/0/1
[S5700-GigabitEthernet0/0/1]port hybrid pvid vlan 200
[S5700-GigabitEthernet0/0/1]port hybrid untagged vlan 200
[S5700-GigabitEthernet0/0/1]q
[S5700]dhcp enable
[S5700]vlan 101
[S5700-vlan101]int vla 101
[S5700-Vlanif101]ip add 192.168.101.1 24
[S5700-Vlanif101]dhcp select interface
[S5700-Vlanif101]dhcp server dns-list 8.8.8.8
[S5700]vlan batch 100 101
[S5700]int g0/0/3
[S5700-GigabitEthernet0/0/3]port link-type trunk
[S5700-GigabitEthernet0/0/3]port trunk pvid vlan 100
[S5700-GigabitEthernet0/0/3]port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/2]int g0/0/2
[S5700-GigabitEthernet0/0/2]port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk pvid vlan 100
[S5700-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101
[S5700-GigabitEthernet0/0/2]q
[S5700]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 4、AC6005配置
VLAN及接口配置
sys
[AC01]sysname AC6005
[AC6005]dhcp enable 开启dhcp
[AC6005]vlan 100
[AC6005-vlan100]int vlan 100 做管理vlan
[AC6005-Vlanif100]ip address 192.168.100.1 24
[AC6005-Vlanif100]dhcp select interface
[AC6005-Vlanif100]q
[AC6005]vlan 101
[AC6005-vlan101]q
[AC6005]int g0/0/2
[AC6005-GigabitEthernet0/0/2]port link-type trunk
[AC6005-GigabitEthernet0/0/2]port trunk pvid vlan 100
[AC6005-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101
[AC6005-GigabitEthernet0/0/2]q 创建AP组及域管理模板,配置AC国家码
[AC6005]WLAN
[AC6005-wlan-view]ap-group name network2002 //配置AP组名
[AC6005-wlan-view]regulatory-domain-profile name default
[AC6005-wlan-regulate-domain-default]country-code CN
[AC6005-wlan-regulate-domain-default]q
[AC6005-wlan-view]ap-group name network2002
[AC6005-wlan-ap-group-ap-1]regulatory-domain-profile default配置AC的源接口
[AC6005]capwap source interface Vlanif 100AC上离线导入AP(AP6050)
[AC6005]wlan
[AC6005-wlan-view]ap auth-mode mac-auth[AC6005-wlan-view]display ap-type all
[AC6005-wlan-view] ap-id 0 type-id 56 ap-mac 00E0-FCAC-2420
[AC6005-wlan-ap-0]ap-name lin
[AC6005-wlan-ap-0]ap-group network2002查看AP上线
[AC6005]display ap all
配置WLAN业务参数
创建安全模板及策略
[AC6005-wlan-view]security-profile name WLAN //创建安全模板
[AC6005-wlan-sec-prof-WLAN]security wpa-wpa2 psk pass-phrase l12345678 aes//创建WPA-WPA2+PSK+AES的安全策略
[AC6005-wlan-sec-prof-WLAN]q创建名为WLAN的SSID模板,配置SSID为wifi
[AC6005-wlan-view]ssid-profile name WLAN
[AC6005-wlan-ssid-prof-WLAN]ssid wifi创建VAP模板及业务VLAN转发模式并引用安全模板SSID
[AC6005-wlan-view]vap-profile name WLAN
[AC6005-wlan-vap-prof-WLAN]forward-mode tunnel
[AC6005-wlan-vap-prof-WLAN]service-vlan vlan-id 101
[AC6005-wlan-vap-prof-WLAN]security-profile WLAN
[AC6005-wlan-vap-prof-WLAN]ssid-profile WLAN配置AP组引用VAP模板,AP射频1和0使用VAP WLAN模板
[AC6005-wlan-view]ap-group name network2002
[AC6005-wlan-ap-group-ap-1]vap-profile WLAN wlan 1 radio 0
[AC6005-wlan-ap-group-ap-1]vap-profile WLAN wlan 1 radio 1查看VAP模板信息
[AC6005]display vap ssid wifi
五、测试验证
STA1上连接名称为WLAN的无线局域网。
终端输入密码后可以获取ip地址,和外部网络通信正常。输入ipconfig查看STA获得的IP地址和DNS地址是否与配置一致。
测试与外网的联通性。
在AC6005的GE0/0/2端口进行抓包分析,验证数据报文和控制报文的转发方式。
数据报文(直接转发)
控制报文(隧道转发)
