华为综合案例-普通WLAN全覆盖配置(2)
组网图
结果验证
在AC_1和AC_2上执行display ap all命令,检查当前AP的状态,显示以下信息表示AP上线成功。[AC_1] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------------
0 60de-4476-e360 AP_1 wlan_net 10.128.1.254 AP6050DN nor 0 10S -
----------------------------------------------------------------------------------------------------
Total: 1在AC_1和AC_2上执行display hsb-service 0命令,查看主备服务的建立情况,可以看到Service State字段的显示为Connected,说明主备服务通道已经成功建立。[AC_1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------Local IP Address : 10.1.1.253Peer IP Address : 10.1.1.254Source Port : 10241Destination Port : 10241Keep Alive Times : 5Keep Alive Interval : 3Service State : ConnectedService Batch Modules : Access-userShared-key : -
----------------------------------------------------------
[AC_2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------Local IP Address : 10.1.1.254Peer IP Address : 10.1.1.253Source Port : 10241Destination Port : 10241Keep Alive Times : 5Keep Alive Interval : 3Service State : ConnectedService Batch Modules : Access-userShared-key : -
----------------------------------------------------------在AC_1和AC_2上执行display hsb-group 0命令,查看HSB备份组的运行情况。[AC_1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------HSB-group ID : 0Vrrp Group ID : 1Vrrp Interface : Vlanif800Service Index : 0Group Vrrp Status : MasterGroup Status : ActiveGroup Backup Process : RealtimePeer Group Device Name : AC6805Peer Group Software Version : V200R010C00Group Backup Modules : Access-userAPDHCP
----------------------------------------------------------
[AC_2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------HSB-group ID : 0Vrrp Group ID : 1Vrrp Interface : Vlanif800Service Index : 0Group Vrrp Status : BackupGroup Status : InactiveGroup Backup Process : RealtimePeer Group Device Name : AC6805Peer Group Software Version : V200R010C00Group Backup Modules : Access-userAPDHCP
----------------------------------------------------------用户是否能够通过RADIUS模板的认证。(已在RADIUS服务器上配置了测试用户test@huawei.com,用户密码123456)。[AC_1] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.- 完成配置后,用户可通过无线终端搜索到SSID为wlan_net的无线网络,用户关联到无线网络上后,无线终端能够被分配相应的IP地址。STA上打开浏览器访问Internet,自动跳转到Portal服务器提供的页面,在页面上输入正确的用户名(test@huawei.com)和密码(123456),认证通过后可以正常访问Internet。
- 用户使用手机可以正常使用漫游业务。
配置脚本
AC_1和AC_2的配置文件对比(加粗内容为AC_1和AC_2上的双机备份配置和无线配置同步配置,斜体内容为AC_1自动同步到AC_2的公有配置)AC_1AC_2#sysname AC_1
#
radius-server source ip-address 172.16.1.1
#
vrrp recover-delay 60
#
vlan batch 700 to 701 800 810 820
#
authentication-profile name wlan_net_dot1x_authdot1x-access-profile huaweiauthentication-scheme radius_huaweiaccounting-scheme radius_huaweiradius-server radius_huawei
authentication-profile name wlan_net_portal_authmac-access-profile macportal-access-profile wlan_netfree-rule-template default_free_ruleauthentication-scheme radius_huaweiaccounting-scheme radius_huaweiradius-server radius_huawei
#
web-auth-server source-ip 172.16.1.1
#
dhcp enable
#
dhcp snooping enable
#
vlan 700description wlan_netdhcp snooping enable
vlan 701description wlan_netdhcp snooping enable
vlan 800description AP-management-vlan
#
radius-server template radius_huaweiradius-server shared-key cipher %^%#b@)bNet)(Z)!N9T>p8kM(8w/N&3\>!KKg=DO<!R+%^%#radius-server authentication 172.16.1.254 1812 weight 80radius-server accounting 172.16.1.254 1813 weight 80radius-server timeout 1
radius-server authorization 172.16.1.254 shared-key cipher %^%#M"yY$,}"a8U12iTP4:u6nI-;9G/!eH`FJ:UePsB,%^%#
#
free-rule-template name default_free_rulefree-rule 1 destination ip 172.16.1.253 mask 255.255.255.255
#
url-template name huaweiurl http://172.16.1.254:8080/portalurl-parameter ssid ssid redirect-url url
#
web-auth-server huaweiserver-ip 172.16.1.254port 50200shared-key cipher %^%#6/j36uiW:M7dx'"L*2M*TN~P7t*K0(w9'=ER4bZ"%^%#url-template huawei
#
portal-access-profile name wlan_netweb-auth-server huawei direct
#
aaaauthentication-scheme radius_huaweiauthentication-mode radiusaccounting-scheme radius_huaweiaccounting-mode radiusaccounting realtime 15
#
interface Vlanif800ip address 10.128.1.2 255.255.255.0vrrp vrid 1 virtual-ip 10.128.1.1admin-vrrp vrid 1vrrp vrid 1 priority 120vrrp vrid 1 preempt-mode timer delay 1200dhcp select interfacedhcp server excluded-ip-address 10.128.1.1 10.128.1.3
#
interface Vlanif810ip address 10.1.1.253 255.255.255.252
#
interface Vlanif820ip address 172.16.1.2 255.255.255.0vrrp vrid 2 virtual-ip 172.16.1.1vrrp vrid 2 track admin-vrrp interface Vlanif800 vrid 1 unflowdown
#
interface GigabitEthernet0/0/23description Connect to AC_2_0/0/23port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 800 810 820
#
interface GigabitEthernet0/0/24description Connect to S12700_A_1/1/0/20port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 700 to 701 800 820
#
capwap source ip-address 10.128.1.1
#
hsb-service 0service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241
#
hsb-group 0track vrrp vrid 1 interface Vlanif800bind-service 0hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlantraffic-profile name wlan_netuser-isolate l2security-profile name opensecurity opensecurity-profile name dot1xsecurity wpa2 dot1x aesssid-profile name wlan_net_portal_authssid wlan_net_portal_authssid-profile name wlan_net_dot1x_authssid wlan_net_dot1x_authdot11r enablevap-profile name wlan_net_portal_authservice-vlan vlan-id 700ssid-profile wlan_net_portal_authsecurity-profile opentraffic-profile wlan_netauthentication-profile wlan_net_portal_authip source check user-bind enablearp anti-attack check user-bind enablelearn-client-address dhcp-strictvap-profile name wlan_net_dot1x_authservice-vlan vlan-id 701ssid-profile wlan_net_dot1x_authsecurity-profile dot1xtraffic-profile wlan_netauthentication-profile wlan_net_dot1x_authip source check user-bind enablearp anti-attack check user-bind enablelearn-client-address dhcp-strictradio-2g-profile name 2Gradio-5g-profile name 5Gport-link-profile name defaultap-group name wlan_netradio 0radio-2g-profile 2Gvap-profile wlan_net_portal_auth wlan 1vap-profile wlan_net_dot1x_auth wlan 2radio 1radio-5g-profile 5Gvap-profile wlan_net_portal_auth wlan 1vap-profile wlan_net_dot1x_auth wlan 2radio 2vap-profile wlan_net_portal_auth wlan 1vap-profile wlan_net_dot1x_auth wlan 2ap-id 1 ap-mac 60de-4476-e360ap-name AP_1ap-group wlan_netmaster controllermaster-redundancy track-vrrp vrid 1 interface Vlanif800master-redundancy peer-ip ip-address 10.1.1.254 local-ip ip-address 10.1.1.253 psk %^%#HdgY%JtWL>H[k@Rs~<-)6,u4A&I1e5mO%jVwv~*N%^%#
#
dot1x-access-profile name huawei
#
mac-access-profile name mac
#
return
#sysname AC_2
#
radius-server source ip-address 172.16.1.1
#
vrrp recover-delay 60
#
vlan batch 700 to 701 800 810 820
#
authentication-profile name wlan_net_dot1x_authdot1x-access-profile huaweiauthentication-scheme radius_huaweiaccounting-scheme radius_huaweiradius-server radius_huawei
authentication-profile name wlan_net_portal_authmac-access-profile macportal-access-profile wlan_netfree-rule-template default_free_ruleauthentication-scheme radius_huaweiaccounting-scheme radius_huaweiradius-server radius_huawei
#
web-auth-server source-ip 172.16.1.1
#
dhcp enable
#
dhcp snooping enable
#
vlan 700description wlan_netdhcp snooping enable
vlan 701description wlan_netdhcp snooping enable
vlan 800description AP-management-vlan
#
radius-server template radius_huaweiradius-server shared-key cipher %^%#b@)bNet)(Z)!N9T>p8kM(8w/N&3\>!KKg=DO<!R+%^%#radius-server authentication 172.16.1.254 1812 weight 80radius-server accounting 172.16.1.254 1813 weight 80radius-server timeout 1
radius-server authorization 172.16.1.254 shared-key cipher %^%#M"yY$,}"a8U12iTP4:u6nI-;9G/!eH`FJ:UePsB,%^%#
#
free-rule-template name default_free_rulefree-rule 1 destination ip 172.16.1.253 mask 255.255.255.255
#
url-template name huaweiurl http://172.16.1.254:8080/portalurl-parameter ssid ssid redirect-url url
#
web-auth-server huaweiserver-ip 172.16.1.254port 50200shared-key cipher %^%#6/j36uiW:M7dx'"L*2M*TN~P7t*K0(w9'=ER4bZ"%^%#url-template huawei
#
portal-access-profile name wlan_netweb-auth-server huawei direct
#
aaaauthentication-scheme radius_huaweiauthentication-mode radiusaccounting-scheme radius_huaweiaccounting-mode radiusaccounting realtime 15
#
interface Vlanif800ip address 10.128.1.3 255.255.255.0vrrp vrid 1 virtual-ip 10.128.1.1admin-vrrp vrid 1dhcp select interfacedhcp server excluded-ip-address 10.128.1.1 10.128.1.3
#
interface Vlanif810ip address 10.1.1.254 255.255.255.252
#
interface Vlanif820ip address 172.16.1.3 255.255.255.0vrrp vrid 2 virtual-ip 172.16.1.1vrrp vrid 2 track admin-vrrp interface Vlanif800 vrid 1 unflowdown
#
interface GigabitEthernet0/0/23description Connect to AC_1_0/0/23port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 800 810 820
#
interface GigabitEthernet0/0/24description Connect to S12700_B_2/1/0/23port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 700 to 701 800 820
#
capwap source ip-address 10.128.1.1
#
hsb-service 0service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241
#
hsb-group 0track vrrp vrid 1 interface Vlanif800bind-service 0hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlantraffic-profile name wlan_netuser-isolate l2security-profile name opensecurity opensecurity-profile name dot1xsecurity wpa2 dot1x aesssid-profile name wlan_net_portal_authssid wlan_net_portal_authssid-profile name wlan_net_dot1x_authssid wlan_net_dot1x_authdot11r enablevap-profile name wlan_net_portal_authservice-vlan vlan-id 700ssid-profile wlan_net_portal_authsecurity-profile opentraffic-profile wlan_netauthentication-profile wlan_net_portal_authip source check user-bind enablearp anti-attack check user-bind enablelearn-client-address dhcp-strictvap-profile name wlan_net_dot1x_authservice-vlan vlan-id 701ssid-profile wlan_net_dot1x_authsecurity-profile dot1xtraffic-profile wlan_netauthentication-profile wlan_net_dot1x_authip source check user-bind enablearp anti-attack check user-bind enablelearn-client-address dhcp-strictradio-2g-profile name 2Gradio-5g-profile name 5Gport-link-profile name defaultap-group name wlan_netradio 0radio-2g-profile 2Gvap-profile wlan_net_portal_auth wlan 1vap-profile wlan_net_dot1x_auth wlan 2radio 1radio-5g-profile 5Gvap-profile wlan_net_portal_auth wlan 1vap-profile wlan_net_dot1x_auth wlan 2radio 2vap-profile wlan_net_portal_auth wlan 1vap-profile wlan_net_dot1x_auth wlan 2ap-id 1 ap-mac 60de-4476-e360ap-name AP_1ap-group wlan_netmaster controllermaster-redundancy track-vrrp vrid 1 interface Vlanif800master-redundancy peer-ip ip-address 10.1.1.253 local-ip ip-address 10.1.1.254 psk %^%#>j6VS_;z=54_*oRNpd<<'_-8DRj,,Y!T~_,Z$4yI%^%#
#
dot1x-access-profile name huawei
#
mac-access-profile name mac
#
return
集群系统#
sysname CSS
#
vlan batch 730 800 820
#
interface Eth-Trunk1 description Connect to S7700_Eth-Trunk1port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 730 800
#
interface GigabitEthernet1/1/0/19eth-trunk 1
#
interface GigabitEthernet1/1/0/20description Connect to AC_1_0/0/24port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 730 800 820
#
interface GigabitEthernet1/1/0/21description Connect to Router_0/0/29port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 730 820
#
interface GigabitEthernet1/1/1/7mad detect mode direct
#
interface GigabitEthernet2/1/0/18description Connect to Router_0/0/30port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 730 820
#
interface GigabitEthernet2/1/0/22eth-trunk 1
#
interface GigabitEthernet2/1/0/23description Connect to AC_2_0/0/24port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 730 800 820
#
interface GigabitEthernet2/1/1/7mad detect mode direct
#
return
S7700#
sysname S7700
#
vlan batch 730 800
#
interface Eth-Trunk1description Connect to S12700_Eth-Trunk1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 730 800
#
interface Vlanif730ip address 10.173.1.1 255.255.252.0dhcp select relaydhcp relay server-ip 172.16.1.252
#
interface GigabitEthernet1/0/3description Connect to S5700_A_0/0/3port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 730 800
#
interface GigabitEthernet1/0/17eth-trunk 1
#
interface GigabitEthernet2/0/18eth-trunk 1
#
return
S5700_A#
sysname S5700_A
#
vlan batch 730 800
#
traffic classifier huawei
if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000
#
traffic behavior huawei
statistic enable
car cir 100
#
traffic policy huawei
classifier huawei behavior huawei
#
lldp enable
#
interface GigabitEthernet0/0/1description Connect to AP_1port link-type trunkport trunk pvid vlan 800 undo port trunk allow-pass vlan 1port trunk allow-pass vlan 730 800port-isolate enable group 1 stp edged-port enable traffic-policy huawei inboundtraffic-policy huawei outbound
#
interface GigabitEthernet0/0/2description Connect to AP_2port link-type trunkport trunk pvid vlan 800undo port trunk allow-pass vlan 1port trunk allow-pass vlan 730 800port-isolate enable group 1 stp edged-port enable traffic-policy huawei inboundtraffic-policy huawei outbound
#
interface GigabitEthernet0/0/3description Connect to S7700_1/0/3port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 730 800
#
return
父主题: 综合案例-普通WLAN覆盖
版权所有 © 华为技术有限公司
< 上一节下一节 >场景化推荐配置
大广播域场景下的流量优化
在企业与园区场景中,通常采用单个大型子网的设计。单个大型子网简化了VLAN的配置、没有繁杂的漫游配置、故障定位简单。但是,单个大型子网使用大广播域,带来了大量报文复制发送、CPU使用率过高等问题。
通过将广播报文转单播处理、抑制未知单播、对AP多播报文进行限速等方法降低CPU处理量,以支撑大广播域场景。
# 打开mDNS单播应答功能。AC作为mDNS网关,对于mDNS服务请求报文,由AC进行服务单播代答。进而减少AC的复制流程。(缺省关闭,推荐开启)
<AC6805> system-view [AC6805] mdns unicast-reply enable
# 打开IGMP Snooping功能和丢弃VLAN内收到的未知组播流功能。当主机和上游三层设备之间传递的IGMP协议报文通过二层组播设备时,IGMP Snooping分析报文携带的信息,根据这些信息建立和维护二层组播转发表,从而指导组播数据在数据链路层按需转发。(缺省关闭,推荐开启)
<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] traffic-profile name default
[AC6805-wlan-traffic-prof-default] igmp-snooping enable
[AC6805-wlan-traffic-prof-default] quit
[AC6805-wlan-view] quit
[AC6805] vlan 10
[AC6805-vlan10] multicast drop-unknown
# 打开ARP/ND/DHCP报文转单播处理功能。(缺省开启,推荐开启)<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] traffic-profile name default
[AC6805-wlan-traffic-prof-default] traffic-optimize bcmc unicast-send arp nd dhcp
# 打开ARP/ND/DHCP抑制功能。当空口广播或组播协议报文转为单播报文失败时,丢弃这些报文。(缺省开启,推荐开启)<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] traffic-profile name default
[AC6805-wlan-traffic-prof-default] traffic-optimize bcmc unicast-send mismatch-action drop
VR场景下的流量优化
AP对接VR设备场景下,由于丢包重传对用户体验影响较大,用户可将业务保障功能模式设置为可靠性优先,即在满足VR吞吐量要求下,通过空口适当降速,减小丢包、重传引起的抖动、延迟,提升用户体验。建议用户在VR游戏场景下,配置业务保障功能模式为可靠性优先,在VR视频场景下,建议配置为性能优先。# 配置业务保障功能模式为可靠性优先。(缺省为性能优先)<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] ssid-profile name ssid1
[AC6805-wlan-ssid-prof-ssid1] service-guarantee reliability-first
开掘常见问题
AP上线失败
问题描述
AP上线失败。
可能原因
- 前期PoE交换机PoE参数配置错误
- AC和AP间的链路没打通
- 施工人员网线没做好
以上原因占据平时排查工作大部分时间。更多原因和解决处理方法请参考故障启示录中的AP上线失败。
处理过程
处理过程如下:
- 对照AP设备《产品描述》中指定的PoE供电协议标准,检查PoE供电设备是否满足。如果不符,则需要更换为满足要求的PoE供电设备。
对于华为PoE交换机,在系统视图下执行display poe power命令,根据回显信息中的USMPW(mW)值可以确定其供电协议标准:15400表示该交换机支持的PoE供电协议是IEEE 802.3af标准,30000表示该交换机支持的PoE供电协议是IEEE 802.3at标准。
- 检查AP与AC之间网络是否互通。如果不通,请检查对应配置是否正确。
-
尝试更换连接AP的物理线路。