9. Huawei H3C small and medium-sized enterprise network architecture construction [Problems of wireless architecture (including guest restrictions, tuning, speed limit, channel switching

Topology

Hands-on

The topology can be saved locally and then enlarged so that it can be seen more clearly (drag it into a new window to open it).

Problems in the current environment

8.5.1 Wireless networks can reach each other

image001.png

It can be seen that internal users and guests can reach each other, which is a security risk: guests come from outside and have passed through all sorts of networks, and if a guest's PC is infected with a virus, it can spread over the wireless link into the internal network.

8.5.2 Guest users can access any internal resource

image002.png

It can be seen that the 192.168.20.0/24 segment belongs to the boss, yet guests can access it freely, which is not allowed.

8.5.3 No bandwidth limit

By default, a client's bandwidth is not limited. Although there is a threshold, it is effectively no limit at all. We want a stricter rate limit for guest access, while the limit for internal users is set according to demand.

image003.png

8.5.4 Channel tuning

image004.png

It can be seen that channel tuning is set to auto, that is, when there are multiple APs nearby, the AC automatically plans the channels between the APs according to the information they report. On 2.4G it plans A on channel 1, B on 6 and C on 11 so that there is no mutual interference; on 5G it can automatically assign channels 149, 153, 157, 161 and 165. Of course, automatic tuning takes a certain amount of time. If the AP locations are fixed, the channels can be tuned manually. The plan is as follows.

image005.png

8.5.5 After the AP loses contact with the AC, it can still provide wireless access to PCs

Note: By default, if the CAPWAP tunnel between the AC and the AP goes down, the AP assumes it has lost contact with the AC and disables all wireless services. After enabling this function, the AP can still provide wireless access after losing contact with the AC, which is very useful in a headquarters-and-branch wireless architecture.

8.5.6 Wireless roaming [Layer 2 and Layer 3 roaming]

Note: In many cases, because of wireless coverage, multiple APs need to be deployed with the same SSID. The customer's requirement is that while moving around they experience no disconnection at all, i.e. the handover is transparent to the user. Roaming is divided into Layer 2 roaming and Layer 3 roaming.

8.5.7 Restricting access for low-rate and low-signal users

Note: When a client is far from the wireless device, its rate and signal are very low. To give users a good experience, we can deploy a function that prevents clients with a low rate or a weak signal from associating with this AP, so that they associate with another AP that has a good signal instead.

8.5.8 Load Balancing

Note: Load balancing is very useful in real environments. For example, several APs hang in the lobby of the corporate network to give customers Internet access, but all customers connect to AP A rather than B or C; A becomes overloaded while B and C sit idle. Load balancing works by defining a threshold: when the AC detects that an AP's load exceeds it, clients are automatically associated with other APs, which achieves the load-balancing effect.

Optimized solution

8.6.1 Solving the problem of wireless networks reaching each other

Analysis: if the networks behind two wireless SSIDs should not be able to reach each other, there are two solutions: one is port isolation under the corresponding service set, the other is an ACL. But an ACL must name addresses explicitly, and the clients' addresses are dynamic, so port isolation is recommended.
Specific configuration
[AC6605]wlan
[AC6605-wlan-view]service-set id 0
[AC6605-wlan-service-set-open]user-isolate
[AC6605-wlan-service-set-open]q
[AC6605-wlan-view]service-set id 1
[AC6605-wlan-service-set-intrenet]user-isolate
[AC6605-wlan-service-set-intrenet]q
[AC6605-wlan-view]commit ap 1
Note: the effect is that service sets with port isolation enabled cannot reach each other. Note that the configuration must be delivered to the AP at the end.


Verification result

image006.png

8.6.2 Solving the problem of guest users being able to access any internal resource

Analysis: what we wanted earlier is that guest users can only reach specific internal website addresses and the Internet; everything else is not allowed. This can be solved with an ACL.


Specific configuration
[AC6605]acl number 3000
[AC6605-acl-adv-3000]rule 5 permit ip source 192.168.19.0 0.0.0.255 destination 192.168.88.251 0
[AC6605-acl-adv-3000]rule 10 deny ip source 192.168.19.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
[AC6605-acl-adv-3000]rule 15 permit ip source 192.168.19.0 0.0.0.255
Note: the important thing about the ACL is the order: first permit access to the specific server address, then deny access to all internal segments, then permit access to the Internet. Of course the server's port numbers can also be specified so that only particular services are allowed.

[AC6605]wlan
[AC6605-wlan-view]service-set id 0
[AC6605-wlan-service-set-open]traffic-filter inbound acl 3000
[AC6605-wlan-view]commit ap 1
Note: then apply it under the service set and finally deliver the configuration.
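As an added illustration (not configuration from the original article), the following Python model replays the first-match logic of acl 3000 against constructed guest flows, including what happens if the deny rule is ordered ahead of the server permit; the unmatched-packet default and the sample client addresses are assumptions.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Turn a Huawei 'address wildcard' pair into an IPv4Network.
    Wildcard bits set to 1 are don't-care bits; the CLI accepts a bare 0
    as shorthand for 0.0.0.0 (host match). Only contiguous wildcards are handled."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - host_bits), strict=False)

GUESTS = wildcard_to_network("192.168.19.0", "0.0.0.255")

# Model of acl 3000 as configured above: (rule number, action, source, destination);
# destination None means "any destination", as in rule 15.
ACL_3000 = [
    (5, "permit", GUESTS, wildcard_to_network("192.168.88.251", "0")),
    (10, "deny", GUESTS, wildcard_to_network("192.168.0.0", "0.0.255.255")),
    (15, "permit", GUESTS, None),
]

# Same rules with the deny placed first: the ordering mistake the note warns about.
MISORDERED = [ACL_3000[1], ACL_3000[0], ACL_3000[2]]

def acl_action(rules, src, dst, default="permit"):
    """Evaluate rules top-down, first match wins; returns (action, rule number).
    Assumption: a packet matching no rule falls through to `default`."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for number, action, src_net, dst_net in rules:
        if s in src_net and (dst_net is None or d in dst_net):
            return action, number
    return default, None

# Constructed sample flows from a guest client on 192.168.19.0/24.
FLOWS = {
    "guest->allowed server": ("192.168.19.10", "192.168.88.251"),
    "guest->boss segment": ("192.168.19.10", "192.168.20.1"),
    "guest->internet": ("192.168.19.10", "8.8.8.8"),
}

def evaluate(rules, flows=FLOWS):
    """Map each named flow to the action the ACL takes on it."""
    return {name: acl_action(rules, s, d)[0] for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for label, rules in (("as configured", ACL_3000), ("deny first", MISORDERED)):
        print(label, evaluate(rules))
```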

Verification result

image007.png

It can be seen that access to 20.1 on the internal network fails, while access to the specific server is OK, and access to the Internet is also OK. However, the firewall side has not been configured yet, so Internet service is not actually reachable at this point.

image008.png

It can be seen that after the AC delivers the configuration to the AP, the ACL automatically exists on the AP and is applied on the WLAN-BSS.

8.6.3 Solving the unlimited bandwidth problem [rate-limiting clients]

Analysis: we saw earlier that there is no limit at all on user bandwidth. A few users downloading heavily can cause very high latency for everyone else and consume all of the network's resources. So we want to rate-limit clients, which can be done per user or per VAP.


Specific configuration
[AC6605-wlan-view]traffic-profile name guest
[AC6605-wlan-traffic-prof-guest]rate-limit client up 200
[AC6605-wlan-traffic-prof-guest]rate-limit client down 400
[AC6605-wlan-traffic-prof-guest]rate-limit vap up 1024
[AC6605-wlan-traffic-prof-guest]rate-limit vap down 2048

[AC6605-wlan-view]traffic-profile name intrenet
[AC6605-wlan-traffic-prof-intrenet]rate-limit client up 400
[AC6605-wlan-traffic-prof-intrenet]rate-limit client down 800
Note: two traffic profiles are defined. The guest one limits each client to 200 up and 400KB down, while the VAP as a whole cannot exceed 1024 up and 2048 down, which prevents heavy guest downloads from slowing internal access to the public network. An intrenet profile is also defined and works similarly.

[AC6605-wlan-view]service-set name open
[AC6605-wlan-service-set-open]traffic-profile name guest

[AC6605-wlan-view]service-set name intrenet
[AC6605-wlan-service-set-intrenet]traffic-profile name intrenet
[AC6605-wlan-view]commit ap 1
Note: apply it under the corresponding service set and finally deliver the configuration.

Result test
Note: since the wireless part is deployed in a simulated environment, it cannot be tested here; in a real deployment this is the approach to take.

8.6.4 Solving channel tuning [automatic and manual]

Analysis: when deploying wireless in an enterprise network, coverage sometimes requires multiple APs, but overlapping channels between APs are very likely to cause interference, and in that situation the wireless experience is very poor. We can fix this either with automatic tuning or by adjusting the channels manually.


Specific configuration
[AC6605]wlan
[AC6605-wlan-view]radio-profile name 2.4G
[AC6605-wlan-radio-prof-2.4G]calibrate enable
[AC6605-wlan-radio-prof-2.4G]calibrate-interval 60
[AC6605-wlan-view]commit ap 1
Note: this enables automatic tuning under the 2.4G radio profile, with an interval of 60 minutes.

The other approach is manual tuning. For example, if there are three adjacent APs A, B and C, their channels can be manually set to 1, 6 and 11.
[AC6605-wlan-view]radio-profile name 2.4G
[AC6605-wlan-radio-prof-2.4G]channel-mode fixed
Note: this sets the channel to a fixed channel defined manually, rather than letting the AC change it according to the surroundings.
[AC6605-wlan-view]ap 1 radio 0
[AC6605-wlan-radio-1/0]channel 20mhz 1
Note: this sets the 2.4G radio of AP 1 to channel 1; the other APs can then be set to 6 and 11 so that they do not interfere with each other. The method for 5G is the same, except that you enter radio 1.

Result verification

Note: this effect can only be tested in a real environment, so only the configuration is given here, but it definitely works, because it has been deployed in practice. Whether to choose automatic or manual can be decided according to need: for a fairly static network, manual is better; for places like a plaza with heavy interference, the AC needs to keep adjusting periodically according to the surroundings.

image009.png

With automatic tuning this effect is achieved intelligently: before adjustment, the channels of AP 2 and AP 4 overlapped and interference was severe; after adjustment, the channels no longer overlap and interference is reduced.
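As an added example that is not part of the original post, this Python snippet carries out the manual planning described here and in 8.5.4 for a constructed set of overlapping APs: it reports neighbours on the same channel (the AP 2 / AP 4 overlap before tuning), assigns non-overlapping channels greedily, and emits the fixed-channel commands; the AP layout is invented.

```python
CHANNELS_2G = [1, 6, 11]                 # non-overlapping 2.4G channels from the article
CHANNELS_5G = [149, 153, 157, 161, 165]  # 5G channels the AC can hand out

# Constructed AP layout: ap -> set of APs whose coverage overlaps with it.
NEIGHBORS = {1: {2, 4}, 2: {1, 3, 4}, 3: {2, 4}, 4: {1, 2, 3, 5}, 5: {4}}

# Constructed "before tuning" plan: neighbours AP 2 and AP 4 both sit on channel 6.
BEFORE = {1: 1, 2: 6, 3: 11, 4: 6, 5: 1}

def conflicts(plan, neighbors):
    """Return sorted (ap, ap) pairs that overlap and share a channel."""
    clashes = set()
    for ap, peers in neighbors.items():
        for peer in peers:
            if plan[ap] == plan[peer]:
                clashes.add(tuple(sorted((ap, peer))))
    return sorted(clashes)

def plan_channels(neighbors, channels):
    """Greedy graph colouring: plan the most crowded AP first and give each AP
    the first channel no already-planned neighbour uses. Raises when more
    mutually overlapping APs exist than channels (e.g. four of them on 2.4G)."""
    plan = {}
    for ap in sorted(neighbors, key=lambda a: (-len(neighbors[a]), a)):
        used = {plan[p] for p in neighbors[ap] if p in plan}
        free = [c for c in channels if c not in used]
        if not free:
            raise ValueError(f"AP {ap}: every channel in {channels} is used by a neighbour")
        plan[ap] = free[0]
    return plan

def render_commands(plan, radio=0, bandwidth="20mhz"):
    """Emit the fixed-channel CLI lines from the article, one AP at a time
    (radio 0 is the 2.4G radio, radio 1 the 5G radio)."""
    lines = []
    for ap in sorted(plan):
        lines += [f"ap {ap} radio {radio}", f"channel {bandwidth} {plan[ap]}"]
    return lines

if __name__ == "__main__":
    print("before tuning, clashes:", conflicts(BEFORE, NEIGHBORS))
    plan = plan_channels(NEIGHBORS, CHANNELS_2G)
    print("after planning, clashes:", conflicts(plan, NEIGHBORS))
    print("\n".join(render_commands(plan)))
```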

Solving the problem of clients dropping during channel switching

With automatic tuning applied, the channel changes as the environment changes, which means a VAP may end up on different channels over time. Say a client is associated on channel 1, and at that moment the AC delivers a tuning result that moves the channel to 6: the client is disconnected and has to reconnect, which is very troublesome and inconvenient, so this problem needs to be solved.


[AC6605]wlan
[AC6605-wlan-view]radio-profile name 2.4G
[AC6605-wlan-radio-prof-2.4G]channel-switch announcement enable
[AC6605-wlan-radio-prof-2.4G]channel-switch mode continue-transmitting
[AC6605-wlan-view]commit ap 1
Note: once this function is enabled, wireless clients stay connected during the channel switch and their traffic is not interrupted.

8.6.5 Solving the problem of the AP still providing wireless access to PCs after losing contact with the AC [especially in a headquarters-and-branch architecture]

Analysis: in the AC-AP architecture, if the AP detects that the AC has failed, it tears down the CAPWAP link and stops all wireless service functions, which disrupts all wireless business. With this function enabled, even if the AC fails or the link goes down, the AP can continue to serve and can even accept new client associations. Of course, this method only works in direct forwarding mode.


Specific configuration
[AC6605-wlan-view]ap id 1
[AC6605-wlan-ap-1]keep-service enable allow new-access
Description: this enables the function of continuing to provide service. The red part (allow new-access) needs special attention: if you only enter keep-service enable and press Enter, the AP can continue to serve the wireless clients that are already associated, but new clients that want to connect will not be accepted.

Result verification

image010.png

The AC interface is shut down manually, which can be regarded as communication between the AP and the AC no longer being possible.

image011.png

You can see that the previous wireless clients are still there. I use a new connection to see whether it can connect.

image012.png

You can see that Guest 2 can also connect.

image013.png

There is no problem accessing the server.

This article was first published on the public account: Network Road Blog


Origin blog.51cto.com/ccieh3c/2642794