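What I want to achieve:
The G0/8 port of the wireless controller and the G1/0/21 port of the H3C switch should reach each other, interconnected over the 10.10.100.x subnet (VLAN 101)
AP addresses handed out by the wireless controller: 172.16.90.x (VLAN 690)
SSID A_Dev1 hands out 172.16.20.x (VLAN 620)
The problem I have now is that there is no connectivity between the wireless controller and the H3C.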
************************************************************************************************
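Figure above: the current topology is on the left, the desired topology after the change is on the right
Description of the current production topology: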
************************************************************************************************
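A Cisco WS-2960L-8PS-LL switch with an embedded (or integrated) wireless controller function; the wireless controller image is C9800-AP-K9_IOSXE-UNIVERSALK9-M, Version 17.3.4.
This device currently has two IP addresses:
The management address of the switch, 192.168.50.201 (link to current configuration)
The management address of the wireless controller, 192.168.50.205 (link to current configuration)
The GUI management interface can be reached separately through each of these two IPs.
At present G0/8 uplinks to an ASUS router, on which a proxy is configured for Internet access; the interconnect subnet is 192.168.50.x/24.
Ports G0/2, 3 and 5 of this device each connect to a Cisco C9115AXE-H wireless AP, three in total; these APs also have 192.168.50.x addresses.
The SSID currently enabled on this device is OFFICE-Cisco; clients that enter the PSK also obtain 192.168.50.x addresses.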
************************************************************************************************
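Because we need different services to leave through different uplinks, for example:
Users connecting to SSID A_Dev1 are assigned IPs from the 172.16.20.x subnet
Users connecting to SSID A_BAN are assigned IPs from the 172.16.30.x subnet
Policy-based routing is enabled on the firewall so that these two subnets leave through different uplinks.
Connecting the H3C 5500v2 to a Cisco WS-C2960X-48TS-L Layer 2 switch worked. Once an interface on the Layer 2 switch is assigned to the designated VLAN, the client obtains an IP from the corresponding subnet, and policy-based routing on the upstream firewall can then split the traffic.
[Working configuration] The configuration on the H3C 5500v2 (aggregation port) facing the Cisco WS-C2960X-48TS-L Layer 2 switch is as follows: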
interface Bridge-Aggregation11
 port link-type trunk
 port trunk permit vlan all
 dhcp snooping trust
#
interface GigabitEthernet1/0/17
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 11
 dhcp snooping trust
#
interface GigabitEthernet1/0/18
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 11
 dhcp snooping trust
#
[Working configuration] The configuration of the aggregation port on the Cisco WS-C2960X-48TS-L Layer 2 switch facing the H3C 5500v2 is as follows:
interface Port-channel11
 switchport mode trunk
 spanning-tree mst 0 cost 10000
!
interface GigabitEthernet2/0/47
 switchport mode trunk
 spanning-tree mst 0 cost 20000
 channel-group 11 mode on
!
interface GigabitEthernet2/0/48
 switchport mode trunk
 spanning-tree mst 0 cost 20000
 channel-group 11 mode on
!
I have already implemented this part; I mention it here only to explain the motivation for the change.
************************************************************************************************
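What is troubling me now:
When I connected the wireless controller's uplink port to the H3C 5500 following the above, it did not work. The changes I made are:
[Possibly faulty] The configuration on the H3C 5500v2 is as follows (intended for connecting to the wireless controller):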
interface GigabitEthernet1/0/21
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 undo stp enable
 dhcp snooping trust
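[Possibly faulty] The configuration of the Cisco WS-2960L-8PS-LL wireless controller is as follows (connecting to the H3C core):
interface GigabitEthernet0/8
 switchport mode trunk
!
// I entered switchport trunk allowed vlan all here, but it does not show up.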
Management address as the wireless controller, 192.168.50.205, partial screenshot
Management address as the switch, 192.168.50.201, partial screenshot
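First of all, thank you for your reply.
Port G0/8 of the physical device corresponds to two addresses:
192.168.50.201
192.168.50.205
Below is the information queried from each of the two IPs:
**********************************Information queried from the physical device's console port*****************************************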
Mon Mar 07 2022 13:55:19 GMT+0800 (中国标准时间)
===================================================================================
#show inter status
Port Name Status Vlan Duplex Speed Type
Gi0/1 notconnect 1 auto 100 10/100/1000BaseTX
Gi0/2 connected 1 a-full 100 10/100/1000BaseTX
Gi0/3 connected 1 a-full 100 10/100/1000BaseTX
Gi0/4 notconnect 1 auto auto 10/100/1000BaseTX
Gi0/5 connected 1 a-full 100 10/100/1000BaseTX
Gi0/6 notconnect 1 auto auto 10/100/1000BaseTX
Gi0/7 notconnect 1 auto auto 10/100/1000BaseTX
Gi0/8 connected trunk a-full 100 10/100/1000BaseTX
Gi0/9 notconnect 1 auto auto Not Present
Gi0/10 notconnect 1 auto auto Not Present
Mon Mar 07 2022 13:55:46 GMT+0800 (中国标准时间)
===================================================================================
#show run inter gi0/8
Building configuration...
Current configuration : 70 bytes
!
interface GigabitEthernet0/8
switchport mode trunk
speed 100
end
Mon Mar 07 2022 14:01:53 GMT+0800 (中国标准时间)
===================================================================================
#show ip inter bri
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.50.201 YES NVRAM up up
Vlan101 10.10.100.11 YES NVRAM up up
Vlan610 172.16.10.2 YES NVRAM up up
Vlan620 172.16.20.2 YES NVRAM up up
Vlan630 172.16.30.2 YES NVRAM up up
Vlan640 172.16.40.2 YES NVRAM up up
Vlan690 172.16.90.2 YES NVRAM up up
GigabitEthernet0/1 unassigned YES unset down down
GigabitEthernet0/2 unassigned YES unset up up
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/4 unassigned YES unset down down
GigabitEthernet0/5 unassigned YES unset up up
GigabitEthernet0/6 unassigned YES unset down down
GigabitEthernet0/7 unassigned YES unset down down
GigabitEthernet0/8 unassigned YES unset up up
GigabitEthernet0/9 unassigned YES unset down down
GigabitEthernet0/10 unassigned YES unset down down
**********************************Information queried from the wireless controller CLI*****************************************
AP1#show vers
Cisco IOS XE Software, Version 17.03.04
Cisco IOS Software [Amsterdam], C9800-AP Software (C9800-AP-K9_IOSXE-UNIVERSALK9-M), Version 17.3.4, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Fri 02-Jul-21 17:18 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2021 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
AP1 uptime is 19 hours, 39 minutes
Uptime for this control processor is 19 hours, 42 minutes
System returned to ROM by reload
System restarted at 10:20:15 UTC Sun Mar 6 2022
System image file is "/tmp/sw/rp/0/0/rp_wlc/mount/usr/binos/bin/linux_iosd-image"
Last reload reason: reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
AIR License Level: AIR DNA Essentials
Next reload AIR license Level: AIR DNA Essentials
Smart Licensing Status: Registration Not Applicable/Not Applicable
cisco C9115AXE-H (VXE) processor (revision VXE) with 324967K bytes of memory.
Processor board ID FGL2450L3XA
2048K bytes of non-volatile configuration memory.
1971660K bytes of physical memory.
100000K bytes of AP Images at ap_images:.
513300K bytes of Backup Controller Image at backup_image:.
7774207K bytes of virtual hard disk at bootflash:.
25000K bytes of Temp trace export at tmp_trace_export:.
Installation mode is BUNDLE
Configuration register is 0x2102
AP1#show inter stats
GigabitEthernet0
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
Vlan1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
Vlan101
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
Vlan610
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
Vlan620
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
Vlan630
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
Vlan640
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
Vlan690
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
AP1#show interfaces gigabitEthernet 0
GigabitEthernet0 is up, line protocol is up
Hardware is EWC management port, address is 0000.5e00.0101 (bia 0000.0000.0000)
Internet address is 192.168.50.205/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Unknown, Unknown, link type is force-up, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 packets output, 0 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
AP1#
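1. First check the link aggregation configuration between the Cisco switch and the H3C switch; it is recommended that both sides use the dynamic LACP protocol;
2. The link between the Cisco switch and the H3C switch runs a trunk on top of the aggregation port; on the Cisco switch side, check whether it is encapsulated as 802.1Q;
3. If the steps above are all fine, permit every VLAN that needs to pass, and check whether either device still has VLANs that have not been created or not been permitted;
4. Then deal with the switch ports that connect the APs; the ports connecting APs should also be trunk ports, permitting the service VLANs and the management VLAN;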
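1. For Layer 2 connectivity between the switch and the H3C, simply enable trunk; all VLANs are allowed by default. It is also recommended to enable STP on the H3C interface.
2. I see you are using the 2960L as both EWC (embedded wireless controller) and switch, sharing the physical interface. In the EWC, however, the management interface is an L3 interface and probably cannot tag frames; if you want to move the management interface into another VLAN, you may need to change the native VLAN of the trunk interface.
3. At the switch level, every VLAN interface can be used to log in to the switch; you could try whether the other VLAN interfaces created in the EWC can be used to log in to the device. (The other VLAN interfaces may not be usable for AP management registration. Registering APs probably still requires the management interface; treat this only as something to try.)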
This reply came closest; thank you for your reply, it was a great help to me.
The detailed configuration is as follows:
CSW: H3C 5500v2 switch
#
 dhcp snooping enable
#
stp region-configuration
 region-name ABC
 revision-level 10
 active region-configuration
#
 stp instance 0 root primary
 stp global enable
#
interface Bridge-Aggregation13
 port link-type trunk
 port trunk permit vlan all
 port trunk pvid vlan 101
 dhcp snooping trust
#
interface GigabitEthernet1/0/15
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 port trunk pvid vlan 101
 port link-aggregation group 13
 dhcp snooping trust
#
interface GigabitEthernet1/0/16
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 port trunk pvid vlan 101
 port link-aggregation group 13
 dhcp snooping trust
#
EWC: Cisco WS-C2960L-8PS-LL
!
ip dhcp snooping vlan 101,610,620,630,640,690
ip dhcp snooping
!
spanning-tree mode mst
spanning-tree extend system-id
spanning-tree pathcost method long
!
spanning-tree mst configuration
 name ABC
 revision 10
!
no spanning-tree vlan 101,610,620,630,640,690
!
vlan internal allocation policy ascending
no cdp advertise-v2
!
interface Port-channel3
 switchport trunk native vlan 101
 switchport mode trunk
 spanning-tree mst 0 cost 10000
 ip dhcp snooping trust
!
interface GigabitEthernet0/7
 switchport trunk native vlan 101
 switchport mode trunk
 spanning-tree mst 0 cost 20000
 channel-group 3 mode on
 ip dhcp snooping trust
!
interface GigabitEthernet0/8
 switchport trunk native vlan 101
 switchport mode trunk
 spanning-tree mst 0 cost 20000
 channel-group 3 mode on
 ip dhcp snooping trust
!
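The management interface on the EWC is still configured as L3 and placed in the VLAN 101 segment; the APs are also in the VLAN 101 segment, so the APs and the management interface are on the same segment and can register directly.
That is all.
Finally, thank you to the other experts who replied to me as well.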
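
The working configuration in the final post sets the trunk's untagged VLAN (Cisco native vlan, H3C pvid) to the management VLAN 101 on both ends, which is what the accepted reply suggested for an L3 management interface that probably cannot tag. The Python check below is an added example, not part of the original thread: the helper names are hypothetical and the sample configurations are constructed by trimming the ones quoted above.

```python
import re

# Constructed samples, trimmed from the configurations quoted in the thread.
H3C_BEFORE = """interface GigabitEthernet1/0/21
 port link-type trunk
 undo stp enable
"""
CISCO_BEFORE = """interface GigabitEthernet0/8
 switchport mode trunk
"""
H3C_AFTER = """interface Bridge-Aggregation13
 port link-type trunk
 port trunk pvid vlan 101
"""
CISCO_AFTER = """interface Port-channel3
 switchport trunk native vlan 101
 switchport mode trunk
"""

def stanza(config, ifname):
    """Return the sub-commands configured under one interface."""
    cmds, inside = [], False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            inside = line.split(None, 1)[1] == ifname
        elif line in ("#", "!"):
            inside = False
        elif inside and line:
            cmds.append(line)
    return cmds

def untagged_vlan(cmds):
    """VLAN that untagged frames join on a trunk (both vendors default to 1)."""
    pat = r"(?:port trunk pvid vlan|switchport trunk native vlan) (\d+)"
    hits = [m.group(1) for m in (re.fullmatch(pat, c) for c in cmds) if m]
    return int(hits[-1]) if hits else 1

def audit_link(h3c_cfg, h3c_if, cisco_cfg, cisco_if, mgmt_vlan):
    """Hypothetical helper: list problems on one H3C-to-Cisco trunk."""
    h3c, cisco = stanza(h3c_cfg, h3c_if), stanza(cisco_cfg, cisco_if)
    pvid, native = untagged_vlan(h3c), untagged_vlan(cisco)
    findings = []
    if pvid != native:
        findings.append(f"native VLAN mismatch: H3C {pvid}, Cisco {native}")
    if native != mgmt_vlan:
        findings.append(f"untagged management frames land in VLAN {native}, not {mgmt_vlan}")
    if "undo stp enable" in h3c:
        findings.append("STP is disabled on the H3C port")
    return findings
```

Run against the first attempt (G1/0/21 to Gi0/8) it reports that untagged management traffic stays in VLAN 1 and that STP is off on the H3C port; run against the final Bridge-Aggregation13 to Port-channel3 pair it returns no findings.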