本文提供如何使用網狀網解決方案建立點對點橋接連結的基本組態範例。此範例使用兩個輕量型存取點(LAP)。 一個LAP作為頂蓋接入點(RAP)運行,另一個LAP作為頂蓋接入點(PAP)運行,並且它們連線到思科無線區域網(WLAN)控制器(WLC)。 RAP通過Cisco Catalyst交換機連線到WLC。
有關WLC 5.2版及更新版本,請參閱無線LAN控制器MAP網路組態範例(5.2版及更新版本)
WLC已配置為基本操作。
WLC設定在第3層模式下。
已設定WLC的交換器。
嘗試此組態之前,請確保符合以下要求:
LAP和Cisco WLC配置的基本知識
輕量AP協定(LWAPP)基礎知識。
瞭解外部DHCP伺服器和/或域名伺服器(DNS)的配置
思科交換機的基本配置知識
本文中的資訊係根據以下軟體和硬體版本:
Cisco 4402系列WLC(執行韌體3.2.150.6)
兩(2)個Cisco Aironet 1510系列LAP
思科第2層交換器
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路正在作用,請確保您已瞭解任何指令可能造成的影響。
如需文件慣例的詳細資訊,請參閱思科技術提示慣例。
Cisco Aironet 1510系列輕量型室外網狀AP是一種無線裝置,專用於無線客戶端訪問和點對點橋接、點對多點橋接以及點對多點網狀無線連線。室外接入點是一個獨立的單元,可以安裝在牆壁或懸垂處、屋頂柱或街燈柱上。
AP1510與控制器一起運行,可提供集中且可擴展的管理、高安全性和移動性。AP1510旨在支援零配置部署,可輕鬆、安全地加入網狀網路,並可通過控制器GUI或CLI管理和監控網路。
AP1510配備了兩個同時運行的無線電:用於客戶端訪問的2.4 GHz無線電和用於向其他AP1510傳輸資料的5 GHz無線電訊號。無線LAN使用者端流量會通過AP的回程無線電或通過其他AP1510中繼,直到到達控制器乙太網路連線。
RAP具有到Cisco WLC的有線連線。它們使用回傳無線介面與相鄰PAP通訊。RAP是任何橋接或網狀網路的父節點,將網橋或網狀網路連線到有線網路。因此,任何橋接或網狀網段只能有一個RAP。
注意:使用網狀網路解決方案進行LAN到LAN橋接時,請勿將RAP直接連線到Cisco WLC。Cisco WLC和RAP之間需要交換器或路由器,因為Cisco WLC不會轉送來自啟用LWAPP的埠的乙太網流量。RAP可以在第2層或第3層LWAPP模式下工作。
PAP沒有到Cisco WLC的有線連線。它們可以是完全無線的,並支援與其他PAP或RAP通訊的客戶端,或者可用於連線外圍裝置或有線網路。出於安全原因,乙太網埠預設處於禁用狀態,但您應該為PAP啟用它。
注意:Cisco Aironet 1030遠端邊緣LAP支援單躍點部署,而Cisco Aironet 1500系列輕量型室外AP支援單躍點和多躍點部署。因此,Cisco Aironet 1500系列輕量型室外AP可用作屋頂AP,也可作為Cisco WLC一個或多個躍點的PAP。
網狀網路不支援以下控制器功能:
多國支援
基於負載的CAC(網狀網路僅支援基於頻寬或靜態CAC。)
高可用性(快速心跳和主發現加入計時器)
EAP-FASTv1和802.1X身份驗證
EAP-FASTv1和802.1X身份驗證
本地有效證書
基於位置的服務
以下清單描述了RAP和PAP啟動時會發生的情況:
所有流量在傳送到LAN之前都會通過RAP和Cisco WLC。
當RAP啟動時,PAP自動連線到它。
連線的鏈路使用共用金鑰生成用於為鏈路提供高級加密標準(AES)的金鑰。
一旦遠端PAP連線到RAP,網格AP就可以傳遞資料流量。
使用者可以使用思科命令列介面(CLI)、控制器的Cisco Web使用者介面或思科無線控制系統(Cisco WCS)更改共用金鑰或配置網格AP。 思科建議您修改共用金鑰。
完成這些步驟,設定WLC和AP以進行點對點橋接。
啟用零接觸組態會使AP在控制器註冊到WLC時從控制器獲取共用金鑰。如果取消選中此框,則控制器不提供共用金鑰,並且AP使用預設預共用金鑰進行安全通訊。預設值已啟用(或已檢查)。 在WLC GUI上完成以下步驟:
註:WLC 4.1版及更新版本中沒有零接觸配置的配置。
選擇Wireless > Bridging,然後按一下Enable Zero Touch Configuration。
選擇金鑰格式。
輸入橋接共用金鑰。
在確認共用金鑰中再次輸入橋接共用金鑰。
從CLI完成以下步驟:
發出config network zero-config enable命令,以啟用零接觸設定。
(Cisco Controller) >config network zero-config enable
發出config network bridging-shared-secret <string>命令以新增橋接共用金鑰。
(Cisco Controller) >config network bridging-shared-secret Cisco
下一步是將AP新增到WLC上的授權清單中。為此,請選擇Security > AP Policies,在Add AP to Authorization List下輸入AP MAC地址,然後按一下Add。
在本範例中,兩個AP(RAP和PAP)都會新增到控制器上的AP授權清單中。
發出config auth-list add mic <AP mac>命令,將MIC新增到授權清單。
(Cisco Controller) >config auth-list add mic 00:0b:85:5e:40:00 (Cisco Controller) >config auth-list add mic 00:0b:85:5e:5a:80
本檔案會使用以下設定:
Cisco WLC 4402 |
---|
(Cisco Controller) >show run-config Press Enter to continue... System Inventory Switch Description............................... Cisco Controller Machine Model.................................... WLC4402-12 Serial Number.................................... FLS0943H005 Burned-in MAC Address............................ 00:0B:85:40:CF:A0 Crypto Accelerator 1............................. Absent Crypto Accelerator 2............................. Absent Power Supply 1................................... Absent Power Supply 2................................... Present, OK Press Enter to continue Or <Ctl Z> to abort System Information Manufacturer's Name.............................. Cisco Systems, Inc Product Name..................................... Cisco Controller Product Version.................................. 3.2.150.6 RTOS Version..................................... 3.2.150.6 Bootloader Version............................... 3.2.150.6 Build Type....................................... DATA + WPS System Name...................................... lab120wlc4402ip100 System Location.................................. System Contact................................... System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3 IP Address....................................... 192.168.120.100 System Up Time................................... 0 days 1 hrs 4 mins 6 secs Configured Country............................... United States Operating Environment............................ Commercial (0 to 40 C) Internal Temp Alarm Limits....................... 0 to 65 C Internal Temperature............................. +42 C State of 802.11b Network......................... Disabled State of 802.11a Network......................... Disabled Number of WLANs.................................. 1 3rd Party Access Point Support................... Disabled Number of Active Clients......................... 0 Press Enter to continue Or <Ctl Z> to abort Switch Configuration 802.3x Flow Control Mode......................... Disable Current LWAPP Transport Mode..................... Layer 3 LWAPP Transport Mode after next switch reboot.... Layer 3 FIPS prerequisite features....................... Disabled Press Enter to continue Or <Ctl Z> to abort Network Information RF-Network Name............................. airespacerf Web Mode.................................... Enable Secure Web Mode............................. Enable Secure Shell (ssh).......................... Enable Telnet...................................... Enable Ethernet Multicast Mode..................... Disable Mode: Ucast User Idle Timeout........................... 300 seconds ARP Idle Timeout............................ 300 seconds ARP Unicast Mode............................ Disabled Cisco AP Default Master..................... Disable Mgmt Via Wireless Interface................. Enable Bridge AP Zero Config....................... Enable Bridge Shared Secret........................ youshouldsetme Allow Old Bridging Aps To Authenticate...... Disable Over The Air Provisioning of AP's........... Disable Mobile Peer to Peer Blocking................ Disable Apple Talk ................................. Disable AP Fallback ................................ Enable Web Auth Redirect Ports .................... 80 Fast SSID Change ........................... Disabled Press Enter to continue Or <Ctl Z> to abort Port Summary STP Admin Physical Physical Link Link Mcast Pr Type Stat Mode Mode Status Status Trap Appliance POE -- ------- ---- ------- ---------- ---------- ------ ------- --------- ------- 1 Normal Forw Enable Auto 1000 Full Up Enable Enable N/A 2 Normal Forw Enable Auto 1000 Full Up Enable Enable N/A Mobility Configuration Mobility Protocol Port........................... 16666 Mobility Security Mode........................... Disabled Default Mobility Domain.......................... airespacerf Mobility Group members configured................ 3 Switches configured in the Mobility Group MAC Address IP Address Group Name 00:0b:85:33:a8:40 192.168.5.70 <local> 00:0b:85:40:cf:a0 192.168.120.100 <local> 00:0b:85:43:8c:80 192.168.5.40 airespacerf Interface Configuration Interface Name................................... ap-manager IP Address....................................... 192.168.120.101 IP Netmask....................................... 255.255.255.0 IP Gateway....................................... 192.168.120.1 VLAN............................................. untagged Active Physical Port............................. 1 Primary Physical Port............................ 1 Backup Physical Port............................. Unconfigured Primary DHCP Server.............................. 192.168.1.20 Secondary DHCP Server............................ Unconfigured ACL.............................................. Unconfigured AP Manager....................................... Yes Interface Name................................... management MAC Address...................................... 00:0b:85:40:cf:a0 IP Address....................................... 192.168.120.100 IP Netmask....................................... 255.255.255.0 IP Gateway....................................... 192.168.120.1 VLAN............................................. untagged Active Physical Port............................. 1 Primary Physical Port............................ 1 Backup Physical Port............................. Unconfigured Primary DHCP Server.............................. 192.168.1.20 Secondary DHCP Server............................ Unconfigured ACL.............................................. Unconfigured AP Manager....................................... No Interface Name................................... service-port MAC Address...................................... 00:0b:85:40:cf:a1 IP Address....................................... 192.168.250.100 IP Netmask....................................... 255.255.255.0 DHCP Protocol.................................... Disabled AP Manager....................................... No Interface Name................................... virtual IP Address....................................... 1.1.1.1 Virtual DNS Host Name............................ Disabled AP Manager....................................... No WLAN Configuration WLAN Identifier.................................. 1 Network Name (SSID).............................. lab120wlc4402ip100 Status........................................... Enabled MAC Filtering.................................... Enabled Broadcast SSID................................... Enabled AAA Policy Override.............................. Disabled Number of Active Clients......................... 0 Exclusionlist Timeout............................ 60 seconds Session Timeout.................................. 1800 seconds Interface........................................ management WLAN ACL......................................... unconfigured DHCP Server...................................... Default Quality of Service............................... Silver (best effort) WMM.............................................. Disabled 802.11e.......................................... Disabled Dot11-Phone Mode (7920).......................... Disabled Wired Protocol................................... None IPv6 Support..................................... Disabled Radio Policy..................................... All Radius Servers Authentication................................ 192.168.1.20 1812 Security 802.11 Authentication:........................ Open System Static WEP Keys............................... Enabled Key Index:...................................... 1 Encryption:..................................... 104-bit WEP 802.1X........................................ Disabled Wi-Fi Protected Access (WPA1)................. Disabled Wi-Fi Protected Access v2 (WPA2).............. Disabled IP Security................................... Disabled IP Security Passthru.......................... Disabled L2TP.......................................... Disabled Web Based Authentication...................... Disabled Web-Passthrough............................... Disabled Auto Anchor................................... Disabled Cranite Passthru.............................. Disabled Fortress Passthru............................. Disabled RADIUS Configuration Vendor Id Backward Compatibility................. Disabled Credentials Caching.............................. Disabled Call Station Id Type............................. IP Address Administrative Authentication via RADIUS......... Enabled Keywrap.......................................... Disabled Load Balancing Info Aggressive Load Balancing........................ Enabled Aggressive Load Balancing Window................. 0 clients Signature Policy Signature Processing........................... Enabled Spanning Tree Switch Configuration STP Specification...................... IEEE 802.1D STP Base MAC Address................... 00:0B:85:40:CF:A0 Spanning Tree Algorithm................ Disable STP Bridge Priority.................... 32768 STP Bridge Max. Age (seconds).......... 20 STP Bridge Hello Time (seconds)........ 2 STP Bridge Forward Delay (seconds)..... 15 Spanning Tree Port Configuration STP Port ID................................. 8001 STP Port State.............................. Forwarding STP Port Administrative Mode................ 802.1D STP Port Priority........................... 128 STP Port Path Cost.......................... 4 STP Port Path Cost Mode..................... Auto STP Port ID................................. 8002 STP Port State.............................. Forwarding STP Port Administrative Mode................ 802.1D STP Port Priority........................... 128 STP Port Path Cost.......................... 4 STP Port Path Cost Mode..................... Auto |
本節提供如何配置AP在網狀網路中的角色和相關橋接引數的說明。您可以使用GUI或CLI配置這些引數。
按一下Wireless,然後按一下Access Points下的All APs。系統將顯示All APs頁面。
按一下AP1510的Detail連結以訪問All APs > Details頁面
在此頁面上,對於具有網橋功能的AP(例如AP1510),「常規」(General)下的AP模式自動設定為「網橋」(Bridge)。此頁還在「橋接資訊」(Bridging Information)下顯示此資訊。在Bridging Information下,選擇以下選項之一以指定此AP在網狀網中的角色:
MeshAP — 如果AP1510與控制器有無線連線,請選擇此選項。
RootAP — 如果AP1510與控制器有有線連線,請選擇此選項。
使用本節內容,確認您的組態是否正常運作。
AP向WLC註冊後,您可以在WLC GUI頂部的Wireless頁籤下檢視它們:
在CLI上,可以使用show ap summary命令驗證已在WLC中註冊的AP:
(Cisco Controller) >show ap summary AP Name Slots AP Model Ethernet MAC Location Port ------------------ ----- ---------- ----------------- ---------------- ---- lab120br1510ip152 2 OAP1500 00:0b:85:5e:5a:80 default_location 1 lab120br1510ip150 2 OAP1500 00:0b:85:5e:40:00 default_location 1 (Cisco Controller) >
在GUI中按一下Bridging Details以驗證AP的角色:
在CLI上,您可以使用show mesh path <Cisco AP>和show mesh neigh neigh <Cisco AP>指令驗證是否已向WLC註冊AP:
(Cisco Controller) >show mesh path lab120br1510ip152 00:0B:85:5E:5A:80 is RAP (Cisco Controller) >show mesh neigh lab120br1510ip152 AP MAC : 00:0B:85:5E:40:00 FLAGS : 160 CHILD worstDv 255, Ant 0, channel 0, biters 0, ppiters 10 Numroutes 0, snr 0, snrUp 0, snrDown 26, linkSnr 0 adjustedEase 0, unadjustedEase 0 txParent 0, rxParent 0 poorSnr 0 lastUpdate 1150103792 (Mon Jun 12 09:16:32 2006) parentChange 0 Per antenna smoothed snr values: 0 0 0 0 Vector through 00:0B:85:5E:40:00 (Cisco Controller) >
網狀AP未與WLC相關聯是網狀部署中最常見的問題之一。完成以下檢查:
檢查存取點的MAC位址是否已新增到WLC的Mac過濾器清單中。可從Security > Mac Filtering下看到這種情況。
檢查RAP和MAP之間的共用金鑰。當金鑰不相符時,您可以在WLC中看到此訊息。
" LWAPP Join-Request AUTH_STRING_PAYLOAD, invalid BRIDGE key hash AP 00:0b:85:68:c1:d0"附註: 如果版本可用,請始終嘗試使用啟用零接觸配置選項。這樣可自動配置網狀AP的金鑰並避免配置錯誤。
RAP不會在其無線電介面上轉發任何廣播消息。因此,將DHCP伺服器配置為通過單播傳送IP地址,以便MAP可以通過RAP獲得轉發的IP地址。否則,請對MAP使用靜態IP。
將Bridge Group Name保留為預設值,或者確保在MAP和相應的RAP上配置完全相同的網橋組名稱。
這些是網狀無線接入點特有的問題。有關WLC和存取點之間常見的連線問題,請參閱排解輕量存取點未加入無線LAN控制器的疑難問題。
附註:使用 debug 指令之前,請先參閱有關 Debug 指令的重要資訊。
您可以使用以下debug命令來排除WLC故障:
debug pem state enable — 用於配置訪問策略管理器調試選項。
debug pem events enable — 用於配置訪問策略管理器調試選項。
debug dhcp message enable — 顯示與DHCP伺服器交換的DHCP消息的調試。
debug dhcp packet enable — 顯示傳送到DHCP伺服器以及從DHCP伺服器傳送的DHCP資料包詳細資訊的調試。
您可以用來排解疑難問題的其他debug命令如下:
debug lwapp errors enable — 顯示LWAPP錯誤的調試。
debug pm pki enable — 顯示在AP和WLC之間傳遞的證書消息的調試。
此debug lwapp events enable WLC命令輸出顯示LAP已註冊到WLC:
(Cisco Controller) >debug lwapp events enable Mon Jun 12 09:04:57 2006: 00:0b:85:5e:40:00 Received LWAPP JOIN REQUEST from AP 00:0b:85:5e:40:00 to 06:0a:10:10:00:00 on port '1' Mon Jun 12 09:04:57 2006: 00:0b:85:5e:40:00 AP lab120br1510ip150: txNonce 00:0B:85:40:CF:A0 rxNonce 00:0B:85:5E:40:00 Mon Jun 12 09:04:57 2006: 00:0b:85:5e:40:00 LWAPP Join-Request MTU path from AP 00:0b:85:5e:40:00 is 1500, remote debug mode is 0 Mon Jun 12 09:04:58 2006: 00:0b:85:5e:40:00 Successfully added NPU Entry for AP 00:0b:85:5e:40:00 (index 1) Switch IP: 192.168.120.101, Switch Port: 12223, intIfNum 1, vlanId 0 AP IP: 192.168.120.150, AP Port: 58368, next hop MAC: 00:0b:85:5e:40:00 Mon Jun 12 09:04:58 2006: 00:0b:85:5e:40:00 Successfully transmission of LWAPP Join-Reply to AP 00:0b:85:5e:40:00 Mon Jun 12 09:04:58 2006: 00:0b:85:5e:40:00 Register LWAPP event for AP 00:0b:85:5e:40:00 slot 0 Mon Jun 12 09:04:58 2006: 00:0b:85:5e:40:00 Register LWAPP event for AP 00:0b:85:5e:40:00 slot 1 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Received LWAPP CONFIGURE REQUEST from AP 00:0b:85:5e:40:00 to 00:0b:85:40:cf:a3 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Updating IP info for AP 00:0b:85:5e:40:00 -- static 1, 192.168.120.150/255.255.255.0, gtw 192.168.120.1 Mon Jun 12 09:04:59 2006: spamVerifyRegDomain RegDomain set for slot 0 code 0 regstring -A regDfromCb -A Mon Jun 12 09:04:59 2006: spamVerifyRegDomain RegDomain set for slot 1 code 0 regstring -A regDfromCb -A Mon Jun 12 09:04:59 2006: spamEncodeDomainSecretPayload:Send domain secret airespacerf<65,4d,c3,6f,88,35,cd,4d,3b,2b,bd,95,5b,42,6d,ac,b6,ab,f7,3d> to AP 00:0b:85:5e:40:00 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Successfully transmission of LWAPP Config-Message to AP 00:0b:85:5e:40:00 Mon Jun 12 09:04:59 2006: Running spamEncodeCreateVapPayload for SSID 'lab120wlc4402ip100' Mon Jun 12 09:04:59 2006: Running spamEncodeCreateVapPayload for SSID 'lab120wlc4402ip100' Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 AP 00:0b:85:5e:40:00 associated. Last AP failure was due to Link Failure, reason: STATISTICS_INFO_RES Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Received LWAPP CHANGE_STATE_EVENT from AP 00:0b:85:5e:40:00 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Successfully transmission of LWAPP Change-State-Event Response to AP 00:0b:85:5e:40:00 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 apfSpamProcessStateChangeInSpamContext: Down LWAPP event for AP 00:0b:85:5e:40:00 slot 0 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Received LWAPP Down event for AP 00:0b:85:5e:40:00 slot 0! Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Received LWAPP CONFIGURE COMMAND RES from AP 00:0b:85:5e:40:00 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Received LWAPP CHANGE_STATE_EVENT from AP 00:0b:85:5e:40:00 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Successfully transmission of LWAPP Change-State-Event Response to AP 00:0b:85:5e:40:00 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 apfSpamProcessStateChangeInSpamContext: Down LWAPP event for AP 00:0b:85:5e:40:00 slot 1 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Received LWAPP Down event for AP 00:0b:85:5e:40:00 slot 1! Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Received LWAPP CONFIGURE COMMAND RES from AP 00:0b:85:5e:40:00 Mon Jun 12 09:04:59 2006: 00:0b:85:5e:40:00 Received LWAPP CONFIGURE COMMAND RES from AP 00:0b:85:5e:40:00
修訂 | 發佈日期 | 意見 |
---|---|---|
1.0 |
01-Dec-2013 |
初始版本 |