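Configuring N+1 Backup for a Large Public Venue
Specifications
Applicable ACs: AC6605, AC6005
Applicable APs: all AP models
Applicable version: V200R005C00
Networking Requirements
A large public venue provides free WLAN Internet access to users. Because the venue covers a large area and serves many users, a large number of APs are deployed, and these APs are managed by multiple ACs. The service is a value-added service, so users have low requirements for network reliability and short service interruptions are acceptable. The operator wants backup for all ACs while keeping costs under control. An N+1 backup WLAN meets this need: it provides reliable network service while reducing the cost of purchasing devices. The ACs in an N+1 network can be different hardware models; they only need to run the same software version.
As shown in Figure 1, AC_1 is the active AC serving AP_1, AC_2 is the active AC serving AP_2, and AC_3 is the standby AC that backs up both AC_1 and AC_2. The ACs connect to the egress gateway Router through Switch_1 and to the APs through Switch_1 and Switch_2. All ACs and APs are on the same network segment. Switch_1 acts as the DHCP server and dynamically assigns IP addresses to the APs and STAs. When the CAPWAP link between AC_1 or AC_2 and an AP fails, AC_3 takes over from AC_1 or AC_2 and continues to serve the AP.
Figure 1 Networking diagram for the N+1 backup example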
Table 1 Data plan
| Item | Data |
| --- | --- |
| WLAN service | WEP Open-System authentication, no encryption. |
| AP management VLAN | VLAN100 |
| AP region | AP_1: 10; AP_2: 11 |
| Service set | AP_1: Name: huawei1; SSID: huawei1; WLAN virtual interface: WLAN-ESS 1; data forwarding mode: direct forwarding. AP_2: Name: huawei2; SSID: huawei2; WLAN virtual interface: WLAN-ESS 1; data forwarding mode: direct forwarding. |
| WLAN service VLAN | AP_1: VLAN101; AP_2: VLAN102 |
| AC Carrier ID/AC ID | Other/1 |
| AC_1 management IP address | VLANIF100 interface: 192.168.10.1/24 |
| AC_2 management IP address | VLANIF100 interface: 192.168.10.2/24 |
| AC_3 management IP address | VLANIF100 interface: 192.168.10.3/24 |
| AP IP address pool | 192.168.10.5~192.168.10.254/24 |
| AP gateway | 192.168.10.4/24 (Switch_1) |
| STA IP address pools | 192.168.11.2~192.168.11.254/24; 192.168.12.2~192.168.12.254/24 |
| STA gateways | 192.168.11.1/24 (Switch_1); 192.168.12.1/24 (Switch_1) |
| DHCP server | Switch_1 acts as the DHCP server and assigns addresses to the APs and STAs |
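Configuration Roadmap
Configure the ACs and the other network devices so that they can communicate with each other. Switch_1 acts as the DHCP server and assigns IP addresses to the APs and STAs.
AC_1 is the active AC for AP_1 and AC_2 is the active AC for AP_2. Configure basic WLAN services on the active ACs.
AC_3 is the standby AC for AP_1 and AP_2. Configure basic WLAN services on the standby AC; the service configuration must be the same as on the active ACs.
Commit the configuration to the APs on the active ACs so that users can access the enterprise intranet.
Configure the N+1 backup function on the active ACs and then on the standby AC. Enabling N+1 backup restarts all APs.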
Procedure
1. Configure the switches and ACs so that the APs and ACs can communicate
# On Switch_1, create VLAN100, VLAN101, and VLAN102. VLAN100 is the WLAN management VLAN; VLAN101 and VLAN102 are the WLAN service VLANs. Add GE0/0/1, which connects Switch_1 to AC_1, to VLAN100 and VLAN101. Add GE0/0/2, which connects Switch_1 to AC_2, to VLAN100 and VLAN102. Add GE0/0/3, which connects Switch_1 to AC_3, and GE0/0/4, which connects to Switch_2, to VLAN100, VLAN101, and VLAN102.
<Quidway> system-view
[Quidway] sysname Switch_1
[Switch_1] vlan batch 100 to 102
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_1-GigabitEthernet0/0/2] quit
[Switch_1] interface gigabitethernet 0/0/3
[Switch_1-GigabitEthernet0/0/3] port link-type trunk
[Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/3] quit
[Switch_1] interface gigabitethernet 0/0/4
[Switch_1-GigabitEthernet0/0/4] port link-type trunk
[Switch_1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/4] quit
# Add GE0/0/1, which connects AC_1 to Switch_1, to VLAN100 and VLAN101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 100
[AC_1-vlanif100] ip address 192.168.10.1 255.255.255.0
[AC_1-vlanif100] quit
# Add GE0/0/1, which connects AC_2 to Switch_1, to VLAN100 and VLAN102.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 102
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface vlanif 100
[AC_2-vlanif100] ip address 192.168.10.2 255.255.255.0
[AC_2-vlanif100] quit
# Add GE0/0/1, which connects AC_3 to Switch_1, to VLAN100, VLAN101, and VLAN102.
<AC6605> system-view
[AC6605] sysname AC_3
[AC_3] vlan batch 100 to 102
[AC_3] interface gigabitethernet 0/0/1
[AC_3-GigabitEthernet0/0/1] port link-type trunk
[AC_3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[AC_3-GigabitEthernet0/0/1] quit
[AC_3] interface vlanif 100
[AC_3-vlanif100] ip address 192.168.10.3 255.255.255.0
[AC_3-vlanif100] quit
# Add GE0/0/3, which connects Switch_2 to Switch_1, to VLAN100, VLAN101, and VLAN102. Add GE0/0/1, which connects Switch_2 to AP_1, to VLAN100 and VLAN101. Add GE0/0/2, which connects Switch_2 to AP_2, to VLAN100 and VLAN102.
Note: Configuring port isolation on GE0/0/1 and GE0/0/2 of Switch_2, the interfaces that connect to the APs, is recommended. Without port isolation, unnecessary broadcast packets may be present in the VLANs, or WLAN users on different APs may be able to communicate with each other at Layer 2.
<Quidway> system-view
[Quidway] sysname Switch_2
[Switch_2] vlan batch 100 to 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_2-GigabitEthernet0/0/2] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] quit
[Switch_2] interface gigabitethernet 0/0/3
[Switch_2-GigabitEthernet0/0/3] port link-type trunk
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] quit
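The port-isolation recommendation above can be checked against a saved CLI session. The following Python check is an added example, not part of the original guide or of any Huawei tool: the function names and WEAK_SESSION are constructed for illustration, while the PAGE_SESSION lines and the per-port VLAN sets are taken from the Switch_2 configuration and data plan on this page.

```python
import re

# Interface-view lines copied from the Switch_2 session on this page.
PAGE_SESSION = """\
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_2-GigabitEthernet0/0/2] port-isolate enable
"""
# Constructed counter-example: no isolation, every VLAN trunked to the AP port.
WEAK_SESSION = "[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102\n"
# AP-facing ports and the VLANs the data plan gives each AP.
AP_PORTS = {"GigabitEthernet0/0/1": {100, 101}, "GigabitEthernet0/0/2": {100, 102}}

PROMPT = re.compile(r"^\[[^\]-]+-(GigabitEthernet[\d/]+)\]\s*(.+)$")

def expand_vlans(spec):
    """'100 to 102' -> {100, 101, 102}; '100 102' -> {100, 102}."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_ports(session):
    """Collect allowed VLANs and port-isolate state per interface view."""
    ports = {}
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        port = ports.setdefault(m.group(1), {"vlans": set(), "isolated": False})
        cmd = m.group(2).strip()
        if cmd.startswith("port trunk allow-pass vlan "):
            port["vlans"] |= expand_vlans(cmd.split("vlan", 1)[1])
        elif cmd == "port-isolate enable":
            port["isolated"] = True
    return ports

def audit(session, ap_ports):
    """ap_ports maps interface -> VLANs that AP needs; returns a list of findings."""
    ports, findings = parse_ports(session), []
    for name, needed in ap_ports.items():
        port = ports.get(name, {"vlans": set(), "isolated": False})
        if not port["isolated"]:
            findings.append(f"{name}: port-isolate not enabled")
        extra = port["vlans"] - needed
        if extra:
            findings.append(f"{name}: extra VLANs allowed {sorted(extra)}")
    return findings
```

Calling audit(PAGE_SESSION, AP_PORTS) returns an empty list, while the constructed WEAK_SESSION yields one finding for the missing isolation and one for VLAN 102 reaching AP_1's port.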
2. Configure Switch_1 as the DHCP server to assign IP addresses to the APs and STAs. VLANIF100 uses an interface address pool to assign IP addresses to the APs; VLANIF101 and VLANIF102 use interface address pools to assign IP addresses to STA1 and STA2 respectively
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-vlanif100] ip address 192.168.10.4 255.255.255.0
[Switch_1-vlanif100] dhcp select interface
[Switch_1-vlanif100] dhcp server excluded-ip-address 192.168.10.1 192.168.10.3
[Switch_1-vlanif100] quit
[Switch_1] interface vlanif 101
[Switch_1-vlanif101] ip address 192.168.11.1 255.255.255.0
[Switch_1-vlanif101] dhcp select interface
[Switch_1-vlanif101] quit
[Switch_1] interface vlanif 102
[Switch_1-vlanif102] ip address 192.168.12.1 255.255.255.0
[Switch_1-vlanif102] dhcp select interface
[Switch_1-vlanif102] quit
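3. Configure basic WLAN services on AC_1
a. Configure system parameters
# Configure the country code of AC_1.
# Configure the AC ID and carrier ID of AC_1.
[AC_1] wlan ac-global ac id 1 carrier id other
# Configure the source interface of AC_1.
[AC_1] wlan
[AC_1-wlan-view] wlan ac source interface vlanif 100
b. Manage the AP on AC_1
# After obtaining the AP's MAC address on site, check the AP's device type ID.
# Add the AP offline using the device type ID found. Assume that AP_1 is an AP6010DN-AGN with MAC address 60de-4476-e360.
[AC_1-wlan-view] ap-auth-mode mac-auth
[AC_1-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC_1-wlan-ap-1] quit
Note: The default mode of the ap-auth-mode command is MAC authentication. If the default configuration has not been changed, you do not need to run ap-auth-mode mac-auth.
# Configure an AP region and add the AP to it.
[AC_1-wlan-view] ap-region id 10
[AC_1-wlan-ap-region-10] quit
[AC_1-wlan-view] ap id 1
[AC_1-wlan-ap-1] region-id 10
[AC_1-wlan-ap-1] quit
# After the AP is powered on, its "AP State" field shows normal.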
c. Configure WLAN service parameters
# Create a WMM profile named "wmm".
# Create a radio profile named "radio" and bind the WMM profile "wmm" to it.
[AC_1-wlan-view] radio-profile name radio id 1
[AC_1-wlan-radio-prof-radio] wmm-profile name wmm
[AC_1-wlan-radio-prof-radio] quit
[AC_1-wlan-view] quit
# Create WLAN-ESS interface 1.
[AC_1] interface wlan-ess 1
[AC_1-Wlan-Ess1] port hybrid pvid vlan 101
[AC_1-Wlan-Ess1] port hybrid untagged vlan 101
[AC_1-Wlan-Ess1] quit
# Create a security profile named "security".
[AC_1] wlan
[AC_1-wlan-view] security-profile name security id 1
[AC_1-wlan-sec-prof-security] quit
# Create a traffic profile named "traffic".
[AC_1-wlan-view] traffic-profile name traffic id 1
[AC_1-wlan-traffic-prof-traffic] quit
# Create a service set named "huawei1", bind the WLAN-ESS interface, security profile, and traffic profile to it, and set the forwarding mode to direct forwarding.
[AC_1-wlan-view] service-set name huawei1 id 1
[AC_1-wlan-service-set-huawei1] ssid huawei1
[AC_1-wlan-service-set-huawei1] wlan-ess 1
[AC_1-wlan-service-set-huawei1] security-profile name security
[AC_1-wlan-service-set-huawei1] traffic-profile name traffic
[AC_1-wlan-service-set-huawei1] service-vlan 101
[AC_1-wlan-service-set-huawei1] forward-mode direct-forward
[AC_1-wlan-service-set-huawei1] quit
d. Configure the VAP
# Configure the VAP.
[AC_1-wlan-view] ap 1 radio 0
[AC_1-wlan-radio-1/0] radio-profile name radio
[AC_1-wlan-radio-1/0] service-set name huawei1
[AC_1-wlan-radio-1/0] quit
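4. Configure basic WLAN services on AC_2
Note: For the other basic service parameters on AC_2, refer to the AC_1 configuration procedure. The process is as follows:
For the AC_2 configuration, see the configuration file.
On AC_2, add the AP of type AP6010DN-AGN with MAC address dcd2-fc04-b500 offline, and add the AP to AP region 11;
Create interface WLAN-ESS1 and add it to VLAN102;
Create a service set named "huawei2" and bind it to service VLAN102.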
5. Configure basic WLAN services on AC_3
a. Configure system parameters
# Configure the country code of AC_3.
# Configure the AC ID and carrier ID of AC_3.
[AC_3] wlan ac-global ac id 1 carrier id other
# Configure the source interface of AC_3.
[AC_3] wlan
[AC_3-wlan-view] wlan ac source interface vlanif 100
b. Manage the APs on AC_3
# After obtaining the APs' MAC addresses on site, check the APs' device type IDs.
# Using the device type IDs found, add offline the APs that were added on AC_1 and AC_2. Assume that AP_1 and AP_2 are both AP6010DN-AGN, with MAC addresses 60de-4476-e360 and dcd2-fc04-b500 respectively.
[AC_3-wlan-view] ap-auth-mode mac-auth
[AC_3-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC_3-wlan-ap-1] quit
[AC_3-wlan-view] ap id 2 type-id 19 mac dcd2-fc04-b500
[AC_3-wlan-ap-2] quit
Note: The default mode of the ap-auth-mode command is MAC authentication. If the default configuration has not been changed, you do not need to run ap-auth-mode mac-auth.
# Configure AP regions and add the APs to them.
[AC_3-wlan-view] ap-region id 10
[AC_3-wlan-ap-region-10] quit
[AC_3-wlan-view] ap id 1
[AC_3-wlan-ap-1] region-id 10
[AC_3-wlan-ap-1] quit
[AC_3-wlan-view] ap-region id 11
[AC_3-wlan-ap-region-11] quit
[AC_3-wlan-view] ap id 2
[AC_3-wlan-ap-2] region-id 11
[AC_3-wlan-ap-2] quit
# After the APs are powered on, their "AP State" field shows fault.
c. Configure WLAN service parameters
# Create a WMM profile named "wmm".
[AC_3-wlan-view] wmm-profile name wmm id 1
[AC_3-wlan-wmm-prof-wmm] quit
# Create a radio profile named "radio" and bind the WMM profile "wmm" to it.
[AC_3-wlan-view] radio-profile name radio id 1
[AC_3-wlan-radio-prof-radio] wmm-profile name wmm
[AC_3-wlan-radio-prof-radio] quit
[AC_3-wlan-view] quit
# Create WLAN-ESS interface 1 and WLAN-ESS interface 2.
[AC_3] interface wlan-ess 1
[AC_3-Wlan-Ess1] port hybrid pvid vlan 101
[AC_3-Wlan-Ess1] port hybrid untagged vlan 101
[AC_3-Wlan-Ess1] quit
[AC_3] interface wlan-ess 2
[AC_3-Wlan-Ess2] port hybrid pvid vlan 102
[AC_3-Wlan-Ess2] port hybrid untagged vlan 102
[AC_3-Wlan-Ess2] quit
# Create a security profile named "security".
[AC_3] wlan
[AC_3-wlan-view] security-profile name security id 1
[AC_3-wlan-sec-prof-security] quit
# Create a traffic profile named "traffic".
[AC_3-wlan-view] traffic-profile name traffic id 1
[AC_3-wlan-traffic-prof-traffic] quit
# Create service sets named "huawei1" and "huawei2", bind the WLAN-ESS interfaces, security profile, and traffic profile to them, and set the forwarding mode to direct forwarding.
[AC_3-wlan-view] service-set name huawei1 id 1
[AC_3-wlan-service-set-huawei1] ssid huawei1
[AC_3-wlan-service-set-huawei1] wlan-ess 1
[AC_3-wlan-service-set-huawei1] security-profile name security
[AC_3-wlan-service-set-huawei1] traffic-profile name traffic
[AC_3-wlan-service-set-huawei1] service-vlan 101
[AC_3-wlan-service-set-huawei1] forward-mode direct-forward
[AC_3-wlan-service-set-huawei1] quit
[AC_3-wlan-view] service-set name huawei2 id 2
[AC_3-wlan-service-set-huawei2] ssid huawei2
[AC_3-wlan-service-set-huawei2] wlan-ess 2
[AC_3-wlan-service-set-huawei2] security-profile name security
[AC_3-wlan-service-set-huawei2] traffic-profile name traffic
[AC_3-wlan-service-set-huawei2] service-vlan 102
[AC_3-wlan-service-set-huawei2] forward-mode direct-forward
[AC_3-wlan-service-set-huawei2] quit
d. Configure the VAPs
# Configure the VAPs.
[AC_3-wlan-view] ap 1 radio 0
[AC_3-wlan-radio-1/0] radio-profile name radio
[AC_3-wlan-radio-1/0] service-set name huawei1
[AC_3-wlan-radio-1/0] quit
[AC_3-wlan-view] ap 2 radio 0
[AC_3-wlan-radio-2/0] radio-profile name radio
[AC_3-wlan-radio-2/0] service-set name huawei2
[AC_3-wlan-radio-2/0] quit
6. Commit the configuration
# On active AC_1, commit the configuration to AP_1.
[AC_1-wlan-view] commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
# On active AC_2, commit the configuration to AP_2.
[AC_2-wlan-view] commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]y
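7. Configure and enable the N+1 backup function on active AC_1, active AC_2, and standby AC_3
# On AC_1, batch-configure the individual priority for the AP, the IP address of standby AC_3, and the AC global priority for N+1 backup.
Note: AC priorities determine which AC is active and which is standby: the AC with the higher priority is the active AC and the AC with the lower priority is the standby AC. A smaller value means a higher priority. If the priorities are equal, the AC that allows more APs to connect is the active AC; if the number of APs allowed is also equal, the AC that allows more users to connect is the active AC; if all of these are equal, the AC with the smaller IP address is the active AC.
[AC_1-wlan-view] batch ap 1 priority 3
[AC_1-wlan-view] wlan ac protect priority 6 protect-ac 192.168.10.3
# On AC_2, batch-configure the individual priority for the AP, the IP address of standby AC_3, and the AC global priority for N+1 backup.
[AC_2-wlan-view] batch ap 1 priority 3
[AC_2-wlan-view] wlan ac protect priority 6 protect-ac 192.168.10.3
# On AC_3, batch-configure the IP address of the active AC for each AP and configure the global priority for N+1 backup.
[AC_3-wlan-view] batch ap 1 protect-ac 192.168.10.1
[AC_3-wlan-view] batch ap 2 protect-ac 192.168.10.2
[AC_3-wlan-view] wlan ac protect priority 5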
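The election rule in the note above, applied to the priorities configured in this step, as an added Python example (not from the original guide). It assumes that a per-AP individual priority, when configured, takes precedence over the AC's global priority, which is consistent with the "AC priority: 3" shown for AP 1 in the verification output; the capacity figures and all class and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AC:
    name: str
    ip: str
    global_priority: int          # "wlan ac protect priority N"
    max_aps: int                  # constructed capacity, not from the page
    max_users: int                # constructed capacity, not from the page
    ap_priority: dict = field(default_factory=dict)  # "batch ap ... priority N"

    def priority_for(self, ap):
        # Assumption: a per-AP (individual) priority overrides the global one.
        return self.ap_priority.get(ap, self.global_priority)

def rank(acs, ap):
    """Order the candidate ACs for one AP, preferred (active) AC first."""
    return sorted(acs, key=lambda ac: (
        ac.priority_for(ap),                 # smaller value = higher priority
        -ac.max_aps,                         # tie: more APs allowed wins
        -ac.max_users,                       # tie: more users allowed wins
        int(ipaddress.ip_address(ac.ip)),    # tie: smaller IP address wins
    ))

def serving_ac(acs, ap, reachable):
    """Name of the AC that serves `ap` when only `reachable` ACs have a live link."""
    live = [ac for ac in acs if ac.name in reachable]
    return rank(live, ap)[0].name if live else None

# Priorities and addresses from step 7; capacities are constructed and equal.
AC_1 = AC("AC_1", "192.168.10.1", 6, 128, 2048, {"AP_1": 3})
AC_2 = AC("AC_2", "192.168.10.2", 6, 128, 2048, {"AP_2": 3})
AC_3 = AC("AC_3", "192.168.10.3", 5, 128, 2048)
```

Under that assumption, removing the per-AP priority 3 from AC_1 would make AC_3 (global priority 5) outrank AC_1 (global priority 6) for AP_1.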
# On AC_1, enable the N+1 backup function and restart all APs so that N+1 backup takes effect.
Note: By default, the N+1 backup function is enabled, and running the wlan ac protect disable command returns an Error. You then need to run ap-reset all on the active AC to restart all APs; N+1 backup takes effect after the APs restart.
[AC_1-wlan-view] wlan ac protect disable
Error: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP! Continue? [Y/N]y
# On AC_2, enable the N+1 backup function and restart all APs so that N+1 backup takes effect.
[AC_2-wlan-view] wlan ac protect disable
Error: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP! Continue? [Y/N]y
# On AC_3, turn on the revertive switchover function and enable the N+1 backup function.
[AC_3-wlan-view] wlan ac protect restore enable
[AC_3-wlan-view] wlan ac protect disable
Error: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP! Continue? [Y/N]y
8. Verify the configuration
# On active AC_1, run the display wlan ac protect and display ap id 1 commands to view the N+1 backup information on the AC.
[AC_1-wlan-view] display wlan ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 192.168.10.3
Priority : 6
Protect restore : enable
Coldbackup kickoff station: disable
------------------------------------------------------------
[AC_1-wlan-view] display ap id 1
AP 1 detail information:
------------------------------------------------------------------------------
AP type ID: 19
AP type: AP6010DN-AGN
AP profile ID: 0
AP region ID: 10
Sysname: ap-1
Keep-Service: Disable
AP access priority mode: Priority Access 5GHz Radio
State: normal
AP mac address: 60de-4476-e360
AP sn: 210235419610CB002287
AP static IP address: -
AP performance-statistic cycle: 15 minutes
AP System Network: -
AP lineport total number: 1
lineport MTU: 9216
lineport MAC: 60de-4476-e360
AP high temperature threshold(°C): 60
AP low temperature threshold(°C): -10
AC priority: 3
Protect ac IP address: 192.168.10.3
AP LLDP message-transmission delay time(s) : 2
AP LLDP message-transmission hold-multiplier : 4
AP LLDP message-transmission interval time(s): 30
AP LLDP restart delay time(s): 2
AP LLDP Admin Status: txrx
AP LLDP report interval time(s): 30
AP Management VLAN: -
AP configurable acl scope : 3000-3031
AP configurable acl scope : 6000-6031
AP configurable free-rule numbers : 96
AP Support 4-Way HandShake:Yes
Dynamic-blacklist : disable
Dynamic-blacklist aging-duration(s) : 600
Attack detection flood interval(s) : 60
Attack detection flood times : 300
Attack detection psk interval(s) : 60
Attack detection psk times : 20
AeroScout : disable
Ekahau : disable
------------------------------------------------------------------------------
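# On active AC_2, run the display wlan ac protect and display ap id 1 commands to view the N+1 backup information on the AC.
# On standby AC_3, run the display wlan ac protect, display ap id 1, and display ap id 2 commands to view the N+1 backup information on the AC.
Wireless users under the APs can discover the WLAN with SSID "huawei1" or "huawei2" and go online normally.
When the links between the APs and AC_1 and AC_2 are interrupted, AC_3 switches to the active AC role, keeping the service stable.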





