华为配置WLAN AC和AP之间VPN穿越示例

配置WLAN AC和AP之间VPN穿越示例

组网图形

图1 配置WLAN AC和AP之间VPN穿越示例组网图
  • 业务需求
  • 组网需求
  • 数据规划
  • 配置思路
  • 配置注意事项
  • 操作步骤
  • 配置文件
业务需求

企业用户接入WLAN网络,以满足移动办公的最基本需求。且在覆盖区域内移动发生漫游时,不影响用户的业务使用。

AP位于企业分部,AC位于企业总部,管理员希望所有AP均由AC统一管理,且希望对分支和总部之间相互访问的流量进行安全保护,因此在分支网关和总部网关之间建立一个IPSec隧道来实施安全保护。

组网需求
  • AC组网方式:AC位于企业总部,AP位于企业分支,在AC和AP间配置IPSec隧道。
  • DHCP部署方式:Router_1作为DHCP服务器为STA和AP分配IP地址。
  • 业务数据转发方式:直接转发。
配置思路
  1. 配置AP、AC和周边网络设备之间实现网络互通。
  2. 配置IPSec用于建立IPSec隧道。
    1. 配置接口的IP地址和到对端的静态路由,保证两端路由可达。

    2. 配置ACL,以定义需要IPSec保护的数据流。

    3. 配置IPSec安全提议,定义IPSec的保护方法。

    4. 配置IKE对等体,定义对等体间IKE协商时的属性。

    5. 配置安全策略,并引用ACL、IPSec安全提议和IKE对等体,确定对何种数据流采取何种保护方法。

    6. 在接口上应用安全策略组,使接口具有IPSec的保护功能。

  3. 配置AP上线。
    1. 创建AP组,用于将需要进行相同配置的AP都加入到AP组,实现统一配置。
    2. 配置AC的系统参数,包括国家码、AC与AP之间通信的源接口。
    3. 配置AP上线的认证方式并离线导入AP,实现AP正常上线。
  4. 配置WLAN业务参数,实现STA访问WLAN网络功能。
配置注意事项
操作步骤
  1. 配置周边设备

    # 配置Switch的GE0/0/1、GE0/0/2加入VLAN100、VLAN101,GE0/0/1的缺省VLAN为VLAN100。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><HUAWEI> <strong id="ZH-CN_TASK_0176912374__b214275661190921">system-view</strong>
    [HUAWEI] <strong id="ZH-CN_TASK_0176912374__b1865000890190921">sysname Switch</strong>
    [Switch] <strong id="ZH-CN_TASK_0176912374__b821356064190921">vlan batch 100 101</strong>
    [Switch] <strong id="ZH-CN_TASK_0176912374__b806518261190921">interface gigabitethernet 0/0/1</strong>
    [Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b985873023190921">port link-type trunk</strong>
    [Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b402237438190921">port trunk pvid vlan 100</strong>
    [Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b2016261018190921">port trunk allow-pass vlan 100 101</strong>
    [Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b290287582190921">port-isolate enable</strong>
    [Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1989272359190921">quit</strong>
    [Switch] <strong id="ZH-CN_TASK_0176912374__b1623215900190921">interface gigabitethernet 0/0/2</strong>
    [Switch-GigabitEthernet0/0/2] <strong id="ZH-CN_TASK_0176912374__b239660969190921">port link-type trunk</strong>
    [Switch-GigabitEthernet0/0/2] <strong id="ZH-CN_TASK_0176912374__b1500702096190921">port trunk allow-pass vlan 100 101</strong>
    [Switch-GigabitEthernet0/0/2] <strong id="ZH-CN_TASK_0176912374__b1646779978190921">quit</strong></span></span></span>
    # 配置Router_1的GE1/0/0加入VLAN100和VLAN101,假设接口GE0/0/1对端的Internet IP地址为192.168.1.2/24,在接口GE0/0/1上配置IP地址192.168.1.1/24。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><Huawei> <strong id="ZH-CN_TASK_0176912374__b1318968140190921">system-view</strong>
    [Huawei] <strong id="ZH-CN_TASK_0176912374__b836839358190921">sysname Router_1</strong>
    [Router_1] <strong id="ZH-CN_TASK_0176912374__b1561381150190921">vlan batch 100 101</strong>
    [Router_1] <strong id="ZH-CN_TASK_0176912374__b1964950768190921">interface gigabitethernet 1/0/0</strong>
    [Router_1-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b326456138190921">port link-type trunk</strong>
    [Router_1-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b721632309190921">port trunk allow-pass vlan 100 101</strong>
    [Router_1-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b747948746190921">quit</strong>
    [Router_1] <strong id="ZH-CN_TASK_0176912374__b443887167190921">interface gigabitethernet 0/0/1</strong>
    [Router_1-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1802330456190921">ip address 192.168.1.1 255.255.255.0</strong>
    [Router_1-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1949488140190921">quit</strong></span></span></span>
    # 配置Router_1上的缺省路由,下一跳地址为192.168.1.2。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b775225273190921">ip route-static 0.0.0.0 0.0.0.0 192.168.1.2</strong></span></span></span>
    # 配置Router_2的GE1/0/0加入VLAN200,并创建VLANIF200接口地址为10.23.200.2/24,假设接口GE0/0/1对端的Internet IP地址为192.168.2.2/24,在接口GE0/0/1上配置IP地址192.168.2.1/24。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><Huawei> <strong id="ZH-CN_TASK_0176912374__b916736472190921">system-view</strong>
    [Huawei] <strong id="ZH-CN_TASK_0176912374__b630282277190921">sysname Router_2</strong>
    [Router_2] <strong id="ZH-CN_TASK_0176912374__b2118286847190921">vlan batch 200</strong>
    [Router_2] <strong id="ZH-CN_TASK_0176912374__b1135881526190921">interface gigabitethernet 1/0/0</strong>
    [Router_2-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b920445876190921">port link-type trunk</strong>
    [Router_2-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b1499093054190921">port trunk allow-pass vlan 200</strong>
    [Router_2-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b146042512190921">quit</strong>
    [Router_2] <strong id="ZH-CN_TASK_0176912374__b717113523190921">interface gigabitethernet 0/0/1</strong>
    [Router_2-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1281683461190921">ip address 192.168.2.1 255.255.255.0</strong>
    [Router_2-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1075782585190921">quit</strong>
    [Router_2] <strong id="ZH-CN_TASK_0176912374__b1612181943190921">interface vlanif 200</strong>
    [Router_2-Vlanif200] <strong id="ZH-CN_TASK_0176912374__b1025487207190921">ip address 10.23.200.2 24</strong>
    [Router_2-Vlanif200] <strong id="ZH-CN_TASK_0176912374__b970919734190921">quit</strong></span></span></span>
    # 配置Router_2到AP侧的静态路由,下一跳地址为192.168.2.2。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b2032648930190921">ip route-static 10.23.100.0 255.255.255.0 192.168.2.2</strong>
    [Router_2] <strong id="ZH-CN_TASK_0176912374__b1421719087190921">ip route-static192.168.1.0 255.255.255.0 192.168.2.2
    </strong></span></span></span>
  2. 配置AC与其它网络设备互通

    # 配置AC的接口GE0/0/1加入VLAN200,创建接口VLANIF200并配置IP地址10.23.200.1/24。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><AC> <strong>system-view</strong>
    [AC] <strong>sysname AC</strong>
    [AC] <strong>vlan batch 101 200</strong>
    [AC] <strong>interface gigabitethernet 0/0/1</strong>
    [AC-GigabitEthernet0/0/1] <strong>port link-type trunk</strong>
    [AC-GigabitEthernet0/0/1] <strong>port trunk allow-pass vlan 200</strong>
    [AC-GigabitEthernet0/0/1] <strong>quit</strong>
    [AC] <strong>interface vlanif 200</strong>
    [AC-Vlanif200] <strong>ip address 10.23.200.1 24</strong>
    [AC-Vlanif200] <strong>quit</strong></span></span></span>
    # 配置AC到AP侧的静态路由,下一跳地址为10.23.200.2。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC] <strong>ip route-static 10.23.100.0 255.255.255.0 10.23.200.2</strong></span></span></span>
  3. 配置DHCP服务器为STA和AP分配IP地址

    # 在Router_1上配置DHCP服务器,为AP和STA分配IP地址。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b278967097190921">dhcp enable</strong>
    [Router_1] <strong id="ZH-CN_TASK_0176912374__b452041200190921">interface vlanif 100</strong>
    [Router_1-Vlanif100] <strong id="ZH-CN_TASK_0176912374__b1227135408190921">ip address 10.23.100.1 255.255.255.0</strong>
    [Router_1-Vlanif100] <strong id="ZH-CN_TASK_0176912374__b727510669190921">dhcp select global</strong>
    [Router_1-Vlanif100] <strong id="ZH-CN_TASK_0176912374__b966516186190921">quit</strong>
    [Router_1] <strong id="ZH-CN_TASK_0176912374__b277550800190921">ip pool ap</strong>
    [Router_1-ip-pool-ap] <strong id="ZH-CN_TASK_0176912374__b1416242333190921">gateway-list 10.23.100.1</strong>
    [Router_1-ip-pool-ap] <strong id="ZH-CN_TASK_0176912374__b714490441190921">network 10.23.100.0 mask 24</strong>
    [Router_1-ip-pool-ap] <strong id="ZH-CN_TASK_0176912374__b1883507180190921">option 43 sub-option 3 ascii 10.23.200.1</strong>
    [Router_1-ip-pool-ap] <strong id="ZH-CN_TASK_0176912374__b1289689437190921">quit</strong>
    [Router_1] <strong id="ZH-CN_TASK_0176912374__b1236770207190921">interface vlanif 101</strong>
    [Router_1-Vlanif101] <strong id="ZH-CN_TASK_0176912374__b1592258061190921">ip address 10.23.101.1 255.255.255.0</strong>
    [Router_1-Vlanif101] <strong id="ZH-CN_TASK_0176912374__b428517198190921">dhcp select interface</strong>
    [Router_1-Vlanif101] <strong id="ZH-CN_TASK_0176912374__b989781329190921">quit</strong></span></span></span>
    DNS服务器地址请根据实际需要配置。常用配置方法如下:
    • 接口地址池场景,需要在VLANIF接口视图下执行命令dhcp server dns-list ip-address &<1-8>。
    • 全局地址池场景,需要在IP地址池视图下执行命令dns-list ip-address &<1-8>。
  4. 配置ACL,定义需要IPSec隧道保护的数据流

    # 在Router_2上配置ACL,定义由总部AC(10.23.200.0/24)去分支AP(10.23.100.0/24)的数据流。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b397033507190921">acl number 3101</strong>
    [Router_2-acl-adv-3101] <strong id="ZH-CN_TASK_0176912374__b2102298401190921">rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255</strong>
    [Router_2-acl-adv-3101] <strong id="ZH-CN_TASK_0176912374__b1369467853190921">quit</strong></span></span></span>
    # 在Router_1上配置ACL,定义由分支AP(10.23.100.0/24)去总部AC(10.23.200.0/24)的数据流。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b1708015814190921">acl number 3101</strong>
    [Router_1-acl-adv-3101] <strong id="ZH-CN_TASK_0176912374__b969979589190921">rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255</strong>
    [Router_1-acl-adv-3101] <strong id="ZH-CN_TASK_0176912374__b1866057864190921">quit</strong></span></span></span>
  5. 配置IPSec
    1. 分别在Router_2和Router_1上创建IPSec安全提议

      # 在Router_2上配置IPSec安全提议。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b583791630190921">ipsec proposal tran1</strong>
      [Router_2-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b1462250876190921">esp authentication-algorithm sha2-256</strong>
      [Router_2-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b622661980190921">esp encryption-algorithm aes-128</strong>
      [Router_2-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b35427758190921">quit</strong></span></span></span>
      # 在Router_1上配置IPSec安全提议。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b139819425190921">ipsec proposal tran1</strong>
      [Router_1-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b1452234278190921">esp authentication-algorithm sha2-256</strong>
      [Router_1-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b1140016291190921">esp encryption-algorithm aes-128</strong>
      [Router_1-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b1865393971190921">quit</strong></span></span></span>
    2. 分别在Router_2和Router_1上配置IKE对等体

      # 在Router_2上配置IKE安全提议。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b1606178070190921">ike proposal 5</strong>
      [Router_2-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b182421504190921">authentication-algorithm sha2-256 </strong>
      [Router_2-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b655460419190921">encryption-algorithm aes-128</strong>
      [Router_2-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b181648080190921">dh group14</strong>
      [Router_2-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b31158208190921">quit</strong></span></span></span>
      # 在Router_2上配置IKE对等体,并根据默认配置,配置预共享密钥和对端ID。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b1870718951190921">ike peer spub</strong>
      [Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1517647258190921">undo version 2 </strong>
      [Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b772017619190921">ike-proposal 5</strong>
      [Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1599311400190921">pre-shared-key cipher huawei@1234</strong>
      [Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1475728565190921">remote-address 192.168.1.1</strong>
      [Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1780777266190921">quit</strong></span></span></span>
      # 在Router_1上配置IKE安全提议。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b418590325190921">ike proposal 5</strong>
      [Router_1-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b836119906190921">authentication-algorithm sha2-256 </strong>
      [Router_1-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b2076210588190921">encryption-algorithm aes-128</strong>
      [Router_1-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b623799734190921">dh group14</strong>
      [Router_1-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b2135127076190921">quit</strong></span></span></span>
      # 在Router_1上配置IKE对等体,并根据默认配置,配置预共享密钥和对端ID。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b575600183190921">ike peer spua</strong>
      [Router_1-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1570315392190921">undo version 2</strong>
      [Router_1-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1546145067190921">ike-proposal 5</strong>
      [Router_1-ike-peer-spua] <strong id="ZH-CN_TASK_0176912374__b1096926564190921">pre-shared-key cipher huawei@1234</strong>
      [Router_1-ike-peer-spua] <strong id="ZH-CN_TASK_0176912374__b1751295969190921">remote-address 192.168.2.1</strong>
      [Router_1-ike-peer-spua] <strong id="ZH-CN_TASK_0176912374__b1965179299190921">quit</strong></span></span></span>
    3. 分别在Router_2和Router_1上创建安全策略

      # 在Router_2上配置IKE动态协商方式安全策略。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b786818396190921">ipsec policy map1 10 isakmp</strong>
      [Router_2-ipsec-policy-isakmp-map1-10] <strong id="ZH-CN_TASK_0176912374__b1328345859190921">ike-peer spub</strong>
      [Router_2-ipsec-policy-isakmp-map1-10] <strong id="ZH-CN_TASK_0176912374__b1666733307190921">proposal tran1</strong>
      [Router_2-ipsec-policy-isakmp-map1-10] <strong id="ZH-CN_TASK_0176912374__b964066032190921">security acl 3101</strong>
      [Router_2-ipsec-policy-isakmp-map1-10] <strong id="ZH-CN_TASK_0176912374__b1560463008190921">quit</strong></span></span></span>
      # 在Router_1上配置IKE动态协商方式安全策略。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b1131217806190921">ipsec policy use1 10 isakmp</strong>
      [Router_1-ipsec-policy-isakmp-use1-10] <strong id="ZH-CN_TASK_0176912374__b1665134320190921">ike-peer spua</strong>
      [Router_1-ipsec-policy-isakmp-use1-10] <strong id="ZH-CN_TASK_0176912374__b776546322190921">proposal tran1</strong>
      [Router_1-ipsec-policy-isakmp-use1-10] <strong id="ZH-CN_TASK_0176912374__b1791383655190921">security acl 3101</strong>
      [Router_1-ipsec-policy-isakmp-use1-10] <strong id="ZH-CN_TASK_0176912374__b1742019934190921">quit</strong></span></span></span>
    4. 分别在Router_2和Router_1的接口上应用各自的安全策略组,使接口具有IPSec的保护功能

      # 在Router_2的接口上引用安全策略组。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b839559069190921">interface gigabitethernet 0/0/1</strong>
      [Router_2-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1789942937190921">ipsec policy map1</strong>
      [Router_2-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1337042778190921">quit</strong></span></span></span>
      # 在Router_1的接口上引用安全策略组。
      <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b758835624190921">interface gigabitethernet 0/0/1</strong>
      [Router_1-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b355599860190921">ipsec policy use1</strong>
      [Router_1-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1691806318190921">quit</strong></span></span></span>
  6. 配置AP上线

    # 创建AP组,用于将相同配置的AP都加入同一AP组中。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1451837292190921">wlan</strong>
    [AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1710308668190921">ap-group name ap-group1</strong>
    [AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b294415960190921">quit</strong></span></span></span>
    # 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1815954045190921">regulatory-domain-profile name default</strong>
    [AC-wlan-regulate-domain-default] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1765454957190921">country-code cn</strong>
    [AC-wlan-regulate-domain-default] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b464951690190921">quit</strong>
    [AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1132959133190921">ap-group name ap-group1</strong>
    [AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b4510754102210">regulatory-domain-profile default</strong>
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_zh-cn_task_0175818418_b17491131153716">y</strong>  
    [AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b101836067190921">quit</strong>
    [AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b465166413190921">quit</strong></span></span></span>
    # 配置AC的源接口。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912370_b2076192014190921">capwap source interface vlanif 200</strong></span></span></span>
    # 在AC上离线导入AP,并将AP加入AP组“ap-group1”中。假设AP的MAC地址为60de-4476-e360,并且根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为60de-4476-e360的AP部署在1号区域,命名此AP为area_1。

    ap auth-mode命令缺省情况下为MAC认证,如果之前没有修改其缺省配置,可以不用执行ap auth-mode mac-auth

    举例中使用的AP为AP5030DN,具有射频0和射频1两个射频。AP5030DN的射频0为2.4GHz射频,射频1为5GHz射频。

    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b763711121190921">wlan</strong>
    [AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1389711844190921">ap auth-mode mac-auth</strong>
    [AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1382708357190921">ap-id 0 ap-mac 60de-4476-e360</strong>
    [AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1272920990190921">ap-name area_1</strong>
    Warning: This operation may cause AP reset. Continue? [Y/N]:<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_zh-cn_task_0175818418_b460951517190906">y</strong>  
    [AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b614746147190921">ap-group ap-group1</strong>
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_zh-cn_task_0175818418_b1651706244190906">y</strong>  
    [AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b959850628190921">quit</strong></span></span></span>
    # 将AP上电后,当执行命令display ap all查看到AP的“State”字段为“nor”时,表示AP正常上线。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b482061123190921">display ap all</strong>
    Total AP information:
    nor  : normal          [1]
    Extra information:
    P  : insufficient power supply
    --------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
    --------------------------------------------------------------------------------------------------
    0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
    --------------------------------------------------------------------------------------------------
    Total: 1</span></span></span>
  7. 配置WLAN业务参数

    # 创建名为“wlan-net”的安全模板,并配置安全策略。

    举例中以配置WPA-WPA2+PSK+AES的安全策略为例,密码为“a1234567”,实际配置中请根据实际情况,配置符合实际要求的安全策略。

    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1991067776190921">security-profile name wlan-net</strong>
    [AC-wlan-sec-prof-wlan-net] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b851752672190921">security wpa-wpa2 psk pass-phrase a1234567 aes</strong>
    [AC-wlan-sec-prof-wlan-net] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b337241812190921">quit</strong></span></span></span>
    # 创建名为“wlan-net”的SSID模板,并配置SSID名称为“wlan-net”。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b69022931190921">ssid-profile name wlan-net</strong>
    [AC-wlan-ssid-prof-wlan-net] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b36723145190921">ssid wlan-net</strong>
    [AC-wlan-ssid-prof-wlan-net] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1738903244190921">quit</strong></span></span></span>
    # 创建名为“wlan-net”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong>vap-profile name wlan-net</strong>
    [AC-wlan-net-prof-wlan-net] <strong><strong>forward-mode direct-forward</strong></strong>
    [AC-wlan-net-prof-wlan-net] <strong><strong>service-vlan vlan-id 101</strong></strong>
    [AC-wlan-net-prof-wlan-net] <strong>security-profile wlan-net</strong>
    [AC-wlan-net-prof-wlan-net] <strong>ssid-profile wlan-net</strong>
    [AC-wlan-net-prof-wlan-net] <strong>quit</strong></span></span></span>
    # 配置AP组引用VAP模板,AP上射频0和射频1都使用VAP模板“wlan-net”的配置。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b2051092768190921">ap-group name ap-group1</strong>
    [AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1753511747190921">vap-profile wlan-net wlan 1 radio 0</strong>
    [AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1212706755190921">vap-profile wlan-net wlan 1 radio 1</strong>
    [AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b729861449190921">quit</strong></span></span></span>
  8. 配置AP射频的信道和功率

    射频的信道和功率自动调优功能默认开启,如果不关闭此功能则会导致手动配置不生效。举例中AP射频的信道和功率仅为示例,实际配置中请根据AP的国家码和网规结果进行配置。

    # 关闭AP射频0的信道和功率自动调优功能,并配置AP射频0的信道和功率。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1423607009190921">ap-id 0</strong>
    [AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1534489953190921">radio 0</strong>
    [AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b733594144190921">calibrate auto-channel-select disable</strong>
    [AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1154293079190921">calibrate auto-txpower-select disable</strong>
    [AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1858200296190921">channel 20mhz 6</strong>
    Warning: This action may cause service interruption. Continue?[Y/N]<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_zh-cn_task_0175818418_b1384307436190906">y</strong> 
    [AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b554899294190921">eirp 127</strong>
    [AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1779547689190921">quit</strong></span></span></span>
    # 关闭AP射频1的信道和功率自动调优功能,并配置AP射频1的信道和功率。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b33229250190921">radio 1</strong>
    [AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b327597144190921">calibrate auto-channel-select disable</strong>
    [AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1164564697190921">calibrate auto-txpower-select disable</strong>
    [AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b201103780190921">channel 20mhz 149</strong>
    Warning: This action may cause service interruption. Continue?[Y/N]<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_zh-cn_task_0175818418_b1384307436190906_1">y</strong> 
    [AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b652286665190921">eirp 127</strong>
    [AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1440636620190921">quit</strong>
    [AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b904227301190921">quit</strong></span></span></span>
  9. 检查配置结果

    WLAN业务配置会自动下发给AP,配置完成后,通过执行命令display vap ssid wlan-net查看如下信息,当“Status”项显示为“ON”时,表示AP对应的射频上的VAP已创建成功。

    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b367333496190921">display vap ssid wlan-net</strong>
    WID : WLAN ID
    --------------------------------------------------------------------------------
    AP ID AP name RfID WID   BSSID          Status  Auth type     STA   SSID
    --------------------------------------------------------------------------------
    0     area_1  0    1     60DE-4476-E360 <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1874482883190921">ON</strong>      WPA/WPA2-PSK  0     wlan-net
    0     area_1  1    1     60DE-4476-E370 <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1628414885190921">ON</strong>      WPA/WPA2-PSK  0     wlan-net
    -------------------------------------------------------------------------------
    Total: 2</span></span></span>

    STA搜索到名为“wlan-net”的无线网络,输入密码“a1234567”并正常关联后,在AC上执行display station ssid wlan-net命令,可以查看到用户已经接入到无线网络“wlan-net”中。

    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1120837202190921">display station ssid wlan-net</strong>
    Rf/WLAN: Radio ID/WLAN ID
    Rx/Tx: link receive rate/link transmit rate(Mbps)
    ---------------------------------------------------------------------------------
    STA MAC         AP ID Ap name   Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address
    ---------------------------------------------------------------------------------
    e019-1dc7-1e08  0     area_1    1/1      5G    11n   46/59      -68   101   10.23.101.254
    ---------------------------------------------------------------------------------
    Total: 1 2.4G: 0 5G: 1</span></span></span>

    # 配置成功后,在AC执行ping操作仍然可以ping通AP,它们之间的数据传输将被加密,执行命令display ipsec statistics可以查看数据包的统计信息。

    # 在Router_2上执行display ike sa操作,结果如下。
    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><Router_2> <strong>display ike sa</strong>Conn-ID      Peer           VPN    Flag(s)     Phase---------------------------------------------------------16          192.168.1.1  0       RD|ST      v1:214          192.168.1.1  0       RD|ST      v1:1Number of SA entries  : 2Number of SA entries of all cpu : 2 Flag Description:           RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUTHRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UPM--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING  </span></span></span>
配置文件
  • AC的配置文件

    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">#sysname AC
    #
    vlan batch 101 200
    #
    interface Vlanif200ip address 10.23.200.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1port link-type trunk port trunk allow-pass vlan 200
    #ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
    #
    capwap source interface vlanif200
    #
    wlansecurity-profile name wlan-netsecurity wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aesssid-profile name wlan-netssid wlan-netvap-profile name wlan-netservice-vlan vlan-id 101ssid-profile wlan-netsecurity-profile wlan-netregulatory-domain-profile name defaultap-group name ap-group1radio 0vap-profile wlan-net wlan 1radio 1vap-profile wlan-net wlan 1ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042ap-name area_1ap-group ap-group1radio 0channel 20mhz 6eirp 127calibrate auto-channel-select disable calibrate auto-txpower-select disableradio 1channel 20mhz 149eirp 127calibrate auto-channel-select disable calibrate auto-txpower-select disable
    #
    return</span></span></span>
  • Router_1的配置文件

    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">#sysname Router_1
    #
    vlan batch 100 to 101
    #
    dhcp enable
    #
    acl number 3101rule 5 permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
    #
    ipsec proposal tran1esp authentication-algorithm sha2-256esp encryption-algorithm aes-128
    #
    ike proposal 5encryption-algorithm aes-128dh group14authentication-algorithm sha2-256authentication-method pre-shareintegrity-algorithm hmac-sha2-256prf hmac-sha2-256
    #
    ike peer spuaundo version 2pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@ike-proposal 5remote-address 192.168.2.1
    #
    ipsec policy use1 10 isakmpsecurity acl 3101ike-peer spuaproposal tran1
    #
    ip pool apgateway-list 10.23.100.1network 10.23.100.0 mask 255.255.255.0option 43 sub-option 3 ascii 10.23.200.1
    #
    interface Vlanif100ip address 10.23.100.1 255.255.255.0dhcp select global
    #
    interface Vlanif101ip address 10.23.101.1 255.255.255.0dhcp select interface
    #
    interface GigabitEthernet0/0/1ip address 192.168.1.1 255.255.255.0ipsec policy use1
    #
    interface GigabitEthernet1/0/0port link-type trunk port trunk allow-pass vlan 100 to 101
    #
    ip route-static 0.0.0.0 0.0.0.0 192.168.1.2
    #
    return</span></span></span>
  • Router_2的配置文件

    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">#sysname Router_2
    #
    vlan batch 200
    #
    acl number 3101rule 5 permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
    #
    ipsec proposal tran1esp authentication-algorithm sha2-256   esp encryption-algorithm aes-128
    #
    ike proposal 5encryption-algorithm aes-128dh group14authentication-algorithm sha2-256authentication-method pre-shareintegrity-algorithm hmac-sha2-256prf hmac-sha2-256
    #
    ike peer spub v1undo version 2pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@ike-proposal 5remote-address 192.168.1.1
    #
    ipsec policy map1 10 isakmpsecurity acl 3101ike-peer spubproposal tran1
    #
    interface Vlanif200ip address 10.23.200.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1ip address 192.168.2.1 255.255.255.0ipsec policy map1
    #
    interface GigabitEthernet1/0/0port link-type trunk port trunk allow-pass vlan 200
    #
    ip route-static 10.23.100.0 255.255.255.0 192.168.2.2
    ip route-static 192.168.1.0 255.255.255.0 192.168.2.2
    #
    return</span></span></span>
  • Switch的配置文件

    <span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">#sysname Switch
    #
    vlan batch 100 to 101
    #
    interface GigabitEthernet0/0/1port link-type trunkport trunk pvid vlan 100port trunk allow-pass vlan 100 to 101
    port-isolate enable group 1
    #
    interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 100 to 101
    #
    return</span></span></span>

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.hqwc.cn/news/487331.html

如若内容造成侵权/违法违规/事实不符,请联系编程知识网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

详解AP3216C(三合一sensor: 光照、距离、照射强度)驱动开发

目录 概述 1 认识AP3216C 1.1 AP3216C特性 1.2 AP3216C内部结构 1.3 AP3216C 硬件电路 1.4 AP3216C工作时序 1.4.1 I2C 写数据协议 1.4.2 I2C 读数据协议 1.5 重要的寄存器 1.5.1 系统配置寄存器 1.5.2 和中断相关寄存器 1.5.3 IR数据寄存器 1.5.4 ALS 数据寄存器 …

【openGL教程08】着色器(02)

LearnOpenGL - Shaders 一、说明 着色器是openGL渲染的重要内容&#xff0c;客户如果想自我实现渲染灵活性&#xff0c;可以用着色器进行编程&#xff0c;这种程序小脚本被传送到GPU的显卡内部&#xff0c;起到动态灵活的着色作用。 二、着色器简述 正如“Hello Triangle”一章…

【Logback】Logback 日志框架的架构

目录 1、Logger&#xff08;记录器&#xff09; &#xff08;1&#xff09;有效级别和级别继承 &#xff08;2&#xff09;日志打印和日志筛选 &#xff08;3&#xff09;记录器命名 2、Appenders&#xff08;追加器&#xff09; 3、Layouts&#xff08;布局&#xff09;…

Window部署SkyWalking

SkyWalking mysql的驱动依赖 选择下载版本 v9.4 现在后解压缩目录结构 一、修改config目录文件 application.yml 修改1&#xff1a; selector: ${SW_STORAGE:h2} 修改后&#xff1a; selector: ${SW_STORAGE:mysql} 修改2&#xff1a;使用mysql数据库 mysql: properti…

光伏气象站:实现自动化、高精度的气象监测

型号推荐&#xff1a;云境天合 TH-FGF9】光伏气象站是一种基于光伏技术的气象监测设备&#xff0c;它利用太阳能转化为电能&#xff0c;为气象站提供持续的电力供应&#xff0c;并实现自动化、高精度的气象监测。 光伏气象站的工作原理可以分为以下几个部分&#xff1a; 光伏发…

城市白模:裸眼3D下的未来都市构想

随着科技的飞速发展&#xff0c;城市规划与建设已经迈入了一个全新的时代。在这个时代里&#xff0c;“城市白模”成为了设计师、建筑师、城市规划者乃至普通市民的热门话题。那么&#xff0c;什么是“城市白模”&#xff1f;它又如何改变我们对城市的认知与期待呢&#xff1f;…

【Java程序设计】【C00279】基于Springboot的智慧外贸平台(有论文)

基于Springboot的智慧外贸平台&#xff08;有论文&#xff09; 项目简介项目获取开发环境项目技术运行截图 项目简介 这是一个基于Springboot的智慧外贸平台 本系统分为系统功能模块、管理员功能模块、买家功能模块以及商家功能模块。 系统功能模块&#xff1a;在平台首页可以…

axios是如何实现的(源码解析)

1 axios的实例与请求流程 在阅读源码之前&#xff0c;先大概了解一下axios实例的属性和请求整体流程&#xff0c;带着这些概念&#xff0c;阅读源码可以轻松不少&#xff01; 下图是axios实例属性的简图。 可以看到axios的实例上&#xff0c;其实主要就这三个东西&#xff1a…

RocketMQ快速实战以及集群架构原理详解

RocketMQ快速实战以及集群架构原理详解 组成部分 启动Rocket服务之前要先启动NameServer NameServer 提供轻量级Broker路由服务&#xff0c;主要是提供服务注册 Broker 实际处理消息存储、转发等服务的核心组件 Producer 消息生产者集群&#xff0c;通常为业务系统中的一个功…

(九)springmvc+mybatis+dubbo+zookeeper分布式架构 整合 - maven构建ant-framework核心代码Base封装

今天重点讲解的是ant-framework核心代码Base封装过程。 因为涉及到springmvc、mybatis的集成&#xff0c;为了使项目编码更简洁易用&#xff0c;这边将基础的BASE进行封装&#xff0c;其中包括&#xff1a;BaseBean、BaseDao、BaseService、CRUD的基础封装、分页组件的封装、m…

【JavaEE】_tomcat的安装与使用

目录 1. Tomcat简介 2. Tomcat安装 2.1 下载Tomcat并解压缩 2.2 启动Tomcat 2.2.1 Tomcat乱码问题 2.2.2 Tomcat闪退问题 2.3 访问Tomcat欢迎页面 3. 使用Tomcat部署前端代码 3.1 路径匹配 3.2 文件路径访问与网络访问 4. 静态页面与动态页面 5. 基于tomcat的网站后…

单片机04__基本定时器__毫秒微秒延时

基本定时器__毫秒微秒延时 基本定时器介绍&#xff08;STM32F40x&#xff09; STM32F40X芯片一共包含14个定时器&#xff0c;这14个定时器分为3大类&#xff1a; 通用定时器 10个 TIM9-TIM1和TIM2-TIM5 具有基本定时器功能&#xff0c; 还具有输入捕获&#xff0c;输出比较功…