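In 2016 a few friends and I took on a small job. The client was a software development company that builds mobile fitness apps, and the boss and a couple of IT guys set fairly high requirements for the wireless network. The equipment came from the domestic "chrysanthemum" vendor. At the time my grasp of many wireless concepts stopped at knowing they existed, without any deep understanding. After pulling an all-nighter and handing the work over to the client, I wrote up a short summary, which I am digging out here as a memento.

Add interfaces GE0/0/1 through GE0/0/5 to VLAN100 (the AP management VLAN, used for communication between the AC and the APs).
The configuration on interfaces GE0/0/1 through GE0/0/5 is identical; GE0/0/1 is used as the example.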
system-view
sysname MaLa-Switch
vlan batch 100
interface gigabitethernet 0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
quit
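# On the switch, create VLANIF100 through VLANIF103, VLANIF200 and VLANIF201 and configure their IP addresses. VLANIF100 is the gateway for the APs, VLANIF101 the gateway for office users, VLANIF102 the gateway for development staff, and VLANIF103 the gateway for guest users. Then add switch interface GE0/0/6 to VLAN101 through VLAN103 (the service VLANs) and VLAN200, to carry service traffic and traffic to and from the switch, and add interface GE0/0/24 to VLAN201 for communication between the switch and the router.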
interface vlanif 100
ip address 172.16.100.254 24
quit
interface vlanif 101
ip address 172.16.101.254 24
quit
interface vlanif 102
ip address 172.16.102.254 24
quit
interface vlanif 103
ip address 172.16.103.254 24
quit
int vlanif 200
ip add 10.10.200.2 24
quit
int vlanif 201
ip add 10.10.201.2 24
quit
interface gigabitethernet 0/0/6
port link-type trunk
port trunk allow-pass vlan 101 to 103 200
quit
interface gigabitethernet 0/0/24
port link-type trunk
port trunk allow-pass vlan 201
quit
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 101 to 103 200
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.10.200.1 24
[AC-Vlanif200] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 to 103 200
[AC-GigabitEthernet0/0/1] quit
ip route-static 172.16.100.0 24 10.10.201.2
ip route-static 172.16.101.0 24 10.10.201.2
ip route-static 172.16.102.0 24 10.10.201.2
ip route-static 172.16.103.0 24 10.10.201.2
[Switch_B] ip route-static 0.0.0.0 0.0.0.0 10.10.201.1
[AC] ip route-static 172.16.100.0 24 10.10.200.2
Step 2: Configure DHCP services to assign IP addresses to the APs and client devices
dhcp enable
ip pool ap
network 172.16.100.0 mask 24
gateway-list 172.16.100.254
option 43 sub-option 3 ascii 10.10.200.1
quit
ip pool BanGong
network 172.16.101.0 mask 24
gateway-list 172.16.101.254
Dns-list 114.114.114.114
quit
ip pool KaiFa
network 172.16.102.0 mask 24
gateway-list 172.16.102.254
Dns-list 114.114.114.114
quit
ip pool Guest
network 172.16.103.0 mask 24
gateway-list 172.16.103.254
Dns-list 114.114.114.114
quit
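Step 3: Configure VLAN pools to carry the wireless service VLANs
Note: The VLAN pool concept in this example works as follows: VLANs are used on the AC to isolate clients. When there are many clients, for example more than 255, a single VLAN pool can contain two or more VLANs, each corresponding to one subnet; separating the users' broadcast domains reduces the impact on wireless network performance. The VLAN assignment algorithm is configured as "hash". "hash" is the default assignment algorithm, so if the default has not been changed, the assignment hash command does not need to be run.
The VLAN pool in this example only adds VLAN101 and VLAN102 as an illustration. In practice multiple VLANs can be added to a VLAN pool using the same method as for VLAN101 and VLAN102; the corresponding VLANIF interfaces and IP addresses must also be created on Switch_B, and IP address pools configured on the Router.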
vlan pool mala-BanGong
vlan 101
assignment hash
quit
vlan pool mala-KaiFa
vlan 102
assignment hash
quit
vlan pool mala-Guest
vlan 103
assignment hash
quit
Step 4: Configure the APs to come online
[AC] wlan
[AC-wlan-view] ap-group name MaLa-BanGong
[AC-wlan-ap-group-BanGong] quit
[AC-wlan-view] ap-group name MaLa-KaiFa
[AC-wlan-ap-group-KaiFa] quit
[AC-wlan-view] ap-group name MaLa-Guest
[AC-wlan-ap-group-Guest] quit
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name MaLa-BanGong
[AC-wlan-ap-group-Mala-bangong] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-Mala-banggong] quit
[AC-wlan-view] ap-group name MaLa-KaiFa
[AC-wlan-ap-group-Mala-kaifa] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-Mala-kaifa] quit
[AC-wlan-view] ap-group name MaLa-Guest
[AC-wlan-ap-group-MaLa-Guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-MaLa-Guest] quit
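[AC] capwap source interface vlanif 200
# This command is very important!!
The APs in the area are all added to AP group "MaLa-BanGong", and those deployed in the second-floor office area are added to "Mala-kaifa". Each AP is also named according to where it is deployed, so that its location can be read from its name. For example, the AP with MAC address 60de-4474-9640 is deployed in room 1 on the second floor of the office area and is named "Bangong-AP1".
Note
The ap auth-mode command defaults to MAC authentication; if the default has not been changed, ap auth-mode mac-auth does not need to be run.
The AP used in this example is the AP6010DN-AGN, which has two radios, radio 0 and radio 1. Radio 0 of the AP6010DN-AGN is the 2.4 GHz radio and radio 1 is the 5 GHz radio.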
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name ap1
[AC-wlan-ap-0] ap-group mala-bangong
Warning: This operation may cause AP reset. If the country code changes, it will clear channel,power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name ap2
[AC-wlan-ap-1] ap-group mala-bangong
Warning: This operation may cause AP reset. If the country code changes, it will clear channel,power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name ap3
[AC-wlan-ap-2] ap-group mala-kaifa
Warning: This operation may cause AP reset. If the country code changes, it will clear channel,power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4474-9660
[AC-wlan-ap-3] ap-name mala-kaifa
[AC-wlan-ap-3] ap-group mala-kaifa
Warning: This operation may cause AP reset. If the country code changes, it will clear channel,power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 5 ap-mac 60de-4474-9660
[AC-wlan-ap-3] ap-name ap5
[AC-wlan-ap-3] ap-group mala-guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel,power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
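Step 5: Configure WLAN service parameters
Note: This example uses a WPA2+PSK+AES security policy, with the passwords "a1234567" and "b1234567". In a real deployment, configure a security policy that meets your actual requirements.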
[AC-wlan-view] security-profile name mala-bangong
[AC-wlan-sec-prof-guest] security wpa2 psk pass-phrase mala.bangong.com aes
[AC-wlan-sec-prof-guest] quit
[AC-wlan-view] security-profile name mala-kaifa
[AC-wlan-sec-prof-employee] security wpa2 psk pass-phrase mala.kaifa.com aes
[AC-wlan-sec-prof-employee] quit
[AC-wlan-view] security-profile name mala-guest
[AC-wlan-sec-prof-employee] security wpa2 psk pass-phrase mala.guest.com aes
[AC-wlan-sec-prof-employee] quit
[AC-wlan-view] ssid-profile name mala-bangong
[AC-wlan-ssid-prof-guest] ssid MaLa-BanGong
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name Mala-kaifa
[AC-wlan-ssid-prof-employee] ssid Mala-kaifa
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-employee] quit
[AC-wlan-view] ssid-profile name Mala-guest
[AC-wlan-ssid-prof-employee] ssid Mala-guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-employee] quit
VLAN, and reference the security profile and the SSID profile.
[AC-wlan-view] vap-profile name mala-bangong
[AC-wlan-vap-prof-guest] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-guest] service-vlan vlan-pool mala-bangong
[AC-wlan-vap-prof-guest] security-profile mala-bangong
[AC-wlan-vap-prof-guest] ssid-profile mala-bangong
[AC-wlan-vap-prof-guest] quit
The rest are configured in the same way and are not repeated here.
[AC-wlan-view] ap-group name mala-bangong
[AC-wlan-ap-group-guest] vap-profile mala-bangong wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile mala-bangong wlan 1 radio 1
[AC-wlan-ap-group-guest] quit
The rest are configured in the same way and are not repeated here.
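An added example (not from the original post or the Huawei guide): a small Python audit of the security-profile and ssid-profile lines from Step 5. It flags pre-shared keys that are short, that are built from the SSID or profile name (as "mala.bangong.com" is for "MaLa-BanGong"), or that contain a sequential digit run (as the sample password "a1234567" does). The sample text, the "doc-sample" profile, the random passphrase and the 12-character minimum are assumptions made for illustration.

```python
import re

# Constructed sample in the style of Step 5; "doc-sample" and the random passphrase are made up.
SAMPLE = """\
security-profile name mala-bangong
 security wpa2 psk pass-phrase mala.bangong.com aes
security-profile name doc-sample
 security wpa2 psk pass-phrase a1234567 aes
security-profile name mala-guest
 security wpa2 psk pass-phrase Vq7#tRz9!mK2xLp4Hd aes
ssid-profile name mala-bangong
 ssid MaLa-BanGong
"""
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")  # strips "[AC-wlan-view] " style prompts

def parse_profiles(text):  # -> ({profile: passphrase}, {profile: ssid})
    psk, ssid, kind, name = {}, {}, None, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if m := re.match(r"(security|ssid)-profile name (\S+)$", line):
            kind, name = m.group(1), m.group(2).lower()
        elif kind == "security" and (m := re.match(r"security wpa2 psk pass-phrase (\S+) aes$", line)):
            psk[name] = m.group(1)
        elif kind == "ssid" and (m := re.match(r"ssid (\S+)$", line)):
            ssid[name] = m.group(1)
    return psk, ssid

def letters(s):  # lower-case letters only, so "MaLa-BanGong" matches "mala.bangong"
    return re.sub(r"[^a-z]", "", s.lower())

def audit(text, min_len=12):  # min_len is an assumed policy value, not a standard
    """Map each security profile to its list of findings (empty list = none)."""
    psk, ssid = parse_profiles(text)
    report = {}
    for name, phrase in psk.items():
        found = []
        if not 8 <= len(phrase) <= 63:  # WPA2 ASCII passphrase limits
            found.append("outside 8-63 characters")
        elif len(phrase) < min_len:
            found.append(f"shorter than {min_len} characters")
        names = (letters(name), letters(ssid.get(name, "")))
        if any(len(n) >= 4 and n in letters(phrase) for n in names):
            found.append("derived from SSID or profile name")
        if re.search(r"0123|1234|2345|3456|4567|5678|6789", phrase):
            found.append("sequential digit run")
        report[name] = found
    return report

if __name__ == "__main__": print(audit(SAMPLE))
```

The parser also accepts lines that still carry the CLI prompt, so a saved session transcript can be passed to audit() directly.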
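4. Summary
Of course, wireless networking involves many more conceptual topics, for example the wireless frame structure, how CAPWAP works, active and passive client scanning, the AP onboarding and registration process, and other underlying principles. Huawei's official documentation covers these in detail, so they are not repeated here. The figures and most of the text in this article are also excerpted from the Huawei vendor document: AC6605&AC6005&AC6003&ACU2V200R006(C10&C20) Configuration Guide (CLI). If this infringes any rights, please contact the author and it will be removed promptly.
Compiled by: 路路 Email: ciscolulu@163.com August 2016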
Original article: http://blog.51cto.com/ciscolulu/2062801