H3C Access Controllers: WLAN Dual-Gateway Scenario with Policy-Based Forwarding Configuration Example
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced, or distributed in any form by any entity or individual without the prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., the trademarks, product identifiers, and trade names of other companies that appear in this manual are the property of their respective owners.
The information in this document is subject to change without notice.
This document describes a configuration example for a WLAN dual-gateway scenario with policy-based forwarding.
This document is not strictly tied to specific software or hardware versions. If a procedure differs from the actual behaviour of your product, follow the behaviour of the device.
The configurations in this document were performed and verified in a lab environment with all device parameters at their factory defaults. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in this example.
This document assumes that you are familiar with WLAN access, AP management, NAT, and DHCP.
As shown in Figure 1, a company has a large number of branch sites or offices, and the APs at each branch register with the AC across the Internet. Based on the destination address, the AP decides whether traffic is forwarded centrally to the headquarters intranet or forwarded locally out to the Internet. Router A is the branch router and Router B is the headquarters router. The requirements are as follows:
· The AP obtains its IP address through Router A.
· The AP registers with the AC across the Internet.
· Clients obtain IP addresses and DNS resolution from the AC.
· Clients reach the public network through local forwarding on the AP, and reach the headquarters intranet through centralized forwarding on the AC.
Figure 1 Network diagram for the WLAN dual-gateway scenario with policy-based forwarding
· To let the branch APs establish connections with the headquarters AC across the Internet, configure Option 43 on Router A and manually specify the AC's IP address. To let the branch APs reach the headquarters AC from the public network, configure NAT on Router A and Router B.
· A real deployment has many branches and therefore many APs. To simplify configuration, enable auto AP and auto AP persistence on the AC.
· Because different networks are reached using different forwarding modes, configure a WLAN forwarding policy on the AC.
· To let the AP reach the headquarters intranet, edit the AP's configuration file in a text editor and upload the file to the AC's storage medium.
· Before configuring this example, make sure the devices in the network can reach each other.
(1) Configure DHCP
# Enable the DHCP server.
<RouterA> system-view
[RouterA] dhcp enable
# Configure DHCP address pool ap, which assigns IP addresses to APs.
[RouterA] dhcp server ip-pool ap
[RouterA-dhcp-pool-ap] network 192.168.10.0 mask 255.255.255.0
[RouterA-dhcp-pool-ap] gateway-list 192.168.10.1
# Configure the content of Option 43 as a custom (hex) option, giving the AP Router B's IP address 202.202.1.22/24. Because a NAT mapping is configured on Router B, the AP reaches the AC's IP address through that mapping.
[RouterA-dhcp-pool-ap] option 43 hex 8007000001CACA0116
[RouterA-dhcp-pool-ap] quit
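The hex string above packs the AC address list into H3C's vendor-specific Option 43 sub-option. The following is an added example, not code from the page or from H3C: it encodes and decodes that layout so the value typed into `option 43 hex` can be checked before it is handed to every branch AP. The byte layout (0x80 sub-option type, one length byte, two reserved zero bytes, a one-byte AC count, then one IPv4 address per AC) is inferred from the page's value 8007000001CACA0116 and H3C's documented convention; treat it as an assumption to confirm against your platform's DHCP option documentation.

```python
import ipaddress

# Sub-option type H3C uses inside Option 43 for the AC IPv4 address list.
# Layout assumed here: 80 <len> 00 00 <count> <ip1> [<ip2> ...]
SUB_OPTION_AC_IP = 0x80


def encode_option43(ac_addresses):
    """Build the hex string for `option 43 hex ...` from a list of AC IPv4 addresses."""
    if not 1 <= len(ac_addresses) <= 255:
        raise ValueError("need between 1 and 255 AC addresses")
    body = bytes([0x00, 0x00, len(ac_addresses)])       # reserved bytes + AC count
    for addr in ac_addresses:
        body += ipaddress.IPv4Address(addr).packed      # 4 bytes, network order
    return (bytes([SUB_OPTION_AC_IP, len(body)]) + body).hex().upper()


def decode_option43(hex_string):
    """Parse an Option 43 hex string back into AC addresses, rejecting malformed values."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2 or raw[0] != SUB_OPTION_AC_IP:
        raise ValueError("not an AC-address sub-option (type byte is not 0x80)")
    length = raw[1]
    payload = raw[2:]
    if len(payload) != length:
        raise ValueError(f"length byte says {length}, got {len(payload)} payload bytes")
    if length < 3:
        raise ValueError("payload too short for reserved bytes and AC count")
    count = payload[2]
    if len(payload) != 3 + 4 * count:
        raise ValueError(f"AC count {count} does not match payload size {len(payload)}")
    return [str(ipaddress.IPv4Address(payload[3 + 4 * i:7 + 4 * i])) for i in range(count)]


def is_valid_option43(hex_string):
    """True if the string decodes cleanly, False on any structural error."""
    try:
        decode_option43(hex_string)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The page's value: one AC reachable at 202.202.1.22 (Router B's public address).
    print(encode_option43(["202.202.1.22"]))          # 8007000001CACA0116
    print(decode_option43("8007000001caca0116"))      # ['202.202.1.22']
    # A second AC simply extends the list; the length byte grows by 4 per address.
    print(encode_option43(["202.202.1.22", "202.202.1.23"]))
```

Running the decoder over the value found in a branch router's configuration file is a quick way to spot a typo in the length or count byte, since an AP that receives a malformed option silently falls back to other discovery methods.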
(2) Configure NAT so the AP can reach the public network.
# Configure address group 0, which contains public address 202.20.1.20.
[RouterA] nat address-group 0
[RouterA-address-group-0] address 202.20.1.20 202.20.1.20
[RouterA-address-group-0] quit
# Configure ACL 2000 so that only packets from APs on internal subnet 192.168.10.0/24 are translated.
[RouterA] acl basic 2000
[RouterA-acl-ipv4-basic-2000] rule permit source 192.168.10.0 0.0.0.255
[RouterA-acl-ipv4-basic-2000] quit
# On interface GigabitEthernet1/0/2, configure outbound dynamic NAT so that packets matching ACL 2000 have their source address translated to an address in address group 0.
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] nat outbound 2000 address-group 0
[RouterA-GigabitEthernet1/0/2] quit
[RouterA] quit
(1) Configure NAT so the AP can reach the AC.
# Configure ACL 3000 to permit translation of packets from subnet 202.20.1.0/24 that are destined for the AC.
<RouterB> system-view
[RouterB] acl advanced 3000
[RouterB-acl-ipv4-adv-3000] rule 0 permit ip source 202.20.1.0 0.0.0.255 destination 202.202.1.22 0
[RouterB-acl-ipv4-adv-3000] quit
# On interface GigabitEthernet1/0/1, configure a NAT internal server that translates the destination address of packets matching ACL 3000 to the same internal server address.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] nat server global 3000 inside 192.168.1.111
[RouterB-GigabitEthernet1/0/1] quit
[RouterB] quit
(1) Create the map-OnAP.txt file
# Create the file map-OnAP.txt locally and upload it to the AC. The file contents are as follows:
vlan 2
interface Vlan-interface1
nat outbound 3000
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1
interface Vlan-interface2
ip address 172.16.4.3 255.255.255.0
acl advanced 3000
rule 0 permit ip source 172.16.4.0 0.0.0.255
(2) Configure basic settings
# Configure IP addresses for the interfaces as shown in the network diagram. (Details not shown.)
# Create VLAN 2 and assign IP address 172.16.4.1/24 to VLAN-interface 2.
<AC> system-view
[AC] vlan 2
[AC-vlan2] quit
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 172.16.4.1 255.255.255.0
[AC-Vlan-interface2] quit
# Add interface GigabitEthernet1/0/2 to VLAN 2.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-mode bridge
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/2] port trunk permit vlan 2
[AC-GigabitEthernet1/0/2] quit
# Configure routes from the AC to the local and remote public address ranges, and to headquarters intranet subnet 172.16.5.0/24.
[AC] ip route-static 202.20.1.0 24 192.168.1.22
[AC] ip route-static 202.202.1.0 24 192.168.1.22
[AC] ip route-static 172.16.5.0 24 172.16.4.2
(3) Configure DHCP and DNS.
# Enable the DHCP server and configure DHCP address pool sta, which assigns IP addresses to clients.
[AC] dhcp enable
[AC] dhcp server ip-pool sta
[AC-dhcp-pool-sta] network 172.16.4.0 mask 255.255.255.0
[AC-dhcp-pool-sta] gateway-list 172.16.4.1
# Specify the headquarters DNS server address 192.168.1.10/24.
[AC-dhcp-pool-sta] dns-list 192.168.1.10
# Exclude the gateway address and the address reserved for the AP's service VLAN interface from dynamic allocation. Use two commands, as in the final configuration: a single forbidden-ip command with two addresses excludes the whole range between them.
[AC-dhcp-pool-sta] forbidden-ip 172.16.4.1
[AC-dhcp-pool-sta] forbidden-ip 172.16.4.3
[AC-dhcp-pool-sta] quit
(4) Configure AP management.
# Enable auto AP and auto AP persistence.
[AC] wlan auto-ap enable
[AC] wlan auto-persistent enable
(5) Configure the WLAN forwarding policy
# Create IPv4 advanced ACL 3001 with the following rules: permit DNS packets, BOOTPC and BOOTPS packets, and packets sourced from 172.16.4.0/24 and destined for 172.16.4.0/24 or 172.16.5.0/24.
[AC] acl advanced 3001
[AC-acl-ipv4-adv-3001] rule 0 permit udp source-port eq dns
[AC-acl-ipv4-adv-3001] rule 1 permit udp destination-port eq dns
[AC-acl-ipv4-adv-3001] rule 2 permit udp source-port eq bootpc
[AC-acl-ipv4-adv-3001] rule 3 permit udp destination-port eq bootps
[AC-acl-ipv4-adv-3001] rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
[AC-acl-ipv4-adv-3001] rule 5 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
[AC-acl-ipv4-adv-3001] quit
# Create WLAN forwarding policy remote so that packets matching ACL 3001 are forwarded centrally, and enable forwarding of external-network traffic in local forwarding mode.
[AC] wlan forwarding-policy remote
[AC-wlan-fp-remote] classifier acl 3001 behavior remote
[AC-wlan-fp-remote] client behavior-local network-flow-forwarding enable
[AC-wlan-fp-remote] quit
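The policy above is the security boundary of this design: whatever ACL 3001 permits is tunnelled back to the AC, everything else leaves the branch through the AP's own NAT. The following added example (not code from the page or from H3C) re-implements that first-match classification in Python over constructed sample flows for the client at 172.16.4.11, using H3C wildcard-mask semantics, so that a reviewer can see which path DHCP, DNS, headquarters and Internet traffic take before changing the ACL. The `Flow` type, the sample flows and the rule labels are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Constructed five-tuple used as classifier input (not a real capture)."""
    src: str
    dst: str
    proto: str        # "udp", "tcp" or "icmp"
    sport: int = 0    # 0 for protocols without ports
    dport: int = 0


DNS, BOOTPS, BOOTPC = 53, 67, 68


def wildcard_match(addr, network, wildcard):
    """H3C ACL wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def from_site(flow):
    return wildcard_match(flow.src, "172.16.4.0", "0.0.0.255")


# The six rules of ACL 3001 from the page, in the order the device evaluates them.
ACL_3001 = [
    ("rule 0", lambda f: f.proto == "udp" and f.sport == DNS),
    ("rule 1", lambda f: f.proto == "udp" and f.dport == DNS),
    ("rule 2", lambda f: f.proto == "udp" and f.sport == BOOTPC),
    ("rule 3", lambda f: f.proto == "udp" and f.dport == BOOTPS),
    ("rule 4", lambda f: from_site(f) and wildcard_match(f.dst, "172.16.4.0", "0.0.0.255")),
    ("rule 5", lambda f: from_site(f) and wildcard_match(f.dst, "172.16.5.0", "0.0.0.255")),
]


def forwarding_decision(flow):
    """First matching permit rule -> centralized ("remote") forwarding through the
    CAPWAP tunnel to the AC; no match -> local forwarding on the AP, which the
    `client behavior-local network-flow-forwarding enable` setting NATs out."""
    for name, pred in ACL_3001:
        if pred(flow):
            return "remote", name
    return "local", None


# Constructed sample flows; 172.16.4.11 is the client address shown on the page.
SAMPLE_FLOWS = {
    "dhcp_discover": Flow("0.0.0.0", "255.255.255.255", "udp", BOOTPC, BOOTPS),
    "dns_query":     Flow("172.16.4.11", "192.168.1.10", "udp", 51234, DNS),
    "hq_ping":       Flow("172.16.4.11", "172.16.5.2", "icmp"),
    "ap_mgmt":       Flow("172.16.4.11", "172.16.4.3", "tcp", 40001, 22),
    "internet":      Flow("172.16.4.11", "202.202.1.188", "icmp"),
    # UDP to the Internet sent from source port 53: rule 0 keys on the port only.
    "udp_src53":     Flow("172.16.4.11", "202.202.1.188", "udp", DNS, 40002),
}


def classify_samples():
    """Map each sample flow name to its forwarding path."""
    return {name: forwarding_decision(f)[0] for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        path, rule = forwarding_decision(flow)
        print(f"{name:14s} {flow.src:>15s} -> {flow.dst:<15s} {path:6s} {rule}")
```

The `udp_src53` sample illustrates a property worth knowing when auditing this ACL: rules 0 to 3 match on UDP port numbers alone, with no address constraint, so they classify by port rather than by destination. That is what makes DHCP and DNS from an as-yet-unaddressed client reach the AC, and it is also why any UDP traffic using those ports, whatever its destination, is carried to headquarters.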
# Create WLAN service template chn, set the SSID to CHN, and assign clients that come online through service template chn to VLAN 2.
[AC] wlan service-template chn
[AC-wlan-st-chn] ssid CHN
[AC-wlan-st-chn] vlan 2
# Set the forwarding location to the AP, apply WLAN forwarding policy remote, and enable the forwarding policy.
[AC-wlan-st-chn] client forwarding-location ap
[AC-wlan-st-chn] client forwarding-policy-name remote
[AC-wlan-st-chn] client forwarding-policy enable
# Set the AKM mode to PSK and set the PSK to plaintext string 12345678.
[AC-wlan-st-chn] akm mode psk
[AC-wlan-st-chn] preshared-key pass-phrase simple 12345678
# Set the cipher suite to CCMP and the security IE to RSN.
[AC-wlan-st-chn] cipher-suite ccmp
[AC-wlan-st-chn] security-ie rsn
# Enable the service template.
[AC-wlan-st-chn] service-template enable
[AC-wlan-st-chn] quit
# Deliver configuration file map-OnAP.txt to the AP.
[AC] wlan ap-group default-group
[AC-wlan-ap-group-default-group] ap-model WA6320
[AC-wlan-ap-group-default-group-ap-model-WA6320] map-configuration flash:/map-OnAP.txt
# Bind service template chn to radio 1 and enable the radio.
[AC-wlan-ap-group-default-group-ap-model-WA6320] radio 1
[AC-wlan-ap-group-default-group-ap-model-WA6320-radio-1] service-template chn
[AC-wlan-ap-group-default-group-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-default-group-ap-model-WA6320-radio-1] quit
[AC-wlan-ap-group-default-group-ap-model-WA6320] quit
[AC-wlan-ap-group-default-group] quit
# Display detailed AP information on the AC. The AP has established a tunnel with the AC and entered the Run state; the discovery type is DHCP and the AP address is public address 202.20.1.20.
[AC] display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 2048
Remaining APs: 2047
Total AP licenses: 32
Local AP licenses: 32
Server AP licenses: 0
Remaining local AP licenses: 31
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
0015-005e-9348 2 R/M WA6320 219801A28N819CE0002T
[AC] display wlan ap name 0015-005e-9348 verbose
AP name : 0015-005e-9348
AP ID : 2
AP group name : default-group
State : Run
Backup type : Master
Online time : 1 days 5 hours 25 minutes 22 seconds
System up time : 1 days 6 hours 30 minutes 4 seconds
Model : WA6320
Region code : CN
Region code lock : Disabled
Serial ID : 219801A28N819CE0002T
MAC address : 70f9-6dd3-61e0
IP address : 202.20.1.20
UDP control port number : 1099
UDP data port number : 1102
H/W version : Ver.C
S/W version : R2215
Boot version : 7.10
USB state : N/A
Power Level : N/A
PowerInfo : N/A
Description : Not configured
Priority : 4
Echo interval : 10 seconds
Echo count : 3 counts
Keepalive interval : 10 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
Discovery type : DHCP
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 34001
Received control packets : 34001
Echo requests : 10591
Lost echo responses : 3
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 202.20.1.20
Tunnel down reason : Processed join request in Run state
Connection count : 15
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Tunnel encryption : Disabled
LED mode : Normal
Remote configuration : Disabled
Radio 1:
Basic BSSID : 70f9-6dd3-61e0
Admin state : Up
Radio type : 802.11ac
Antenna type : internal
Client dot11ac-only : Disabled
Client dot11n-only : Disabled
Channel band-width : 20/40/80MHz
Active band-width : 20/40/80MHz
Secondary channel offset : SCA
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160MHz : Not supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational VHT-MCS Set:
Mandatory : Not configured
Supported : NSS1 0,1,2,3,4,5,6,7,8,9
NSS2 0,1,2,3,4,5,6,7,8,9
Multicast : Not configured
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 149(auto)
Channel usage(%) : 0
Max power : 20 dBm
Operational rate:
Mandatory : 6, 12, 24 Mbps
Multicast : Auto
Supported : 9, 18, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise floor : -105 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : cts-to-self
Continuous mode : N/A
HT protection mode : No protection
Radio 2:
Basic BSSID : 70f9-6dd3-61f0
Admin state : Down
Radio type : 802.11n(2.4GHz)
Antenna type : internal
Client dot11n-only : Disabled
Channel band-width : 20MHz
Active band-width : 20MHz
Secondary channel offset : SCN
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 6(auto)
Channel usage(%) : 0
Max power : 20 dBm
Preamble type : Short
Operational rate:
Mandatory : 1, 2, 5.5, 11 Mbps
Multicast : Auto
Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise floor : 0 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : cts-to-self
Continuous mode : N/A
HT protection mode : No protection
# Display client information on the AC. The client has obtained an address in 172.16.4.0/24 and its forwarding policy is remote.
[AC] display wlan client
Total number of clients: 1
MAC address User name AP name RID IP address VLAN
0015-005e-9348 N/A 0015-005e-9348 1 172.16.4.11 2
[AC] display wlan client verbose
Total number of clients: 1
MAC address : 0015-005e-9348
IPv4 address : 172.16.4.11
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 0015-005e-9348
Radio ID : 1
SSID : CHN
BSSID : 70f9-6dd3-61e0
VLAN ID : 2
Sleep count : 0
Wireless mode : 802.11an
Channel bandwidth : 40MHz
20/40 BSS Coexistence Management : Not supported
SM power save : Disabled
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
STBC RX capability : Supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
Block Ack : N/A
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 100
RSSI : 0
Rx/Tx rate : 0/0
Authentication method : Open system
Security mode : PRE-RSNA
AKM mode : N/A
Cipher suite : N/A
User authentication mode : Bypass
Authorization ACL ID : N/A
Authorization user profile : N/A
Roam status : N/A
Key derivation : N/A
PMF status : N/A
Forwarding policy name : remote
Online time : 0days 0hours 0minutes 33seconds
FT status : Inactive
# The client pings headquarters intranet addresses 172.16.4.2, 172.16.5.1, and 172.16.5.2; all succeed.
C:\Users\h3c>ping 172.16.4.2
Pinging 172.16.4.2 with 32 bytes of data:
Reply from 172.16.4.2: bytes=32 time=6ms TTL=255
Reply from 172.16.4.2: bytes=32 time=3ms TTL=255
Reply from 172.16.4.2: bytes=32 time=6ms TTL=255
Reply from 172.16.4.2: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.4.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 6ms, Average = 4ms
C:\Users\h3c>ping 172.16.5.1
Pinging 172.16.5.1 with 32 bytes of data:
Reply from 172.16.5.1: bytes=32 time=9ms TTL=255
Reply from 172.16.5.1: bytes=32 time=1ms TTL=255
Reply from 172.16.5.1: bytes=32 time=5ms TTL=255
Reply from 172.16.5.1: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.5.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 9ms, Average = 4ms
C:\Users\h3c>ping 172.16.5.2
Pinging 172.16.5.2 with 32 bytes of data:
Reply from 172.16.5.2: bytes=32 time=8ms TTL=255
Reply from 172.16.5.2: bytes=32 time=2ms TTL=255
Reply from 172.16.5.2: bytes=32 time=5ms TTL=255
Reply from 172.16.5.2: bytes=32 time=3ms TTL=255
Ping statistics for 172.16.5.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 8ms, Average = 4ms
# The client pings external host www.baidu.com successfully.
C:\Users\h3c>ping www.baidu.com
Pinging www.baidu.com [202.202.1.188] with 32 bytes of data:
Reply from 202.202.1.188: bytes=32 time=7ms TTL=255
Reply from 202.202.1.188: bytes=32 time=3ms TTL=255
Reply from 202.202.1.188: bytes=32 time=3ms TTL=255
Reply from 202.202.1.188: bytes=32 time=2ms TTL=255
Ping statistics for 202.202.1.188:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 7ms, Average = 3ms
· Router A
#
nat address-group 0
address 202.20.1.20 202.20.1.20
#
dhcp enable
#
dhcp server ip-pool ap
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
option 43 hex 8007000001caca0116
#
interface GigabitEthernet1/0/2
nat outbound 2000 address-group 0
#
acl basic 2000
rule 0 permit source 192.168.10.0 0.0.0.255
#
· Router B
#
interface GigabitEthernet1/0/1
nat server global 3000 inside 192.168.1.111
#
acl advanced 3000
rule 0 permit ip source 202.20.1.0 0.0.0.255 destination 202.202.1.22 0
#
· AC
#
dhcp enable
#
vlan 2
#
dhcp server ip-pool sta
gateway-list 172.16.4.1
network 172.16.4.0 mask 255.255.255.0
dns-list 192.168.1.10
forbidden-ip 172.16.4.1
forbidden-ip 172.16.4.3
#
wlan forwarding-policy remote
classifier acl 3001 behavior remote
client behavior-local network-flow-forwarding enable
#
wlan service-template chn
ssid CHN
vlan 2
client forwarding-location ap
client forwarding-policy-name remote
client forwarding-policy enable
akm mode psk
preshared-key pass-phrase cipher $c$3$4T2hQpGTY8qC3U4KL3G2sMgv9RNfRZdZfDqY
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface Vlan-interface2
ip address 172.16.4.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2
#
ip route-static 172.16.5.0 24 172.16.4.2
ip route-static 202.20.1.0 24 192.168.1.22
ip route-static 202.202.1.0 24 192.168.1.22
#
acl advanced 3001
rule 0 permit udp source-port eq dns
rule 1 permit udp destination-port eq dns
rule 2 permit udp source-port eq bootpc
rule 3 permit udp destination-port eq bootps
rule 4 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.4.0 0.0.0.255
rule 5 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.5.0 0.0.0.255
#
wlan auto-ap enable
wlan auto-persistent enable
#
wlan ap-group default-group
ap-model WA6320
radio 1
radio enable
service-template chn
radio 2
gigabitethernet 1
gigabitethernet 2
#
· "WLAN Configuration Guide" in H3C Access Controllers Configuration Guides.
· "WLAN Command Reference" in H3C Access Controllers Command References.
· "Layer 3 - IP Services Configuration Guide" in H3C Access Controllers Configuration Guides.
· "Layer 3 - IP Services Command Reference" in H3C Access Controllers Command References.
Documentation for different models and specifications may differ slightly. For details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the contents of the documentation without notice.