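Huawei Comprehensive Case: Full Coverage Configuration for a Common WLAN (2)

Networking Diagram

Verifying the Results

Run the display ap all command on AC_1 and AC_2 to check the current AP state. The following output indicates that the AP has gone online successfully.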


[AC_1] display ap all
Total AP information:
nor  : normal          [1]
ExtraInfo : Extra information
P  : insufficient power supply
----------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP              Type            State STA Uptime      ExtraInfo
----------------------------------------------------------------------------------------------------
0    60de-4476-e360 AP_1   wlan_net    10.128.1.254    AP6050DN        nor   0   10S         -
----------------------------------------------------------------------------------------------------
Total: 1


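Run the display hsb-service 0 command on AC_1 and AC_2 to check whether the active/standby service has been established. The Service State field shows Connected, which indicates that the active/standby service channel has been established successfully.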


[AC_1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.1.1.253
  Peer IP Address        : 10.1.1.254
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 5
  Keep Alive Interval    : 3
  Service State          : Connected
  Service Batch Modules  : Access-user
  Shared-key             : -
----------------------------------------------------------
[AC_2] display hsb-service 0 
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.1.1.254
  Peer IP Address        : 10.1.1.253
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 5
  Keep Alive Interval    : 3
  Service State          : Connected
  Service Batch Modules  : Access-user
  Shared-key             : -
----------------------------------------------------------


Run the display hsb-group 0 command on AC_1 and AC_2 to check the running status of the HSB backup group.


[AC_1] display hsb-group 0 
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif800
  Service Index               : 0
  Group Vrrp Status           : Master
  Group Status                : Active
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6805
  Peer Group Software Version : V200R010C00
  Group Backup Modules        : Access-user
                                AP
                                DHCP
----------------------------------------------------------
[AC_2] display hsb-group 0 
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif800
  Service Index               : 0
  Group Vrrp Status           : Backup
  Group Status                : Inactive
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6805
  Peer Group Software Version : V200R010C00
  Group Backup Modules        : Access-user
                                AP
                                DHCP
----------------------------------------------------------
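
The two HSB checks above can be combined into one cross-check over the output of both ACs. The following Python is an added example, not part of the original page or of Huawei's tooling: the function names and the svc()/grp() sample builders are hypothetical, the sample text is constructed from the output shown above, and reading a Shared-key value of "-" as "no key configured" is an assumption.

```python
def parse_display(text):
    """Parse 'Key : value' lines; bare lines extend the previous key's list."""
    fields, last = {}, None
    for line in text.splitlines():
        s = line.strip()
        if not s or set(s) == {"-"} or s.startswith("["):
            continue  # blank lines, rulers and CLI prompts carry no fields
        if ":" in s:
            key, val = (p.strip() for p in s.split(":", 1))
            fields[key], last = ([val] if val else []), key
        elif last:
            fields[last].append(s)  # e.g. the AP / DHCP continuation lines
    return fields

def first(fields, key):
    return (fields.get(key) or ["?"])[0]

def check_pair(svc_a, svc_b, grp_a, grp_b):
    """Return findings for an HSB pair; an empty list means nothing to fix."""
    a, b, ga, gb = (parse_display(t) for t in (svc_a, svc_b, grp_a, grp_b))
    out = []
    for name, f in (("AC_1", a), ("AC_2", b)):
        if first(f, "Service State") != "Connected":
            out.append(f"{name}: HSB Service State is not Connected")
        if first(f, "Shared-key") == "-":  # assumption: '-' means no key set
            out.append(f"{name}: Shared-key is '-'")
    if [first(a, k) for k in ("Local IP Address", "Peer IP Address")] != \
       [first(b, k) for k in ("Peer IP Address", "Local IP Address")]:
        out.append("local/peer addresses are not mirrored")
    roles = sorted((first(g, "Group Vrrp Status"), first(g, "Group Status"))
                   for g in (ga, gb))
    if roles != [("Backup", "Inactive"), ("Master", "Active")]:
        out.append("expected one Master/Active and one Backup/Inactive")
    if ga.get("Group Backup Modules") != gb.get("Group Backup Modules"):
        out.append("backup module lists differ")
    return out

# Constructed sample builders that mimic the layout of the output shown above.
def svc(local, peer, state="Connected"):
    return (f"[AC] display hsb-service 0\n  Local IP Address : {local}\n"
            f"  Peer IP Address : {peer}\n  Service State : {state}\n"
            f"  Shared-key : -\n")

def grp(vrrp, status, modules=("Access-user", "AP", "DHCP")):
    head, *rest = modules
    return (f"  Group Vrrp Status : {vrrp}\n  Group Status : {status}\n"
            f"  Group Backup Modules : {head}\n"
            + "".join(f"        {m}\n" for m in rest))

if __name__ == "__main__":
    print("\n".join(check_pair(
        svc("10.1.1.253", "10.1.1.254"), svc("10.1.1.254", "10.1.1.253"),
        grp("Master", "Active"), grp("Backup", "Inactive"))))
```

With values matching the page's output, the only findings are the two Shared-key lines; every other check passes.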


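Check whether a user can pass authentication through the RADIUS template. (The test user test@huawei.com with the password 123456 has been configured on the RADIUS server.)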


[AC_1] test-aaa test@huawei.com 123456 radius-template radius_huawei 
Info: Account test succeed.
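
  1. After the configuration is complete, users can find the wireless network with the SSID wlan_net on their wireless terminals. After a user associates with the wireless network, the terminal is assigned an IP address. When the user opens a browser on the STA and accesses the Internet, the browser is automatically redirected to the page provided by the Portal server. After the user enters the correct user name (test@huawei.com) and password (123456) on the page and passes authentication, the user can access the Internet.
  2. Users can use the roaming service normally on their mobile phones.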

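Configuration Scripts

Comparison of the configuration files of AC_1 and AC_2 (content in bold is the dual-device backup configuration and wireless configuration synchronization configuration on AC_1 and AC_2; content in italics is the public configuration automatically synchronized from AC_1 to AC_2)

AC_1
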
#
 sysname AC_1
#
radius-server source ip-address 172.16.1.1
#
vrrp recover-delay 60
#
vlan batch 700 to 701 800 810 820
#
authentication-profile name wlan_net_dot1x_auth
 dot1x-access-profile huawei
 authentication-scheme radius_huawei
 accounting-scheme radius_huawei
 radius-server radius_huawei
authentication-profile name wlan_net_portal_auth
 mac-access-profile mac
 portal-access-profile wlan_net
 free-rule-template default_free_rule
 authentication-scheme radius_huawei
 accounting-scheme radius_huawei
 radius-server radius_huawei
#
web-auth-server source-ip 172.16.1.1
#
dhcp enable
#
dhcp snooping enable
#
vlan 700
 description wlan_net
 dhcp snooping enable
vlan 701
 description wlan_net
 dhcp snooping enable
vlan 800
 description AP-management-vlan
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#b@)bNet)(Z)!N9T>p8kM(8w/N&3\>!KKg=DO<!R+%^%#
 radius-server authentication 172.16.1.254 1812 weight 80
 radius-server accounting 172.16.1.254 1813 weight 80
 radius-server timeout 1
radius-server authorization 172.16.1.254 shared-key cipher %^%#M"yY$,}"a8U12iTP4:u6nI-;9G/!eH`FJ:UePsB,%^%# 
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255
#
url-template name huawei
 url http://172.16.1.254:8080/portal
 url-parameter ssid ssid redirect-url url
#
web-auth-server huawei
 server-ip 172.16.1.254
 port 50200
 shared-key cipher %^%#6/j36uiW:M7dx'"L*2M*TN~P7t*K0(w9'=ER4bZ"%^%#
 url-template huawei
#
portal-access-profile name wlan_net
 web-auth-server huawei direct
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme radius_huawei
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif800
 ip address 10.128.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.128.1.1
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
 dhcp select interface
 dhcp server excluded-ip-address 10.128.1.1 10.128.1.3 
#
interface Vlanif810
 ip address 10.1.1.253 255.255.255.252
#
interface Vlanif820
 ip address 172.16.1.2 255.255.255.0
 vrrp vrid 2 virtual-ip 172.16.1.1
 vrrp vrid 2 track admin-vrrp interface Vlanif800 vrid 1 unflowdown
#
interface GigabitEthernet0/0/23
 description Connect to AC_2_0/0/23
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 800 810 820
#
interface GigabitEthernet0/0/24
 description Connect to S12700_A_1/1/0/20
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 700 to 701 800 820
#
capwap source ip-address 10.128.1.1
#
hsb-service 0
 service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif800
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name wlan_net
  user-isolate l2
 security-profile name open
  security open
 security-profile name dot1x
  security wpa2 dot1x aes
 ssid-profile name wlan_net_portal_auth
  ssid wlan_net_portal_auth
 ssid-profile name wlan_net_dot1x_auth
  ssid wlan_net_dot1x_auth
  dot11r enable
 vap-profile name wlan_net_portal_auth
  service-vlan vlan-id 700
  ssid-profile wlan_net_portal_auth
  security-profile open
  traffic-profile wlan_net
  authentication-profile wlan_net_portal_auth
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name wlan_net_dot1x_auth
  service-vlan vlan-id 701
  ssid-profile wlan_net_dot1x_auth
  security-profile dot1x
  traffic-profile wlan_net
  authentication-profile wlan_net_dot1x_auth
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 radio-2g-profile name 2G
 radio-5g-profile name 5G
 port-link-profile name default
 ap-group name wlan_net
  radio 0
   radio-2g-profile 2G
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
  radio 1
   radio-5g-profile 5G
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
  radio 2
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
 ap-id 1 ap-mac 60de-4476-e360
  ap-name AP_1
  ap-group wlan_net
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif800
  master-redundancy peer-ip ip-address 10.1.1.254 local-ip ip-address 10.1.1.253 psk %^%#HdgY%JtWL>H[k@Rs~<-)6,u4A&I1e5mO%jVwv~*N%^%#
#
dot1x-access-profile name huawei
#
mac-access-profile name mac
#
return
AC_2

#
 sysname AC_2
#
radius-server source ip-address 172.16.1.1
#
vrrp recover-delay 60
#
vlan batch 700 to 701 800 810 820
#
authentication-profile name wlan_net_dot1x_auth
 dot1x-access-profile huawei
 authentication-scheme radius_huawei
 accounting-scheme radius_huawei
 radius-server radius_huawei
authentication-profile name wlan_net_portal_auth
 mac-access-profile mac
 portal-access-profile wlan_net
 free-rule-template default_free_rule
 authentication-scheme radius_huawei
 accounting-scheme radius_huawei
 radius-server radius_huawei
#
web-auth-server source-ip 172.16.1.1
#
dhcp enable
#
dhcp snooping enable
#
vlan 700
 description wlan_net
 dhcp snooping enable
vlan 701
 description wlan_net
 dhcp snooping enable
vlan 800
 description AP-management-vlan
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#b@)bNet)(Z)!N9T>p8kM(8w/N&3\>!KKg=DO<!R+%^%#
 radius-server authentication 172.16.1.254 1812 weight 80
 radius-server accounting 172.16.1.254 1813 weight 80
 radius-server timeout 1
radius-server authorization 172.16.1.254 shared-key cipher %^%#M"yY$,}"a8U12iTP4:u6nI-;9G/!eH`FJ:UePsB,%^%# 
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255
#
url-template name huawei
 url http://172.16.1.254:8080/portal
 url-parameter ssid ssid redirect-url url
#
web-auth-server huawei
 server-ip 172.16.1.254
 port 50200
 shared-key cipher %^%#6/j36uiW:M7dx'"L*2M*TN~P7t*K0(w9'=ER4bZ"%^%#
 url-template huawei
#
portal-access-profile name wlan_net
 web-auth-server huawei direct
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme radius_huawei
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif800
 ip address 10.128.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.128.1.1
 admin-vrrp vrid 1


 dhcp select interface
 dhcp server excluded-ip-address 10.128.1.1 10.128.1.3 
#
interface Vlanif810
 ip address 10.1.1.254 255.255.255.252
#
interface Vlanif820
 ip address 172.16.1.3 255.255.255.0
 vrrp vrid 2 virtual-ip 172.16.1.1
 vrrp vrid 2 track admin-vrrp interface Vlanif800 vrid 1 unflowdown
#
interface GigabitEthernet0/0/23
 description Connect to AC_1_0/0/23
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 800 810 820
#
interface GigabitEthernet0/0/24
 description Connect to S12700_B_2/1/0/23
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 700 to 701 800 820
#
capwap source ip-address 10.128.1.1
#
hsb-service 0
 service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif800
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name wlan_net
  user-isolate l2
 security-profile name open
  security open
 security-profile name dot1x
  security wpa2 dot1x aes
 ssid-profile name wlan_net_portal_auth
  ssid wlan_net_portal_auth
 ssid-profile name wlan_net_dot1x_auth
  ssid wlan_net_dot1x_auth
  dot11r enable
 vap-profile name wlan_net_portal_auth
  service-vlan vlan-id 700
  ssid-profile wlan_net_portal_auth
  security-profile open
  traffic-profile wlan_net
  authentication-profile wlan_net_portal_auth
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name wlan_net_dot1x_auth
  service-vlan vlan-id 701
  ssid-profile wlan_net_dot1x_auth
  security-profile dot1x
  traffic-profile wlan_net
  authentication-profile wlan_net_dot1x_auth
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 radio-2g-profile name 2G
 radio-5g-profile name 5G
 port-link-profile name default
 ap-group name wlan_net
  radio 0
   radio-2g-profile 2G
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
  radio 1
   radio-5g-profile 5G
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
  radio 2
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
 ap-id 1 ap-mac 60de-4476-e360
  ap-name AP_1
  ap-group wlan_net
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif800
  master-redundancy peer-ip ip-address 10.1.1.253 local-ip ip-address 10.1.1.254 psk %^%#>j6VS_;z=54_*oRNpd<<'_-8DRj,,Y!T~_,Z$4yI%^%#
#
dot1x-access-profile name huawei
#
mac-access-profile name mac
#
return
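
The comparison of the two AC listings above can be automated so that only unexpected differences are reported. The following Python is an added example, not part of the original page or of Huawei's tooling: the function names are hypothetical, the list of lines allowed to differ per device is an assumption read off the two listings, AC_A is a constructed excerpt of the AC_1 listing, and AC_B is a constructed peer with deliberate drift (it is not the page's AC_2).

```python
import re

# Lines expected to differ per device in this HSB/VRRP pair. The list is an
# assumption read off the two listings above, not a Huawei-defined set.
PER_DEVICE = [r"^sysname ", r"^ip address ", r"^description ",
              r"^vrrp vrid \d+ (priority|preempt-mode) ",
              r"^service-ip-port ", r"^master-redundancy peer-ip "]

def flatten(cfg):
    """Turn an indented VRP config into a set of 'parent > child' paths."""
    paths, stack = set(), []
    for raw in cfg.splitlines():
        text = raw.strip()
        if text == "#":
            stack = []                      # '#' closes the current block
        if text in ("", "#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip())
        stack = [(d, t) for d, t in stack if d < depth] + [(depth, text)]
        paths.add(" > ".join(t for _, t in stack))
    return paths

def drift(cfg_a, cfg_b):
    """Return lines present on only one AC, minus expected per-device ones."""
    a, b = flatten(cfg_a), flatten(cfg_b)
    def unexpected(paths):
        return sorted(p for p in paths if not any(
            re.search(rx, p.split(" > ")[-1]) for rx in PER_DEVICE))
    return {"only_a": unexpected(a - b), "only_b": unexpected(b - a)}

# Constructed samples (see the lead-in): AC_B has drifted in its 802.1X VAP.
AC_A = """#
 sysname AC_1
#
interface Vlanif800
 ip address 10.128.1.2 255.255.255.0
 vrrp vrid 1 priority 120
#
wlan
 vap-profile name wlan_net_dot1x_auth
  security-profile dot1x
  ip source check user-bind enable
"""
AC_B = """#
 sysname AC_2
#
interface Vlanif800
 ip address 10.128.1.3 255.255.255.0
#
wlan
 vap-profile name wlan_net_dot1x_auth
  security-profile open
"""

if __name__ == "__main__":
    for side, lines in drift(AC_A, AC_B).items():
        print(side, *lines, sep="\n  ")
```

The sysname, interface address and VRRP priority differences are suppressed as expected per-device lines, so the report contains only the VAP profile lines that differ between the two controllers.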
Cluster System

#
sysname CSS
#
vlan batch 730 800 820
#
interface Eth-Trunk1                                                                                           
 description Connect to S7700_Eth-Trunk1
 port link-type trunk  
 undo port trunk allow-pass vlan 1  
 port trunk allow-pass vlan 730 800
#
interface GigabitEthernet1/1/0/19
 eth-trunk 1
#
interface GigabitEthernet1/1/0/20
 description Connect to AC_1_0/0/24
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800 820
#
interface GigabitEthernet1/1/0/21
 description Connect to Router_0/0/29
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 820
#
interface GigabitEthernet1/1/1/7
 mad detect mode direct
#
interface GigabitEthernet2/1/0/18
 description Connect to Router_0/0/30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 820
#
interface GigabitEthernet2/1/0/22
 eth-trunk 1
#
interface GigabitEthernet2/1/0/23
 description Connect to AC_2_0/0/24
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800 820
#
interface GigabitEthernet2/1/1/7
  mad detect mode direct
#
return
S7700

#
sysname S7700
#
vlan batch 730 800
#
interface Eth-Trunk1
 description Connect to S12700_Eth-Trunk1                                              
 port link-type trunk                                                            
 undo port trunk allow-pass vlan 1                                               
 port trunk allow-pass vlan 730 800 
#
interface Vlanif730
 ip address 10.173.1.1 255.255.252.0
 dhcp select relay
 dhcp relay server-ip 172.16.1.252
#
interface GigabitEthernet1/0/3
 description Connect to S5700_A_0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800
#
interface GigabitEthernet1/0/17
 eth-trunk 1
#
interface GigabitEthernet2/0/18
 eth-trunk 1
#
return
S5700_A

#
sysname S5700_A
#
vlan batch 730 800
#
traffic classifier huawei
 if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000
#
traffic behavior huawei
 statistic enable
 car cir 100
#
traffic policy huawei
 classifier huawei behavior huawei
#
lldp enable
#
interface GigabitEthernet0/0/1
 description Connect to AP_1
 port link-type trunk
 port trunk pvid vlan 800 
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800
 port-isolate enable group 1 
 stp edged-port enable 
 traffic-policy huawei inbound
 traffic-policy huawei outbound
#
interface GigabitEthernet0/0/2
 description Connect to AP_2
 port link-type trunk
 port trunk pvid vlan 800
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800
 port-isolate enable group 1 
 stp edged-port enable 
 traffic-policy huawei inbound
 traffic-policy huawei outbound
#
interface GigabitEthernet0/0/3
 description Connect to S7700_1/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800
#
return
Copyright © Huawei Technologies Co., Ltd.

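Scenario-Based Recommended Configurations

Traffic Optimization in Large Broadcast Domain Scenarios

In enterprise and campus scenarios, a single large subnet design is commonly used. A single large subnet simplifies VLAN configuration, avoids complicated roaming configuration, and makes fault locating simple. However, a single large subnet uses a large broadcast domain, which causes problems such as large numbers of packets being replicated and sent and excessively high CPU usage.

To support large broadcast domain scenarios, reduce the CPU processing load by converting broadcast packets to unicast, suppressing unknown unicast, and rate-limiting AP multicast packets.

Enable the mDNS unicast reply function. The AC acts as the mDNS gateway and answers mDNS service request packets with unicast replies on behalf of the service, which reduces packet replication on the AC. (Disabled by default; enabling is recommended.)
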
<AC6805> system-view
[AC6805] mdns unicast-reply enable

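Enable IGMP snooping and the function of dropping unknown multicast flows received in a VLAN. When IGMP protocol packets exchanged between hosts and the upstream Layer 3 device pass through a Layer 2 multicast device, IGMP snooping analyzes the information carried in the packets and uses it to create and maintain a Layer 2 multicast forwarding table, which guides on-demand forwarding of multicast data at the data link layer. (Disabled by default; enabling is recommended.)
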
<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] traffic-profile name default
[AC6805-wlan-traffic-prof-default] igmp-snooping enable
[AC6805-wlan-traffic-prof-default] quit
[AC6805-wlan-view] quit
[AC6805] vlan 10 
[AC6805-vlan10] multicast drop-unknown

# Enable conversion of ARP/ND/DHCP packets to unicast. (Enabled by default; enabling is recommended.)

<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] traffic-profile name default
[AC6805-wlan-traffic-prof-default] traffic-optimize bcmc unicast-send arp nd dhcp
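
# Enable ARP/ND/DHCP suppression. When converting an air-interface broadcast or multicast protocol packet to a unicast packet fails, the packet is dropped. (Enabled by default; enabling is recommended.)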

<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] traffic-profile name default
[AC6805-wlan-traffic-prof-default] traffic-optimize bcmc unicast-send mismatch-action drop
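
Traffic Optimization in VR Scenarios

When APs connect to VR devices, packet loss and retransmission greatly affect user experience. Users can set the service guarantee mode to reliability first: while the VR throughput requirement is still met, the air-interface rate is lowered appropriately to reduce the jitter and delay caused by packet loss and retransmission, which improves user experience. Reliability first is recommended for VR gaming scenarios, and performance first is recommended for VR video scenarios.

# Set the service guarantee mode to reliability first. (The default is performance first.)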

<AC6805> system-view 
[AC6805] wlan  
[AC6805-wlan-view] ssid-profile name ssid1 
[AC6805-wlan-ssid-prof-ssid1] service-guarantee reliability-first

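Common Deployment Issues

AP Fails to Go Online

Problem Description

An AP fails to go online.

Possible Causes
  • The PoE parameters on the PoE switch were configured incorrectly at an earlier stage.
  • The link between the AC and the AP is not connected.
  • The network cable was not made properly by the installation personnel.

These causes account for most of the time spent on routine troubleshooting. For more causes and solutions, see "AP Fails to Go Online" in the troubleshooting case collection (故障启示录).

Procedure

The procedure is as follows:

  • Check whether the PoE power supply device meets the PoE power supply standard specified in the AP's Product Description. If it does not, replace it with a PoE power supply device that meets the requirement. For a Huawei PoE switch, run the display poe power command in the system view. The USMPW(mW) value in the command output identifies the supported power supply standard: 15400 indicates that the switch supports IEEE 802.3af, and 30000 indicates that the switch supports IEEE 802.3at.

  • Check whether the AP and the AC can communicate with each other. If they cannot, check whether the related configuration is correct.

  • Try replacing the physical cable connected to the AP.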
