Devices: router MSR3600-28, AC (access controller) WX3010E, APs WA2620I.

Cabling: router ports G0-G9 connect to 10 broadband lines; only 3 are in use at present, and the spare ports are reserved but shut down. Router port G25 connects to port G2 on the AC's switching board. The 7 APs each connect to one of the AC's 7 PoE ports.

Requirements: the network is split into two parts, internal staff and external customers. Internal staff have wired devices on router ports G10-G26; SSID gynw is for staff and is password-protected. External customers use only the SSID with the Chinese name. Internal traffic uses the 192.168.10.0 255.255.255.0 subnet; customers use the 192.168.0.0 255.255.254.0 subnet. There are 3 broadband lines in total: internal staff use the third line exclusively, and external customers use lines 1 and 2.

Key configuration points:
- Configure two VLANs: the default VLAN 1 serves external customers on 192.168.0.0 255.255.254.0; VLAN 2 serves internal staff on 192.168.10.0 255.255.255.0. VLAN 2 must be configured on the router, on the AC's switching board and on its wireless board.
- Configure two IP address pools on the router.
- Make router port G0/25 a trunk that permits VLAN 2. Port G2 on the AC switching board that connects to the router must be configured the same way, as must the internal link ports and the aggregation interface between the AC's switching board and wireless board:
    interface GigabitEthernet0/25
    port link-mode bridge
    port link-type trunk
    port trunk permit vlan 1 to 2
- Create ACL 3000 to match the traffic from internal source addresses that needs policy routing: [rule 0 permit ip source 192.168.10.0 0.0.0.255].
- Create node 10 of policy-based route aaa, match the traffic of ACL 3000, and set the apply action so that the egress for that traffic is the PPPoE dialer interface Dialer2:
    policy-based-route aaa permit node 10
    if-match acl 3000
    apply output-interface Dialer2
- Apply the policy route (PBR) on the ingress interface of the internal user traffic so that internal staff can only use the third broadband line [Dialer2, G2]:
    interface Vlan-interface2
    ip address 192.168.10.1 255.255.255.0
    tcp mss 1280
    ip policy-based-route aaa
  This PBR rule must be applied under VLAN 2, not under an individual physical interface.
- Also, because this line is dedicated to these two subnets of yours and must not be shared with other subnets, NAT has to be restricted so that only those users are translated:
    interface Dialer2
    ppp chap password cipher $c$3$Yw0N2YKuo7NdL5RE4YKUbJazaeR/AOOU7w==
    ppp chap user 048204900653
    ppp ipcp dns admit-any
    ppp ipcp dns request
    ppp pap local-user 048204900653 password cipher $c$3$rAeTiTj4piiP164EsMA/XpDsOKtNeq6lxQ==
    dialer bundle enable
    dialer-group 3
    dialer timer idle 0
    dialer timer autodial 5
    ip address ppp-negotiate
    nat outbound
    nat outbound 3000
- On the AC, SSID gynw must be bound to VLAN 2.
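The checklist above can be verified mechanically against the router's running-config instead of by eye. The Python below is an added example, not code from the original post or from H3C; it assumes the Comware text layout shown on this page (blocks separated by lines containing only `#`) and runs over a constructed excerpt, following the chain VLAN interface -> PBR policy -> ACL -> Dialer NAT and flagging spare WAN ports that are not shut down.

```python
# Constructed excerpt in the same '#'-delimited Comware style as the pasted running-config.
SAMPLE = """policy-based-route aaa permit node 10
 if-match acl 3000
 apply output-interface Dialer2
#
interface Dialer2
 nat outbound 3000
#
interface Vlan-interface2
 ip policy-based-route aaa
#
interface GigabitEthernet0/3
 pppoe-client dial-bundle-number 3
"""

def parse_blocks(text):
    """Map each block's heading line to its body lines; a bare '#' ends a block."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            cur = None
        elif line and cur is None:
            cur, blocks[cur] = line, []   # heading line opens a new block
        elif line:
            blocks[cur].append(line)
    return blocks

def last_word(lines, prefix):
    # last token of the first line starting with prefix, or None if absent
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def check_staff_wan(blocks, vlan_if="interface Vlan-interface2", dialer="Dialer2"):
    """Follow VLAN -> PBR policy -> ACL -> Dialer NAT and report every broken link."""
    pbr = last_word(blocks.get(vlan_if, []), "ip policy-based-route")
    if pbr is None:
        return [f"{vlan_if}: no policy-based-route applied"]
    key = next((k for k in blocks if k.startswith(f"policy-based-route {pbr} ")), None)
    node = blocks.get(key, [])
    acl, out = last_word(node, "if-match acl"), last_word(node, "apply output-interface")
    findings = [] if out == dialer else [f"policy {pbr}: exits via {out}, expected {dialer}"]
    if f"nat outbound {acl}" not in blocks.get(f"interface {dialer}", []):
        findings.append(f"interface {dialer}: missing 'nat outbound {acl}'")
    return findings

def unused_wan_not_shutdown(blocks, live_bundles=(0, 1, 2)):
    """WAN ports bound to an out-of-service PPPoE bundle that are not shut down."""
    return [head.split()[-1] for head, body in blocks.items()
            if (b := last_word(body, "pppoe-client dial-bundle-number")) is not None
            and int(b) not in live_bundles and "shutdown" not in body]
```

Run it over the full pasted config (saved to a file and read into `SAMPLE`) to confirm the same invariants hold after every change to the dialer or VLAN configuration.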
Router MSR3600-28 configuration:
#
#
version 7.1.064, Release 0707P16
#
sysname MSR3600
#
telnet server enable
#
track 1 interface GigabitEthernet0/0 physical
#
track 2 interface GigabitEthernet0/2 physical
#
track 3 interface GigabitEthernet0/1 physical
#
track 4 interface GigabitEthernet0/3 physical
#
track 5 interface GigabitEthernet0/4 physical
#
track 6 interface GigabitEthernet0/5 physical
#
track 7 interface GigabitEthernet0/6 physical
#
track 8 interface GigabitEthernet0/7 physical
#
track 9 interface GigabitEthernet0/8 physical
#
track 10 interface GigabitEthernet0/9 physical
#
dialer-group 1 rule ip permit
dialer-group 2 rule ip permit
dialer-group 3 rule ip permit
dialer-group 4 rule ip permit
dialer-group 5 rule ip permit
dialer-group 6 rule ip permit
dialer-group 7 rule ip permit
dialer-group 8 rule ip permit
dialer-group 9 rule ip permit
dialer-group 10 rule ip permit
#
dhcp enable
dhcp server always-broadcast
#
dns proxy enable
dns server 202.99.224.68
dns server 202.99.224.67
#
undo password-recovery enable
#
vlan 1
#
vlan 2
#
dhcp server ip-pool vlan-interface1
gateway-list 192.168.0.1
network 192.168.0.0 mask 255.255.254.0
dns-list 192.168.0.1
#
dhcp server ip-pool vlan-interface2
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
dns-list 192.168.10.1
#
policy-based-route aaa permit node 10
if-match acl 3000
apply output-interface Dialer2
#
controller Cellular0/0
#
interface Aux0
#
interface Dialer0
ppp chap password cipher $c$3$ecA+KBC8rz+5PGyXLu3kKcOcBkcrCHI+tg==
ppp chap user 048204900645
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 048204900645 password cipher $c$3$a/VsoOD/jUszEEP9RLkdSp14K2my0b9JaA==
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
nat outbound
#
interface Dialer1
ppp chap password cipher $c$3$wm/nCS+BeOMruyyVTMmOC3JioNxJjCXB5Q==
ppp chap user 048204900456
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 048204900456 password cipher $c$3$ydfn+ujrrTHAdKfk20uCvO8qOP47MpVxXQ==
dialer bundle enable
dialer-group 2
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
nat outbound
#
interface Dialer2
ppp chap password cipher $c$3$Yw0N2YKuo7NdL5RE4YKUbJazaeR/AOOU7w==
ppp chap user 048204900653
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 048204900653 password cipher $c$3$rAeTiTj4piiP164EsMA/XpDsOKtNeq6lxQ==
dialer bundle enable
dialer-group 3
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
nat outbound
nat outbound 3000
#
interface Dialer3
ppp chap password cipher $c$3$el6CFL7gfLv4ktEgviHxbXO3QZLXGQ==
ppp chap user 111
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 111 password cipher $c$3$V8r6AuEi+KMtHkaR/EWcHO1bSb89VQ==
dialer bundle enable
dialer-group 4
ip address ppp-negotiate
nat outbound
#
interface Dialer4
ppp chap password cipher $c$3$vNITgsIPzeU1LiHGUGIfGuWNgVo4CA==
ppp chap user 1111
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 1111 password cipher $c$3$VV33bg+5NPtYnWHRQoZ+S0iy0U0nVA==
dialer bundle enable
dialer-group 5
ip address ppp-negotiate
nat outbound
#
interface Dialer5
ppp chap password cipher $c$3$0Oht5wslvxXg1dnx2bLGDdz/fmpbMA==
ppp chap user 111
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 111 password cipher $c$3$+Ps1s51RwTFrKOtj7H5e6QHRmJKBxw==
dialer bundle enable
dialer-group 6
ip address ppp-negotiate
nat outbound
#
interface Dialer6
ppp chap password cipher $c$3$Hw8OHk740qynoa2fqr9MjMLNvG2t7A==
ppp chap user 111
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 111 password cipher $c$3$327G0BXM7O1V0FFMBu6f0qop3pNxew==
dialer bundle enable
dialer-group 7
ip address ppp-negotiate
nat outbound
#
interface Dialer7
ppp chap password cipher $c$3$dtP7mC4BMg25fOP0+3PfqekDIQMN+Q==
ppp chap user 111
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 111 password cipher $c$3$24J2pkHqpdapDRfRzm0xHCU+P2hwIA==
dialer bundle enable
dialer-group 8
ip address ppp-negotiate
nat outbound
#
interface Dialer8
ppp chap password cipher $c$3$yHZdKgyovJ+3UzVGQCyZvhbA3MRh9Q==
ppp chap user 111
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 111 password cipher $c$3$/KDUpvv7NpF/2pPd7bDy8ELb6jdpHw==
dialer bundle enable
dialer-group 9
ip address ppp-negotiate
nat outbound
#
interface Dialer9
ppp chap password cipher $c$3$ndehLaaBxgeAmGwT78UFO0CDxVvIPg==
ppp chap user 111
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 111 password cipher $c$3$zLchZJKp8g30ATAXQJEk+LQD0hpkQw==
dialer bundle enable
dialer-group 10
ip address ppp-negotiate
nat outbound
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.0.1 255.255.254.0
tcp mss 1280
#
interface Vlan-interface2
ip address 192.168.10.1 255.255.255.0
tcp mss 1280
ip policy-based-route aaa
#
interface GigabitEthernet0/0
port link-mode route
description Multiple_Line
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet0/1
port link-mode route
description Multiple_Line
pppoe-client dial-bundle-number 2
#
interface GigabitEthernet0/2
port link-mode route
description Multiple_Line
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/3
port link-mode route
description Multiple_Line
shutdown
pppoe-client dial-bundle-number 3
#
interface GigabitEthernet0/4
port link-mode route
description Multiple_Line
shutdown
pppoe-client dial-bundle-number 4
#
interface GigabitEthernet0/5
port link-mode route
description Multiple_Line
shutdown
pppoe-client dial-bundle-number 5
#
interface GigabitEthernet0/6
port link-mode route
description Multiple_Line
shutdown
pppoe-client dial-bundle-number 6
#
interface GigabitEthernet0/7
port link-mode route
description Multiple_Line
shutdown
pppoe-client dial-bundle-number 7
#
interface GigabitEthernet0/8
port link-mode route
description Multiple_Line
shutdown
pppoe-client dial-bundle-number 8
#
interface GigabitEthernet0/9
port link-mode route
description Multiple_Line
shutdown
pppoe-client dial-bundle-number 9
#
interface GigabitEthernet0/27
port link-mode route
#
interface GigabitEthernet0/10
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/11
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/12
port link-mode bridge
#
interface GigabitEthernet0/13
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/14
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/15
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/16
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/17
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/18
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/19
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/20
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/21
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/22
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/23
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/24
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet0/25
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 to 2
#
interface GigabitEthernet0/26
port link-mode bridge
port access vlan 2
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 Dialer0 track 1
ip route-static 0.0.0.0 0 Dialer1 track 2
ip route-static 0.0.0.0 0 Dialer2 track 3
ip route-static 0.0.0.0 0 Dialer3 track 4
ip route-static 0.0.0.0 0 Dialer4 track 5
ip route-static 0.0.0.0 0 Dialer5 track 6
ip route-static 0.0.0.0 0 Dialer6 track 7
ip route-static 0.0.0.0 0 Dialer7 track 8
ip route-static 0.0.0.0 0 Dialer8 track 9
ip route-static 0.0.0.0 0 Dialer9 track 10
#
undo info-center enable
#
acl advanced 3000
rule 0 permit ip source 192.168.10.0 0.0.0.255
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
password-control complexity user-name check
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
service-type telnet http
authorization-attribute user-role network-admin
#
ip http enable
#
wlan global-configuration
firmware-upgrade disable
#
wlan ap-group default-group
vlan 1
#
return
WX3010E wireless controller, AC (wireless) board configuration:
#
#
version 5.20, Release 3509P61
#
sysname H3C
#
domain default enable system
#
telnet server enable
#
port-security enable
#
oap management-ip 192.168.1.101 slot 0
#
wlan auto-ap enable
wlan auto-persistent enable
#
password-recovery enable
#
vlan 1
#
vlan 2
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$QjPBVKuyxbVqX595iSGzqcZ8CP1Gp4X4
authorization-attribute level 3
service-type ssh telnet
service-type web
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 1 crypto
ssid gynw
bind WLAN-ESS 0
cipher-suite ccmp
security-ie rsn
security-ie wpa
service-template enable
#
wlan service-template 2 clear
ssid 光音故事
bind WLAN-ESS 1
service-template enable
#
wlan ap-group default_group
ap 586a-b11f-eea0
ap 70f9-6db2-7bb0
ap 70f9-6db2-8c60
ap 70f9-6db2-95a0
ap 7425-8a5e-0fa0
ap 80f6-2e22-b700
ap 80f6-2e22-e720
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 1 to 2
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.0.200 255.255.254.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 to 2
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 1 to 2
port link-aggregation group 1
#
interface WLAN-ESS0
port link-type hybrid
port hybrid vlan 1 to 2 untagged
port hybrid pvid vlan 2
port-security port-mode psk
port-security tx-key-type 11key
port-security preshared-key pass-phrase cipher $c$3$cDV5bn1INalB7PgVeKBtRC9qLKht0Mf5Zgdn
#
interface WLAN-ESS1
port link-type hybrid
port hybrid vlan 1 untagged
#
wlan ap 586a-b11f-eea0 model WA2620i-AGN id 1
serial-id 219801A0CNC14C000490
radio 1
service-template 1
service-template 2
radio enable
radio 2
service-template 1
service-template 2
radio enable
#
wlan ap 70f9-6db2-7bb0 model WA2610i-GN id 5
serial-id 219801A0CKC146001641
radio 1
service-template 1
radio enable
#
wlan ap 70f9-6db2-8c60 model WA2610i-GN id 6
serial-id 219801A0CKC146001864
radio 1
service-template 1
radio enable
#
wlan ap 70f9-6db2-95a0 model WA2610i-GN id 7
serial-id 219801A0CKC146002009
radio 1
service-template 1
radio enable
#
wlan ap 7425-8a5e-0fa0 model WA2620i-AGN id 3
serial-id 219801A0CMC13A000027
radio 1
service-template 1
service-template 2
radio enable
radio 2
service-template 1
service-template 2
radio enable
#
wlan ap 80f6-2e22-b700 model WA2620i-AGN id 2
serial-id 219801A0CMC128000004
radio 1
service-template 1
service-template 2
radio enable
radio 2
service-template 1
service-template 2
radio enable
#
wlan ap 80f6-2e22-e720 model WA2620i-AGN id 4
serial-id 219801A0CMC128000388
radio 1
service-template 1
service-template 2
radio enable
radio 2
service-template 1
service-template 2
radio enable
#
wlan ips
malformed-detect-policy default
signature deauth_flood signature-id 1
signature broadcast_deauth_flood signature-id 2
signature disassoc_flood signature-id 3
signature broadcast_disassoc_flood signature-id 4
signature eapol_logoff_flood signature-id 5
signature eap_success_flood signature-id 6
signature eap_failure_flood signature-id 7
signature pspoll_flood signature-id 8
signature cts_flood signature-id 9
signature rts_flood signature-id 10
signature addba_req_flood signature-id 11
signature-policy default
countermeasure-policy default
attack-detect-policy default
virtual-security-domain default
attack-detect-policy default
malformed-detect-policy default
signature-policy default
countermeasure-policy default
#
ip route-static 192.168.10.0 255.255.255.0 192.168.0.0
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
#
return
WX3010E wireless controller, switching board configuration:
#
#
version 5.20, Release 3507P29
#
sysname H3C
#
domain default enable system
#
telnet server enable
#
oap management-ip 192.168.1.100 slot 1
#
password-recovery enable
#
vlan 1
#
vlan 2
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher $c$3$0UDibzB9kRQ6NNlhZAYUqJcOmaGlFiX0
authorization-attribute level 3
service-type telnet
service-type web
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 1 to 2
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.0.101 255.255.254.0
#
interface GigabitEthernet1/0/1
poe enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 1 to 2
poe enable
#
interface GigabitEthernet1/0/3
poe enable
#
interface GigabitEthernet1/0/4
poe enable
#
interface GigabitEthernet1/0/5
poe enable
#
interface GigabitEthernet1/0/6
poe enable
#
interface GigabitEthernet1/0/7
poe enable
#
interface GigabitEthernet1/0/8
poe enable
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
port link-type trunk
port trunk permit vlan 1 to 2
port link-aggregation group 1
#
interface GigabitEthernet1/0/12
port link-type trunk
port trunk permit vlan 1 to 2
port link-aggregation group 1
#
ip route-static 192.168.10.0 255.255.255.0 192.168.0.0
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
user-interface vty 5 15
#
return