H3C Access Controllers Policy-Based Forwarding with Dual Gateways Configuration Examples
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Introduction
This document provides an example of configuring policy-based forwarding with dual gateways.
Prerequisites
This document applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of WLAN access, AP management, NAT, and DHCP.
Example: Configuring policy-based forwarding with dual gateways
Network configuration
As shown in Figure 1, the AC is deployed at the headquarters and an AP is deployed at the branch. Router A and Router B act as the gateways for the branch and the headquarters, respectively. The AP associates with the AC across the Internet.
Configure network settings to meet the following requirements:
· Packets destined to the headquarters are forwarded by the AC and packets destined to the branch or Internet are forwarded by the AP.
· The AP obtains IP addresses from Router A and the client obtains IP addresses from the AC.
Analysis
· For the AP to discover the AC through the Internet, configure Option 43 and manually specify the IP address of the AC on Router A.
· For the AP to communicate with the AC, configure NAT on both Router A and Router B.
· To simplify configurations when a large number of APs are deployed at branches, enable auto AP and auto AP conversion on the AC.
· For both the AP and the AC to forward packets, configure policy-based forwarding on the AC.
· For the AP to obtain configurations automatically from the AC, use a text editor to create an AP configuration file and upload the file to the AC.
Restrictions and guidelines
Make sure devices in the network can reach each other.
Procedures
Configuring Router A
1. Configure DHCP:
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Create DHCP address pool ap, specify the subnet for dynamic allocation as 192.168.10.0/24, and specify the gateway address as 192.168.10.1.
[RouterA] dhcp server ip-pool ap
[RouterA-dhcp-pool-ap] network 192.168.10.0 mask 255.255.255.0
[RouterA-dhcp-pool-ap] gateway-list 192.168.10.1
# Configure Option 43 to specify Router B's IP address 202.202.1.22/24.
[RouterA-dhcp-pool-ap] option 43 hex 8007000001CACA0116
[RouterA-dhcp-pool-ap] quit
2. Configure NAT:
# Create NAT address group 0, and add address 202.20.1.20 to the group.
[RouterA] nat address-group 0
[RouterA-address-group-0] address 202.20.1.20 202.20.1.20
[RouterA-address-group-0] quit
# Create IPv4 basic ACL 2000 to permit only packets from source IP subnet 192.168.10.0/24.
[RouterA] acl basic 2000
[RouterA-acl-ipv4-basic-2000] rule permit source 192.168.10.0 0.0.0.255
[RouterA-acl-ipv4-basic-2000] quit
# Configure interface GigabitEthernet1/0/2 to translate the source addresses of outgoing packets permitted by ACL 2000 into the addresses in address group 0.
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] nat outbound 2000 address-group 0
[RouterA-GigabitEthernet1/0/2] quit
[RouterA] quit
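The Option 43 value configured in step 1 decides which controller every AP in the pool contacts, so it is worth checking that the hex string names the intended address. The following Python is an added example, not H3C code. The field layout (type 0x80, one-byte length, two-byte server type, one-byte address count, then the IPv4 addresses) is inferred from the value on this page, and the function names and the pool named lab are constructed for illustration.

```python
import ipaddress

SUBOPT_TYPE = 0x80    # first byte of the page's value
SERVER_TYPE = 0x0000  # third and fourth bytes of the page's value


def encode_option43(ac_addresses):
    """Return the hex string for 'option 43 hex ...' listing the given AC addresses."""
    addrs = [ipaddress.IPv4Address(a) for a in ac_addresses]
    if not 1 <= len(addrs) <= 63:  # 2 + 1 + 4*n must fit the one-byte length
        raise ValueError("need between 1 and 63 addresses")
    value = SERVER_TYPE.to_bytes(2, "big") + bytes([len(addrs)])
    value += b"".join(a.packed for a in addrs)
    return (bytes([SUBOPT_TYPE, len(value)]) + value).hex().upper()


def decode_option43(hex_string):
    """Return the IPv4 addresses in an Option 43 hex string, validating each field."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 9:
        raise ValueError("too short to hold one address")
    if raw[0] != SUBOPT_TYPE:
        raise ValueError(f"unexpected sub-option type 0x{raw[0]:02X}")
    value = raw[2:]
    if raw[1] != len(value):
        raise ValueError("length byte does not match the value length")
    count, packed = value[2], value[3:]
    if len(packed) != 4 * count:
        raise ValueError("address count does not match the address bytes")
    return [str(ipaddress.IPv4Address(packed[i:i + 4]))
            for i in range(0, len(packed), 4)]


def audit_option43(config_text, expected_acs):
    """Return (pool, detail) for each pool whose Option 43 is malformed
    or names an address outside expected_acs."""
    findings, pool = [], None
    for line in config_text.splitlines():
        words = line.split()
        if words[:3] == ["dhcp", "server", "ip-pool"] and len(words) > 3:
            pool = words[3]
        elif words[:3] == ["option", "43", "hex"] and len(words) > 3:
            try:
                unexpected = sorted(set(decode_option43(words[3])) - set(expected_acs))
            except ValueError as exc:
                findings.append((pool, f"malformed: {exc}"))
                continue
            if unexpected:
                findings.append((pool, "unexpected AC address " + ", ".join(unexpected)))
    return findings


# Pool ap is Router A's pool from this page; pool lab is constructed for the example.
SAMPLE_CONFIG = """\
dhcp server ip-pool ap
 gateway-list 192.168.10.1
 network 192.168.10.0 mask 255.255.255.0
 option 43 hex 8007000001caca0116
dhcp server ip-pool lab
 network 192.168.20.0 mask 255.255.255.0
 option 43 hex 8007000001C6336407
"""

if __name__ == "__main__":
    print(encode_option43(["202.202.1.22"]))
    print(decode_option43("8007000001caca0116"))
    print(audit_option43(SAMPLE_CONFIG, {"202.202.1.22"}))
```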
Configuring Router B
1. Configure NAT:
# Create IPv4 advanced ACL 3000 to permit only packets from 202.20.1.0/24 to 202.202.1.22.
<RouterB> system-view
[RouterB] acl advanced 3000
[RouterB-acl-ipv4-adv-3000] rule 0 permit ip source 202.20.1.0 0.0.0.255 destination 202.202.1.22 0
[RouterB-acl-ipv4-adv-3000] quit
# Configure interface GigabitEthernet1/0/1 to allow users permitted by ACL 3000 to access the internal server at 192.168.1.111.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] nat server global 3000 inside 192.168.1.111
[RouterB-GigabitEthernet1/0/1] quit
[RouterB] quit
Configuring the AC
1. Create AP configuration file map-OnAP.txt as follows and then upload the file to the AC.
vlan 2
interface Vlan-interface1
nat outbound 3000
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1
interface Vlan-interface2
ip address 172.16.4.3 255.255.255.0
acl advanced 3000
rule 0 permit ip source 172.16.4.0 0.0.0.255
2. Configure basic AC functions:
# Configure interface IP addresses. (Details not shown.)
# Create VLAN 2 and VLAN-interface 2, and assign an IP address to the VLAN interface.
<AC> system-view
[AC] vlan 2
[AC-vlan2] quit
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 172.16.4.1 255.255.255.0
[AC-Vlan-interface2] quit
# Configure interface GigabitEthernet1/0/2 to operate in Layer 2 mode, set the port link type to trunk, remove the port from VLAN 1, and add the port to VLAN 2.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-mode bridge
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/2] port trunk permit vlan 2
[AC-GigabitEthernet1/0/2] quit
# Configure static routes to GigabitEthernet1/0/2 of Router A, GigabitEthernet1/0/1 of Router B, and headquarters' network segment 172.16.5.0/24.
[AC] ip route-static 202.20.1.0 24 192.168.1.22
[AC] ip route-static 202.202.1.0 24 192.168.1.22
[AC] ip route-static 172.16.5.0 24 172.16.4.2
3. Configure DHCP:
# Enable DHCP.
[AC] dhcp enable
# Create DHCP address pool sta, specify the subnet for dynamic allocation as 172.16.4.0/24, and specify the gateway address as 172.16.4.1.
[AC] dhcp server ip-pool sta
[AC-dhcp-pool-sta] network 172.16.4.0 mask 255.255.255.0
[AC-dhcp-pool-sta] gateway-list 172.16.4.1
# Specify the DNS server address as 192.168.1.10.
[AC-dhcp-pool-sta] dns-list 192.168.1.10
# Exclude IP addresses 172.16.4.1 and 172.16.4.3 from dynamic allocation in DHCP address pool sta.
[AC-dhcp-pool-sta] forbidden-ip 172.16.4.1 172.16.4.3
[AC-dhcp-pool-sta] quit
4. Enable auto AP and auto AP conversion.
[AC] wlan auto-ap enable
[AC] wlan auto-persistent enable
5. Configure policy-based forwarding:
# Create IPv4 advanced ACL 3001, and configure ACL rules to permit DNS, BOOTPC, and BOOTPS packets and packets from 172.16.4.0/24 to 172.16.4.0/24 or 172.16.5.0/24.
[AC] acl advanced 3001
[AC-acl-ipv4-adv-3001] rule 0 permit udp source-port eq dns
[AC-acl-ipv4-adv-3001] rule 1 permit udp destination-port eq dns
[AC-acl-ipv4-adv-3001] rule 2 permit udp source-port eq bootpc
[AC-acl-ipv4-adv-3001] rule 3 permit udp destination-port eq bootps
[AC-acl-ipv4-adv-3001] rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
[AC-acl-ipv4-adv-3001] rule 5 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
[AC-acl-ipv4-adv-3001] quit
# Create forwarding policy remote, and configure the forwarding policy to perform centralized forwarding on packets that match ACL 3001.
[AC] wlan forwarding-policy remote
[AC-wlan-fp-remote] classifier acl 3001 behavior remote
[AC-wlan-fp-remote] quit
# Create service template chn, set the SSID to CHN, and assign clients coming online through the service template to VLAN 2.
[AC] wlan service-template chn
[AC-wlan-st-chn] ssid CHN
[AC-wlan-st-chn] vlan 2
# Enable APs to forward client traffic, apply forwarding policy remote to the service template, and enable the forwarding policy.
[AC-wlan-st-chn] client forwarding-location ap
[AC-wlan-st-chn] client forwarding-policy-name remote
[AC-wlan-st-chn] client forwarding-policy enable
# Set the PSK AKM mode and specify plaintext string 12345678 as the preshared key.
[AC-wlan-st-chn] akm mode psk
[AC-wlan-st-chn] preshared-key pass-phrase simple 12345678
# Set the CCMP cipher suite and enable RSN security IE.
[AC-wlan-st-chn] cipher-suite ccmp
[AC-wlan-st-chn] security-ie rsn
# Enable the service template.
[AC-wlan-st-chn] service-template enable
[AC-wlan-st-chn] quit
# Deploy configuration file map-OnAP.txt to WA6320 APs in the default AP group.
[AC] wlan ap-group default-group
[AC-wlan-ap-group-default-group] ap-model WA6320
[AC-wlan-ap-group-default-group-ap-model-WA6320] map-configuration flash:/map-OnAP.txt
# Bind service template chn to radio 1 and enable radio 1.
[AC-wlan-ap-group-default-group-ap-model-WA6320] radio 1
[AC-wlan-ap-group-default-group-ap-model-WA6320-radio-1] service-template chn
[AC-wlan-ap-group-default-group-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-default-group-ap-model-WA6320-radio-1] quit
[AC-wlan-ap-group-default-group-ap-model-WA6320] quit
[AC-wlan-ap-group-default-group] quit
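How ACL 3001 and forwarding policy remote split client traffic between the AC and the AP can be checked offline before deployment. The following Python is an added example, not H3C code. It assumes rules are evaluated in rule-ID order and that packets matching no permit rule are forwarded locally by the AP, as the network requirements on this page describe; the sample packets and function names are constructed.

```python
import ipaddress

# ACL 3001 exactly as configured on the AC in this example.
ACL_3001 = """\
rule 0 permit udp source-port eq dns
rule 1 permit udp destination-port eq dns
rule 2 permit udp source-port eq bootpc
rule 3 permit udp destination-port eq bootps
rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
rule 5 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
"""
PORT_NAMES = {"dns": 53, "bootps": 67, "bootpc": 68}


def parse_rule(line):
    """Parse one 'rule N permit|deny PROTO ...' line into a dict."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "proto": tok[3]}
    i = 4
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):  # address followed by wildcard mask
            rule[key] = tuple(int(ipaddress.IPv4Address(t)) for t in tok[i + 1:i + 3])
        elif key in ("source-port", "destination-port") and tok[i + 1] == "eq":
            name = tok[i + 2]
            rule[key] = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        else:
            raise ValueError(f"unsupported keyword {key!r}")
        i += 3
    return rule


def rule_matches(rule, pkt):
    """Return True when the packet satisfies every condition in the rule."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    for field, key in (("source", "src"), ("destination", "dst")):
        if field in rule:
            base, wildcard = rule[field]
            addr = int(ipaddress.IPv4Address(pkt[key]))
            # Compare only the bits where the wildcard mask is 0.
            if (addr ^ base) & ~wildcard & 0xFFFFFFFF:
                return False
    for field, key in (("source-port", "sport"), ("destination-port", "dport")):
        if field in rule and pkt.get(key) != rule[field]:
            return False
    return True


def forwarder(rules, pkt):
    """Return (device, rule id): 'AC' when a permit rule matches, otherwise 'AP'."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, pkt):
            return ("AC" if rule["action"] == "permit" else "AP", rule["id"])
    return ("AP", None)


RULES = [parse_rule(line) for line in ACL_3001.splitlines() if line.strip()]

# Constructed packets from the client address 172.16.4.11 used on this page.
SAMPLES = [
    {"proto": "icmp", "src": "172.16.4.11", "dst": "172.16.5.1"},
    {"proto": "udp", "src": "172.16.4.11", "sport": 50000, "dst": "192.168.1.10", "dport": 53},
    {"proto": "udp", "src": "172.16.4.11", "sport": 50000, "dst": "203.0.113.53", "dport": 53},
    {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dst": "255.255.255.255", "dport": 67},
    {"proto": "tcp", "src": "172.16.4.11", "sport": 50001, "dst": "202.202.1.188", "dport": 443},
]


def classify_samples():
    """Return the forwarding decision for each constructed sample packet."""
    return [forwarder(RULES, pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, result in zip(SAMPLES, classify_samples()):
        print(pkt["proto"], pkt["dst"], "->", result)
```

Rules 0 through 3 carry no address condition, so every UDP DNS and DHCP packet is tunneled to the AC whatever its destination, including DNS queries to resolvers other than 192.168.1.10.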
Verifying the configuration
# Verify that the AP has associated with the AC.
[AC] display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 2048
Remaining APs: 2047
Total AP licenses: 32
Local AP licenses: 32
Server AP licenses: 0
Remaining local AP licenses: 31
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
0015-005e-9348 2 R/M WA6320 219801A28N819CE0002T
# Verify that the AP is in Run state, the discovery type is DHCP, and the AP's IP address is 202.20.1.20.
[AC] display wlan ap name 0015-005e-9348 verbose
AP name : 0015-005e-9348
AP ID : 2
AP group name : default-group
State : Run
Backup type : Master
Online time : 1 days 5 hours 25 minutes 22 seconds
System up time : 1 days 6 hours 30 minutes 4 seconds
Model : WA6320
Region code : CN
Region code lock : Disabled
Serial ID : 219801A28N819CE0002T
MAC address : 70f9-6dd3-61e0
IP address : 202.20.1.20
UDP control port number : 1099
UDP data port number : 1102
H/W version : Ver.C
S/W version : R2215
Boot version : 7.10
USB state : N/A
Power Level : N/A
PowerInfo : N/A
Description : Not configured
Priority : 4
Echo interval : 10 seconds
Echo count : 3 counts
Keepalive interval : 10 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
Discovery type : DHCP
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 34001
Received control packets : 34001
Echo requests : 10591
Lost echo responses : 3
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 202.20.1.20
Tunnel down reason : Processed join request in Run state
Connection count : 15
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Tunnel encryption : Disabled
LED mode : Normal
Remote configuration : Disabled
Radio 1:
Basic BSSID : 70f9-6dd3-61e0
Admin state : Up
Radio type : 802.11ac
Antenna type : internal
Client dot11ac-only : Disabled
Client dot11n-only : Disabled
Channel band-width : 20/40/80MHz
Active band-width : 20/40/80MHz
Secondary channel offset : SCA
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160MHz : Not supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational VHT-MCS Set:
Mandatory : Not configured
Supported : NSS1 0,1,2,3,4,5,6,7,8,9
NSS2 0,1,2,3,4,5,6,7,8,9
Multicast : Not configured
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 149(auto)
Channel usage(%) : 0
Max power : 20 dBm
Operational rate:
Mandatory : 6, 12, 24 Mbps
Multicast : Auto
Supported : 9, 18, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise floor : -105 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : cts-to-self
Continuous mode : N/A
HT protection mode : No protection
Radio 2:
Basic BSSID : 70f9-6dd3-61f0
Admin state : Down
Radio type : 802.11n(2.4GHz)
Antenna type : internal
Client dot11n-only : Disabled
Channel band-width : 20MHz
Active band-width : 20MHz
Secondary channel offset : SCN
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 6(auto)
Channel usage(%) : 0
Max power : 20 dBm
Preamble type : Short
Operational rate:
Mandatory : 1, 2, 5.5, 11 Mbps
Multicast : Auto
Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise floor : 0 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : cts-to-self
Continuous mode : N/A
HT protection mode : No protection
# Verify that the client has come online with an IP address in subnet 172.16.4.0/24, and the forwarding policy is remote.
[AC] display wlan client
Total number of clients: 1
MAC address User name AP name RID IP address VLAN
0015-005e-9348 N/A 0015-005e-9348 1 172.16.4.11 2
[AC] display wlan client verbose
Total number of clients: 1
MAC address : 0015-005e-9348
IPv4 address : 172.16.4.11
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 0015-005e-9348
Radio ID : 1
SSID : CHN
BSSID : 70f9-6dd3-61e0
VLAN ID : 2
Sleep count : 0
Wireless mode : 802.11an
Channel bandwidth : 40MHz
20/40 BSS Coexistence Management : Not supported
SM power save : Disabled
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
STBC RX capability : Supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
Block Ack : N/A
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 100
RSSI : 0
Rx/Tx rate : 0/0
Authentication method : Open system
Security mode : PRE-RSNA
AKM mode : N/A
Cipher suite : N/A
User authentication mode : Bypass
Authorization ACL ID : N/A
Authorization user profile : N/A
Roam status : N/A
Key derivation : N/A
PMF status : N/A
Forwarding policy name : remote
Online time : 0days 0hours 0minutes 33seconds
FT status : Inactive
# Verify that IP addresses (172.16.4.2, 172.16.5.1, and 172.16.5.2) in the headquarters' network can be pinged successfully.
C:\Users\h3c>ping 172.16.4.2
Pinging 172.16.4.2 with 32 bytes of data:
Reply from 172.16.4.2: bytes=32 time=6ms TTL=255
Reply from 172.16.4.2: bytes=32 time=3ms TTL=255
Reply from 172.16.4.2: bytes=32 time=6ms TTL=255
Reply from 172.16.4.2: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.4.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 6ms, Average = 4ms
C:\Users\h3c>ping 172.16.5.1
Pinging 172.16.5.1 with 32 bytes of data:
Reply from 172.16.5.1: bytes=32 time=9ms TTL=255
Reply from 172.16.5.1: bytes=32 time=1ms TTL=255
Reply from 172.16.5.1: bytes=32 time=5ms TTL=255
Reply from 172.16.5.1: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.5.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 9ms, Average = 4ms
C:\Users\h3c>ping 172.16.5.2
Pinging 172.16.5.2 with 32 bytes of data:
Reply from 172.16.5.2: bytes=32 time=8ms TTL=255
Reply from 172.16.5.2: bytes=32 time=2ms TTL=255
Reply from 172.16.5.2: bytes=32 time=5ms TTL=255
Reply from 172.16.5.2: bytes=32 time=3ms TTL=255
Ping statistics for 172.16.5.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 8ms, Average = 4ms
# Verify that a website on the Internet (for example, www.baidu.com) can be pinged successfully.
C:\Users\h3c>ping www.baidu.com
Pinging www.baidu.com [202.202.1.188] with 32 bytes of data:
Reply from 202.202.1.188: bytes=32 time=7ms TTL=255
Reply from 202.202.1.188: bytes=32 time=3ms TTL=255
Reply from 202.202.1.188: bytes=32 time=3ms TTL=255
Reply from 202.202.1.188: bytes=32 time=2ms TTL=255
Ping statistics for 202.202.1.188:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 7ms, Average = 3ms
Configuration files
· Router A:
#
nat address-group 0
address 202.20.1.20 202.20.1.20
#
dhcp enable
#
dhcp server ip-pool ap
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
option 43 hex 8007000001caca0116
#
interface GigabitEthernet1/0/2
nat outbound 2000 address-group 0
#
acl basic 2000
rule 0 permit source 192.168.10.0 0.0.0.255
#
· Router B:
#
interface GigabitEthernet1/0/1
nat server global 3000 inside 192.168.1.111
#
acl advanced 3000
rule 0 permit ip source 202.20.1.0 0.0.0.255 destination 202.202.1.22 0
#
· AC:
#
dhcp enable
#
vlan 2
#
dhcp server ip-pool sta
gateway-list 172.16.4.1
network 172.16.4.0 mask 255.255.255.0
dns-list 192.168.1.10
forbidden-ip 172.16.4.1
forbidden-ip 172.16.4.3
#
wlan forwarding-policy remote
classifier acl 3001 behavior remote
#
wlan service-template chn
ssid CHN
vlan 2
client forwarding-location ap
client forwarding-policy-name remote
client forwarding-policy enable
akm mode psk
preshared-key pass-phrase cipher $c$3$4T2hQpGTY8qC3U4KL3G2sMgv9RNfRZdZfDqY
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface Vlan-interface2
ip address 172.16.4.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2
#
ip route-static 172.16.5.0 24 172.16.4.2
ip route-static 202.20.1.0 24 192.168.1.22
ip route-static 202.202.1.0 24 192.168.1.22
#
acl advanced 3001
rule 0 permit udp source-port eq dns
rule 1 permit udp destination-port eq dns
rule 2 permit udp source-port eq bootpc
rule 3 permit udp destination-port eq bootps
rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
rule 5 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
#
wlan auto-ap enable
wlan auto-persistent enable
#
wlan ap-group default-group
ap-model WA6320
radio 1
radio enable
service-template chn
radio 2
gigabitethernet 1
gigabitethernet 2
#
Related documentation
· Network Connectivity Command Reference in H3C Access Controllers Command References
· Network Connectivity Configuration Guide in H3C Access Controllers Configuration Guides
· WLAN Access Command Reference in H3C Access Controllers Command References
· WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides