WX系列AC IPv6网络的SAVI安全检测功能配置

一、  应用环境

为了保证WLAN接入设备能够对用户IPv6地址进行安全合法性检查，避免非法用户的访问WLAN网络，可以在无线控制器上启用IPv6 SAVI功能。

二、  组网需求：

WX5004无线控制器、WA2620i-AGN无线接入点、便携机（无线网卡支持IPv6）

三、  组网图

四、配置步骤

#

version 5.20, Test 2507P01

#

 sysname AC

#

 ipv6

#

 port-security enable

#

 password-recovery enable

#

 ipv6 dhcp server enable

#

vlan 1

#

vlan 9

#

domain system

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

#

dhcp server ip-pool ap

 network 192.168.0.0 mask 255.255.255.0

 gateway-list 192.168.0.100

#

user-group system

 group-attribute allow-guest

#

wlan rrm       

 dot11a mandatory-rate 6 12 24

 dot11a supported-rate 9 18 36 48 54

 dot11b mandatory-rate 1 2

 dot11b supported-rate 5.5 11

 dot11g mandatory-rate 1 2 5.5 11

 dot11g supported-rate 6 9 12 18 24 36 48 54

#              

wlan service-template 9 clear

 ssid ipv6_savi

ipv6 verify source

 bind WLAN-ESS 9

 service-template enable

#

wlan ap-group default_group

 ap ap9

#

ipv6 dhcp pool 1

 network 2001::/64

#

interface NULL0

#

interface Vlan-interface1

 ip address 192.168.0.100 255.255.255.0

#

interface Vlan-interface9

ipv6 nd autoconfig managed-address-flag

 ipv6 address 2001::1/64

 ip address 192.168.9.100 255.255.255.0

 ipv6 dhcp server apply pool 1

#

interface GigabitEthernet1/0/1

#

interface GigabitEthernet1/0/2

#

interface GigabitEthernet1/0/3

#

interface GigabitEthernet1/0/4

#

interface Ten-GigabitEthernet1/0/5

#

interface WLAN-ESS9

 port access vlan 9

#

wlan ap ap9 model WA2620i-AGN id 4

 serial-id 219801A0CNC124004764

 radio 1       

 radio 2

  service-template 9

  radio enable

#

 undo info-center logfile enable

#

 dhcp enable

#

user-interface con 0

user-interface vty 0 4

 authentication-mode scheme

 user privilege level 3

#

return

五、  配置关键点

#使能IPv6和IPv6地址池功能

[AC]ipv6

[AC]ipv6 dhcp server enable

[AC]ipv6 dhcp pool 1

[AC-dhcp6-pool-1]network 2001::/64

#使能服务模板IPv6 SAVI功能

[AC]wlan service-template 9 clear

[AC-wlan-st-9]ssid ipv6_savi

[AC-wlan-st-9]ipv6 verify source

[AC-wlan-st-9]bind WLAN-ESS 9

[AC-wlan-st-9]service-template enable

#VLAN接口下IPv6相关配置

[AC-Vlan-interface9]ipv6 nd autoconfig managed-address-flag

[AC-Vlan-interface9]ipv6 address 2001::1/64  

[AC-Vlan-interface9]ipv6 dhcp server apply pool 1 

六、结果验证

1、终端关联SSID接入无线网络后，获取IPv6地址：

2、在无线控制器上可以看到相关IPv6地址绑定表项：

3、在客户端上用自动获取的IPv6地址Ping网关：

4、客户端手工配置IPv6地址2001::5并带这个源Ping网关：