华为配置STA双栈业务覆盖业务示例
配置STA双栈业务覆盖业务示例
组网图形
图1 配置STA双栈业务示例组网图
业务需求
企业用户接入WLAN网络,以满足移动办公的最基本需求。且在覆盖区域内移动发生漫游时,不影响用户的业务使用。AC上同时配置IPV4和IPV6双协议栈,用户可以根据网络需要选用不同的协议栈访问网络。
组网需求
- AC组网方式:直连二层组网。
- DHCP部署方式:AC作为DHCP服务器为AP和STA分配IP地址。
- 业务数据转发方式:隧道转发。
数据规划
| 配置项 |
数据 |
|---|---|
| DHCP服务器 |
AC作为DHCP服务器为STA和AP分配IP地址 |
| AP的IP地址池 |
FC01::/64 |
| STA的IP地址池 |
IPv4地址池:10.23.101.2~10.23.101.254/24 IPv6地址池:FC02::/64 |
| AC的源接口IP地址 |
VLANIF100:FC01::1/64 |
| AP组 |
|
| 域管理模板 |
|
| SSID模板 |
|
| 安全模板 |
|
| VAP模板 |
|
配置思路
- 配置AP、AC和周边网络设备之间实现网络互通。
- 在AC上配置DHCPv6服务器为AP分配IP地址,配置DHCPv6和DHCPv4服务器为STA分配IP地址。
- 配置AP上线。
- 创建AP组,用于将需要进行相同配置的AP都加入到AP组,实现统一配置。
- 配置AC的系统参数,包括国家码、AC与AP之间通信的源接口。
- 配置AP上线的认证方式并离线导入AP,实现AP正常上线。
- 配置WLAN业务参数,实现STA访问WLAN网络功能。
配置注意事项
-
纯组播报文由于协议要求在无线空口没有ACK机制保障,且无线空口链路不稳定,为了纯组播报文能够稳定发送,通常会以低速报文形式发送。如果网络侧有大量异常组播流量涌入,则会造成无线空口拥堵。为了减小大量低速组播报文对无线网络造成的冲击,建议配置组播报文抑制功能。配置前请确认是否有组播业务,如果有,请谨慎配置限速值。
- 业务数据转发方式采用直接转发时,建议在直连AP的交换机接口上配置组播报文抑制。
- 业务数据转发方式采用隧道转发时,建议在AC的流量模板下配置组播报文抑制。
-
建议在与AP直连的设备接口上配置端口隔离,如果不配置端口隔离,尤其是业务数据转发方式采用直接转发时,可能会在VLAN内形成大量不必要的广播报文,导致网络阻塞,影响用户体验。
-
隧道转发模式下,管理VLAN和业务VLAN不能配置为同一VLAN,且AP和AC之间只能放通管理VLAN,不能放通业务VLAN。
- V200R021C00版本开始,配置CAPWAP源接口或源地址时,会检查和安全相关的配置是否已存在,包括DTLS加密的PSK、AC间DTLS加密的PSK、登录AP的用户名和密码、全局离线管理VAP的登录密码,均已存在才能成功配置,否则会提示用户先完成相关的配置。
- V200R021C00版本开始,AC默认开启CAPWAP控制隧道的DTLS加密功能。开启该功能,添加AP时AP会上线失败,此时需要先开启CAPWAP DTLS不认证方式(capwap dtls no-auth enable)让AP上线,以便AP获取安全凭证,AP上线后应及时关闭该功能(undo capwap dtls no-auth enable),避免未授权AP上线。
操作步骤
- 配置周边设备
# 配置接入交换机SwitchA的GE0/0/1和GE0/0/2接口加入VLAN100,GE0/0/1的缺省VLAN为VLAN100。
system-view [HUAWEI] sysname SwitchA [SwitchA] vlan batch 100 [SwitchA] interface gigabitethernet 0/0/1 [SwitchA-GigabitEthernet0/0/1] port link-type trunk [SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100 [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 [SwitchA-GigabitEthernet0/0/1] port-isolate enable [SwitchA-GigabitEthernet0/0/1] quit [SwitchA] interface gigabitethernet 0/0/2 [SwitchA-GigabitEthernet0/0/2] port link-type trunk [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 [SwitchA-GigabitEthernet0/0/2] quit # 配置Router的接口GE1/0/0加入VLAN101,创建接口VLANIF101并配置IPv4地址为10.23.101.2/24,IPv6地址为FC02::2/64。system-view [Huawei] sysname Router [Router] ipv6 [Router] vlan batch 101 [Router] interface gigabitethernet 1/0/0 [Router-GigabitEthernet1/0/0] port link-type trunk [Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 [Router-GigabitEthernet1/0/0] quit [Router] interface vlanif 101 [Router-Vlanif101] ip address 10.23.101.2 24 [Router-Vlanif101] ipv6 enable [Router-Vlanif101] ipv6 address fc02::2/64 [Router-Vlanif101] quit - 配置AC与其它网络设备互通
如果AC直接连接AP,需要在AC直连AP的接口上配置缺省VLAN为管理VLAN100。
# 配置AC的接口GE0/0/1加入VLAN100,GE0/0/2加入VLAN101。system-view [HUAWEI] sysname AC [AC] vlan batch 100 101 [AC] interface gigabitethernet 0/0/1 [AC-GigabitEthernet0/0/1] port link-type trunk [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 [AC-GigabitEthernet0/0/1] quit [AC] interface gigabitethernet 0/0/2 [AC-GigabitEthernet0/0/2] port link-type trunk [AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 [AC-GigabitEthernet0/0/2] quit - 配置DHCP服务器为STA和AP分配IP地址
# 在AC上配置VLANIF100接口为AP提供IP地址。
[AC] ipv6 [AC] dhcp enable [AC] dhcpv6 pool ap_pool [AC-dhcpv6-pool-ap_pool] address prefix fc01::/64 [AC-dhcpv6-pool-ap_pool] quit [AC] interface vlanif 100 [AC-Vlanif100] ipv6 enable [AC-Vlanif100] ipv6 address fc01::1/64 [AC-Vlanif100] undo ipv6 nd ra halt [AC-Vlanif100] ipv6 nd autoconfig managed-address-flag [AC-Vlanif100] ipv6 nd autoconfig other-flag [AC-Vlanif100] dhcpv6 server ap_pool [AC-Vlanif100] quit# 配置VLANIF101接口下的DHCPv4服务器和DHCPv6服务器为STA提供IP地址。DNS服务器地址请根据实际需要配置。常用配置方法如下:-
对于IPv4
- 接口地址池场景,需要在VLANIF接口视图下执行命令dhcp server dns-list ip-address &<1-8>。
- 全局地址池场景,需要在IP地址池视图下执行命令dns-list ip-address &<1-8>。
-
对于IPv6
在IPv6地址池视图下执行命令dns-server ipv6-address。
[AC] dhcpv6 pool sta_pool [AC-dhcpv6-pool-sta_pool] address prefix fc02::/64 [AC-dhcpv6-pool-sta_pool] quit [AC] interface vlanif 101 [AC-Vlanif101] ipv6 enable [AC-Vlanif101] ip address 10.23.101.1 24 [AC-Vlanif101] dhcp select interface [AC-Vlanif101] ipv6 address fc02::1/64 [AC-Vlanif101] undo ipv6 nd ra halt [AC-Vlanif101] ipv6 nd autoconfig managed-address-flag [AC-Vlanif101] ipv6 nd autoconfig other-flag [AC-Vlanif101] dhcpv6 server sta_pool [AC-Vlanif101] quit -
- 配置AP上线
# 创建AP组,用于将相同配置的AP都加入同一AP组中。
[AC] wlan [AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] quit# 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。[AC-wlan-view] regulatory-domain-profile name default [AC-wlan-regulate-domain-default] country-code cn [AC-wlan-regulate-domain-default] quit [AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] regulatory-domain-profile default Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y [AC-wlan-ap-group-ap-group1] quit [AC-wlan-view] quit# 配置AC的源接口。[AC] capwap ipv6 enable [AC] capwap source interface vlanif 100# 在AC上离线导入AP,并将AP加入AP组“ap-group1”中。假设AP的MAC地址为60de-4476-e360,并且根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为60de-4476-e360的AP部署在1号区域,命名此AP为area_1。ap auth-mode命令缺省情况下为MAC认证,如果之前没有修改其缺省配置,可以不用执行ap auth-mode mac-auth。
举例中使用的AP为AP5030DN,具有射频0和射频1两个射频。AP5030DN的射频0为2.4GHz射频,射频1为5GHz射频。
[AC] wlan [AC-wlan-view] ap auth-mode mac-auth [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360 [AC-wlan-ap-0] ap-name area_1 Warning: This operation may cause AP reset. Continue? [Y/N]:y [AC-wlan-ap-0] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y [AC-wlan-ap-0] quit# 将AP上电后,当执行命令display ap all查看到AP的“State”字段为“nor”时,表示AP正常上线。
[AC-wlan-view] display ap all Total AP information: nor : normal [1] ------------------------------------------------------------------------------ ID MAC Name Group IP Type State STA Uptime ------------------------------------------------------------------------------ 0 60de-4476-e360 area_1 ap-group1 FC01::3 AP5030DN nor 0 27S ------------------------------------------------------------------------------ Total: 1 - 配置WLAN业务参数
# 开启设备处理STA IPv6业务的功能。
[AC-wlan-view] sta-ipv6-service enable# 创建名为“wlan-net”的安全模板,并配置安全策略。举例中以配置WPA-WPA2+PSK+AES的安全策略为例,密码为“a1234567”,实际配置中请根据实际情况,配置符合实际要求的安全策略。
[AC-wlan-view] security-profile name wlan-net [AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes [AC-wlan-sec-prof-wlan-net] quit# 创建名为“wlan-net”的SSID模板,并配置SSID名称为“wlan-net”。[AC-wlan-view] ssid-profile name wlan-net [AC-wlan-ssid-prof-wlan-net] ssid wlan-net [AC-wlan-ssid-prof-wlan-net] quit# 创建名为“wlan-net”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。[AC-wlan-view] vap-profile name wlan-net [AC-wlan-vap-prof-wlan-net] forward-mode tunnel [AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101 [AC-wlan-vap-prof-wlan-net] security-profile wlan-net [AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net [AC-wlan-vap-prof-wlan-net] quit# 配置AP组引用VAP模板,AP上射频0和射频1都使用VAP模板“wlan-net”的配置。[AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0 [AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1 [AC-wlan-ap-group-ap-group1] quit - 配置AP射频的信道和功率
射频的信道和功率自动调优功能默认开启,如果不关闭此功能则会导致手动配置不生效。举例中AP射频的信道和功率仅为示例,实际配置中请根据AP的国家码和网规结果进行配置。
# 关闭AP射频0的信道和功率自动调优功能,并配置AP射频0的信道和功率。[AC-wlan-view] ap-id 0 [AC-wlan-ap-0] radio 0 [AC-wlan-radio-0/0] calibrate auto-channel-select disable [AC-wlan-radio-0/0] calibrate auto-txpower-select disable [AC-wlan-radio-0/0] channel 20mhz 6 Warning: This action may cause service interruption. Continue?[Y/N]y [AC-wlan-radio-0/0] eirp 127 [AC-wlan-radio-0/0] quit# 关闭AP射频1的信道和功率自动调优功能,并配置AP射频1的信道和功率。[AC-wlan-ap-0] radio 1 [AC-wlan-radio-0/1] calibrate auto-channel-select disable [AC-wlan-radio-0/1] calibrate auto-txpower-select disable [AC-wlan-radio-0/1] channel 20mhz 149 Warning: This action may cause service interruption. Continue?[Y/N]y [AC-wlan-radio-0/1] eirp 127 [AC-wlan-radio-0/1] quit [AC-wlan-ap-0] quit - 验证配置结果
WLAN业务配置会自动下发给AP,配置完成后,通过执行命令display vap ssid wlan-net查看如下信息,当“Status”项显示为“ON”时,表示AP对应的射频上的VAP已创建成功。
[AC-wlan-view] display vap ssid wlan-net WID : WLAN ID -------------------------------------------------------------------------------- AP ID AP name RfID WID BSSID Status Auth type STA SSID -------------------------------------------------------------------------------- 0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net 0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net ------------------------------------------------------------------------------- Total: 2STA搜索到名为“wlan-net”的无线网络,输入密码“a1234567”并正常关联后,在AC上执行display station ssid wlan-net命令,可以查看到用户已经接入到无线网络“wlan-net”中。[AC-wlan-view] display station ssid wlan-net Rf/WLAN: Radio ID/WLAN ID Rx/Tx: link receive rate/link transmit rate(Mbps) --------------------------------------------------------------------------------------------------------------------- STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IPv4 address IPv6 address --------------------------------------------------------------------------------------------------------------------- 14cf-9202-13dc 0 area_1 0/1 2.4G 11n 5/1 -62 101 10.23.101.254 FC02::546E:C25C:F4C7:B2AD --------------------------------------------------------------------------------------------------------------------- Total: 1 2.4G: 1 5G: 0
配置文件
-
SwitchA的配置文件
# sysname SwitchA # vlan batch 100 # interface GigabitEthernet0/0/1 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 port-isolate enable group 1 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 100 # return -
Router的配置文件
# sysname Router # ipv6 # vlan batch 101 # interface Vlanif101 ipv6 enable ip address 10.23.101.2 255.255.255.0 ipv6 address FC02::2/64 # interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 101 # return -
AC的配置文件
# sysname AC # ipv6 # vlan batch 100 to 101 # dhcp enable # dhcpv6 pool ap_pool address prefix FC01::/64 # dhcpv6 pool sta_pool address prefix FC02::/64 # interface Vlanif100 ipv6 enable ipv6 address FC01::1/64 undo ipv6 nd ra halt ipv6 nd autoconfig managed-address-flag ipv6 nd autoconfig other-flag dhcpv6 server ap_pool # interface Vlanif101 ipv6 enable ip address 10.23.101.1 255.255.255.0 ipv6 address FC02::1/64 undo ipv6 nd ra halt ipv6 nd autoconfig managed-address-flag ipv6 nd autoconfig other-flag dhcp select interface dhcpv6 server sta_pool # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 101 # capwap ipv6 enable capwap source interface vlanif100 # wlan sta-ipv6-service enable security-profile name wlan-net security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net forward-mode tunnel service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 radio 0 channel 20mhz 6 eirp 127 calibrate auto-channel-select disable calibrate auto-txpower-select disable radio 1 channel 20mhz 149 eirp 127 calibrate auto-channel-select disable calibrate auto-txpower-select disable # return