ENSP-旁挂式AC

提醒：如果AC不能成功上线AP，一般问题不会出在AC上，优先关注AC-AP线路上的二层或三层组网的三层交换机

拓扑图

管理VLAN：99 | 业务VLAN：100

注意点：

1.连接AP的接口需要打上pvid为管理vlan的标签
2.AC和SW4之间为access口且capwap为AC g0/0/1的vlan号
3.AC需要设置静态路由 ip route static 0.0.0.0 0.0.0.0 192.168.31.1（下一跳地址即连接的SW4的接口地址）
4.管理vlan可在AC上设置地址池和分配地址
5.业务vlan在SW4上设置，可使用vrrp在AC和SW4上都设置，可使用DHCP中继DHCP路由器
6.AC中管理 vlan 的 ip pool 设置 option 43 sub-option 3 ascii 192.168.32.2（AC的接口地址）

配置

AC4

#sysname AC
#undo http secure-server enable
#set memory-usage threshold 0
#
ssl renegotiation-rate 1 
#
vlan batch 31 99 to 100
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm defaultrsa local-key-pair defaultenrollment self-signed
#
ike proposal defaultencryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-shareintegrity-algorithm hmac-sha2-256 prf hmac-sha2-256 
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool vlan99gateway-list 172.16.99.1 network 172.16.99.0 mask 255.255.255.0 excluded-ip-address 172.16.99.10 option 43 sub-option 3 ascii 192.168.31.2 
#
aaaauthentication-scheme defaultauthentication-scheme radiusauthentication-mode radiusauthorization-scheme defaultaccounting-scheme defaultdomain defaultauthentication-scheme radiusradius-server defaultdomain default_adminauthentication-scheme defaultlocal-user admin password irreversible-cipher $1a$%2+^YaTn$#$H}QIE7T'L5<CVR+O%"
g5=KakX9!"U#*%R0NI\1&@$local-user admin service-type http
#
interface Vlanif31ip address 192.168.31.2 255.255.255.0dhcp select global
#
interface Vlanif99ip address 172.16.99.10 255.255.255.0vrrp vrid 99 virtual-ip 172.16.99.1vrrp vrid 99 priority 120dhcp select relaydhcp relay server-ip 192.168.31.2
#
interface MEth0/0/1undo negotiation autoduplex half
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 31
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21undo negotiation autoduplex half
#
interface GigabitEthernet0/0/22undo negotiation autoduplex half
#
interface GigabitEthernet0/0/23undo negotiation autoduplex half
#
interface GigabitEthernet0/0/24undo negotiation autoduplex half
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface NULL0
#snmp-agent local-engineid 800007DB03000000000000snmp-agent 
#
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.31.1
#
capwap source interface vlanif31
#
user-interface con 0
user-interface vty 0 4protocol inbound all
user-interface vty 16 20protocol inbound all
#
wlantraffic-profile name defaultsecurity-profile name defaultsecurity-profile name wlan-netsecurity wpa-wpa2 psk pass-phrase %^%#Ii5]I|1%rNlDdPCIZ/wLM'EUEeGj<L:\8g$);_CA
%^%# aessecurity-profile name default-wdssecurity-profile name default-meshssid-profile name defaultssid-profile name wlan-netssid wlan-netvap-profile name defaultvap-profile name wlan-netservice-vlan vlan-id 100ssid-profile wlan-netsecurity-profile wlan-netwds-profile name defaultmesh-handover-profile name defaultmesh-profile name defaultregulatory-domain-profile name defaultair-scan-profile name defaultrrm-profile name defaultradio-2g-profile name defaultradio-5g-profile name defaultwids-spoof-profile name defaultwids-profile name defaultwireless-access-specificationap-system-profile name defaultport-link-profile name defaultwired-port-profile name defaultserial-profile name preset-enjoyor-toeap ap-group name defaultap-group name ap-group1radio 0vap-profile wlan-net wlan 1radio 1vap-profile wlan-net wlan 1ap-id 0 type-id 56 ap-mac 00e0-fc17-3cc0 ap-sn 210235448310EE058576ap-name area_1ap-group ap-group1provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return

SW4

#
sysname SW4
#
vlan batch 10 to 14 20 31 50 99 to 100
#
stp instance 1 root primary
stp instance 2 root secondary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
aaaauthentication-scheme defaultauthorization-scheme defaultaccounting-scheme defaultdomain defaultdomain default_adminlocal-user admin password simple adminlocal-user admin service-type http
#
interface Vlanif1ip address 192.168.1.2 255.255.255.0
#
interface Vlanif10ip address 192.168.10.10 255.255.255.0vrrp vrid 10 virtual-ip 192.168.10.1vrrp vrid 10 priority 130vrrp vrid 10 track interface GigabitEthernet0/0/5 reduced 50dhcp select relaydhcp relay server-ip 192.168.12.2
#
interface Vlanif11ip address 192.168.11.2 255.255.255.0
#
interface Vlanif12
#
interface Vlanif13ip address 192.168.13.1 255.255.255.0
#
interface Vlanif14ip address 192.168.14.1 255.255.255.0
#
interface Vlanif31ip address 192.168.31.1 255.255.255.0
#
interface Vlanif50ip address 192.168.50.254 255.255.255.0
#
interface Vlanif99ip address 172.16.99.10 255.255.255.0vrrp vrid 99 virtual-ip 172.16.99.1vrrp vrid 99 priority 120dhcp select relaydhcp relay server-ip 192.168.31.2
#
interface Vlanif100ip address 172.16.100.1 255.255.255.0dhcp select relaydhcp relay server-ip 192.168.12.2
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 11
#
interface GigabitEthernet0/0/2port link-type accessport default vlan 31
#
interface GigabitEthernet0/0/3port link-type trunkundo port trunk allow-pass vlan 1port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5port link-type accessport default vlan 14
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7port link-type accessport default vlan 13
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ospf 1area 0.0.0.0network 192.168.11.0 0.0.0.255network 192.168.10.0 0.0.0.255network 192.168.14.0 0.0.0.255network 192.168.13.0 0.0.0.255network 172.16.100.0 0.0.0.255network 192.168.31.0 0.0.0.255network 172.16.99.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
#
return

LSW6

#
sysname SW6
#
vlan batch 10 99 to 100
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
aaaauthentication-scheme defaultauthorization-scheme defaultaccounting-scheme defaultdomain defaultdomain default_adminlocal-user admin password simple adminlocal-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1port link-type trunkport trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2port link-type trunkport trunk pvid vlan 99undo port trunk allow-pass vlan 1port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3port link-type trunkport trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4port link-type accessport default vlan 10
#
interface GigabitEthernet0/0/5port link-type trunkport trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#

AC参考配置

    3、AC配置：syssysname ACvlan batch 10interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 10interface Vlanif10ip address 10.1.10.2 255.255.255.0capwap source interface vlanif 10wlanregulatory-domain-profile name defaultcountry-code cnquitap-group name ap-group1regulatory-domain-profile defaultquitap auth-mode mac-authap-id 0 ap-mac 00e0-fcbd-7250ap-name area_1ap-group ap-group1quitsecurity-profile name wlan-netsecurity wpa-wpa2 psk pass-phrase 12345678 aesquitssid-profile name wlan-netssid wlan-netquitvap-profile name wlan-netforward-mode direct-forwardservice-vlan vlan-id 20security-profile wlan-netssid-profile wlan-netquitap-group name ap-group1vap-profile wlan-net wlan 1 radio 0vap-profile wlan-net wlan 1 radio 1quit