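Lab Background
The number of wireless terminals on the enterprise intranet keeps growing. To keep the wireless service stable, you, as the network engineer, decide to purchase a new AC (AC2) and have it form an HSB backup group with the existing AC (AC1). Combined with a VRRP backup group, this gives dual-AC hot standby and improves the reliability of the wireless network.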
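Network Overview
- The devices are connected as shown in the figure. AC1 and AC2 form an HSB backup group and use VRRP hot standby as the AC backup technology. AP1 and AP2 are managed by AC1 and AC2 (active/standby mode), and all APs use direct forwarding mode.
- Switch S4 transparently forwards AP2's packets at Layer 2. S3 is the gateway for the AP management addresses and the terminal service addresses.
- S3 enables the DHCP service to assign management addresses to AP1 and AP2 and service addresses to wireless terminals. The APs obtain the AC address (the VRRP virtual IP address) from Option 43 in the DHCP messages.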
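Data plan:
Item | Parameter |
AP management VLAN | VLAN10 |
STA service VLAN | VLAN11 |
DHCP server | S3 acts as the DHCP server and assigns IP addresses to APs; S3 acts as the DHCP server and assigns IP addresses to STAs |
AP IP address pool | 10.0.10.0/24 |
STA IP address pool | 10.0.11.0/24 |
AC source interface IP address | 10.0.100.254 (VRRP virtual address) |
AP group | Name: depart; Referenced profile: VAP profile depart |
Regulatory domain profile | Name: default; Country code: China (CN) |
SSID profile | Name: depart; SSID name: HSB |
Security profile | Name: depart; Security policy: WPA2+PSK+AES; Password: a1234567 |
VAP profile | Name: depart; Forwarding mode: direct forwarding; Service VLAN: VLAN11; Referenced profiles: SSID profile depart, security profile depart |
VRRP backup group | VRRP group ID: 1; Virtual IP address: 10.0.100.254 |
HSB | AC1 active/standby channel IP address and port: 10.0.100.1, 10241; AC2 active/standby channel IP address and port: 10.0.100.2, 10241 |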
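Configuration roadmap:
- Configure the wired-side functions
- S3 is the gateway for AP management traffic and wireless terminal service traffic
- AC1 and AC2 use VLANIF100 for Layer 3 communication with VLANIF100 on S3
- Configure the WLAN services on AC1 and AC2. Do not configure the CAPWAP source address at this point; configure it after HSB and VRRP have been configured
- Configure hot standby on AC1: make AC1 the Master of VRRP group 1 and the active HSB device, and set the CAPWAP source address to the VRRP virtual IP
- Configure hot standby on AC2 so that AC2 becomes the standby HSB device, and set the CAPWAP source address to the VRRP virtual IP
- Verify hot standby: shut down AC1's interface and check the AP and station status on AC2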
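Procedure
Step 1: Wired-side network configuration
Configure the wired side of the switches and ACs according to the plan
# Create VLANs on S3, S4, AC1, and AC2, and assign the interfaces to the corresponding VLANs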
[S3]vlan batch 10 11 100
[S3]interface GigabitEthernet 0/0/1
[S3-GigabitEthernet0/0/1]port link-type trunk
[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[S3-GigabitEthernet0/0/1]quit
[S3]interface GigabitEthernet 0/0/2
[S3-GigabitEthernet0/0/2]port link-type trunk
[S3-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[S3-GigabitEthernet0/0/2]quit
[S3]interface GigabitEthernet 0/0/3
[S3-GigabitEthernet0/0/3]port link-type trunk
[S3-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 11
[S3-GigabitEthernet0/0/3]quit
[S3]interface GigabitEthernet 0/0/4
[S3-GigabitEthernet0/0/4]port link-type trunk
[S3-GigabitEthernet0/0/4]port trunk pvid vlan 10
[S3-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 11
[S3-GigabitEthernet0/0/4]quit
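On S3, set the PVID of the interface connected to AP1 to VLAN10; the interface connected to S4 must allow the service VLAN and the management VLAN; the interfaces connected to the ACs allow VLAN100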
[S4]vlan batch 10 11
[S4]interface GigabitEthernet 0/0/3
[S4-GigabitEthernet0/0/3]port link-type trunk
[S4-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 11
[S4-GigabitEthernet0/0/3]quit
[S4]interface GigabitEthernet 0/0/4
[S4-GigabitEthernet0/0/4]port link-type trunk
[S4-GigabitEthernet0/0/4]port trunk pvid vlan 10
[S4-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 11
[S4-GigabitEthernet0/0/4]quit
On S4, set the PVID of the interface connected to the AP to VLAN10; the uplink interface transparently carries management VLAN10 and service VLAN11
[AC1]vlan batch 100
[AC1]interface GigabitEthernet 0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1]quit
The interface allows VLAN100
[AC2]vlan batch 100
[AC2]interface GigabitEthernet 0/0/1
[AC2-GigabitEthernet0/0/1]port link-type trunk
[AC2-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1]quit
# Create VLANIF interfaces on S3, AC1, and AC2
[S3]interface Vlanif 10
[S3-Vlanif10]ip address 10.0.10.1 24
[S3-Vlanif10]quit
[S3]interface Vlanif 11
[S3-Vlanif11]ip address 10.0.11.1 24
[S3-Vlanif11]quit
[S3]interface Vlanif 100
[S3-Vlanif100]ip address 10.0.100.3 24
[S3-Vlanif100]quit
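On S3, VLANIF10 is the management VLAN gateway for AP1 and AP2, VLANIF11 is the gateway for the service VLAN of the terminals under AP1 and AP2, and VLANIF100 is used for Layer 3 communication with AC1 and AC2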
[AC1]interface Vlanif 100
[AC1-Vlanif100]ip address 10.0.100.1 24
[AC1-Vlanif100]quit
VLANIF100 on AC1 is the CAPWAP communication interface (note: it is not the CAPWAP source interface)
[AC2]interface Vlanif 100
[AC2-Vlanif100]ip address 10.0.100.2 24
[AC2-Vlanif100]quit
VLANIF100 on AC2 is the CAPWAP communication interface (note: it is not the CAPWAP source interface)
# Configure routes to the AP management subnet on AC1 and AC2
[AC1]ip route-static 10.0.10.0 24 10.0.100.3
[AC2]ip route-static 10.0.10.0 24 10.0.100.3
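Static routes are configured manually on the ACs so that they can communicate over CAPWAP with APs that have obtained addresses in the management subnet
# Configure the DHCP service on S3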
[S3]dhcp enable
Enable the DHCP service
[S3]ip pool ap
[S3-ip-pool-ap]network 10.0.10.0 mask 24
[S3-ip-pool-ap]gateway-list 10.0.10.1
[S3-ip-pool-ap]option 43 sub-option 3 ascii 10.0.100.254
[S3-ip-pool-ap]quit
[S3]ip pool service
[S3-ip-pool-service]network 10.0.11.0 mask 24
[S3-ip-pool-service]gateway-list 10.0.11.1
[S3-ip-pool-service]dns-list 10.0.11.1
[S3-ip-pool-service]quit
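Address pool ap assigns management addresses to the APs and carries Option 43 to specify the AC address; note that this address is the VRRP virtual IP
Address pool service assigns addresses to the wireless terminals of AP1 and AP2; the gateway of every address pool is set to the corresponding VLANIF interface address on S3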
[S3]interface Vlanif 10
[S3-Vlanif10]dhcp select global
[S3-Vlanif10]quit
[S3]interface Vlanif 11
[S3-Vlanif11]dhcp select global
[S3-Vlanif11]quit
Select the global address pool on the interfaces
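An added example, not part of the original post: how `option 43 sub-option 3 ascii 10.0.100.254` is laid out as a type-length-value field, plus a check that an Option 43 payload captured on the AP management VLAN names only the planned VRRP address. The function names are hypothetical, and the comma-separated handling of several AC addresses is an assumption.

```python
import ipaddress

AC_SUBOPTION = 3  # sub-option number used on the page: "option 43 sub-option 3 ascii ..."

def encode_option43(addresses):
    """Build the Option 43 payload: one TLV (type, length, ASCII value)."""
    value = ",".join(addresses).encode("ascii")
    if len(value) > 255:
        raise ValueError("sub-option value exceeds 255 bytes")
    return bytes([AC_SUBOPTION, len(value)]) + value

def parse_option43(payload):
    """Walk the TLVs in an Option 43 payload and return {sub_option: value_bytes}."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} is truncated")
        subopts[code] = value
        i += 2 + length
    return subopts

def ac_addresses(payload):
    """Return the AC IPv4 addresses in sub-option 3 (assumed comma-separated ASCII)."""
    raw = parse_option43(payload).get(AC_SUBOPTION)
    if raw is None:
        return []
    return [str(ipaddress.IPv4Address(a.strip())) for a in raw.decode("ascii").split(",")]

def offer_is_expected(payload, expected_ac):
    """True only if the payload points APs at exactly the planned AC address."""
    try:
        return ac_addresses(payload) == [expected_ac]
    except (ValueError, UnicodeDecodeError):
        return False

VRRP_VIP = "10.0.100.254"              # from the page's data plan
GOOD = encode_option43([VRRP_VIP])     # what pool "ap" on S3 should hand out
BAD = encode_option43(["10.0.100.1"])  # constructed: AC1's own address instead of the VIP

if __name__ == "__main__":
    print(GOOD.hex(" "))
    print(offer_is_expected(GOOD, VRRP_VIP), offer_is_expected(BAD, VRRP_VIP))
```

An offer carrying AC1's or AC2's own address still brings the APs online, but they would not follow a VRRP switchover, which is why the check compares against the virtual IP only.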
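Step 2: Configure the ACs
Create ap-group depart, associate the APs using MAC address authentication, name the APs AP1 and AP2, add them to ap-group depart, and configure the parameter profiles and bind them to the VAP profile
The WLAN configuration is identical on AC1 and AC2. AC1 is used as the example here; the AC2 configuration is not shown
# Create an AP group named depart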
[AC1]wlan
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group-depart]quit
# Create a regulatory domain profile and configure the AC's country code in it
[AC1-wlan-view]regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default]country-code cn
[AC1-wlan-regulate-domain-default]quit
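A regulatory domain profile provides the configuration of the country code, calibration channel set, calibration bandwidth, and so on for APs
By default, a regulatory domain profile named default exists on the system, so the command above enters that existing default profile.
# Reference the regulatory domain profile in the AP group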
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group-depart]regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-depart]quit
# Add the APs
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 0 ap-mac 00e0-fc52-6720
[AC1-wlan-ap-0]ap-name AP1
[AC1-wlan-ap-0]ap-group depart
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc7e-51f0
[AC1-wlan-ap-1]ap-name AP2
[AC1-wlan-ap-1]ap-group depart
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-1]quit
# Configure the parameter profiles
[AC1-wlan-view]security-profile name depart
[AC1-wlan-sec-prof-depart]security wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-depart]quit
[AC1-wlan-view]ssid-profile name depart
[AC1-wlan-ssid-prof-depart]ssid HSB
[AC1-wlan-ssid-prof-depart]quit
[AC1-wlan-view]vap-profile name depart
[AC1-wlan-vap-prof-depart]forward-mode direct-forward
[AC1-wlan-vap-prof-depart]service-vlan vlan-id 11
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-depart]ssid-profile depart
[AC1-wlan-vap-prof-depart]security-profile depart
[AC1-wlan-vap-prof-depart]quit
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group-depart]vap-profile depart wlan 1 radio all
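Configure security-profile depart with WPA2-PSK authentication and set the pre-shared key to a1234567
Configure ssid-profile depart and set the SSID to HSB
Configure the vap-profile: set the forwarding mode to direct forwarding, set the service VLAN to 11, and reference ssid-profile depart and security-profile depart.
Reference vap-profile depart in ap-group depart
Step 3: Configure VRRP-based hot standby on AC1
Configure AC1 as the Master of VRRP group 1 and configure HSB (the hot standby function). AC1's service information is backed up to AC2 over the backup link through batch backup and real-time backup, so that services switch over to the backup device without interruption when the master device fails
# On AC1, create the management VRRP group and set AC1's priority in this group to 120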
[AC1]interface Vlanif 100
[AC1-Vlanif100]vrrp vrid 1 virtual-ip 10.0.100.254
[AC1-Vlanif100]vrrp vrid 1 priority 120
[AC1-Vlanif100]quit
# On AC1, create HSB service 0 and configure the IP addresses and port numbers of its active/standby channel
[AC1]hsb-service 0
[AC1-hsb-service-0]
[AC1-hsb-service-0]service-ip-port local-ip 10.0.100.1 peer-ip 10.0.100.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0]quit
# On AC1, create HSB group 0 and bind it to HSB service 0 and the management VRRP group
[AC1]hsb-group 0
[AC1-hsb-group-0]bind-service 0
[AC1-hsb-group-0]track vrrp vrid 1 interface Vlanif 100
[AC1-hsb-group-0]quit
# Bind the NAC service, the WLAN service, and the DHCP service to the HSB group
[AC1]hsb-service-type access-user hsb-group 0
[AC1]hsb-service-type ap hsb-group 0
[AC1]hsb-service-type dhcp hsb-group 0
# Enable hot standby
[AC1]hsb-group 0
[AC1-hsb-group-0]hsb enable
[AC1-hsb-group-0]quit
# Configure the CAPWAP source address on AC1
[AC1]capwap source ip-address 10.0.100.254
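Note that this address is the VRRP virtual IP
Step 5: Configure VRRP-based hot standby on AC2
Configure AC2 as the Backup device of the VRRP group and configure the hot standby function (HSB). AC2 receives the service information backed up from AC1 so that it can take over services immediately when the master device fails.
# Configure the VRRP group on AC2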
[AC2]interface Vlanif 100
[AC2-Vlanif100]vrrp vrid 1 virtual-ip 10.0.100.254
[AC2-Vlanif100]quit
# On AC2, create HSB service 0 and configure the IP addresses and port numbers of its active/standby channel
[AC2]hsb-service 0
[AC2-hsb-service-0]service-ip-port local-ip 10.0.100.2 peer-ip 10.0.100.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0]quit
# On AC2, create HSB group 0 and bind it to HSB service 0 and the management VRRP group
[AC2]hsb-group 0
[AC2-hsb-group-0]bind-service 0
[AC2-hsb-group-0]track vrrp vrid 1 interface Vlanif 100
[AC2-hsb-group-0]quit
# Bind the NAC service, the WLAN service, and the DHCP service to the HSB group
[AC2]hsb-service-type access-user hsb-group 0
[AC2]hsb-service-type ap hsb-group 0
[AC2]hsb-service-type dhcp hsb-group 0
# Enable hot standby
[AC2]hsb-group 0
[AC2-hsb-group-0]hsb enable
[AC2-hsb-group-0]quit
# Configure the CAPWAP source address on AC2
[AC2]capwap source ip-address 10.0.100.254
Note that this address is the VRRP virtual IP
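An added example, not part of the original post: a consistency check over the hot-standby commands of the two ACs. It verifies that the VRRP group matches, that the HSB channel addresses and ports mirror each other, that the CAPWAP source is the VRRP virtual IP on both devices, and that the same services are bound to the HSB group. The function names are hypothetical and the sample command lists are constructed from the commands on this page.

```python
import re

FIELDS = {  # patterns follow the commands shown on this page
    "vrrp": r"vrrp vrid (\d+) virtual-ip (\S+)",
    "hsb": r"service-ip-port local-ip (\S+) peer-ip (\S+) "
           r"local-data-port (\d+) peer-data-port (\d+)",
    "capwap": r"capwap source ip-address (\S+)",
}

def parse(cfg):
    """Pull the VRRP, HSB channel and CAPWAP settings out of one AC's commands."""
    dev = {k: (m.groups() if (m := re.search(p, cfg)) else None) for k, p in FIELDS.items()}
    dev["types"] = set(re.findall(r"hsb-service-type (\S+) hsb-group", cfg))
    return dev

def check_pair(cfg_a, cfg_b):
    """Return findings for two AC configs; an empty list means they agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = [f"{n}: no '{k}' command" for n, d in (("A", a), ("B", b)) for k in FIELDS if d[k] is None]
    if out:
        return out
    if a["vrrp"] != b["vrrp"]:
        out.append("VRRP vrid/virtual-ip differ")
    (la, pa, lpa, ppa), (lb, pb, lpb, ppb) = a["hsb"], b["hsb"]
    if (la, pa, lpa, ppa) != (pb, lb, ppb, lpb):  # local on one side must be peer on the other
        out.append("HSB channel not mirrored")
    for n, d in (("A", a), ("B", b)):
        if d["capwap"][0] != d["vrrp"][1]:
            out.append(f"{n}: CAPWAP source is not the VRRP virtual IP")
    if a["types"] != b["types"]:
        out.append("hsb-service-type bindings differ")
    return out

def ac_commands(local, peer, capwap="10.0.100.254"):
    """Constructed sample: the hot-standby commands of one AC as plain text."""
    return "\n".join([
        "vrrp vrid 1 virtual-ip 10.0.100.254",
        f"service-ip-port local-ip {local} peer-ip {peer} local-data-port 10241 peer-data-port 10241",
        *[f"hsb-service-type {t} hsb-group 0" for t in ("access-user", "ap", "dhcp")],
        f"capwap source ip-address {capwap}",
    ])

AC1 = ac_commands("10.0.100.1", "10.0.100.2")
AC2 = ac_commands("10.0.100.2", "10.0.100.1")
AC2_BAD = ac_commands("10.0.100.2", "10.0.100.2", capwap="10.0.100.2")  # constructed mistakes

if __name__ == "__main__":
    print(check_pair(AC1, AC2), check_pair(AC1, AC2_BAD), sep="\n")
```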
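Step 6: Verify the result
# Check the VRRP state on AC1 and AC2. The State field shows Master on AC1 and Backup on AC2
At this point AC1 holds the virtual IP 10.0.100.254
# Run the display hsb-service 0 command on AC1 and AC2 to check whether the active/standby service has been established
The service Status field shows Connected, which means the active/standby service channel has been established.
# Run the display hsb-group 0 command on AC1 and AC2 to check the running state of the HSB group
# Check the AP online status on AC1 and AC2
At this point the AP state is normal on AC1 and Standby on AC2; the AP information on AC2 was synchronized through the HSB group.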
From: https://www.cnblogs.com/hongliang888/p/16588924.html