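Huawei Wireless AC Active/Standby Configuration Example
1. VRRP hot-standby scenario, licensing: the license is imported on the active controller. The standby controller has a trial license that lets it take over the APs, but it is valid for only 30 days.
2. Configure network connectivity between the APs, the ACs and the other network devices.
3. Configure a VRRP group on AC1 and AC2. AC1 is given the higher priority and acts as the master device that forwards traffic; AC2 is given the lower priority and acts as the backup device.
4. Configure hot standby (HSB) so that service information on AC1 is backed up to AC2 over the backup link, both in batch and in real time, ensuring that services switch over to the backup device without interruption if the master device fails.
5. Configure wireless configuration synchronization for the VRRP hot-standby scenario.
6. For a Huawei wireless controller to manage Huawei eKit (坤灵) wireless APs, the AC firmware must be upgraded to the latest version (V200R024C00); otherwise some newer APs are not recognized.
7. Run dis esn or log in to the web UI to obtain the ESN, then go to the official website and use the password to download the license file. License files can be stacked.
# Configure VLAN100, VLAN101 and the DHCP address pools on the core switch; the core switch acts as the Layer 3 gateway
# Configure GE0/0/1, the AC1 interface that connects to the switch, as a trunk. VLAN100 is the management VLAN and VLAN101 is the service VLAN; local forwarding mode is used. The standby AC is configured the same way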
system-view
[HUAWEI] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit
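# Create the CAPWAP interface and reuse it as the in-band management address (a separate VLAN can also be created for in-band management). VLAN100 is later also used as the VRRP interface for synchronizing state information. The standby AC's IP is 10.23.100.2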
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] management-interface
[AC1-Vlanif100] quit
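# Add GE0/0/2, the AC1 interface that connects to AC2, to VLAN102. Port 2 and VLAN102 are later used as the configuration synchronization link. The standby AC is configured the same way, with IP 10.23.102.2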
[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] stp disable
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
# Set the VRRP group state recovery delay to 60 seconds; the standby AC is configured the same way
[AC1] vrrp recover-delay 60
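Create the management VRRP group on AC1, set AC1's priority in the group to 120 so that it is the master AC, and set the preemption delay to 1800 seconds. The standby AC is configured the same way, except that its priority is changed to 100 and preemption is disabled.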
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit
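# Create HSB service 0 on AC1 and configure the IP addresses and port numbers of its active/standby channel, plus the retransmission count and sending interval of HSB service packets. On the standby AC, mirror the configuration (local and peer swapped).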
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
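# Create HSB group 0 on AC1 and bind it to HSB service 0 and the management VRRP group, so that an HSB switchover occurs when the VRRP role changes. The standby AC is configured the same way.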
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit
# Bind the NAC service, AP state and DHCP state to the HSB group for state synchronization. The standby AC is configured the same way.
[AC1] hsb-service-type access-user hsb-group 0
[AC1] hsb-service-type ap hsb-group 0
[AC1] hsb-service-type dhcp hsb-group 0
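# Enable hot standby (at this point the ACs should be cabled with port 1 to the switch and port 2 interconnecting the two ACs). Do not enable the service on the standby AC yet; enable it on the master AC only.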
[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit
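# Configure the CAPWAP source. The VRRP address is used here to build the CAPWAP tunnel. The following commands are mandatory, otherwise the configuration cannot be synchronized. The standby AC is configured the same way.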
[AC1] capwap source ip-address 10.23.100.3
[AC1] capwap dtls inter-controller psk Admin@123.
[AC1] capwap dtls inter-controller data-link encrypt
[AC1] capwap dtls inter-controller control-link encrypt on
[AC1] capwap dtls psk Admin@123.
[AC1] capwap dtls version1.0 enable
[AC1] capwap dtls cbc enable
# Start configuring services; importing APs:
[AC1] wlan
[AC1-wlan-view] temporary-management psk Admin@123.
[AC1-wlan-view] ap username admin password cipher Admin@123.
[AC1-wlan-view] ap auth-mode mac-auth / ap auth-mode no-auth (recommended: use no authentication during initial deployment, then switch to MAC authentication once all APs are online)
[AC1-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC1-wlan-ap-0] ap-name AP0_QuYu_1
[AC1-wlan-ap-0] ap-group name default
Warning: This operation may cause AP to go offline and then online. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
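[AC1-wlan-view] display ap all (at this point the AP should be shown as online)
# Service configuration only needs to be done on the master AC
# Start configuring the wireless service (this part can be done in the web UI at https://10.23.100.1 or on the command line; the command line is used here). SSID wlan-net, password YsH_2022, a WLAN for VLAN101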
[AC1] wlan
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase YsH_2022 aes
[AC1-wlan-sec-prof-wlan-net] quit
# Create an SSID profile named "wlan-net" and set the SSID name to "wlan-net".
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
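# Create a VAP profile named "wlan-net", configure the service data forwarding mode and the service VLAN, and reference the security profile and the SSID profile.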
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Configure the AP group to reference the VAP profile; radio 0 and radio 1 on the APs both use the configuration of VAP profile "wlan-net".
[AC1-wlan-view] ap-group name default
[AC1-wlan-ap-group-default] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-default] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-default] quit
[AC1-wlan-view] quit
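# Configure wireless configuration synchronization on AC1; on the standby AC, mirror the configuration (local and peer swapped).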
[AC1-wlan-view] master controller
[AC1-master-controller] master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk YsH_2022
[AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC1-master-controller] quit
[AC1-wlan-view] quit
# Configure scheduled synchronization on AC1.
[AC1-wlan-view] synchronize-configuration auto interval 1440 start-time 01:00:00
Other management-related configuration:
http secure-server server-source -i Vlanif100
ssh server-source -i Vlanif100
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
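Everything else can be configured in the web UI, including wireless optimization, wireless services, changing APs to static IP addresses, NTP, syslog, SNMP and so on.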
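Added example (not part of the original guide): a Python check over the secret-bearing commands used in the configuration above. It reports which functions share one secret and which settings are worth revisiting once the deployment phase is over. The sample text is constructed from this page's commands with prompts stripped; audit() and the two pattern tables are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: secret-bearing and hardening-relevant commands from the
# configuration above, CLI prompts stripped.
SAMPLE_CONFIG = """\
capwap dtls inter-controller psk Admin@123.
capwap dtls psk Admin@123.
capwap dtls version1.0 enable
capwap dtls cbc enable
temporary-management psk Admin@123.
ap username admin password cipher Admin@123.
ap auth-mode no-auth
security wpa-wpa2 psk pass-phrase YsH_2022 aes
master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk YsH_2022
"""

# (label, regex capturing the secret) for each secret-bearing command on the page.
SECRET_PATTERNS = [
    ("inter-controller DTLS PSK", r"^capwap dtls inter-controller psk (\S+)"),
    ("AP DTLS PSK", r"^capwap dtls psk (\S+)"),
    ("temporary-management PSK", r"^temporary-management psk (\S+)"),
    ("AP login password", r"^ap username \S+ password cipher (\S+)"),
    ("SSID pass-phrase", r"^security \S+ psk pass-phrase (\S+)"),
    ("master-redundancy PSK", r"^master-redundancy .* psk (\S+)"),
]
# Settings to revisit after deployment (legacy DTLS options, open AP onboarding).
REVIEW_PATTERNS = [
    ("DTLS 1.0 enabled", r"^capwap dtls version1\.0 enable"),
    ("DTLS CBC cipher suites enabled", r"^capwap dtls cbc enable"),
    ("AP onboarding without authentication", r"^ap auth-mode no-auth"),
]

def audit(config):
    """Return groups of functions sharing one secret, and matched review items."""
    uses, review = defaultdict(list), []
    for raw in config.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())  # drop "[AC1-...]" prompt
        for label, pattern in SECRET_PATTERNS:
            match = re.match(pattern, line)
            if match:
                uses[match.group(1)].append(label)
        review += [label for label, pattern in REVIEW_PATTERNS if re.match(pattern, line)]
    # Report labels only, so the secrets themselves never reach the output.
    reused = [labels for labels in uses.values() if len(labels) > 1]
    return {"reused": reused, "review": review}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```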
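# Manually trigger wireless configuration synchronization
# Run display sync-configuration status to view the wireless configuration synchronization status; the status is "cfg-mismatch". Synchronization of the wireless configuration to the Backup Master AC must be triggered manually on the Master AC. Wait for the Backup Master AC to finish rebooting automatically.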
[AC1] display sync-configuration status
[AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y
Enable hot standby on AC2
# Enable hot standby.
[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit
Check the configuration results
Check VRRP.
# After completing the configuration above, run display vrrp on AC1 and AC2. The State field shows Master on AC1 and Backup on AC2.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 00e0-fc00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2016-11-17 16:58:22
Last change time : 2016-11-17 16:58:25
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 00e0-fc00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2016-11-17 02:31:42 UTC-07:00
Last change time : 2016-11-17 02:32:21 UTC-07:00
# Run display hsb-service 0 on AC1 and AC2 to check whether the active/standby service has been established. The Service State field shows Connected, which means the active/standby service channel has been established successfully.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------
# Run display hsb-group 0 on AC1 and AC2 to check how the HSB group is running.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Backup State : Ended
Backup Start Time : THU, 14 Sep 2023 14:30:46
Peer Group Device Name : AC
Peer Group Software Version : V200R024C00
Group Backup Modules : Access-user
                       AP
                       DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Backup State : Ended
Backup Start Time : THU, 14 Sep 2023 14:30:46
Peer Group Device Name : AC
Peer Group Software Version : V200R024C00
Group Backup Modules : Access-user
                       AP
                       DHCP
---------------------------------------------------------
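Check wireless configuration synchronization.
# Run display sync-configuration status on the Master AC and on the Backup Master AC to view the wireless configuration synchronization status. A status of "up" means that wireless configuration synchronization is working normally.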
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------
10.23.102.2 Backup AC V200R024C00 up 2017-09-01/11:18:15
-----------------------------------------------------------------------------------------
Total: 1
[AC2] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------
10.23.102.1 Master AC V200R024C00 up 2017-09-01/11:18:25
-----------------------------------------------------------------------------------------
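Total: 1
Wireless users under the APs can discover the WLAN with SSID "wlan-net" and come online normally.
# Simulate a master AC failure by rebooting the master AC, to verify the backup configuration. Reboot AC1; once the link between the APs and AC1 is interrupted, AC2 becomes the master AC, keeping services stable.
Before rebooting the AC, run the save command to save the configuration file on the AC so that the configuration is not lost after the reboot.
# While AC1 is rebooting, services on the STAs are not interrupted. The APs switch over and come online on AC2; running display ap all on AC2 shows the AP state changing from standby to normal.
# After AC1 has rebooted and recovered and the active/standby switchback is triggered, the APs automatically come back online on AC1.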
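Added example (not part of the original guide): a Python check that takes the display vrrp and display hsb-service 0 output captured from both ACs and confirms the pair is consistent, that is, exactly one Master, the same virtual IP and Master IP on both sides, and the HSB channel Connected. The captures below are constructed and abridged from the output shown in this section; parse() and check_pair() are hypothetical names.

```python
# Constructed captures: per AC, an abridged `display vrrp` followed by the
# Service State line of `display hsb-service 0`.
AC1_OUTPUT = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
Service State : Connected
"""
AC2_OUTPUT = """\
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
Service State : Connected
"""

def parse(text):
    """Parse 'Key : Value' lines of display output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:  # lines without a ' : ' separator (titles, rulers) are skipped
            fields[key.strip()] = value.strip()
    return fields

def check_pair(first_text, second_text):
    """Return a list of inconsistencies between the two ACs (empty if healthy)."""
    first, second = parse(first_text), parse(second_text)
    problems = []
    # Two Masters at once indicates split brain; two Backups means no AC serves the VIP.
    states = sorted(d.get("State", "?") for d in (first, second))
    if states != ["Backup", "Master"]:
        problems.append(f"expected one Master and one Backup, got {states}")
    # Both sides must agree on the virtual IP and on who the current master is.
    for key in ("Virtual IP", "Master IP"):
        if first.get(key) != second.get(key):
            problems.append(f"{key} differs: {first.get(key)} vs {second.get(key)}")
    # Without a Connected HSB channel, user, AP and DHCP state is not being backed up.
    for name, d in (("first", first), ("second", second)):
        if d.get("Service State") != "Connected":
            problems.append(f"HSB service on {name} AC is not Connected")
    return problems

if __name__ == "__main__":
    print(check_pair(AC1_OUTPUT, AC2_OUTPUT) or "pair is consistent")
```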