
50-H3C Wireless Controller WLAN Policy-Based Forwarding Dual-Gateway Scenario Configuration Example (V7)



H3C Wireless Controllers

WLAN Policy-Based Forwarding Dual-Gateway Scenario Configuration Example (V7)


Copyright © 2019 New H3C Technologies Co., Ltd. All rights reserved.

No part of this document may be excerpted, reproduced or distributed in any form by any unit or individual without the prior written consent of the company.

Except for the trademarks of New H3C Technologies Co., Ltd., the trademarks, product identifiers and trade names of other companies appearing in this manual are the property of their respective owners.

The information in this document is subject to change without notice.



1  Introduction

This document describes a configuration example for a WLAN dual-gateway scenario based on policy forwarding: branch APs register with a headquarters AC across the Internet, tunnel headquarters-bound client traffic to the AC, and forward Internet-bound client traffic locally.

2  Prerequisites

This document is not tied to specific software or hardware versions. If the behaviour of your product differs from what is described here, go by the actual product.

The configurations in this document were made and verified in a lab environment, with all device parameters at factory defaults before configuration. If the devices have already been configured, make sure the existing configuration does not conflict with the configuration in this example.

This document assumes familiarity with the WLAN access, AP management, NAT and DHCP features.

3  Configuration example

3.1  Network requirements

As shown in Figure 1, a company has a large number of branch sites or offices, and the APs at every branch register with the AC across the Internet. Based on the destination address, an AP decides whether a client packet is forwarded centrally to the headquarters intranet or locally out to the Internet. Router A is the branch router and Router B is the headquarters router. The requirements are:

·            The AP obtains its IP address from Router A;

·            The AP registers with the AC across the Internet;

·            Clients obtain their IP addresses and DNS resolution from the AC;

·            Clients reach the public Internet through local forwarding on the AP and reach the headquarters intranet through centralized forwarding on the AC.

Figure 1 Network diagram for the WLAN policy-based forwarding dual-gateway scenario

The addresses used throughout the configuration that follows: the AP sits in 192.168.10.0/24 behind Router A, whose public NAT address is 202.20.1.20; the AC has the private address 192.168.1.111 and is reached through Router B's public address 202.202.1.22; clients are assigned addresses in 172.16.4.0/24, and the headquarters intranet is 172.16.5.0/24.

3.2  Configuration approach

·            So that branch APs can establish connections across the Internet with the AC at headquarters, Option 43 is configured on Router A to hand the APs the AC's address explicitly. So that the APs can reach the AC at headquarters over the public network, NAT is configured on Router A and Router B.

·            A real deployment has many branches and therefore many APs. To simplify configuration, the auto AP and auto AP persistence features are enabled on the AC.

·            Because different networks are reached with different forwarding modes, a wireless forwarding policy is configured on the AC.

·            So that client traffic forwarded locally by the AP can leave through the AP's uplink, the AP needs its own interface in the client VLAN and a NAT rule for the client subnet. These commands are written into an AP configuration file with a text editor, and the file is uploaded to the AC's storage medium for delivery to the APs.

·            Before configuring this example, make sure the devices in the network have routes to each other.

3.3  Configuration procedure

3.3.1  Configure Router A

(1)       Configure DHCP

# Enable the DHCP server.

<RouterA> system-view

[RouterA] dhcp enable

# Configure DHCP address pool ap, which assigns IP addresses to the APs.

[RouterA] dhcp server ip-pool ap

[RouterA-dhcp-pool-ap] network 192.168.10.0 mask 255.255.255.0

[RouterA-dhcp-pool-ap] gateway-list 192.168.10.1

# Configure the content of Option 43 as a custom option, giving the AP the address of Router B, 202.202.1.22. Because a NAT mapping is configured on Router B, the AP reaches the AC through that mapping. In the hex string, 80 is the sub-option type, 07 the length of what follows, 0000 the server type (IPv4 address list), 01 the number of addresses, and CACA0116 is 202.202.1.22.

[RouterA-dhcp-pool-ap] option 43 hex 8007000001CACA0116

[RouterA-dhcp-pool-ap] quit
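The hex string above is easy to get wrong by hand. The following Python is an added example, not part of the H3C documentation: it encodes and decodes the sub-option layout that this value follows (sub-option type 0x80, a length byte, a 2-byte server type of 0x0000 for IPv4 AC addresses, a count byte, then 4-byte addresses) and rejects malformed payloads. The constant and function names are the example's own. It also makes the trust property of this discovery method visible: the AP takes its AC address from whatever DHCP server answers on its VLAN, and nothing in the option authenticates that answer, so the decoder can check structure but not origin.

```python
"""Encode/decode the AP-discovery payload carried in DHCP Option 43.

Added example, not H3C code. Field names are this example's own; the
layout is the one the page's value 8007000001CACA0116 follows.
"""
import struct
from ipaddress import IPv4Address
from typing import List

SUBOPT_AC_ADDR = 0x80      # sub-option type used for the AC address list
SERVER_TYPE_IPV4 = 0x0000  # 2-byte server type: list of IPv4 addresses


def encode_ac_list(acs: List[str]) -> bytes:
    """Build the Option 43 payload for one or more AC (or NAT front) addresses."""
    if not 1 <= len(acs) <= 255:
        raise ValueError("need 1..255 AC addresses")
    body = struct.pack("!HB", SERVER_TYPE_IPV4, len(acs))
    body += b"".join(IPv4Address(a).packed for a in acs)
    if len(body) > 255:
        raise ValueError("payload exceeds the one-byte length field")
    return struct.pack("!BB", SUBOPT_AC_ADDR, len(body)) + body


def decode_ac_list(payload: bytes) -> List[str]:
    """Parse a payload back to dotted-quad addresses, refusing anything inconsistent."""
    if len(payload) < 5:
        raise ValueError("payload too short for header + one address")
    subopt, length = struct.unpack("!BB", payload[:2])
    if subopt != SUBOPT_AC_ADDR:
        raise ValueError(f"unexpected sub-option type 0x{subopt:02x}")
    body = payload[2:]
    if len(body) != length:
        raise ValueError(f"length byte {length} != {len(body)} payload bytes")
    server_type, count = struct.unpack("!HB", body[:3])
    if server_type != SERVER_TYPE_IPV4:
        raise ValueError(f"unsupported server type 0x{server_type:04x}")
    addrs = body[3:]
    if len(addrs) != 4 * count:
        raise ValueError(f"count {count} does not match {len(addrs)} address bytes")
    return [str(IPv4Address(addrs[i:i + 4])) for i in range(0, len(addrs), 4)]


def option43_from_hex(hexstr: str) -> List[str]:
    """Decode the string as typed after 'option 43 hex' on the router."""
    return decode_ac_list(bytes.fromhex(hexstr))


def cli_hex(acs: List[str]) -> str:
    """Produce the string to paste after 'option 43 hex'."""
    return encode_ac_list(acs).hex().upper()


if __name__ == "__main__":
    page_value = "8007000001CACA0116"          # Router A's value on this page
    print(option43_from_hex(page_value))        # ['202.202.1.22']
    print(cli_hex(["202.202.1.22", "202.202.1.23"]))  # two-AC variant
```

Running the block prints the decoded address for the page's value and the hex string for a two-address variant; in a deployment the decoder is the useful half, because it lets you verify a captured DHCP offer really points the AP at the address you intended.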

(2)       Configure NAT so that the AP can reach the public network.

# Configure address group 0, containing the public address 202.20.1.20.

[RouterA] nat address-group 0

[RouterA-address-group-0] address 202.20.1.20 202.20.1.20

[RouterA-address-group-0] quit

# Configure basic ACL 2000 so that only packets from APs in the internal 192.168.10.0/24 segment are translated.

[RouterA] acl basic 2000

[RouterA-acl-ipv4-basic-2000] rule permit source 192.168.10.0 0.0.0.255

[RouterA-acl-ipv4-basic-2000] quit

# On interface GigabitEthernet1/0/2, configure outbound dynamic NAT that translates the source address of packets matching ACL 2000 to an address from address group 0.

[RouterA] interface gigabitethernet 1/0/2

[RouterA-GigabitEthernet1/0/2] nat outbound 2000 address-group 0

[RouterA-GigabitEthernet1/0/2] quit

[RouterA] quit

3.3.2  Configure Router B

(1)       Configure NAT so that the AP can reach the AC.

# Configure advanced ACL 3000, matching packets from the 202.20.1.0/24 segment that are destined for the AC's public address 202.202.1.22. Note that the rule permits every protocol and port from the whole /24; in production, narrow the source to the branch NAT addresses and the protocol to the UDP ports the AC's CAPWAP tunnel uses.

<RouterB> system-view

[RouterB] acl advanced 3000

[RouterB-acl-ipv4-adv-3000] rule 0 permit ip source 202.20.1.0 0.0.0.255 destination 202.202.1.22 0

[RouterB-acl-ipv4-adv-3000] quit

# On interface GigabitEthernet1/0/1, configure an ACL-based NAT internal server that translates the destination address of every packet matching ACL 3000 to the same inside server address, the AC at 192.168.1.111.

[RouterB] interface gigabitethernet 1/0/1

[RouterB-GigabitEthernet1/0/1] nat server global 3000 inside 192.168.1.111

[RouterB-GigabitEthernet1/0/1] quit

[RouterB] quit

3.3.3  Configure the AC

(1)       Create the map-OnAP.txt file

# Create the file map-OnAP.txt locally and upload it to the AC. It contains the commands below, which the AP executes when it receives the file: create VLAN 2, give the AP the address 172.16.4.3 in the client VLAN, permit only VLAN 1 on the trunk uplink, and apply outbound NAT on Vlan-interface1 (the AP's management interface) to client addresses in 172.16.4.0/24 as matched by ACL 3000. Because the nat outbound command names no address group, the AP translates locally forwarded client traffic to its own interface address; Router A then translates it again to 202.20.1.20.

vlan 2

interface Vlan-interface1

 nat outbound 3000

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1

interface Vlan-interface2

 ip address 172.16.4.3 255.255.255.0

acl advanced 3000

 rule 0 permit ip source 172.16.4.0 0.0.0.255

(2)       Configure basic settings

# Configure the IP addresses of the interfaces according to the network diagram (not shown).

# Create VLAN 2 and assign Vlan-interface 2 the address 172.16.4.1/24.

<AC> system-view

[AC] vlan 2

[AC-vlan2] quit

[AC] interface vlan-interface 2

[AC-Vlan-interface2] ip address 172.16.4.1 255.255.255.0

[AC-Vlan-interface2] quit

# Add interface GigabitEthernet1/0/2 to VLAN 2 as a trunk port that carries VLAN 2 only.

[AC] interface gigabitethernet 1/0/2

[AC-GigabitEthernet1/0/2] port link-mode bridge

[AC-GigabitEthernet1/0/2] port link-type trunk

[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1

[AC-GigabitEthernet1/0/2] port trunk permit vlan 2

[AC-GigabitEthernet1/0/2] quit

# Configure routes from the AC to the branch and headquarters public address ranges (next hop 192.168.1.22) and to the headquarters intranet 172.16.5.0/24 (next hop 172.16.4.2).

[AC] ip route-static 202.20.1.0 24 192.168.1.22

[AC] ip route-static 202.202.1.0 24 192.168.1.22

[AC] ip route-static 172.16.5.0 24 172.16.4.2

(3)       Configure DHCP and DNS.

# Enable the DHCP server and configure address pool sta, which assigns IP addresses to clients.

[AC] dhcp enable

[AC] dhcp server ip-pool sta

[AC-dhcp-pool-sta] network 172.16.4.0 mask 255.255.255.0

[AC-dhcp-pool-sta] gateway-list 172.16.4.1

# Set the address of the corporate DNS server, 192.168.1.10.

[AC-dhcp-pool-sta] dns-list 192.168.1.10

# Exclude addresses that must not be assigned dynamically: the gateway address and the address reserved for the AP's interface in the client VLAN.

[AC-dhcp-pool-sta] forbidden-ip 172.16.4.1 172.16.4.3

[AC-dhcp-pool-sta] quit

(4)       Configure AP management.

# Enable auto AP and auto AP persistence. With these enabled, any AP that reaches the AC is admitted without being pre-configured by serial ID and is then saved as a manual AP, which is why the verification output in section 3.4 counts the AP as a manual AP. In this example the only thing bounding which APs can reach the AC is ACL 3000 on Router B.

[AC] wlan auto-ap enable

[AC] wlan auto-persistent enable

(5)       Configure the wireless forwarding policy

# Create IPv4 advanced ACL 3001 with the following rules: permit DNS packets, BOOTPC and BOOTPS packets, and packets with source 172.16.4.0/24 and destination 172.16.4.0/24 or 172.16.5.0/24. Rules 0 through 3 match on UDP port alone, with no source or destination address constraint.

[AC] acl advanced 3001

[AC-acl-ipv4-adv-3001] rule 0 permit udp source-port eq dns

[AC-acl-ipv4-adv-3001] rule 1 permit udp destination-port eq dns

[AC-acl-ipv4-adv-3001] rule 2 permit udp source-port eq bootpc

[AC-acl-ipv4-adv-3001] rule 3 permit udp destination-port eq bootps

[AC-acl-ipv4-adv-3001] rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.4.0 0.0.0.255

[AC-acl-ipv4-adv-3001] rule 5 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.5.0 0.0.0.255

[AC-acl-ipv4-adv-3001] quit

# Create wireless forwarding policy remote, which forwards packets matching ACL 3001 centrally, through the tunnel to the AC.

[AC] wlan forwarding-policy remote

[AC-wlan-fp-remote] classifier acl 3001 behavior remote

[AC-wlan-fp-remote] quit

# Create wireless service template chn with SSID CHN; clients that come online through it are placed in VLAN 2. No authentication or encryption is configured on the template, so the SSID is open (the client output in section 3.4 shows Open system and PRE-RSNA); a production deployment would add a security mode.

[AC] wlan service-template chn

[AC-wlan-st-chn] ssid CHN

[AC-wlan-st-chn] vlan 2

# Set the forwarding location to the AP, apply wireless forwarding policy remote, and enable the forwarding policy. Packets that match no rule of the policy's ACL follow the forwarding location, that is, they are forwarded locally by the AP.

[AC-wlan-st-chn] client forwarding-location ap

[AC-wlan-st-chn] client forwarding-policy-name remote

[AC-wlan-st-chn] client forwarding-policy enable

# Enable the service template.

[AC-wlan-st-chn] service-template enable

[AC-wlan-st-chn] quit
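To see which client packets the policy tunnels to headquarters and which it hands to the AP's local NAT, the following Python is an added example, not H3C code: it reproduces ACL 3001 exactly as configured above together with the policy's decision rule (the first matching rule sends the packet to behaviour remote; no match falls back to the template's client forwarding-location ap, i.e. local). Packet, Rule and forwarding_location are names of the example, and the sample packets are constructed. The last case shows a consequence of rules 0 to 3 matching on port alone: a client that sends UDP from source port 53 to any Internet address is centrally forwarded into the headquarters tunnel, so a stricter ACL would add address constraints, for instance the headquarters DNS server 192.168.1.10 as the destination of rule 1.

```python
"""Simulate the AC's policy-based forwarding decision for ACL 3001 / policy remote.

Added example, not H3C code. Rule order equals rule number, as on the page;
the first matching permit rule wins, and no match means local forwarding.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DNS, BOOTPS, BOOTPC = 53, 67, 68   # UDP ports the ACL names symbolically


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One 'rule N permit ...' line of an IPv4 advanced ACL; None means wildcard."""
    rule_id: int
    proto: Optional[str] = None      # None models 'permit ip' (any protocol)
    src: Optional[str] = None        # CIDR; the page's wildcard 0.0.0.255 is a /24
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


# acl advanced 3001, as configured on the AC in section 3.3.3 step (5)
ACL_3001: List[Rule] = [
    Rule(0, proto="udp", sport=DNS),
    Rule(1, proto="udp", dport=DNS),
    Rule(2, proto="udp", sport=BOOTPC),
    Rule(3, proto="udp", dport=BOOTPS),
    Rule(4, src="172.16.4.0/24", dst="172.16.4.0/24"),
    Rule(5, src="172.16.4.0/24", dst="172.16.5.0/24"),
]


def forwarding_location(p: Packet, acl: List[Rule] = ACL_3001,
                        default: str = "local") -> Tuple[str, Optional[int]]:
    """Classifier hit -> behaviour 'remote' (tunnelled to the AC); no hit -> the
    service template's 'client forwarding-location ap' (local forwarding)."""
    for rule in acl:
        if rule.matches(p):
            return "remote", rule.rule_id
    return default, None


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed sample packets from client 172.16.4.11 (not captured traffic)."""
    client = "172.16.4.11"
    cases = {
        "dns query to HQ resolver": Packet(client, "192.168.1.10", "udp", 51234, DNS),
        "dhcp discover":            Packet("0.0.0.0", "255.255.255.255", "udp", BOOTPC, BOOTPS),
        "ping HQ host":             Packet(client, "172.16.5.1", "icmp"),
        "ping AC-side gateway":     Packet(client, "172.16.4.2", "icmp"),
        "https to internet":        Packet(client, "202.202.1.188", "tcp", 40000, 443),
        # rule 0 matches on source port only: arbitrary UDP enters the HQ tunnel
        "udp from sport 53 to internet": Packet(client, "202.202.1.188", "udp", DNS, 4444),
    }
    return {name: forwarding_location(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (where, rid) in demo().items():
        print(f"{name:32s} -> {where:6s} (rule {rid})")
```

The first five cases reproduce the behaviour the verification section shows (headquarters pings and DNS through the tunnel, the Internet ping locally); the sixth is the one to run before signing off on a port-only rule.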

# Deliver the configuration file map-OnAP.txt to the APs: in AP group default-group, for AP model WA4320i-ACN, specify the file stored on the AC's flash.

[AC] wlan ap-group default-group

[AC-wlan-ap-group-default-group] ap-model WA4320i-ACN

[AC-wlan-ap-group-default-group-ap-model-WA4320i-ACN] map-configuration flash:/map-OnAP.txt

# Bind service template chn to radio 1 and enable the radio.

[AC-wlan-ap-group-default-group-ap-model-WA4320i-ACN] radio 1

[AC-wlan-ap-group-default-group-ap-model-WA4320i-ACN-radio-1] service-template chn

[AC-wlan-ap-group-default-group-ap-model-WA4320i-ACN-radio-1] radio enable

[AC-wlan-ap-group-default-group-ap-model-WA4320i-ACN-radio-1] quit

[AC-wlan-ap-group-default-group-ap-model-WA4320i-ACN] quit

[AC-wlan-ap-group-default-group] quit

3.4   Verify the configuration

# Display AP details on the AC. The AP has established a tunnel with the AC and is in Run state, the discovery type is DHCP (Option 43), and the AP address seen by the AC is the public address 202.20.1.20 (Router A's NAT address, not the AP's 192.168.10.0/24 address). The verbose output also shows Tunnel encryption : Disabled, which is worth checking when the tunnel crosses the Internet as it does here.

[AC] display wlan ap all

Total number of APs: 1

Total number of connected APs: 1

Total number of connected manual APs: 1

Total number of connected auto APs: 0

Total number of connected common APs: 1

Total number of connected WTUs: 0

Total number of inside APs: 0

Maximum supported APs: 2048

Remaining APs: 2047

Total AP licenses: 32

Remaining AP licenses: 31

 

                                 AP information

 State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad

         C = Config, DC = DataCheck, R = Run, M = Master, B = Backup

 

AP name                        APID  State Model           Serial ID

ap1                            2     R/M   WA4320i-ACN     210235A1GQC149001806

 

[AC] display wlan ap name ap1 verbose

AP name : ap1

AP ID : 2

AP group name : default-group

State : Run

Backup type : Master

Online time : 1 days 5 hours 25 minutes 22 seconds

System up time : 1 days 6 hours 30 minutes 4 seconds

Model : WA4320i-ACN

Region code : CN

Region code lock : Disabled

Serial ID : 210235A1GQC149001806

MAC address : 70f9-6dd3-61e0

IP address : 202.20.1.20

UDP control port number : 1099

UDP data port number : 1102

H/W version : Ver.C

S/W version : R2215

Boot version : 7.10

USB state : N/A

Power Level : N/A

PowerInfo : N/A

Description : Not configured

Priority : 4

Echo interval : 10 seconds

Echo count : 3 counts

Keepalive interval : 10 seconds

Statistics report interval : 50 seconds

Fragment size (data) : 1500

Fragment size (control) : 1450

MAC type : Local MAC & Split MAC

Tunnel mode : Local Bridging & 802.3 Frame & Native Frame

Discovery type : DHCP

Retransmission count : 3

Retransmission interval : 5 seconds

Firmware upgrade : Enabled

Sent control packets : 34001

Received control packets : 34001

Echo requests : 10591

Lost echo responses : 3

Average echo delay : 3

Last reboot reason : User soft reboot

Latest IP address : 202.20.1.20

Tunnel down reason : Processed join request in Run state

Connection count : 15

Backup Ipv4 : Not configured

Backup Ipv6 : Not configured

Tunnel encryption : Disabled

LED mode : Normal

Remote configuration : Disabled

Radio 1:

    Basic BSSID : 70f9-6dd3-61e0

    Admin state : Up

    Radio type : 802.11ac

    Antenna type : internal

    Client dot11ac-only : Disabled

    Client dot11n-only : Disabled

    Channel band-width : 20/40/80MHz

    Active band-width : 20/40/80MHz

    Secondary channel offset : SCA

    Short GI for 20MHz : Supported

    Short GI for 40MHz : Supported

    Short GI for 80MHz : Supported

    Short GI for 160MHz : Not supported

    A-MSDU : Enabled

    A-MPDU : Enabled

    LDPC : Not Supported

    STBC : Supported

    Operational VHT-MCS Set:

        Mandatory : Not configured

        Supported : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast : Not configured

    Operational HT MCS Set:

        Mandatory : Not configured

        Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast : Not configured

    Channel : 149(auto)

    Channel usage(%) : 0

    Max power : 20 dBm

    Operational rate:

        Mandatory : 6, 12, 24 Mbps

        Multicast : Auto

        Supported : 9, 18, 36, 48, 54 Mbps

        Disabled : Not configured

    Distance : 1 km

    ANI : Enabled

    Fragmentation threshold : 2346 bytes

    Beacon interval : 100 TU

    Protection threshold : 2346 bytes

    Long retry threshold : 4

    Short retry threshold : 7

    Maximum rx duration : 2000 ms

    Noise floor : -105 dBm

    Smart antenna : Enabled

    Smart antenna policy : Auto

    Protection mode : cts-to-self

    Continuous mode : N/A

    HT protection mode : No protection

Radio 2:

    Basic BSSID : 70f9-6dd3-61f0

    Admin state : Down

    Radio type : 802.11n(2.4GHz)

    Antenna type : internal

    Client dot11n-only : Disabled

    Channel band-width : 20MHz

    Active band-width : 20MHz

    Secondary channel offset : SCN

    Short GI for 20MHz : Supported

    Short GI for 40MHz : Supported

    A-MSDU : Enabled

    A-MPDU : Enabled

    LDPC : Not Supported

    STBC : Supported

    Operational HT MCS Set:

        Mandatory : Not configured

        Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast : Not configured

    Channel : 6(auto)

    Channel usage(%) : 0

    Max power : 20 dBm

    Preamble type : Short

    Operational rate:

        Mandatory : 1, 2, 5.5, 11 Mbps

        Multicast : Auto

        Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps

        Disabled : Not configured

    Distance : 1 km

    ANI : Enabled

    Fragmentation threshold : 2346 bytes

    Beacon interval : 100 TU

    Protection threshold : 2346 bytes

    Long retry threshold : 4

    Short retry threshold : 7

    Maximum rx duration : 2000 ms

    Noise floor : 0 dBm

    Smart antenna : Enabled

    Smart antenna policy : Auto

    Protection mode : cts-to-self

    Continuous mode : N/A

    HT protection mode : No protection

# Display client information on the AC. The client has been assigned an address in 172.16.4.0/24 and its forwarding policy is remote.

[AC] display wlan client

Total number of clients: 1

 

MAC address    User name  AP name        RID IP address      IPv6 address   VLAN

0015-005e-9348 N/A        ap1            1   172.16.4.11                    2

[AC] display wlan client verbose

Total number of clients: 1

 

 MAC address : 0015-005e-9348

 IPv4 address : 172.16.4.11

 IPv6 address : N/A

 Username : N/A

 AID : 1

 AP ID : 2

 AP name : ap1

 Radio ID : 1

 SSID : CHN

 BSSID : 70f9-6dd3-61e0

 VLAN ID : 2

 Sleep count : 0

 Wireless mode : 802.11an

 Channel bandwidth : 40MHz

 20/40 BSS Coexistence Management : Not supported

 SM power save : Disabled

 Short GI for 20MHz : Supported

 Short GI for 40MHz : Supported

 STBC RX capability : Supported

 STBC TX capability : Not supported

 LDPC RX capability : Not supported

 Block Ack : N/A

 Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15

 Supported rates : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

 QoS mode : WMM

 Listen interval : 100

 RSSI : 0

 Rx/Tx rate : 0/0

 Authentication method : Open system

 Security mode : PRE-RSNA

 AKM mode : N/A

 Cipher suite : N/A

 User authentication mode : Bypass

 Authorization ACL ID : N/A

 Authorization user profile : N/A

 Roam status : N/A

 Key derivation : N/A

 PMF status : N/A

 Forwarding policy name : remote

 Online time : 0days 0hours 0minutes 33seconds

 FT status : Inactive

# From the client, ping the headquarters-side addresses 172.16.4.2, 172.16.5.1 and 172.16.5.2; all succeed. These packets match rules 4 and 5 of ACL 3001 and travel through the tunnel to the AC.

C:\Users\h3c>ping 172.16.4.2

 

Pinging 172.16.4.2 with 32 bytes of data:

Reply from 172.16.4.2: bytes=32 time=6ms TTL=255

Reply from 172.16.4.2: bytes=32 time=3ms TTL=255

Reply from 172.16.4.2: bytes=32 time=6ms TTL=255

Reply from 172.16.4.2: bytes=32 time=1ms TTL=255

 

Ping statistics for 172.16.4.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 6ms, Average = 4ms

 

C:\Users\h3c>ping 172.16.5.1

 

Pinging 172.16.5.1 with 32 bytes of data:

Reply from 172.16.5.1: bytes=32 time=9ms TTL=255

Reply from 172.16.5.1: bytes=32 time=1ms TTL=255

Reply from 172.16.5.1: bytes=32 time=5ms TTL=255

Reply from 172.16.5.1: bytes=32 time=1ms TTL=255

 

Ping statistics for 172.16.5.1:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 9ms, Average = 4ms

 

C:\Users\h3c>ping 172.16.5.2

 

Pinging 172.16.5.2 with 32 bytes of data:

Reply from 172.16.5.2: bytes=32 time=8ms TTL=255

Reply from 172.16.5.2: bytes=32 time=2ms TTL=255

Reply from 172.16.5.2: bytes=32 time=5ms TTL=255

Reply from 172.16.5.2: bytes=32 time=3ms TTL=255

 

Ping statistics for 172.16.5.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 2ms, Maximum = 8ms, Average = 4ms

 

# From the client, ping the external site www.baidu.com; it succeeds. The name is resolved by the headquarters DNS server through the tunnel (rule 1 of ACL 3001), while the ICMP packets to the resolved address match no rule and are forwarded locally by the AP.

C:\Users\h3c>ping www.baidu.com

 

Pinging www.baidu.com [202.202.1.188] with 32 bytes of data:

Reply from 202.202.1.188: bytes=32 time=7ms TTL=255

Reply from 202.202.1.188: bytes=32 time=3ms TTL=255

Reply from 202.202.1.188: bytes=32 time=3ms TTL=255

Reply from 202.202.1.188: bytes=32 time=2ms TTL=255

 

Ping statistics for 202.202.1.188:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 2ms, Maximum = 7ms, Average = 3ms

3.5  Configuration files

·            Router A

#

nat address-group 0

 address 202.20.1.20 202.20.1.20

#

 dhcp enable

#

dhcp server ip-pool ap

 gateway-list 192.168.10.1

 network 192.168.10.0 mask 255.255.255.0

 option 43 hex 8007000001caca0116

#

interface GigabitEthernet1/0/2

 nat outbound 2000 address-group 0

#

acl basic 2000

 rule 0 permit source 192.168.10.0 0.0.0.255

#

·            Router B

#

interface GigabitEthernet1/0/1

 nat server global 3000 inside 192.168.1.111

#

acl advanced 3000

 rule 0 permit ip source 202.20.1.0 0.0.0.255 destination 202.202.1.22 0

#

·            AC

#

 dhcp enable

#

vlan 2

#

dhcp server ip-pool sta

 gateway-list 172.16.4.1

 network 172.16.4.0 mask 255.255.255.0

 dns-list 192.168.1.10

 forbidden-ip 172.16.4.1

 forbidden-ip 172.16.4.3

#

wlan forwarding-policy remote

 classifier acl 3001 behavior remote

#

wlan service-template chn

 ssid CHN

 vlan 2

 client forwarding-location ap

 client forwarding-policy-name remote

 client forwarding-policy enable

 service-template enable

#

interface Vlan-interface2

 ip address 172.16.4.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 2

#

 ip route-static 172.16.5.0 24 172.16.4.2

 ip route-static 202.20.1.0 24 192.168.1.22

 ip route-static 202.202.1.0 24 192.168.1.22

#

acl advanced 3001

 rule 0 permit udp source-port eq dns

 rule 1 permit udp destination-port eq dns

 rule 2 permit udp source-port eq bootpc

 rule 3 permit udp destination-port eq bootps

 rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.4.0 0.0.0.255

 rule 5 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.5.0 0.0.0.255

#

 wlan auto-ap enable

 wlan auto-persistent enable

#

wlan ap-group default-group

 ap-model WA4320i-ACN

  radio 1

   radio enable

   service-template chn

  radio 2

  gigabitethernet 1

  gigabitethernet 2

#

4  Related documentation

·            "WLAN Configuration Guide" in H3C Wireless Controller Products Configuration Guides.

·            "WLAN Command Reference" in H3C Wireless Controller Products Command References.

·            "Layer 3 - IP Services Configuration Guide" in H3C Wireless Controller Products Configuration Guides.

·            "Layer 3 - IP Services Command Reference" in H3C Wireless Controller Products Command References.

Documentation differs slightly between models and specifications; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the content of this documentation without notice.