Configuring WIDS and WIPS on Huawei Wireless Devices

 


1. Configure LSW and the AC so that CAPWAP packets can be transmitted between the APs and the AC

[LSW1]vlan batch 100

[LSW1-GigabitEthernet0/0/1]port link-type trunk  

[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

[LSW1-GigabitEthernet0/0/2]port link-type trunk          

[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 100

[LSW1-GigabitEthernet0/0/2]port trunk pvid vlan 100

[LSW1-GigabitEthernet0/0/3]port link-type trunk          

[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100

[LSW1-GigabitEthernet0/0/3]port trunk pvid vlan 100

[AC1]vlan batch 100 101

[AC1-GigabitEthernet0/0/1]port link-type trunk          

[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

2. Configure the AC to communicate with the upstream network device

[AC1-GigabitEthernet0/0/2]port link-type trunk  

[AC1-GigabitEthernet0/0/2]port trunk allow-pass vlan 101

3. Configure the AC as a DHCP server to assign IP addresses to STAs and APs

[AC1]dhcp enable  

[AC1-Vlanif100]ip add 10.1.100.1 24

[AC1-Vlanif100]dhcp select interface  

[AC1-Vlanif101]ip add 10.1.101.1 24  

[AC1-Vlanif101]dhcp select interface

4. Bring the APs online

[AC1]wlan

Create the AP groups

[AC1-wlan-view]ap-group name ap-group1  

[AC1-wlan-view]ap-group name ap-group2

Create a regulatory domain profile, configure the AC's country code in it, and reference the profile from the AP groups

[AC1-wlan-view]regulatory-domain-profile name domain1  

[AC1-wlan-regulate-domain-domain1]country-code cn

[AC1-wlan-view]ap-group name ap-group1                

[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1

[AC1-wlan-view]ap-group name ap-group2          

[AC1-wlan-ap-group-ap-group2]regulatory-domain-profile domain1

Configure the AC's source interface

[AC1]capwap source interface Vlanif 100

Import the APs offline on the AC, and add AP1 and AP3 to AP groups

[AC1]wlan

[AC1-wlan-view]ap auth-mode mac-auth  

[AC1-wlan-view]ap-id 0 ap-mac 00e0-fc44-4f80

[AC1-wlan-ap-0]ap-name ap1

[AC1-wlan-ap-0]ap-group ap-group1

[AC1-wlan-view]ap-id 1 ap-mac 00e0-fce2-57f0

[AC1-wlan-ap-1]ap-name ap3  

[AC1-wlan-ap-1]ap-group ap-group2

 


5. Configure WLAN service parameters

Create a security profile and configure the security policy

[AC1-wlan-view]security-profile name wlan-security

[AC1-wlan-sec-prof-wlan-security]security wpa2 psk pass-phrase abc@1234 aes

Create an SSID profile and configure the SSID name

[AC1-wlan-view]ssid-profile name wlan-ssid

[AC1-wlan-ssid-prof-wlan-ssid]ssid wlan-net

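Create a VAP profile named "wlan-vap1", configure the service data forwarding mode and the service VLAN, and reference the security profile and the SSID profile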

[AC1-wlan-view]vap-profile name wlan-vap1

[AC1-wlan-vap-prof-wlan-vap1]forward-mode tunnel  

[AC1-wlan-vap-prof-wlan-vap1]service-vlan vlan-id 101

[AC1-wlan-vap-prof-wlan-vap1]security-profile wlan-security

[AC1-wlan-vap-prof-wlan-vap1]ssid-profile wlan-ssid

Create a VAP profile named "wlan-vap2" and reference the SSID profile

[AC1-wlan-view]vap-profile name wlan-vap2    

[AC1-wlan-vap-prof-wlan-vap2]ssid-profile wlan-ssid

Configure the AP groups to reference the VAP profiles

[AC1-wlan-view]ap-group name ap-group1

[AC1-wlan-ap-group-ap-group1]vap-profile wlan-vap1 wlan 1 radio 0

[AC1-wlan-ap-group-ap-group1]vap-profile wlan-vap1 wlan 1 radio 1

[AC1-wlan-view]ap-group name ap-group2              

[AC1-wlan-ap-group-ap-group2]vap-profile wlan-vap2 wlan 2 radio 0

[AC1-wlan-ap-group-ap-group2]vap-profile wlan-vap2 wlan 2 radio 1

6. Configure radio 0 of AP3 to work in monitor mode

[AC1-wlan-ap-group-ap-group2]radio 0

[AC1-wlan-group-radio-ap-group2/0]work-mode monitor

7. Configure the WIDS and WIPS functions

Enable device detection and rogue device containment

[AC1-wlan-group-radio-ap-group2/0]wids device detect enable  

[AC1-wlan-group-radio-ap-group2/0]wids contain enable

Create a WIDS profile and set the containment mode to contain rogue AP devices

[AC1-wlan-view]wids-profile name wlan-wids

[AC1-wlan-wids-prof-wlan-wids]contain-mode spoof-ssid-ap

8. Configure AP group "ap-group2" to reference the WIDS profile

[AC1-wlan-view]ap-group name ap-group2              

[AC1-wlan-ap-group-ap-group2]wids-profile wlan-wids
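
The dependency chain of steps 6 to 8, as an added example that is not part of the original post: a Python check over a session in the `[prompt]command` form used above, reporting radios where containment is enabled without device detection, without a WIDS profile referenced by the AP group, or without a contain-mode in that profile. The sample session is constructed from this page's commands, and the rule that these settings belong together is an assumption drawn from the steps here, not from Huawei's documentation.

```python
import re

# Constructed sample: the WIDS-related lines of this page's session.
# Assumption: the view name inside [...] identifies where each command applies.
SESSION = """\
[AC1-wlan-group-radio-ap-group2/0]work-mode monitor
[AC1-wlan-group-radio-ap-group2/0]wids device detect enable
[AC1-wlan-group-radio-ap-group2/0]wids contain enable
[AC1-wlan-view]wids-profile name wlan-wids
[AC1-wlan-wids-prof-wlan-wids]contain-mode spoof-ssid-ap
[AC1-wlan-view]ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2]wids-profile wlan-wids
"""

LINE = re.compile(r"^\[(?P<view>[^\]]+)\](?P<cmd>.*)$")
RADIO = re.compile(r"-wlan-group-radio-(?P<group>.+)/(?P<radio>\d+)$")
GROUP = re.compile(r"-wlan-ap-group-(?P<group>.+)$")
PROFILE = re.compile(r"-wlan-wids-prof-(?P<name>.+)$")

def parse(session):
    radios, group_profile, contain_mode = {}, {}, {}
    for raw in session.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        view, cmd = m["view"], " ".join(m["cmd"].split())  # normalise spacing
        if r := RADIO.search(view):
            radios.setdefault((r["group"], int(r["radio"])), set()).add(cmd)
        elif (g := GROUP.search(view)) and cmd.startswith("wids-profile "):
            group_profile[g["group"]] = cmd.split()[1]
        elif (p := PROFILE.search(view)) and cmd.startswith("contain-mode "):
            contain_mode[p["name"]] = cmd.split()[1]
    return radios, group_profile, contain_mode

def audit(session):
    radios, group_profile, contain_mode = parse(session)
    findings = []
    for (group, radio), cmds in sorted(radios.items()):
        if "wids contain enable" not in cmds:
            continue  # only radios that are asked to contain are checked
        where = f"{group} radio {radio}"
        if "wids device detect enable" not in cmds:
            findings.append(f"{where}: containment enabled without device detection")
        profile = group_profile.get(group)
        if profile is None:
            findings.append(f"{where}: AP group references no WIDS profile")
        elif profile not in contain_mode:
            findings.append(f"{where}: WIDS profile {profile} sets no contain-mode")
    return findings
```

`audit(SESSION)` returns an empty list for the configuration on this page; removing any one of the lines from steps 7 and 8 produces a finding naming the AP group and radio.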
