H3C Wireless Controller WLAN Configuration Example: Policy-Based Forwarding in a Dual-Gateway Scenario
Copyright © 2023 H3C. All rights reserved.
No part of this document may be excerpted, reproduced or distributed in any form by any organization or individual without the company's prior written permission.
Except for H3C's own trademarks, the trademarks, product identifiers and trade names of other companies appearing in this manual belong to their respective owners.
The information in this document is subject to change without notice.
This document describes a configuration example for WLAN policy-based forwarding in a dual-gateway scenario.
This document does not strictly correspond to specific software or hardware versions; where the procedure differs from the actual behaviour of your product, the product takes precedence.
The configurations in this document were performed and verified in a lab environment, with every device starting from its factory default settings. If you have already configured the device, make sure that the existing configuration does not conflict with the configuration in this example.
This document assumes that you are familiar with WLAN access, AP management, NAT and DHCP.
As shown in Figure 1, a company has a large number of branch sites or offices, and the APs at every branch register with the AC across the Internet. Based on the destination address, each AP decides whether traffic is forwarded centrally to the headquarters intranet or forwarded locally onto the Internet. Router A is the branch router and Router B is the headquarters router. The requirements are as follows:
· APs obtain IP addresses from Router A;
· APs register with the AC across the Internet;
· Clients obtain IP addresses and DNS resolution from the AC;
· Clients reach the public Internet through local forwarding on the AP, and reach the headquarters intranet through centralized forwarding on the AC.
Figure 1 Network diagram for WLAN policy-based forwarding in a dual-gateway scenario
· For the branch APs to establish a connection with the headquarters AC across the Internet, configure Option 43 on Router A and specify the AC's IP address manually. To let the branch APs reach the headquarters AC through the public network, configure NAT on both Router A and Router B.
· A real deployment has many branches and therefore many APs; to simplify configuration, enable auto AP and auto AP persistence on the AC.
· Because different networks are reached with different forwarding methods, configure a wireless forwarding policy on the AC.
· For the APs to reach the headquarters intranet, write the AP configuration file in a text editor and upload it to the AC's storage medium.
· Before configuring this example, make sure that all devices in the network can reach each other by routing.
(1) Configure DHCP on Router A
# Enable the DHCP server.
<RouterA> system-view
[RouterA] dhcp enable
# Configure DHCP address pool ap, which assigns IP addresses to the APs.
[RouterA] dhcp server ip-pool ap
[RouterA-dhcp-pool-ap] network 192.168.10.0 mask 255.255.255.0
[RouterA-dhcp-pool-ap] gateway-list 192.168.10.1
# Populate Option 43 as a custom option that gives the APs Router B's IP address 202.202.1.22/24; because Router B is configured with a NAT mapping, the APs reach the AC's IP address through that mapping.
[RouterA-dhcp-pool-ap] option 43 hex 8007000001CACA0116
[RouterA-dhcp-pool-ap] quit
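To show what the hex string in the option 43 command actually carries, here is an added Python example; it is not part of the H3C document. It decodes and encodes the AC-address sub-option using the layout visible in the page's value (type 0x80, a length byte, two fixed 0x00 bytes, an address count, then IPv4 addresses). Treating the two 0x00 bytes as fixed is an assumption drawn from that value, and the function names are the example's own.

```python
import ipaddress

# Layout of the AC-address sub-option in DHCP Option 43, as seen in the
# page's value 80 07 00 00 01 CA CA 01 16:
#   0x80         sub-option type (AC IP address list)
#   0x07         length of everything that follows (2 + 1 + 4*n)
#   0x00 0x00    two fixed bytes (assumed reserved; kept exactly as on the page)
#   0x01         number of AC IPv4 addresses that follow
#   CA CA 01 16  202.202.1.22
SUBOPTION_AC_LIST = 0x80
FIXED_BYTES = b"\x00\x00"


def encode_option43(ac_addresses):
    """Return the hex string to place after `option 43 hex` for the given AC IPs."""
    addrs = [ipaddress.IPv4Address(a) for a in ac_addresses]
    if not 1 <= len(addrs) <= 255:
        raise ValueError("need between 1 and 255 AC addresses")
    body = FIXED_BYTES + bytes([len(addrs)]) + b"".join(a.packed for a in addrs)
    if len(body) > 255:
        raise ValueError("sub-option too long for a one-byte length field")
    return (bytes([SUBOPTION_AC_LIST, len(body)]) + body).hex().upper()


def decode_option43(hex_string):
    """Parse the sub-option and return the AC IPv4 addresses as strings.

    Raises ValueError on any inconsistency between the length byte, the
    address count and the actual payload instead of silently guessing.
    """
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2 or raw[0] != SUBOPTION_AC_LIST:
        raise ValueError("not an AC-address sub-option (expected type 0x80)")
    length = raw[1]
    body = raw[2:]
    if len(body) != length:
        raise ValueError(f"length byte says {length}, payload has {len(body)} bytes")
    if body[:2] != FIXED_BYTES:
        raise ValueError("unexpected bytes after the length field")
    count = body[2]
    payload = body[3:]
    if len(payload) != 4 * count:
        raise ValueError(f"count says {count} addresses, payload holds {len(payload) // 4}")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, len(payload), 4)]


if __name__ == "__main__":
    print(decode_option43("8007000001CACA0116"))        # ['202.202.1.22']
    print(encode_option43(["202.202.1.22", "10.1.1.5"]))  # constructed second AC address
```

A mismatched length or count byte is the usual cause of APs ignoring the option, so the decoder refuses such strings rather than returning a partial list.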
(2) Configure NAT so that the APs can reach the external network.
# Configure address group 0, which contains the public address 202.20.1.20.
[RouterA] nat address-group 0
[RouterA-address-group-0] address 202.20.1.20 202.20.1.20
[RouterA-address-group-0] quit
# Configure ACL 2000 so that only packets from APs in the internal 192.168.10.0/24 segment are translated.
[RouterA] acl basic 2000
[RouterA-acl-ipv4-basic-2000] rule permit source 192.168.10.0 0.0.0.255
[RouterA-acl-ipv4-basic-2000] quit
# Configure outbound dynamic NAT on interface GigabitEthernet1/0/2, translating the source address of packets that match ACL 2000 to an address from address group 0.
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] nat outbound 2000 address-group 0
[RouterA-GigabitEthernet1/0/2] quit
[RouterA] quit
(1) Configure NAT on Router B so that the APs can reach the AC.
# Configure ACL 3000 to permit translation of packets from 202.20.1.0/24 that are destined for the AC.
<RouterB> system-view
[RouterB] acl advanced 3000
[RouterB-acl-ipv4-adv-3000] rule 0 permit ip source 202.20.1.0 0.0.0.255 destination 202.202.1.22 0
[RouterB-acl-ipv4-adv-3000] quit
# Configure an internal NAT server on interface GigabitEthernet1/0/1 so that the destination address of packets matching ACL 3000 is translated to the same internal server address.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] nat server global 3000 inside 192.168.1.111
[RouterB-GigabitEthernet1/0/1] quit
[RouterB] quit
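The two NAT configurations work together: Router A rewrites the AP's private source address to 202.20.1.20, and Router B rewrites the destination 202.202.1.22 (the address handed out in Option 43) to the AC's inside address 192.168.1.111. The Python script below is an added illustration and is not part of the H3C document; it models both translation steps with the addresses from this example (the function names and the sample AP addresses are the example's own) and returns the source address the AC will record for the AP, which is the value shown as IP address in the display wlan ap verbose output.

```python
import ipaddress

# Addresses taken from this example's topology.
AP_SUBNET = ipaddress.ip_network("192.168.10.0/24")        # ACL 2000 on Router A
ROUTERA_PUBLIC = "202.20.1.20"                             # nat address-group 0
BRANCH_PUBLIC = ipaddress.ip_network("202.20.1.0/24")      # ACL 3000 source on Router B
AC_PUBLIC_IP = "202.202.1.22"                              # ACL 3000 destination / Option 43 value
AC_INSIDE_IP = "192.168.1.111"                             # nat server ... inside


def router_a_outbound(src, dst):
    """`nat outbound 2000 address-group 0` on GE1/0/2: source NAT for the AP subnet only."""
    if ipaddress.ip_address(src) in AP_SUBNET:
        return ROUTERA_PUBLIC, dst
    return src, dst            # not matched by ACL 2000: forwarded untranslated


def router_b_nat_server(src, dst):
    """`nat server global 3000 inside 192.168.1.111` on GE1/0/1: destination NAT
    only for packets matching ACL 3000 (branch public range -> AC public address)."""
    if ipaddress.ip_address(src) in BRANCH_PUBLIC and dst == AC_PUBLIC_IP:
        return src, AC_INSIDE_IP
    return src, dst


def trace_ap_to_ac(ap_ip, ac_ip_from_option43=AC_PUBLIC_IP):
    """Return the (src, dst) pair of an AP discovery packet after each hop."""
    hops = [("AP sends", (ap_ip, ac_ip_from_option43))]
    s, d = router_a_outbound(ap_ip, ac_ip_from_option43)
    hops.append(("after Router A", (s, d)))
    s, d = router_b_nat_server(s, d)
    hops.append(("after Router B", (s, d)))
    return hops


def address_seen_by_ac(ap_ip):
    """Source address the AC records for the AP, or None if the packet never
    reaches the AC's inside address (e.g. the AP is outside ACL 2000's range)."""
    src, dst = trace_ap_to_ac(ap_ip)[-1][1]
    return src if dst == AC_INSIDE_IP else None


if __name__ == "__main__":
    # Constructed sample AP addresses, one inside and one outside the AP pool.
    for hop, pair in trace_ap_to_ac("192.168.10.5"):
        print(f"{hop:16s} {pair[0]} -> {pair[1]}")
    print(address_seen_by_ac("192.168.10.5"))   # 202.20.1.20
    print(address_seen_by_ac("192.168.11.5"))   # None
```

Because Router B's ACL 3000 only admits sources in 202.20.1.0/24, a branch whose Router A translates to a different public address would need that address added to ACL 3000 before its APs could register.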
(1) Create the map-OnAP.txt file (AC configuration)
# Create the file map-OnAP.txt locally and upload it to the AC. Its contents are as follows:
vlan 2
interface Vlan-interface1
nat outbound 3000
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1
interface Vlan-interface2
ip address 172.16.4.3 255.255.255.0
acl advanced 3000
rule 0 permit ip source 172.16.4.0 0.0.0.255
(2) Configure basic settings
# Configure the IP addresses of the interfaces according to the network diagram (omitted).
# Create VLAN 2 and assign its VLAN interface the IP address 172.16.4.1/24.
<AC> system-view
[AC] vlan 2
[AC-vlan2] quit
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 172.16.4.1 255.255.255.0
[AC-Vlan-interface2] quit
# Add interface GigabitEthernet1/0/2 to VLAN 2.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-mode bridge
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/2] port trunk permit vlan 2
[AC-GigabitEthernet1/0/2] quit
# Configure routes from the AC to the local and remote public address ranges, and to the headquarters intranet segment 172.16.5.0/24.
[AC] ip route-static 202.20.1.0 24 192.168.1.22
[AC] ip route-static 202.202.1.0 24 192.168.1.22
[AC] ip route-static 172.16.5.0 24 172.16.4.2
(3) Configure DHCP and DNS.
# Enable the DHCP server and configure DHCP address pool sta, which assigns IP addresses to clients.
[AC] dhcp enable
[AC] dhcp server ip-pool sta
[AC-dhcp-pool-sta] network 172.16.4.0 mask 255.255.255.0
[AC-dhcp-pool-sta] gateway-list 172.16.4.1
# Configure the IP address of the headquarters DNS server, 192.168.1.10/24.
[AC-dhcp-pool-sta] dns-list 192.168.1.10
# Exclude from dynamic assignment the gateway address and the address reserved for the AP's service VLAN interface.
[AC-dhcp-pool-sta] forbidden-ip 172.16.4.1 172.16.4.3
[AC-dhcp-pool-sta] quit
(4) Configure AP management.
# Enable auto AP and auto AP persistence.
[AC] wlan auto-ap enable
[AC] wlan auto-persistent enable
(5) Configure the wireless forwarding policy
# Create IPv4 advanced ACL 3001 with rules that permit DNS packets, BOOTPC and BOOTPS packets, and packets from source 172.16.4.0/24 to destinations 172.16.4.0/24 and 172.16.5.0/24.
[AC] acl advanced 3001
[AC-acl-ipv4-adv-3001] rule 0 permit udp source-port eq dns
[AC-acl-ipv4-adv-3001] rule 1 permit udp destination-port eq dns
[AC-acl-ipv4-adv-3001] rule 2 permit udp source-port eq bootpc
[AC-acl-ipv4-adv-3001] rule 3 permit udp destination-port eq bootps
[AC-acl-ipv4-adv-3001] rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
[AC-acl-ipv4-adv-3001] rule 5 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
[AC-acl-ipv4-adv-3001] quit
# Create wireless forwarding policy remote, which forwards packets matching ACL 3001 centrally; then enable forwarding of external-network traffic in local forwarding mode.
[AC] wlan forwarding-policy remote
[AC-wlan-fp-remote] classifier acl 3001 behavior remote
[AC-wlan-fp-remote] client behavior-local network-flow-forwarding enable
[AC-wlan-fp-remote] quit
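How policy remote splits the traffic follows directly from ACL 3001: a packet that matches any rule is forwarded centrally through the tunnel to the AC, and anything else is forwarded locally by the AP. The Python model below is an added example and is not part of the H3C document; it implements first-match evaluation of the six rules (the Flow and Rule types, the constructed sample flows and the classify function are the example's own) and includes a flow with source port 53 to an Internet host to show that rules 0 to 3 match on UDP ports alone, without regard to addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known UDP ports behind the port keywords used in ACL 3001.
PORT = {"dns": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Flow:
    proto: str        # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One `rule N permit ...` line of an IPv4 advanced ACL. None means 'any'."""
    rule_id: int
    proto: Optional[str] = None      # None models the `ip` keyword
    src: Optional[str] = None        # CIDR built from address + wildcard mask
    dst: Optional[str] = None
    sport: Optional[int] = None      # `source-port eq`
    dport: Optional[int] = None      # `destination-port eq`

    def matches(self, f: Flow) -> bool:
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.src is not None and ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != f.sport:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


# ACL 3001 exactly as configured on the AC (wildcard 0.0.0.255 -> /24).
ACL_3001 = [
    Rule(0, proto="udp", sport=PORT["dns"]),
    Rule(1, proto="udp", dport=PORT["dns"]),
    Rule(2, proto="udp", sport=PORT["bootpc"]),
    Rule(3, proto="udp", dport=PORT["bootps"]),
    Rule(4, src="172.16.4.0/24", dst="172.16.4.0/24"),
    Rule(5, src="172.16.4.0/24", dst="172.16.5.0/24"),
]


def classify(flow: Flow, acl=ACL_3001) -> Tuple[str, Optional[int]]:
    """Apply policy remote: first matching rule -> centralized forwarding through
    the tunnel to the AC ("remote"); no match -> local forwarding by the AP."""
    for rule in acl:                       # config order, first match wins
        if rule.matches(flow):
            return "remote", rule.rule_id
    return "local", None


# Constructed sample flows from client 172.16.4.11 (not captured traffic).
SAMPLE_FLOWS = {
    "dhcp discover": Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dns to HQ resolver": Flow("udp", "172.16.4.11", "192.168.1.10", 51000, 53),
    "ping HQ host": Flow("icmp", "172.16.4.11", "172.16.5.1"),
    "https to internet": Flow("tcp", "172.16.4.11", "202.202.1.188", 52000, 443),
    "udp sport 53 to internet": Flow("udp", "172.16.4.11", "202.202.1.188", 53, 5000),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:26s} -> {classify(flow)}")
```

Rules 4 and 5 cover only the client subnet towards 172.16.4.0/24 and 172.16.5.0/24; any other intranet range must be added as a further rule before it is tunnelled, and the port-only rules 0 to 3 should be kept in mind when auditing what leaves the branch locally versus through the AC.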
# Create wireless service template chn with SSID CHN, and assign clients that come online through template chn to VLAN 2.
[AC] wlan service-template chn
[AC-wlan-st-chn] ssid CHN
[AC-wlan-st-chn] vlan 2
# Set the forwarding location to AP, apply wireless forwarding policy remote, and enable the forwarding policy.
[AC-wlan-st-chn] client forwarding-location ap
[AC-wlan-st-chn] client forwarding-policy-name remote
[AC-wlan-st-chn] client forwarding-policy enable
# Set the AKM mode to PSK, with the pre-shared key given as the plaintext string 12345678.
[AC-wlan-st-chn] akm mode psk
[AC-wlan-st-chn] preshared-key pass-phrase simple 12345678
# Set the cipher suite to CCMP and the security IE to RSN.
[AC-wlan-st-chn] cipher-suite ccmp
[AC-wlan-st-chn] security-ie rsn
# Enable the service template.
[AC-wlan-st-chn] service-template enable
[AC-wlan-st-chn] quit
# Download configuration file map-OnAP.txt to the APs.
[AC] wlan ap-group default-group
[AC-wlan-ap-group-default-group] ap-model WA6320
[AC-wlan-ap-group-default-group-ap-model-WA6320] map-configuration flash:/map-OnAP.txt
# Bind service template chn to radio 1 and enable the radio.
[AC-wlan-ap-group-default-group-ap-model-WA6320] radio 1
[AC-wlan-ap-group-default-group-ap-model-WA6320-radio-1] service-template chn
[AC-wlan-ap-group-default-group-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-default-group-ap-model-WA6320-radio-1] quit
[AC-wlan-ap-group-default-group-ap-model-WA6320] quit
[AC-wlan-ap-group-default-group] quit
# Display the AP details on the AC: the AP has established a tunnel with the AC and is in Run state, the discovery type is DHCP option, and the AP address is the public address 202.20.1.20.
[AC] display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 2048
Remaining APs: 2047
Total AP licenses: 32
Local AP licenses: 32
Server AP licenses: 0
Remaining local AP licenses: 31
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
0015-005e-9348 2 R/M WA6320 219801A28N819CE0002T
[AC] display wlan ap name 0015-005e-9348 verbose
AP name : 0015-005e-9348
AP ID : 2
AP group name : default-group
State : Run
Backup type : Master
Online time : 1 days 5 hours 25 minutes 22 seconds
System up time : 1 days 6 hours 30 minutes 4 seconds
Model : WA6320
Region code : CN
Region code lock : Disabled
Serial ID : 219801A28N819CE0002T
MAC address : 70f9-6dd3-61e0
IP address : 202.20.1.20
UDP control port number : 1099
UDP data port number : 1102
H/W version : Ver.C
S/W version : R2215
Boot version : 7.10
USB state : N/A
Power Level : N/A
PowerInfo : N/A
Description : Not configured
Priority : 4
Echo interval : 10 seconds
Echo count : 3 counts
Keepalive interval : 10 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
Discovery type : DHCP
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 34001
Received control packets : 34001
Echo requests : 10591
Lost echo responses : 3
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 202.20.1.20
Tunnel down reason : Processed join request in Run state
Connection count : 15
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Tunnel encryption : Disabled
LED mode : Normal
Remote configuration : Disabled
Radio 1:
Basic BSSID : 70f9-6dd3-61e0
Admin state : Up
Radio type : 802.11ac
Antenna type : internal
Client dot11ac-only : Disabled
Client dot11n-only : Disabled
Channel band-width : 20/40/80MHz
Active band-width : 20/40/80MHz
Secondary channel offset : SCA
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160MHz : Not supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational VHT-MCS Set:
Mandatory : Not configured
Supported : NSS1 0,1,2,3,4,5,6,7,8,9
NSS2 0,1,2,3,4,5,6,7,8,9
Multicast : Not configured
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 149(auto)
Channel usage(%) : 0
Max power : 20 dBm
Operational rate:
Mandatory : 6, 12, 24 Mbps
Multicast : Auto
Supported : 9, 18, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise floor : -105 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : cts-to-self
Continuous mode : N/A
HT protection mode : No protection
Radio 2:
Basic BSSID : 70f9-6dd3-61f0
Admin state : Down
Radio type : 802.11n(2.4GHz)
Antenna type : internal
Client dot11n-only : Disabled
Channel band-width : 20MHz
Active band-width : 20MHz
Secondary channel offset : SCN
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 6(auto)
Channel usage(%) : 0
Max power : 20 dBm
Preamble type : Short
Operational rate:
Mandatory : 1, 2, 5.5, 11 Mbps
Multicast : Auto
Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise floor : 0 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : cts-to-self
Continuous mode : N/A
HT protection mode : No protection
# Display the client information on the AC: the client has obtained an address in 172.16.4.0/24 and its forwarding policy is remote.
[AC] display wlan client
Total number of clients: 1
MAC address User name AP name RID IP address VLAN
0015-005e-9348 N/A 0015-005e-9348 1 172.16.4.11 2
[AC] display wlan client verbose
Total number of clients: 1
MAC address : 0015-005e-9348
IPv4 address : 172.16.4.11
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 0015-005e-9348
Radio ID : 1
SSID : CHN
BSSID : 70f9-6dd3-61e0
VLAN ID : 2
Sleep count : 0
Wireless mode : 802.11an
Channel bandwidth : 40MHz
20/40 BSS Coexistence Management : Not supported
SM power save : Disabled
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
STBC RX capability : Supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
Block Ack : N/A
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 100
RSSI : 0
Rx/Tx rate : 0/0
Authentication method : Open system
Security mode : PRE-RSNA
AKM mode : N/A
Cipher suite : N/A
User authentication mode : Bypass
Authorization ACL ID : N/A
Authorization user profile : N/A
Roam status : N/A
Key derivation : N/A
PMF status : N/A
Forwarding policy name : remote
Online time : 0days 0hours 0minutes 33seconds
FT status : Inactive
# The client pings the headquarters intranet addresses 172.16.4.2, 172.16.5.1 and 172.16.5.2; all three succeed.
C:\Users\h3c>ping 172.16.4.2
Pinging 172.16.4.2 with 32 bytes of data:
Reply from 172.16.4.2: bytes=32 time=6ms TTL=255
Reply from 172.16.4.2: bytes=32 time=3ms TTL=255
Reply from 172.16.4.2: bytes=32 time=6ms TTL=255
Reply from 172.16.4.2: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.4.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 6ms, Average = 4ms
C:\Users\h3c>ping 172.16.5.1
Pinging 172.16.5.1 with 32 bytes of data:
Reply from 172.16.5.1: bytes=32 time=9ms TTL=255
Reply from 172.16.5.1: bytes=32 time=1ms TTL=255
Reply from 172.16.5.1: bytes=32 time=5ms TTL=255
Reply from 172.16.5.1: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.5.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 9ms, Average = 4ms
C:\Users\h3c>ping 172.16.5.2
Pinging 172.16.5.2 with 32 bytes of data:
Reply from 172.16.5.2: bytes=32 time=8ms TTL=255
Reply from 172.16.5.2: bytes=32 time=2ms TTL=255
Reply from 172.16.5.2: bytes=32 time=5ms TTL=255
Reply from 172.16.5.2: bytes=32 time=3ms TTL=255
Ping statistics for 172.16.5.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 8ms, Average = 4ms
# The client pings the external host www.baidu.com; the ping succeeds.
C:\Users\h3c>ping www.baidu.com
Pinging www.baidu.com [202.202.1.188] with 32 bytes of data:
Reply from 202.202.1.188: bytes=32 time=7ms TTL=255
Reply from 202.202.1.188: bytes=32 time=3ms TTL=255
Reply from 202.202.1.188: bytes=32 time=3ms TTL=255
Reply from 202.202.1.188: bytes=32 time=2ms TTL=255
Ping statistics for 202.202.1.188:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 7ms, Average = 3ms
· Router A
#
nat address-group 0
address 202.20.1.20 202.20.1.20
#
dhcp enable
#
dhcp server ip-pool ap
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
option 43 hex 8007000001caca0116
#
interface GigabitEthernet1/0/2
nat outbound 2000 address-group 0
#
acl basic 2000
rule 0 permit source 192.168.10.0 0.0.0.255
#
· Router B
#
interface GigabitEthernet1/0/1
nat server global 3000 inside 192.168.1.111
#
acl advanced 3000
rule 0 permit ip source 202.20.1.0 0.0.0.255 destination 202.202.1.22 0
#
· AC
#
dhcp enable
#
vlan 2
#
dhcp server ip-pool sta
gateway-list 172.16.4.1
network 172.16.4.0 mask 255.255.255.0
dns-list 192.168.1.10
forbidden-ip 172.16.4.1
forbidden-ip 172.16.4.3
#
wlan forwarding-policy remote
classifier acl 3001 behavior remote
client behavior-local network-flow-forwarding enable
#
wlan service-template chn
ssid CHN
vlan 2
client forwarding-location ap
client forwarding-policy-name remote
client forwarding-policy enable
akm mode psk
preshared-key pass-phrase cipher $c$3$4T2hQpGTY8qC3U4KL3G2sMgv9RNfRZdZfDqY
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface Vlan-interface2
ip address 172.16.4.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2
#
ip route-static 172.16.5.0 24 172.16.4.2
ip route-static 202.20.1.0 24 192.168.1.22
ip route-static 202.202.1.0 24 192.168.1.22
#
acl advanced 3001
rule 0 permit udp source-port eq dns
rule 1 permit udp destination-port eq dns
rule 2 permit udp source-port eq bootpc
rule 3 permit udp destination-port eq bootps
rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
rule 5 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
#
wlan auto-ap enable
wlan auto-persistent enable
#
wlan ap-group default-group
ap-model WA6320
radio 1
radio enable
service-template chn
radio 2
gigabitethernet 1
gigabitethernet 2
#
· "WLAN Configuration Guide" in H3C Wireless Controller Products Configuration Guides.
· "WLAN Command Reference" in H3C Wireless Controller Products Command References.
· "Layer 3 IP Services Configuration Guide" in H3C Wireless Controller Products Configuration Guides.
· "Layer 3 IP Services Command Reference" in H3C Wireless Controller Products Command References.