H3C AC+FIT完全设置
路由器: H3C MSR20-20
AC: H3C WX3024E
AP: WA2210-AG
用户采用PON线路,地址动态分配,无固定IP,每月1088元;如果带固定IP,则需要每月7088元。这里采用较经济的方式:每次需要远程管理时,由用户查询ip138得到当前公网IP,再通过该地址远程管理。
MSR上PPPOE拨号,建立2 VLAN,一个给内部使用,一个给访客,用访问列表对2Vlan做隔离。
具体配置如下:
#
firewall enable 必须启用,否则ACL不起作用
#
domain default enable system
#
telnet server enable 也必须开启(远程管理用;telnet为明文传输,经公网管理时账号口令可能被窃听,设备支持时建议改用SSH,并限制可登录的源地址)
#
dar p2p signature-file flash:/p2p_default.mtd
#
port-security enable
#
acl number 3000
rule 0 permit ip source 10.20.0.0 0.0.255.255 内部用VLAN
rule 1 permit ip source 10.30.30.0 0.0.0.255 访客用VLAN
acl number 3002
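rule 0 deny ip source 10.20.0.0 0.0.255.255 destination 10.30.30.0 0.0.0.255 目的是隔离访客与内部网络;注意本规则的源是内部网段(10.20.0.0/16)、目的是访客网段,只匹配内部发往访客方向的报文,访客发往内部的报文(源10.30.30.0/24)不会命中;如要禁止访客主动访问内部网络,还应增加源为10.30.30.0 0.0.0.255、目的为10.20.0.0 0.0.255.255的deny规则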
#
vlan 1
#
vlan 3
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
passWord XXXXXXXXXXXXXXXXX
authorization-attribute level 3
service-type telnet
service-type WEB
local-user XXXXX
password XXXXXXXXXXXXXXXXXXX
authorization-attribute level 3
service-type telnet
service-type web
#
cwmp
undo cwmp enable
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
#
interface Dialer1
nat outbound 3000
link-protocol ppp
ppp chap user ADXXXXXXXX
ppp chap password XXXXXXXXXX
ppp pap local-user adXXXXXX password SIMPLE XXXXXXXXX
ip address ppp-neGotiate
dialer user adXXXXXXX
dialer-group 1
dialer bundle 1
#
interface Ethernet0/0
port link-mode route 内部接口
#
interface Ethernet0/0.20 H3C必须通过子接口的方式创建VLAN
vlan-type dot1q vid 2
ip address 10.20.0.254 255.255.0.0
#
interface Ethernet0/0.30
vlan-type dot1q vid 3
firewall packet-filter 3002 inbound
firewall packet-filter 3002 outbound
ip address 10.30.30.254 255.255.255.0
#
interface Ethernet0/1
port link-mode route
pppoe-client dial-bundle-number 1
#
interface NULL0
#
interface Vlan-interface1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1 静态路由
#
load xml-configuration
#
load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
#
接下来是AC控制器
尽量通过Web界面进行配置,下面只是命令行中显示出来的配置
总体思路,开启2个VLAN的DHCP
#
telnet server enable
#
port-security enable
#
oap management-ip 192.168.0.101 slot 0
#
wlan auto-ap enable 自动AP便于批量上线;AP全部登记完成后建议关闭,以免未登记的AP自动接入AC
#
vlan 1
#
vlan 2
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool poolvlan1 管理vlan
network 192.168.0.0 mask 255.255.255.0
#
dhcp server ip-pool poolvlan2 内部VLAN
network 10.20.0.0 mask 255.255.0.0
gateway-list 10.20.0.254
dns-list 202.96.209.5 8.8.8.8
#
dhcp server ip-pool poolvlan3 访客vlan
network 10.30.30.0 mask 255.255.255.0
gateway-list 10.30.30.254
dns-list 202.96.209.5 8.8.8.8
#
user-group system
group-attribute allow-guest
#
local-user admin
password
authorization-attribute level 3
service-type telnet
service-type web
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
load-balance session 15
#
wlan radio-policy 1025
#
wlan radio-policy 1537
#
wlan radio-policy 1793
#
wlan radio-policy 2049
#
wlan radio-policy 2305
#
wlan service-template 1 crypto
ssid XXXXX
bind WLAN-ESS 0
cipher-suite tkip TKIP已不推荐使用,终端支持时建议改为ccmp(AES)
security-ie rsn
service-template enable
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface2
ip address 10.20.0.250 255.255.0.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
interface WLAN-ESS0
port link-type hybrid
port hybrid vlan 1 to 2 untagged
port hybrid pvid vlan 2
Mac-vlan enable
port-security port-mode psk
port-security tx-key-type 11key
port-security preshared-key pass-phrase
interface WLAN-ESS1
port link-type hybrid
port hybrid vlan 1 untagged
#
wlan ap ap-1 model WA2210-AG id 2
serial-id
radio 1
radio-policy 513
service-template 1 vlan-id 2
radio enable
#
wlan ap ap-10 model WA2210-AG id 9
serial-id 210235A0HTB118000791
radio 1
radio-policy 2305
service-template 1 vlan-id 2
radio enable
#
wlan ap ap-11 model WA2210-AG id 10
serial-id 210235A0HTC118000273
radio 1
radio-policy 2561
service-template 1 vlan-id 2
radio enable
#
wlan ap ap-16 model WA2210-AG id 12
serial-id 210235A0HTB118001313
radio 1
radio-policy 3073
service-template 1 vlan-id 2
radio enable
#
wlan ap auto-ap model WA2210-AG id 5
serial-id auto
radio 1
#
wlan load-balance-group 1 负载均衡
description 26
ap ap-4 radio 1
ap ap-3 radio 1
ap ap-2 radio 1
#
wlan load-balance-group 2
description 27
ap ap-9 radio 1
ap ap-8 radio 1
ap ap-11 radio 1
ap ap-10 radio 1
#
wlan load-balance-group 3
description 28
ap ap-14 radio 1
ap ap-13 radio 1
#
ip route-static 0.0.0.0 0.0.0.0 10.20.0.254
#
dhcp enable
#
arp-snooping enable
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
#
telnet到AC上后,
执行oap connect slot 0可以切换到交换引擎,以下为交换引擎上的配置:
dhcp server ip-pool swpoolvlan3
network 10.30.30.0 mask 255.255.255.0
gateway-list 10.30.30.254
dns-list 202.96.209.5 8.8.8.8
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
#
interface Vlan-interface3
ip address 10.30.30.251 255.255.255.0
#
interface GigabitEthernet1/0/1
poe enable
#
interface GigabitEthernet1/0/2
poe enable
#
interface GigabitEthernet1/0/22 此接口接FAT AP
port access vlan 3
poe enable
#
interface GigabitEthernet1/0/23 此接口为上联接口
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/24
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/29 内部和AC相连的接口,运行所有VLAN
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
interface GigabitEthernet1/0/30
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#