• 华为配置CAPWAP双栈覆盖业务示例


     

    配置CAPWAP双栈覆盖业务示例

    组网图形

    图1 配置CAPWAP双栈覆盖业务示例组网图

    • 业务需求
    • 组网需求
    • 数据规划
    • 配置思路
    • 配置注意事项
    • 操作步骤
    • 配置文件
    业务需求

    企业用户接入WLAN网络,以满足移动办公的最基本需求。且在覆盖区域内移动发生漫游时,不影响用户的业务使用。区域1(AP1覆盖的范围)为IPv4网络,区域2(AP2覆盖的范围)为IPv6网络,AC和AP之间配置IPV4和IPV6 CAPWAP双协议栈,AC可以同时管理IPv4和IPv6的AP。

    组网需求
    • AC组网方式:直连二层组网。
    • DHCP部署方式:AC作为DHCP服务器为AP和STA分配IPv4和IPv6地址。
    • 业务数据转发方式:隧道转发。
    数据规划
    表1 AC数据规划表

    配置项

    数据

    DHCP服务器

    AC作为DHCP服务器为STA和AP分配IPv4和IPv6地址

    AP的IP地址池

    IPv4地址池:10.23.100.2~10.23.100.254/24

    IPv6地址池:FC01::2~FC01::FFFF:FFFF:FFFF:FFFF/64

    STA的IP地址池

    IPv4地址池:10.23.101.2~10.23.101.254/24

    IPv6地址池:FC02::2~FC01::FFFF:FFFF:FFFF:FFFF/64

    AC的源接口IP地址

    IPv4源接口,VLANIF100:10.23.100.1/24

    IPv6源接口,VLANIF200:FC01::1/64

    AP组

    • 名称:ap-group_ipv4
    • 引用模板:VAP模板wlan-net、域管理模板default
    • 名称:ap-group_ipv6
    • 引用模板:VAP模板wlan-net、域管理模板default

    域管理模板

    • 名称:default
    • 国家码:中国

    SSID模板

    • 名称:wlan-net
    • SSID名称:wlan-net

    安全模板

    • 名称:wlan-net
    • 安全策略:WPA-WPA2+PSK+AES
    • 密码:a1234567

    VAP模板

    • 名称:wlan-net
    • 转发模式:隧道转发
    • 业务VLAN:VLAN101
    • 引用模板:SSID模板wlan-net、安全模板wlan-net
    配置思路
    1. 配置AP、AC和周边网络设备之间实现网络互通。
    2. 在AC上配置DHCPv4和DHCPv6服务器为AP分配IP地址,配置DHCPv6和DHCPv4服务器为STA分配IP地址。
    3. 配置AP上线。
      1. 创建AP组,按照区域进行AP组划分,将同一区域的AP都加入同一AP组中,并限制AP上线的IP版本号。
      2. 配置AC的系统参数,包括国家码、AC与AP之间通信的源接口。
      3. 配置AP上线的认证方式并离线导入AP,实现AP正常上线。
    4. 配置WLAN业务参数,实现STA访问WLAN网络功能。
    配置注意事项
    • 纯组播报文由于协议要求在无线空口没有ACK机制保障,且无线空口链路不稳定,为了纯组播报文能够稳定发送,通常会以低速报文形式发送。如果网络侧有大量异常组播流量涌入,则会造成无线空口拥堵。为了减小大量低速组播报文对无线网络造成的冲击,建议配置组播报文抑制功能。配置前请确认是否有组播业务,如果有,请谨慎配置限速值。
      • 业务数据转发方式采用直接转发时,建议在直连AP的交换机接口上配置组播报文抑制。
      • 业务数据转发方式采用隧道转发时,建议在AC的流量模板下配置组播报文抑制。
    • 建议在与AP直连的设备接口上配置端口隔离,如果不配置端口隔离,尤其是业务数据转发方式采用直接转发时,可能会在VLAN内形成大量不必要的广播报文,导致网络阻塞,影响用户体验。

    • 隧道转发模式下,管理VLAN和业务VLAN不能配置为同一VLAN,且AP和AC之间只能放通管理VLAN,不能放通业务VLAN。

    • V200R021C00版本开始,配置CAPWAP源接口或源地址时,会检查和安全相关的配置是否已存在,包括DTLS加密的PSK、AC间DTLS加密的PSK、登录AP的用户名和密码、全局离线管理VAP的登录密码,均已存在才能成功配置,否则会提示用户先完成相关的配置。
    • V200R021C00版本开始,AC默认开启CAPWAP控制隧道的DTLS加密功能。开启该功能,添加AP时AP会上线失败,此时需要先开启CAPWAP DTLS不认证方式(capwap dtls no-auth enable)让AP上线,以便AP获取安全凭证,AP上线后应及时关闭该功能(undo capwap dtls no-auth enable),避免未授权AP上线。
    操作步骤
    1. 配置周边设备

      # 配置接入交换机SwitchA的GE0/0/3接口加入VLAN100和VLAN200,GE0/0/1接口加入VLAN100,GE0/0/2接口加入VLAN200。GE0/0/1的缺省VLAN为VLAN100,GE0/0/2的缺省VLAN为VLAN200。
      1. system-view
      2. [HUAWEI] sysname SwitchA
      3. [SwitchA] vlan batch 100 200
      4. [SwitchA] interface gigabitethernet 0/0/1
      5. [SwitchA-GigabitEthernet0/0/1] port link-type trunk
      6. [SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
      7. [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
      8. [SwitchA-GigabitEthernet0/0/1] port-isolate enable
      9. [SwitchA-GigabitEthernet0/0/1] quit
      10. [SwitchA] interface gigabitethernet 0/0/2
      11. [SwitchA-GigabitEthernet0/0/2] port link-type trunk
      12. [SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 200
      13. [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
      14. [SwitchA-GigabitEthernet0/0/2] port-isolate enable
      15. [SwitchA-GigabitEthernet0/0/2] quit
      16. [SwitchA] interface gigabitethernet 0/0/3
      17. [SwitchA-GigabitEthernet0/0/3] port link-type trunk
      18. [SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
      19. [SwitchA-GigabitEthernet0/0/3] quit
      # 配置Router的接口GE1/0/0加入VLAN101,创建接口VLANIF101并配置IPv4地址为10.23.101.2/24,IPv6地址为FC02::2/64。
      1. system-view
      2. [Huawei] sysname Router
      3. [Router] ipv6
      4. [Router] vlan batch 101
      5. [Router] interface gigabitethernet 1/0/0
      6. [Router-GigabitEthernet1/0/0] port link-type trunk
      7. [Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
      8. [Router-GigabitEthernet1/0/0] quit
      9. [Router] interface vlanif 101
      10. [Router-Vlanif101] ip address 10.23.101.2 24
      11. [Router-Vlanif101] ipv6 enable
      12. [Router-Vlanif101] ipv6 address fc02::2/64
      13. [Router-Vlanif101] quit
    2. 配置AC与其它网络设备互通

      # 配置AC的接口GE0/0/1加入VLAN100和VLAN200,GE0/0/2加入VLAN101。
      1. system-view
      2. [HUAWEI] sysname AC
      3. [AC] vlan batch 100 101 200
      4. [AC] interface gigabitethernet 0/0/1
      5. [AC-GigabitEthernet0/0/1] port link-type trunk
      6. [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
      7. [AC-GigabitEthernet0/0/1] quit
      8. [AC] interface gigabitethernet 0/0/2
      9. [AC-GigabitEthernet0/0/2] port link-type trunk
      10. [AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
      11. [AC-GigabitEthernet0/0/2] quit
    3. 配置DHCP服务器为STA和AP分配IP地址

      # 在AC上配置VLANIF100接口为AP提供IPv4地址。
      1. [AC] dhcp enable
      2. [AC] interface vlanif 100
      3. [AC-Vlanif100] ip address 10.23.100.1 24
      4. [AC-Vlanif100] dhcp select interface
      5. [AC-Vlanif100] quit
      # 在AC上配置VLANIF200接口为AP提供IPv6地址。
      1. [AC] ipv6
      2. [AC] dhcp enable
      3. [AC] dhcpv6 pool ap_pool
      4. [AC-dhcpv6-pool-ap_pool] address prefix fc01::/64
      5. [AC-dhcpv6-pool-ap_pool] quit
      6. [AC] interface vlanif 200
      7. [AC-Vlanif200] ipv6 enable
      8. [AC-Vlanif200] ipv6 address fc01::1/64
      9. [AC-Vlanif200] undo ipv6 nd ra halt
      10. [AC-Vlanif200] ipv6 nd autoconfig managed-address-flag
      11. [AC-Vlanif200] ipv6 nd autoconfig other-flag
      12. [AC-Vlanif200] dhcpv6 server ap_pool
      13. [AC-Vlanif200] quit
      # 配置VLANIF101接口下的DHCPv4服务器和DHCPv6服务器为STA提供IP地址。
      DNS服务器地址请根据实际需要配置。常用配置方法如下:
      • 对于IPv4

        • 接口地址池场景,需要在VLANIF接口视图下执行命令dhcp server dns-list ip-address &<1-8>。
        • 全局地址池场景,需要在IP地址池视图下执行命令dns-list ip-address &<1-8>。
      • 对于IPv6

        在IPv6地址池视图下执行命令dns-server ipv6-address

      1. [AC] dhcpv6 pool sta_pool
      2. [AC-dhcpv6-pool-sta_pool] address prefix fc02::/64
      3. [AC-dhcpv6-pool-sta_pool] quit
      4. [AC] interface vlanif 101
      5. [AC-Vlanif101] ipv6 enable
      6. [AC-Vlanif101] ip address 10.23.101.1 24
      7. [AC-Vlanif101] dhcp select interface
      8. [AC-Vlanif101] ipv6 address fc02::1/64
      9. [AC-Vlanif101] undo ipv6 nd ra halt
      10. [AC-Vlanif101] ipv6 nd autoconfig managed-address-flag
      11. [AC-Vlanif101] ipv6 nd autoconfig other-flag
      12. [AC-Vlanif101] dhcpv6 server sta_pool
      13. [AC-Vlanif101] quit
    4. 配置AP上线

      # 创建AP组,按照区域进行AP组划分,将同一区域的AP都加入同一AP组中,并限制AP上线的IP版本号。
      1. [AC] wlan
      2. [AC-wlan-view] ap-group name ap-group_ipv4
      3. [AC-wlan-ap-group-ap-group_ipv4] ap ip version ipv4
      4. Warning: This operation may cause AP offline, Whether to continue? [Y/N]:y
      5. [AC-wlan-ap-group-ap-group_ipv4] quit
      6. [AC-wlan-view] ap-group name ap-group_ipv6
      7. [AC-wlan-ap-group-ap-group_ipv6] ap ip version ipv6
      8. Warning: This operation may cause AP offline, Whether to continue? [Y/N]:y
      9. [AC-wlan-ap-group-ap-group_ipv6] quit
      # 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
      1. [AC-wlan-view] regulatory-domain-profile name default
      2. [AC-wlan-regulate-domain-default] country-code cn
      3. [AC-wlan-regulate-domain-default] quit
      4. [AC-wlan-view] ap-group name ap-group_ipv4
      5. [AC-wlan-ap-group-ap-group_ipv4] regulatory-domain-profile default
      6. Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
      7. [AC-wlan-ap-group-ap-group_ipv4] quit
      8. [AC-wlan-view] ap-group name ap-group_ipv6
      9. [AC-wlan-ap-group-ap-group_ipv6] regulatory-domain-profile default
      10. Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
      11. [AC-wlan-ap-group-ap-group_ipv6] quit
      12. [AC-wlan-view] quit
      # 配置AC的源接口。
      1. [AC] capwap double-stack enable
      2. [AC] capwap source interface vlanif 100
      3. [AC] capwap source interface vlanif 200
      # 在AC上离线导入AP,并将AP分别加入AP组“ap-group_ipv4”和“ap-group_ipv6”中。假设AP1的MAC地址为dcd2-fcf6-76a0,AP2的MAC地址为60de-4476-e360。

      ap auth-mode命令缺省情况下为MAC认证,如果之前没有修改其缺省配置,可以不用执行ap auth-mode mac-auth

      举例中使用的AP为AP5030DN,具有射频0和射频1两个射频。AP5030DN的射频0为2.4GHz射频,射频1为5GHz射频。

      1. [AC] wlan
      2. [AC-wlan-view] ap auth-mode mac-auth
      3. [AC-wlan-view] ap-id 0 ap-mac dcd2-fcf6-76a0
      4. [AC-wlan-ap-0] ap-name ap1
      5. Warning: This operation may cause AP reset. Continue? [Y/N]:y
      6. [AC-wlan-ap-0] ap-group ap-group_ipv4
      7. Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
      8. [AC-wlan-ap-0] quit
      9. [AC-wlan-view] ap-id 1 ap-mac 60de-4476-e360
      10. [AC-wlan-ap-1] ap-name ap2
      11. Warning: This operation may cause AP reset. Continue? [Y/N]:y
      12. [AC-wlan-ap-1] ap-group ap-group_ipv6
      13. Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
      14. [AC-wlan-ap-1] quit

      # 将AP上电后,当执行命令display ap all查看到AP的“State”字段为“nor”时,表示AP正常上线。

      1. [AC-wlan-view] display ap all
      2. Total AP information:
      3. nor : normal [2]
      4. Extrainfo : Extra information
      5. P : insufficient power supply
      6. ----------------------------------------------------------------------------------------------------
      7. ID MAC Name Group IP Type State STA Uptime ExtraInfo
      8. ----------------------------------------------------------------------------------------------------
      9. 0 dcd2-fcf6-76a0 ap1 ap-group_ipv4 10.23.100.138 AP5030DN nor 0 4H:49M:11S P
      10. 1 60de-4476-e360 ap2 ap-group_ipv6 FC01::9 AP5030DN nor 0 6H:3M:40S -
      11. ----------------------------------------------------------------------------------------------------
      12. Total: 2, printed: 2
    5. 配置WLAN业务参数

      # 开启设备处理STA IPv6业务的功能。
      [AC-wlan-view] sta-ipv6-service enable
      # 创建名为“wlan-net”的安全模板,并配置安全策略。

      举例中以配置WPA-WPA2+PSK+AES的安全策略为例,密码为“a1234567”,实际配置中请根据实际情况,配置符合实际要求的安全策略。

      1. [AC-wlan-view] security-profile name wlan-net
      2. [AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
      3. [AC-wlan-sec-prof-wlan-net] quit
      # 创建名为“wlan-net”的SSID模板,并配置SSID名称为“wlan-net”。
      1. [AC-wlan-view] ssid-profile name wlan-net
      2. [AC-wlan-ssid-prof-wlan-net] ssid wlan-net
      3. [AC-wlan-ssid-prof-wlan-net] quit
      # 创建名为“wlan-net”的VAP模板,配置业务数据转发模式、业务VLAN,并且引用安全模板和SSID模板。
      1. [AC-wlan-view] vap-profile name wlan-net
      2. [AC-wlan-vap-prof-wlan-net] forward-mode tunnel
      3. [AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
      4. [AC-wlan-vap-prof-wlan-net] security-profile wlan-net
      5. [AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
      6. [AC-wlan-vap-prof-wlan-net] quit
      # 配置AP组引用VAP模板,AP上射频0和射频1都使用VAP模板“wlan-net”的配置。
      1. [AC-wlan-view] ap-group name ap-group_ipv4
      2. [AC-wlan-ap-group-ap-group_ipv4] vap-profile wlan-net wlan 1 radio 0
      3. [AC-wlan-ap-group-ap-group_ipv4] vap-profile wlan-net wlan 1 radio 1
      4. [AC-wlan-ap-group-ap-group_ipv4] quit
      5. [AC-wlan-view] ap-group name ap-group_ipv6
      6. [AC-wlan-ap-group-ap-group_ipv6] vap-profile wlan-net wlan 1 radio 0
      7. [AC-wlan-ap-group-ap-group_ipv6] vap-profile wlan-net wlan 1 radio 1
      8. [AC-wlan-ap-group-ap-group_ipv6] quit
    6. 验证配置结果

      WLAN业务配置会自动下发给AP,配置完成后,通过执行命令display vap ssid wlan-net查看如下信息,当“Status”项显示为“ON”时,表示AP对应的射频上的VAP已创建成功。

      1. [AC-wlan-view] display vap ssid wlan-net
      2. WID : WLAN ID
      3. -------------------------------------------------------------------------------------
      4. AP ID AP name RfID WID BSSID Status Auth type STA SSID
      5. -------------------------------------------------------------------------------------
      6. 1 ap1 0 1 DCD2-FCF6-76A0 ON WPA/WPA2-PSK 0 wlan-net
      7. 1 ap1 1 1 DCD2-FCF6-76B0 ON WPA/WPA2-PSK 0 wlan-net
      8. 2 ap2 0 1 60DE-4474-E360 ON WPA/WPA2-PSK 0 wlan-net
      9. 2 ap2 1 1 60DE-4474-E370 ON WPA/WPA2-PSK 0 wlan-net
      10. -------------------------------------------------------------------------------------
      11. Total: 4
      STA搜索到名为“wlan-net”的无线网络,输入密码“a1234567”并正常关联后,在AC上执行display station ssid wlan-net命令,可以查看到用户已经接入到无线网络“wlan-net”中。
      1. [AC-wlan-view] display station ssid wlan-net
      2. Rf/WLAN: Radio ID/WLAN ID
      3. Rx/Tx: link receive rate/link transmit rate(Mbps)
      4. ------------------------------------------------------------------------------------------------------------------------------------------------
      5. STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IPv4 address SSID IPv6 address
      6. ------------------------------------------------------------------------------------------------------------------------------------------------
      7. 508f-4cfb-0556 1 ap1 1/1 5G - -/- - 101 10.23.101.164 wlan-net FC02::A48F:A256:29D:8841
      8. c894-bbdc-99ae 2 ap2 1/1 5G - -/- - 101 10.23.101.204 wlan-net FC02::7057:14F:2211:7FA0
      9. ------------------------------------------------------------------------------------------------------------------------------------------------
      10. Total: 2 2.4G: 0 5G: 2
    配置文件
    • SwitchA的配置文件
      1. #
      2. sysname SwitchA
      3. #
      4. vlan batch 100 200
      5. #
      6. interface GigabitEthernet0/0/1
      7. port link-type trunk
      8. port trunk pvid vlan 100
      9. port trunk allow-pass vlan 100
      10. port-isolate enable group 1
      11. #
      12. interface GigabitEthernet0/0/2
      13. port link-type trunk
      14. port trunk pvid vlan 200
      15. port trunk allow-pass vlan 200
      16. port-isolate enable group 1
      17. #
      18. interface GigabitEthernet0/0/3
      19. port link-type trunk
      20. port trunk allow-pass vlan 100 200
      21. #
      22. return
    • Router的配置文件
      1. #
      2. sysname Router
      3. #
      4. ipv6
      5. #
      6. vlan batch 101
      7. #
      8. interface Vlanif101
      9. ipv6 enable
      10. ip address 10.23.101.2 255.255.255.0
      11. ipv6 address FC02::2/64
      12. #
      13. interface GigabitEthernet1/0/0
      14. port link-type trunk
      15. port trunk allow-pass vlan 101
      16. #
      17. return
    • AC的配置文件
      1. #
      2. sysname AC
      3. #
      4. ipv6
      5. #
      6. vlan batch 100 to 101 200
      7. #
      8. dhcp enable
      9. #
      10. dhcpv6 pool ap_pool
      11. address prefix FC01::/64
      12. #
      13. dhcpv6 pool sta_pool
      14. address prefix FC02::/64
      15. #
      16. interface Vlanif100
      17. ip address 10.23.100.1 255.255.255.0
      18. dhcp select interface
      19. #
      20. interface Vlanif101
      21. ipv6 enable
      22. ip address 10.23.101.1 255.255.255.0
      23. ipv6 address FC02::1/64
      24. undo ipv6 nd ra halt
      25. ipv6 nd autoconfig managed-address-flag
      26. ipv6 nd autoconfig other-flag
      27. dhcp select interface
      28. dhcpv6 server sta_pool
      29. dhcp server excluded-ip-address 10.23.101.2
      30. #
      31. interface Vlanif200
      32. ipv6 enable
      33. ipv6 address FC01::1/64
      34. undo ipv6 nd ra halt
      35. ipv6 nd autoconfig managed-address-flag
      36. ipv6 nd autoconfig other-flag
      37. dhcpv6 server ap_pool
      38. #
      39. interface GigabitEthernet0/0/1
      40. port link-type trunk
      41. port trunk allow-pass vlan 100 200
      42. #
      43. interface GigabitEthernet0/0/2
      44. port link-type trunk
      45. port trunk allow-pass vlan 101
      46. #
      47. capwap double-stack enable
      48. capwap source interface vlanif100
      49. capwap source interface vlanif200
      50. #
      51. wlan
      52. sta-ipv6-service enable
      53. security-profile name wlan-net
      54. security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
      55. ssid-profile name wlan-net
      56. ssid wlan-net
      57. vap-profile name wlan-net
      58. forward-mode tunnel
      59. service-vlan vlan-id 101
      60. ssid-profile wlan-net
      61. security-profile wlan-net
      62. regulatory-domain-profile name default
      63. ap-group name ap-group_ipv4
      64. ap ip version ipv4
      65. radio 0
      66. vap-profile wlan-net wlan 1
      67. radio 1
      68. vap-profile wlan-net wlan 1
      69. ap-group name ap-group_ipv6
      70. ap ip version ipv6
      71. radio 0
      72. vap-profile wlan-net wlan 1
      73. radio 1
      74. vap-profile wlan-net wlan 1
      75. ap-id 0 type-id 35 ap-mac dcd2-fcf6-76a0 ap-sn 2102351KDVW0JB015457
      76. ap-name ap1
      77. ap-group ap-group_ipv4
      78. ap-id 1 type-id 35 ap-mac 60de-4476-e360 ap-sn 21500831023GH9001248
      79. ap-name ap2
      80. ap-group ap-group_ipv6
      81. #
      82. return
  • 相关阅读:
    SQL语句如何避免在mysql插入重复数据
    极简opencv操作xml文件
    多进程编程(二):管道
    【AHK】解决WPS2019窗口大小bug\WPS窗口变小立即调整
    分享几种稳定靠谱的副业,从而增加你的额外收入
    ARM Linux DIY(十三)Qt5 移植
    Vue学习—基本语法
    Redis系列——redis启动,客户端day1-2
    增强现实基础介绍
    Go 命名规范:全面指南
  • 原文地址:https://blog.csdn.net/weixin_59383576/article/details/136224587