02-H3C WLAN Device VLAN Deployment Guide
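Copyright © 2023 bobty下载软件. All rights reserved.
No part of this document may be excerpted, reproduced, or distributed in any form by any organization or individual without the company's prior written permission.
Except for the trademarks of bobty下载软件, all other trademarks, product logos, and product names appearing in this manual are the property of their respective owners.
The content of this document is general technical information; some of it may not apply to the product you purchased.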
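When using H3C WLAN devices, users often keep the default configuration to simplify setup, that is, both the management VLAN and the service VLAN are VLAN 1. This causes a variety of network problems and a poor user experience.
This document describes the recommended service VLAN and AP management VLAN configuration for tunnel forwarding and local forwarding scenarios, to better guide service network deployment and reduce such problems.
The management VLAN carries packets forwarded through the CAPWAP tunnel, including management packets and service data packets forwarded through the CAPWAP tunnel.
By default, AP management packets carry no VLAN tag; the access switch directly connected to the AP tags them. In practice, configure the PVID of the access switch interface directly connected to the AP as the management VLAN.
Configure it as follows: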
<Switch> system-view
[Switch] interface gigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
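If no PVID is configured on the access switch directly connected to the AP, the switch tags the packets with VLAN 1 by default, which makes VLAN 1 the AP's management VLAN.
The management-vlan setting described in this section is not recommended. Use it only for specific needs, for example, when you do not want to use the default VLAN 1 on the AP.
management-vlan is in fact the management VLAN. As noted above, in practice the management VLAN is configured on the access switch directly connected to the AP. If you do not want to use the default VLAN 1 on the AP, you can configure the AP's management VLAN with the wlan management-vlan command. In that case you only need to permit that management VLAN on the access switch directly connected to the AP; no PVID needs to be configured on the AP's access switch.
Configure it as follows:
Log in to the fit AP and configure it in the fit AP's system view.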
<ap1> system-view
[ap1] wlan management-vlan 100
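The service VLAN carries service data packets. If it is not configured, the default service VLAN is VLAN 1.
VLAN 1 exists by default. To allow zero-configuration use, the device adds Layer 2 Ethernet ports to VLAN 1 by default. With zero configuration, the VLAN 1 broadcast domain becomes too large and packets easily flood within VLAN 1. For this reason, do not use VLAN 1 as the management VLAN or the service VLAN when planning a WLAN network.
The recommended best practice is to use different VLANs for service and management, neither of which is VLAN 1.
The following sections describe the management VLAN and service VLAN configuration requirements, with configuration examples, for tunnel forwarding and local forwarding modes.
In the bypass deployment + tunnel forwarding mode, create both the management VLAN and the service VLAN on the AC. The network between the AC and the APs must permit the management VLAN, and the AC's connection to the upper-layer network must permit the service VLAN.
In this example the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN-related configuration is as follows:
# Create VLAN 100. VLAN 100 is the management VLAN for AP access.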
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
# Configure GigabitEthernet1/0/1, the access switch interface connected to the AP, as a trunk port: deny VLAN 1 packets, set the PVID to VLAN 100, and permit VLAN 100.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, the access switch interface connected to the aggregation switch, as a trunk port: deny VLAN 1 packets and permit VLAN 100.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 and VLAN 200. VLAN 100 forwards traffic inside the CAPWAP tunnel between the AC and the AP; VLAN 200 is the service VLAN for wireless client access.
<Aggregation Switch> system-view
[Aggregation Switch] vlan 100
[Aggregation Switch-vlan100] quit
[Aggregation Switch] vlan 200
[Aggregation Switch-vlan200] quit
# Configure GigabitEthernet1/0/2, the aggregation switch interface connected to the access switch, as a trunk port: deny VLAN 1 packets and permit VLAN 100.
[Aggregation Switch] interface gigabitEthernet 1/0/2
[Aggregation Switch-GigabitEthernet1/0/2] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Aggregation Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, the aggregation switch interface connected to the AC, as a trunk port: deny VLAN 1 packets and permit VLAN 100 and VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/1
[Aggregation Switch-GigabitEthernet1/0/1] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Aggregation Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/3, the aggregation switch interface connected to the core switch, as a trunk port: deny VLAN 1 packets and permit VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/3
[Aggregation Switch-GigabitEthernet1/0/3] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/3] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/3] port trunk permit vlan 200
[Aggregation Switch-GigabitEthernet1/0/3] quit
# Create VLAN 100 to forward traffic inside the CAPWAP tunnel between the AC and the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Create VLAN 200. Clients use this service VLAN to access the wireless network.
[AC] vlan 200
[AC-vlan200] quit
# Configure GigabitEthernet1/0/1, the AC interface connected to the aggregation switch, as a trunk port: deny VLAN 1 packets and permit VLAN 100 and VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200. Clients use this VLAN to access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the core switch interface connected to the aggregation switch, as a trunk port: deny VLAN 1 packets and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
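In the direct-connect deployment + tunnel forwarding mode, create both the management VLAN and the service VLAN on the AC. The network between the AC and the APs must permit the management VLAN, and the AC's connection to the upper-layer network must permit the service VLAN.
Figure 2-2 Tunnel forwarding mode: direct-connect deployment diagram
In this example the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN-related configuration is as follows:
# Create VLAN 100. VLAN 100 is the management VLAN for AP access.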
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
# Configure GigabitEthernet1/0/1, the access switch interface connected to the AP, as a trunk port: deny VLAN 1 packets, set the PVID to VLAN 100, and permit VLAN 100.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, the access switch interface connected to the aggregation switch, as a trunk port: deny VLAN 1 packets and permit VLAN 100.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 to forward traffic inside the CAPWAP tunnel between the AC and the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Create VLAN 200. Clients use this service VLAN to access the wireless network.
[AC] vlan 200
[AC-vlan200] quit
# Configure GigabitEthernet1/0/2, the AC interface connected to the access switch, as a trunk port: deny VLAN 1 packets and permit VLAN 100.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/2] port trunk permit vlan 100
[AC-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, the AC interface connected to the core switch, as a trunk port: deny VLAN 1 packets and permit VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 200
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200. Clients use this VLAN to access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the core switch interface connected to the AC, as a trunk port: deny VLAN 1 packets and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
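In the bypass deployment + local forwarding mode, create the management VLAN on the AC; whether the service VLAN must also be created depends on the situation. Network devices between the AC and the APs must permit the management VLAN, and network devices between the APs and the upper-layer network must permit the service VLAN.
· If the user gateway is on the AC, the service VLAN must be created on the AC.
· If the user gateway is not on the AC, actual service data does not pass through the AC, so it is generally unnecessary to create the service VLAN locally on the AC. However, if 802.1X authentication is used, authentication packets must be forwarded through the CAPWAP tunnel, so the service VLAN must already exist on the AC.
Figure 2-3 Local forwarding mode: bypass deployment diagram
In this example the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN-related configuration is as follows:
# Use a text editor to edit the AP configuration file, name it map.txt, and upload it to the AC's storage medium. The content and format of the configuration file are as follows: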
System-view
vlan 200
interface gigabitethernet1/0/1
port link-type trunk
port trunk permit vlan 200
# Create VLAN 100 and VLAN 200. VLAN 100 forwards traffic inside the CAPWAP tunnel between the AC and the AP; VLAN 200 is the service VLAN for wireless client access.
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
[Access Switch] vlan 200
[Access Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the access switch interface connected to the AP, as a trunk port: deny VLAN 1 packets, set the PVID to VLAN 100, and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, the access switch interface connected to the aggregation switch, as a trunk port: deny VLAN 1 packets and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 and VLAN 200. VLAN 100 forwards traffic inside the CAPWAP tunnel between the AC and the AP; VLAN 200 is the service VLAN for wireless client access.
<Aggregation Switch> system-view
[Aggregation Switch] vlan 100
[Aggregation Switch-vlan100] quit
[Aggregation Switch] vlan 200
[Aggregation Switch-vlan200] quit
# Configure GigabitEthernet1/0/2, the aggregation switch interface connected to the access switch, as a trunk port: deny VLAN 1 packets and permit VLAN 100 and VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/2
[Aggregation Switch-GigabitEthernet1/0/2] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Aggregation Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, the aggregation switch interface connected to the AC, as a trunk port: deny VLAN 1 packets and permit VLAN 100.
[Aggregation Switch] interface gigabitEthernet 1/0/1
[Aggregation Switch-GigabitEthernet1/0/1] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Aggregation Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/3, the aggregation switch interface connected to the core switch, as a trunk port: deny VLAN 1 packets and permit VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/3
[Aggregation Switch-GigabitEthernet1/0/3] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/3] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/3] port trunk permit vlan 200
[Aggregation Switch-GigabitEthernet1/0/3] quit
# Create VLAN 100 to forward traffic inside the CAPWAP tunnel between the AC and the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Configure GigabitEthernet1/0/1, the AC interface connected to the aggregation switch, as a trunk port: deny VLAN 1 packets and permit VLAN 100.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200. Clients use this VLAN to access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the core switch interface connected to the aggregation switch, as a trunk port: deny VLAN 1 packets and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
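In the direct-connect deployment + local forwarding mode, create both the management VLAN and the service VLAN on the AC. Network devices between the AC and the APs must permit the management VLAN, and network devices between the APs and the upper-layer network must permit the service VLAN.
Figure 2-4 Local forwarding mode: direct-connect deployment diagram
In this example the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN-related configuration is as follows:
# Use a text editor to edit the AP configuration file, name it map.txt, and upload it to the AC's storage medium. The content and format of the configuration file are as follows: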
System-view
vlan 200
interface gigabitethernet1/0/1
port link-type trunk
port trunk permit vlan 200
# Create VLAN 100 and VLAN 200. VLAN 100 forwards traffic inside the CAPWAP tunnel between the AC and the AP; VLAN 200 is the service VLAN for wireless client access.
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
[Access Switch] vlan 200
[Access Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the access switch interface connected to the AP, as a trunk port: deny VLAN 1 packets, set the PVID to VLAN 100, and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, the access switch interface connected to the AC, as a trunk port: deny VLAN 1 packets and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 to forward traffic inside the CAPWAP tunnel between the AC and the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Create VLAN 200. Clients use this service VLAN to access the wireless network.
[AC] vlan 200
[AC-vlan200] quit
# Configure GigabitEthernet1/0/2, the AC interface connected to the access switch, as a trunk port: deny VLAN 1 packets and permit VLAN 100 and VLAN 200.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, the AC interface connected to the core switch, as a trunk port: deny VLAN 1 packets and permit VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 200
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200. Clients use this VLAN to access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the core switch interface connected to the AC, as a trunk port: deny VLAN 1 packets and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
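All VLANs have been permitted, but clients cannot come online.
An intermediate network device may not have created the VLAN that matches the VLAN tag carried in the packets.
Check whether each intermediate network device has created the VLAN that matches the VLAN tag carried in the packets. If it has not, create that VLAN; if it has, check whether the rest of the network configuration is correct.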
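The rules in this guide (VLAN 1 removed from trunk ports, the AP-facing PVID equal to the management VLAN, and every permitted VLAN actually created on the device, which is the fault described just above) can be checked offline against saved configurations. The following Python auditor is an added example, not part of the H3C guide: it assumes Comware-style `display current-configuration` text, and the function names `expand` and `audit` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in Comware "display current-configuration" style (illustrative).
SAMPLE = """\
vlan 100
#
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 200
 port trunk pvid vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 100 200
#
"""

def expand(spec):
    """Expand '100 200 to 203' into a set of VLAN IDs ('all' means 1-4094)."""
    pairs = re.findall(r"(\d+)(?: to (\d+))?", spec.replace("all", "1 to 4094"))
    return {v for lo, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def audit(config, mgmt_vlan, ap_ports):
    """Return sorted (interface, finding) pairs that break the guide's rules."""
    created, ports, cur = {1}, {}, None  # VLAN 1 exists by default
    for line in config.splitlines():
        if m := re.match(r"vlan (\d.*)", line):
            created |= expand(m[1])
        elif m := re.match(r"interface (\S+)", line):
            # A trunk port permits only VLAN 1 and has PVID 1 until configured.
            cur = ports.setdefault(m[1], {"trunk": False, "permit": {1}, "pvid": 1})
        elif cur and (m := re.match(r"\s+(undo )?port trunk permit vlan (.+)", line)):
            vl = expand(m[2])
            cur["permit"] = cur["permit"] - vl if m[1] else cur["permit"] | vl
        elif cur and (m := re.match(r"\s+port trunk pvid vlan (\d+)", line)):
            cur["pvid"] = int(m[1])
        elif cur and line.strip() == "port link-type trunk":
            cur["trunk"] = True
    out = []
    for name, p in ports.items():
        if not p["trunk"]:
            continue
        if 1 in p["permit"]:
            out.append((name, "VLAN 1 still permitted"))
        if missing := sorted(p["permit"] - created):
            out.append((name, f"permitted but not created: {missing}"))
        if name in ap_ports and p["pvid"] != mgmt_vlan:
            out.append((name, f"PVID {p['pvid']} is not management VLAN {mgmt_vlan}"))
    return sorted(out)
```

Calling `audit(SAMPLE, 100, {"GigabitEthernet1/0/1"})` reports that VLAN 200 is permitted on both trunks without being created, and that GigabitEthernet1/0/2 still permits VLAN 1.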