标签:冷备 depart AC2 S3 AP AC1 wlan 双链 WLAN
实验背景
企业内网无线终端数量越来越多,为了保证无线业务的稳定性,作为网络工程师的你决定采购一台AC,部署双链路冷备技术,与原有的AC进行主备备份,提高无线业务的可靠性
组网介绍
- 设备连接方式如图所示,AC1为主AC、AC2为备AC,AP分别与主、备AC建立CAPWAP隧道,AP与主、备AC之间定期交互CAPWAP报文检测链路状态,当AP检测到AP与主AC之间的链路发生故障时,AP通知备AC启动主备倒换,备AC升为主AC控制STA的无线接入功能,提高WLAN网络可靠性
- S4交换机二层透传AP2的报文,S3作为AP管理地址、终端业务地址的网关
- S3开启DHCP服务为AP1、AP2分配管理地址,为无线终端分配业务地址,AP通过DHCP报文中的Option43获取AC地址(AC1、AC2),所有AP都采用直接转发模式
数据规划:
配置项 | 配置参数 |
AP管理VLAN | VLAN10 |
STA业务VLAN | VLAN11 |
DHCP服务器 | S3作为DHCP服务器为AP分配IP地址 S3作为DHCP服务器为STA分配IP地址 |
AP的IP地址池 | 10.0.10.0/24 |
STA的IP地址池 | 10.0.11.0/24 |
AC的源接口IP地址 | 10.0.100.1、10.0.100.2 |
AP组 | 名称:depart 引用模板:VAP模板depart |
域管理模板 | 名称:default 国家码:中国(CN) |
SSID模板 | 名称:depart SSID名称:LB |
安全模板 | 名称:depart 安全策略:WPA2+PSK+AES 密码:a1234567 |
VAP模板 | 名称:depart 转发模式:直连模式 业务VLAN:VLAN11 引用模板:SSID模板depart,安全模板:depart |
双链路冷备 | AC1优先级:0 AC2优先级:1 |
配置思路:
- 配置有线侧相关功能
- S3作为AP管理流量、无线终端业务流量的网关
- AC1、AC2使用VLANIF100与S3的VLAN100进行三层通信,使用VLANIF100接口作为CAPWAP源接口
- 配置AC1、AC2上的WLAN业务
- 配置双链路冷备,配置AC1的优先级为0,AC2的优先级为1,使得AC1成为主AC、AC2成为备AC
- 验证双链路冷备,关闭AC1的接口,查看AC2上AP、Station状态
操作步骤
步骤1:有些侧网络配置
按照规划配置交换机、AC的有线侧网络配置
[S3]vlan batch 10 11 100
[S3]interface GigabitEthernet 0/0/1
[S3-GigabitEthernet0/0/1]port link-type trunk
[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[S3-GigabitEthernet0/0/1]quit
[S3]interface GigabitEthernet 0/0/2
[S3-GigabitEthernet0/0/2]port link-type trunk
[S3-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[S3-GigabitEthernet0/0/2]quit
[S3]interface GigabitEthernet 0/0/3
[S3-GigabitEthernet0/0/3]port link-type trunk
[S3-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 11
[S3-GigabitEthernet0/0/3]quit
[S3]interface GigabitEthernet 0/0/4
[S3-GigabitEthernet0/0/4]port link-type trunk
[S3-GigabitEthernet0/0/4]port trunk pvid vlan 10
[S3-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 11
[S3-GigabitEthernet0/0/4]quit
S3连接AP1的接口PVID注意设置为VLAN10,连接S4的接口需要放通业务VLAN、管理VLAN,连接AC的接口放通VLAN100
[S4]vlan batch 10 11
[S4]interface GigabitEthernet 0/0/3
[S4-GigabitEthernet0/0/3]port link-type trunk
[S4-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 11
[S4-GigabitEthernet0/0/3]quit
[S4]interface GigabitEthernet 0/0/4
[S4-GigabitEthernet0/0/4]port link-type trunk
[S4-GigabitEthernet0/0/4]port trunk pvid vlan 10
[S4-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 11
[S4-GigabitEthernet0/0/4]quit
S4连接AP的接口PVID注意设置为VLAN10,上行接口透传管理VLAN10、业务VLAN11
[AC1]vlan batch 100
[AC1]interface GigabitEthernet 0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1]quit
接口放通VLAN100
[AC2]vlan batch 100
[AC2]interface GigabitEthernet 0/0/1
[AC2-GigabitEthernet0/0/1]port link-type trunk
[AC2-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1]quit
接口放通VLAN100
# S3、AC1、AC2上创建VLANIF
[S3]interface Vlanif 10
[S3-Vlanif10]ip address 10.0.10.1 24
[S3-Vlanif10]quit
[S3]interface Vlanif 11
[S3-Vlanif11]ip address 10.0.11.1 24
[S3-Vlanif11]quit
[S3]interface Vlanif 100
[S3-Vlanif100]ip address 10.0.100.3 24
[S3-Vlanif100]quit
S3上VLANIF10作为AP1、AP2的管理VLAN网关,VLAN11作为AP1、AP2下终端业务VLAN网关、VLANIF100用于AC1、AC2进行三层通信
[AC1]interface Vlanif 100
[AC1-Vlanif100]ip address 10.0.100.1 24
[AC1-Vlanif100]quit
[AC1]capwap source interface Vlanif 100
AC1的VLANIF100作为CAPWAP源接口
[AC2]interface Vlanif 100
[AC2-Vlanif100]ip address 10.0.100.2 24
[AC2-Vlanif100]quit
[AC2]capwap source interface Vlanif 100
AC2的VLANIF100作为CAPWAP源接口
# AC1、AC2上配置前往AP管理网段的路由
[AC1]ip route-static 10.0.10.0 24 10.0.100.3
[AC2]ip route-static 10.0.10.0 24 10.0.100.3
为了让AC和获取到管理网段地址的AP进行CAPWAP通信,在AC上手动配置静态路由
# 在S3上配置DHCP服务
[S3]dhcp enable
开启DHCP服务
[S3]ip pool ap
[S3-ip-pool-ap]network 10.0.10.0 mask 24
[S3-ip-pool-ap]gateway-list 10.0.10.1
[S3-ip-pool-ap]option 43 sub-option 2 ip-address 10.0.100.1 10.0.100.2
[S3-ip-pool-ap]quit
[S3]ip pool service
[S3-ip-pool-service]network 10.0.11.0 mask 24
[S3-ip-pool-service]gateway-list 10.0.11.1
[S3-ip-pool-service]dns-list 10.0.11.1
[S3-ip-pool-service]quit
地址池ap为AP分配管理地址,携带Option43指定AC地址,注意采用sub-option2同时指定主AC、备AC地址
地址池service为AP1、AP2的无线终端分配地址,所有地址池的网关都设为S3的VLANIF接口地址
[S3]interface Vlanif 10
[S3-Vlanif10]dhcp select global
[S3-Vlanif10]quit
[S3]interface Vlanif 11
[S3-Vlanif11]dhcp select global
[S3-Vlanif11]quit
接口下选择全局地址池
步骤3:配置AC
创建ap-group depart,采用MAC地址认证方式关联AP,将AP命名为AP1、AP2,关联到ap-group depart,配置参数模板关联到VAP模板
AC1、AC2上WLAN相关配置一致,此处以AC1为例,不再展示AC2的配置
# 创建名为depart的AP组
[AC1]wlan
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group-depart]quit
# 创建域管理模板,在域管理模板下配置AC的国家码
[AC1-wlan-view]regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default]country-code cn
[AC1-wlan-regulate-domain-default]quit
域管理模板提供对AP的国家码、调优信道集合和调优带宽等的配置
缺省情况下,系统上存在名为default的域管理模板。故当前进入了默认存在的default模板
# 在AP组下引用域管理模板
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group-depart]regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-depart]quit
# 添加AP
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 0 ap-mac 00e0-fcad-7c40
[AC1-wlan-ap-0]ap-name AP1
[AC1-wlan-ap-0]ap-group depart
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-0]quit
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc36-08d0
[AC1-wlan-ap-1]ap-name AP2
[AC1-wlan-ap-1]ap-group depart
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-1]quit
# 配置参数模板
[AC1-wlan-view]security-profile name depart
[AC1-wlan-sec-prof-depart]security wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-depart]quit
[AC1-wlan-view]ssid-profile name depart
[AC1-wlan-ssid-prof-depart]ssid LB
[AC1-wlan-ssid-prof-depart]quit
[AC1-wlan-view]vap-profile name depart
[AC1-wlan-vap-prof-depart]security-profile depart
[AC1-wlan-vap-prof-depart]ssid-profile depart
[AC1-wlan-vap-prof-depart]service-vlan vlan-id 11
[AC1-wlan-vap-prof-depart]forward-mode direct-forward
[AC1-wlan-vap-prof-depart]quit
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group-depart]vap-profile depart wlan 1 radio all
[AC1-wlan-ap-group-depart]quit
配置 security-profile depart,采用WPA2-PSK认证,配置预共享密钥为a1234567
配置 ssid-profile depart,设置SSID为LB
配置 vap-profile,设置转发模式为直接转发,业务VLAN设置为11,调用ssid-profile depart、security-profile depart。
在 ap-group depart中调用vap-profile depart
步骤4:配置双链路冷备份
在主、备AC上为AP指定对方AC的IP地址,指定AC1的优先级为0,AC2的优先级为1,使得AC1成为主AC、AC2成为备AC
# 配置AC1
[AC1-wlan-view]ac protect protect-ac 10.0.100.2 priority 0
[AC1-wlan-view]undo ac protect restore disable
[AC1-wlan-view]ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.done.
Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
缺省情况下,双链路备份功能为使能,执行命令ac protect enable会提示重启所有AP。AP重启后,双链路备份功能开始生效
# 配置AC2
[AC2-wlan-view]ac protect protect-ac 10.0.100.1 priority 1
[AC2-wlan-view]undo ac protect restore disable
[AC2-wlan-view]ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.done.
Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
步骤5:结果验证
# 在AC1上执行命令display ac protect,查看AC上双链路信息和优先级
对端为10.0.100.2,本端优先级为0
# 在AC2上执行命令display ac protect,查看AC上双链路信息和优先级
对端为10.0.100.1,本端优先级为1
# 在AC1、AC2上检查AP上线状态
此时,在AC1上AP的状态为normal,而在AC2上位standby,AP分别与AC1、AC2建立了CAPWAP隧道
标签:冷备,depart,AC2,S3,AP,AC1,wlan,双链,WLAN 来源: https://www.cnblogs.com/hongliang888/p/16594588.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。