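H3C WLAN Device VLAN Deployment Guide
Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced, or transmitted in any form by any organization or individual without the prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., all trademarks, product logos, and product names of other companies that appear in this manual are the property of their respective owners.
The information in this document is general technical information, and some of it might not apply to the product you purchased.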
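When deploying H3C WLAN devices, users often keep the default settings to simplify configuration, which leaves both the management VLAN and the service VLAN set to VLAN 1. This easily causes a range of network problems and degrades the user experience.
This document recommends best-practice configurations for the service VLAN and the AP management VLAN in tunnel forwarding and local forwarding scenarios, to help users deploy their networks more effectively and reduce the occurrence of such problems.
The management VLAN carries the packets forwarded through the CAPWAP tunnel, including management packets and service data packets.
By default, AP management packets carry no VLAN tag, and the access switch directly connected to the AP adds the VLAN tag. In an actual network, set the PVID of that switch interface to the management VLAN.
Configure it as follows: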
<Switch> system-view
[Switch] interface gigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
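If no PVID is configured on the access switch directly connected to the AP, the switch tags the packets with VLAN 1 by default, and the AP's management VLAN is then VLAN 1.
The management-vlan setting described in this section is not recommended. Use it only for specific requirements, for example when you do not want the AP to use the default VLAN 1.
management-vlan is the management VLAN. In practice, the management VLAN is set by configuring the access switch directly connected to the AP. If you do not want to use the default VLAN 1, you can configure the AP's management VLAN with the wlan management-vlan command. The access switch directly connected to the AP then only needs to permit that management VLAN, and no PVID needs to be configured on the switch.
Configure it as follows:
Log in to the fit AP and perform the configuration in the fit AP's system view.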
<ap1> system-view
[ap1] wlan management-vlan 100
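The service VLAN carries service data packets. If it is not configured, it defaults to VLAN 1. VLAN 1 exists by default, and devices add Layer 2 Ethernet ports to it by default so that they work with zero configuration. However, this makes the VLAN 1 broadcast domain too large and easily leads to packet flooding within VLAN 1. For this reason, do not use VLAN 1 as the management VLAN or the service VLAN when planning a WLAN network.
Configure the service VLAN and the management VLAN as different VLANs, and avoid VLAN 1 for both.
The following sections describe the management VLAN and service VLAN requirements in tunnel forwarding mode and local forwarding mode, with a configuration example for each.
In an off-path (AC attached to the aggregation switch) network that uses tunnel forwarding, create the management VLAN and the service VLAN on the AC. The network between the AC and the APs must permit the management VLAN, and the network between the AC and the upper-layer network must permit the service VLAN.
In this example, the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN configuration is as follows:
# Create VLAN 100, the management VLAN for AP access.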
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
# Configure GigabitEthernet1/0/1, the access switch interface connected to the AP, as a trunk port. Block VLAN 1 packets, set the PVID to VLAN 100, and permit VLAN 100.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, the access switch interface connected to the aggregation switch, as a trunk port. Block VLAN 1 packets and permit VLAN 100.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 and VLAN 200. VLAN 100 forwards the traffic in the CAPWAP tunnel between the AC and the AP, and VLAN 200 is the service VLAN for wireless client access.
<Aggregation Switch> system-view
[Aggregation Switch] vlan 100
[Aggregation Switch-vlan100] quit
[Aggregation Switch] vlan 200
[Aggregation Switch-vlan200] quit
# Configure GigabitEthernet1/0/2, the aggregation switch interface connected to the access switch, as a trunk port. Block VLAN 1 packets and permit VLAN 100.
[Aggregation Switch] interface gigabitEthernet 1/0/2
[Aggregation Switch-GigabitEthernet1/0/2] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Aggregation Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, the aggregation switch interface connected to the AC, as a trunk port. Block VLAN 1 packets and permit VLAN 100 and VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/1
[Aggregation Switch-GigabitEthernet1/0/1] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Aggregation Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/3, the aggregation switch interface connected to the core switch, as a trunk port. Block VLAN 1 packets and permit VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/3
[Aggregation Switch-GigabitEthernet1/0/3] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/3] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/3] port trunk permit vlan 200
[Aggregation Switch-GigabitEthernet1/0/3] quit
# Create VLAN 100, which forwards the traffic in the CAPWAP tunnel between the AC and the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Create VLAN 200. Clients use this service VLAN to access the wireless network.
[AC] vlan 200
[AC-vlan200] quit
# Configure GigabitEthernet1/0/1, the AC interface connected to the aggregation switch, as a trunk port. Block VLAN 1 packets and permit VLAN 100 and VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200. Clients use this VLAN to access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the core switch interface connected to the aggregation switch, as a trunk port. Block VLAN 1 packets and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
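In an inline (direct-connection) network that uses tunnel forwarding, create the management VLAN and the service VLAN on the AC. Make sure that the network between the AC and the APs permits the management VLAN and that the network between the AC and the upper-layer network permits the service VLAN.
Figure 2-2 Tunnel forwarding mode: inline network diagram
In this example, the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN configuration is as follows:
# Create VLAN 100, the management VLAN for AP access.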
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
# Configure GigabitEthernet1/0/1, the access switch interface connected to the AP, as a trunk port. Block VLAN 1 packets, set the PVID to VLAN 100, and permit VLAN 100.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, the access switch interface connected to the aggregation switch, as a trunk port. Block VLAN 1 packets and permit VLAN 100.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100, which forwards the traffic in the CAPWAP tunnel between the AC and the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Create VLAN 200. Clients use this service VLAN to access the wireless network.
[AC] vlan 200
[AC-vlan200] quit
# Configure GigabitEthernet1/0/2, the AC interface connected to the access switch, as a trunk port. Block VLAN 1 packets and permit VLAN 100.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/2] port trunk permit vlan 100
[AC-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, the AC interface connected to the core switch, as a trunk port. Block VLAN 1 packets and permit VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 200
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200. Clients use this VLAN to access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the core switch interface connected to the AC, as a trunk port. Block VLAN 1 packets and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
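In an off-path network that uses local forwarding, create the management VLAN on the AC. Whether the service VLAN must also be created depends on the requirements below. The network devices must let the management VLAN pass between the AC and the APs, and the service VLAN pass between the APs and the upper-layer network.
· If the client gateway is on the AC, the service VLAN must be created on the AC.
· If the client gateway is not on the AC, service data does not pass through the AC, so the service VLAN generally does not need to be created on the AC. However, if 802.1X authentication is used, the service VLAN must exist on the AC, because authentication packets are forwarded through the CAPWAP tunnel.
Figure 2-3 Local forwarding mode: off-path network diagram
In this example, the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN configuration is as follows:
# Use a text editor to create the AP configuration file, name it map.txt, and upload it to the AC storage medium. The content and format of the configuration file are as follows:
system-view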
vlan 200
interface gigabitethernet1/0/1
port link-type trunk
port trunk permit vlan 200
# Create VLAN 100 and VLAN 200. VLAN 100 forwards the traffic in the CAPWAP tunnel between the AC and the AP, and VLAN 200 is the service VLAN for wireless client access.
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
[Access Switch] vlan 200
[Access Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the access switch interface connected to the AP, as a trunk port. Block VLAN 1 packets, set the PVID to VLAN 100, and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, the access switch interface connected to the aggregation switch, as a trunk port. Block VLAN 1 packets and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100 and VLAN 200. VLAN 100 forwards the traffic in the CAPWAP tunnel between the AC and the AP, and VLAN 200 is the service VLAN for wireless client access.
<Aggregation Switch> system-view
[Aggregation Switch] vlan 100
[Aggregation Switch-vlan100] quit
[Aggregation Switch] vlan 200
[Aggregation Switch-vlan200] quit
# Configure GigabitEthernet1/0/2, the aggregation switch interface connected to the access switch, as a trunk port. Block VLAN 1 packets and permit VLAN 100 and VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/2
[Aggregation Switch-GigabitEthernet1/0/2] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Aggregation Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, the aggregation switch interface connected to the AC, as a trunk port. Block VLAN 1 packets and permit VLAN 100.
[Aggregation Switch] interface gigabitEthernet 1/0/1
[Aggregation Switch-GigabitEthernet1/0/1] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Aggregation Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/3, the aggregation switch interface connected to the core switch, as a trunk port. Block VLAN 1 packets and permit VLAN 200.
[Aggregation Switch] interface gigabitEthernet 1/0/3
[Aggregation Switch-GigabitEthernet1/0/3] port link-type trunk
[Aggregation Switch-GigabitEthernet1/0/3] undo port trunk permit vlan 1
[Aggregation Switch-GigabitEthernet1/0/3] port trunk permit vlan 200
[Aggregation Switch-GigabitEthernet1/0/3] quit
# Create VLAN 100, which forwards the traffic in the CAPWAP tunnel between the AC and the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Configure GigabitEthernet1/0/1, the AC interface connected to the aggregation switch, as a trunk port. Block VLAN 1 packets and permit VLAN 100.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200. Clients use this VLAN to access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the core switch interface connected to the aggregation switch, as a trunk port. Block VLAN 1 packets and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
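In an inline network that uses local forwarding, create the management VLAN and the service VLAN on the AC. Also make sure that the network devices let the management VLAN pass between the AC and the APs, and the service VLAN pass between the APs and the upper-layer network.
Figure 2-4 Local forwarding mode: inline network diagram
In this example, the management VLAN is VLAN 100 and the service VLAN is VLAN 200. The VLAN configuration is as follows:
# Use a text editor to create the AP configuration file, name it map.txt, and upload it to the AC storage medium. The content and format of the configuration file are as follows:
system-view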
vlan 200
interface gigabitethernet1/0/1
port link-type trunk
port trunk permit vlan 200
# Create VLAN 100 and VLAN 200. VLAN 100 forwards the traffic in the CAPWAP tunnel between the AC and the AP, and VLAN 200 is the service VLAN for wireless client access.
<Access Switch> system-view
[Access Switch] vlan 100
[Access Switch-vlan100] quit
[Access Switch] vlan 200
[Access Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the access switch interface connected to the AP, as a trunk port. Block VLAN 1 packets, set the PVID to VLAN 100, and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitethernet 1/0/1
[Access Switch-GigabitEthernet1/0/1] port link-type trunk
[Access Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Access Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, the access switch interface connected to the AC, as a trunk port. Block VLAN 1 packets and permit VLAN 100 and VLAN 200.
[Access Switch] interface gigabitEthernet 1/0/2
[Access Switch-GigabitEthernet1/0/2] port link-type trunk
[Access Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Access Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Access Switch-GigabitEthernet1/0/2] quit
# Create VLAN 100, which forwards the traffic in the CAPWAP tunnel between the AC and the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
# Create VLAN 200. Clients use this service VLAN to access the wireless network.
[AC] vlan 200
[AC-vlan200] quit
# Configure GigabitEthernet1/0/2, the AC interface connected to the access switch, as a trunk port. Block VLAN 1 packets and permit VLAN 100 and VLAN 200.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/1, the AC interface connected to the core switch, as a trunk port. Block VLAN 1 packets and permit VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 200
[AC-GigabitEthernet1/0/1] quit
# Create VLAN 200. Clients use this VLAN to access the wireless network.
<Core Switch> system-view
[Core Switch] vlan 200
[Core Switch-vlan200] quit
# Configure GigabitEthernet1/0/1, the core switch interface connected to the AC, as a trunk port. Block VLAN 1 packets and permit VLAN 200.
[Core Switch] interface gigabitEthernet 1/0/1
[Core Switch-GigabitEthernet1/0/1] port link-type trunk
[Core Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Core Switch-GigabitEthernet1/0/1] port trunk permit vlan 200
[Core Switch-GigabitEthernet1/0/1] quit
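All the VLANs are permitted, but clients cannot come online.
An intermediate network device might not have created the VLAN that matches the VLAN tag carried by the packets.
Check whether each intermediate network device has created the VLAN that matches the VLAN tag carried by the packets. If it has not, create the VLAN. If it has, check whether the rest of the network configuration is correct.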
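An added example, not part of the H3C guide: a Python check that applies both the "avoid VLAN 1" recommendation and the troubleshooting step above to one device's configuration, reporting trunk ports that still permit VLAN 1 and trunk ports that permit a VLAN the device has not created. It assumes the input uses the display current-configuration layout; audit, expand and SAMPLE are hypothetical names, and the sample configuration is constructed.

```python
import re

def expand(text):
    """Expand a Comware VLAN list such as '100 200 to 203' into a set."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", text):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config_text):
    """Return sorted (interface, finding) pairs for one device's configuration."""
    # VLAN 1 always exists, and a trunk port permits only VLAN 1 by default.
    created, ports, port = {1}, {}, None
    for line in (raw.strip().lower() for raw in config_text.splitlines()):
        if m := re.fullmatch(r"interface (.+)", line):
            port = ports.setdefault(m.group(1).replace(" ", ""),
                                    {"trunk": False, "all": False, "permit": {1}})
        elif m := re.fullmatch(r"vlan (\d[\d to]*)", line):
            created, port = created | expand(m.group(1)), None
        elif line == "#" or port is None:
            port = None
        elif line == "port link-type trunk":
            port["trunk"] = True
        elif m := re.fullmatch(r"(undo )?port trunk permit vlan (.+)", line):
            if m.group(2) == "all":
                port["all"], port["permit"] = not m.group(1), set()
            elif m.group(1):
                port["permit"] -= expand(m.group(2))
            else:
                port["permit"] |= expand(m.group(2))
    findings = []
    for name, p in ports.items():
        if p["trunk"] and (p["all"] or 1 in p["permit"]):
            findings.append((name, "VLAN 1 permitted on trunk"))
        missing = sorted(p["permit"] - created)
        if p["trunk"] and missing:
            findings.append((name, f"permitted VLANs not created: {missing}"))
    return sorted(findings)

SAMPLE = """vlan 100
#
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 100 200
"""  # constructed sample, not taken from the guide
```

Calling audit(SAMPLE) reports nothing for GigabitEthernet1/0/1, which follows the guide's pattern, and two findings for GigabitEthernet1/0/2: VLAN 1 is still permitted, and VLAN 200 is permitted but was never created on the device.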