candace-powers
L2 Deployment
In an L2 deployment, the WLAN controller acts as an Ethernet bridge
- After authentication, frames from the client are bridged onto the L2 network
802.1q VLANs can be used
- Clients can all be on the same VLAN
- A client can be assigned to a VLAN based on ESSID, location, or authentication result (802.1x)
Uplink ports can be 802.1q tagged
- Or a different physical uplink port can be used per VLAN
Address assignment is normally through an external DHCP server (an internal DHCP server is available)
- The client broadcasts for DHCP; the controller bridges the broadcast on the user's VLAN
Theory of Operations
[Figures: a sequence of network diagrams showing the Data Center (DHCP and E-mail servers), First Floor and Second Floor, with VLANs 10, 11 and 14. Labels recoverable from the diagrams:]
- AP1/1st Floor: 10.1.10.96
- AP2/1st Floor: 10.1.10.68
- AP3/2nd Floor: 10.1.11.42
- AP4/2nd Floor: 10.1.11.36
- Mobility Controller: VLAN 14: 10.1.14.6/24; loopback: 10.1.14.7/32; VLAN 100; VLAN 101
- Layer 3 switch: VLAN 100: 10.1.100.1/24; VLAN 101: 10.1.101.1/24
- 802.1q: 14, 100, 101
- ap group "1st Floor": vlan 100
- ap group "2nd Floor": vlan 101
- 150-200 users per VLAN
- DHCP Request: 802.11, 802.3, GRE; SIP: 10.96, DIP: 14.7
- DHCP Reply 10.1.100.32: 802.11, 802.3, GRE; SIP: 14.7, DIP: 10.96
- DHCP Renew 10.1.100.32: 802.11, 802.3, GRE; SIP: 11.42, DIP: 14.7
- DHCP Reply 10.1.100.32: 802.11, 802.3, GRE; SIP: 14.7, DIP: 11.42
Logging in to the Controller
Using the GUI
- https://x.x.x.x:4343
- default IP address: 172.16.0.254
Using the CLI
- Connect the console cable to the controller serial port
- serial setting: 9600 8 n 1
Groups and Properties
[Figure: AP Group profile diagram. Labels recoverable from the diagram:]
- AP Group
- Categories: Wireless LAN, RF Management, AP, QoS, IDS
- Profiles: Virtual AP (Properties, SSID, AAA); a/g Radio Settings; RF Optimizations; System Profile; Ethernet; Regulatory; SNMP; VoIP; a/g Management
Configuration Example
In the lab, for security reasons, the SSIDs are divided into:
- student: WPA2-PSK
- Guest: web authentication, cannot access the student VLAN
VLAN assignment:
- student: VLAN 1, IP 192.168.1.0/24
- Guest: VLAN 11, IP 192.168.11.0/24
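The guest isolation requirement above depends on rule order in a first-match firewall policy. This added example (not from the original slides, and a Python model rather than controller syntax) evaluates a constructed guest policy against the page's two subnets and flags a deny rule shadowed by an earlier permit; the client addresses and rule tuples are assumptions.

```python
import ipaddress

# Subnets from the lab example on this page.
STUDENT_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.11.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule sets: (source network, destination network, action).
# Correct order: block the student VLAN first, then allow everything else.
GUEST_POLICY = [
    (GUEST_NET, STUDENT_NET, "deny"),
    (GUEST_NET, ANY, "permit"),
]
# Same rules in the wrong order: the broad permit shadows the deny.
GUEST_POLICY_SHADOWED = list(reversed(GUEST_POLICY))


def evaluate(policy, src, dst):
    """Return the action of the first rule matching src -> dst (implicit deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in policy:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "deny"


def shadowed_rules(policy):
    """List rules that can never match because an earlier rule covers them."""
    dead = []
    for i, (src_net, dst_net, action) in enumerate(policy):
        for prev_src, prev_dst, _ in policy[:i]:
            if src_net.subnet_of(prev_src) and dst_net.subnet_of(prev_dst):
                dead.append((str(src_net), str(dst_net), action))
                break
    return dead


if __name__ == "__main__":
    guest = "192.168.11.50"  # constructed guest client address
    for name, pol in (("correct", GUEST_POLICY), ("shadowed", GUEST_POLICY_SHADOWED)):
        print(name,
              evaluate(pol, guest, "192.168.1.20"),   # constructed student host
              evaluate(pol, guest, "203.0.113.10"),   # constructed outside host
              shadowed_rules(pol))
```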
Example Architecture: Wireless Access
[Figure: Internet, Firewall or IP sharing, Switch, 2.4 or 5 GHz wireless; addresses 192.168.1.250/24, 192.168.1.254/24, 192.168.1.249/24]
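Configuration Steps
- Add the student and Guest VLANs, IPs and DHCP
- Add the student and Guest SSIDs
- Configure the student attributes and role
- Configure the Guest firewall policy and role
- Add the student and Guest AAA profiles
- Add the student and Guest Virtual AP profiles
- Add a Group
- Add the APs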
Configure the Guest VLAN IP
- Set the VLAN 11 IP address (red box 1 in the figure below)
- Red box 2 in the figure below: enable NAT
- Apply
[Figure: VLAN 11, 192.168.11.254, 255.255.255.0; callouts 1, 2, 3]
Edit the student AAA profile
- Click AAA-Student -> edit its contents
- Apply the authenticated role to the AAA-Student profile, 802.1x authentication default role
[Figure: screenshot with callouts 1, 2, 3]
Add the student and Guest Virtual AP profiles
- First enter VAP-student in the blue box -> Add
- After VAP-student has been added, enter VAP-Guest in the blue box -> Add
Edit the VAP-Guest profile
- Set the VAP-Guest SSID profile: select SSID profile SSID-Guest
- Set the VAP-Guest AAA profile: select AAA profile AAA-Guest
[Figure: screenshot with callouts 1, 2, 3]
Example Architecture: Mesh
[Figure: Internet, Firewall or IP sharing, 5 GHz and 2.4 GHz links; addresses 192.168.1.250/24, 192.168.1.254/24, 192.168.1.249/24, 192.168.1.248/24, 192.168.1.247/24]
Edit the Mesh Radio Profile
Reselection mode:
1. reselect-anytime
2. reselect-never
3. startup-subthreshold
4. subthreshold-only
Metric algorithm:
1. best-link-rssi
2. distributed-tree-rssi
Concept Review: AP Boot Process
1. Acquire IP Address
2. “Discover” a controller
3. Update code if necessary
4. Obtain configuration information
5. Build GRE
6. Enable radio
AP setting commands
Clear the settings:
purge
Change the AP's IP:
setenv ipaddr x.x.x.x
setenv netmask x.x.x.x
setenv gatewayip x.x.x.x
setenv name xxx
Save:
save
Show the settings:
print
Reboot:
boot