Hello everyone,
Today I will share with you how to configure WLAN services on a large-scale network.
Specifications
This example applies to AR routers of V200R008C00 and later versions.
Networking Requirements
On the large enterprise network shown in Figure 1-1, an aggregation switch Switch_B connects to an access switch Switch_A and an upstream Router. The enterprise needs to deploy a WLAN with as few changes to the current network structure as possible.
The enterprise requirements are as follows:
A WLAN with the SSID guest is deployed in the lobby of the office building to provide wireless access services for visitors.
A WLAN with the SSID employee is deployed in office areas to provide wireless access services for employees.
Figure 1-1 Networking diagram of configuring WLAN services on a large-scale network
Procedure
Step 1 Configure Switch_A.
#
sysname Switch_A
#
vlan batch 100 to 102 //Create VLAN 100 (management VLAN), VLAN 101 (service VLAN), and VLAN 102 (service VLAN).
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100 //Configure VLAN 100 as the default VLAN of GE0/0/1.
 port trunk allow-pass vlan 100 to 101 //Add GE0/0/1 to VLAN 100 and VLAN 101.
 port-isolate enable group 1 //Enable port isolation on GE0/0/1.
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 102 //Add GE0/0/2 to VLAN 100 and VLAN 102.
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 102 //Add GE0/0/3 to VLANs 100, 101, and 102.
#
return
Step 2 Configure Switch_B.
#
sysname Switch_B
#
vlan batch 100 to 102 //Create VLAN 100 (management VLAN), VLAN 101 (service VLAN), and VLAN 102 (service VLAN).
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102 //Add GE0/0/1 to VLANs 100, 101, and 102.
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 102 //Add GE0/0/2 to VLANs 100, 101, and 102.
#
return
Step 3 Configure the AC.
#
sysname AC
#
vlan batch 100 to 102 //Create VLAN 100 (management VLAN), VLAN 101 (service VLAN), and VLAN 102 (service VLAN).
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
 ip address 10.10.10.1 255.255.255.0
 dhcp select interface //Enable DHCP on VLANIF 100 so that the AC can assign IP addresses to APs.
#
interface Vlanif101
 ip address 10.10.11.1 255.255.255.0
 dhcp select interface //Enable DHCP on VLANIF 101 so that the AC can assign IP addresses to STAs associated with APs.
#
interface Vlanif102
 ip address 10.10.12.1 255.255.255.0
 dhcp select interface //Enable DHCP on VLANIF 102 so that the AC can assign IP addresses to STAs associated with APs.
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 100 to 102 //Add Ethernet2/0/0 to VLANs 100, 101, and 102.
#
capwap source interface vlanif100 //Specify the AC's source interface.
#
wlan ac
 security-profile name guest //Create a security profile.
  security wep share-key //Configure the shared-key WEP authentication method.
  wep key 0 wep-40 pass-phrase %^%#z*z]6]#!|%n:n}Xz'mhKE{PfN|cIj*eU$jJYH48S%^%# //Configure a WEP key.
 security-profile name employee //Create a security profile.
  security wpa2 psk pass-phrase %^%#H{1<-b]4~"*+Y:4-'/URy;$+,33UgQf)@9I(Yl]V%^%# aes //Configure PSK authentication and CCMP encryption, and display the user password in ciphertext.
 ssid-profile name guest //Create an SSID profile.
  ssid guest //Set the SSID to guest.
 ssid-profile name employee //Create an SSID profile.
  ssid employee //Set the SSID to employee.
 vap-profile name guest //Create a VAP profile named guest.
  service-vlan vlan-id 101 //Configure VLAN 101 as a service VLAN.
  ssid-profile guest //Bind the SSID profile guest to the VAP profile guest.
  security-profile guest //Bind the security profile guest to the VAP profile guest.
 vap-profile name employee //Create a VAP profile named employee.
  service-vlan vlan-id 102 //Configure VLAN 102 as a service VLAN.
  ssid-profile employee //Bind the SSID profile employee to the VAP profile employee.
  security-profile employee //Bind the security profile employee to the VAP profile employee.
 regulatory-domain-profile name domain1 //Create a regulatory domain profile.
 ap-group name guest //Create an AP group.
  regulatory-domain-profile domain1 //Bind the domain profile to the AP group.
  radio 0
   vap-profile guest wlan 1 //Bind the VAP profile guest to the radio.
  radio 1
   vap-profile guest wlan 1 //Bind the VAP profile guest to the radio.
  radio 2
   vap-profile guest wlan 1 //Bind the VAP profile guest to the radio.
 ap-group name default //Create an AP group named default.
 ap-group name employee //Create an AP group named employee.
  regulatory-domain-profile domain1 //Bind the domain profile to the AP group.
  radio 0
   vap-profile employee wlan 1 //Bind the VAP profile employee to the radio.
  radio 1
   vap-profile employee wlan 1 //Bind the VAP profile employee to the radio.
  radio 2
   vap-profile employee wlan 1 //Bind the VAP profile employee to the radio.
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 //Add an AP offline.
  ap-name area_1 //Configure a name for the AP.
  ap-group guest //Add the AP to the AP group guest.
 ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235554710CB000075 //Add an AP offline.
  ap-name area_2 //Configure a name for the AP.
  ap-group employee //Add the AP to the AP group employee.
#
return
Step 4 Verify the configuration.
# After the service configuration is complete, run the display vap ssid guest and display vap ssid employee commands. If Status in the command output is displayed as ON, the VAPs have been successfully created on AP radios.
# Connect STAs to the WLANs with SSIDs guest and employee and enter the passwords a1234 and b1234567 respectively. Run the display station ssid guest and display station ssid employee commands on the AC. The command output shows that the STAs are connected to the WLANs guest and employee.
----End
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
The management VLAN and the service VLAN cannot be the same VLAN.
In V200R008C30 and later versions, when multiple VAP profiles are configured and share one service VLAN, enable inter-service VLAN proxy ARP if the data forwarding mode is set to tunnel.
When serving as an AC, the device supports tunnel forwarding for data packets only in V200R008C30 and later versions.
That is all I want to share with you! Thank you!
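
Added example, not part of the original post or of the vendor's documentation: a small Python audit that reads an AC configuration in the Step 3 syntax and reports VAP profiles bound to a WEP security profile (WEP is a deprecated protocol with well-known key-recovery weaknesses) and any service VLAN that equals the management VLAN, which the Configuration Notes rule out. The sample configuration and the function name audit_ac_config are constructed for illustration.

```python
import re

# Constructed sample in the syntax of Step 3; <cipher> stands in for the
# ciphertext keys, and the service VLAN of "employee" is deliberately wrong.
SAMPLE_AC_CONFIG = """\
capwap source interface vlanif100
wlan ac
 security-profile name guest
  security wep share-key
  wep key 0 wep-40 pass-phrase <cipher>
 security-profile name employee
  security wpa2 psk pass-phrase <cipher> aes
 vap-profile name guest
  service-vlan vlan-id 101
  ssid-profile guest
  security-profile guest
 vap-profile name employee
  service-vlan vlan-id 100
  security-profile employee
"""

def audit_ac_config(text):
    """Return findings (list of str) for a VRP-style AC configuration."""
    mgmt_vlan, policies, vaps, kind, name = None, {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()          # drop trailing // comments
        if m := re.fullmatch(r"capwap source interface vlanif(\d+)", line, re.I):
            mgmt_vlan = int(m.group(1))            # management VLAN of the AC
        elif m := re.fullmatch(r"([a-z-]+) name (\S+)", line):
            kind, name = m.groups()                # entering a named view
            if kind == "vap-profile":
                vaps[name] = {}
        elif kind == "security-profile" and (m := re.match(r"security (\S+)", line)):
            policies[name] = m.group(1)            # wep, wpa2, ...
        elif kind == "vap-profile":
            if m := re.fullmatch(r"service-vlan vlan-id (\d+)", line):
                vaps[name]["vlan"] = int(m.group(1))
            elif m := re.fullmatch(r"security-profile (\S+)", line):
                vaps[name]["sec"] = m.group(1)     # bound security profile
    findings = []
    for vap, cfg in vaps.items():
        if policies.get(cfg.get("sec")) == "wep":
            findings.append(f"vap-profile {vap}: security-profile {cfg['sec']} uses WEP")
        if mgmt_vlan is not None and cfg.get("vlan") == mgmt_vlan:
            findings.append(f"vap-profile {vap}: service VLAN {mgmt_vlan} is the management VLAN")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ac_config(SAMPLE_AC_CONFIG)))
```

Run against a saved configuration, the function returns an empty list when every VAP profile uses a non-WEP security profile and a service VLAN distinct from the CAPWAP source VLAN.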