华为无线设备配置同一业务VLAN的AP间快速漫游

配置LSW和AC，使AP与AC之间能够传输CAPWAP报文
[LSW1]vlan batch 100
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[LSW1-GigabitEthernet0/0/1]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/1]port-isolate enable
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[LSW1-GigabitEthernet0/0/2]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/2]port-isolate enable
[LSW1-GigabitEthernet0/0/2]int g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100
[AC1]vlan batch 100 101 102
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

配置AC与上层网络设备互通
[AC1-GigabitEthernet0/0/2]port link-type trunk
[AC1-GigabitEthernet0/0/2]port trunk allow-pass vlan 101
[AC1-GigabitEthernet0/0/3]port link-type trunk
[AC1-GigabitEthernet0/0/3]port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/3]port trunk pvid vlan 102

配置AC作为DHCP服务器，为STA和AP分配IP地址
[AC1]dhcp enable
[AC1-Vlanif100]ip add 10.1.100.1 24
[AC1-Vlanif100]dhcp select interface
[AC1-Vlanif101]ip add 10.1.101.1 24
[AC1-Vlanif101]dhcp select interface
[AC1-Vlanif102]ip add 10.1.102.1 24 //配置VLANIF102，使AC和RADIUS服务器之间能够通信

配置AP上线
[AC1]wlan
[AC1-wlan-view]ap-group name ap-group1 //创建AP组
[AC1-wlan-view]regulatory-domain-profile name domain1 //创建域管理模板，在域管理模板下配置AC的国家码并在AP组下引用域管理模板
[AC1-wlan-regulate-domain-domain1]country-code cn
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1
[AC1]capwap source interface Vlanif 100 //配置AC的源接口
[AC1]wlan
[AC1-wlan-view]ap auth-mode mac-auth //在AC上离线导入AP，并将AP加入AP组
[AC1-wlan-view]ap-id 0 ap-mac 00e0-fc38-6cb0
[AC1-wlan-ap-0]ap-name ap1
[AC1-wlan-ap-0]ap-group ap-group1
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fcbb-30c0
[AC1-wlan-ap-1]ap-name ap2
[AC1-wlan-ap-1]ap-group ap-group1

配置RADIUS认证参数
[AC1]radius-server template radius_1 //创建RADIUS服务器模板
[AC1-radius-radius_1]radius-server authentication 10.1.102.2 1812
[AC1-radius-radius_1]radius-server shared-key cipher [email protected]
[AC1]aaa //创建RADIUS方式的认证方案
[AC1-aaa]authentication-scheme radius_1
[AC1-aaa-authen-radius_1]authentication-mode radius
[AC1-aaa]domain 123.com //创建AAA域并配置域的RADIUS服务器模板和认证方案
[AC1-aaa-domain-123.com]radius-server radius_1
[AC1-aaa-domain-123.com]authentication-scheme radius_1

配置802.1X接入模板，管理802.1X接入控制参数
[AC1]dot1x-access-profile name wlan-dot1x //配置802.1X接入模板
[AC1-dot1x-access-profile-wlan-dot1x]dot1x authentication-method eap //配置认证方式为EAP中继模式

创建认证模板，绑定802.1X接入模板，并配置用户强制域
[AC1]authentication-profile name wlan-authentication //创建认证模板
[AC1-authentication-profile-wlan-authentication]dot1x-access-profile wlan-dot1x //绑定802.1X接入模板
[AC1-authentication-profile-wlan-authentication]access-domain 123.com dot1x force //配置用户强制域

配置WLAN业务参数
[AC1-wlan-view]security-profile name wlan-security //创建安全模板，并配置安全策略
[AC1-wlan-sec-prof-wlan-security]security wpa2 dot1x aes
[AC1-wlan-view]ssid-profile name wlan-ssid //创建SSID模板，并配置SSID名称
[AC1-wlan-ssid-prof-wlan-ssid]ssid wlan-net
[AC1-wlan-view]vap-profile name wlan-vap //创建VAP模板，配置业务数据转发模式、业务VLAN，并且引用安全模板和SSID模板
[AC1-wlan-vap-prof-wlan-vap]forward-mode tunnel
[AC1-wlan-vap-prof-wlan-vap]service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap]security-profile wlan-security
[AC1-wlan-vap-prof-wlan-vap]ssid-profile wlan-ssid
[AC1-wlan-vap-prof-wlan-vap]authentication-profile wlan-authentication
[AC1-wlan-view]ap-group name ap-group1 //配置AP组引用VAP模板，AP上射频0和射频1都使用VAP模板的配置
[AC1-wlan-ap-group-ap-group1]vap-profile wlan-vap wlan 1 radio all

配置AP射频的信道和功率
[AC1-wlan-view]rrm-profile name default //关闭射频的信道和功率自动调优功能
[AC1-wlan-rrm-prof-default]calibrate auto-channel-select disable
[AC1-wlan-rrm-prof-default]calibrate auto-txpower-select disable
[AC1-wlan-view]ap-id 0 //配置AP射频0和1的信道和功率
[AC1-wlan-ap-0]radio 0
[AC1-wlan-radio-0/0]channel 20mhz 6
[AC1-wlan-radio-0/0]eirp 127
[AC1-wlan-ap-0]radio 1
[AC1-wlan-radio-0/1]channel 20mhz 149
[AC1-wlan-radio-0/1]eirp 127