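Huawei: Configuring Ethernet over GRE for Layer 2 Interworking Between an AC and a Wireless Gateway
Networking Diagram
Figure 1 Networking diagram for Layer 2 interworking between the AC and the wireless gateway through Ethernet over GRE
Networking Requirements
As shown in Figure 1, an enterprise provides Internet access to users over a wireless network. The APs provide access for user traffic, the AC manages AP access and authenticates users, and the WAG acts as the user gateway and assigns IP addresses. The AC and the WAG are connected across an IP/MPLS backbone network. Because a very large number of APs need to be connected in this scenario, the administrator deploys Ethernet over GRE between the AC and the WAG for Layer 2 interworking. This avoids problems such as heavy resource consumption caused by large numbers of GRE tunnels being frequently set up and torn down on the WAG.
Data Planning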
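Item | Data |
---|---|
Management VLAN | VLAN100 |
Service VLAN | VLAN101 |
AC source interface | VLANIF100: 10.23.100.1/24 |
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and the WAG functions as the DHCP server to assign IP addresses to STAs |
IP address pool for APs | 10.23.100.2 to 10.23.100.254/24 |
IP address pool for STAs | 10.23.101.3 to 10.23.101.254/24 |
AP group | |
Regulatory domain profile | |
SSID profile | |
Security profile | |
VAP profile | |

Item | Data |
---|---|
AC tunnel interface | |
AC VE interface | |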
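Configuration Roadmap
To meet these requirements, deploy Ethernet over GRE between the AC and the WAG. Ethernet packets are forwarded through the GRE tunnel by way of a VE interface, which provides Layer 2 interworking between the AC and the WAG.
The configuration roadmap for Ethernet over GRE is as follows:
- Run an IGP on all devices so that they can reach each other across the public network.
- Create a tunnel interface on the AC and deploy the GRE tunnel. Note that the tunnel source address is the IP address of the physical interface that sends packets, and the destination address is the IP address that receives packets.
- Create a VE interface on the AC and add it to the corresponding VLAN.
- Configure WLAN services on the AC. In this example the WLAN security policy is WPA-WPA2+PSK+AES. In a real deployment, configure the security policy that you require.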
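
The encapsulation that this roadmap relies on, as an added example (not Huawei's code): it builds one Ethernet over GRE packet between the tunnel endpoints used on this page and parses it back the way a monitoring sensor on the backbone would. GRE itself does not encrypt, so the inner MAC address and VLAN are readable in transit. Assumptions: GRE protocol type 0x6558 (Transparent Ethernet Bridging), a frame that leaves the VE trunk tagged with VLAN 101, and a constructed zero-filled payload.

```python
import struct

GRE_TEB = 0x6558  # GRE protocol type for a bridged Ethernet frame (assumed here)
TPID = 0x8100     # 802.1Q tag type, the TPID the VE interface reports

def ip4(s):
    return bytes(int(o) for o in s.split("."))

def mac(s):
    return bytes.fromhex(s.replace("-", ""))

def tagged_frame(dst, src, vlan, ethertype, payload):
    """Ethernet II frame with one 802.1Q tag (priority 0)."""
    return mac(dst) + mac(src) + struct.pack("!HHH", TPID, vlan, ethertype) + payload

def encapsulate(frame, src, dst):
    """Outer IPv4 header (protocol 47) + basic 4-byte GRE header + inner frame."""
    gre = struct.pack("!HH", 0, GRE_TEB)  # no checksum, key or sequence number
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(frame),
                     0, 0, 64, 47, 0, ip4(src), ip4(dst))  # header checksum left 0
    return ip + gre + frame

def decapsulate(pkt):
    """Fields a backbone sensor can read from one Ethernet over GRE packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 47:
        raise ValueError("not an IPv4 GRE packet")
    flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto != GRE_TEB:
        raise ValueError("GRE payload is not an Ethernet frame")
    # Checksum, key and sequence fields add 4 bytes each when their flag is set.
    off = ihl + 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    frame = pkt[off:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan = None
    if ethertype == TPID:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    src = frame[6:12].hex()
    return {"outer": (".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))),
            "src_mac": "-".join(src[i:i + 4] for i in (0, 4, 8)),
            "vlan": vlan, "ethertype": ethertype, "outer_bytes": off}

# Constructed sample: broadcast from the STA MAC shown on this page, service VLAN 101.
INNER = tagged_frame("ffff-ffff-ffff", "e019-1dc7-1e08", 101, 0x0800, bytes(46))
PACKET = encapsulate(INNER, "10.20.1.1", "10.30.1.1")
```

`decapsulate(PACKET)` reports 24 outer bytes (20 for IPv4 and 4 for GRE) in front of the inner frame, which is the per-packet overhead to account for against the 1500-byte MTU shown on the VE interface.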
Procedure
- Configure the IP addresses of the physical interfaces

  # Configure the AC.

  ```
  <HUAWEI> system-view
  [HUAWEI] sysname AC
  [AC] vlan batch 10 100 101
  [AC] interface gigabitethernet 0/0/1
  [AC-GigabitEthernet0/0/1] port link-type trunk
  [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
  [AC-GigabitEthernet0/0/1] quit
  [AC] interface gigabitethernet 0/0/2
  [AC-GigabitEthernet0/0/2] port link-type trunk
  [AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
  [AC-GigabitEthernet0/0/2] port trunk pvid vlan 100
  [AC-GigabitEthernet0/0/2] quit
  [AC] interface vlanif 10
  [AC-Vlanif10] ip address 10.20.1.1 24
  [AC-Vlanif10] quit
  ```

  # Configure the WAG. (Omitted.)
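- Configure the tunnel interface and deploy the GRE tunnel

  # This example assumes that an IGP runs on all devices to provide public network connectivity, and that, for the AC, the source interface address of the GRE tunnel is 10.20.1.1 and the destination interface address is 10.30.1.1 (the WAG).

  ```
  [AC] interface tunnel 0/0/1
  [AC-Tunnel0/0/1] tunnel-protocol gre
  [AC-Tunnel0/0/1] ip address 10.40.1.1 255.255.255.0
  [AC-Tunnel0/0/1] source 10.20.1.1
  [AC-Tunnel0/0/1] destination 10.30.1.1
  [AC-Tunnel0/0/1] quit
  ```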
- Create a VE interface and add it to the VLAN. Note that the VE interface and the inbound interface for user-side packets must be added to the same VLAN

  ```
  [AC] interface virtual-ethernet 0/0/1
  [AC-Virtual-Ethernet0/0/1] port link-type trunk
  [AC-Virtual-Ethernet0/0/1] undo port trunk allow-pass vlan 1
  [AC-Virtual-Ethernet0/0/1] port trunk allow-pass vlan 101
  [AC-Virtual-Ethernet0/0/1] quit
  ```
- Bind the VE interface to the GRE tunnel so that Ethernet packets are forwarded through the GRE tunnel

  # Configure the AC.

  ```
  [AC] interface tunnel 0/0/1
  [AC-Tunnel0/0/1] map interface virtual-ethernet 0/0/1
  [AC-Tunnel0/0/1] quit
  ```

  # Check the status of the VE interface on the AC.

  ```
  [AC] display interface virtual-ethernet
  Virtual-Ethernet0/0/1 current state : UP
  Line protocol current state : UP
  Description:HUAWEI, AC Series, Virtual-Ethernet0/0/1 Interface
  Switch Port, PVID : 1, TPID : 8100(Hex), The Maximum Transmit Unit is 1500
  IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0200-0000-00e0
  Current system time: 2018-01-23 20:16:05
  Input bandwidth utilization : 0%
  Output bandwidth utilization : 0%
  ```
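- Configure the DHCP servers to assign IP addresses to STAs and APs

  # Configure VLANIF 100 on the AC to provide IP addresses for APs.

  ```
  [AC] dhcp enable
  [AC] interface vlanif 100
  [AC-Vlanif100] ip address 10.23.100.1 24
  [AC-Vlanif100] dhcp select interface
  [AC-Vlanif100] quit
  ```

  # Provide IP addresses for STAs on the WAG. (Omitted.)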
- Bring the AP online

  # Create an AP group so that APs with the same configuration can be added to the same group.

  ```
  [AC] wlan
  [AC-wlan-view] ap-group name ap-group1
  [AC-wlan-ap-group-ap-group1] quit
  ```

  # Create a regulatory domain profile, configure the AC country code in the profile, and bind the profile to the AP group.

  ```
  [AC-wlan-view] regulatory-domain-profile name default
  [AC-wlan-regulate-domain-default] country-code cn
  [AC-wlan-regulate-domain-default] quit
  [AC-wlan-view] ap-group name ap-group1
  [AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
  Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
  [AC-wlan-ap-group-ap-group1] quit
  [AC-wlan-view] quit
  ```

  # Configure the AC source interface.

  ```
  [AC] capwap source interface vlanif 100
  ```

  # Import the AP offline on the AC and add it to the AP group "ap-group1". Assume that the MAC address of the AP is 60de-4476-e360. Name the AP according to its deployment location so that the location can be identified from the name. For example, the AP with MAC address 60de-4476-e360 is deployed in area 1, so it is named area_1.

  The default mode of the ap auth-mode command is MAC address authentication. If the default has not been changed, you do not need to run ap auth-mode mac-auth. The AP used in this example is an AP5030DN, which has two radios: radio 0 is the 2.4 GHz radio and radio 1 is the 5 GHz radio.

  ```
  [AC] wlan
  [AC-wlan-view] ap auth-mode mac-auth
  [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
  [AC-wlan-ap-0] ap-name area_1
  Warning: This operation may cause AP reset. Continue? [Y/N]:y
  [AC-wlan-ap-0] ap-group ap-group1
  Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
  [AC-wlan-ap-0] quit
  ```

  # After the AP is powered on, run the display ap all command. If the "State" field displays "nor", the AP has gone online properly.

  ```
  [AC-wlan-view] display ap all
  Total AP information:
  nor : normal [1]
  Extrainfo : Extra information
  P : insufficient power supply
  --------------------------------------------------------------------------------------------------
  ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
  --------------------------------------------------------------------------------------------------
  0    00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
  --------------------------------------------------------------------------------------------------
  Total: 1
  ```
- Configure WLAN service parameters

  # Create the security profile "wlan-net" and configure the security policy. This example uses the WPA-WPA2+PSK+AES security policy with the password "a1234567". In a real deployment, configure a security policy that meets your actual requirements.

  ```
  [AC-wlan-view] security-profile name wlan-net
  [AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
  [AC-wlan-sec-prof-wlan-net] quit
  ```

  # Create the SSID profile "wlan-net" and set the SSID name to "wlan-net".

  ```
  [AC-wlan-view] ssid-profile name wlan-net
  [AC-wlan-ssid-prof-wlan-net] ssid wlan-net
  [AC-wlan-ssid-prof-wlan-net] quit
  ```

  # Create the VAP profile "wlan-net", configure the service data forwarding mode and the service VLAN, and bind the security profile and the SSID profile to it.

  ```
  [AC-wlan-view] vap-profile name wlan-net
  [AC-wlan-vap-prof-wlan-net] forward-mode tunnel
  [AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
  [AC-wlan-vap-prof-wlan-net] security-profile wlan-net
  [AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
  [AC-wlan-vap-prof-wlan-net] quit
  ```

  # Bind the VAP profile to the AP group. Radio 0 and radio 1 of the AP both use the configuration in the VAP profile "wlan-net".

  ```
  [AC-wlan-view] ap-group name ap-group1
  [AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
  [AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
  [AC-wlan-ap-group-ap-group1] quit
  ```
- Verify the configuration

  The WLAN service configuration is delivered to the AP automatically. After the configuration is complete, run the display vap ssid wlan-net command. If "Status" displays "ON", the VAP has been created successfully on the corresponding AP radio.

  ```
  [AC-wlan-view] display vap ssid wlan-net
  WID : WLAN ID
  --------------------------------------------------------------------------------
  AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
  --------------------------------------------------------------------------------
  0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 0   wlan-net
  0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
  -------------------------------------------------------------------------------
  Total: 2
  ```

  After a STA finds the wireless network "wlan-net", enters the password "a1234567", and associates successfully, run the display station ssid wlan-net command on the AC. The output shows that the user has connected to the wireless network "wlan-net".

  ```
  [AC-wlan-view] display station ssid wlan-net
  Rf/WLAN: Radio ID/WLAN ID
  Rx/Tx: link receive rate/link transmit rate(Mbps)
  ---------------------------------------------------------------------------------
  STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
  ---------------------------------------------------------------------------------
  e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
  ---------------------------------------------------------------------------------
  Total: 1 2.4G: 0 5G: 1
  ```
Configuration File
AC configuration file

```
#
 sysname AC
#
vlan batch 10 100 to 101
#
dhcp enable
#
interface Vlanif10
 ip address 10.20.1.1 255.255.255.0
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface Virtual-Ethernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101
#
interface Tunnel0/0/1
 ip address 10.40.1.1 255.255.255.0
 tunnel-protocol gre
 source 10.20.1.1
 destination 10.30.1.1
 map interface Virtual-Ethernet0/0/1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#t2*V0VTj#9iEQkEnC)59YCFlO\*RyW5];yUs&K4W%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 21500826412SG4900740
  ap-name area_1
  ap-group ap-group1
#
return
```
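
An added example (not part of the original page or of Huawei's tooling) that checks a saved AC configuration for the relationships the procedure depends on: each GRE tunnel has a source, a destination and a mapped VE interface, and the VE trunk passes exactly the service VLAN of the VAP profile, with VLAN 1 removed. The embedded configuration is a constructed excerpt of the file above; the parser assumes that a trunk passes VLAN 1 until an `undo` line removes it.

```python
import re

# Constructed sample: the relevant lines of the AC configuration file on this page.
CONFIG = """
interface Virtual-Ethernet0/0/1
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101
#
interface Tunnel0/0/1
 tunnel-protocol gre
 source 10.20.1.1
 destination 10.30.1.1
 map interface Virtual-Ethernet0/0/1
#
wlan
 vap-profile name wlan-net
  service-vlan vlan-id 101
"""

def sections(cfg):
    """Split the file on '#' lines into {first line: [remaining lines]}."""
    blocks = ([l.strip() for l in b.split("\n") if l.strip()]
              for b in re.split(r"(?m)^#[ \t]*$", cfg))
    return {b[0]: b[1:] for b in blocks if b}

def trunk_vlans(body):
    """VLANs a trunk passes; assumes VLAN 1 is allowed until 'undo' removes it."""
    vlans = {1}
    for line in body:
        m = re.match(r"(undo )?port trunk allow-pass vlan (.+)", line)
        if m:
            ids = {v for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", m.group(2))
                   for v in range(int(lo), int(hi or lo) + 1)}
            vlans = vlans - ids if m.group(1) else vlans | ids
    return vlans

def audit(cfg):
    """Return findings for each GRE tunnel and the VE interface mapped to it."""
    sec, out = sections(cfg), []
    service = {int(v) for b in sec.values()
               for v in re.findall(r"service-vlan vlan-id (\d+)", " ".join(b))}
    for name, body in ((n, b) for n, b in sec.items() if "tunnel-protocol gre" in b):
        out += [f"{name}: missing '{k.strip()}'" for k in ("source ", "destination ", "map interface ")
                if not any(l.startswith(k) for l in body)]
        for ve in (l.split()[-1] for l in body if l.startswith("map interface ")):
            passed = trunk_vlans(sec.get("interface " + ve, []))
            out += [f"{name}: service VLAN {v} not passed" for v in sorted(service - passed)]
            out += [f"{name}: VLAN {v} bridged, not a service VLAN" for v in sorted(passed - service)]
    return out
```

`audit(CONFIG)` returns an empty list for the configuration on this page. Deleting the `undo port trunk allow-pass vlan 1` line makes it report that VLAN 1 is bridged into the tunnel.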