iKuai + H3C: cross-layer-3 AP management, multi-SSID VLAN binding and guest intranet isolation configuration guide
Customer requirement: the wired network is split into several VLANs (office, door access and CCTV, etc.); the wireless network is likewise split into an office WiFi and a guest WiFi, and the guest WiFi must not be able to reach any intranet resource.
First, the core devices and network topology:
Three 2000M broadband lines and one 100M leased line terminate on the iKuai router's 2.5G copper ports. The H3C layer-3 switch uplinks to the iKuai over a 10G optical port; its ports 23 and 24 are aggregated and downlink to the H3C managed PoE switch, which connects only the iKuai wireless APs. All CCTV cameras stay on the existing old H3C PoE switch.
Preparation: mount the wireless APs, power on all devices, log in to the iKuai router web UI and configure 4 WAN interfaces with the account and password of each of the three 2000M broadband lines plus the leased line's IP address; configure the 10G LAN interface IP as 192.168.101.2/30.
1. Basic planning
Sharpening the axe first: define each VLAN and its interface mapping up front, since all later configuration is built around this plan. The core plan:
- Based on the customer's existing setup, the wired network is divided into three VLANs: VLAN10, VLAN2 and VLAN30, corresponding to 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24.
- Office SSID: named "Office", bound to VLAN50, subnet 192.168.50.0/24, gateway 192.168.50.1; normal access to both intranet and internet.
- Guest SSID: named "Guest", bound to VLAN60, subnet 192.168.60.0/24, gateway 192.168.60.1 (the iKuai router's VLAN20 interface IP); internet access only, intranet access denied.
- The APs need a dedicated management VLAN: VLAN51, subnet 192.168.51.0/24, gateway 192.168.51.1, used to carry AP management traffic across layer 3; every AP must obtain an address in this subnet to be discovered and managed by the iKuai AC.
- Interface plan: iKuai router LAN1 → L3 switch uplink port (e.g. GigabitEthernet1/0/28); L3 switch downlink ports (e.g. GigabitEthernet0/0/23 and 24, aggregated) → PoE switch uplink ports (e.g. GigabitEthernet0/0/15 and 16, aggregated); PoE switch PoE ports (e.g. GigabitEthernet1/0/1 to 1/0/8) → iKuai APs.
2. H3C layer-3 switch configuration: VLANs, trunks, routing, cross-layer-3 forwarding
The H3C layer-3 switch handles VLAN forwarding and inter-VLAN routing. It must forward packets of the AP management VLAN, the office VLAN and the guest VLAN correctly between itself and the iKuai router, and let the APs be managed by the AC across layer 3.
(1) Create VLANs
Example:
```
vlan 50
 description wifi
vlan 51
 description AP-Manage
```
(2) Configure the DHCP service
Example:
```
# Comware needs DHCP enabled globally before any pool hands out leases
# (this line was not shown on the original page).
dhcp enable
dhcp server ip-pool wifi
 gateway-list 192.168.50.1
 network 192.168.50.0 mask 255.255.255.0
 dns-list 61.177.7.1 114.114.114.114
 forbidden-ip 192.168.50.1 192.168.50.10
 forbidden-ip 192.168.50.231 192.168.50.254
dhcp server ip-pool AP-Manage
 gateway-list 192.168.51.1
 network 192.168.51.0 mask 255.255.255.0
 dns-list 61.177.7.1 114.114.114.114
 forbidden-ip 192.168.51.1
 forbidden-ip 192.168.51.10
 forbidden-ip 192.168.51.231
 forbidden-ip 192.168.51.254
 # 01 = sub-option type, 04 = length in bytes, c0a86502 = 192.168.101.2 (iKuai LAN IP)
 option 43 hex 0104c0a86502
```
The option 43 entry is the key to managing APs across layer 3: 0104 is a fixed prefix, and the rest is 192.168.101.2 (the iKuai router's LAN IP) converted to hexadecimal.
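As an added example (not part of the original post), the following Python builds and validates the Option 43 value from an AC address, so the hex string in the pool can be checked instead of hand-converted. Packing more than one address into the same TLV is an assumption; the page only shows the single iKuai LAN IP.

```python
import ipaddress

# Sub-option layout as shown on the page: type 0x01, one length byte, then the
# AC IPv4 address(es). Packing more than one address is an assumption; the
# page only shows the single iKuai LAN IP 192.168.101.2.
PAGE_VALUE = "0104c0a86502"


def build_option43(ac_ips):
    """Return the hex string for the Comware line 'option 43 hex <value>'."""
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in ac_ips)
    if not payload or len(payload) > 255:
        raise ValueError("need between 1 and 63 AC addresses")
    return (bytes([0x01, len(payload)]) + payload).hex()


def parse_option43(hexstr):
    """Decode the hex string into (sub-option type, [ip, ...]); raise if malformed."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("value too short")
    sub_type, length, body = raw[0], raw[1], raw[2:]
    if sub_type != 0x01:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length != len(body) or length % 4 != 0:
        raise ValueError("length byte does not match the address payload")
    ips = [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]
    return sub_type, ips


def is_valid_option43(hexstr):
    """True when the value decodes cleanly (check this before pasting it into the pool)."""
    try:
        parse_option43(hexstr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_option43(["192.168.101.2"]))  # 0104c0a86502
    print(parse_option43(PAGE_VALUE))          # (1, ['192.168.101.2'])
```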
(3) Configure VLAN interface IPs
```
interface Vlan-interface50
 ip address 192.168.50.1 255.255.255.0
 dhcp server apply ip-pool wifi
interface Vlan-interface51
 description AP-Manage
 ip address 192.168.51.1 255.255.255.0
 # pool names are case-sensitive; must match the pool created above
 dhcp server apply ip-pool AP-Manage
interface Vlan-interface101
 ip address 192.168.101.1 255.255.255.0
```
(4) Configure switch ports
```
interface GigabitEthernet1/0/17
 description to_tpsf1024s
 port access vlan 20
 dhcp snooping trust
interface GigabitEthernet1/0/18
 description to_h3c_1224r
 port access vlan 20
 dhcp snooping trust
interface GigabitEthernet1/0/19
 description to_poe—eru1_24
 port link-type trunk
 port trunk permit vlan all
 dhcp snooping trust
interface GigabitEthernet1/0/20
 description to_jieru2_24
 port link-type trunk
 port trunk permit vlan all
 dhcp snooping trust
interface GigabitEthernet1/0/21
 description to_pojieru3_24
 port link-type trunk
 port trunk permit vlan all
 dhcp snooping trust
interface GigabitEthernet1/0/22
 description to_poe_jiankong_24
 port link-type trunk
 port trunk permit vlan all
 dhcp snooping trust
interface GigabitEthernet1/0/23
 description TO_POE_Port15
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
interface GigabitEthernet1/0/24
 description TO_POE_Port16
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
```
Note: GigabitEthernet1/0/23 and 1/0/24 are aggregated and connect to the PoE switch that serves the wireless APs, increasing the usable bandwidth. The aggregation group must be created first:
```
interface Bridge-Aggregation1
 description to_poe
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 dhcp snooping trust
```
(5) Default route
```
ip route-static 0.0.0.0 0 192.168.101.2
```
(6) Configure an ACL to block the guest WiFi from the intranet
```
acl number 3001
 rule 5 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 15 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 20 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 25 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 30 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
 rule 35 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
 rule 40 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.51.0 0.0.0.255
```
Note: defining the ACL alone does nothing; it takes effect only once applied with `packet-filter 3001 inbound` under the interface that carries guest traffic into the switch. A packet that matches no rule is permitted by default, which is what keeps guest internet access working.
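The ACL can be dry-run before it is applied. The following Python is an added example (not from the original post) that evaluates the rules above in Comware order using wildcard masks and reports any planned intranet subnet a guest client could still reach; the intranet list and the 192.168.60.20 guest address are constructed from the page's plan.

```python
import ipaddress

# ACL 3001 copied from the page; rule number order is the evaluation order.
ACL_3001 = """
rule 5 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 15 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 20 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 25 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 30 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 35 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 40 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.51.0 0.0.0.255
"""

# Subnets the plan treats as intranet (constructed from the page's planning section).
INTRANET = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
            "192.168.50.0/24", "192.168.51.0/24", "192.168.101.0/24"]


def wildcard_match(ip, base, wildcard):
    """Comware wildcard mask: a 1 bit means 'don't care' (0.0.0.255 = /24)."""
    i, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (i | w) == (b | w)


def parse_acl(text):
    """Return [(rule_id, action, src, src_wc, dst, dst_wc)] sorted by rule id."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()  # rule N action ip source S SW destination D DW
        rules.append((int(t[1]), t[2], t[5], t[6], t[8], t[9]))
    return sorted(rules, key=lambda r: r[0])


def evaluate(rules, src, dst):
    """First matching rule wins; no match means permit (packet-filter default)."""
    for rid, action, s, sw, d, dw in rules:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, rid
    return "permit", None


def guest_leaks(rules, intranet_nets, guest_host="192.168.60.20"):
    """Planned intranet subnets that a guest client could still reach."""
    return [net for net in intranet_nets
            if evaluate(rules, guest_host, str(ipaddress.ip_network(net)[10]))[0] != "deny"]


if __name__ == "__main__":
    rules = parse_acl(ACL_3001)
    print(evaluate(rules, "192.168.60.20", "192.168.10.5"), guest_leaks(rules, INTRANET))
```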
3. H3C managed PoE switch configuration
Main configuration:
```
vlan 60
 description wifi-guest
stp mode rstp
stp global enable
interface Bridge-Aggregation1
 description to_xe
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 dhcp snooping trust
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 port trunk pvid vlan 51
 poe enable
interface GigabitEthernet1/0/15
 description TO_CORE_Port23
 port link-type trunk
 port trunk permit vlan all
 poe enable
 port link-aggregation group 1
interface GigabitEthernet1/0/16
 description TO_CORE_Port24
 port link-type trunk
 port trunk permit vlan all
 poe enable
 port link-aggregation group 1
```
5. Configure WiFi
The WiFi configuration steps:
(1) Bring the APs online
1. Log in to the iKuai router, open [AC Management] → [Wireless Overview], and turn on the AC smart control switch;
2. Open the AP list; after a minute or two all APs should come online. If they are still offline after 5 minutes, reboot the PoE switch; if that does not help either, the option 43 entry in the AP DHCP pool is wrong and must be checked and corrected;
3. Open AP groups and add all online APs to the same group.
(2) SSID-to-VLAN binding and verification
1. Create the Office-WiFi and Guest-WiFi SSIDs and bind them to different VLANs;
2. Apply a rate limit to Guest as the customer requested;
3. Verify VLAN isolation: connect a laptop to Guest-WiFi and confirm it cannot reach the other VLANs, which shows that VLAN binding and isolation work.
6. Next issue preview:
Why is remote NAS access laggy? Interconnecting three LANs across sites so devices at each location can reach one another.
Notice: The content above (including the pictures and videos if any) is uploaded and posted by a user of NetEase Hao, which is a social media platform and only provides information storage services.