江蘇
愛快+華三設備跨三層管理AP、多SSID綁定VLAN及guest內(nèi)網(wǎng)隔離配置指南
本次客戶需求:有線網(wǎng)絡劃分若干VLAN,分別用于辦公、門禁監(jiān)控等,無線網(wǎng)絡也要分為辦公Wifi和訪客Wifi,且訪客Wifi禁止訪問任何的內(nèi)網(wǎng)資源。
先明確核心設備及網(wǎng)絡拓撲:
三條2000M寬帶+一條100M專線接入愛快路由器2.5G電口;華三三層交換機萬兆光口上聯(lián)愛快,23和24口端口聚合后,下聯(lián)華三可網(wǎng)管POE交換機,此交換機上僅連接愛快無線AP,所有監(jiān)控攝像機接在原有的舊的華三POE交換機上。
前置規(guī)劃準備:無線AP安裝就位,所有設備上電,web登錄愛快路由器,配置4個WAN接口,分別輸入三條2000M寬帶的賬號、密碼,還有一條專線的IP地址;配置萬兆Lan接口IP:192.168.101.2/30。
一、基礎規(guī)劃
磨刀不誤砍柴功,先定義一下各VLAN及接口對應關系,后續(xù)所有配置圍繞此規(guī)劃展開,核心規(guī)劃如下:
? 根據(jù)客戶現(xiàn)有狀況,有線網(wǎng)絡劃分三個VLAN:分別是VLAN10,VLAN2,VLAN30,分別代表了192.168.10.0/24,192.168.20.0/24,192.168.30.0/24。
? 辦公SSID:SSID名稱“Office”,綁定VLAN50,網(wǎng)段192.168.50.0/24,網(wǎng)關192.168.50.1,可正常訪問內(nèi)網(wǎng)及外網(wǎng)。
? 訪客SSID:SSID名稱“Guest”,綁定VLAN60,網(wǎng)段192.168.60.0/24,網(wǎng)關192.168.60.1(愛快路由器VLAN20接口IP),僅允許訪問外網(wǎng),禁止訪問內(nèi)網(wǎng)。
? AP需要一個單獨的管理VLAN:VLAN51,網(wǎng)段192.168.51.0/24,網(wǎng)關192.168.51.1,用于跨三層傳遞AP管理數(shù)據(jù),所有AP需獲取此網(wǎng)段IP,被愛快AC識別管理。
? 接口規(guī)劃:愛快路由器LAN1→三層交換機上行口(如GigabitEthernet1/0/28);三層交換機下行口(如GigabitEthernet0/0/23、24聚合)→POE交換機上行口(如GigabitEthernet0/0/15、16聚合);POE交換機PoE口(如GigabitEthernet1/0/1~1/0/8)→愛快AP。
二、華三三層交換機配置:VLAN、Trunk、路由、跨三層轉(zhuǎn)發(fā)
華三三層交換機承擔VLAN轉(zhuǎn)發(fā)、跨三層路由的功能,需確保AP管理VLAN、辦公VLAN、訪客VLAN的數(shù)據(jù)包能在三層交換機與愛快路由器之間正常轉(zhuǎn)發(fā),同時實現(xiàn)AP跨三層被AC管理。
(一)創(chuàng)建VLAN
直接舉例說明:
vlan 50
des wifi
Vlan 51
des AP-Manage
(二)配置DHCP服務
直接舉例說明:
dhcp server ip-pool wifi
gateway-list 192.168.50.1
network 192.168.50.0 mask 255.255.255.0
dns-list 61.177.7.1 114.114.114.114
forbidden-ip 192.168.50.1 192.168.50.10
forbidden-ip 192.168.50.231 192.168.50.254
dhcp server ip-pool AP-Manage
gateway-list 192.168.51.1
network 192.168.51.0 mask 255.255.255.0
dns-list 61.177.7.1 114.114.114.114
forbidden-ip 192.168.51.1
forbidden-ip 192.168.51.10
forbidden-ip 192.168.51.231
forbidden-ip 192.168.51.254
option 43 hex 0104c0a86502
Option 43配置項是跨三層管理AP的重點,0104是固定值,后面是192.168.101.2(愛快路由器Lan口IP)換算成十六進制得來的。
(三)配置VLAN接口IP
interface Vlan-interface50
ip address 192.168.50.1 255.255.255.0
dhcp server apply ip-pool wifi
interface Vlan-interface51
description AP-Manage
ip address 192.168.51.1 255.255.255.0
dhcp server apply ip-pool ap-manage
interface Vlan-interface101
ip address 192.168.101.1 255.255.255.0
(四)配置交換機端口
interface GigabitEthernet1/0/17
description to_tpsf1024s
port access vlan 20
dhcp snooping trust
interface GigabitEthernet1/0/18
description to_h3c_1224r
port access vlan 20
dhcp snooping trust
interface GigabitEthernet1/0/19
description to_poe—eru1_24
port link-type trunk
port trunk permit vlan all
dhcp snooping trust
interface GigabitEthernet1/0/20
description to_jieru2_24
port link-type trunk
port trunk permit vlan all
dhcp snooping trust
interface GigabitEthernet1/0/21
description to_pojieru3_24
port link-type trunk
port trunk permit vlan all
dhcp snooping trust
interface GigabitEthernet1/0/22
description to_poe_jiankong_24
port link-type trunk
port trunk permit vlan all
dhcp snooping trust
interface GigabitEthernet1/0/23
description TO_POE_Port15
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
interface GigabitEthernet1/0/24
description TO_POE_Port16
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
注意:GigabitEthernet1/0/23和24配置了聚合,連接到無線AP的POE交換機,提高數(shù)據(jù)傳輸效率。前提是先要創(chuàng)建聚合,命令如下:
interface Bridge-Aggregation1
description to_poe
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
dhcp snooping trust
(五)默認路由
ip route-static 0.0.0.0 0 192.168.101.2
(六)配置ACL,禁止訪客WIFI訪問內(nèi)網(wǎng)
acl number 3001
rule 5 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 15 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 20 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 25 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 30 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 35 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 40 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.51.0 0.0.0.255
三、華三可網(wǎng)管POE交換機配置
主要配置如下:
vlan 60
description wifi-guest
stp mode rstp
stp global enable
interface Bridge-Aggregation1
description to_xe
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
dhcp snooping trust
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 51
poe enable
interface GigabitEthernet1/0/15
description TO_CORE_Port23
port link-type trunk
port trunk permit vlan all
poe enable
port link-aggregation group 1
interface GigabitEthernet1/0/16
description TO_CORE_Port24
port link-type trunk
port trunk permit vlan all
poe enable
port link-aggregation group 1
五、配置WIFI
WIFI的配置步驟如下:
(一)AP上線
1. 登錄愛快路由器【AC管理】→【無線概況】,打開AC智能控制開關;
2. 點擊AP列表,一兩分鐘后,所有AP上線,如果5分鐘還沒上線,就重啟一下POE交換機,如果重啟還不行,那就是無線AP的DHCP配置中option 43配置有誤,需要檢查修復;
3. 點AP分組,把所有上線的AP加入到同一個組。
(二)SSID與VLAN綁定驗證
1. 分別Office-WiFi和Guest-WiFi,并綁定到不同的VLAN;
2. 根據(jù)客戶要求,對Guest限速;
3. 驗證VLAN隔離:筆記本電腦連接Guest-WiFi,測試無法訪問其他幾個VLAN,說明VLAN綁定及隔離成功。
六、下期預告:
異地訪問NAS卡頓為哪般?三地局域網(wǎng)互聯(lián),實現(xiàn)異地設備的互聯(lián)互訪。
特別聲明:以上內(nèi)容(如有圖片或視頻亦包括在內(nèi))為自媒體平臺“網(wǎng)易號”用戶上傳并發(fā)布,本平臺僅提供信息存儲服務。
Notice: The content above (including the pictures and videos if any) is uploaded and posted by a user of NetEase Hao, which is a social media platform and only provides information storage services.
