H3C AC+FIT完全设置

路由器: H3C MSR20-20 

AC:  H3C WX3024E

AP :2210-AG

       用户采用PON线路,动态分配地址,无固定IP,每月1088元,如果带有固定IP,则需要每月7088元,采用较经济的方式,每次用户查询ip138得到公网IP后远程管理。

      MSR上做PPPoE拨号,建立2个VLAN,一个给内部使用,一个给访客,用访问控制列表(ACL)对这两个VLAN做隔离。

具体配置如下:

#
 firewall enable      必须启用,否则ACL不起作用

#
 domain default enable system
#
 telnet server enable    也必须开启(远程管理要用到;telnet为明文协议,经公网管理时应限制可登录的源地址)
#
 dar p2p signature-file flash:/p2p_default.mtd
#
 port-security enable
#
acl number 3000
 rule 0 permit ip source 10.20.0.0 0.0.255.255       内部用VLAN 
 rule 1 permit ip source 10.30.30.0 0.0.0.255         访客用VLAN
acl number 3002
 rule 0 deny ip source 10.20.0.0 0.0.255.255 destination 10.30.30.0 0.0.0.255   拦截内部→访客方向的报文。注意该规则的源是内部网段、目的是访客网段,访客→内部方向的报文不会被它匹配(只能靠回程报文被拦截来间接阻断);若要真正禁止访客访问内部网络,还需一条源为10.30.30.0 0.0.0.255、目的为10.20.0.0 0.0.255.255的deny规则
#
vlan 1
#
vlan 3
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password XXXXXXXXXXXXXXXXX

 authorization-attribute level 3
 service-type telnet
 service-type web
local-user XXXXX

 password   XXXXXXXXXXXXXXXXXXX

 authorization-attribute level 3
 service-type telnet
 service-type web
#
cwmp
 undo cwmp enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Dialer1
 nat outbound 3000
 link-protocol ppp
 ppp chap user  ADXXXXXXXX

 ppp chap password  XXXXXXXXXX

 ppp pap local-user adXXXXXX   password SIMPLE  XXXXXXXXX

 ip address ppp-negotiate
 dialer user adXXXXXXX
 dialer-group 1
 dialer bundle 1
#
interface Ethernet0/0
 port link-mode route       内部接口
#
interface Ethernet0/0.20           在MSR的路由口上,VLAN需通过dot1q子接口的方式创建
 vlan-type dot1q vid 2
 ip address 10.20.0.254 255.255.0.0
#
interface Ethernet0/0.30
 vlan-type dot1q vid 3
 firewall packet-filter 3002 inbound
 firewall packet-filter 3002 outbound
 ip address 10.30.30.254 255.255.255.0
#
interface Ethernet0/1
 port link-mode route
 pppoe-client dial-bundle-number 1
#
interface NULL0
#
interface Vlan-interface1
#
 ip route-static 0.0.0.0 0.0.0.0 Dialer1       默认静态路由,出接口指向Dialer1
#
 load xml-configuration
#
 load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#

接下来是AC控制器

尽量通过Web界面进行配置,下面只是命令行显示出来的结果

总体思路:在AC上开启2个VLAN的DHCP服务

#
 telnet server enable
#
 port-security enable
#
 oap management-ip 192.168.0.101 slot 0
#
 wlan auto-ap enable
#
vlan 1
#
vlan 2
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
dhcp server ip-pool poolvlan1                  管理vlan
 network 192.168.0.0 mask 255.255.255.0
#
dhcp server ip-pool poolvlan2          内部VLAN
 network 10.20.0.0 mask 255.255.0.0
 gateway-list 10.20.0.254
 dns-list 202.96.209.5 8.8.8.8
#
dhcp server ip-pool poolvlan3       访客vlan
 network 10.30.30.0 mask 255.255.255.0
 gateway-list 10.30.30.254
 dns-list 202.96.209.5 8.8.8.8
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password 

 authorization-attribute level 3
 service-type telnet
 service-type web
#
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
 load-balance session 15
#
wlan radio-policy 1025
#
wlan radio-policy 1537
#
wlan radio-policy 1793
#
wlan radio-policy 2049
#
wlan radio-policy 2305
#
wlan service-template 1 crypto
 ssid   XXXXX

 bind WLAN-ESS 0
 cipher-suite tkip
 security-ie rsn
 service-template enable
#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan all
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface2
 ip address 10.20.0.250 255.255.0.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
#
interface WLAN-ESS0
 port link-type hybrid
 port hybrid vlan 1 to 2 untagged
 port hybrid pvid vlan 2
 mac-vlan enable
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase


interface WLAN-ESS1
 port link-type hybrid
 port hybrid vlan 1 untagged
#
wlan ap ap-1 model WA2210-AG id 2
 serial-id 

 radio 1
  radio-policy 513
  service-template 1 vlan-id 2
  radio enable
#
wlan ap ap-10 model WA2210-AG id 9
 serial-id 210235A0HTB118000791
 radio 1
  radio-policy 2305
  service-template 1 vlan-id 2
  radio enable
#
wlan ap ap-11 model WA2210-AG id 10
 serial-id 210235A0HTC118000273
 radio 1
  radio-policy 2561
  service-template 1 vlan-id 2
  radio enable
#
wlan ap ap-16 model WA2210-AG id 12
 serial-id 210235A0HTB118001313
 radio 1
  radio-policy 3073
  service-template 1 vlan-id 2
  radio enable
#
wlan ap auto-ap model WA2210-AG id 5
 serial-id auto
 radio 1
#
wlan load-balance-group 1     负载均衡
 description 26
 ap ap-4 radio 1
 ap ap-3 radio 1
 ap ap-2 radio 1
#
wlan load-balance-group 2
 description 27
 ap ap-9 radio 1
 ap ap-8 radio 1
 ap ap-11 radio 1
 ap ap-10 radio 1
#
wlan load-balance-group 3
 description 28
 ap ap-14 radio 1
 ap ap-13 radio 1
#
 ip route-static 0.0.0.0 0.0.0.0 10.20.0.254
#
 dhcp enable
#
 arp-snooping enable
#
 load xml-configuration
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#

telnet到AC上后,执行 oap connect slot 0 可以切换到交换引擎,下面是交换引擎上的配置

dhcp server ip-pool swpoolvlan3
 network 10.30.30.0 mask 255.255.255.0
 gateway-list 10.30.30.254
 dns-list 202.96.209.5 8.8.8.8
#

interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan all
#

interface Vlan-interface3
 ip address 10.30.30.251 255.255.255.0
#
interface GigabitEthernet1/0/1
 poe enable
#
interface GigabitEthernet1/0/2
 poe enable
#
interface GigabitEthernet1/0/22         此接口接FAT AP
 port access vlan 3
 poe enable
#
interface GigabitEthernet1/0/23        此接口为上联接口
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/24
 port link-type trunk
 port trunk permit vlan all
#

interface GigabitEthernet1/0/29         与AC内部相连的接口,放行所有VLAN
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
#
interface GigabitEthernet1/0/30
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
#
