Configuring WLAN Service for a Small Network
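This section provides a configuration example in which enterprise employees access the network through WLAN service.
Networking Requirements
To ensure that employees can access the company network anytime and anywhere, an enterprise needs to deploy WLAN service for mobile office. As shown in Figure 1, the FW acts as an AP, connects to the Internet using a fixed IP address, and connects to STAs wirelessly.
- Provide a wireless network named "wlan-net".
- Employees are assigned IP addresses from the network segment 10.1.1.0/24.
Configuration Roadmap
Configure WLAN service for the small network as follows:
- Configure the uplink and downlink interfaces. On the downlink side, configure a VLANIF interface to carry WLAN service and enable the DHCP server function to assign addresses to STAs.
- Configure the AP country code.
- Configure the VAP and radio parameters to create the wireless network.
- Configure NAT and routing so that intranet users can access the Internet.
Procedure
- Configure the interfaces.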
# Configure the uplink interface GigabitEthernet 0/0/1.
<AP> system-view
[AP] interface GigabitEthernet 0/0/1
[AP-GigabitEthernet0/0/1] ip address 1.1.1.1 24
[AP-GigabitEthernet0/0/1] quit
[AP] firewall zone untrust
[AP-zone-untrust] add interface GigabitEthernet 0/0/1
[AP-zone-untrust] quit
# Configure the downlink interface VLANIF 10 to carry WLAN service, and enable the DHCP server function to assign IP addresses and a DNS server to terminals.
[AP] dhcp enable
[AP] vlan batch 10
[AP] interface Vlanif 10
[AP-Vlanif10] ip address 10.1.1.1 24
[AP-Vlanif10] dhcp select interface
[AP-Vlanif10] dhcp server dns-list 10.2.2.2
[AP-Vlanif10] dhcp server domain-name huawei.com
[AP-Vlanif10] quit
[AP] firewall zone trust
[AP-zone-trust] add interface Vlanif 10
[AP-zone-trust] quit
When the DHCP server is enabled on a VLANIF interface, the network segment of the interface IP address is the range of the address pool.
- Configure the AP country code.
[AP] wlan
[AP-wlan-view] country-code cn
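- Configure the VAP and radio parameters.
# Create a security profile named "wlan-security" and configure the security policy.
This example uses a WPA2+PSK+AES security policy with the password "Admin@123". In an actual deployment, configure a security policy that meets your actual requirements.
[AP-wlan-view] security-profile name wlan-security
[AP-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase Admin@123 aes
[AP-wlan-sec-prof-wlan-security] quit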
# Create an SSID profile named "wlan-ssid" and set the SSID name to "wlan-net".
[AP-wlan-view] ssid-profile name wlan-ssid
[AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-wlan-ssid-prof-wlan-ssid] quit
# Create a VAP profile named "wlan-vap", configure the service VLAN, and reference the security profile and SSID profile.
[AP-wlan-view] vap-profile name wlan-vap
[AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 10
[AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AP-wlan-vap-prof-wlan-vap] quit
[AP-wlan-view] quit
# Configure the radio parameters and apply the VAP profile.
The AP radio channel and power in this example are for illustration only. In an actual deployment, configure them according to the AP country code and the network planning results.
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 1
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] vap-profile wlan-vap wlan 1
[AP-Wlan-Radio0/0/1] quit
- Configure the source NAT policy.
[AP] nat-policy
[AP-policy-nat] rule name policy_nat1
[AP-policy-nat-rule-policy_nat1] source-zone trust
[AP-policy-nat-rule-policy_nat1] destination-zone untrust
[AP-policy-nat-rule-policy_nat1] source-address 10.1.1.0 24
[AP-policy-nat-rule-policy_nat1] action source-nat easy-ip
[AP-policy-nat-rule-policy_nat1] quit
[AP-policy-nat] quit
- Configure a default route, assuming that the IP address of the next-hop router is 1.1.1.254.
[AP] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
- Configure the security policies.
# Configure security policies that allow terminals to access the AP.
[AP] security-policy
[AP-policy-security] rule name policy_sec_ap01
[AP-policy-security-rule-policy_sec_ap01] source-zone trust
[AP-policy-security-rule-policy_sec_ap01] destination-zone local
[AP-policy-security-rule-policy_sec_ap01] action permit
[AP-policy-security-rule-policy_sec_ap01] quit
[AP-policy-security] rule name policy_sec_ap02
[AP-policy-security-rule-policy_sec_ap02] source-zone local
[AP-policy-security-rule-policy_sec_ap02] destination-zone trust
[AP-policy-security-rule-policy_sec_ap02] action permit
[AP-policy-security-rule-policy_sec_ap02] quit
# Configure a security policy that allows terminals to access the Internet.
[AP-policy-security] rule name policy_sec_internet
[AP-policy-security-rule-policy_sec_internet] source-zone trust
[AP-policy-security-rule-policy_sec_internet] destination-zone untrust
[AP-policy-security-rule-policy_sec_internet] source-address 10.1.1.0 24
[AP-policy-security-rule-policy_sec_internet] action permit
[AP-policy-security-rule-policy_sec_internet] quit
[AP-policy-security] quit
Verification
The configuration takes effect automatically once it is complete. Run the display vap ssid wlan-net command to view the following information. When the "Status" field shows "ON", the VAP on the corresponding AP radio has been created successfully.
[AP] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP MAC          RfID  WID  BSSID           Status  Auth type  STA  SSID
--------------------------------------------------------------------------------
00bc-da3f-e900  0     1    00BC-DA3F-E900  ON      WPA2-PSK   0    wlan-net
00bc-da3f-e900  1     1    00BC-DA3F-E910  ON      WPA2-PSK   0    wlan-net
--------------------------------------------------------------------------------
Total: 2
After an STA discovers the wireless network named "wlan-net", enters the password "Admin@123", and associates successfully, run the display station all command on the AP to confirm that the user has connected to the wireless network "wlan-net".
[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address  SSID
---------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  1/1      5G    11ac  19/13  -63   10    10.1.1.254  wlan-net
---------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
Configuration Script
#
sysname AP
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.2.2.2
 dhcp server domain-name huawei.com
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 add interface Vlanif10
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
wlan
 country-code cn
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 10
  ssid-profile wlan-ssid
  security-profile wlan-security
#
interface Wlan-Radio0/0/0
 vap-profile wlan-vap wlan 1
 channel 20mhz 6
 eirp 127
#
interface Wlan-Radio0/0/1
 vap-profile wlan-vap wlan 1
 channel 20mhz 149
 eirp 127
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
security-policy
 rule name policy_sec_ap01
  source-zone trust
  destination-zone local
  action permit
 rule name policy_sec_ap02
  source-zone local
  destination-zone trust
  action permit
 rule name policy_sec_internet
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  action source-nat easy-ip
return
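The security policies in this example match on zones alone for traffic between the wireless clients and the AP itself. The following is an added example, not part of the original article or of any vendor tool: a small Python audit that reads a saved configuration script and lists permit rules that carry no address or service condition. It assumes one statement per line with "#" separating top-level sections; the function names and the SAMPLE text are constructed for illustration.

```python
# Added example: audit a saved configuration script for broad security-policy rules.
# SAMPLE is constructed for illustration, one statement per line.
SAMPLE = """\
security-policy
 rule name policy_sec_ap01
  source-zone trust
  destination-zone local
  action permit
 rule name policy_sec_ap02
  source-zone local
  destination-zone trust
  action permit
 rule name policy_sec_internet
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  action source-nat easy-ip
"""

NARROWING = ("source-address", "destination-address", "service")  # match conditions

def parse_security_rules(text):
    """Return {rule name: [statements]} for the security-policy section only."""
    rules, current, in_section = {}, None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "#":                       # '#' separates top-level sections
            in_section, current = False, None
        elif line == "security-policy":
            in_section = True
        elif in_section and line.startswith("rule name "):
            current = rules.setdefault(line[len("rule name "):], [])
        elif in_section and current is not None:
            current.append(line)
    return rules

def audit(text):
    """List (rule, finding) for permit rules that match on zones alone."""
    findings = []
    for name, stmts in parse_security_rules(text).items():
        if "action permit" not in stmts or any(s.startswith(NARROWING) for s in stmts):
            continue
        zones = dict(s.split()[:2] for s in stmts if s.split()[0].endswith("-zone"))
        dst = zones.get("destination-zone", "any")
        scope = "the device itself" if dst == "local" else "zone " + dst
        src = zones.get("source-zone", "any")
        findings.append((name, "permits every address and service from zone %s to %s" % (src, scope)))
    return findings
```

Calling audit(SAMPLE) reports policy_sec_ap01 and policy_sec_ap02; policy_sec_internet is not reported because it restricts the source address.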
Copyright notice:
Author: SE_YT
Link: https://www.cnesa.cn/2174.html
Source: CNESA
Copyright of this article belongs to the author. Do not reproduce without permission.