Rapid Enterprise Wireless Network Deployment: Configuring a HUAWEI AC in Layer 3 Bypass Mode

2023-05-21 06:56:46

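With demand for mobile working growing quickly, enterprises commonly need a stable, reliable and centrally managed wireless network. This guide describes how to deploy a WLAN quickly inside a medium-to-large enterprise network.

The business requirement is that users access the network over the WLAN for mobile working, and that roaming within the coverage area does not interrupt their services. Office PCs must also be able to get network access by plugging into the wired port of the nearest AP.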


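Networking requirements

AC networking mode: Layer 3 bypass networking.

DHCP deployment:

SW1 provides DHCP service for user traffic and for the APs.

AP address pool: 10.1.10.X

Topology notes

R1: egress router, internal interface 10.1.30.1/24

User employee: 10.1.20.X, VLAN 20, tunnel forwarding, password a1234567

User guest: 10.1.30.X, VLAN 30, direct forwarding, no encryption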

Basic configuration

Egress router R1 configuration

sys
sysname R1
interface GigabitEthernet0/0/0
 ip address 10.1.50.1 255.255.255.0
ip route-static 10.1.20.0 255.255.255.0 10.1.50.2
ip route-static 10.1.30.0 255.255.255.0 10.1.50.2

Access switch SW2 configuration

sys
sysname sw2
vlan batch 10 30
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 30
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 30
// The PVID of the ports facing the APs must be set to the AP management VLAN ID; tunnel-forwarded VLANs do not need to be allowed
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 30

Key configuration: core switch SW1

sys
sysname SW1
vlan batch 10 20 30 50
dhcp enable
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 dns-list 8.8.8.8
 ex 10.1.10.2
 option 43 sub-option 2 ip 10.10.10.10
// Create the VLANs and enable DHCP; the AP address pool uses the Option 43 parameter to tell the APs where the AC is
ip pool employee
 gateway-list 10.1.20.1
 network 10.1.20.0 mask 255.255.255.0
 dns-list 8.8.8.8
ip pool guest
 gateway-list 10.1.30.1
 network 10.1.30.0 mask 255.255.255.0
 dns-list 8.8.8.8
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
 dhcp select global
interface Vlanif20
 ip address 10.1.20.1 255.255.255.0
 dhcp select global
interface Vlanif30
 ip address 10.1.30.1 255.255.255.0
 dhcp select global
// DHCP addresses are assigned from the global address pools
interface Vlanif50
 ip address 10.1.50.2 255.255.255.0
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 50
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20 10
// The port facing the AC must allow the tunnel-forwarded VLAN
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 30
ip route-static 10.10.10.10 255.255.255.255 10.1.10.2
// Route to the AC

Key configuration: AC

sys
sysname AC1
vlan batch 20 10
interface Vlanif10
 ip address 10.1.10.2 255.255.255.0
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20 10
interface LoopBack0
 ip address 10.10.10.10 255.255.255.255
ip route-static 0.0.0.0 0 10.1.10.1
// Configure the default route
capwap source interface loopback0
// Configure the CAPWAP tunnel
wlan
 ap auth-mode mac-auth
 // The AP authentication mode is MAC authentication
 regulatory-domain-profile name ac1
  country-code cn
 // The country code is cn
 security-profile name guest
  security open
 security-profile name employee
  security wpa-wpa2 psk pass-phrase a1234567 aes
 ssid-profile name guest
  ssid guest
 ssid-profile name employee
  ssid employee
 // Configure the SSID and security profiles
 vap-profile name guest
  forward-mode direct-forward
  service-vlan vlan-id 30
  ssid-profile guest
  security-profile guest
 vap-profile name employee
  forward-mode tunnel
  service-vlan vlan-id 20
  ssid-profile employee
  security-profile employee
 // Configure the VAP profiles
 ap-group name ag1
  regulatory-domain-profile ac1
  vap-profile employee wlan 1 radio all
  vap-profile guest wlan 2 radio all
 // Configure the AP group and apply the VAP profiles
 ap-mac 00e0-fca1-39e0
  ap-name Ap1
  ap-group ag1
 ap-mac 00e0-fc50-6b90
  ap-name AP2
  ap-group ag1
 // Bring the APs online
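
The trunk rules noted in the switch comments (AP-facing ports use the AP management VLAN as PVID and need not carry tunnel-forwarded VLANs; the AC-facing port must carry them) can be checked against the VAP profiles before the configuration is applied. The Python script below is an added example, not part of the original article or of any Huawei tool; the config excerpts are constructed from the listings above, and the function names `vap_vlans`, `trunk` and `audit` are hypothetical.

```python
import re

# Constructed excerpts of this page's configs: only the lines the checks read.
AC_VAPS = """
vap-profile name guest
 forward-mode direct-forward
 service-vlan vlan-id 30
vap-profile name employee
 forward-mode tunnel
 service-vlan vlan-id 20
"""
SW2_AP_PORT = "port link-type trunk\nport trunk pvid vlan 10\nport trunk allow-pass vlan 10 30"
SW1_AC_PORT = "port link-type trunk\nport trunk allow-pass vlan 20 10"

def vap_vlans(cfg):
    """Map each vap-profile to mode and service VLAN (assumed defaults: direct-forward, VLAN 1)."""
    out, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"vap-profile name (\S+)", line):
            cur = out.setdefault(m.group(1), {"mode": "direct-forward", "vlan": 1})
        elif cur is not None and (m := re.match(r"forward-mode (\S+)", line)):
            cur["mode"] = m.group(1)
        elif cur is not None and (m := re.match(r"service-vlan vlan-id (\d+)", line)):
            cur["vlan"] = int(m.group(1))
    return out

def trunk(cfg):
    """Return (pvid, allowed VLANs) of one trunk port; handles '10 30' and '10 to 12'."""
    pvid = re.search(r"port trunk pvid vlan (\d+)", cfg)
    allow = re.search(r"port trunk allow-pass vlan (.+)", cfg)
    spans = re.findall(r"(\d+)(?: to (\d+))?", allow.group(1) if allow else "")
    vlans = {v for lo, hi in spans for v in range(int(lo), int(hi or lo) + 1)}
    return (int(pvid.group(1)) if pvid else 1), vlans  # PVID defaults to VLAN 1

def audit(ac_vaps, ap_port, ac_port, mgmt_vlan):
    """Return violations of the trunk rules stated in the switch config comments."""
    (ap_pvid, ap_allow), (_, ac_allow) = trunk(ap_port), trunk(ac_port)
    problems = [f"AP-facing port pvid {ap_pvid} != management VLAN {mgmt_vlan}"] if ap_pvid != mgmt_vlan else []
    for name, p in vap_vlans(ac_vaps).items():
        mode, vlan = p["mode"], p["vlan"]
        if mode == "tunnel" and vlan not in ac_allow:
            problems.append(f"{name}: tunnel VLAN {vlan} missing on AC-facing trunk")
        if mode == "tunnel" and vlan in ap_allow:
            problems.append(f"{name}: tunnel VLAN {vlan} not needed on AP-facing trunk")
        if mode == "direct-forward" and vlan not in ap_allow:
            problems.append(f"{name}: direct-forward VLAN {vlan} missing on AP-facing trunk")
    return problems

print(audit(AC_VAPS, SW2_AP_PORT, SW1_AC_PORT, mgmt_vlan=10) or "trunk rules satisfied")
```

An empty result means the three listings agree; keeping the tunnel-forwarded VLAN off the AP-facing trunks also keeps employee traffic out of the access layer.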

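AC configuration for connecting PCs through an AP's wired port

Applied to an AP or an AP group; only suitable for direct forwarding mode.

wired-port-profile na v30
 mode endpoint
 vlan pvid 30
 vlan untagged 30
// Change the AP port type from root to endpoint, and configure the port PVID and port VLAN
ap-i 1
 wired-port-profile V30 gigabitethernet 1
// Apply to a single AP
//ap-g na ag1
//wired-port-profile V30 gigabitethernet 1
// It can also be applied to the AP group, so that the configuration takes effect on all APs
ap-reset ap-i 1
// Restart the corresponding AP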

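Testing after configuration

On the AC, the APs are shown as online.

All wireless signals are visible on the STA.

The STA connects to the open SSID; direct forwarding works as expected.

The STA connects to the encrypted SSID; encrypted tunnel forwarding works as expected.

The PC obtains an IP address and can reach the egress.

The lab succeeded.

Note: this lab was run on the eNSP simulator.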