
A Technical Problem I Solved: Example of Configuring Wireless Configuration Synchronization in a VRRP Hot Standby Scenario

Original article
Author: 知孤云出岫
Published: 2024-02-07 11:32:21
Included in the column: Computer Networks

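Example of Configuring Wireless Configuration Synchronization in a VRRP Hot Standby Scenario

Networking diagram

Figure 1 Networking for wireless configuration synchronization in a VRRP hot standby scenario (direct forwarding)

  • Service requirements
  • Networking requirements
  • Data planning
  • Configuration roadmap
  • Configuration notes
  • Procedure
  • Configuration files
Service requirements

To keep its services running, an enterprise wants to improve network reliability and also reduce the configuration and maintenance workload. Wireless configuration synchronization in a VRRP hot standby deployment meets both needs. In this solution the active and standby ACs are usually deployed at the same location, but service switchover is very fast and reliability is higher than with dual-link hot standby.

Networking requirements
  • AC networking mode: off-path (bypass) Layer 2 networking.
  • DHCP deployment: the AC acts as the DHCP server that assigns IP addresses to APs, and the switch cluster acts as the DHCP server that assigns IP addresses to STAs.
  • Service data forwarding mode: direct forwarding.
  • Switch cluster: the two core-layer switches SwitchB and SwitchC are clustered using CSS cards. SwitchB is the master switch and SwitchC is the standby switch.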
Data planning

Configuration item / Data

AC1 source interface

  • VLANIF100: 10.23.100.1/24

AC2 source interface

  • VLANIF100: 10.23.100.2/24

Virtual IP address of the management VRRP group

  • 10.23.100.3/24

VAP profile

  • Name: wlan-net
  • Forwarding mode: direct forwarding
  • Service VLAN: VLAN101
  • Referenced profiles: security profile wlan-net, SSID profile wlan-net

AP group

  • Name: ap-group1
  • Referenced profiles: VAP profile wlan-net, regulatory domain profile default

Regulatory domain profile

  • Name: default
  • Country code: China

SSID profile

  • Name: wlan-net
  • SSID name: wlan-net

Security profile

  • Name: wlan-net
  • Security policy: WPA-WPA2+PSK+AES
  • Password: a1234567

DHCP server

  • The AC acts as the DHCP server that assigns addresses to APs; the switch cluster acts as the DHCP server that assigns addresses to STAs

AP gateway

  • VLANIF100: 10.23.100.3/24

AP IP address pool

  • 10.23.100.4~10.23.100.254/24

STA gateway

  • VLANIF101: 10.23.101.1/24

STA IP address pool

  • 10.23.101.2~10.23.101.254/24

IP address and port number of the AC1 active/standby channel

  • IP address: VLANIF102, 10.23.102.1/24
  • Port number: 10241

IP address and port number of the AC2 active/standby channel

  • IP address: VLANIF102, 10.23.102.2/24
  • Port number: 10241

Scheduled wireless configuration synchronization

  • Start time of scheduled synchronization: 1:00 a.m.
  • Interval of scheduled synchronization: 1440 minutes

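Configuration roadmap
  1. Configure CSS card clustering on SwitchB and SwitchC to improve core-layer reliability, and make SwitchB the master switch.
  2. Configure network connectivity between the AP, the ACs, and the other network devices.
  3. Configure a VRRP group on AC1 and AC2. AC1 is given the higher priority and forwards traffic as the active device; AC2 is given the lower priority and acts as the standby device.
  4. Configure basic WLAN services so that users can access the Internet through the WLAN.
  5. Configure hot standby so that service information on AC1 is backed up to AC2 over the backup link, both in batches and in real time. This ensures that services switch over to the standby device without interruption when the active device fails.
  6. Configure wireless configuration synchronization for the VRRP hot standby scenario.
Configuration notes
  • The protocol provides no ACK mechanism for pure multicast packets on the air interface, and wireless links are unstable, so pure multicast packets are usually sent at low rates to make delivery reliable. If a large volume of abnormal multicast traffic floods in from the network side, the air interface becomes congested. To reduce the impact of large numbers of low-rate multicast packets on the wireless network, configure multicast packet suppression. Before configuring it, check whether multicast services are in use; if they are, set the rate limit with care.
    • When service data is forwarded in direct forwarding mode, configure multicast packet suppression on the switch interfaces directly connected to APs.
    • When service data is forwarded in tunnel forwarding mode, configure multicast packet suppression in the traffic profile on the AC.
  • Configure port isolation on the device interfaces directly connected to APs. Without port isolation, especially in direct forwarding mode, large numbers of unnecessary broadcast packets may be generated in the VLAN, congesting the network and degrading user experience.
  • In tunnel forwarding mode, the management VLAN and the service VLAN cannot be the same VLAN, and only the management VLAN, not the service VLAN, may be allowed between the AP and the AC.
  • During configuration, also check whether the wired network contains loops. If it does, configure MSTP on the affected network elements.
  • In VRRP hot standby networking, the DHCP address pool configuration on the active and standby ACs must be identical. For example, the range of IP addresses excluded from automatic allocation must be the same on both ACs.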

Procedure

Configure CSS card clustering
# Set the CSS connection mode of SwitchB to CSS card, the CSS ID to 1, and the CSS priority to 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100
# Set the CSS connection mode of SwitchC to CSS card, the CSS ID to 2, and the CSS priority to 10.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10
# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            1            Off          CSS card    100         Off             
# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            2            Off          CSS card    10          Off              
# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
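# Log in to the cluster locally through the console port on any main control board and use the CLI to check whether the cluster has been set up successfully.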

<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
5     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
7     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU2  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
Chassis 2 (Standby Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
3     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
4     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU1  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
<SwitchB> display css status
CSS Enable switch On                                                            
                                                                                
Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
------------------------------------------------------------------------------  
1            On           Master          CSS card    100         Off           
2            On           Standby         CSS card    10          Off   
The output shows the card status and CSS status of both member switches, which indicates that the cluster has been established.

# Check whether the cluster links are in the normal state.

<SwitchB> display css channel
               Chassis 1               ||             Chassis 2                 
--------------------------------------------------------------------------------
Num      [Port]         [Speed]        ||        [Speed]         [Port]
 1       1/1/0/1        10G                      10G             2/1/0/1      
 2       1/1/0/2        10G                      10G             2/1/0/2      
 3       1/1/0/3        10G                      10G             2/1/0/3      
 4       1/1/0/4        10G                      10G             2/1/0/4      
 5       1/1/0/5        10G                      10G             2/1/0/5      
 6       1/1/0/6        10G                      10G             2/1/0/6      
 7       1/1/0/7        10G                      10G             2/1/0/7      
 8       1/1/0/8        10G                      10G             2/1/0/8      
 9       1/12/0/1       10G                      10G             2/12/0/1      
10       1/12/0/2       10G                      10G             2/12/0/2      
11       1/12/0/3       10G                      10G             2/12/0/3      
12       1/12/0/4       10G                      10G             2/12/0/4      
13       1/12/0/5       10G                      10G             2/12/0/5      
14       1/12/0/6       10G                      10G             2/12/0/6      
15       1/12/0/7       10G                      10G             2/12/0/7      
16       1/12/0/8       10G                      10G             2/12/0/8      
17       1/13/0/1       10G                      10G             2/13/0/1      
18       1/13/0/2       10G                      10G             2/13/0/2      
19       1/13/0/3       10G                      10G             2/13/0/3      
20       1/13/0/4       10G                      10G             2/13/0/4      
21       1/13/0/5       10G                      10G             2/13/0/5      
22       1/13/0/6       10G                      10G             2/13/0/6      
23       1/13/0/7       10G                      10G             2/13/0/7      
24       1/13/0/8       10G                      10G             2/13/0/8      
25       1/14/0/1       10G                      10G             2/14/0/1      
26       1/14/0/2       10G                      10G             2/14/0/2      
27       1/14/0/3       10G                      10G             2/14/0/3      
28       1/14/0/4       10G                      10G             2/14/0/4      
29       1/14/0/5       10G                      10G             2/14/0/5      
30       1/14/0/6       10G                      10G             2/14/0/6      
31       1/14/0/7       10G                      10G             2/14/0/7      
32       1/14/0/8       10G                      10G             2/14/0/8      
--------------------------------------------------------------------------------
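The output shows that all cluster links are normal, which confirms that the cluster has been set up successfully.
Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can be transmitted between the AP and the ACs

When service data is forwarded in direct forwarding mode, configure port isolation on GE0/0/1, the SwitchA interface that connects to the AP. Without port isolation, unnecessary broadcast packets may be present in the VLAN, or WLAN users on different APs may be able to communicate with each other at Layer 2.

# Set the PVID of GE0/0/1, the SwitchA interface connected to the AP, to VLAN 100 (management VLAN) and add the interface to VLAN 100 and VLAN 101 (service VLAN). Add GE0/0/2 (SwitchA to SwitchB) and GE0/0/3 (SwitchA to SwitchC) to Eth-Trunk10.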

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk10, and add GE1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC to VLAN 100.

[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit
# Add GE0/0/1, the AC1 interface connected to SwitchB, to VLAN 100 and configure VLANIF100.

<HUAWEI> system-view
[HUAWEI] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
# Add GE0/0/1, the AC2 interface connected to SwitchC, to VLAN 100 and configure VLANIF100.

<HUAWEI> system-view
[HUAWEI] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
Configure connectivity between AC1 and AC2
# Add GE0/0/2, the AC1 interface connected to AC2, to VLAN 102.

[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
# Add GE0/0/2, the AC2 interface connected to AC1, to VLAN 102.

[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit
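Configure the DHCP servers

Configure the DNS server address as required. The common methods are:
In the interface address pool scenario, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
In the global address pool scenario, run the dns-list ip-address &<1-8> command in the IP address pool view.
# Configure AC1 as the DHCP server that assigns IP addresses to APs. 10.23.100.1 is assigned to the active AC, 10.23.100.2 to the standby AC, and 10.23.100.3 to the VRRP virtual address, so these addresses must be excluded from automatic allocation in the interface address pools of both the active and standby ACs.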

[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
[AC1-Vlanif100] quit
# The configuration of AC2 is the same as that of AC1.

# Configure the CSS as the DHCP server that assigns IP addresses to STAs.
[CSS] dhcp enable
[CSS] interface vlanif 101
[CSS-Vlanif101] ip address 10.23.101.1 24
[CSS-Vlanif101] dhcp select interface
[CSS-Vlanif101] quit
Configure VRRP hot standby on AC1
# Set the state recovery delay of the VRRP group to 60 seconds.

[AC1] vrrp recover-delay 60
# Create the management VRRP group on AC1, set the priority of AC1 in the group to 120, and set the preemption delay to 1800 seconds.

[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit
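# Create HSB service 0 on AC1, configure the IP addresses and port numbers of its active/standby channel, and set the retransmission count and sending interval of HSB service packets.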

[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
# Create HSB group 0 on AC1 and bind it to HSB service 0 and the management VRRP group.

[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit
# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0
# Bind the WLAN service to the HSB group.

[AC1] hsb-service-type ap hsb-group 0
# Bind the DHCP service to the HSB group.

[AC1] hsb-service-type dhcp hsb-group 0
# Enable hot standby.

[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit
Configure VRRP hot standby on AC2
# Set the state recovery delay of the VRRP group to 60 seconds.

[AC2] vrrp recover-delay 60
# Create the management VRRP group on AC2.

[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit
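# Create HSB service 0 on AC2, configure the IP addresses and port numbers of its active/standby channel, and set the retransmission count and sending interval of HSB service packets.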

[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit
# Create HSB group 0 on AC2 and bind it to HSB service 0 and the management VRRP group.

[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit
# Bind the NAC service to the HSB group.

[AC2] hsb-service-type access-user hsb-group 0
# Bind the WLAN service to the HSB group.

[AC2] hsb-service-type ap hsb-group 0
# Bind the DHCP service to the HSB group.

[AC2] hsb-service-type dhcp hsb-group 0
Configure WLAN services on AC1
Configure system parameters on AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y  
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3
Import the AP offline on AC1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y  
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information: P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP              Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    00e0-fc76-e360 area_1 ap-group1 10.23.100.254   AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1
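Configure WLAN service parameters on AC1.
# Create the security profile "wlan-net" and configure the security policy.

This example uses the WPA-WPA2+PSK+AES security policy with the password "a1234567". In a real deployment, configure a security policy that meets your actual requirements.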

[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit
# Create the SSID profile "wlan-net" and set the SSID name to "wlan-net".

[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile "wlan-net", configure the service data forwarding mode and the service VLAN, and bind the security profile and SSID profile to it.

[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile to the AP group so that radio 0 and radio 1 on the AP both use the configuration of VAP profile "wlan-net".

[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
Configure the private WLAN configuration on AC2
# Configure the source address of AC2.

[AC2] capwap source ip-address 10.23.100.3
Configure DTLS encryption for the inter-AC control tunnel
# Configure DTLS encryption for the inter-AC control tunnel on AC1.
[AC1] capwap dtls inter-controller psk a1234567
[AC1] capwap dtls inter-controller control-link encrypt 
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]:y 
[AC1] wlan
# Configure DTLS encryption for the inter-AC control tunnel on AC2.
[AC2] capwap dtls inter-controller psk a1234567
[AC2] capwap dtls inter-controller control-link encrypt 
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]:y 
[AC2] wlan
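Configure wireless configuration synchronization in the VRRP hot standby scenario
# Configure wireless configuration synchronization on AC1.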
[AC1-wlan-view] master controller
[AC1-master-controller] master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk H@123456
[AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC1-master-controller] quit
[AC1-wlan-view] quit
# Configure wireless configuration synchronization on AC2.
[AC2-wlan-view] master controller
[AC2-master-controller] master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk H@123456
[AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC2-master-controller] quit
[AC2-wlan-view] quit
# Configure scheduled synchronization on AC1.

[AC1-wlan-view] synchronize-configuration auto interval 1440 start-time 01:00:00
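Manually trigger wireless configuration synchronization
# Run the display sync-configuration status command to check the wireless configuration synchronization status. The status is "cfg-mismatch". Manually trigger synchronization of the wireless configuration from the Master AC to the Backup Master AC, then wait for the Backup Master AC to finish restarting automatically.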

[AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role    Device Type     Version        Status                           Last synced
----------------------------------------------------------------------------------------------------
10.23.102.2   Backup  AC              V200R019C10    cfg-mismatch(config check fail)  -
----------------------------------------------------------------------------------------------------
Total: 1
[AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y
Enable hot standby on AC2
# Enable hot standby.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit
Verify the configuration
Check VRRP.

# After completing the configuration above, run the display vrrp command on AC1 and on AC2. The State field shows Master on AC1 and Backup on AC2.

[AC1] display vrrp
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 1800 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2016-11-17 16:58:22
    Last change time : 2016-11-17 16:58:25
[AC2] display vrrp
  Vlanif100 | Virtual Router 1
    State : Backup
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2016-11-17 02:31:42 UTC-07:00
    Last change time : 2016-11-17 02:32:21 UTC-07:00
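# Run the display hsb-service 0 command on AC1 and AC2 to check whether the HSB service has been established. The Service State field shows Connected, which indicates that the active/standby service channel has been established.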

[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.102.1
  Peer IP Address        : 10.23.102.2
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 3
  Keep Alive Interval    : 6
  Service State          : Connected
  Service Batch Modules  :
  Shared-key             : -
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.102.2
  Peer IP Address        : 10.23.102.1
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 3
  Keep Alive Interval    : 6
  Service State          : Connected
  Service Batch Modules  :
  Shared-key             : -
----------------------------------------------------------
# Run the display hsb-group 0 command on AC1 and AC2 to check the running status of the HSB group.

[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif100
  Service Index               : 0
  Group Vrrp Status           : Master
  Group Status                : Active
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC    
  Peer Group Software Version : V200R019C10
  Group Backup Modules        : Access-user
                                AP
                                DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif100
  Service Index               : 0
  Group Vrrp Status           : Backup
  Group Status                : Inactive
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC    
  Peer Group Software Version : V200R019C10
  Group Backup Modules        : Access-user
                                AP
                                DHCP
---------------------------------------------------------
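Check wireless configuration synchronization.

# Run the display sync-configuration status command on the Master AC and on the Backup Master AC to check the wireless configuration synchronization status. The status "up" indicates that wireless configuration synchronization is working properly.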
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role    Device Type     Version              Status        Last synced
-----------------------------------------------------------------------------------------
10.23.102.2   Backup  AC              V200R019C10          up       2017-09-01/11:18:15
-----------------------------------------------------------------------------------------
Total: 1
[AC2] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role    Device Type     Version              Status        Last synced
-----------------------------------------------------------------------------------------
10.23.102.1   Master  AC              V200R019C10          up       2017-09-01/11:18:25
-----------------------------------------------------------------------------------------
Total: 1
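Wireless users connected to the AP can discover the WLAN with the SSID "wlan-net" and go online normally.

# Restart the active AC to simulate an active AC failure and verify the backup configuration. Restart AC1; when the link between the AP and AC1 goes down, AC2 becomes the active AC, which keeps services stable.

Before restarting the AC, run the save command to save the configuration file on the AC so that the configuration is not lost after the restart.

# While AC1 is restarting, services on STAs are not interrupted. The AP goes online on AC2; run the display ap all command on AC2 to see the AP state change from standby to normal.

# After AC1 restarts and recovers, a switchback is triggered and the AP automatically goes online on AC1 again.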
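
The checks in this section can be scripted for use after every change window. The following Python code is an added example, not part of the original article or of Huawei's tooling: it parses the display vrrp, display hsb-service 0 and display sync-configuration status output shown above and reports anything that would prevent a clean failover. The function names are assumptions, and the embedded sample output is trimmed from the output in this article.

```python
import re

# Constructed sample input: trimmed copies of the command output shown in this article.
VRRP = {
    "AC1": """  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
""",
    "AC2": """  Vlanif100 | Virtual Router 1
    State : Backup
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
""",
}
HSB = {
    "AC1": """  Local IP Address       : 10.23.102.1
  Peer IP Address        : 10.23.102.2
  Source Port            : 10241
  Destination Port       : 10241
  Service State          : Connected
""",
    "AC2": """  Local IP Address       : 10.23.102.2
  Peer IP Address        : 10.23.102.1
  Source Port            : 10241
  Destination Port       : 10241
  Service State          : Connected
""",
}
SYNC_UP = """Controller IP Role    Device Type     Version              Status        Last synced
10.23.102.2   Backup  AC              V200R019C10          up       2017-09-01/11:18:15
"""
SYNC_MISMATCH = """Controller IP Role    Device Type     Version        Status                           Last synced
10.23.102.2   Backup  AC              V200R019C10    cfg-mismatch(config check fail)  -
"""

# One peer row: IP, role, device type, version, status (may contain spaces), last synced.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*?)\s+(\S+)\s*$")


def parse_fields(text):
    """Parse 'Key : Value' lines from display vrrp / display hsb-service output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_sync_status(text):
    """Parse the peer rows of display sync-configuration status."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, role, _dev, version, status, last = m.groups()
            rows.append({"ip": ip, "role": role, "version": version,
                         "status": status, "last_synced": last})
    return rows


def check_readiness(vrrp, hsb, sync):
    """vrrp and hsb map the two AC names to their command output; sync is the master's output."""
    problems = []
    v = [parse_fields(out) for out in vrrp.values()]
    states = sorted(f.get("State", "?") for f in v)
    if states != ["Backup", "Master"]:
        problems.append(f"VRRP states are {states}, expected one Master and one Backup")
    if len({f.get("Virtual IP") for f in v}) != 1:
        problems.append("VRRP virtual IP differs between the ACs")
    if len({f.get("Master IP") for f in v}) != 1:
        problems.append("the ACs disagree on the VRRP master address")
    h = {name: parse_fields(out) for name, out in hsb.items()}
    for name, f in h.items():
        if f.get("Service State") != "Connected":
            problems.append(f"{name}: HSB service state is {f.get('Service State')}")
    a, b = list(h.values())  # assumes exactly two ACs, as in this article
    if (a.get("Local IP Address"), a.get("Peer IP Address")) != \
            (b.get("Peer IP Address"), b.get("Local IP Address")):
        problems.append("HSB channel addresses are not mirrored")
    if a.get("Source Port") != b.get("Destination Port"):
        problems.append("HSB channel ports do not match")
    rows = parse_sync_status(sync)
    if not rows:
        problems.append("no peer listed in sync-configuration status")
    for row in rows:
        if row["status"] != "up":
            problems.append(f"peer {row['ip']} sync status is {row['status']}")
    return problems


if __name__ == "__main__":
    for p in check_readiness(VRRP, HSB, SYNC_MISMATCH) or ["ready for failover"]:
        print(p)
```
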

Configuration files

Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 eth-trunk 10
#
interface GigabitEthernet0/0/3
 eth-trunk 10
#
return
Configuration file of the CSS

#
sysname CSS
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#  
interface GigabitEthernet1/1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/1/0/2
 eth-trunk 10
#
interface GigabitEthernet2/1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet2/1/0/2
 eth-trunk 10
#
return
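Comparison of the AC1 and AC2 configuration files (bold text marks the hot standby and wireless configuration synchronization configuration on AC1 and AC2; italic text marks the public configuration that AC1 synchronizes automatically to AC2)
Table 2 Configuration file comparison (the AC1 listing comes first, followed by the AC2 listing)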
AC1

AC2

#
 sysname AC1
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1800
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
capwap dtls inter-controller control-link encrypt on
capwap dtls inter-controller psk %^%#*w\Z<afXL3.gRk5g|%CD62YcG!x.)Ks:m6(}V:PD%^%
#
hsb-service 0
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 synchronize-configuration auto interval 1440 start-time 01:00:00
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 46 ap-mac 00e0-fc76-e360 ap-sn 21500826402SF6902787
  ap-name area_1
  ap-group ap-group1
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif100
  master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk %^%#`P0}*pN+2P=Qf%V={&JQX(NhE"MP,/rC"F6%vqZF%^%#
#
return
#
 sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable 
dhcp server database recover 
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1 
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
capwap dtls inter-controller control-link encrypt on
capwap dtls inter-controller psk %^%#*w\Z<afXL3.gRk5g|%CD62YcG!x.)Ks:m6(}V:PD%^%
#
hsb-service 0 
 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6  
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 synchronize-configuration auto interval 1440 start-time 01:00:00
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 46 ap-mac 00e0-fc76-e360 ap-sn 21500826402SF6902787
  ap-name area_1
  ap-group ap-group1
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif100
  master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk %^%#7KXNDf(-X/No\4)i&z|./NQ@)WDlUT'`K33Mef47%^%#
#
return
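
The requirement that the DHCP address pool settings match on both ACs, and the AC1/AC2 comparison above, can be checked offline against saved configuration files. The following Python code is an added example, not from the original article or from Huawei: it parses two configurations and reports drift in the DHCP exclusions, the VRRP virtual IP, the mirrored HSB and configuration synchronization channel addresses, and the shared WLAN configuration. The function names are assumptions; the sample configurations are abbreviated from the listings above, with the PSK ciphertext replaced by a placeholder.

```python
# Constructed sample input: abbreviated from the AC1 and AC2 listings above;
# "<cipher>" is a placeholder for the encrypted PSK.
AC1_CFG = """\
#
sysname AC1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
hsb-service 0
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
#
wlan
 ssid-profile name wlan-net
  ssid wlan-net
 master controller
  master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk <cipher>
#
"""
AC2_CFG = """\
#
sysname AC2
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
hsb-service 0
 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
#
wlan
 ssid-profile name wlan-net
  ssid wlan-net
 master controller
  master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk <cipher>
#
"""


def parse_config(text):
    """Map each top-level config line to the list of its indented child lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None
        elif raw[0] != " " or current is None:
            current = line
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def find(lines, prefix):
    """Return the first line that starts with prefix, or None."""
    return next((l for l in lines if l.startswith(prefix)), None)


def arg(line, key):
    """Return the value after a keyword, skipping an optional 'ip-address' token."""
    tokens = line.split()
    if key not in tokens:
        return None
    i = tokens.index(key) + 1
    return tokens[i + 1] if tokens[i] == "ip-address" else tokens[i]


def compare_acs(cfg_a, cfg_b):
    """Return a list of drift findings between the active and standby AC configurations."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    findings = []
    va, vb = a.get("interface Vlanif100", []), b.get("interface Vlanif100", [])
    excl = lambda ls: sorted(l for l in ls if l.startswith("dhcp server excluded-ip-address"))
    if excl(va) != excl(vb):
        findings.append("DHCP excluded-ip-address ranges differ on Vlanif100")
    vip = lambda ls: sorted(l for l in ls if "virtual-ip" in l)
    if not vip(va) or vip(va) != vip(vb):
        findings.append("VRRP virtual-ip is not identical on both ACs")
    channels = (("hsb-service 0", "service-ip-port", "HSB"),
                ("wlan", "master-redundancy peer-ip", "configuration synchronization"))
    for header, prefix, label in channels:
        la, lb = find(a.get(header, []), prefix), find(b.get(header, []), prefix)
        if not la or not lb:
            findings.append(f"{label} channel is missing on one AC")
        elif (arg(la, "local-ip"), arg(la, "peer-ip")) != (arg(lb, "peer-ip"), arg(lb, "local-ip")):
            findings.append(f"{label} channel local/peer addresses are not mirrored")
        elif "local-data-port" in la and arg(la, "local-data-port") != arg(lb, "peer-data-port"):
            findings.append(f"{label} channel ports do not match")
    # The per-device master-redundancy peer line is private; everything else under wlan is shared.
    public = lambda s: [l for l in s.get("wlan", []) if not l.startswith("master-redundancy peer-ip")]
    if public(a) != public(b):
        findings.append("WLAN public configuration differs; synchronize from the master AC")
    return findings
```
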

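Original content statement: This article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

In case of infringement, contact cloudcommunity@tencent.com for removal.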
