AC+AP (networking in the same broadcast domain)

root
2020-12-28 19:09:27


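An AP is a wireless access point (Wireless Access Point). It transmits the wireless signal and plays the role a hub plays in a wired network, connecting all the wireless devices.

An AC is a wireless controller (Wireless Access Point Controller). It centrally controls the wireless APs: it aggregates the data coming from the different APs and connects it to the Internet, and it also handles AP configuration management, authentication and management of wireless users, and control functions such as bandwidth, access, handover, and security.

Networking approach for the same broadcast domain

Connection between the AC and the APs

  • The AC is in effect a layer-3 switch
  • The AP is the signal transmitter; it does a certain amount of data forwarding and conversion, and it is a device that can recognize VLANs and tag frames

The AC and the APs communicate within one VLAN, by means of the PVID.

If the SW1 interface directly connected to an AP is not given the PVID of the VLAN the AC is in, DHCP packets cannot be delivered.

Configure the trunks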

// SW1
[SW1]vlan 100
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all

// The interface directly connected to the AP must be tagged (PVID set to VLAN 100)
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk pvid vlan 100
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
// AC
[AC6005]int g0/0/1
[AC6005-GigabitEthernet0/0/1]port link-type trunk
[AC6005-GigabitEthernet0/0/1]port trunk allow-pass vlan all

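Configure DHCP on the AC [it can be configured on either the AC or the switch]

On DHCP relay: if the two subnets are not in the same VLAN, DHCP relay has to be enabled; within one VLAN, DHCP relay is not needed.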

[AC6005]dhcp enable
[AC6005]ip pool AC
// The pool must be in the Vlanif100 subnet (192.168.100.0/24) so that "dhcp select global" can serve it
[AC6005-ip-pool-AC]network 192.168.100.0 mask 255.255.255.0
[AC6005-ip-pool-AC]gateway-list 192.168.100.254
[AC6005-ip-pool-AC]dns-list 114.114.114.114

// Enable DHCP on VLAN 100
[AC6005]vlan 100
[AC6005]int vlanif 100
[AC6005-Vlanif100]ip address 192.168.100.253 255.255.255.0
[AC6005-Vlanif100]dhcp select global

Verify on the AP the address handed out by DHCP

[Huawei]dis ip int bri
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 0

Interface                         IP Address/Mask      Physical   Protocol  
NULL0                             unassigned           up         up(s)     
Vlanif1                           192.168.100.117/24   up         up

 

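Bring the APs online

Can the AP management group created on the AC contain multiple virtual AP templates (VAP profiles)? One virtual AP template corresponds to one service-VLAN network.

Building on the setup above, add one more AP.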

SW1

[SW1-GigabitEthernet0/0/3]dis this
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return

 

1. Create the AP management group on the AC

[AC6005]wlan
[AC6005-wlan-view]ap-group name 68B

 

2. Configure the country code

// Give the profile a name (this command is entered in the WLAN view)
[AC6005-wlan-view]regulatory-domain-profile name CHINA

// Select China as the country code
[AC6005-wlan-regulate-domain-CHINA]country-code cn
Info: The current country code is same with the input country code.

 

3. Associate the country code with the APs

[AC6005]wlan
[AC6005-wlan-view]ap-group name 68B

// Bind the regulatory domain profile by name, using the name created earlier
[AC6005-wlan-ap-group-68B]regulatory-domain-profile CHINA
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y

 

4. Set the interface the AC uses to establish the CAPWAP tunnel with the APs

// Used to send management information
[AC6005]capwap source interface Vlanif 100

 

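5. Configure authentication on the AC

  • MAC address authentication

// Look up the AP's MAC address; check the interface the AP is connected through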

[Huawei]dis int g0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
Description:HUAWEI, AP Series, GigabitEthernet0/0/0 Interface
Switch Port, PVID :    1, TPID : 8100(Hex), The Maximum Frame Length is 1800
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc90-5b40

// Add the APs' MAC addresses for authentication

[AC6005]wlan 
[AC6005-wlan-view]ap auth-mode ?
  mac-auth  MAC authenticated mode, default authenticated mode
  no-auth   No authenticated mode 
  sn-auth   SN authenticated mode 

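// AP IDs start from 0; the AC uses them to manage the APs
[AC6005-wlan-view]ap-id 0 ap-mac  00e0-fc90-5b40
[AC6005-wlan-view]ap-id 1 ap-mac  00e0-fc22-5780
  • SN (serial number) authentication
  • No authentication is also possible

Once configured, the two APs restart.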

[Huawei]
===== CAPWAP LINK IS UP!!! =====

 

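6. Check whether the APs that came online have any problems

7. Move the APs into the new group

As the figure above shows, the APs are in a default group; we need to add them to the 68B group created earlier.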

[AC6005]wlan
// AP 0
[AC6005-wlan-view]ap-id 0
[AC6005-wlan-ap-0]ap-group 68B
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.

// AP 1
[AC6005-wlan-view]ap-id 1
[AC6005-wlan-ap-1]ap-group 68B
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.

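Checking the AP state now shows Fault. This is normal: an AP restarts every time it is moved into a group.

8. Configure the SSID and password

// Choose a name for the SSID profile
[AC6005]wlan
[AC6005-wlan-view]ssid-profile name FUNNET

// Set the SSID name
[AC6005-wlan-ssid-prof-FUNNET]ssid Kk
Info: This operation may take a few seconds, please wait.done.

// Configure the password; create the security profile and give it a name
[AC6005-wlan-ssid-prof-FUNNET]q
[AC6005-wlan-view]security-profile name FUNNET-S
[AC6005-wlan-sec-prof-FUNNET-S]security wpa-wpa2 ?
  dot1x  802.1x authentication    // needs a separate server; choose this when clients log in
  psk    Pre-shared key           // password authentication only; choose this when web-page authentication is needed
// Password of 8 or more characters; the encryption method is aes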
[AC6005-wlan-sec-prof-FUNNET-S]security wpa-wpa2 psk pass-phrase QWER1234 aes

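9. Bind the SSID and password to the virtual AP template (VAP profile)

  • SSID PROFILE: the name to associate
  • SECURITY PROFILE: the password to associate
  • Which VLAN the users joining through the AP use, for example VLAN 200
  • Forwarding mode
    • Centralized forwarding

The wireless device connects to the AP, the AP sends the data to the AC, the AC forwards it to the SW, and the SW sends it on to the router.

    • Direct forwarding [this one is better, and it is also the default]

The data is not forwarded through the AC; it is sent directly.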

  • Configure the virtual AP template (VAP profile)
[AC6005]wlan
[AC6005-wlan-view]vap-profile name 68B
  • Name
// Name of the SSID profile
[AC6005-wlan-vap-prof-68B]ssid-profile FUNNET
  • Security profile name
// Name of the security profile
[AC6005-wlan-vap-prof-68B]security-profile FUNNET-S
  • Users
// Assign the users' service VLAN to VLAN 200; it must not be the same as VLAN 100 used for the AP network
[AC6005]vlan 200
[AC6005-wlan-vap-prof-68B]service-vlan vlan-id 200

// Direct forwarding, which is also the default
[AC6005-wlan-vap-prof-68B]forward-mode direct-forward
// The SW1 interfaces that connect to the APs must be trunks and allow VLAN 200 through
[SW1-ip-pool-68b]int g0/0/2
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 200
[SW1-GigabitEthernet0/0/2]dis this
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 200
#
return
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 200
[SW1-GigabitEthernet0/0/3]dis this
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 200
#
return
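The PVID and allow-pass requirements on the AP-facing trunks can be checked mechanically. The following is an added example, not part of the original post: it parses "dis this"-style interface blocks and reports ports where untagged AP traffic would miss VLAN 100, where VLAN 100 or 200 is not allowed, or where every VLAN is allowed. The sample text is constructed, and the trunk defaults (PVID 1, VLAN 1 allowed) are an assumption.

```python
import re

MGMT_VLAN, SERVICE_VLAN = 100, 200  # VLAN IDs used on this page

# Constructed sample in the style of the page's "dis this" output.
SAMPLE = """\
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 200
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan all
"""

def expand(spec):
    """Expand 'all', '100 200' or '10 to 20' into a set of VLAN IDs."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(text):
    """Return {interface: [findings]} for AP-facing trunk ports."""
    ports, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            # Assumed defaults for an unconfigured trunk: PVID 1, VLAN 1 allowed.
            cur = ports[m.group(1)] = {"pvid": 1, "allowed": {1}}
        elif cur and (m := re.match(r"port trunk pvid vlan (\d+)", line)):
            cur["pvid"] = int(m.group(1))
        elif cur and (m := re.match(r"port trunk allow-pass vlan (.+)", line)):
            cur["allowed"] |= expand(m.group(1))
    findings = {}
    for name, p in ports.items():
        f = [f"VLAN {v} not allowed" for v in (MGMT_VLAN, SERVICE_VLAN) if v not in p["allowed"]]
        if p["pvid"] != MGMT_VLAN:
            f.append(f"pvid {p['pvid']}: untagged AP frames do not land in VLAN {MGMT_VLAN}")
        if len(p["allowed"]) == 4094:
            f.append("all VLANs allowed: carries VLANs the AP does not need")
        findings[name] = f
    return findings

print(audit(SAMPLE))
```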

SW1

 

10. Bind the virtual AP profile to the real AP group

[AC6005]wlan
[AC6005-wlan-view]ap-group name 68B
[AC6005-wlan-ap-group-68B]vap-profile 68B wlan 1 radio all

 

11. Create the SVI (layer-3 interface) that forwards user traffic, and hand out IP addresses

[SW1]dhcp enable 
[SW1]vlan 200
[SW1]int vlan 200
[SW1-Vlanif200]ip add 192.168.200.254 24

// Enable DHCP from the interface address pool
[SW1]dhcp enable 
[SW1-Vlanif200]dhcp select interface 
[SW1-Vlanif200]dhcp server dns-list 114.114.114.114

Connect a wireless device to the AP

Command for viewing AP status on the AC

nor means normal

[AC6005]dis ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [2]
-------------------------------------------------------------------------------------------------------
ID   MAC            Name           Group   IP              Type            State STA Uptime
-------------------------------------------------------------------------------------------------------
0    00e0-fc90-5b40 00e0-fc90-5b40 default 192.168.100.117 AP6050DN        nor   0   16M:25S
1    00e0-fc22-5780 00e0-fc22-5780 default 192.168.100.83  AP6050DN        nor   0   3M:27S
-------------------------------------------------------------------------------------------------------
Total: 2

You can also see how many users there are and which device they are on.
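The "dis ap all" table can be compared against what was configured: the MAC addresses registered with ap-id, the 68B group, and the nor state. This is an added example, not part of the original post. Rows 0 and 1 are the page's output, row 2 and its "fault" state string are constructed, and the parser assumes no column value contains spaces.

```python
# MACs registered with "ap-id N ap-mac" and the AP group created on this page.
EXPECTED_MACS = {"00e0-fc90-5b40", "00e0-fc22-5780"}
EXPECTED_GROUP = "68B"

FIELDS = ("id", "mac", "name", "group", "ip", "type", "state", "sta", "uptime")

# Rows 0 and 1 are the page's output; row 2 is constructed for this example.
SAMPLE = """\
ID   MAC            Name           Group   IP              Type            State STA Uptime
0    00e0-fc90-5b40 00e0-fc90-5b40 default 192.168.100.117 AP6050DN        nor   0   16M:25S
1    00e0-fc22-5780 00e0-fc22-5780 default 192.168.100.83  AP6050DN        nor   0   3M:27S
2    00e0-fc11-2233 00e0-fc11-2233 68B     192.168.100.90  AP6050DN        fault 0   -
Total: 3
"""

def parse_ap_table(text):
    """Return one dict per AP row; assumes no column value contains spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly nine columns and start with the numeric AP ID.
        if len(parts) == len(FIELDS) and parts[0].isdigit():
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def review(rows):
    """Return (ap_id, finding) pairs for rows that differ from the intended state."""
    findings = []
    for r in rows:
        if r["mac"] not in EXPECTED_MACS:
            findings.append((r["id"], f"MAC {r['mac']} is not a registered AP"))
        if r["group"] != EXPECTED_GROUP:
            findings.append((r["id"], f"group {r['group']}, expected {EXPECTED_GROUP}"))
        if r["state"] != "nor":
            findings.append((r["id"], f"state {r['state']}"))
    return findings

for ap_id, finding in review(parse_ap_table(SAMPLE)):
    print(f"AP {ap_id}: {finding}")
```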

 

 
