
H3C AC+FIT Complete Configuration

py3study
Published 2020-01-08 17:58:37
Included in the column: python3

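Router: H3C MSR20-20

AC: H3C WX3024E

AP: 2210-AG

The user is on a PON line with dynamically assigned addresses and no fixed IP, at 1088 yuan per month; with a fixed IP it would cost 7088 yuan per month. To take the more economical route, the user looks up the public IP on ip138 each time and then manages the devices remotely.

The MSR does the PPPoE dial-up and carries 2 VLANs, one for internal use and one for guests, with an access list isolating the two VLANs.

The configuration is as follows: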

```
#
 firewall enable      (must be enabled, otherwise the ACL has no effect)
#
 domain default enable system
#
 telnet server enable    (must also be enabled)
#
 dar p2p signature-file flash:/p2p_default.mtd
#
 port-security enable
#
acl number 3000
 rule 0 permit ip source 10.20.0.0 0.0.255.255       (internal VLAN)
 rule 1 permit ip source 10.30.30.0 0.0.0.255         (guest VLAN)
acl number 3002
 rule 0 deny ip source 10.20.0.0 0.0.255.255 destination 10.30.30.0 0.0.0.255   (block guests from accessing the internal network)
#
vlan 1
#
vlan 3
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password XXXXXXXXXXXXXXXXX
 authorization-attribute level 3
 service-type telnet
 service-type web
local-user XXXXX
 password   XXXXXXXXXXXXXXXXXXX
 authorization-attribute level 3
 service-type telnet
 service-type web
#
cwmp
 undo cwmp enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Dialer1
 nat outbound 3000
 link-protocol ppp
 ppp chap user  ADXXXXXXXX
 ppp chap password  XXXXXXXXXX
 ppp pap local-user adXXXXXX   password SIMPLE  XXXXXXXXX
 ip address ppp-negotiate
 dialer user adXXXXXXX
 dialer-group 1
 dialer bundle 1
#
interface Ethernet0/0
 port link-mode route       (internal interface)
#
interface Ethernet0/0.20           (on H3C, VLANs must be created through subinterfaces)
 vlan-type dot1q vid 2
 ip address 10.20.0.254 255.255.0.0
#
interface Ethernet0/0.30
 vlan-type dot1q vid 3
 firewall packet-filter 3002 inbound
 firewall packet-filter 3002 outbound
 ip address 10.30.30.254 255.255.255.0
#
interface Ethernet0/1
 port link-mode route
 pppoe-client dial-bundle-number 1
#
interface NULL0
#
interface Vlan-interface1
#
 ip route-static 0.0.0.0 0.0.0.0 Dialer1       (static route)
#
 load xml-configuration
#
 load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
```
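To check which direction the isolation rule covers, the following added example (not part of the original post) evaluates the ACL 3002 rule from the router configuration against one internal and one guest host. The host addresses 10.20.5.10 and 10.30.30.50 are constructed samples, and the evaluator assumes rules are matched in rule-ID order; a result of `None` means no rule matched and the packet is left to the packet filter's default action.

```python
import ipaddress
import re

# Rule text copied from "acl number 3002" in the router configuration on this page.
ACL_3002 = ["rule 0 deny ip source 10.20.0.0 0.0.255.255 destination 10.30.30.0 0.0.0.255"]

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)
ANY = (0, 0xFFFFFFFF)  # wildcard of all ones: every bit is "don't care"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_rule(line):
    """Parse one 'rule N permit|deny ip [source A W] [destination A W]' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    rid, action, s, sw, d, dw = m.groups()
    src = (_ip(s), _ip(sw)) if s else ANY
    dst = (_ip(d), _ip(dw)) if d else ANY
    return int(rid), action, src, dst

def _match(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)

def evaluate(rules, src, dst):
    """Return the action of the first matching rule (rule-ID order), or None."""
    for _rid, action, s, d in sorted(parse_rule(r) for r in rules):
        if _match(src, s) and _match(dst, d):
            return action
    return None

def isolation_report(rules, internal_host, guest_host):
    """Evaluate both directions between an internal host and a guest host."""
    return {
        "internal->guest": evaluate(rules, internal_host, guest_host),
        "guest->internal": evaluate(rules, guest_host, internal_host),
    }

if __name__ == "__main__":
    # Constructed sample hosts, one per VLAN.
    print(isolation_report(ACL_3002, "10.20.5.10", "10.30.30.50"))
```

The rule as written matches only packets from the internal range to the guest range; packets sourced from the guest range toward 10.20.0.0/16 match no rule in ACL 3002, so covering that direction explicitly takes a rule with source and destination swapped.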

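Next is the AC controller.

Do the setup through the web interface wherever possible; what follows is only how it appears on the command line.

Overall approach: enable DHCP for the 2 VLANs.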

```
#
 telnet server enable
#
 port-security enable
#
 oap management-ip 192.168.0.101 slot 0
#
 wlan auto-ap enable
#
vlan 1
#
vlan 2
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
dhcp server ip-pool poolvlan1                  (management VLAN)
 network 192.168.0.0 mask 255.255.255.0
#
dhcp server ip-pool poolvlan2          (internal VLAN)
 network 10.20.0.0 mask 255.255.0.0
 gateway-list 10.20.0.254
 dns-list 202.96.209.5 8.8.8.8
#
dhcp server ip-pool poolvlan3       (guest VLAN)
 network 10.30.30.0 mask 255.255.255.0
 gateway-list 10.30.30.254
 dns-list 202.96.209.5 8.8.8.8
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password 
 authorization-attribute level 3
 service-type telnet
 service-type web
#
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
 load-balance session 15
#
wlan radio-policy 1025
#
wlan radio-policy 1537
#
wlan radio-policy 1793
#
wlan radio-policy 2049
#
wlan radio-policy 2305
#
wlan service-template 1 crypto
 ssid   XXXXX
 bind WLAN-ESS 0
 cipher-suite tkip
 security-ie rsn
 service-template enable
#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan all
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface2
 ip address 10.20.0.250 255.255.0.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
#
interface WLAN-ESS0
 port link-type hybrid
 port hybrid vlan 1 to 2 untagged
 port hybrid pvid vlan 2
 mac-vlan enable
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase
#
interface WLAN-ESS1
 port link-type hybrid
 port hybrid vlan 1 untagged
#
wlan ap ap-1 model WA2210-AG id 2
 serial-id 
 radio 1
  radio-policy 513
  service-template 1 vlan-id 2
  radio enable
#
wlan ap ap-10 model WA2210-AG id 9
 serial-id 210235A0HTB118000791
 radio 1
  radio-policy 2305
  service-template 1 vlan-id 2
  radio enable
#
wlan ap ap-11 model WA2210-AG id 10
 serial-id 210235A0HTC118000273
 radio 1
  radio-policy 2561
  service-template 1 vlan-id 2
  radio enable
#
wlan ap ap-16 model WA2210-AG id 12
 serial-id 210235A0HTB118001313
 radio 1
  radio-policy 3073
  service-template 1 vlan-id 2
  radio enable
#
wlan ap auto-ap model WA2210-AG id 5
 serial-id auto
 radio 1
#
wlan load-balance-group 1     (load balancing)
 description 26
 ap ap-4 radio 1
 ap ap-3 radio 1
 ap ap-2 radio 1
#
wlan load-balance-group 2
 description 27
 ap ap-9 radio 1
 ap ap-8 radio 1
 ap ap-11 radio 1
 ap ap-10 radio 1
#
wlan load-balance-group 3
 description 28
 ap ap-14 radio 1
 ap ap-13 radio 1
#
 ip route-static 0.0.0.0 0.0.0.0 10.20.0.254
#
 dhcp enable
#
 arp-snooping enable
#
 load xml-configuration
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
```

After telnetting to the AC, oap connect slot 0 switches to the switching engine:

```
dhcp server ip-pool swpoolvlan3
 network 10.30.30.0 mask 255.255.
 gateway-list 10.30.30.254
 dns-list 202.96.209.5 8.8.8.8
#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan all
#
interface Vlan-interface3
 ip address 10.30.30.251 255.255.
#
interface GigabitEthernet1/0/1
 poe enable
#
interface GigabitEthernet1/0/2
 poe enable
#
interface GigabitEthernet1/0/22         (this port connects to the FAT AP)
 port access vlan 3
 poe enable
#
interface GigabitEthernet1/0/23        (this is the uplink port)
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/24
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/29         (internal port connected to the AC, carries all VLANs)
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
#
interface GigabitEthernet1/0/30
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
#
```

Originally published: 2019-09-03
