华为综合案例-普通WLAN全覆盖配置(2)

时间:2024-04-01 22:14:29

组网图

结果验证

在AC_1和AC_2上执行display ap all命令,检查当前AP的状态,显示以下信息表示AP上线成功。


[AC_1] display ap all
Total AP information:
nor  : normal          [1]
ExtraInfo : Extra information
P  : insufficient power supply
----------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP              Type            State STA Uptime      ExtraInfo
----------------------------------------------------------------------------------------------------
0    60de-4476-e360 AP_1   wlan_net    10.128.1.254    AP6050DN        nor   0   10S         -
----------------------------------------------------------------------------------------------------
Total: 1


在AC_1和AC_2上执行display hsb-service 0命令,查看主备服务的建立情况,可以看到Service State字段的显示为Connected,说明主备服务通道已经成功建立。


[AC_1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.1.1.253
  Peer IP Address        : 10.1.1.254
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 5
  Keep Alive Interval    : 3
  Service State          : Connected
  Service Batch Modules  : Access-user
  Shared-key             : -
----------------------------------------------------------
[AC_2] display hsb-service 0 
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.1.1.254
  Peer IP Address        : 10.1.1.253
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 5
  Keep Alive Interval    : 3
  Service State          : Connected
  Service Batch Modules  : Access-user
  Shared-key             : -
----------------------------------------------------------


在AC_1和AC_2上执行display hsb-group 0命令,查看HSB备份组的运行情况。


[AC_1] display hsb-group 0 
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif800
  Service Index               : 0
  Group Vrrp Status           : Master
  Group Status                : Active
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6805
  Peer Group Software Version : V200R010C00
  Group Backup Modules        : Access-user
                                AP
                                DHCP
----------------------------------------------------------
[AC_2] display hsb-group 0 
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif800
  Service Index               : 0
  Group Vrrp Status           : Backup
  Group Status                : Inactive
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6805
  Peer Group Software Version : V200R010C00
  Group Backup Modules        : Access-user
                                AP
                                DHCP
----------------------------------------------------------


用户是否能够通过RADIUS模板的认证。(已在RADIUS服务器上配置了测试用户test@huawei.com,用户密码123456)。


[AC_1] test-aaa test@huawei.com 123456 radius-template radius_huawei 
Info: Account test succeed.
  1. 完成配置后,用户可通过无线终端搜索到SSID为wlan_net的无线网络,用户关联到无线网络上后,无线终端能够被分配相应的IP地址。STA上打开浏览器访问Internet,自动跳转到Portal服务器提供的页面,在页面上输入正确的用户名(test@huawei.com)和密码(123456),认证通过后可以正常访问Internet。
  2. 用户使用手机可以正常使用漫游业务。


配置脚本


AC_1和AC_2的配置文件对比(加粗内容为AC_1和AC_2上的双机备份配置和无线配置同步配置,斜体内容为AC_1自动同步到AC_2的公有配置)

AC_1

AC_2

#
 sysname AC_1
#
radius-server source ip-address 172.16.1.1
#
vrrp recover-delay 60
#
vlan batch 700 to 701 800 810 820
#
authentication-profile name wlan_net_dot1x_auth
 dot1x-access-profile huawei
 authentication-scheme radius_huawei
 accounting-scheme radius_huawei
 radius-server radius_huawei
authentication-profile name wlan_net_portal_auth
 mac-access-profile mac
 portal-access-profile wlan_net
 free-rule-template default_free_rule
 authentication-scheme radius_huawei
 accounting-scheme radius_huawei
 radius-server radius_huawei
#
web-auth-server source-ip 172.16.1.1
#
dhcp enable
#
dhcp snooping enable
#
vlan 700
 description wlan_net
 dhcp snooping enable
vlan 701
 description wlan_net
 dhcp snooping enable
vlan 800
 description AP-management-vlan
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#b@)bNet)(Z)!N9T>p8kM(8w/N&3\>!KKg=DO<!R+%^%#
 radius-server authentication 172.16.1.254 1812 weight 80
 radius-server accounting 172.16.1.254 1813 weight 80
 radius-server timeout 1
radius-server authorization 172.16.1.254 shared-key cipher %^%#M"yY$,}"a8U12iTP4:u6nI-;9G/!eH`FJ:UePsB,%^%# 
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255
#
url-template name huawei
 url http://172.16.1.254:8080/portal
 url-parameter ssid ssid redirect-url url
#
web-auth-server huawei
 server-ip 172.16.1.254
 port 50200
 shared-key cipher %^%#6/j36uiW:M7dx'"L*2M*TN~P7t*K0(w9'=ER4bZ"%^%#
 url-template huawei
#
portal-access-profile name wlan_net
 web-auth-server huawei direct
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme radius_huawei
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif800
 ip address 10.128.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.128.1.1
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
 dhcp select interface
 dhcp server excluded-ip-address 10.128.1.1 10.128.1.3 
#
interface Vlanif810
 ip address 10.1.1.253 255.255.255.252
#
interface Vlanif820
 ip address 172.16.1.2 255.255.255.0
 vrrp vrid 2 virtual-ip 172.16.1.1
 vrrp vrid 2 track admin-vrrp interface Vlanif800 vrid 1 unflowdown
#
interface GigabitEthernet0/0/23
 description Connect to AC_2_0/0/23
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 800 810 820
#
interface GigabitEthernet0/0/24
 description Connect to S12700_A_1/1/0/20
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 700 to 701 800 820
#
capwap source ip-address 10.128.1.1
#
hsb-service 0
 service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif800
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name wlan_net
  user-isolate l2
 security-profile name open
  security open
 security-profile name dot1x
  security wpa2 dot1x aes
 ssid-profile name wlan_net_portal_auth
  ssid wlan_net_portal_auth
 ssid-profile name wlan_net_dot1x_auth
  ssid wlan_net_dot1x_auth
  dot11r enable
 vap-profile name wlan_net_portal_auth
  service-vlan vlan-id 700
  ssid-profile wlan_net_portal_auth
  security-profile open
  traffic-profile wlan_net
  authentication-profile wlan_net_portal_auth
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name wlan_net_dot1x_auth
  service-vlan vlan-id 701
  ssid-profile wlan_net_dot1x_auth
  security-profile dot1x
  traffic-profile wlan_net
  authentication-profile wlan_net_dot1x_auth
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 radio-2g-profile name 2G
 radio-5g-profile name 5G
 port-link-profile name default
 ap-group name wlan_net
  radio 0
   radio-2g-profile 2G
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
  radio 1
   radio-5g-profile 5G
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
  radio 2
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
 ap-id 1 ap-mac 60de-4476-e360
  ap-name AP_1
  ap-group wlan_net
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif800
  master-redundancy peer-ip ip-address 10.1.1.254 local-ip ip-address 10.1.1.253 psk %^%#HdgY%JtWL>H[k@Rs~<-)6,u4A&I1e5mO%jVwv~*N%^%#
#
dot1x-access-profile name huawei
#
mac-access-profile name mac
#
return
#
 sysname AC_2
#
radius-server source ip-address 172.16.1.1
#
vrrp recover-delay 60
#
vlan batch 700 to 701 800 810 820
#
authentication-profile name wlan_net_dot1x_auth
 dot1x-access-profile huawei
 authentication-scheme radius_huawei
 accounting-scheme radius_huawei
 radius-server radius_huawei
authentication-profile name wlan_net_portal_auth
 mac-access-profile mac
 portal-access-profile wlan_net
 free-rule-template default_free_rule
 authentication-scheme radius_huawei
 accounting-scheme radius_huawei
 radius-server radius_huawei
#
web-auth-server source-ip 172.16.1.1
#
dhcp enable
#
dhcp snooping enable
#
vlan 700
 description wlan_net
 dhcp snooping enable
vlan 701
 description wlan_net
 dhcp snooping enable
vlan 800
 description AP-management-vlan
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#b@)bNet)(Z)!N9T>p8kM(8w/N&3\>!KKg=DO<!R+%^%#
 radius-server authentication 172.16.1.254 1812 weight 80
 radius-server accounting 172.16.1.254 1813 weight 80
 radius-server timeout 1
radius-server authorization 172.16.1.254 shared-key cipher %^%#M"yY$,}"a8U12iTP4:u6nI-;9G/!eH`FJ:UePsB,%^%# 
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.253 mask 255.255.255.255
#
url-template name huawei
 url http://172.16.1.254:8080/portal
 url-parameter ssid ssid redirect-url url
#
web-auth-server huawei
 server-ip 172.16.1.254
 port 50200
 shared-key cipher %^%#6/j36uiW:M7dx'"L*2M*TN~P7t*K0(w9'=ER4bZ"%^%#
 url-template huawei
#
portal-access-profile name wlan_net
 web-auth-server huawei direct
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme radius_huawei
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif800
 ip address 10.128.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.128.1.1
 admin-vrrp vrid 1


 dhcp select interface
 dhcp server excluded-ip-address 10.128.1.1 10.128.1.3 
#
interface Vlanif810
 ip address 10.1.1.254 255.255.255.252
#
interface Vlanif820
 ip address 172.16.1.3 255.255.255.0
 vrrp vrid 2 virtual-ip 172.16.1.1
 vrrp vrid 2 track admin-vrrp interface Vlanif800 vrid 1 unflowdown
#
interface GigabitEthernet0/0/23
 description Connect to AC_1_0/0/23
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 800 810 820
#
interface GigabitEthernet0/0/24
 description Connect to S12700_B_2/1/0/23
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 700 to 701 800 820
#
capwap source ip-address 10.128.1.1
#
hsb-service 0
 service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif800
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name wlan_net
  user-isolate l2
 security-profile name open
  security open
 security-profile name dot1x
  security wpa2 dot1x aes
 ssid-profile name wlan_net_portal_auth
  ssid wlan_net_portal_auth
 ssid-profile name wlan_net_dot1x_auth
  ssid wlan_net_dot1x_auth
  dot11r enable
 vap-profile name wlan_net_portal_auth
  service-vlan vlan-id 700
  ssid-profile wlan_net_portal_auth
  security-profile open
  traffic-profile wlan_net
  authentication-profile wlan_net_portal_auth
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name wlan_net_dot1x_auth
  service-vlan vlan-id 701
  ssid-profile wlan_net_dot1x_auth
  security-profile dot1x
  traffic-profile wlan_net
  authentication-profile wlan_net_dot1x_auth
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 radio-2g-profile name 2G
 radio-5g-profile name 5G
 port-link-profile name default
 ap-group name wlan_net
  radio 0
   radio-2g-profile 2G
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
  radio 1
   radio-5g-profile 5G
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
  radio 2
   vap-profile wlan_net_portal_auth wlan 1
   vap-profile wlan_net_dot1x_auth wlan 2
 ap-id 1 ap-mac 60de-4476-e360
  ap-name AP_1
  ap-group wlan_net
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif800
  master-redundancy peer-ip ip-address 10.1.1.253 local-ip ip-address 10.1.1.254 psk %^%#>j6VS_;z=54_*oRNpd<<'_-8DRj,,Y!T~_,Z$4yI%^%#
#
dot1x-access-profile name huawei
#
mac-access-profile name mac
#
return
集群系统

#
sysname CSS
#
vlan batch 730 800 820
#
interface Eth-Trunk1                                                                                           
 description Connect to S7700_Eth-Trunk1
 port link-type trunk  
 undo port trunk allow-pass vlan 1  
 port trunk allow-pass vlan 730 800
#
interface GigabitEthernet1/1/0/19
 eth-trunk 1
#
interface GigabitEthernet1/1/0/20
 description Connect to AC_1_0/0/24
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800 820
#
interface GigabitEthernet1/1/0/21
 description Connect to Router_0/0/29
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 820
#
interface GigabitEthernet1/1/1/7
 mad detect mode direct
#
interface GigabitEthernet2/1/0/18
 description Connect to Router_0/0/30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 820
#
interface GigabitEthernet2/1/0/22
 eth-trunk 1
#
interface GigabitEthernet2/1/0/23
 description Connect to AC_2_0/0/24
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800 820
#
interface GigabitEthernet2/1/1/7
  mad detect mode direct
#
return
S7700

#
sysname S7700
#
vlan batch 730 800
#
interface Eth-Trunk1
 description Connect to S12700_Eth-Trunk1                                              
 port link-type trunk                                                            
 undo port trunk allow-pass vlan 1                                               
 port trunk allow-pass vlan 730 800 
#
interface Vlanif730
 ip address 10.173.1.1 255.255.252.0
 dhcp select relay
 dhcp relay server-ip 172.16.1.252
#
interface GigabitEthernet1/0/3
 description Connect to S5700_A_0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800
#
interface GigabitEthernet1/0/17
 eth-trunk 1
#
interface GigabitEthernet2/0/18
 eth-trunk 1
#
return
S5700_A

#
sysname S5700_A
#
vlan batch 730 800
#
traffic classifier huawei 
if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000
#
traffic behavior huawei 
statistic enable
car cir 100 
#
traffic policy huawei
classifier huawei behavior huawei
#
lldp enable
#
interface GigabitEthernet0/0/1
 description Connect to AP_1
 port link-type trunk
 port trunk pvid vlan 800 
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800
 port-isolate enable group 1 
 stp edged-port enable 
 traffic-policy huawei inbound
 traffic-policy huawei outbound
#
interface GigabitEthernet0/0/2
 description Connect to AP_2
 port link-type trunk
 port trunk pvid vlan 800
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800
 port-isolate enable group 1 
 stp edged-port enable 
 traffic-policy huawei inbound
 traffic-policy huawei outbound
#
interface GigabitEthernet0/0/3
 description Connect to S7700_1/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 730 800
#
return
父主题: 综合案例-普通WLAN覆盖
版权所有 © 华为技术有限公司
< 上一节下一节 >

场景化推荐配置

大广播域场景下的流量优化

在企业与园区场景中,通常采用单个大型子网的设计。单个大型子网简化了VLAN的配置、没有繁杂的漫游配置、故障定位简单。但是,单个大型子网使用大广播域,带来了大量报文复制发送、CPU使用率过高等问题。

通过将广播报文转单播处理、抑制未知单播、对AP多播报文进行限速等方法降低CPU处理量,以支撑大广播域场景。

# 打开mDNS单播应答功能。AC作为mDNS网关,对于mDNS服务请求报文,由AC进行服务单播代答。进而减少AC的复制流程。(缺省关闭,推荐开启)

<AC6805> system-view
[AC6805] mdns unicast-reply enable

# 打开IGMP Snooping功能和丢弃VLAN内收到的未知组播流功能。当主机和上游三层设备之间传递的IGMP协议报文通过二层组播设备时,IGMP Snooping分析报文携带的信息,根据这些信息建立和维护二层组播转发表,从而指导组播数据在数据链路层按需转发。(缺省关闭,推荐开启)


<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] traffic-profile name default
[AC6805-wlan-traffic-prof-default] igmp-snooping enable
[AC6805-wlan-traffic-prof-default] quit
[AC6805-wlan-view] quit
[AC6805] vlan 10 
[AC6805-vlan10] multicast drop-unknown
# 打开ARP/ND/DHCP报文转单播处理功能。(缺省开启,推荐开启)

<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] traffic-profile name default
[AC6805-wlan-traffic-prof-default] traffic-optimize bcmc unicast-send arp nd dhcp
# 打开ARP/ND/DHCP抑制功能。当空口广播或组播协议报文转为单播报文失败时,丢弃这些报文。(缺省开启,推荐开启)

<AC6805> system-view
[AC6805] wlan
[AC6805-wlan-view] traffic-profile name default
[AC6805-wlan-traffic-prof-default] traffic-optimize bcmc unicast-send mismatch-action drop
VR场景下的流量优化
AP对接VR设备场景下,由于丢包重传对用户体验影响较大,用户可将业务保障功能模式设置为可靠性优先,即在满足VR吞吐量要求下,通过空口适当降速,减小丢包、重传引起的抖动、延迟,提升用户体验。建议用户在VR游戏场景下,配置业务保障功能模式为可靠性优先,在VR视频场景下,建议配置为性能优先。

# 配置业务保障功能模式为可靠性优先。(缺省为性能优先)

<AC6805> system-view 
[AC6805] wlan  
[AC6805-wlan-view] ssid-profile name ssid1 
[AC6805-wlan-ssid-prof-ssid1] service-guarantee reliability-first

开掘常见问题

AP上线失败

问题描述

AP上线失败。

可能原因
  • 前期PoE交换机PoE参数配置错误
  • AC和AP间的链路没打通
  • 施工人员网线没做好

以上原因占据平时排查工作大部分时间。更多原因和解决处理方法请参考故障启示录中的AP上线失败

处理过程

处理过程如下:

  • 对照AP设备《产品描述》中指定的PoE供电协议标准,检查PoE供电设备是否满足。如果不符,则需要更换为满足要求的PoE供电设备。

    对于华为PoE交换机,在系统视图下执行display poe power命令,根据回显信息中的USMPW(mW)值可以确定其供电协议标准:15400表示该交换机支持的PoE供电协议是IEEE 802.3af标准,30000表示该交换机支持的PoE供电协议是IEEE 802.3at标准。

  • 检查AP与AC之间网络是否互通。如果不通,请检查对应配置是否正确。
  • 尝试更换连接AP的物理线路。