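Configuration approach:
The wireless AP, the 5720 and the AC are connected at layer 2 and all belong to the same VLAN 3; the AC is the DHCP server for the AP.
The service gateways are on the 5720, and DHCP for the service subnets is also on the 5720.
VLAN 87 cannot access the internal network; it can only reach the Internet.
5720 configuration: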
- vlan batch 3 81 87
- #
- dhcp enable
- #
- ip pool vlan81
- gateway-list 172.22.81.254
- network 172.22.81.0 mask 255.255.255.0
- #
- ip pool vlan87
- gateway-list 172.22.87.254
- network 172.22.87.0 mask 255.255.255.0
- #
- interface Vlanif81
- ip address 172.22.81.254 255.255.255.0
- dhcp select global
- #
- interface Vlanif87
- ip address 172.22.87.254 255.255.255.0
- dhcp select global
- #
---------------------------------------Restrict VLAN 87 from accessing the internal network-----------------------
- acl number 3000
- rule 5 permit ip source 172.22.81.0 0.0.0.255
- rule 10 deny ip source 172.22.87.0 0.0.0.255 destination 172.22.0.0 0.0.255.255
- rule 15 permit ip source 172.22.87.0 0.0.0.255
- #
- interface Vlanif1 # connects to FW
- ip address 172.22.1.254 255.255.254.0
- #
- interface Vlanif3 # connects to WLAN
- ip address 172.22.3.254 255.255.254.0
- #
- interface GigabitEthernet0/0/1 # connects to WLAN
- port link-type access
- port default vlan 3
- #
- interface GigabitEthernet0/0/2 # connects to WLAN
- port hybrid pvid vlan 3
- port hybrid tagged vlan 81 87
- port hybrid untagged vlan 3
- traffic-filter inbound acl 3000
- #
- #
- ip route-static 0.0.0.0 0.0.0.0 172.22.1.1 # connects to FW
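An added example, not part of the original configuration: a small Python model of first-match evaluation of ACL 3000 with wildcard masks, run over constructed packets to check what rule 10 actually blocks for VLAN 87. The host addresses are made up, and treating packets that match no rule as permitted is an assumption of this model about `traffic-filter`.

```python
import ipaddress

# ACL 3000 as listed on this page: (rule id, action, source, src wildcard, destination, dst wildcard).
# A destination of None means "any", as in rules 5 and 15.
ACL_3000 = [
    (5,  "permit", "172.22.81.0", "0.0.0.255", None, None),
    (10, "deny",   "172.22.87.0", "0.0.0.255", "172.22.0.0", "0.0.255.255"),
    (15, "permit", "172.22.87.0", "0.0.0.255", None, None),
]

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base address."""
    if base is None:
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(src, dst, acl=ACL_3000, unmatched="permit"):
    """Return (action, rule id) of the first matching rule, lowest rule id first.

    unmatched is the result when no rule matches; "permit" is this model's
    assumption for traffic-filter (no implicit deny at the end)."""
    for rule_id, action, s, sw, d, dw in sorted(acl, key=lambda r: r[0]):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, rule_id
    return unmatched, None

# Constructed test packets (source, destination); host addresses are made up.
SAMPLES = [
    ("172.22.87.20", "172.22.81.10"),   # VLAN 87 -> service VLAN 81
    ("172.22.87.20", "172.22.1.1"),     # VLAN 87 -> next hop towards the FW
    ("172.22.87.20", "172.22.87.254"),  # VLAN 87 -> its own gateway address
    ("172.22.87.20", "203.0.113.8"),    # VLAN 87 -> external address
    ("172.22.87.20", "192.168.136.2"),  # VLAN 87 -> AC address, outside 172.22.0.0/16
    ("172.22.81.10", "172.22.87.20"),   # VLAN 81 -> VLAN 87
    ("172.22.3.50",  "172.22.81.10"),   # VLAN 3 source, matches no rule
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        action, rule = evaluate(src, dst)
        print(f"{src:>14} -> {dst:<15} {action:6} (rule {rule})")
```

Rule 10 only covers destinations in 172.22.0.0/16, so the model shows the AC address 192.168.136.2 still permitted from VLAN 87 by rule 15, while the VLAN 87 gateway address itself falls inside the denied range.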
AC configuration (configured via the web interface)
- interface Vlanif2
- ip address 192.168.136.2 255.255.255.0
- interface GigabitEthernet0/0/2
- port link-type access
- port default vlan 2
First configure the AC's interfaces, VLANIF, DHCP and AC address.
Then configure the SSID and the AP information.
Test.