ensp实操--使用模拟器配置无线网络

案例目标
（1）通过组网设计，掌握小型网络的组建、无线AC控制器的配置，对网络使用无线设备范围、无线认证和信道进行分析。
（2）综合运用路由、防火墙安全规则、NAT和无线AC控制器。
（3）通过使用无线AC控制器对网络中的无线AP进行管理，设置无线规则和认证策略，配置DHCP地址池，对无线AP和通过AP连接的设置进行动态地址分配。
案例分析
1.架构分析
（1）需求分析
对小型局域网中，对于接入设备的需求，需要再局域网中部署无线网络，通过无线控制器AC管理网络中所有的无线AP设备，下发无限配置信息。无线网络发布2.4G和5G信号，满足不同设备的连接使用。
（2）环境要求
配置虚拟网卡的计算机，华为eNSP模拟软件。
2.规划拓扑
（1）拓扑描述
防火墙连接外网网卡地址为地址为192.168.10.9/24
路由器与核心交换机连通地址为192.168.2.0/24
防火墙安全规则只允许网络中无线网络中地址可以访问外网
配置路由器与防火墙之间来连接地址为192.168.5.0/24网段，配置与交换机换脸地址为192.168.2.2/24
核心交换机配置vlan3为连接无线网络设备，网关地址为172.16.3.1/24，配置vlan1002为连接路由器，IP地址为192.168.2.1/24
AC控制器管理地址为192.168.3.1/24，设置vlan1003为AC和AP之间管理VLAN，配置DHCP地址池，使AP可以自动获取管理地址
（2）拓扑图
注意：防火墙使用USG5500,路由器使用AR2220,AC使用AC6005,AP使用AP2050

各个配置
1.配置Cloud
添加Cloud设备拖入拓扑中，双击Cloud设备进行配置

2.配置设备
（1）LSW2交换机配置

<Huawei>system-view
[Huawei]sysname S2
[S2]vlan batch 3 1003
[S2]interface GigabitEthernet 0/0/3
[S2-GigabitEthernet0/0/3]port link-type trunk
[S2-GigabitEthernet0/0/3]port trunk pvid vlan 1003
[S2-GigabitEthernet0/0/3]port trunk allow-pass vlan 3 1003
[S2-GigabitEthernet0/0/3]quit
[S2]interface GigabitEthernet 0/0/4
[S2-GigabitEthernet0/0/4]port link-type trunk
[S2-GigabitEthernet0/0/4]port trunk pvid vlan 1003
[S2-GigabitEthernet0/0/4]port trunk allow-pass vlan 3 1003
[S2-GigabitEthernet0/0/4]quit
[S2]interface GigabitEthernet 0/0/1
[S2-GigabitEthernet0/0/1]port link-type trunk
[S2-GigabitEthernet0/0/1]port link-type trunk

（2）LSW1交换机配置

<Huawei>system-view
[Huawei]sysname S1
[S1]vlan batch 3 1002 1003
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type trunk
[S1-GigabitEthernet0/0/1]port trunk allow-pass vlan 3 1003
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet 0/0/4
[S1-GigabitEthernet0/0/4]port link-type trunk
[S1-GigabitEthernet0/0/4]port trunk allow-pass vlan 3 1003
[S1-GigabitEthernet0/0/4]quit
[S1]interface GigabitEthernet 0/0/3
[S1-GigabitEthernet0/0/3]port link-type access
[S1-GigabitEthernet0/0/3]port default vlan 1002
[S1-GigabitEthernet0/0/3]quit
[S1]dhcp enable
[S1]interface Vlanif 3
[S1-Vlanif3]ip address 172.16.3.1 24
[S1-Vlanif3]dhcp select interface
[S1-Vlanif3]dhcp server dns-list 114.114.114.114 223.5.5.5
[S1-Vlanif3]quit
[S1]interface Vlanif 1002
[S1-Vlanif1002]ip address 192.168.2.1 24
[S1-Vlanif1002]quit
[S1]ip route-static 0.0.0.0 0 192.168.2.2

（3）R1路由器配置

<Huawei>system-view
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.2.2 24
[R1-GigabitEthernet0/0/1]quit
[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]ip address 192.168.5.2 24
[R1-GigabitEthernet0/0/2]quit
[R1-GigabitEthernet0/0/2]quit
[R1]ip route-static 0.0.0.0 0 192.168.5.1
[R1]ip route-static 172.16.3.0 255.255.255.0 192.168.2.1

（4）FW1防火墙配置

<SRG>system-view
[SRG]firewall zone trust
[SRG-zone-trust]add interface GigabitEthernet 0/0/2
[SRG-zone-trust]quit
[SRG]firewall zone untrust
[SRG-zone-untrust]add interface GigabitEthernet 0/0/1
[SRG-zone-untrust]quit
[SRG]interface GigabitEthernet 0/0/2
[SRG-GigabitEthernet0/0/2]ip address 192.168.5.1 24
[SRG-GigabitEthernet0/0/2]quit
[SRG]interface GigabitEthernet 0/0/1
[SRG-GigabitEthernet0/0/1]ip address 192.168.10.9 24
[SRG-GigabitEthernet0/0/1]quit
[SRG]ip route-static 0.0.0.0 0 192.168.10.1
[SRG]ip route-static 172.16.3.0 24 192.168.5.2
[SRG]policy interzone trust untrust outbound
[SRG-policy-interzone-trust-untrust-outbound]policy 0
[SRG-policy-interzone-trust-untrust-outbound-0]action permit
[SRG-policy-interzone-trust-untrust-outbound-0]policy source 172.16.3.0 0.0.0.255
[SRG-policy-interzone-trust-untrust-outbound-0]quit
[SRG-policy-interzone-trust-untrust-outbound]quit
[SRG]nat-policy interzone trust untrust outbound
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 172.16.3.0 0.0.0.255
[SRG-nat-policy-interzone-trust-untrust-outbound-1]easy-ip GigabitEthernet 0/0/1

（5）AC控制器配置

<AC6005>system-view
[AC6005]sysname AC
[AC]vlan batch 3 1003
[AC]interface GigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1]port link-type trunk
[AC-GigabitEthernet0/0/1]port trunk allow-pass vlan 3 1003
[AC-GigabitEthernet0/0/1]quit
[AC]dhcp enable
[AC]interface Vlanif 1003
[AC-Vlanif1003]ip address 192.168.3.1 24
[AC-Vlanif1003]dhcp select interface  #以“当前接口的IP与掩码”所处的IP得知范围作为地址池下发
[AC-Vlanif1003]quit
[AC]wlan
[AC-wlan-view]ap-group name ap-group1  #创建并进入AP组视图
[AC-wlan-ap-group-ap-group1]regulatory-domain-profile default  #引用域管理模板
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:Y  
[AC-wlan-ap-group-ap-group1]quit
[AC-wlan-view]quit
[AC]capwap source interface Vlanif 1003  #配置AC与AP建立CAPWAP隧道的源接口
[AC]wlan
[AC-wlan-view]ap auth-mode mac-auth  #配置AP的认证方式mac认证
[AC-wlan-view]ap-id 0 ap-mac 00e0-fc4c-5d70   #根据2个AP的MAC地址填写

两处MAC地址（在AP1和AP2中 通过dis arp 查询）
AP1

AP2

[AC-wlan-ap-0]ap-name area_1
[AC-wlan-ap-0]ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:Y
[AC-wlan-ap-0]quit
[AC-wlan-view]ap-id 1 ap-mac 00e0-fcb4-6b40 
[AC-wlan-ap-1]ap-name area_2
[AC-wlan-ap-1]ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it willclear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1]quit
[AC-wlan-view]display ap all  #显示所有上线AP
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [2]
--------------------------------------------------------------------------------
--------------
ID   MAC            Name   Group     IP            Type            State STA Upt
ime
--------------------------------------------------------------------------------
--------------
0    00e0-fc4c-5d70 area_1 ap-group1 192.168.3.107 AP2050DN        nor   0   5M:
35S
1    00e0-fcb4-6b40 area_2 ap-group1 192.168.3.221 AP2050DN        nor   0   9S
--------------------------------------------------------------------------------
--------------
Total: 2

创建安全模板：

[AC-wlan-view]security-profile name ssid_name  #安全认证模板名称
[AC-wlan-sec-prof-ssid_name]security wpa-wpa2 psk pass-phrase a1234567 aes  #便是加密类型wpa-wpa2 认证密码为a1234567
[AC-wlan-sec-prof-ssid_name]quit

创建SSID模板：

[AC-wlan-view]ssid-profile name ssid_name
[AC-wlan-ssid-prof-ssid_name]ssid ssid_name
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-ssid_name]quit

创建VAP模板：

[AC-wlan-view]vap-profile name ssid_name
[AC-wlan-vap-prof-ssid_name]forward-mode direct-forward
[AC-wlan-vap-prof-ssid_name]service-vlan vlan-id 3  #配置VAP的业务VLAN
[AC-wlan-vap-prof-ssid_name]security-profile ssid_name
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-ssid_name]ssid-profile ssid_name
[AC-wlan-vap-prof-ssid_name]quit

配置AP组引用VAP模板，并在射频0和1上引用VAP模板：

[AC-wlan-view]ap-group name ap-group1
[AC-wlan-ap-group-ap-group1]vap-profile ssid_name wlan 1 radio 0
[AC-wlan-ap-group-ap-group1]vap-profile ssid_name wlan 1 radio 1
[AC-wlan-ap-group-ap-group1]quit

查看无线网络信号

3.设备连接无线
（1）笔记本连接5G和2.4G信号
打开STA1笔记本配置窗口，可以再Vap列表查看到AP释放的信号
选择信道，连接，输入密码“a1234567”，确定，应用
5G

2.4G


（2）测试
STA1

STA>ipconfig

Link local IPv6 address...........: ::
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 172.16.3.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 172.16.3.1
Physical address..................: 54-89-98-A9-2E-FE
DNS server........................: 114.114.114.114
                                    223.5.5.5

STA>ping 192.168.10.1

Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!

--- 192.168.10.1 ping statistics ---
  3 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

STA>

STA2

STA>ipconfig

Link local IPv6 address...........: ::
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 172.16.3.253
Subnet mask.......................: 255.255.255.0
Gateway...........................: 172.16.3.1
Physical address..................: 54-89-98-F8-50-B6
DNS server........................: 114.114.114.114
                                    223.5.5.5

STA>ping 192.168.10.1

Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!

--- 192.168.10.1 ping statistics ---
  3 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

STA>