hw_ac

约 1285 字大约 4 分钟

2025-11-16

9700M1

警告

不支持mac认证

配置mac认证会导致dot1x认证不通过

配置接口及互联

Master

创建vlan，业务、管理、同步

vlan batch 832 to 833 853 400

配置互联接口

interface Vlanif400
 ip address x.x.x.x 255.255.255.252
#
interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 853
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 400
 stp disable
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface XGigabitEthernet0/0/11
 eth-trunk 0
#
interface XGigabitEthernet0/0/12
 eth-trunk 0

Slave

创建vlan，业务、管理、同步

vlan batch 832 to 833 853 400

配置互联接口

interface Vlanif400
 ip address x.x.x.x 255.255.255.252
#
interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 853
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 400
 stp disable
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface XGigabitEthernet0/0/11
 eth-trunk 0
#
interface XGigabitEthernet0/0/12
 eth-trunk 0

配置VRRP双机热备份

Master

配置VRRP备份组的状态恢复延迟时间为60s

vrrp recover-delay 60

创建管理VRRP备份组，优先级120，抢占时间1800s

interface Vlanif853
 ip address x.x.x.x 255.255.255.0
 vrrp vrid 1 virtual-ip x.x.x.x
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1800

创建HSB主服务0，及主备通道IP地址和端口号

hsb-service 0
 service-ip-port local-ip x.x.x.x peer-ip x.x.x.x local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6

绑定HSB主备服务0和管理VRRP备份组

hsb-group 0
 track vrrp vrid 1 interface Vlanif853
 bind-service 0
 hsb enable

配置NAC、DHCP、wlan业务绑定HSB备份组

hsb-service-type access-user hsb-group 0
hsb-service-type dhcp hsb-group 0
hsb-service-type ap hsb-group 0

Slave

配置VRRP备份组的状态恢复延迟时间为60s

vrrp recover-delay 60

创建管理VRRP备份组

interface Vlanif2853
 ip address x.x.x.x 255.255.255.0
 vrrp vrid 1 virtual-ip x.x.x.x
 admin-vrrp vrid 1

创建HSB主服务0，及主备通道IP地址和端口号

hsb-service 0
 service-ip-port local-ip x.x.x.x peer-ip x.x.x.x local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6

绑定HSB主备服务0和管理VRRP备份组

hsb-group 0
 track vrrp vrid 1 interface Vlanif853
 bind-service 0
 hsb enable

配置NAC、DHCP、wlan业务绑定HSB备份组

hsb-service-type access-user hsb-group 0
hsb-service-type dhcp hsb-group 0
hsb-service-type ap hsb-group 0

配置dot1x认证

radius-server template qwe
 radius-server shared-key cipher %^%#LF@=!,.ypU_yK@SGq,VF'|>O-qM>#&\T~F:pq9h(%^%#
 radius-server authentication x.x.x.x 1812 weight 100
 radius-server authentication x.x.x.x 1812 weight 80
 radius-server accounting x.x.x.x 1813 weight 100
 radius-server accounting x.x.x.x 1813 weight 80
#
aaa
 authentication-scheme qwe
  authentication-mode radius
 domain qwe
  authentication-scheme qwe
  accounting-scheme default
  radius-server qwe
#
dot1x-access-profile name qwe
 dot1x authentication-method eap
#
authentication-profile name qwe
 dot1x-access-profile qwe
 access-domain qwe force

全局指定发起认证IP

radius-attribute nas-ip x.x.x.x

配置wlan业务

vlan pool 1
 vlan 832 to 833
#
wlan
 calibrate enable schedule time 03:00:00
 temporary-management psk %^%#e_4(VnB#5a!nQ7BXE%^%#
 ap username admi password cipher %^%gJ{>M&`~7!J#3+m'%>O)99r.*0#x.%^%#
 traffic-profile name linshi
  traffic-optimize broadcast-suppression packets 128
  traffic-optimize multicast-suppression packets 5
  traffic-optimize unicast-suppression packets 128
 security-profile name linshi
  security wpa-wpa2 dot1x aes
  pmf mandatory
 ssid-profile name linshi
  ssid WiFi
 ssid-profile name default
 vap-profile name linshi
  service-vlan vlan-pool 1
  ssid-profile linshi
  security-profile linshi
  traffic-profile linshi
  authentication-profile qwe
 regulatory-domain-profile name linshi
  dca-channel 5g bandwidth 40mhz
 regulatory-domain-profile name default
 regulatory-domain-profile name WiFi
  dca-channel 5g bandwidth 40mhz
 rrm-profile name linshi
  airtime-fair-schedule enable
  band-steer balance start-threshold 30
  sta-load-balance dynamic disable
 rrm-profile name default
 rrm-profile name WiFi
  airtime-fair-schedule enable
  band-steer balance start-threshold 30
  sta-load-balance dynamic disable
 radio-2g-profile name default
 radio-2g-profile name huawei-2.4
  beacon-interval 160
  multicast-rate 54
  wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
 radio-5g-profile name huawei-5.0
  beacon-interval 160
  multicast-rate 54
  dot11a basic-rate 6 9 12 18 24 36 48 54 
 wireless-access-specification
 ap-system-profile name default
  telnet enable
  lldp report enable
  traffic-optimize broadcast-suppression other-broadcast disable
  traffic-optimize broadcast-suppression other-multicast disable
  traffic-optimize broadcast-suppression arp rate-threshold 128
  traffic-optimize broadcast-suppression igmp rate-threshold 128
  traffic-optimize broadcast-suppression nd rate-threshold 128
 ap auth-mode no-auth
 ap-group name linshi
  regulatory-domain-profile linshi
  radio 0
   radio-2g-profile huawei-2.4
   vap-profile linshi wlan 1
  radio 1
   radio-5g-profile huawei-5
   vap-profile linshi wlan 1
  radio 2
   vap-profile linshi wlan 1

配置capwap隧道

capwap source ip-address x.x.x.x
capwap dtls psk 8,z5SS@DLKG-Y4S</Nl%%%^%#
capwap dtls inter-controller psk %:B(3|V]Tl^L.XPPAuGs.<%^%#

主备配置同步

 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif853
  master-redundancy peer-ip ip-address x.x.x.x local-ip ip-address x.x.x.x psk %^%#p+`l1Ok|<**"HI(Sa{Z2XTKX^5xmr+K%^%#

配置生成树

stp mode rstp
stp bpdu-protection
stp enable

配置NTP

 ntp-service server server-source -i all
 ntp-service unicast-server x.x.x.x

配置时区

 clock timezone BJ add 08:00:00

其他配置

#
aaa
 local-user linshi password irreversible-cipher $1a$2:-f@rU%w4$}|g&Q*o0VLV^:,0'SBxX%>iCK>LfeSCY@EKX\o@,$
 local-user linshi privilege level 15
 local-user linshi service-type ssh http
#
 info-center timestamp log date precision-time millisecond
 info-center timestamp trap date precision-time millisecond
#
undo icmp name timestamp-request receive
#
 snmp-agent community read @+LXB\V$>Wy/X!kU>6>W\30~pZ2iA4u<&K)[4%^%# 
 snmp-agent sys-info version v2c v3
 snmp-agent trap enable
 snmp-agent trap queue-size 500
 snmp-agent trap life 600
 snmp-agent protocol source-interface all
 snmp-agent 
#
 ssh server timeout 120
 ssh server-source -i all
 stelnet server enable 
 undo telnet server enable 
 undo telnet ipv6 server enable 
 telnet server-source -i MEth0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 x.x.x.1

#
user-interface con 0
 authentication-mode password
 set authentication password irreversible-cipher $1b$We]6VzkAm:C])@Y1hIa!$
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound ssh

贡献者

wyutan

更新日志

2025/5/9 02:45

查看所有更新日志

da9e9-Update 4.hw_ac.md于 2025/5/9
2d83c-Update 4.hw_ac.md于 2025/5/9
bc1d4-Update 4.hw_ac.md于 2025/5/9
83743-Update 4.hw_ac.md于 2025/4/21
2494c-Update 4.hw_ac.md于 2025/4/16
bcd47-Update 4.hw_ac.md于 2025/4/16
45bdd-Update 4.hw_ac.md于 2025/4/16
96293-Update 4.hw_ac.md于 2025/4/16
c0031-Update 4.hw_ac.md于 2025/4/16
dbc87-Update 4.hw_ac.md于 2025/4/16