Bypass-mode (off-path AC) Layer 3 networking: multi-SSID WAP security deployment

雨鸣静声 2022-04-13
Network security

Note down the AP MAC addresses:

00e0-fc0d-3ee0
00e0-fcfd-5640

[s5700]vlan 88
[s5700-vlan88]int g0/0/2
[s5700-GigabitEthernet0/0/2]port link-type access
[s5700-GigabitEthernet0/0/2]port default vlan 88
[s5700]int vlan 88
[s5700-Vlanif88]ip add 192.168.88.1 24

[s5700]vlan 100
[s5700]int g0/0/1
[s5700-GigabitEthernet0/0/1]port link-type trunk
[s5700-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[s5700-GigabitEthernet0/0/1]q

[s5700]dhcp enable

[s5700]ip pool vlan100pool
[s5700-ip-pool-vlan100pool]network 10.1.100.0 mask 24
[s5700-ip-pool-vlan100pool]gateway-list 10.1.100.1
[s5700-ip-pool-vlan100pool]excluded-ip-address 10.1.100.2 10.1.100.10
[s5700-ip-pool-vlan100pool]option 43 sub-option 2 ip-address 192.168.88.2
[s5700]int vlan 100
[s5700-Vlanif100]ip add 10.1.100.1 24
[s5700-Vlanif100]dhcp select global

[s5700]vlan batch 101 102
[s5700]ip pool vlan101pool
[s5700-ip-pool-vlan101pool]network 10.1.101.0 mask 24
[s5700-ip-pool-vlan101pool]gateway-list 10.1.101.1
[s5700-ip-pool-vlan101pool]excluded-ip-address 10.1.101.2 10.1.101.10

[s5700]ip pool vlan102pool
[s5700-ip-pool-vlan102pool]network 10.1.102.0 mask 24
[s5700-ip-pool-vlan102pool]gateway-list 10.1.102.1
[s5700-ip-pool-vlan102pool]excluded-ip-address 10.1.102.2 10.1.102.10
[s5700-ip-pool-vlan102pool]q

[s5700]int vlan 101
[s5700-Vlanif101]ip add 10.1.101.1 24
[s5700-Vlanif101]dhcp select global

[s5700]int vlan 102
[s5700-Vlanif102]ip add 10.1.102.1 24
[s5700-Vlanif102]dhcp select global

[s3700]vlan 100
[s3700-vlan100]q
[s3700]int e0/0/1
[s3700-Ethernet0/0/1]port link-type trunk
[s3700-Ethernet0/0/1]port trunk pvid vlan 100
[s3700-Ethernet0/0/1]port trunk allow-pass vlan all
[s3700-Ethernet0/0/1]q
[s3700]int e0/0/2
[s3700-Ethernet0/0/2]port link-type trunk
[s3700-Ethernet0/0/2]port trunk pvid vlan 100
[s3700-Ethernet0/0/2]port trunk allow-pass vlan all

[s3700]int g0/0/1
[s3700-GigabitEthernet0/0/1]port link-type trunk
[s3700-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[s3700]vlan batch 101 102

[AC6005]vlan 88
[AC6005-vlan88]q
[AC6005]int g0/0/1
[AC6005-GigabitEthernet0/0/1]port link-type access
[AC6005-GigabitEthernet0/0/1]port default vlan 88
[AC6005-GigabitEthernet0/0/1]q
[AC6005]int vlan88
[AC6005-Vlanif88]ip add 192.168.88.2 24
[AC6005-Vlanif88]q
[AC6005]ip route-static 0.0.0.0 0.0.0.0 192.168.88.1

Bringing the APs online

[AC6005]wlan
[AC6005-wlan-view]regulatory-domain-profile name domain1
[AC6005-wlan-regulate-domain-domain1]country-code cn
[AC6005-wlan-view]ap-group name ap-group1
[AC6005-wlan-ap-group-ap-group1]regulatory-domain-profile domain1

CAPWAP tunnel
[AC6005]capwap source interface vlanif 88

AP onboarding authentication: MAC authentication

[AC6005]wlan
[AC6005-wlan-view]ap auth-mode mac-auth
[AC6005-wlan-view]ap-mac 00e0-fc0d-3ee0 ap-id 0
[AC6005-wlan-ap-0]ap-group ap-group1

[AC6005-wlan-view]ap-mac 00e0-fcfd-5640 ap-id 1
[AC6005-wlan-ap-1]ap-group ap-group1

Create a security profile to push down to the APs

[AC6005]wlan
[AC6005-wlan-view]security-profile name security-1
[AC6005-wlan-sec-prof-security-1]security wpa psk pass-phrase lovehuawei aes

Configure the SSID profiles

[AC6005]wlan
[AC6005-wlan-view]ssid-profile name ssid-1
[AC6005-wlan-ssid-prof-ssid-1]ssid huawei-guest

[AC6005-wlan-view]ssid-profile name ssid-2
[AC6005-wlan-ssid-prof-ssid-2]ssid huawei-office

Configure the VAP profiles

[AC6005]wlan
[AC6005-wlan-view]vap-profile name huawei-vap-guest
[AC6005-wlan-vap-prof-huawei-vap-guest]forward-mode direct-forward
[AC6005-wlan-vap-prof-huawei-vap-guest]service-vlan vlan-id 101
[AC6005-wlan-vap-prof-huawei-vap-guest]security-profile security-1
[AC6005-wlan-vap-prof-huawei-vap-guest]ssid-profile ssid-1

[AC6005-wlan-view]vap-profile name huawei-vap-office
[AC6005-wlan-vap-prof-huawei-vap-office]forward-mode direct-forward
[AC6005-wlan-vap-prof-huawei-vap-office]service-vlan vlan-id 102
[AC6005-wlan-vap-prof-huawei-vap-office]security-profile security-1
[AC6005-wlan-vap-prof-huawei-vap-office]ssid-profile ssid-2

Bind the VAP profiles to the AP group to push them down

[AC6005]wlan
[AC6005-wlan-view]ap-group name ap-group1
[AC6005-wlan-ap-group-ap-group1]vap-profile huawei-vap-guest wlan 1 radio all
[AC6005-wlan-ap-group-ap-group1]vap-profile huawei-vap-office wlan 2 radio all
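
A check over the sessions above, added here as an example (not part of the original post): it parses VRP prompt lines and flags trunks that pass every VLAN, and VAP profiles on different service VLANs that reference one security profile and therefore share one PSK. The function name `audit` and the finding labels are made up for this example; the sample input is constructed from commands on this page.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the S5700, S3700 and AC6005 sessions on this page.
SESSION = """\
[s5700-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[s3700-Ethernet0/0/1]port trunk allow-pass vlan all
[AC6005-wlan-view]vap-profile name huawei-vap-guest
[AC6005-wlan-vap-prof-huawei-vap-guest]service-vlan vlan-id 101
[AC6005-wlan-vap-prof-huawei-vap-guest]security-profile security-1
[AC6005-wlan-vap-prof-huawei-vap-guest]ssid-profile ssid-1
[AC6005-wlan-view]vap-profile name huawei-vap-office
[AC6005-wlan-vap-prof-huawei-vap-office]service-vlan vlan-id 102
[AC6005-wlan-vap-prof-huawei-vap-office]security-profile security-1
[AC6005-wlan-vap-prof-huawei-vap-office]ssid-profile ssid-2
"""

PROMPT = re.compile(r"^\[([^\]]+)\]\s*(\S.*)$")  # "[view]command"

def audit(session):
    """Return findings as (kind, where) tuples for a VRP session transcript."""
    vaps = defaultdict(dict)  # VAP profile name -> {first keyword: last word}
    findings = []
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        view, words = m.group(1), m.group(2).split()
        if words == ["port", "trunk", "allow-pass", "vlan", "all"]:
            findings.append(("trunk-all-vlans", view))
        vap = re.search(r"-wlan-vap-prof-(.+)$", view)
        if vap and len(words) >= 2:
            vaps[vap.group(1)][words[0]] = words[-1]
    # One security profile holds one pass-phrase, so VAPs that share it share the PSK.
    by_sec = defaultdict(list)
    for name, cfg in vaps.items():
        if "security-profile" in cfg:
            by_sec[cfg["security-profile"]].append(name)
    for sec, names in by_sec.items():
        vlans = {vaps[n].get("service-vlan") for n in names}
        if len(vlans) > 1:
            findings.append(("shared-psk", f"{sec}: {', '.join(sorted(names))}"))
    return findings

if __name__ == "__main__":
    for kind, where in audit(SESSION):
        print(kind, where)
```
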
