一、实验拓扑

二、拓扑介绍

• 拓扑中有AP7和AP8两个瘦AP，它们是从AC5自动获取IP地址，它们处于VLAN100；
• STA8与STA9是从三层交换机LSW5自动获取IP地址，它们处于VLAN101；
• AR2是出口路由器，AR3是公网中的任意一个路由器。

三、实验配置

AR3：
interface GigabitEthernet0/0/0
 ip address 16.16.16.16 255.255.255.0 

AR2：
interface GigabitEthernet0/0/0
 ip address 192.168.201.2 255.255.255.0 

acl number 2000  
 rule 5 permit 
interface GigabitEthernet0/0/1
 ip address 16.16.16.1 255.255.255.0 
 nat outbound 2000

ip route-static 0.0.0.0 0.0.0.0 16.16.16.16
ip route-static 192.168.0.0 255.255.0.0 192.168.201.1

LSW5:
vlan batch 100 to 101 201
dhcp enable

ip pool sta
 gateway-list 192.168.101.254
 network 192.168.101.0 mask 255.255.255.0
 dns-list 8.8.8.8

interface Vlanif101
 ip address 192.168.101.254 255.255.255.0
 dhcp select global
#
interface Vlanif201
 ip address 192.168.201.1 255.255.255.0

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 201
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100 to 101

ip route-static 0.0.0.0 0.0.0.0 192.168.201.2

LSW6：
sys
vlan batch 100 to 101

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101

interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101

LSW7:
vlan batch 100 to 101
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101

interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101

AC5:
vlan batch 100 to 101
dhcp enable

ip pool ap
 gateway-list 192.168.100.254 
 network 192.168.100.0 mask 255.255.255.0 
 dns-list 8.8.8.8 

interface Vlanif100
 ip address 192.168.100.254 255.255.255.0
 dhcp select global

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101

wlan
ap-group name ap-group1 //创建ap组
regulatory-domain-profile name default  
country-code CN
q
ap-group name ap-group1
 regulatory-domain-profile  default
选择y
q

capwap source interface vlanif100 //建立源为vlanif100的隧道

wlan
ap auth-mode mac-auth //ap认证模式是mac地址认证
ap-id 0 ap-mac 00e0-fc4d-6320
ap-name ap1
ap-group ap-group1
选择y
q

ap-id 1 ap-mac 00e0-fc42-09c0
ap-name ap2
ap-group ap-group1
选择y
q

dis ap all //查看连接的ap信息

security-profile name anquan //创建安全模板
security wpa-wpa2 psk pass-phrase 12345678 aes
ssid-profile name test
q

vap-profile name test-wlan //创建vap模板
forward-mode direct-forward //直接转发模式
service-vlan vlan 101 //设置VLAN101为服务VLAN
q

ap-group name ap-group1
vap-profile test-wlan wlan 1 radio all

四、结果验证

• 查看STA8自动获取到的ip地址

• 使用AP8ping公网地址测试
  
• 使用display ap all查看AC下面连接的AP信息。

• 使用AP8ping测试AC5。
  
• 查看STA8可以连接的AP列表。

五、总结

AC与瘦AP的组网是企业中最常用的WLAN组网方式，可以使用AC创建合适的安全策略，保证企业WLAN的安全。