H3C AC+FIT完全设置

发布时间:2019-09-03 09:13:18编辑:auto阅读(2354)

    路由器: H3C MSR20-20 

    AC:  H3C WX3024E

    AP :2210-AG

           用户采用PON线路,动态分配地址,无固定IP,每月1088元;如果带有固定IP,则需要每月7088元。因此采用较经济的动态IP方式:需要远程管理时,先由用户在ip138上查到当前公网IP,再远程登录管理。

          MSR上做PPPoE拨号,建立2个VLAN,一个给内部使用,一个给访客,用访问控制列表(ACL)对这2个VLAN做隔离。

    具体配置如下:

    #
     firewall enable      必须启用,否则ACL不起作用

    #
     domain default enable system
    #
     telnet server enable    也必须开启(本文用telnet做远程管理;telnet以明文传输用户名和口令,经公网管理时更稳妥的做法是改用SSH,并在vty上用ACL限制允许登录的源地址)
    #
     dar p2p signature-file flash:/p2p_default.mtd
    #
     port-security enable
    #
    acl number 3000
     rule 0 permit ip source 10.20.0.0 0.0.255.255       内部用VLAN 
     rule 1 permit ip source 10.30.30.0 0.0.0.255         访客用VLAN
    acl number 3002
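     rule 0 deny ip source 10.20.0.0 0.0.255.255 destination 10.30.30.0 0.0.0.255   隔离访客与内部网络。注意:此规则只匹配 内部→访客 方向(源10.20.0.0/16,目的10.30.30.0/24),即丢弃内部发往访客的报文(含回应报文);访客主动发往内部的报文(源10.30.30.0/24)不匹配此规则,若要一并拦截,需再加一条源、目的对调的规则,例如 rule 1 deny ip source 10.30.30.0 0.0.0.255 destination 10.20.0.0 0.0.255.255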
    #
    vlan 1
    #
    vlan 3
    #
    domain system
     access-limit disable
     state active
     idle-cut disable
     self-service-url disable
    #
    user-group system
     group-attribute allow-guest
    #
    local-user admin
     password XXXXXXXXXXXXXXXXX

     authorization-attribute level 3
     service-type telnet
     service-type web
    local-user XXXXX

     password   XXXXXXXXXXXXXXXXXXX

     authorization-attribute level 3
     service-type telnet
     service-type web
    #
    cwmp
     undo cwmp enable
    #
    interface Aux0
     async mode flow
     link-protocol ppp
    #
    interface Cellular0/0
     async mode protocol
     link-protocol ppp
    #
    interface Dialer1
     nat outbound 3000
     link-protocol ppp
     ppp chap user  ADXXXXXXXX

     ppp chap password  XXXXXXXXXX

     ppp pap local-user adXXXXXX   password SIMPLE  XXXXXXXXX       SIMPLE表示口令以明文形式保存并显示在配置中,备份或发布配置时需先脱敏;也可改用cipher以密文方式保存

     ip address ppp-negotiate
     dialer user adXXXXXXX
     dialer-group 1
     dialer bundle 1
    #
    interface Ethernet0/0
     port link-mode route       内部接口
    #
    interface Ethernet0/0.20           H3C必须通过子接口的方式创建VLAN 
     vlan-type dot1q vid 2
     ip address 10.20.0.254 255.255.0.0
    #
    interface Ethernet0/0.30
     vlan-type dot1q vid 3
     firewall packet-filter 3002 inbound
     firewall packet-filter 3002 outbound
     ip address 10.30.30.254 255.255.255.0
    #
    interface Ethernet0/1
     port link-mode route
     pppoe-client dial-bundle-number 1
    #
    interface NULL0
    #
    interface Vlan-interface1
    #
     ip route-static 0.0.0.0 0.0.0.0 Dialer1       静态路由
    #
     load xml-configuration
    #
     load tr069-configuration
    #
    user-interface tty 12
    user-interface aux 0
    user-interface vty 0 4
     authentication-mode scheme
     user privilege level 3
    #

    接下来是AC控制器

    尽量通过web界面进行配置,下面只是在命令行下显示出来的配置

    总体思路,开启2个VLAN的DHCP

    #
     telnet server enable
    #
     port-security enable
    #
     oap management-ip 192.168.0.101 slot 0
    #
     wlan auto-ap enable       自动AP功能:未预先配置序列号的AP也能注册上线,便于批量部署;AP全部上线后建议关闭(undo wlan auto-ap enable),避免未经登记的AP接入AC
    #
    vlan 1
    #
    vlan 2
    #
    domain system
     access-limit disable
     state active
     idle-cut disable
     self-service-url disable
    #
    dhcp server ip-pool poolvlan1                  管理vlan
     network 192.168.0.0 mask 255.255.255.0
    #
    dhcp server ip-pool poolvlan2          内部VLAN
     network 10.20.0.0 mask 255.255.0.0
     gateway-list 10.20.0.254
     dns-list 202.96.209.5 8.8.8.8
    #
    dhcp server ip-pool poolvlan3       访客vlan
     network 10.30.30.0 mask 255.255.255.0
     gateway-list 10.30.30.254
     dns-list 202.96.209.5 8.8.8.8
    #
    user-group system
     group-attribute allow-guest
    #
    local-user admin
     password 

     authorization-attribute level 3
     service-type telnet
     service-type web
    #
    wlan rrm
     dot11a mandatory-rate 6 12 24
     dot11a supported-rate 9 18 36 48 54
     dot11b mandatory-rate 1 2
     dot11b supported-rate 5.5 11
     dot11g mandatory-rate 1 2 5.5 11
     dot11g supported-rate 6 9 12 18 24 36 48 54
     load-balance session 15
    #
    wlan radio-policy 1025
    #
    wlan radio-policy 1537
    #
    wlan radio-policy 1793
    #
    wlan radio-policy 2049
    #
    wlan radio-policy 2305
    #
    wlan service-template 1 crypto
     ssid   XXXXX

     bind WLAN-ESS 0
     cipher-suite tkip       TKIP属于已被淘汰的加密套件;在security-ie rsn(WPA2)下,如终端支持,建议改用 cipher-suite ccmp(AES)
     security-ie rsn
     service-template enable
    #
    interface Bridge-Aggregation1
     port link-type trunk
     port trunk permit vlan all
    #
    interface NULL0
    #
    interface Vlan-interface1
     ip address 192.168.0.100 255.255.255.0
    #
    interface Vlan-interface2
     ip address 10.20.0.250 255.255.0.0
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk permit vlan all
     port link-aggregation group 1
    #
    interface GigabitEthernet1/0/2
     port link-type trunk
     port trunk permit vlan all
     port link-aggregation group 1
    #
    interface WLAN-ESS0
     port link-type hybrid
     port hybrid vlan 1 to 2 untagged
     port hybrid pvid vlan 2
     mac-vlan enable
     port-security port-mode psk
     port-security tx-key-type 11key
     port-security preshared-key pass-phrase


    interface WLAN-ESS1
     port link-type hybrid
     port hybrid vlan 1 untagged
    #
    wlan ap ap-1 model WA2210-AG id 2
     serial-id 

     radio 1
      radio-policy 513
      service-template 1 vlan-id 2
      radio enable
    #
    wlan ap ap-10 model WA2210-AG id 9
     serial-id 210235A0HTB118000791
     radio 1
      radio-policy 2305
      service-template 1 vlan-id 2
      radio enable
    #
    wlan ap ap-11 model WA2210-AG id 10
     serial-id 210235A0HTC118000273
     radio 1
      radio-policy 2561
      service-template 1 vlan-id 2
      radio enable
    #
    wlan ap ap-16 model WA2210-AG id 12
     serial-id 210235A0HTB118001313
     radio 1
      radio-policy 3073
      service-template 1 vlan-id 2
      radio enable
    #
    wlan ap auto-ap model WA2210-AG id 5
     serial-id auto
     radio 1
    #
    wlan load-balance-group 1     负载均衡
     description 26
     ap ap-4 radio 1
     ap ap-3 radio 1
     ap ap-2 radio 1
    #
    wlan load-balance-group 2
     description 27
     ap ap-9 radio 1
     ap ap-8 radio 1
     ap ap-11 radio 1
     ap ap-10 radio 1
    #
    wlan load-balance-group 3
     description 28
     ap ap-14 radio 1
     ap ap-13 radio 1
    #
     ip route-static 0.0.0.0 0.0.0.0 10.20.0.254
    #
     dhcp enable
    #
     arp-snooping enable
    #
     load xml-configuration
    #
    user-interface con 0
    user-interface vty 0 4
     authentication-mode scheme
     user privilege level 3
    #

    telnet到AC上后

    oap connect slot 0可以切换到交换引擎

    dhcp server ip-pool swpoolvlan3
     network 10.30.30.0 mask 255.255.255.0
     gateway-list 10.30.30.254
     dns-list 202.96.209.5 8.8.8.8
    #

    interface Bridge-Aggregation1
     port link-type trunk
     port trunk permit vlan all
    #

    interface Vlan-interface3
     ip address 10.30.30.251 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     poe enable
    #
    interface GigabitEthernet1/0/2
     poe enable
    #
    interface GigabitEthernet1/0/22         此接口接FAT AP
     port access vlan 3
     poe enable
    #
    interface GigabitEthernet1/0/23        此接口为上联接口
     port link-type trunk
     port trunk permit vlan all
    #
    interface GigabitEthernet1/0/24
     port link-type trunk
     port trunk permit vlan all
    #

    interface GigabitEthernet1/0/29         内部和AC相连的接口,允许所有VLAN通过
     port link-type trunk
     port trunk permit vlan all
     port link-aggregation group 1
    #
    interface GigabitEthernet1/0/30
     port link-type trunk
     port trunk permit vlan all
     port link-aggregation group 1
    #
