华为中小型企业网络建设

摘要

本文围绕某中小型企业网络拓扑，系统整合多技术栈实现了端到端部署：利用MSTP规划SW1与SW2间的链路冗余与VLAN流量负载；采用VRRP为各业务VLAN提供网关冗余，确保接入层交换机及终端网络的连续性；通过DHCP为有线终端与AP自动分配对应VLAN的IP地址；部署AC+AP实现无线终端的统一接入与管理；基于OSPF完成AR1、FW1与核心设备间的动态路由学习；最后在FW1配置NAT及安全策略，实现内网终端安全访问公网。全方案覆盖网络互联、冗余、无线、路由及安全等维度，全面适配中小型企业对高可用、易管理、高安全的组网需求。

网络拓扑图

有问题私信看主页

配置步骤

核心交换机SW1配置步骤

<SW1>system-view

$SW1$ sysname SW1 //设置设备名称为SW1

$SW1$ vlan batch 10 20 30 40 50 100 to 101 200 //批量创建VLAN

$SW1$ stp instance 1 root primary //设置为实例1的主根桥

$SW1$ stp instance 2 root secondary //设置为实例2的备份根桥

$SW1$ dhcp enable //启用DHCP服务

$SW1$ stp region-configuration //进入MSTP区域配置

$SW1-mst-region$ region-name huawei //设置区域名称为huawei

$SW1-mst-region$ instance 1 vlan 10 20 //实例1映射VLAN 10,20

$SW1-mst-region$ instance 2 vlan 30 40 //实例2映射VLAN 30,40

$SW1-mst-region$ active region-configuration //激活区域配置

$SW1-mst-region$ quit //退出区域配置

//VLAN接口配置

$SW1$ interface Vlanif10 //进入VLAN 10接口

$SW1-Vlanif10$ ip address 192.168.10.1 255.255.255.0 //配置IP地址

$SW1-Vlanif10$ vrrp vrid 10 virtual-ip 192.168.10.254 //配置VRRP虚拟网关

$SW1-Vlanif10$ vrrp vrid 10 priority 120 //设置VRRP优先级为120

$SW1-Vlanif10$ dhcp select relay //启用DHCP中继

$SW1-Vlanif10$ dhcp relay server-ip 10.1.1.2 //指定DHCP服务器

$SW1-Vlanif10$ quit

$SW1$ interface Vlanif20 //进入VLAN 20接口

$SW1-Vlanif20$ ip address 192.168.20.1 255.255.255.0

$SW1-Vlanif20$ vrrp vrid 20 virtual-ip 192.168.20.254

$SW1-Vlanif20$ vrrp vrid 20 priority 120

$SW1-Vlanif20$ dhcp select relay

$SW1-Vlanif20$ dhcp relay server-ip 10.1.1.2

$SW1-Vlanif20$ quit

$SW1$ interface Vlanif30 //进入VLAN 30接口

$SW1-Vlanif30$ ip address 192.168.30.1 255.255.255.0

$SW1-Vlanif30$ vrrp vrid 30 virtual-ip 192.168.30.254

$SW1-Vlanif30$ dhcp select relay

$SW1-Vlanif30$ dhcp relay server-ip 10.1.1.2

$SW1-Vlanif30$ quit

$SW1$ interface Vlanif40 //进入VLAN 40接口

$SW1-Vlanif40$ ip address 192.168.40.1 255.255.255.0

$SW1-Vlanif40$ vrrp vrid 40 virtual-ip 192.168.40.254

$SW1-Vlanif40$ dhcp select relay

$SW1-Vlanif40$ dhcp relay server-ip 10.1.1.2

$SW1-Vlanif40$ qui

//互联接口配置

$SW1$ interface Vlanif100 //进入VLAN 100接口

$SW1-Vlanif100$ ip address 10.1.1.1 255.255.255.252 //配置互联IP

$SW1-Vlanif100$ quit

$SW1$ interface Vlanif101 //进入VLAN 101接口

$SW1-Vlanif101$ ip address 10.1.1.9 255.255.255.252 //配置互联IP

$SW1-Vlanif101$ quit

$SW1$ interface Vlanif200 //进入VLAN 200接口

$SW1-Vlanif200$ ip address 192.168.200.1 255.255.255.0 //管理VLAN

$SW1-Vlanif200$ dhcp select relay

$SW1-Vlanif200$ dhcp relay server-ip 10.1.1.2

$SW1-Vlanif200$ quit

//链路聚合配置

$SW1$ interface Eth-Trunk1 //进入Eth-Trunk1

$SW1-Eth-Trunk1$ port link-type trunk //设置为Trunk类型

$SW1-Eth-Trunk1$ port trunk allow-pass vlan 10 20 30 40 100 to 101 200 //允许VLAN通过

$SW1-Eth-Trunk1$ mode lacp-static //设置LACP静态模式

$SW1-Eth-Trunk1$ quit

//物理端口配置

$SW1$ interface GigabitEthernet0/0/1 //进入GE0/0/1

$SW1-GigabitEthernet0/0/1$ port link-type trunk

$SW1-GigabitEthernet0/0/1$ port trunk allow-pass vlan 10 20 30 40 200

$SW1-GigabitEthernet0/0/1$ quit

$SW1$ interface GigabitEthernet0/0/2 //进入GE0/0/2

$SW1-GigabitEthernet0/0/2$ port link-type trunk

$SW1-GigabitEthernet0/0/2$ port trunk allow-pass vlan 10 20 30 40 200

$SW1-GigabitEthernet0/0/2$ quit

$SW1$ interface GigabitEthernet0/0/3 //进入GE0/0/3

$SW1-GigabitEthernet0/0/3$ port link-type trunk

$SW1-GigabitEthernet0/0/3$ port trunk allow-pass vlan 10 20 30 40 200

$SW1-GigabitEthernet0/0/3$ quit

$SW1$ interface GigabitEthernet0/0/4 //进入GE0/0/4

$SW1-GigabitEthernet0/0/4$ port link-type trunk

$SW1-GigabitEthernet0/0/4$ port trunk allow-pass vlan 10 20 30 40 200

$SW1-GigabitEthernet0/0/4$ quit

$SW1$ interface GigabitEthernet0/0/5 //进入GE0/0/5

$SW1-GigabitEthernet0/0/5$ port link-type access //设置为Access类型

$SW1-GigabitEthernet0/0/5$ port default vlan 100 //默认VLAN 100

$SW1-GigabitEthernet0/0/5$ quit

$SW1$ interface GigabitEthernet0/0/6 //进入GE0/0/6

$SW1-GigabitEthernet0/0/6$ eth-trunk 1 //加入Eth-Trunk1聚合组

$SW1-GigabitEthernet0/0/6$ quit

$SW1$ interface GigabitEthernet0/0/7 //进入GE0/0/7

$SW1-GigabitEthernet0/0/7$ eth-trunk 1 //加入Eth-Trunk1聚合组

$SW1-GigabitEthernet0/0/7$ quit

$SW1$ interface GigabitEthernet0/0/8 //进入GE0/0/8

$SW1-GigabitEthernet0/0/8$ port link-type trunk

$SW1-GigabitEthernet0/0/8$ port trunk allow-pass vlan 10 20 30 40 200

$SW1-GigabitEthernet0/0/8$ quit

$SW1$ interface GigabitEthernet0/0/9 //进入GE0/0/9

$SW1-GigabitEthernet0/0/9$ port link-type access //设置为Access类型

$SW1-GigabitEthernet0/0/9$ port default vlan 101 //默认VLAN 101

$SW1-GigabitEthernet0/0/9$ quit

//OSPF路由配置

$SW1$ ospf 1 //启动OSPF进程1

$SW1-ospf-1$ area 0.0.0.0 //进入骨干区域0

$SW1-ospf-1-area-0.0.0.0$ network 10.1.1.0 0.0.0.3 //宣告互联网络

$SW1-ospf-1-area-0.0.0.0$ network 10.1.1.8 0.0.0.3 //宣告互联网络

$SW1-ospf-1-area-0.0.0.0$ area 0.0.0.1 //进入区域1

$SW1-ospf-1-area-0.0.0.1$ network 192.168.30.0 0.0.0.255 //宣告VLAN网络

$SW1-ospf-1-area-0.0.0.1$ network 192.168.20.0 0.0.0.255

$SW1-ospf-1-area-0.0.0.1$ network 192.168.200.0 0.0.0.255

$SW1-ospf-1-area-0.0.0.1$ network 192.168.10.0 0.0.0.255

$SW1-ospf-1-area-0.0.0.1$ network 192.168.40.0 0.0.0.255

核心交换机SW2配置步骤

<SW2>system-view

$SW2$ sysname SW2 //设置设备名称为SW2

$SW2$ vlan batch 10 20 30 40 50 100 to 101 //批量创建VLAN

$SW2$ stp instance 1 root secondary //设置为实例1的备份根桥

$SW2$ stp instance 2 root primary //设置为实例2的主根桥

$SW2$ dhcp enable //启用DHCP服务

$SW2$ stp region-configuration //进入MSTP区域配置

$SW2-mst-region$ region-name huawei //设置区域名称为huawei

$SW2-mst-region$ instance 1 vlan 10 20 //实例1映射VLAN 10,20

$SW2-mst-region$ instance 2 vlan 30 40 //实例2映射VLAN 30,40

$SW2-mst-region$ active region-configuration //激活区域配置

$SW2-mst-region$ quit //退出区域配置

//VLAN接口配置

$SW2$ interface Vlanif10 //进入VLAN 10接口

$SW2-Vlanif10$ ip address 192.168.10.2 255.255.254.0 //配置IP地址(/23掩码)

$SW2-Vlanif10$ vrrp vrid 10 virtual-ip 192.168.10.254 //配置VRRP虚拟网关

$SW2-Vlanif10$ dhcp select relay //启用DHCP中继

$SW2-Vlanif10$ dhcp relay server-ip 10.1.1.6 //指定DHCP服务器

$SW2-Vlanif10$ quit

$SW2$ interface Vlanif20 //进入VLAN 20接口

$SW2-Vlanif20$ ip address 192.168.20.2 255.255.255.0

$SW2-Vlanif20$ vrrp vrid 20 virtual-ip 192.168.20.254

$SW2-Vlanif20$ dhcp select relay

$SW2-Vlanif20$ dhcp relay server-ip 10.1.10.9 //主DHCP服务器

$SW2-Vlanif20$ dhcp relay server-ip 10.1.1.6 //备用DHCP服务器

$SW2-Vlanif20$ quit

$SW2$ interface Vlanif30 //进入VLAN 30接口

$SW2-Vlanif30$ ip address 192.168.30.2 255.255.255.0

$SW2-Vlanif30$ vrrp vrid 30 virtual-ip 192.168.30.254

$SW2-Vlanif30$ vrrp vrid 30 priority 120 //设置VRRP优先级为120

$SW2-Vlanif30$ dhcp select relay

$SW2-Vlanif30$ dhcp relay server-ip 10.1.1.6

$SW2-Vlanif30$ quit

$SW2$ interface Vlanif40 //进入VLAN 40接口

$SW2-Vlanif40$ ip address 192.168.40.2 255.255.254.0 //配置IP地址(/23掩码)

$SW2-Vlanif40$ vrrp vrid 40 virtual-ip 192.168.40.254

$SW2-Vlanif40$ vrrp vrid 40 priority 120 //设置VRRP优先级为120

$SW2-Vlanif40$ dhcp select relay

$SW2-Vlanif40$ dhcp relay server-ip 10.1.1.6

$SW2-Vlanif40$ quit

//互联接口配置

$SW2$ interface Vlanif100 //进入VLAN 100接口

$SW2-Vlanif100$ ip address 10.1.1.5 255.255.255.252 //配置互联IP

$SW2-Vlanif100$ quit

$SW2$ interface Vlanif101 //进入VLAN 101接口

$SW2-Vlanif101$ ip address 10.1.1.14 255.255.255.252 //配置互联IP

$SW2-Vlanif101$ quit

//链路聚合配置

$SW2$ interface Eth-Trunk1 //进入Eth-Trunk1

$SW2-Eth-Trunk1$ port link-type trunk //设置为Trunk类型

$SW2-Eth-Trunk1$ port trunk allow-pass vlan 10 20 30 40 50 102 107 //允许VLAN通过

$SW2-Eth-Trunk1$ mode lacp-static //设置LACP静态模式

$SW2-Eth-Trunk1$ quit

//物理端口配置

$SW2$ interface GigabitEthernet0/0/1 //进入GE0/0/1

$SW2-GigabitEthernet0/0/1$ port link-type trunk

$SW2-GigabitEthernet0/0/1$ port trunk allow-pass vlan 10 20 30 40 200

$SW2-GigabitEthernet0/0/1$ quit

$SW2$ interface GigabitEthernet0/0/2 //进入GE0/0/2

$SW2-GigabitEthernet0/0/2$ port link-type trunk

$SW2-GigabitEthernet0/0/2$ port trunk allow-pass vlan 10 20 30 40 200

$SW2-GigabitEthernet0/0/2$ quit

$SW2$ interface GigabitEthernet0/0/3 //进入GE0/0/3

$SW2-GigabitEthernet0/0/3$ port link-type trunk

$SW2-GigabitEthernet0/0/3$ port trunk allow-pass vlan 10 20 30 40 200

$SW2-GigabitEthernet0/0/3$ quit

$SW2$ interface GigabitEthernet0/0/4 //进入GE0/0/4

$SW2-GigabitEthernet0/0/4$ port link-type trunk

$SW2-GigabitEthernet0/0/4$ port trunk allow-pass vlan 10 20 30 40 200

$SW2-GigabitEthernet0/0/4$ quit

$SW2$ interface GigabitEthernet0/0/5 //进入GE0/0/5

$SW2-GigabitEthernet0/0/5$ port link-type access //设置为Access类型

$SW2-GigabitEthernet0/0/5$ port default vlan 100 //默认VLAN 100

$SW2-GigabitEthernet0/0/5$ quit

$SW2$ interface GigabitEthernet0/0/6 //进入GE0/0/6

$SW2-GigabitEthernet0/0/6$ eth-trunk 1 //加入Eth-Trunk1聚合组

$SW2-GigabitEthernet0/0/6$ quit

$SW2$ interface GigabitEthernet0/0/7 //进入GE0/0/7

$SW2-GigabitEthernet0/0/7$ eth-trunk 1 //加入Eth-Trunk1聚合组

$SW2-GigabitEthernet0/0/7$ quit

$SW2$ interface GigabitEthernet0/0/8 //进入GE0/0/8

$SW2-GigabitEthernet0/0/8$ quit //端口未配置

$SW2$ interface GigabitEthernet0/0/9 //进入GE0/0/9

$SW2-GigabitEthernet0/0/9$ port link-type access //设置为Access类型

$SW2-GigabitEthernet0/0/9$ port default vlan 101 //默认VLAN 101

$SW2-GigabitEthernet0/0/9$ quit

//OSPF路由配置

$SW2$ ospf 1 //启动OSPF进程1

$SW2-ospf-1$ area 0.0.0.0 //进入骨干区域0

$SW2-ospf-1-area-0.0.0.0$ network 10.1.1.12 0.0.0.3 //宣告互联网络

$SW2-ospf-1-area-0.0.0.0$ network 10.1.1.4 0.0.0.3 //宣告互联网络

$SW2-ospf-1-area-0.0.0.0$ area 0.0.0.1 //进入区域1

$SW2-ospf-1-area-0.0.0.1$ network 192.168.30.0 0.0.0.255 //宣告VLAN网络

$SW2-ospf-1-area-0.0.0.1$ network 192.168.20.0 0.0.0.255

$SW2-ospf-1-area-0.0.0.1$ network 192.168.10.0 0.0.0.255

$SW2-ospf-1-area-0.0.0.1$ network 192.168.40.0 0.0.0.255

防火墙FW1配置步骤

<Fw1>system-view

$Fw1$ sysname Fw1 //设置设备名称为Fw1

$Fw1$ interface GigabitEthernet0/0/0 //进入GE0/0/0接口

$Fw1-GigabitEthernet0/0/0$ undo shutdown //启用接口

$Fw1-GigabitEthernet0/0/0$ ip address 10.1.1.10 255.255.255.252 //配置IP地址

$Fw1-GigabitEthernet0/0/0$ service-manage ping permit //允许ping管理

$Fw1-GigabitEthernet0/0/0$ quit

$Fw1$ interface GigabitEthernet1/0/0 //进入GE1/0/0接口

$Fw1-GigabitEthernet1/0/0$ undo shutdown //启用接口

$Fw1-GigabitEthernet1/0/0$ ip address 10.1.1.13 255.255.255.252 //配置IP地址

$Fw1-GigabitEthernet1/0/0$ service-manage ping permit //允许ping管理

$Fw1-GigabitEthernet1/0/0$ quit

$Fw1$ interface GigabitEthernet1/0/1 //进入GE1/0/1接口

$Fw1-GigabitEthernet1/0/1$ undo shutdown //启用接口

$Fw1-GigabitEthernet1/0/1$ ip address 100.1.1.1 255.255.255.252 //配置公网IP地址

$Fw1-GigabitEthernet1/0/1$ service-manage ping permit //允许ping管理

$Fw1-GigabitEthernet1/0/1$ quit

//安全区域配置

$Fw1$ firewall zone trust //进入信任区域

$Fw1-zone-trust$ set priority 85 //设置优先级为85

$Fw1-zone-trust$ add interface GigabitEthernet0/0/0 //添加GE0/0/0接口到信任区域

$Fw1-zone-trust$ add interface GigabitEthernet1/0/0 //添加GE1/0/0接口到信任区域

$Fw1-zone-trust$ quit

$Fw1$ firewall zone untrust //进入非信任区域

$Fw1-zone-untrust$ set priority 5 //设置优先级为5

$Fw1-zone-untrust$ add interface GigabitEthernet1/0/1 //添加GE1/0/1接口到非信任区域

$Fw1-zone-untrust$ quit

$Fw1$ firewall zone dmz //进入DMZ区域

$Fw1-zone-dmz$ set priority 50 //设置优先级为50

$Fw1-zone-dmz$ quit

//OSPF路由配置

$Fw1$ ospf 1 //启动OSPF进程1

$Fw1-ospf-1$ default-route-advertise //向OSPF区域通告默认路由

$Fw1-ospf-1$ area 0.0.0.0 //进入骨干区域0

$Fw1-ospf-1-area-0.0.0.0$ network 10.1.1.8 0.0.0.3 //宣告互联网络

$Fw1-ospf-1-area-0.0.0.0$ network 10.1.1.12 0.0.0.3 //宣告互联网络

$Fw1-ospf-1-area-0.0.0.0$ quit

$Fw1-ospf-1$ quit

$Fw1$ ip route-static 0.0.0.0 0.0.0.0 100.1.1.2 //配置默认路由指向互联网

//安全策略配置

$Fw1$ security-policy //进入安全策略视图

$Fw1-policy-security$ rule name qwe //创建名为qwe的安全规则

$Fw1-policy-security-rule-qwe$ source-zone trust //设置源安全区域为trust

$Fw1-policy-security-rule-qwe$ destination-zone untrust //设置目的安全区域为untrust

$Fw1-policy-security-rule-qwe$ action permit //设置动作为允许

$Fw1-policy-security-rule-qwe$ quit

$Fw1-policy-security$ quit

//NAT策略配置

$Fw1$ nat-policy //进入NAT策略视图

$Fw1-policy-nat$ rule name nat //创建名为nat的NAT规则

$Fw1-policy-nat-rule-nat$ source-zone trust //设置源区域为trust

$Fw1-policy-nat-rule-nat$ destination-zone untrust //设置目的区域为untrust

$Fw1-policy-nat-rule-nat$ source-address 192.168.10.0 mask 255.255.255.0 //设置源地址

$Fw1-policy-nat-rule-nat$ source-address 192.168.20.0 mask 255.255.255.0 //设置源地址

$Fw1-policy-nat-rule-nat$ source-address 192.168.30.0 mask 255.255.255.0 //设置源地址

$Fw1-policy-nat-rule-nat$ source-address 192.168.40.0 mask 255.255.255.0 //设置源地址

$Fw1-policy-nat-rule-nat$ action source-nat easy-ip //配置源NAT使用Easy IP方式

路由器AR1配置步骤

<R1>system-view

$R1$ sysname R1 //设置设备名称为R1

$R1$ vlan batch 10 100 //批量创建VLAN 10,100

$R1$ dhcp enable //启用DHCP服务

//DHCP地址池配置

$R1$ ip pool vlan10 //创建VLAN10的DHCP地址池

$R1-ip-pool-vlan10$ gateway-list 192.168.10.254 //设置网关为VRRP虚拟IP

$R1-ip-pool-vlan10$ network 192.168.10.0 mask 255.255.255.0 //设置地址池网段

$R1-ip-pool-vlan10$ dns-list 192.168.50.2 //设置DNS服务器

$R1-ip-pool-vlan10$ quit

$R1$ ip pool vlan20 //创建VLAN20的DHCP地址池

$R1-ip-pool-vlan20$ gateway-list 192.168.20.254 //设置网关为VRRP虚拟IP

$R1-ip-pool-vlan20$ network 192.168.20.0 mask 255.255.255.0 //设置地址池网段

$R1-ip-pool-vlan20$ dns-list 192.168.50.2 //设置DNS服务器

$R1-ip-pool-vlan20$ quit

$R1$ ip pool vlan30 //创建VLAN30的DHCP地址池

$R1-ip-pool-vlan30$ gateway-list 192.168.30.254 //设置网关为VRRP虚拟IP

$R1-ip-pool-vlan30$ network 192.168.30.0 mask 255.255.255.0 //设置地址池网段

$R1-ip-pool-vlan30$ dns-list 192.168.50.2 //设置DNS服务器

$R1-ip-pool-vlan30$ quit

$R1$ ip pool vlan40 //创建VLAN40的DHCP地址池

$R1-ip-pool-vlan40$ gateway-list 192.168.40.254 //设置网关为VRRP虚拟IP

$R1-ip-pool-vlan40$ network 192.168.40.0 mask 255.255.255.0 //设置地址池网段

$R1-ip-pool-vlan40$ dns-list 192.168.50.2 //设置DNS服务器

$R1-ip-pool-vlan40$ quit

$R1$ ip pool vlan200 //创建VLAN200的DHCP地址池

$R1-ip-pool-vlan200$ gateway-list 192.168.200.1 //设置网关为接口IP

$R1-ip-pool-vlan200$ network 192.168.200.0 mask 255.255.255.0 //设置地址池网段

$R1-ip-pool-vlan200$ option 43 sub-option 3 ascii 192.168.200.100 //设置DHCP选项43，用于AP发现AC

$R1-ip-pool-vlan200$ quit

//接口配置

$R1$ interface GigabitEthernet0/0/0 //进入GE0/0/0接口

$R1-GigabitEthernet0/0/0$ ip address 10.1.1.2 255.255.255.252 //配置互联IP地址

$R1-GigabitEthernet0/0/0$ dhcp select global //在该接口启用DHCP全局地址池

$R1-GigabitEthernet0/0/0$ quit

$R1$ interface GigabitEthernet0/0/1 //进入GE0/0/1接口

$R1-GigabitEthernet0/0/1$ ip address 10.1.1.6 255.255.255.252 //配置互联IP地址

$R1-GigabitEthernet0/0/1$ dhcp select global //在该接口启用DHCP全局地址池

$R1-GigabitEthernet0/0/1$ quit

//OSPF路由配置

$R1$ ospf 1 //启动OSPF进程1

$R1-ospf-1$ area 0.0.0.0 //进入骨干区域0

$R1-ospf-1-area-0.0.0.0$ network 10.1.1.0 0.0.0.3 //宣告互联网络10.1.1.0/30

$R1-ospf-1-area-0.0.0.0$ network 10.1.1.4 0.0.0.3 //宣告互联网络10.1.1.4/30

无线AC1配置步骤

<AC1>system-view

$AC1$ sysname AC1 //设置设备名称为AC1

$AC1$ vlan batch 10 20 30 40 200 //批量创建VLAN 10,20,30,40,200

$AC1$ interface Vlanif200 //进入VLAN 200虚拟接口

$AC1-Vlanif200$ ip address 192.168.200.100 255.255.255.0 //配置管理IP地址

$AC1-Vlanif200$ quit

$AC1$ interface GigabitEthernet0/0/1 //进入GE0/0/1接口

$AC1-GigabitEthernet0/0/1$ port link-type trunk //设置端口类型为Trunk

$AC1-GigabitEthernet0/0/1$ port trunk allow-pass vlan 10 20 30 40 200 //允许VLAN通过

$AC1-GigabitEthernet0/0/1$ quit

$AC1$ capwap source interface vlanif200 //设置CAPWAP源接口为Vlanif200

//WLAN无线配置

$AC1$ wlan //进入WLAN配置模式

$AC1-wlan-view$ security-profile name sec-wpa2 //创建安全配置文件sec-wpa2

$AC1-wlan-sec-prof-sec-wpa2$ security wpa-wpa2 psk pass-phrase 12345678 aes //配置WPA2-PSK加密

$AC1-wlan-sec-prof-sec-wpa2$ quit

$AC1-wlan-view$ ssid-profile name ssid //创建SSID配置文件ssid

$AC1-wlan-ssid-prof-ssid$ ssid HHHH //设置SSID名称为HHHH

$AC1-wlan-ssid-prof-ssid$ quit

//VAP配置文件配置

$AC1-wlan-view$ vap-profile name vap-ap1 //创建AP1的VAP配置文件

$AC1-wlan-vap-prof-vap-ap1$ forward-mode tunnel //设置转发模式为隧道模式

$AC1-wlan-vap-prof-vap-ap1$ service-vlan vlan-id 10 //设置业务VLAN为10

$AC1-wlan-vap-prof-vap-ap1$ ssid-profile ssid //绑定SSID配置文件

$AC1-wlan-vap-prof-vap-ap1$ security-profile sec-wpa2 //绑定安全配置文件

$AC1-wlan-vap-prof-vap-ap1$ quit

$AC1-wlan-view$ vap-profile name vap-ap2 //创建AP2的VAP配置文件

$AC1-wlan-vap-prof-vap-ap2$ forward-mode tunnel //设置转发模式为隧道模式

$AC1-wlan-vap-prof-vap-ap2$ service-vlan vlan-id 20 //设置业务VLAN为20

$AC1-wlan-vap-prof-vap-ap2$ ssid-profile ssid //绑定SSID配置文件

$AC1-wlan-vap-prof-vap-ap2$ security-profile sec-wpa2 //绑定安全配置文件

$AC1-wlan-vap-prof-vap-ap2$ quit

$AC1-wlan-view$ vap-profile name vap-ap3 //创建AP3的VAP配置文件

$AC1-wlan-vap-prof-vap-ap3$ forward-mode tunnel //设置转发模式为隧道模式

$AC1-wlan-vap-prof-vap-ap3$ service-vlan vlan-id 30 //设置业务VLAN为30

$AC1-wlan-vap-prof-vap-ap3$ ssid-profile ssid //绑定SSID配置文件

$AC1-wlan-vap-prof-vap-ap3$ security-profile sec-wpa2 //绑定安全配置文件

$AC1-wlan-vap-prof-vap-ap3$ quit

$AC1-wlan-view$ vap-profile name vap-ap4 //创建AP4的VAP配置文件

$AC1-wlan-vap-prof-vap-ap4$ forward-mode tunnel //设置转发模式为隧道模式

$AC1-wlan-vap-prof-vap-ap4$ service-vlan vlan-id 40 //设置业务VLAN为40

$AC1-wlan-vap-prof-vap-ap4$ ssid-profile ssid //绑定SSID配置文件

$AC1-wlan-vap-prof-vap-ap4$ security-profile sec-wpa2 //绑定安全配置文件

$AC1-wlan-vap-prof-vap-ap4$ quit

//AP组配置

$AC1-wlan-view$ ap-group name ap1-group //创建AP组ap1-group

$AC1-wlan-ap-group-ap1-group$ radio 0 //进入radio 0配置

$AC1-wlan-ap-group-ap1-group-radio-0$ vap-profile vap-ap1 wlan 1 //绑定VAP配置文件到WLAN 1

$AC1-wlan-ap-group-ap1-group-radio-0$ quit

$AC1-wlan-ap-group-ap1-group$ quit

$AC1-wlan-view$ ap-group name ap2-group //创建AP组ap2-group

$AC1-wlan-ap-group-ap2-group$ radio 0 //进入radio 0配置

$AC1-wlan-ap-group-ap2-group-radio-0$ vap-profile vap-ap2 wlan 1 //绑定VAP配置文件

$AC1-wlan-ap-group-ap2-group-radio-0$ quit

$AC1-wlan-ap-group-ap2-group$ quit

$AC1-wlan-view$ ap-group name ap3-group //创建AP组ap3-group

$AC1-wlan-ap-group-ap3-group$ radio 0 //进入radio 0配置

$AC1-wlan-ap-group-ap3-group-radio-0$ vap-profile vap-ap3 wlan 1 //绑定VAP配置文件

$AC1-wlan-ap-group-ap3-group-radio-0$ quit

$AC1-wlan-ap-group-ap3-group$ quit

$AC1-wlan-view$ ap-group name ap4-group //创建AP组ap4-group

$AC1-wlan-ap-group-ap4-group$ radio 0 //进入radio 0配置

$AC1-wlan-ap-group-ap4-group-radio-0$ vap-profile vap-ap4 wlan 1 //绑定VAP配置文件

$AC1-wlan-ap-group-ap4-group-radio-0$ quit

$AC1-wlan-ap-group-ap4-group$ quit

//AP设备注册配置

$AC1-wlan-view$ ap-id 1 ap-mac 00e0-fc85-5520 //配置AP 1，指定MAC地址

$AC1-wlan-ap-1$ ap-group ap1-group //将AP加入ap1-group组

$AC1-wlan-ap-1$ quit

$AC1-wlan-view$ ap-id 2 ap-mac 00e0-fccb-47c0 //配置AP 2，指定MAC地址

$AC1-wlan-ap-2$ ap-group ap2-group //将AP加入ap2-group组

$AC1-wlan-ap-2$ quit

$AC1-wlan-view$ ap-id 3 ap-mac 00e0-fc5c-7690 //配置AP 3，指定MAC地址

$AC1-wlan-ap-3$ ap-group ap3-group //将AP加入ap3-group组

$AC1-wlan-ap-3$ quit

$AC1-wlan-view$ ap-id 4 ap-mac 00e0-fcf2-4270 //配置AP 4，指定MAC地址

$AC1-wlan-ap-4$ ap-group ap4-group //将AP加入ap4-group组