中大型企業有線無線使用者統一接入(實施筆記)

組網圖形

　　　　

有線無線使用者統一接入簡介

• 在實際的使用場景中，有線網路和無線網路環境通常是共同存在的。例如在辦公區內PC電腦、印表機等裝置通常通過有線方式接入網路，而筆記本、手機終端等移動裝置通常是通過無線方式接入網路。通過部署有線無線使用者統一接入的網路環境，可以同時為有線使用者和無線使用者提供網路接入的服務，實現對有線使用者和無線使用者的統一管理。

配置注意事項

• 本舉例使用Portal認證，為保證實際網路的安全性，請根據實際的需求配置合適的安全策略。
• 隧道轉發模式下，管理VLAN和業務VLAN不能配置為同一VLAN。直接轉發模式下，管理VLAN和業務VLAN建議也不要配置為同一VLAN。
• 資料轉發方式為直接轉發時，建議在直接連線AP的裝置介面上配置埠隔離，如果不配置埠隔離，可能會在VLAN記憶體在不必要的廣播報文，或者導致不同AP間的WLAN使用者二層互通的問題。

　　配置管理VLAN和業務VLAN：

• 隧道轉發模式下，業務報文會封裝在CAPWAP資料隧道中進行傳輸，傳送給AC，然後由AC再轉發到上層網路或AP，所以只要配置AC與AP間的網路加入管理VLAN，AC與上層網路間的網路加入業務VLAN，就能正常傳輸業務報文和管理報文。
• 直接轉發模式下，業務報文不會進行CAPWAP封裝，而是直接轉發給上層網路或AP，所以需要配置AC與AP間的網路加入管理VLAN，AP與上層網路間的網路加入業務VLAN，才能正常傳輸業務報文和管理報文。

組網需求

• 企業由於業務要求，需要在其企業大樓內同時部署有線和無線網路。為方便管理維護，管理員希望能夠在AC上集中管理有線使用者和無線使用者，有線使用者採取免認證方式，無線使用者採用Portal認證方式，並且無線使用者能夠在AC內漫遊。
• 如圖所示，AC上行連線出口閘道器Router；下行通過接入交換機S5700-1和S5700-2連線和管理AP，其中，S5700-1部署在一樓，S5700-2部署在二樓。在每個房間內部署AP2010DN為房間內使用者同時提供有線接入和無線接入，在樓道中部署AP5030DN提供無線網路覆蓋。S5700-1和S5700-2均為PoE交換機，為連線的AP供電；為使整體網路規劃簡潔，便於管理，接入交換機只做二層透傳，所有閘道器配置在AC上；AC作為DHCP伺服器為AP、STA和PC分配IP地址。

配置思路

• 1.配置各網路裝置，使AP、接入交換機S5700-1、S5700-2、AC和上層網路裝置之間實現網路互通。
• 2.配置AC作為DHCP伺服器，為AP、有線使用者和無線使用者分配IP地址。
• 3.配置RADIUS伺服器認證、計費和授權模板和Portal認證。
• 4.配置WLAN基本業務，包括AC系統引數、AC上管理AP和WLAN業務引數。
• 5.配置VAP並下發配置。
• 6.驗證配置結果，有線使用者和無線使用者都能夠接入Internet。

操作步驟

• 1.配置各網路裝置互通

　　# 配置交換機S5700-1和S5700-2的介面GE0/0/1～GE0/0/4都加入VLAN100（管理VLAN），S5700-1的介面GE0/0/1～GE0/0/4加入VLAN201（有線業務報文所屬VLAN），S5700-2的介面GE0/0/1～GE0/0/4加入VLAN202（有線業務報文所屬VLAN），其中直連AP的介面需要配置PVID，並建議直連AP的介面配置埠隔離以減少廣播報文。以配置S5700-1為例，S5700-2的配置與S5700-1類似，不再贅述。

[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100   //直連AP的介面需要配置PVID
[S5700-1-GigabitEthernet0/0/2] port-isolate enable   //配置埠隔離以減少廣播報文
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit

 　　# 配置AC連線接入交換機S5700-1的介面GE1/0/1加入VLAN100和VLAN201，連線接入交換機S5700-2的介面GE1/0/2加入VLAN100和VLAN202，連線上層網路的介面GE1/0/4加入VLAN300，連線Agile Controller的介面GE1/0/3加入VLAN200。

[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit

 　　# 配置VLANIF200，用於AC和Agile Controller通訊。

[AC] interface vlanif200
[AC-Vlanif200] ip address 10.23.200.2 24  //配置IP地址用於AC和Agile Controller通訊
[AC-Vlanif200] quit

•  2.配置AC為DHCP Server，分別為PC、AP、STA分配IP地址

　　# 配置AC通過介面地址池為PC、AP、STA分配IP地址。

[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100  //配置介面地址池為AP分配IP地址
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101  //配置介面地址池為一樓無線使用者STA分配IP地址
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102  //配置介面地址池為二樓無線使用者STA分配IP地址
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201  //配置介面地址池為一樓有線使用者PC分配IP地址
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202  //配置介面地址池為二樓有線使用者PC分配IP地址
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit

•  3.配置RADIUS伺服器認證、計費和授權模板和Portal認證

　　# 配置AC的RADIUS伺服器認證、計費和授權模板。

[AC] radius-server template radius1  //建立名為radius1的RADIUS伺服器模板
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80   //配置RADIUS認證伺服器，認證埠1812，AC使用10.23.200.2和RADIUS伺服器通訊
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80   //配置RADIUS計費伺服器，以便獲取終端使用者的上下線資訊，計費埠1813，AC使用10.23.200.2和RADIUS伺服器通訊
[AC-radius-radius1] radius-server shared-key cipher Admin@123   //配置RADIUS伺服器預共享金鑰
[AC-radius-radius1] undo radius-server user-name domain-included   //裝置向RADIUS伺服器傳送的使用者名稱不包含域名，當RADIUS伺服器不接受帶域名的使用者時需要配置
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123   //配置RADIUS授權伺服器的地址，共享金鑰為Admin@123，必須與認證金鑰和計費金鑰一致。配置授權伺服器以便RADIUS伺服器向AC下發授權規則
[AC] aaa
[AC-aaa] authentication-scheme radius1  //建立名為radius1的認證方案
[AC-aaa-authen-radius1] authentication-mode radius   //Agile Controller作為RADIUS伺服器，認證方案必須配置為RADIUS
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1  //建立名為radius1的計費方案
[AC-aaa-accounting-radius1] accounting-mode radius   //配置計費方案為RADIUS方式。為了方便RADIUS伺服器維護賬號的狀態資訊，例如上下線資訊，強制帳號下線，計費模式必須配置為radius
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1   //建立名為portal1的域
[AC-aaa-domain-portal1] authentication-scheme radius1  //繫結認證方案radius1
[AC-aaa-domain-portal1] accounting-scheme radius1  //繫結計費方案radius1
[AC-aaa-domain-portal1] radius-server radius1  //繫結RADIUS伺服器模板radius1
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

 　　# 配置Portal伺服器。

[AC] web-auth-server portal1  //建立名為portal1的Portal伺服器模板
[AC-web-auth-server-portal1] server-ip 10.23.200.1  //配置Portal伺服器的IP地址
[AC-web-auth-server-portal1] port 50200  //配置裝置向Portal伺服器主動傳送報文時使用的目的埠號為50200，預設為50200
[AC-web-auth-server-portal1] shared-key cipher Admin@123  //配置AC與Portal伺服器資訊互動的共享金鑰
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal  //配置指向Portal伺服器的URL
[AC-web-auth-server-portal1] quit

 　　# 在WLAN-ESS介面下繫結Portal伺服器模板，使能Portal認證的功能，對無線使用者進行Portal認證，有線使用者進行免認證。

[AC] interface wlan-ess 1
[AC-Wlan-Ess1] domain name portal1 force  //配置使用者強制域為portal1
[AC-Wlan-Ess1] domain name portal1  //配置使用者預設域為portal1
[AC-Wlan-Ess1] authentication portal  //配置認證功能為Portal認證
[AC-Wlan-Ess1] web-auth-server portal1 direct  //繫結名為portal1的Portal伺服器模板並指定Portal認證方式為二層認證方式
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] domain name portal1 force  //配置使用者強制域為portal1
[AC-Wlan-Ess2] domain name portal1  //配置使用者預設域為portal1
[AC-Wlan-Ess2] authentication portal  //配置認證功能為Portal認證
[AC-Wlan-Ess2] web-auth-server portal1 direct  //繫結名為portal1的Portal伺服器模板並指定Portal認證方式為二層認證方式
[AC-Wlan-Ess2] quit

•  4.配置AP上線

　　# 建立AP組，用於將相同配置的AP都加入同一AP組中。

[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

　　# 建立域管理模板，在域管理模板下配置AC的國家碼並在AP組下引用域管理模板。

[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn  //配置AC的國家碼，使AC管理的AP的射頻特性符合不同國家或區域的法律法規要求，國家碼預設值為CN
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y 
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y 
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

　　# 配置AC的源介面。

[AC] capwap source interface vlanif 100

　　# 在AC上離線匯入AP。

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 101 ap-mac 60de-4476-e320
[AC-wlan-ap-101] ap-name ap-101
[AC-wlan-ap-101] ap-group ap-group1  //部署在一樓的AP都加入到AP組ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y 
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 60de-4476-e340
[AC-wlan-ap-102] ap-name ap-102
[AC-wlan-ap-102] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y 
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac dcd2-fc04-b520
[AC-wlan-ap-103] ap-name ap-103
[AC-wlan-ap-103] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y 
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201 ap-mac 60de-4476-e360
[AC-wlan-ap-201] ap-name ap-201
[AC-wlan-ap-201] ap-group ap-group2  //部署在二樓的AP都加入到AP組ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y 
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y 
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203 ap-mac dcd2-fc04-b540
[AC-wlan-ap-203] ap-name ap-203
[AC-wlan-ap-203] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y 
[AC-wlan-ap-203] quit

 　　# 將AP上電後，當執行命令display ap all檢視到AP的“State”欄位為“nor”時，表示AP正常上線。

[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [6]
-------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime
-------------------------------------------------------------------------------------------------
101  60de-4476-e320 ap-101 ap-group1 10.23.101.254 AP6010DN-AGN    nor   0   10S
102  60de-4476-e340 ap-102 ap-group1 10.23.101.253 AP6010DN-AGN    nor   0   15S
103  dcd2-fc04-b520 ap-103 ap-group1 10.23.101.252 AP6010DN-AGN    nor   0   23S
201  60de-4476-e360 ap-201 ap-group2 10.23.102.254 AP6010DN-AGN    nor   0   45S
202  60de-4476-e380 ap-202 ap-group2 10.23.102.253 AP6010DN-AGN    nor   0   49S
203  dcd2-fc04-b540 ap-203 ap-group2 10.23.102.252 AP6010DN-AGN    nor   0   55S
-------------------------------------------------------------------------------------------------
Total: 6

 　　# 配置AP2010DN的上行有線口GE0/0/0和下行介面Eth0/0/0、Eth0/0/1允許有線業務報文通過。

[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201  //AP2010DN下行介面用於連線PC等有線使用者終端，需要配置PVID，VLAN201用於傳輸一樓的有線業務報文
[AC-wlan-wired-port-wired1] vlan untagged 201  //AP2010DN下行介面用於連線PC等有線使用者終端，需要配置untagged
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201  //AP2010DN上行介面用於連線上行網路裝置，需要配置tagged
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202  //AP2010DN下行介面用於連線PC等有線使用者終端，需要配置PVID，VLAN202用於傳輸二樓的有線業務報文
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-201] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-202] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-202] quit

•  5.配置WLAN業務引數

 　　# 建立名為“rrm1”的RRM模板。

[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable  //配置射頻的通道選擇模式為固定模式
[AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable  //配置射頻的功率模式為固定模式
[AC-wlan-rrm-prof-rrm1] quit

 　　# 建立名為“radio-2g”和“radio-5g”的射頻模板，繫結RRM模板“rrm1”。

[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit

 　　# 建立名為“wlan-security”的安全模板，並配置安全策略。

[AC-wlan-view] security-profile name wlan-security  //介面下已經使能了Portal認證，所以安全策略使用預設的OPEN方式，不認證，不加密
[AC-wlan-sec-prof-wlan-security] quit

 　　# 建立名為“wlan-ssid”的SSID模板，並配置SSID名稱為“hospital-wlan”。

[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan  //配置SSID名稱為hospital-wlan
[AC-wlan-ssid-prof-wlan-ssid] quit

 　　# 配置名為“traffic1”的流量模板，並配置無線使用者二層隔離。

[AC-wlan-view] traffic-profile name traffic1
[AC-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y 

 　　# 建立名為“wlan-vap1”和“wlan-vap2”的VAP模板，配置業務資料轉發模式、業務VLAN，並且引用安全模板、SSID模板、認證模板和流量模板。

[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel  //配置業務轉發模式為隧道轉發
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101  //預設情況下VLAN ID為1，修改VLAN ID為101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security 
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel  //配置業務轉發模式為隧道轉發
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102  //預設情況下VLAN ID為1，修改VLAN ID為102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security 
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid 
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit

 　　# 配置AP組引用VAP模板和射頻模板。

[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio-2g
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio-5g
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] radio-2g-profile radio-2g
[AC-wlan-ap-group-ap-group2] radio-5g-profile radio-5g
[AC-wlan-ap-group-ap-group2] quit

•  6.配置VAP並下發

　　# 配置VAP。

[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] radio 0
[AC-wlan-radio-101/0] channel 20mhz 1  //根據WLAN planner網規工具規劃的結果配置通道
[AC-wlan-radio-101/0] eirp 10  //根據WLAN planner網規工具規劃的結果配置功率
[AC-wlan-radio-101/0] quit
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] radio 0
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] eirp 10
[AC-wlan-radio-102/0] quit
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 0
[AC-wlan-radio-103/0] channel 20mhz 11
[AC-wlan-radio-103/0] eirp 10
[AC-wlan-radio-103/0] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 1  //AP5030支援兩個射頻，此步配置射頻1
[AC-wlan-radio-103/1] channel 20mhz 153
[AC-wlan-radio-103/1] eirp 10
[AC-wlan-radio-103/1] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] radio 0
[AC-wlan-radio-201/0] channel 20mhz 1 
[AC-wlan-radio-201/0] eirp 10 
[AC-wlan-radio-201/0] quit
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] radio 0
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] eirp 10
[AC-wlan-radio-202/0] quit
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 0
[AC-wlan-radio-203/0] channel 20mhz 11
[AC-wlan-radio-203/0] eirp 10
[AC-wlan-radio-203/0] quit
[AC-wlan-ap-203] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 1 
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] eirp 10
[AC-wlan-radio-203/1] quit
[AC-wlan-ap-203] quit

 　　# 下發配置。

[AC-wlan-view] commit all  //在AC上配置關於AP的WLAN業務配置後，需要下發配置到AP上才能最終生效
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

•  7.驗證配置結果

　　# 配置完成後，通過display vap all命令，可以檢視到VAP已建立成功。

[AC-wlan-view] display vap all
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID AP name    RfID WID   BSSID          Status  Auth type  STA  SSID
----------------------------------------------------------------------------------
101   ap-101     0    1     60DE-4476-E320 ON      OPEN       0    hospital-wlan
102   ap-102     0    1     60DE-4476-E340 ON      OPEN       0    hospital-wlan
103   ap-103     0    1     DCD2-FC04-B520 ON      OPEN       0    hospital-wlan
103   ap-103     1    1     DCD2-FC04-B530 ON      OPEN       0    hospital-wlan
201   ap-201     0    1     60DE-4476-E360 ON      OPEN       0    hospital-wlan
202   ap-202     0    1     60DE-4476-E380 ON      OPEN       0    hospital-wlan
203   ap-203     0    1     DCD2-FC04-B540 ON      OPEN       0    hospital-wlan
203   ap-203     1    1     DCD2-FC04-B550 ON      OPEN       0    hospital-wlan
---------------------------------------------------------------------------------
Total: 8 

 　　# STA搜尋到名為“hospital-wlan”的無線網路並正常關聯後，STA能夠被分配相應的IP地址，使用者輸入金鑰可以訪問無線網路，在AC上執行display station all命令，可以檢視到使用者已經接入到無線網路“hospital-wlan”中。

[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC          AP ID Ap name       Rf/WLAN  Band  Type  Rx/Tx    RSSI  VLAN  IP address    SSID
----------------------------------------------------------------------------------------------------------
14cf-9208-9abf   0     ap-101        0/1      2.4G  11n   3/8      -70   10    10.23.101.254 hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

 　　# 無線使用者STA和有線使用者PC能夠分配到IP地址，正常連線網路。