当前位置：首页 > news >正文

做注塑机的网站搜外友链平台

news 2025/8/16 21:07:39

做注塑机的网站,搜外友链平台,重庆企业网站建设报价,建设银行网站的机构有哪些配置WLAN AC和AP之间VPN穿越示例组网图形图1 配置WLAN AC和AP之间VPN穿越示例组网图业务需求组网需求数据规划配置思路配置注意事项操作步骤配置文件业务需求企业用户接入WLAN网络，以满足移动办公的最基本需求。且在覆盖区域内移动发生漫游时，不影响…

配置WLAN AC和AP之间VPN穿越示例

组网图形

图1 配置WLAN AC和AP之间VPN穿越示例组网图

业务需求
组网需求
数据规划
配置思路
配置注意事项
操作步骤
配置文件

业务需求

企业用户接入WLAN网络，以满足移动办公的最基本需求。且在覆盖区域内移动发生漫游时，不影响用户的业务使用。

AP位于企业分部，AC位于企业总部，管理员希望所有AP均由AC统一管理，且希望对分支和总部之间相互访问的流量进行安全保护，因此在分支网关和总部网关之间建立一个IPSec隧道来实施安全保护。

组网需求

AC组网方式：AC位于企业总部，AP位于企业分支，在AC和AP间配置IPSec隧道。
DHCP部署方式：Router_1作为DHCP服务器为STA和AP分配IP地址。
业务数据转发方式：直接转发。

数据规划

表1 数据规划表
配置项	数据
AC上WLAN无线业务数据规划
AP管理VLAN	VLAN200
STA业务VLAN	VLAN101
DHCP服务器	Router_1作为AP和STA的DHCP服务器
AP地址池	10.23.100.2～10.23.100.254/24
STA地址池	10.23.101.2～10.23.101.254/24
AC源地址	VLANIF200：10.23.200.1/24
AP组	名称：ap-group1 引用模板：VAP模板wlan-net、域管理模板default
域管理模板	名称：default 国家码：中国
SSID模板	名称：wlan-net SSID名称：wlan-net
安全模板	名称：wlan-net 安全策略：WPA-WPA2+PSK+AES 密码：a1234567
VAP模板	名称：wlan-net 转发模式：直接转发业务VLAN：VLAN 101 引用模板：SSID模板wlan-net、安全模板wlan-net
Router_2上IPSec数据规划
IKE参数	IKE版本：v1 协商模式：主模式对端地址：192.168.1.1 认证方式：预共享密钥预共享密钥：huawei@1234 认证算法：SHA2-256 加密算法：AES-128 DH组编号：group14
IPSec参数	安全协议：ESP ESP协商模式：主模式 ESP认证算法：SHA2-256 ESP加密算法：AES-128 封装模式：隧道模式
IPSec策略	IPSec连接名称：map1 接口名称：gigabitethernet 0/0/1 组网模式：分支站点连接编号：10 ACL编号：3101

配置思路

配置AP、AC和周边网络设备之间实现网络互通。
配置IPSec用于建立IPSec隧道。
1. 配置接口的IP地址和到对端的静态路由，保证两端路由可达。
2. 配置ACL，以定义需要IPSec保护的数据流。
3. 配置IPSec安全提议，定义IPSec的保护方法。
4. 配置IKE对等体，定义对等体间IKE协商时的属性。
5. 配置安全策略，并引用ACL、IPSec安全提议和IKE对等体，确定对何种数据流采取何种保护方法。
6. 在接口上应用安全策略组，使接口具有IPSec的保护功能。
配置AP上线。
1. 创建AP组，用于将需要进行相同配置的AP都加入到AP组，实现统一配置。
2. 配置AC的系统参数，包括国家码、AC与AP之间通信的源接口。
3. 配置AP上线的认证方式并离线导入AP，实现AP正常上线。
配置WLAN业务参数，实现STA访问WLAN网络功能。

配置注意事项

纯组播报文由于协议要求在无线空口没有ACK机制保障，且无线空口链路不稳定，为了纯组播报文能够稳定发送，通常会以低速报文形式发送。如果网络侧有大量异常组播流量涌入，则会造成无线空口拥堵。为了减小大量低速组播报文对无线网络造成的冲击，建议配置组播报文抑制功能。配置前请确认是否有组播业务，如果有，请谨慎配置限速值。
- 业务数据转发方式采用直接转发时，建议在直连AP的交换机接口上配置组播报文抑制。
- 业务数据转发方式采用隧道转发时，建议在AC的流量模板下配置组播报文抑制。
建议在与AP直连的设备接口上配置端口隔离，如果不配置端口隔离，尤其是业务数据转发方式采用直接转发时，可能会在VLAN内形成大量不必要的广播报文，导致网络阻塞，影响用户体验。
隧道转发模式下，管理VLAN和业务VLAN不能配置为同一VLAN，且AP和AC之间只能放通管理VLAN，不能放通业务VLAN。
V200R021C00版本开始，配置CAPWAP源接口或源地址时，会检查和安全相关的配置是否已存在，包括DTLS加密的PSK、AC间DTLS加密的PSK、登录AP的用户名和密码、全局离线管理VAP的登录密码，均已存在才能成功配置，否则会提示用户先完成相关的配置。
V200R021C00版本开始，AC默认开启CAPWAP控制隧道的DTLS加密功能。开启该功能，添加AP时AP会上线失败，此时需要先开启CAPWAP DTLS不认证方式（capwap dtls no-auth enable）让AP上线，以便AP获取安全凭证，AP上线后应及时关闭该功能（undo capwap dtls no-auth enable），避免未授权AP上线。

操作步骤

配置周边设备

# 配置Switch的GE0/0/1、GE0/0/2加入VLAN100、VLAN101，GE0/0/1的缺省VLAN为VLAN100。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><HUAWEI> <strong id="ZH-CN_TASK_0176912374__b214275661190921">system-view</strong>
[HUAWEI] <strong id="ZH-CN_TASK_0176912374__b1865000890190921">sysname Switch</strong>
[Switch] <strong id="ZH-CN_TASK_0176912374__b821356064190921">vlan batch 100 101</strong>
[Switch] <strong id="ZH-CN_TASK_0176912374__b806518261190921">interface gigabitethernet 0/0/1</strong>
[Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b985873023190921">port link-type trunk</strong>
[Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b402237438190921">port trunk pvid vlan 100</strong>
[Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b2016261018190921">port trunk allow-pass vlan 100 101</strong>
[Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b290287582190921">port-isolate enable</strong>
[Switch-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1989272359190921">quit</strong>
[Switch] <strong id="ZH-CN_TASK_0176912374__b1623215900190921">interface gigabitethernet 0/0/2</strong>
[Switch-GigabitEthernet0/0/2] <strong id="ZH-CN_TASK_0176912374__b239660969190921">port link-type trunk</strong>
[Switch-GigabitEthernet0/0/2] <strong id="ZH-CN_TASK_0176912374__b1500702096190921">port trunk allow-pass vlan 100 101</strong>
[Switch-GigabitEthernet0/0/2] <strong id="ZH-CN_TASK_0176912374__b1646779978190921">quit</strong></span></span></span>

# 配置Router_1的GE1/0/0加入VLAN100和VLAN101，假设接口GE0/0/1对端的Internet IP地址为192.168.1.2/24，在接口GE0/0/1上配置IP地址192.168.1.1/24。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><Huawei> <strong id="ZH-CN_TASK_0176912374__b1318968140190921">system-view</strong>
[Huawei] <strong id="ZH-CN_TASK_0176912374__b836839358190921">sysname Router_1</strong>
[Router_1] <strong id="ZH-CN_TASK_0176912374__b1561381150190921">vlan batch 100 101</strong>
[Router_1] <strong id="ZH-CN_TASK_0176912374__b1964950768190921">interface gigabitethernet 1/0/0</strong>
[Router_1-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b326456138190921">port link-type trunk</strong>
[Router_1-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b721632309190921">port trunk allow-pass vlan 100 101</strong>
[Router_1-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b747948746190921">quit</strong>
[Router_1] <strong id="ZH-CN_TASK_0176912374__b443887167190921">interface gigabitethernet 0/0/1</strong>
[Router_1-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1802330456190921">ip address 192.168.1.1 255.255.255.0</strong>
[Router_1-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1949488140190921">quit</strong></span></span></span>

# 配置Router_1上的缺省路由，下一跳地址为192.168.1.2。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b775225273190921">ip route-static 0.0.0.0 0.0.0.0 192.168.1.2</strong></span></span></span>

# 配置Router_2的GE1/0/0加入VLAN200，并创建VLANIF200接口地址为10.23.200.2/24，假设接口GE0/0/1对端的Internet IP地址为192.168.2.2/24，在接口GE0/0/1上配置IP地址192.168.2.1/24。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><Huawei> <strong id="ZH-CN_TASK_0176912374__b916736472190921">system-view</strong>
[Huawei] <strong id="ZH-CN_TASK_0176912374__b630282277190921">sysname Router_2</strong>
[Router_2] <strong id="ZH-CN_TASK_0176912374__b2118286847190921">vlan batch 200</strong>
[Router_2] <strong id="ZH-CN_TASK_0176912374__b1135881526190921">interface gigabitethernet 1/0/0</strong>
[Router_2-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b920445876190921">port link-type trunk</strong>
[Router_2-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b1499093054190921">port trunk allow-pass vlan 200</strong>
[Router_2-GigabitEthernet1/0/0] <strong id="ZH-CN_TASK_0176912374__b146042512190921">quit</strong>
[Router_2] <strong id="ZH-CN_TASK_0176912374__b717113523190921">interface gigabitethernet 0/0/1</strong>
[Router_2-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1281683461190921">ip address 192.168.2.1 255.255.255.0</strong>
[Router_2-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1075782585190921">quit</strong>
[Router_2] <strong id="ZH-CN_TASK_0176912374__b1612181943190921">interface vlanif 200</strong>
[Router_2-Vlanif200] <strong id="ZH-CN_TASK_0176912374__b1025487207190921">ip address 10.23.200.2 24</strong>
[Router_2-Vlanif200] <strong id="ZH-CN_TASK_0176912374__b970919734190921">quit</strong></span></span></span>

# 配置Router_2到AP侧的静态路由，下一跳地址为192.168.2.2。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b2032648930190921">ip route-static 10.23.100.0 255.255.255.0 192.168.2.2</strong>
[Router_2] <strong id="ZH-CN_TASK_0176912374__b1421719087190921">ip route-static192.168.1.0 255.255.255.0 192.168.2.2
</strong></span></span></span>

配置AC与其它网络设备互通

# 配置AC的接口GE0/0/1加入VLAN200，创建接口VLANIF200并配置IP地址10.23.200.1/24。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><AC> <strong>system-view</strong>
[AC] <strong>sysname AC</strong>
[AC] <strong>vlan batch 101 200</strong>
[AC] <strong>interface gigabitethernet 0/0/1</strong>
[AC-GigabitEthernet0/0/1] <strong>port link-type trunk</strong>
[AC-GigabitEthernet0/0/1] <strong>port trunk allow-pass vlan 200</strong>
[AC-GigabitEthernet0/0/1] <strong>quit</strong>
[AC] <strong>interface vlanif 200</strong>
[AC-Vlanif200] <strong>ip address 10.23.200.1 24</strong>
[AC-Vlanif200] <strong>quit</strong></span></span></span>

# 配置AC到AP侧的静态路由，下一跳地址为10.23.200.2。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC] <strong>ip route-static 10.23.100.0 255.255.255.0 10.23.200.2</strong></span></span></span>

配置DHCP服务器为STA和AP分配IP地址

# 在Router_1上配置DHCP服务器，为AP和STA分配IP地址。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b278967097190921">dhcp enable</strong>
[Router_1] <strong id="ZH-CN_TASK_0176912374__b452041200190921">interface vlanif 100</strong>
[Router_1-Vlanif100] <strong id="ZH-CN_TASK_0176912374__b1227135408190921">ip address 10.23.100.1 255.255.255.0</strong>
[Router_1-Vlanif100] <strong id="ZH-CN_TASK_0176912374__b727510669190921">dhcp select global</strong>
[Router_1-Vlanif100] <strong id="ZH-CN_TASK_0176912374__b966516186190921">quit</strong>
[Router_1] <strong id="ZH-CN_TASK_0176912374__b277550800190921">ip pool ap</strong>
[Router_1-ip-pool-ap] <strong id="ZH-CN_TASK_0176912374__b1416242333190921">gateway-list 10.23.100.1</strong>
[Router_1-ip-pool-ap] <strong id="ZH-CN_TASK_0176912374__b714490441190921">network 10.23.100.0 mask 24</strong>
[Router_1-ip-pool-ap] <strong id="ZH-CN_TASK_0176912374__b1883507180190921">option 43 sub-option 3 ascii 10.23.200.1</strong>
[Router_1-ip-pool-ap] <strong id="ZH-CN_TASK_0176912374__b1289689437190921">quit</strong>
[Router_1] <strong id="ZH-CN_TASK_0176912374__b1236770207190921">interface vlanif 101</strong>
[Router_1-Vlanif101] <strong id="ZH-CN_TASK_0176912374__b1592258061190921">ip address 10.23.101.1 255.255.255.0</strong>
[Router_1-Vlanif101] <strong id="ZH-CN_TASK_0176912374__b428517198190921">dhcp select interface</strong>
[Router_1-Vlanif101] <strong id="ZH-CN_TASK_0176912374__b989781329190921">quit</strong></span></span></span>

DNS服务器地址请根据实际需要配置。常用配置方法如下：

接口地址池场景，需要在VLANIF接口视图下执行命令dhcp server dns-list ip-address &<1-8>。
全局地址池场景，需要在IP地址池视图下执行命令dns-list ip-address &<1-8>。

配置ACL，定义需要IPSec隧道保护的数据流

# 在Router_2上配置ACL，定义由总部AC（10.23.200.0/24）去分支AP（10.23.100.0/24）的数据流。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b397033507190921">acl number 3101</strong>
[Router_2-acl-adv-3101] <strong id="ZH-CN_TASK_0176912374__b2102298401190921">rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255</strong>
[Router_2-acl-adv-3101] <strong id="ZH-CN_TASK_0176912374__b1369467853190921">quit</strong></span></span></span>

# 在Router_1上配置ACL，定义由分支AP（10.23.100.0/24）去总部AC（10.23.200.0/24）的数据流。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b1708015814190921">acl number 3101</strong>
[Router_1-acl-adv-3101] <strong id="ZH-CN_TASK_0176912374__b969979589190921">rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255</strong>
[Router_1-acl-adv-3101] <strong id="ZH-CN_TASK_0176912374__b1866057864190921">quit</strong></span></span></span>

配置IPSec

分别在Router_2和Router_1上创建IPSec安全提议

# 在Router_2上配置IPSec安全提议。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b583791630190921">ipsec proposal tran1</strong>
[Router_2-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b1462250876190921">esp authentication-algorithm sha2-256</strong>
[Router_2-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b622661980190921">esp encryption-algorithm aes-128</strong>
[Router_2-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b35427758190921">quit</strong></span></span></span>

# 在Router_1上配置IPSec安全提议。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b139819425190921">ipsec proposal tran1</strong>
[Router_1-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b1452234278190921">esp authentication-algorithm sha2-256</strong>
[Router_1-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b1140016291190921">esp encryption-algorithm aes-128</strong>
[Router_1-ipsec-proposal-tran1] <strong id="ZH-CN_TASK_0176912374__b1865393971190921">quit</strong></span></span></span>

分别在Router_2和Router_1上配置IKE对等体

# 在Router_2上配置IKE安全提议。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b1606178070190921">ike proposal 5</strong>
[Router_2-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b182421504190921">authentication-algorithm sha2-256 </strong>
[Router_2-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b655460419190921">encryption-algorithm aes-128</strong>
[Router_2-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b181648080190921">dh group14</strong>
[Router_2-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b31158208190921">quit</strong></span></span></span>

# 在Router_2上配置IKE对等体，并根据默认配置，配置预共享密钥和对端ID。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b1870718951190921">ike peer spub</strong>
[Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1517647258190921">undo version 2 </strong>
[Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b772017619190921">ike-proposal 5</strong>
[Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1599311400190921">pre-shared-key cipher huawei@1234</strong>
[Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1475728565190921">remote-address 192.168.1.1</strong>
[Router_2-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1780777266190921">quit</strong></span></span></span>

# 在Router_1上配置IKE安全提议。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b418590325190921">ike proposal 5</strong>
[Router_1-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b836119906190921">authentication-algorithm sha2-256 </strong>
[Router_1-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b2076210588190921">encryption-algorithm aes-128</strong>
[Router_1-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b623799734190921">dh group14</strong>
[Router_1-ike-proposal-5] <strong id="ZH-CN_TASK_0176912374__b2135127076190921">quit</strong></span></span></span>

# 在Router_1上配置IKE对等体，并根据默认配置，配置预共享密钥和对端ID。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b575600183190921">ike peer spua</strong>
[Router_1-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1570315392190921">undo version 2</strong>
[Router_1-ike-peer-spub] <strong id="ZH-CN_TASK_0176912374__b1546145067190921">ike-proposal 5</strong>
[Router_1-ike-peer-spua] <strong id="ZH-CN_TASK_0176912374__b1096926564190921">pre-shared-key cipher huawei@1234</strong>
[Router_1-ike-peer-spua] <strong id="ZH-CN_TASK_0176912374__b1751295969190921">remote-address 192.168.2.1</strong>
[Router_1-ike-peer-spua] <strong id="ZH-CN_TASK_0176912374__b1965179299190921">quit</strong></span></span></span>

分别在Router_2和Router_1上创建安全策略

# 在Router_2上配置IKE动态协商方式安全策略。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b786818396190921">ipsec policy map1 10 isakmp</strong>
[Router_2-ipsec-policy-isakmp-map1-10] <strong id="ZH-CN_TASK_0176912374__b1328345859190921">ike-peer spub</strong>
[Router_2-ipsec-policy-isakmp-map1-10] <strong id="ZH-CN_TASK_0176912374__b1666733307190921">proposal tran1</strong>
[Router_2-ipsec-policy-isakmp-map1-10] <strong id="ZH-CN_TASK_0176912374__b964066032190921">security acl 3101</strong>
[Router_2-ipsec-policy-isakmp-map1-10] <strong id="ZH-CN_TASK_0176912374__b1560463008190921">quit</strong></span></span></span>

# 在Router_1上配置IKE动态协商方式安全策略。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b1131217806190921">ipsec policy use1 10 isakmp</strong>
[Router_1-ipsec-policy-isakmp-use1-10] <strong id="ZH-CN_TASK_0176912374__b1665134320190921">ike-peer spua</strong>
[Router_1-ipsec-policy-isakmp-use1-10] <strong id="ZH-CN_TASK_0176912374__b776546322190921">proposal tran1</strong>
[Router_1-ipsec-policy-isakmp-use1-10] <strong id="ZH-CN_TASK_0176912374__b1791383655190921">security acl 3101</strong>
[Router_1-ipsec-policy-isakmp-use1-10] <strong id="ZH-CN_TASK_0176912374__b1742019934190921">quit</strong></span></span></span>

分别在Router_2和Router_1的接口上应用各自的安全策略组，使接口具有IPSec的保护功能

# 在Router_2的接口上引用安全策略组。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_2] <strong id="ZH-CN_TASK_0176912374__b839559069190921">interface gigabitethernet 0/0/1</strong>
[Router_2-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1789942937190921">ipsec policy map1</strong>
[Router_2-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1337042778190921">quit</strong></span></span></span>

# 在Router_1的接口上引用安全策略组。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[Router_1] <strong id="ZH-CN_TASK_0176912374__b758835624190921">interface gigabitethernet 0/0/1</strong>
[Router_1-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b355599860190921">ipsec policy use1</strong>
[Router_1-GigabitEthernet0/0/1] <strong id="ZH-CN_TASK_0176912374__b1691806318190921">quit</strong></span></span></span>

配置AP上线

# 创建AP组，用于将相同配置的AP都加入同一AP组中。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1451837292190921">wlan</strong>
[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1710308668190921">ap-group name ap-group1</strong>
[AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b294415960190921">quit</strong></span></span></span>

# 创建域管理模板，在域管理模板下配置AC的国家码并在AP组下引用域管理模板。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1815954045190921">regulatory-domain-profile name default</strong>
[AC-wlan-regulate-domain-default] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1765454957190921">country-code cn</strong>
[AC-wlan-regulate-domain-default] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b464951690190921">quit</strong>
[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1132959133190921">ap-group name ap-group1</strong>
[AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b4510754102210">regulatory-domain-profile default</strong>
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_zh-cn_task_0175818418_b17491131153716">y</strong>  
[AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b101836067190921">quit</strong>
[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b465166413190921">quit</strong></span></span></span>

# 配置AC的源接口。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912370_b2076192014190921">capwap source interface vlanif 200</strong></span></span></span>

# 在AC上离线导入AP，并将AP加入AP组“ap-group1”中。假设AP的MAC地址为60de-4476-e360，并且根据AP的部署位置为AP配置名称，便于从名称上就能够了解AP的部署位置。例如MAC地址为60de-4476-e360的AP部署在1号区域，命名此AP为area_1。

ap auth-mode命令缺省情况下为MAC认证，如果之前没有修改其缺省配置，可以不用执行ap auth-mode mac-auth。

举例中使用的AP为AP5030DN，具有射频0和射频1两个射频。AP5030DN的射频0为2.4GHz射频，射频1为5GHz射频。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b763711121190921">wlan</strong>
[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1389711844190921">ap auth-mode mac-auth</strong>
[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1382708357190921">ap-id 0 ap-mac 60de-4476-e360</strong>
[AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1272920990190921">ap-name area_1</strong>
Warning: This operation may cause AP reset. Continue? [Y/N]:<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_zh-cn_task_0175818418_b460951517190906">y</strong>  
[AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b614746147190921">ap-group ap-group1</strong>
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_zh-cn_task_0175818418_b1651706244190906">y</strong>  
[AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b959850628190921">quit</strong></span></span></span>

# 将AP上电后，当执行命令display ap all查看到AP的“State”字段为“nor”时，表示AP正常上线。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b482061123190921">display ap all</strong>
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1</span></span></span>

配置WLAN业务参数

# 创建名为“wlan-net”的安全模板，并配置安全策略。

举例中以配置WPA-WPA2+PSK+AES的安全策略为例，密码为“a1234567”，实际配置中请根据实际情况，配置符合实际要求的安全策略。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1991067776190921">security-profile name wlan-net</strong>
[AC-wlan-sec-prof-wlan-net] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b851752672190921">security wpa-wpa2 psk pass-phrase a1234567 aes</strong>
[AC-wlan-sec-prof-wlan-net] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b337241812190921">quit</strong></span></span></span>

# 创建名为“wlan-net”的SSID模板，并配置SSID名称为“wlan-net”。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b69022931190921">ssid-profile name wlan-net</strong>
[AC-wlan-ssid-prof-wlan-net] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b36723145190921">ssid wlan-net</strong>
[AC-wlan-ssid-prof-wlan-net] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1738903244190921">quit</strong></span></span></span>

# 创建名为“wlan-net”的VAP模板，配置业务数据转发模式、业务VLAN，并且引用安全模板和SSID模板。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong>vap-profile name wlan-net</strong>
[AC-wlan-net-prof-wlan-net] <strong><strong>forward-mode direct-forward</strong></strong>
[AC-wlan-net-prof-wlan-net] <strong><strong>service-vlan vlan-id 101</strong></strong>
[AC-wlan-net-prof-wlan-net] <strong>security-profile wlan-net</strong>
[AC-wlan-net-prof-wlan-net] <strong>ssid-profile wlan-net</strong>
[AC-wlan-net-prof-wlan-net] <strong>quit</strong></span></span></span>

# 配置AP组引用VAP模板，AP上射频0和射频1都使用VAP模板“wlan-net”的配置。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b2051092768190921">ap-group name ap-group1</strong>
[AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1753511747190921">vap-profile wlan-net wlan 1 radio 0</strong>
[AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1212706755190921">vap-profile wlan-net wlan 1 radio 1</strong>
[AC-wlan-ap-group-ap-group1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b729861449190921">quit</strong></span></span></span>

配置AP射频的信道和功率

射频的信道和功率自动调优功能默认开启，如果不关闭此功能则会导致手动配置不生效。举例中AP射频的信道和功率仅为示例，实际配置中请根据AP的国家码和网规结果进行配置。

# 关闭AP射频0的信道和功率自动调优功能，并配置AP射频0的信道和功率。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1423607009190921">ap-id 0</strong>
[AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1534489953190921">radio 0</strong>
[AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b733594144190921">calibrate auto-channel-select disable</strong>
[AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1154293079190921">calibrate auto-txpower-select disable</strong>
[AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1858200296190921">channel 20mhz 6</strong>
Warning: This action may cause service interruption. Continue?[Y/N]<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_zh-cn_task_0175818418_b1384307436190906">y</strong> 
[AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b554899294190921">eirp 127</strong>
[AC-wlan-radio-0/0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1779547689190921">quit</strong></span></span></span>

# 关闭AP射频1的信道和功率自动调优功能，并配置AP射频1的信道和功率。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b33229250190921">radio 1</strong>
[AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b327597144190921">calibrate auto-channel-select disable</strong>
[AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1164564697190921">calibrate auto-txpower-select disable</strong>
[AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b201103780190921">channel 20mhz 149</strong>
Warning: This action may cause service interruption. Continue?[Y/N]<strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_zh-cn_task_0175818418_b1384307436190906_1">y</strong> 
[AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b652286665190921">eirp 127</strong>
[AC-wlan-radio-0/1] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b1440636620190921">quit</strong>
[AC-wlan-ap-0] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912356_b904227301190921">quit</strong></span></span></span>

检查配置结果

WLAN业务配置会自动下发给AP，配置完成后，通过执行命令display vap ssid wlan-net查看如下信息，当“Status”项显示为“ON”时，表示AP对应的射频上的VAP已创建成功。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b367333496190921">display vap ssid wlan-net</strong>
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID   BSSID          Status  Auth type     STA   SSID
--------------------------------------------------------------------------------
0     area_1  0    1     60DE-4476-E360 <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1874482883190921">ON</strong>      WPA/WPA2-PSK  0     wlan-net
0     area_1  1    1     60DE-4476-E370 <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1628414885190921">ON</strong>      WPA/WPA2-PSK  0     wlan-net
-------------------------------------------------------------------------------
Total: 2</span></span></span>

STA搜索到名为“wlan-net”的无线网络，输入密码“a1234567”并正常关联后，在AC上执行display station ssid wlan-net命令，可以查看到用户已经接入到无线网络“wlan-net”中。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">[AC-wlan-view] <strong id="ZH-CN_TASK_0176912374__zh-cn_task_0176912351_b1120837202190921">display station ssid wlan-net</strong>
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID Ap name   Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1    1/1      5G    11n   46/59      -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1</span></span></span>

# 配置成功后，在AC执行ping操作仍然可以ping通AP，它们之间的数据传输将被加密，执行命令display ipsec statistics可以查看数据包的统计信息。

# 在Router_2上执行display ike sa操作，结果如下。

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd"><Router_2> <strong>display ike sa</strong>Conn-ID      Peer           VPN    Flag(s)     Phase---------------------------------------------------------16          192.168.1.1  0       RD|ST      v1:214          192.168.1.1  0       RD|ST      v1:1Number of SA entries  : 2Number of SA entries of all cpu : 2 Flag Description:           RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUTHRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UPM--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING  </span></span></span>

配置文件

AC的配置文件

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">#sysname AC
#
vlan batch 101 200
#
interface Vlanif200ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1port link-type trunk port trunk allow-pass vlan 200
#ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
#
capwap source interface vlanif200
#
wlansecurity-profile name wlan-netsecurity wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aesssid-profile name wlan-netssid wlan-netvap-profile name wlan-netservice-vlan vlan-id 101ssid-profile wlan-netsecurity-profile wlan-netregulatory-domain-profile name defaultap-group name ap-group1radio 0vap-profile wlan-net wlan 1radio 1vap-profile wlan-net wlan 1ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042ap-name area_1ap-group ap-group1radio 0channel 20mhz 6eirp 127calibrate auto-channel-select disable calibrate auto-txpower-select disableradio 1channel 20mhz 149eirp 127calibrate auto-channel-select disable calibrate auto-txpower-select disable
#
return</span></span></span>

Router_1的配置文件

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">#sysname Router_1
#
vlan batch 100 to 101
#
dhcp enable
#
acl number 3101rule 5 permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
#
ipsec proposal tran1esp authentication-algorithm sha2-256esp encryption-algorithm aes-128
#
ike proposal 5encryption-algorithm aes-128dh group14authentication-algorithm sha2-256authentication-method pre-shareintegrity-algorithm hmac-sha2-256prf hmac-sha2-256
#
ike peer spuaundo version 2pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@ike-proposal 5remote-address 192.168.2.1
#
ipsec policy use1 10 isakmpsecurity acl 3101ike-peer spuaproposal tran1
#
ip pool apgateway-list 10.23.100.1network 10.23.100.0 mask 255.255.255.0option 43 sub-option 3 ascii 10.23.200.1
#
interface Vlanif100ip address 10.23.100.1 255.255.255.0dhcp select global
#
interface Vlanif101ip address 10.23.101.1 255.255.255.0dhcp select interface
#
interface GigabitEthernet0/0/1ip address 192.168.1.1 255.255.255.0ipsec policy use1
#
interface GigabitEthernet1/0/0port link-type trunk port trunk allow-pass vlan 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.2
#
return</span></span></span>

Router_2的配置文件

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">#sysname Router_2
#
vlan batch 200
#
acl number 3101rule 5 permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
#
ipsec proposal tran1esp authentication-algorithm sha2-256   esp encryption-algorithm aes-128
#
ike proposal 5encryption-algorithm aes-128dh group14authentication-algorithm sha2-256authentication-method pre-shareintegrity-algorithm hmac-sha2-256prf hmac-sha2-256
#
ike peer spub v1undo version 2pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@ike-proposal 5remote-address 192.168.1.1
#
ipsec policy map1 10 isakmpsecurity acl 3101ike-peer spubproposal tran1
#
interface Vlanif200ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1ip address 192.168.2.1 255.255.255.0ipsec policy map1
#
interface GigabitEthernet1/0/0port link-type trunk port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 192.168.2.2
ip route-static 192.168.1.0 255.255.255.0 192.168.2.2
#
return</span></span></span>

Switch的配置文件

<span style="color:#333333"><span style="background-color:#ffffff"><span style="background-color:#dddddd">#sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1port link-type trunkport trunk pvid vlan 100port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 100 to 101
#
return</span></span></span>

查看全文

http://www.yidumall.com/news/100401.html