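With the rapid growth in demand for mobile working, enterprises commonly need a stable, reliable and centrally managed wireless network. This solution describes how to quickly deploy a WLAN inside a medium-to-large enterprise network.
The business requirement is for users to access the network over WLAN to meet mobile office needs, and roaming within the coverage area must not affect users' services. Office PCs also connect to the wired port of the nearest AP to get network access.
Networking requirements
AC networking mode: off-path (bypass) Layer 3 networking.
DHCP deployment:
SW1 provides DHCP service for user services and for the APs
AP address pool: 10.1.10.X
Topology description
R1 egress router, intranet interface 10.1.30.1/24
User employee 10.1.20.X VLAN20 tunnel forwarding password a1234567
User guest 10.1.30.X VLAN30 direct forwarding no encryption
Basic configuration
Egress router R1 configuration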
sys
sysname R1
interface gigabitEthernet0/0/0
ip address 10.1.50.1 255.255.255.0
ip route-static 10.1.20.0 255.255.255.0 10.1.50.2
ip route-static 10.1.30.0 255.255.255.0 10.1.50.2
Access switch SW2 configuration
sys
sysname sw2
vlan batch 10 30
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 30
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 30
//The PVID of ports connected to APs must be set to the AP management VLAN ID; tunnel-forwarded VLANs do not need to be permitted
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 30
Key configuration: core switch SW1 configuration
sys
sysname SW1
vlan batch 10 20 30 50
dhcp enable
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
dns-list 8.8.8.8
ex 10.1.10.2
option 43 sub-option 2 ip 10.10.10.10
//Create the VLANs and enable the DHCP service; the AP address pool uses the Option 43 parameter to pass the AC's location
ip pool employee
gateway-list 10.1.20.1
network 10.1.20.0 mask 255.255.255.0
dns-list 8.8.8.8
ip pool guest
gateway-list 10.1.30.1
network 10.1.30.0 mask 255.255.255.0
dns-list 8.8.8.8
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
dhcp select global
interface Vlanif20
ip address 10.1.20.1 255.255.255.0
dhcp select global
interface Vlanif30
ip address 10.1.30.1 255.255.255.0
dhcp select global
//DHCP addresses are obtained in global address pool mode
interface Vlanif50
ip address 10.1.50.2 255.255.255.0
interface GigabitEthernet0/0/1
port link-type access
port default vlan 50
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 10
//The port connected to the AC must permit the tunnel-forwarded VLAN
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 30
ip route-static 10.10.10.10 255.255.255.255 10.1.10.2
//Route for reaching the AC
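The two trunk rules stated in the switch comments above (an AP-facing port uses the AP management VLAN as its PVID and need not permit tunnel-forwarded VLANs, while the AC-facing port must permit them) can be checked mechanically. The Python sketch below is an added example, not part of the original page. The port roles, the constant names and the function names are assumptions made for illustration.

```python
import re

# Constructed input: trunk stanzas copied from the SW2 and SW1 sections of this page.
CONFIGS = {
    "SW2": """interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 30
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 30""",
    "SW1": """interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 10""",
}
# Assumed roles, read from the page's comments: SW2 GE0/0/1-2 face APs, SW1 GE0/0/2 faces the AC.
AP_PORTS = {"SW2:GigabitEthernet0/0/1", "SW2:GigabitEthernet0/0/2"}
AC_PORTS = {"SW1:GigabitEthernet0/0/2"}
MGMT, TUNNEL, DIRECT = 10, {20}, {30}  # AP management, tunnel-forwarded, direct-forwarded VLANs

def expand(spec):
    """Expand an allow-pass list such as '10 30' or '10 to 12' into a set of VLAN IDs."""
    pairs = re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec)
    return {v for lo, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def parse_trunks(device, cfg):
    """Map 'device:interface' to its trunk PVID (default VLAN 1) and allow-pass set."""
    ports, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ports.setdefault(f"{device}:{m.group(1)}", {"pvid": 1, "allowed": set()})
        elif cur and (m := re.match(r"port trunk pvid vlan (\d+)", line)):
            cur["pvid"] = int(m.group(1))
        elif cur and (m := re.match(r"port trunk allow-pass vlan (.+)", line)):
            cur["allowed"] |= expand(m.group(1))
    return ports

def audit(configs=CONFIGS):
    """Return findings for the two trunk rules stated in the page's comments."""
    out, ports = [], {k: v for d, c in configs.items() for k, v in parse_trunks(d, c).items()}
    for name, p in ports.items():
        if name in AP_PORTS:
            if p["pvid"] != MGMT:
                out.append(f"{name}: PVID {p['pvid']} is not AP management VLAN {MGMT}")
            out += [f"{name}: tunnel VLAN {v} allowed, not needed" for v in sorted(TUNNEL & p["allowed"])]
            out += [f"{name}: direct-forward VLAN {v} missing" for v in sorted(DIRECT - p["allowed"])]
        if name in AC_PORTS:
            out += [f"{name}: VLAN {v} toward AC missing" for v in sorted(({MGMT} | TUNNEL) - p["allowed"])]
    return out
```

For the configuration on this page `audit()` returns an empty list; each string it does return names the port and the rule that port breaks.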
Key configuration: AC configuration
sys
sysname AC1
vlan batch 20 10
interface Vlanif10
ip address 10.1.10.2 255.255.255.0
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 10
interface loopback0
ip address 10.10.10.10 255.255.255.255
ip route-static 0.0.0.0 0 10.1.10.1
//Configure the default route
capwap source interface loopback0
//Configure the CAPWAP tunnel
wlan
ap auth-mode mac-auth
//The AP authentication mode is MAC authentication
regulatory-domain-profile name ac1
country-code cn
//The country code is cn
security-profile name guest
security open
security-profile name employee
security wpa-wpa2 psk pass-phrase a1234567 aes
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
//Configure the SSID and security profiles
vap-profile name guest
forward-mode direct-forward
service-vlan vlan-id 30
ssid-profile guest
security-profile guest
vap-profile name employee
forward-mode tunnel
service-vlan vlan-id 20
ssid-profile employee
security-profile employee
//Configure the VAP profiles
ap-group name ag1
regulatory-domain-profile ac1
vap-profile employee wlan 1 radio all
vap-profile guest wlan 2 radio all
//Configure the AP group and apply the VAP profiles
ap-mac 00e0-fca1-39e0
ap-name Ap1
ap-group ag1
ap-mac 00e0-fc50-6b90
ap-name AP2
ap-group ag1
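//Configure the APs to come online
Configuration on the AC for PCs to get network access through the AP's wired interface
Applied to an AP or an AP group; only suitable for direct forwarding mode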
wired-port-profile na v30
mode endpoint
vlan pvid 30
vlan untagged 30
//Change the AP interface type from root to endpoint, and configure the port PVID and the port VLAN
ap-i 1
wired-port-profile V30 gigabitethernet 1
//Apply to the AP
//ap-g na ag1
//wired-port-profile V30 gigabitethernet 1
//Can also be applied to an AP group, so that the configuration takes effect on all APs
ap-reset ap-i 1
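//Restart the corresponding AP
Testing after the configuration is complete
On the AC, check that the APs have come online normally
On the STA, all of the wireless signals are visible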