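Configuring the SAVI Security Check Feature on IPv6 Networks for WX Series ACs
I. Application environment
To ensure that WLAN access devices can check the validity of users' IPv6 addresses and prevent unauthorized users from accessing the WLAN, the IPv6 SAVI feature can be enabled on the wireless controller.
II. Networking requirements:
WX5004 wireless controller, WA2620i-AGN wireless access point, laptop (wireless NIC supports IPv6)
III. Network diagram
IV. Configuration steps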
#
version 5.20, Test 2507P01
#
sysname AC
#
ipv6
#
port-security enable
#
password-recovery enable
#
ipv6 dhcp server enable
#
vlan 1
#
vlan 9
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
dhcp server ip-pool ap
 network 192.168.0.0 mask 255.255.255.0
 gateway-list 192.168.0.100
#
user-group system
 group-attribute allow-guest
#
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 9 clear
 ssid ipv6_savi
 ipv6 verify source
 bind WLAN-ESS 9
 service-template enable
#
wlan ap-group default_group
 ap ap9
#
ipv6 dhcp pool 1
 network 2001::/64
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface9
 ipv6 nd autoconfig managed-address-flag
 ipv6 address 2001::1/64
 ip address 192.168.9.100 255.255.255.0
 ipv6 dhcp server apply pool 1
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface Ten-GigabitEthernet1/0/5
#
interface WLAN-ESS9
 port access vlan 9
#
wlan ap ap9 model WA2620i-AGN id 4
 serial-id 219801A0CNC124004764
 radio 1
 radio 2
  service-template 9
  radio enable
#
undo info-center logfile enable
#
dhcp enable
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
return
V. Key configuration points
# Enable IPv6 and the IPv6 address pool feature
[AC]ipv6
[AC]ipv6 dhcp server enable
[AC]ipv6 dhcp pool 1
[AC-dhcp6-pool-1]network 2001::/64
# Enable the IPv6 SAVI feature on the service template
[AC]wlan service-template 9 clear
[AC-wlan-st-9]ssid ipv6_savi
[AC-wlan-st-9]ipv6 verify source
[AC-wlan-st-9]bind WLAN-ESS 9
[AC-wlan-st-9]service-template enable
# IPv6-related configuration on the VLAN interface
[AC-Vlan-interface9]ipv6 nd autoconfig managed-address-flag
[AC-Vlan-interface9]ipv6 address 2001::1/64
[AC-Vlan-interface9]ipv6 dhcp server apply pool 1
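One way to check a saved configuration against the key points above, as an added example that is not part of the original case and is not H3C tooling: the script splits a Comware-style dump on its `#` separator lines and reports any enabled service template that lacks `ipv6 verify source`. Service template 10 and its SSID are constructed for illustration; the remaining sample lines mirror the configuration on this page.

```python
# Added example, not H3C tooling: audit a Comware-style dump for the SAVI key points.
# CONSTRUCTED sample: template 9 mirrors the page; template 10 ("guest") is hypothetical.
SAMPLE = """#
ipv6
#
ipv6 dhcp server enable
#
wlan service-template 9 clear
 ssid ipv6_savi
 ipv6 verify source
 bind WLAN-ESS 9
 service-template enable
#
wlan service-template 10 clear
 ssid guest
 bind WLAN-ESS 10
 service-template enable
#
interface Vlan-interface9
 ipv6 nd autoconfig managed-address-flag
 ipv6 address 2001::1/64
 ipv6 dhcp server apply pool 1
#
"""

def parse_sections(text):
    """Split the dump on '#' separator lines; works with or without indentation."""
    sections, current = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    return sections + ([current] if current else [])

def audit_savi(text):
    """Return findings for settings the key points rely on that are absent."""
    sections = parse_sections(text)
    lines = {l for s in sections for l in s}
    findings = [f"global: missing '{c}'" for c in ("ipv6", "ipv6 dhcp server enable") if c not in lines]
    for head, *body in sections:
        if head.startswith("wlan service-template ") and "service-template enable" in body \
                and "ipv6 verify source" not in body:
            findings.append(f"{head}: enabled without 'ipv6 verify source'")
        if head.startswith("interface Vlan-interface") \
                and any(b.startswith("ipv6 dhcp server apply pool") for b in body) \
                and "ipv6 nd autoconfig managed-address-flag" not in body:
            findings.append(f"{head}: DHCPv6 pool applied without managed-address-flag")
    return findings
```

Calling `audit_savi()` on the text of a saved configuration returns a list of findings; an empty list means every enabled service template carries the SAVI setting.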
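VI. Verification
1. After the client associates with the SSID and joins the wireless network, it obtains an IPv6 address:
2. The corresponding IPv6 address binding entry can be seen on the wireless controller:
3. On the client, ping the gateway using the automatically obtained IPv6 address:
4. Manually configure the IPv6 address 2001::5 on the client and ping the gateway using this address as the source: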