H3C開(kāi)局AC配置指導(dǎo)課件

1、行號(hào)配置解釋備注1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331

2、341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332

3、342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333

4、34335336337338339340341342343344345346347348349350351<UBJZO-MB-WLAN-AC21-01>dis cur# version 5.20, Release 2308# sysname UBJZO-MB-WLAN-AC21-01# clock timezone GMT add 08:00:00# super password level 3 cipher X7A'-%9#+WZ/3:L02.;!Q!# nas device-id 1# domain default enable cmcc# telnet server

5、enable# user-isolation vlan 1101 enable user-isolation vlan 1101 permit-mac 0000-5e00-0102 user-isolation vlan 1801 enable user-isolation vlan 1801 permit-mac 0000-5e00-0103# port-security enable# dhbk enable backup-type symmetric-path dhbk vlan 4001 # portal server cmcc-edu ip 0 url ht

6、tp:/0:8080/portal/ server-type cmcc portal server cmcc ip 40 url 40:7080/index.php server-type cmcc portal free-rule 1 source any destination ip 0 mask 55 portal free-rule 2 source any destination ip 07 mask 5

7、5 portal free-rule 3 source any destination ip mask 55 portal free-rule 4 source any destination ip mask 55 portal free-rule 5 source ip mask 55 destination any portal free-rule 7 source any destination ip mask 255.2

8、55.255.255 portal free-rule 8 source any destination ip mask 55 portal free-rule 9 source ip mask 55 destination any portal free-rule 11 source interface Bridge-Aggregation1 destination any portal free-rule 15 source any destination ip 5

9、mask 55 portal free-rule 16 source any destination ip 00 mask 55 portal free-rule 19 source any destination ip 42 mask 55 portal free-rule 20 source any destination ip 17 mask 55 portal free-rule 21 source any des

10、tination ip 40 mask 55 portal device-id 0061.0716.270.00# hot-backup enable domain 1 hot-backup vlan 4001# wlan capture file-name SnifferRecord#vlan 1#vlan 160#vlan 164 to 166#vlan 1101 description UserClient_CMCC#vlan 1801 description UserClient_CMCC-EDU#vlan 4000 descriptio

11、n Mgmt-with-IpAddress#vlan 4001 description hot-backup-vlan#vlan 4002 description DHBK-VLAN#radius scheme cmcc server-type extended primary authentication 38 1645 primary accounting 38 1646 key authentication cipher abQuGU4cQTpZL8rzyG52eg= key accounting cipher abQuGU4cQTpZL8rz

12、yG52eg= user-name-format keep-original nas-ip 8 retry stop-accounting 10radius scheme hubei server-type extended primary authentication primary accounting key authentication cipher BaZ+2npa/d8fuhywwHL0Kw= key accounting cipher BaZ+2npa/d8fuhywwHL0Kw= nas-ip 21

13、8 retry stop-accounting 10#domain cmcc authentication portal radius-scheme cmcc authorization portal radius-scheme cmcc accounting portal radius-scheme cmcc access-limit disable state active idle-cut enable 15 10000 self-service-url disabledomain edu authentication portal radius-scheme hub

14、ei authorization portal radius-scheme hubei accounting portal radius-scheme hubei access-limit disable state active idle-cut enable 15 10000 self-service-url disabledomain system access-limit disable state active idle-cut disable self-service-url disable#dhcp server ip-pool ap_dhcp_server-1 network

15、 mask #dhcp server ip-pool ap_dhcp_server-2 network mask #dhcp server ip-pool ap_dhcp_server-3 network mask #dhcp server ip-pool userclent_dhcp_server-cmcc network mask gateway-list dns-l

16、ist 0 07 expired day 0 hour 1#dhcp server ip-pool userclient_dhcp_server-cmcc-edu network mask gateway-list dns-list 0 07 expired day 0 hour 1#user-group system group-attribute allow-guest#local-user jzyd password

17、simple JZyd123! authorization-attribute level 3 service-type ssh telnet service-type web#wlan rrm dot11a mandatory-rate 6 12 24 dot11a supported-rate 9 18 36 48 54 dot11b mandatory-rate 1 2 dot11b supported-rate 5.5 11 dot11g mandatory-rate 1 2 5.5 11 dot11g supported-rate 6 9 12 18 24 36 48 54#wlan

18、 service-template 1 clear ssid CMCC bind WLAN-ESS 1 service-template enable#wlan service-template 2 clear ssid CMCC-EDU bind WLAN-ESS 2 service-template enable#interface Bridge-Aggregation1 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 160 164 to 166 1101 1801 4000 to 400

19、1 stp disable#interface NULL0#interface Vlan-interface160 ip address 6 48 vrrp vrid 1 virtual-ip 8 vrrp vrid 1 priority 110 vrrp vrid 1 track 1#interface Vlan-interface164 description Gateway_of_ap-group-1 ip address #interface Vlan-inte

20、rface165 description Gateway_of_ap-group-2 ip address #interface Vlan-interface166 description Gateway_of_ap-group-3 ip address # interface Vlan-interface1101 description GateWay_of_CMCC ip address vrrp vrid 2 virtual-ip 10

21、.104.0.1 vrrp vrid 2 priority 110 vrrp vrid 2 track 1 reduced 20 portal server cmcc method direct portal nas-port-type wireless portal backup-group 1 portal nas-ip 8 access-user detect type arp retransmit 5 interval 10#interface Vlan-interface1801 description GateWay_of_CMCC-EDU ip addre

22、ss vrrp vrid 3 virtual-ip vrrp vrid 3 priority 110 vrrp vrid 3 track 1 reduced 20 portal nas-port-type wireless portal backup-group 2 portal nas-ip 8 access-user detect type arp retransmit 5 interval 10# interface Vlan-interface4000 ip address 192.16

23、8.100.1 #interface M-GigabitEthernet1/0/0 description MGMT ip address 54 48#interface Ten-GigabitEthernet1/0/1 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 160 164 to 166 1101 1801 4000 to 4001 port link-aggregation group 1#interface

24、Ten-GigabitEthernet1/0/2 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 160 164 to 166 1101 1801 4000 to 4001 port link-aggregation group 1#interface WLAN-ESS1 port access vlan 1101#interface WLAN-ESS2 port access vlan 1801#nqa entry wlan cmcc type icmp-echo destination ip

25、 5 frequency 2000 reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trap-only source ip 6#wlan ap test model WA2100 id 1 priority level 7 serial-id 210235A22WC07B000009 backup-ac ip radio 1 service-template 1 nas-id 3700071627000460 s

26、ervice-template 2 nas-id 3700071627000460 radio enable# dhcp-snooping# ip route-static 5# info-center logfile frequency 3600 info-center logfile size-quota 10# snmp-agent snmp-agent local-engineid 800063A203C4CAD9308D94 snmp-agent community read sbzg_)(321 snmp-agent comm

27、unity write yxzl_)(123 snmp-agent sys-info version all snmp-agent target-host trap address udp-domain 20 params securityname public# track 1 nqa entry wlan cmcc reaction 1# dhcp server forbidden-ip dhcp server forbidden-ip dhcp server forbidden-ip

28、dhcp server forbidden-ip dhcp server forbidden-ip dhcp server forbidden-ip dhcp server forbidden-ip dhcp server forbidden-ip dhcp server forbidden-ip dhcp server forbidden-ip dhcp server forbidden-ip dhcp

29、server forbidden-ip # dhcp enable# nqa schedule wlan cmcc start-time now lifetime forever# ntp-service source-interface Vlan-interface160 ntp-service unicast-server 8 ntp-service unicast-server 5 ntp-service unicast-server 00 ntp-service unicast-server 6

30、4# ssh server enable# load xml-configuration#user-interface con 0user-interface aux 0 authentication-mode none user privilege level 3user-interface vty 0 4 authentication-mode scheme user privilege level 3#return系統(tǒng)名稱,根據(jù)規(guī)劃配置時(shí)區(qū)及時(shí)間配置超級(jí)密碼配置主AC的device-id配為1，備用配為2默認(rèn)認(rèn)證域，配置為cmcc開(kāi)啟telnet服務(wù)器端，便于遠(yuǎn)程登錄

31、開(kāi)啟VLAN 1101的用戶隔離允許所有的用戶與網(wǎng)關(guān)通信，該MAC地址為CMCC或者CMCC-EDU網(wǎng)關(guān)接口的VRRP組MAC。開(kāi)啟主備AC之間的DHCP地址池備份，不同AC板卡的主備需要采用不同的VLAN，以防止廣播風(fēng)暴。例如第二塊板卡的dhbk vlan為4002Cmcc-edu的portal server地址，該處全省配置都一樣，不用更改，注意server-type配置為cmcc（默認(rèn)type為imc）Cmcc的portal server地址，該處配置全省一樣，不用更改。免認(rèn)證名單，該處配置全省一樣，不用更改。免認(rèn)證名單，該處配置全省一樣，不用更改。免認(rèn)證名單，IP地址需要變更，變成主備

32、AC之間所屬CMCC認(rèn)證接口的VRRP虛地址。免認(rèn)證名單，IP地址需要變更，變成主AC所屬CMCCEDU認(rèn)證接口地址。免認(rèn)證名單，IP地址需要變更，變成備AC所屬CMCC認(rèn)證接口地址。免認(rèn)證名單，IP地址需要變更，變成主備AC之間所屬CMCC認(rèn)證接口的VRRP虛地址。免認(rèn)證名單，IP地址需要變更，變成主AC所屬CMCC認(rèn)證接口地址。免認(rèn)證名單，IP地址需要變更，變成主AC所屬CMCC認(rèn)證接口地址。允許AC內(nèi)聯(lián)接口免認(rèn)證免認(rèn)證名單，該處配置全省一樣，不用更改。免認(rèn)證名單，該處配置全省一樣，不用更改。免認(rèn)證名單，該處配置全省一樣，不用更改。免認(rèn)證名單，該處配置全省一樣，不用更改。免認(rèn)證名單，該處配

33、置全省一樣，不用更改。配置portal device-id,按照規(guī)劃統(tǒng)一配置，主備AC相同，不同AC不同。主備AC之間的熱備，不同AC之間熱備 域應(yīng)配置為不同。AC的上行接口VLAN，按照規(guī)劃配置即可AP的通道VLAN，按照規(guī)劃配置CMCC用戶網(wǎng)關(guān)VLANCMCC-EDU用戶網(wǎng)關(guān)VLAN帶地址的管理VLAN，用于AC及交換板之間通信，不透?jìng)鞯酵饩W(wǎng)主備AC之間熱備VLANDHCP server之間的熱備VLANCMCC RADIUS配置，除nas-ip地址變更為AC與上行設(shè)備互聯(lián)的VRRP虛擬地址之外，其他不做變更。Cmcc認(rèn)證接入密碼為：88-89Cmcc計(jì)費(fèi)接入密碼為：88-89除nas-i

34、p地址變更為AC與上行設(shè)備互聯(lián)的VRRP虛擬地址之外CMCC-EDU RADIUS配置，除nas-ip地址變更為AC與上行設(shè)備互聯(lián)的VRRP虛擬地址之外，其他不做變更。CMCC-EDU認(rèn)證接入密碼為：Ha2f%c6*lCMCC-EDU計(jì)費(fèi)接入密碼為：Ha2f%c6*lNAS-IP與CMCC配置相同CMCC認(rèn)證域，用于綁定CMMC的RADIUS配置，開(kāi)局不用變動(dòng)。CMCC-EDU認(rèn)證域，用于綁定CMCC-EDU與RADUIS配置，開(kāi)局不做變動(dòng)。AP的第一個(gè)地址池，按照規(guī)劃配置即可AP的第二個(gè)地址池，按照規(guī)劃配置即可AP的第三個(gè)地址池，按照規(guī)劃配置即可CMCC用戶的地址池，按照規(guī)劃配置即可CMCC-EDU用戶地址池，按照規(guī)劃配置即可創(chuàng)建本地用戶用戶的授權(quán)級(jí)別，3為最大服務(wù)類型為