H3C WLAN Device VLAN Deployment Guide
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced or distributed in any form by any organization or individual without the written permission of the company.
Except for the trademarks of New H3C Technologies Co., Ltd., the trademarks, product identifiers and trade names of other companies that appear in this manual belong to their respective owners.
The content of this document is general technical information; some of it may not apply to the product you purchased.
When using H3C WLAN devices, users often keep the default configuration to simplify deployment, that is, the management VLAN and the service VLAN are both VLAN 1. This leads to a variety of network problems and a poor user experience.
This document describes the recommended service VLAN and AP management VLAN configuration for the tunnel forwarding and local forwarding scenarios, to give better guidance for service network deployment and reduce such problems.
The management VLAN carries the packets forwarded through the CAPWAP tunnel, including management packets and the service data packets that are forwarded through the CAPWAP tunnel.
By default, AP management packets are sent without a VLAN tag; the access switch directly connected to the AP adds the VLAN tag to them. In practice, the PVID of the access switch interface directly connected to the AP should be set to the management VLAN.
Configure it as follows:
<Switch> system-view
[Switch] interface gigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
If no PVID is configured on the access switch directly connected to the AP, the switch tags the packets with VLAN 1 by default, so the AP's management VLAN becomes VLAN 1.
The management-vlan command covered here is not recommended; use it only for specific requirements, for example when you do not want the AP to use the default VLAN 1.
management-vlan is simply the management VLAN. As described above, in practice the management VLAN is configured on the access switch directly connected to the AP. If you do not want the AP to use the default VLAN 1, you can set the AP's management VLAN with the wlan management-vlan command. The access switch directly connected to the AP then only needs to permit that management VLAN; no PVID needs to be configured on the AP's access switch.
Configure it as follows:
Log in to the FIT AP and configure the command in the system view of the FIT AP.
<ap1> system-view
[ap1] wlan management-vlan 100
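To make the two AP management VLAN approaches above concrete, the following Python model is an added example (not code from the H3C guide) of how an 802.1Q trunk port handles untagged and tagged frames under the PVID and permit rules just described. The TrunkPort class and the three scenario functions are assumptions of this example; its defaults mirror the zero-configuration state (PVID 1, VLAN 1 permitted), and the method names echo the Comware commands only for readability.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TrunkPort:
    """Trunk port with the 802.1Q ingress/egress rules used in the guide.
    Defaults mirror the zero-configuration state: PVID 1, VLAN 1 permitted."""
    pvid: int = 1
    permitted: set = field(default_factory=lambda: {1})

    def port_trunk_permit_vlan(self, *vlans: int) -> None:
        self.permitted.update(vlans)

    def undo_port_trunk_permit_vlan(self, *vlans: int) -> None:
        self.permitted.difference_update(vlans)

    def port_trunk_pvid_vlan(self, vlan: int) -> None:
        self.pvid = vlan

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """Classify an incoming frame: untagged frames are assigned the PVID;
        a frame whose VLAN is not permitted on the port is dropped (None)."""
        vlan = self.pvid if tag is None else tag
        return vlan if vlan in self.permitted else None

    def egress(self, vlan: int) -> Optional[str]:
        """Send a frame out of the port: PVID frames leave untagged, other
        permitted VLANs leave tagged, non-permitted VLANs are dropped."""
        if vlan not in self.permitted:
            return None
        return "untagged" if vlan == self.pvid else f"tagged {vlan}"


def default_port_scenario() -> Optional[int]:
    """Zero configuration: the AP's untagged management frame lands in VLAN 1."""
    return TrunkPort().ingress(None)


def recommended_pvid_scenario() -> dict:
    """Access-switch configuration from the guide: trunk, VLAN 1 denied,
    PVID 100, VLAN 100 permitted (the AP itself stays untagged)."""
    port = TrunkPort()
    port.undo_port_trunk_permit_vlan(1)
    port.port_trunk_pvid_vlan(100)
    port.port_trunk_permit_vlan(100)
    return {
        "ap_untagged": port.ingress(None),   # assigned management VLAN 100
        "stray_vlan1": port.ingress(1),      # VLAN 1 no longer permitted: dropped
        "reply_to_ap": port.egress(100),     # PVID VLAN leaves untagged, as the AP expects
    }


def ap_management_vlan_scenario() -> dict:
    """wlan management-vlan 100 on the FIT AP: the AP tags its own management
    frames, so the switch port only needs to permit VLAN 100, no PVID change."""
    port = TrunkPort()
    port.undo_port_trunk_permit_vlan(1)
    port.port_trunk_permit_vlan(100)
    return {
        "ap_tagged_100": port.ingress(100),  # accepted in VLAN 100
        "reply_to_ap": port.egress(100),     # non-PVID VLAN leaves tagged
    }


if __name__ == "__main__":
    print("default:", default_port_scenario())
    print("pvid:", recommended_pvid_scenario())
    print("management-vlan:", ap_management_vlan_scenario())
```

The first scenario reproduces the problem the guide warns about (untagged AP traffic silently ends up in VLAN 1); the second and third show why either a PVID on the switch port or wlan management-vlan on the AP is sufficient on its own, and that in the management-vlan case the switch returns tagged frames, which is why no PVID is needed there.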
The service VLAN carries service data packets. If it is not configured, the default service VLAN is VLAN 1.
VLAN 1 exists by default. To allow zero-configuration use, the device adds its Layer 2 Ethernet ports to VLAN 1 by default. With zero configuration, the VLAN 1 broadcast domain becomes too large and packets are easily flooded within VLAN 1. Therefore, VLAN 1 is not recommended as the management VLAN or the service VLAN in WLAN network planning.
The best practice is for the service VLAN and the management VLAN to be different, and for neither of them to be VLAN 1.
The following sections describe the management VLAN and service VLAN configuration requirements and configuration examples for tunnel forwarding mode and local forwarding mode.
In bypass networking with tunnel forwarding, both the management VLAN and the service VLAN must be created on the AC. The network between the AC and the APs must permit the management VLAN, and the network between the AC and the upstream network must permit the service VLAN.
In this example the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN configuration is as follows:
# Create VLAN 100, the management VLAN for AP access.
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
# Configure GigabitEthernet1/0/1, which connects the access switch to the AP, as a trunk port, deny VLAN 1, set the PVID to VLAN 100, and permit VLAN 100.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, which connects the access switch to the aggregation switch, as a trunk port, deny VLAN 1, and permit VLAN 100.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 and VLAN 200. VLAN 100 carries the CAPWAP tunnel traffic between the AC and the APs; VLAN 200 is the service VLAN for wireless client access.
<Aggregation Switch> system-view
[Aggregation Switch] vlan 100
[Aggregation Switch-vlan100] quit
[Aggregation Switch] vlan 200
[Aggregation Switch-vlan200] quit
# Configure GigabitEthernet1/0/2, which connects the aggregation switch to the access switch, as a trunk port, deny VLAN 1, and permit VLAN 100.
[Aggregation Switch] interface gigabitEthernet 1/0/2
[Aggregation Switch-GigabitEthernet1/0/2] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Aggregation Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, which connects the aggregation switch to the AC, as a trunk port, deny VLAN 1, and permit VLAN 100 and VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/1
[Aggregation Switch-GigabitEthernet1/0/1] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Aggregation Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/3, which connects the aggregation switch to the core switch, as a trunk port, deny VLAN 1, and permit VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/3
[Aggregation Switch-GigabitEthernet1/0/3] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/3] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/3] port trunk permit vlan 200
[Aggregation Switch-GigabitEthernet1/0/3] quit
# Create VLAN 100 to carry the CAPWAP tunnel traffic between the AC and the APs.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Create VLAN 200, the service VLAN through which clients access the wireless network.
[AC] vlan 200
[AC-vlan200] quit
# Configure GigabitEthernet1/0/1, which connects the AC to the aggregation switch, as a trunk port, deny VLAN 1, and permit VLAN 100 and VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200, through which clients access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, which connects the core switch to the aggregation switch, as a trunk port, deny VLAN 1, and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
In inline (directly connected) networking with tunnel forwarding, both the management VLAN and the service VLAN must be created on the AC. The network between the AC and the APs must permit the management VLAN, and the network between the AC and the upstream network must permit the service VLAN.
Figure 2-2 Tunnel forwarding mode: inline networking
In this example the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN configuration is as follows:
# Create VLAN 100, the management VLAN for AP access.
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
# Configure GigabitEthernet1/0/1, which connects the access switch to the AP, as a trunk port, deny VLAN 1, set the PVID to VLAN 100, and permit VLAN 100.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, which connects the access switch to the aggregation switch, as a trunk port, deny VLAN 1, and permit VLAN 100.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 to carry the CAPWAP tunnel traffic between the AC and the APs.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Create VLAN 200, the service VLAN through which clients access the wireless network.
[AC] vlan 200
[AC-vlan200] quit
# Configure GigabitEthernet1/0/2, which connects the AC to the access switch, as a trunk port, deny VLAN 1, and permit VLAN 100.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/2] port trunk permit vlan 100
[AC-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, which connects the AC to the core switch, as a trunk port, deny VLAN 1, and permit VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 200
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200, through which clients access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, which connects the core switch to the AC, as a trunk port, deny VLAN 1, and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
In bypass networking with local forwarding, the management VLAN must be created on the AC; whether the service VLAN must also be created on the AC depends on the situation. The network devices between the AC and the APs must permit the management VLAN, and the network devices between the APs and the upstream network must permit the service VLAN.
· If the user gateway is on the AC, the service VLAN must be created on the AC.
· If the user gateway is not on the AC, the actual service data does not pass through the AC, so the service VLAN generally does not need to be created locally on the AC. However, if the authentication method is 802.1X, the authentication packets must be forwarded through the CAPWAP tunnel, so the service VLAN must already exist on the AC.
Figure 2-3 Local forwarding mode: bypass networking
In this example the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN configuration is as follows:
# Edit the AP configuration file in a text editor, name it map.txt, and upload it to the AC's storage medium. The content and format of the file are as follows:
System-view
vlan 200
interface gigabitethernet1/0/1
port link-type trunk
port trunk permit vlan 200
# Create VLAN 100 and VLAN 200. VLAN 100 carries the CAPWAP tunnel traffic between the AC and the APs; VLAN 200 is the service VLAN for wireless client access.
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
[Access Switch] vlan 200
[Access Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, which connects the access switch to the AP, as a trunk port, deny VLAN 1, set the PVID to VLAN 100, and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, which connects the access switch to the aggregation switch, as a trunk port, deny VLAN 1, and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 and VLAN 200. VLAN 100 carries the CAPWAP tunnel traffic between the AC and the APs; VLAN 200 is the service VLAN for wireless client access.
<Aggregation Switch> system-view
[Aggregation Switch] vlan 100
[Aggregation Switch-vlan100] quit
[Aggregation Switch] vlan 200
[Aggregation Switch-vlan200] quit
# Configure GigabitEthernet1/0/2, which connects the aggregation switch to the access switch, as a trunk port, deny VLAN 1, and permit VLAN 100 and VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/2
[Aggregation Switch-GigabitEthernet1/0/2] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Aggregation Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, which connects the aggregation switch to the AC, as a trunk port, deny VLAN 1, and permit VLAN 100.
[Aggregation Switch] interface gigabitEthernet 1/0/1
[Aggregation Switch-GigabitEthernet1/0/1] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Aggregation Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/3, which connects the aggregation switch to the core switch, as a trunk port, deny VLAN 1, and permit VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/3
[Aggregation Switch-GigabitEthernet1/0/3] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/3] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/3] port trunk permit vlan 200
[Aggregation Switch-GigabitEthernet1/0/3] quit
# Create VLAN 100 to carry the CAPWAP tunnel traffic between the AC and the APs.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Configure GigabitEthernet1/0/1, which connects the AC to the aggregation switch, as a trunk port, deny VLAN 1, and permit VLAN 100.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200, through which clients access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, which connects the core switch to the aggregation switch, as a trunk port, deny VLAN 1, and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
In inline (directly connected) networking with local forwarding, both the management VLAN and the service VLAN must be created on the AC. In addition, the network devices between the AC and the APs must permit the management VLAN, and the network devices between the APs and the upstream network must permit the service VLAN.
Figure 2-4 Local forwarding mode: inline networking
In this example the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN configuration is as follows:
# Edit the AP configuration file in a text editor, name it map.txt, and upload it to the AC's storage medium. The content and format of the file are as follows:
System-view
vlan 200
interface gigabitethernet1/0/1
port link-type trunk
port trunk permit vlan 200
# Create VLAN 100 and VLAN 200. VLAN 100 carries the CAPWAP tunnel traffic between the AC and the APs; VLAN 200 is the service VLAN for wireless client access.
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
[Access Switch] vlan 200
[Access Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, which connects the access switch to the AP, as a trunk port, deny VLAN 1, set the PVID to VLAN 100, and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, which connects the access switch to the AC, as a trunk port, deny VLAN 1, and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 to carry the CAPWAP tunnel traffic between the AC and the APs.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Create VLAN 200, the service VLAN through which clients access the wireless network.
[AC] vlan 200
[AC-vlan200] quit
# Configure GigabitEthernet1/0/2, which connects the AC to the access switch, as a trunk port, deny VLAN 1, and permit VLAN 100 and VLAN 200.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, which connects the AC to the core switch, as a trunk port, deny VLAN 1, and permit VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 200
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200, through which clients access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, which connects the core switch to the AC, as a trunk port, deny VLAN 1, and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
All VLANs have been permitted, but clients cannot come online.
An intermediate network device may not have created the VLAN that corresponds to the VLAN tag carried in the packets.
Check whether each intermediate network device has created the VLAN corresponding to the VLAN tag carried in the packets. If the VLAN has not been created, create it; if it has already been created, check whether the rest of the network configuration is correct.
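The four configuration examples above and this troubleshooting entry share one practical check: on every device along a VLAN's path, the VLAN must be created, the transit ports must be trunks that permit it and deny VLAN 1, and the AP-facing port must carry the management VLAN as its PVID. The following Python script is an added example, not code from the H3C guide. It parses CLI lines in the bracketed device-context format used in the examples above (GOOD_CONFIG is a constructed subset of the bypass/tunnel-forwarding example with prompts and quit lines omitted), and BROKEN_CONFIG is a constructed copy in which the aggregation switch lacks vlan 100, reproducing the symptom of this entry. The hop list, the parse and audit_path functions, and the message wording are assumptions of this example; audit_path works for any VLAN and hop list, not only the management VLAN shown.

```python
import re
from dataclasses import dataclass, field

# "[Device-Context] command" as shown in the guide's examples; device names contain no "-".
CTX_RE = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<ctx>[^\]]+))?\]\s*(?P<cmd>.+)$")


@dataclass
class Iface:
    link_type: str = "access"
    pvid: int = 1                                   # Comware default PVID
    permitted: set = field(default_factory=lambda: {1})  # trunk permits VLAN 1 by default


@dataclass
class Device:
    vlans: set = field(default_factory=lambda: {1})  # VLAN 1 always exists
    ifaces: dict = field(default_factory=dict)


def _vlan_list(tokens):
    """Expand 'permit vlan 100 200' or 'permit vlan 100 to 102' into a set of IDs."""
    out, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.add(int(tokens[i]))
            i += 1
    return out


def parse(text):
    """Build {device: Device} from bracketed-context CLI lines; other lines are ignored."""
    devices = {}
    for line in text.splitlines():
        m = CTX_RE.match(line.strip())
        if not m:
            continue
        dev = devices.setdefault(m["dev"], Device())
        ctx, cmd = m["ctx"], m["cmd"].split()
        if ctx is None and cmd[0] == "vlan" and len(cmd) > 1:
            dev.vlans.add(int(cmd[1]))
        elif ctx and ctx.lower().startswith("gigabitethernet"):
            iface = dev.ifaces.setdefault(ctx, Iface())
            if cmd[:3] == ["port", "link-type", "trunk"]:
                iface.link_type = "trunk"
            elif cmd[:4] == ["port", "trunk", "pvid", "vlan"]:
                iface.pvid = int(cmd[4])
            elif cmd[:4] == ["port", "trunk", "permit", "vlan"]:
                iface.permitted |= _vlan_list(cmd[4:])
            elif cmd[:5] == ["undo", "port", "trunk", "permit", "vlan"]:
                iface.permitted -= _vlan_list(cmd[5:])
    return devices


def audit_path(devices, hops, vlan, ap_port=None):
    """Walk (device, interface) hops and list everything that would stop `vlan`
    from passing end to end; an empty list means the path is clean."""
    findings, seen = [], set()
    for dev_name, if_name in hops:
        dev = devices.get(dev_name)
        if dev is None:
            findings.append(f"{dev_name}: no configuration found")
            continue
        if dev_name not in seen:                      # report a missing VLAN once per device
            seen.add(dev_name)
            if vlan not in dev.vlans:
                findings.append(f"{dev_name}: VLAN {vlan} not created")
        iface = dev.ifaces.get(if_name)
        if iface is None or iface.link_type != "trunk":
            findings.append(f"{dev_name} {if_name}: not a trunk port")
            continue
        if vlan not in iface.permitted:
            findings.append(f"{dev_name} {if_name}: VLAN {vlan} not permitted")
        if 1 in iface.permitted:
            findings.append(f"{dev_name} {if_name}: VLAN 1 still permitted")
        if (dev_name, if_name) == ap_port and iface.pvid != vlan:
            findings.append(f"{dev_name} {if_name}: PVID {iface.pvid}, expected {vlan}")
    return findings


# Constructed subset of the bypass + tunnel forwarding example (management VLAN 100 path).
GOOD_CONFIG = """
[Access Switch] vlan 100
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Aggregation Switch] vlan 100
[Aggregation Switch] vlan 200
[Aggregation Switch-GigabitEthernet1/0/2] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Aggregation Switch-GigabitEthernet1/0/1] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC] vlan 100
[AC] vlan 200
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
"""
# Constructed fault: the aggregation switch never created VLAN 100.
BROKEN_CONFIG = GOOD_CONFIG.replace("[Aggregation Switch] vlan 100\n", "")

# AP -> access switch -> aggregation switch -> AC, as in the bypass/tunnel topology.
MGMT_PATH = [("Access Switch", "GigabitEthernet1/0/1"), ("Access Switch", "GigabitEthernet1/0/2"),
             ("Aggregation Switch", "GigabitEthernet1/0/2"), ("Aggregation Switch", "GigabitEthernet1/0/1"),
             ("AC", "GigabitEthernet1/0/1")]
AP_PORT = ("Access Switch", "GigabitEthernet1/0/1")


def audit_good():
    return audit_path(parse(GOOD_CONFIG), MGMT_PATH, 100, ap_port=AP_PORT)


def audit_broken():
    return audit_path(parse(BROKEN_CONFIG), MGMT_PATH, 100, ap_port=AP_PORT)


if __name__ == "__main__":
    print("good:", audit_good() or "clean")
    print("broken:", audit_broken())
```

Running the script prints an empty finding list for the guide's configuration and a single "Aggregation Switch: VLAN 100 not created" line for the broken copy, which is exactly the condition the troubleshooting entry tells you to look for. To audit the service VLAN instead, pass 200 and the hops from the AP-facing port up to the core switch without an ap_port argument.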