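Configuring the SAVI Security Check Feature for IPv4 Networks on WX Series ACs
I. Application Environment
To let the WLAN access device check that user IP addresses are legitimate and to keep unauthorized users off the WLAN, enable the IPv4 SAVI feature on the wireless controller. The WLAN access device then checks each user's IP address, so that once one terminal is using an IP address, no other terminal can use that address to access the network.
II. Networking Requirements
WX3010 wireless controller, WA2620i-AGN wireless access point, wireless laptop.
III. Network Diagram
IV. Configuration Steps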
#
version 5.20, Customer 3120P03
#
sysname AC
#
domain default enable system
#
telnet server enable
#
port-security enable
#
oap management-ip 192.168.0.101 slot 0
#
wlan client learn-ipaddr enable
#
vlan 1
#
vlan 2
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool ap
network 192.168.0.0 mask 255.255.255.0
gateway-list 192.168.0.100
#
dhcp server ip-pool client
network 192.168.2.0 mask 255.255.255.0
gateway-list 192.168.2.100
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$gJZzWBe4vIHXgsFuHBJf2RLWKrg4vWWM
authorization-attribute level 3
service-type telnet
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 2 clear
ssid h3c-ipv4-savi
ip verify source
bind WLAN-ESS 2
service-template enable
#
wlan ap-group default_group
ap ap
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.2.100 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1
#
interface WLAN-ESS2
port access vlan 2
#
wlan ap ap model WA2620i-AGN id 1
serial-id 219801A0CNC124004764
radio 1
service-template 2
radio enable
radio 2
#
dhcp enable
#
arp-snooping enable
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
#
return
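V. Key Configuration Points
# Enable the IPv4 address pool function
[AC]dhcp server ip-pool client
[AC-dhcp-pool-client]network 192.168.2.0 mask 255.255.255.0
[AC-dhcp-pool-client]gateway-list 192.168.2.100
[AC-dhcp-pool-client]quit
[AC]dhcp enable
# Enable the IPv4 SAVI feature on the service template
[AC]wlan service-template 2 clear
[AC-wlan-st-2]ssid h3c-ipv4-savi
[AC-wlan-st-2]ip verify source
[AC-wlan-st-2]bind WLAN-ESS 2
[AC-wlan-st-2]service-template enable
[AC-wlan-st-2]quit
# Enable client IP address learning on the AC in global view
[AC]wlan client learn-ipaddr enable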
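An added example, not part of the original case and not H3C tooling: a Python check that reads a saved configuration dump and reports where the two WLAN key points above are missing (`ip verify source` in each service template, `wlan client learn-ipaddr enable` globally). The function names and sample text are constructed for illustration, and the dump is assumed to use `#`-separated sections as in the configuration on this page.

```python
# Added example (not H3C code): audit a config dump for this page's SAVI key points.
def split_sections(config_text):
    """Split a 'display current-configuration' style dump on '#' separator lines."""
    sections, current = [], []
    for raw in config_text.splitlines() + ["#"]:
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    return sections


def audit_savi(config_text):
    """Return findings; an empty list means both WLAN key points are present."""
    sections = split_sections(config_text)
    findings = []
    # Key point: client IP address learning is enabled globally.
    if not any("wlan client learn-ipaddr enable" in sec for sec in sections):
        findings.append("global: 'wlan client learn-ipaddr enable' missing")
    # Key point: every service template carries 'ip verify source'.
    for sec in sections:
        words = sec[0].split()
        if len(words) < 3 or words[:2] != ["wlan", "service-template"]:
            continue  # e.g. 'wlan rrm' or 'wlan ap ...' sections
        if "ip verify source" not in sec:
            findings.append(f"service-template {words[2]}: 'ip verify source' missing")
    return findings


# Constructed samples: PAGE_EXCERPT reuses lines from this page's configuration;
# WEAK is the same excerpt with both SAVI-related lines removed.
PAGE_EXCERPT = """#
wlan client learn-ipaddr enable
#
wlan service-template 2 clear
ssid h3c-ipv4-savi
ip verify source
bind WLAN-ESS 2
service-template enable
#
wlan ap ap model WA2620i-AGN id 1
service-template 2
#
"""
WEAK = PAGE_EXCERPT.replace("ip verify source\n", "").replace(
    "wlan client learn-ipaddr enable\n", "")
if __name__ == "__main__": print(audit_savi(PAGE_EXCERPT), audit_savi(WEAK))
```

The check does not look at the DHCP pool, since addresses may be served from elsewhere in other deployments.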
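VI. Verification
1. After a terminal associates with the SSID and joins the wireless network, the corresponding IPv4 address binding entry can be seen on the wireless controller:
2. On the client, ping the AC using the automatically obtained address:
3. With the IPv4 SAVI feature not enabled, manually configure the above IP address on another client and ping the AC:
4. With the IPv4 SAVI feature enabled, manually configure the above IP address on another client and ping the AC: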