
2012-11-12 11:18:14

    一栋大楼内部组建公共无线网络,考虑到客户端数量可能众多,而客户端频繁移动可能性不大,规划将无线客户端划分到不同的vlan内,无线ap及接入层交换机划在一个vlan内。网络连接示意图如下:





无线控制器配置文件:
#
 version 5.20, Release 2308P10
#
 sysname wx5004
#
 domain default enable system
#
 port-security enable
#
# NOTE(review): auto-AP registration is still enabled in this saved
# configuration. With it on, an AP of the matching model that can reach the
# controller is accepted through the "serial-id auto" template without its
# serial number being listed first. The autoap_NNNN entries further down
# already carry fixed serial-ids, so once rollout is finished this can be
# turned off with "undo wlan auto-ap enable" (confirm against the command
# reference for this release).
 wlan auto-ap enable
#
vlan 1
#
vlan 96
 description ap-client
#
vlan 97
 description ap-client
#
vlan 98
 description ap-client
#
vlan 99
 description ap-client
#
vlan 100
 description ap-client
#
vlan 101
 description ap-client
#
vlan 102
 description ap-client
#
vlan 103
 description managerdevice
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
 public-key peer 192.168.103.254
  public-key-code begin
   30819F300D06092A864886F70D010101050003818D0030818902818100C2171D5A373DAB7E
   0E2B1B202AA91185612713CB3BC6CAD3557BB740D5F9CF3CA1935F20EB05B823B1CACA18E0
   CC401FE26B61DDE098EE75610ACF51084980E2FCD305EE3CF30F6D5E8885F0D3BA5ADE913B
   CD672E038FEACBD4B3CDB9809B2E1D57B660CDCF7F50282DF5EF8D973B264191552DE82E5C
   3EC3B7C9F11D54357D0203010001
  public-key-code end
 peer-public-key end
#
dhcp server ip-pool manager
 network 192.168.103.0 mask 255.255.255.0
 gateway-list 192.168.103.254
 expired day 7
#
dhcp server ip-pool pub-wireless-use
 network 192.168.96.0 mask 255.255.248.0
 dns-list 211.95.193.97 211.94.33.193 8.8.8.8
#
dhcp server ip-pool vlan100
 network 192.168.100.0 mask 255.255.255.0
 gateway-list 192.168.100.254
#
dhcp server ip-pool vlan101
 network 192.168.101.0 mask 255.255.255.0
 gateway-list 192.168.101.254
#
dhcp server ip-pool vlan102
 network 192.168.102.0 mask 255.255.255.0
 gateway-list 192.168.102.254
#
dhcp server ip-pool vlan96
 network 192.168.96.0 mask 255.255.255.0
 gateway-list 192.168.96.254
#
dhcp server ip-pool vlan97
 network 192.168.97.0 mask 255.255.255.0
 gateway-list 192.168.97.254
#
dhcp server ip-pool vlan98
 network 192.168.98.0 mask 255.255.255.0
 gateway-list 192.168.98.254
#
dhcp server ip-pool vlan99
 network 192.168.99.0 mask 255.255.255.0
 gateway-list 192.168.99.254
#
user-group system
 group-attribute allow-guest
#
# NOTE(review): "password simple" keeps the password as readable text in the
# saved configuration (redacted here by the author); "password cipher" stores
# it in ciphertext form instead.
# This account has level 3, the highest command level on this platform, and is
# allowed to log in over telnet as well as ssh. Telnet carries the password
# unencrypted, so "service-type ssh" alone is the safer setting. No
# "telnet server enable" line appears in this listing, so whether telnet is
# actually reachable cannot be told from here.
local-user admin
 password simple xxxxx
 authorization-attribute level 3
 service-type ssh telnet
#
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan radio-policy 101
#
wlan radio-policy 103
#
# NOTE(review): the "clear" keyword makes this an open SSID: no link-layer
# encryption, and this template configures no authentication. Client traffic
# on "pubwireless" is therefore readable over the air. That may be intended
# for a public network, but it should be a stated decision; a "crypto"
# service template is the encrypted alternative. Nothing in this listing
# isolates wireless clients from each other or from the device addresses in
# their VLAN - confirm whether that is handled elsewhere (e.g. on the firewall).
wlan service-template 103 clear
 ssid pubwireless
 bind WLAN-ESS 103
 service-template enable
#
interface NULL0
#
interface Vlan-interface1
#
interface Vlan-interface96
 ip address 192.168.96.253 255.255.255.0
#
interface Vlan-interface97
 ip address 192.168.97.253 255.255.255.0
#
interface Vlan-interface98
 ip address 192.168.98.253 255.255.255.0
#
interface Vlan-interface99
 ip address 192.168.99.253 255.255.255.0
#
interface Vlan-interface100
 ip address 192.168.100.253 255.255.255.0
#
interface Vlan-interface101
 ip address 192.168.101.253 255.255.255.0
#
interface Vlan-interface102
 ip address 192.168.102.253 255.255.255.0
#
interface Vlan-interface103
 ip address 192.168.103.253 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 96 to 103
#
interface GigabitEthernet1/0/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 96 to 103
#
interface GigabitEthernet1/0/3
 port access vlan 101
#
interface GigabitEthernet1/0/4
 port access vlan 101
#
interface M-Ethernet1/0/0
#
interface Ten-GigabitEthernet1/0/5
#
interface WLAN-ESS1
#
interface WLAN-ESS101
 port access vlan 101
#
interface WLAN-ESS103
 port access vlan 103
#
wlan ap 3c01 model WA2100 id 2
 serial-id 210235A22WB095002382
 radio 1
  radio-policy 103
  service-template 103 vlan-id 96
  radio enable
#
wlan ap autoap model WA2100 id 1
 serial-id auto
 radio 1
#
wlan ap autoap_0001 model WA2100 id 3
 serial-id 210235A22WB095001936
 radio 1
  radio-policy 103
  service-template 103 vlan-id 96
  radio enable
#
wlan ap autoap_0002 model WA2100 id 4
 serial-id 210235A22WB095002528
 radio 1
  radio-policy 103
  service-template 103 vlan-id 96
  radio enable
#
wlan ap autoap_0003 model WA2100 id 5
 serial-id 210235A22WB095000642
 radio 1
  radio-policy 103
  service-template 103 vlan-id 96
  radio enable
#
wlan ap autoap_0004 model WA2100 id 6
 serial-id 210235A22WB095001850
 radio 1
  radio-policy 103
  service-template 103 vlan-id 97
  radio enable
#
wlan ap autoap_0005 model WA2100 id 7
 serial-id 210235A22WB095000518
 radio 1
  radio-policy 103
  service-template 103 vlan-id 97
  radio enable
#
wlan ap autoap_0006 model WA2100 id 8
 serial-id 210235A22WB095001905
 radio 1
  radio-policy 103
  service-template 103 vlan-id 97
  radio enable
#
wlan ap autoap_0007 model WA2100 id 9
 serial-id 210235A22WB095000643
 radio 1
  radio-policy 103
  service-template 103 vlan-id 97
  radio enable
#
wlan ap autoap_0008 model WA2100 id 10
 serial-id 210235A22WB095001943
 radio 1
  radio-policy 103
  service-template 103 vlan-id 97
  radio enable
#
wlan ap autoap_0009 model WA2100 id 11
 serial-id 210235A22WB095000543
 radio 1
  radio-policy 103
  service-template 103 vlan-id 98
  radio enable
#
wlan ap autoap_0010 model WA2100 id 12
 serial-id 210235A22WB095001939
 radio 1
  radio-policy 103
  service-template 103 vlan-id 98
  radio enable
#
wlan ap autoap_0011 model WA2100 id 13
 serial-id 210235A22WB095002305
 radio 1
  radio-policy 103
  service-template 103 vlan-id 98
  radio enable
#
wlan ap autoap_0012 model WA2100 id 14
 serial-id 210235A22WB095002496
 radio 1
  radio-policy 103
  service-template 103 vlan-id 98
  radio enable
#
wlan ap autoap_0013 model WA2100 id 15
 serial-id 210235A22WB095002598
 radio 1
  radio-policy 103
  service-template 103 vlan-id 99
  radio enable
#
wlan ap autoap_0014 model WA2100 id 16
 serial-id 210235A22WB095002499
 radio 1
  radio-policy 103
  service-template 103 vlan-id 99
  radio enable
#
wlan ap autoap_0018 model WA2100 id 17
 serial-id 210235A22WB095000641
 radio 1
  radio-policy 103
  service-template 103 vlan-id 99
  radio enable
#
wlan ap autoap_0019 model WA2100 id 18
 serial-id 210235A22WB095001945
 radio 1
  radio-policy 103
  service-template 103 vlan-id 99
  radio enable
#
wlan ap autoap_0020 model WA2100 id 19
 serial-id 210235A22WB095001932
 radio 1
  radio-policy 103
  service-template 103 vlan-id 99
  radio enable
#
# NOTE(review): this turns off saving of system log messages to a log file on
# the device. No "info-center loghost" line appears in this listing either, so
# login and configuration events are presumably kept only in the in-memory
# log buffer and are lost on reboot - confirm, and consider sending logs to a
# log host so that management logins can be reviewed later.
 undo info-center logfile enable
#
 dhcp server forbidden-ip 192.168.101.1 192.168.101.20
 dhcp server forbidden-ip 192.168.101.240 192.168.101.254
 dhcp server forbidden-ip 192.168.96.1 192.168.96.20
 dhcp server forbidden-ip 192.168.96.240 192.168.96.254
 dhcp server forbidden-ip 192.168.97.1 192.168.97.20
 dhcp server forbidden-ip 192.168.97.240 192.168.97.254
 dhcp server forbidden-ip 192.168.98.1 192.168.98.20
 dhcp server forbidden-ip 192.168.98.240 192.168.98.254
 dhcp server forbidden-ip 192.168.99.1 192.168.99.20
 dhcp server forbidden-ip 192.168.99.240 192.168.99.254
 dhcp server forbidden-ip 192.168.100.1 192.168.100.20
 dhcp server forbidden-ip 192.168.100.240 192.168.100.254
 dhcp server forbidden-ip 192.168.102.1 192.168.102.20
 dhcp server forbidden-ip 192.168.102.240 192.168.102.254
 dhcp server forbidden-ip 192.168.103.1 192.168.103.20
 dhcp server forbidden-ip 192.168.103.240 192.168.103.254
#
 dhcp enable
#
 ssh server enable
 ssh client authentication server 192.168.103.254 assign publickey 192.168.103.254
#
 load xml-configuration
#
# NOTE(review): "authentication-mode scheme" on vty 0 4 sends remote logins
# through the AAA scheme (the local-user admin account in this listing).
# Neither "protocol inbound ssh" nor an "acl ... inbound" line is present
# under the vty lines, so this listing does not limit the login protocol or
# the source addresses. The controller has addresses in client VLANs 96-102 as
# well as in management VLAN 103, so its login service is presumably reachable
# from wireless clients - confirm and restrict to the management subnet.
# con 0 has no authentication-mode line; the console default depends on the
# release - TODO confirm.
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
return




核心交换机配置文件:

#
 version 5.20, Release 2202
#
 sysname wirelessandvideoswitch
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
#
 domain default enable system
#
 undo ip ttl-expires
#
vlan 1
#
vlan 96
 description ap-client
#
vlan 97
 description ap-client
#
vlan 98
 description ap-client
#
vlan 99
 description ap-client
#
vlan 100
 description ap-client
#
vlan 101
 description ap-client
#
vlan 102
 description ap-client
#
vlan 103
 description managerdevice
#
vlan 104
 description connection FW
#
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#

#
user-group system
#
# NOTE(review): same account settings as on the wireless controller.
# "password simple" keeps the password as readable text in the saved
# configuration (redacted here by the author); "password cipher" stores it in
# ciphertext form. The account has level 3, the highest command level, and is
# allowed to use telnet, which carries the password unencrypted;
# "service-type ssh" alone is the safer setting.
local-user admin
 password simple xxxxxxxxxx
 authorization-attribute level 3
 service-type ssh telnet
#
interface NULL0
#
interface Vlan-interface96
 ip address 192.168.96.254 255.255.255.0
#
interface Vlan-interface97
 ip address 192.168.97.254 255.255.255.0
#
interface Vlan-interface98
 ip address 192.168.98.254 255.255.255.0
#
interface Vlan-interface99
 ip address 192.168.99.254 255.255.255.0
#
interface Vlan-interface100
 ip address 192.168.100.254 255.255.255.0
#
interface Vlan-interface101
 ip address 192.168.101.254 255.255.255.0
#
interface Vlan-interface102
 ip address 192.168.102.254 255.255.255.0
#
interface Vlan-interface103
 ip address 192.168.103.254 255.255.255.0
#
interface Vlan-interface104
 description connectionFW
 ip address 192.168.255.221 255.255.255.252
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
 port access vlan 103
#
interface GigabitEthernet1/0/14
 port access vlan 103
#
interface GigabitEthernet1/0/15
 port access vlan 103
#
interface GigabitEthernet1/0/16
 port access vlan 103
#
interface GigabitEthernet1/0/17
 port access vlan 103
#
interface GigabitEthernet1/0/18
 port access vlan 103
#
interface GigabitEthernet1/0/19
 shutdown
#
interface GigabitEthernet1/0/20
 shutdown
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
 shutdown
#
interface GigabitEthernet1/0/23
 shutdown
#
interface GigabitEthernet1/0/24
 shutdown
#
interface GigabitEthernet1/0/25
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 96 to 103
 shutdown
#
interface GigabitEthernet1/0/26
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 96 to 103
 shutdown
#
interface GigabitEthernet1/0/27
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 96 to 103
#
interface GigabitEthernet1/0/28
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 96 to 103
#
interface GigabitEthernet1/0/29
 shutdown
#
interface GigabitEthernet1/0/30
 port access vlan 103
#
interface GigabitEthernet1/0/31
#
interface GigabitEthernet1/0/32
 port access vlan 104
#
 ssh server enable
 ssh client authentication server 192.168.103.253 assign publickey 192.168.103.253
 ssh client authentication server 192.168.103.254 assign publickey 192.168.103.254
#
# NOTE(review): vty 0 4 uses AAA ("authentication-mode scheme"), but there is
# no "protocol inbound ssh" and no "acl ... inbound" under the vty lines, so
# this listing limits neither the login protocol nor the source addresses.
# This switch is the gateway (x.x.x.254) for client VLANs 96-102, so its login
# service is presumably reachable from wireless clients - confirm and restrict
# to the management subnet (VLAN 103).
user-interface aux 0 8
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
return





配置要点:
无线控制器中:
创建服务模板
# NOTE(review): "clear" creates an open, unencrypted SSID with no
# authentication in this template; a "crypto" service template is the
# encrypted alternative. Keep "clear" only if an open public network is the
# intended design.
wlan service-template 103 clear
 ssid pubwireless
 bind WLAN-ESS 103
 service-template enable

创建无线虚接口,注意此处的vlan号要与无线ap上联的交换机端口的vlan号一致
# NOTE(review): VLAN 103 is described as "managerdevice" in the vlan section of
# both devices. Client VLANs are set per AP with "service-template 103 vlan-id
# NN"; a radio bound to this template without a vlan-id would presumably place
# its clients in VLAN 103 next to the managed devices - confirm, and check
# every AP entry carries a vlan-id.
interface WLAN-ESS103
 port access vlan 103

配置fit ap
wlan ap autoap_0006 model WA2100 id 8
 serial-id 210235A22WB095001905
 radio 1
  radio-policy 103
  service-template 103 vlan-id 97
  radio enable

因为无线客户端的数据包已经由AP封装后再送往无线控制器,所以AP上联的交换机端口不需要配置成trunk,采用access模式即可。



配置说明:
所有AP都使用同一个ssid,AP本身都在同一个vlan内,各AP下的无线客户端(AP Client)分属不同的vlan。用笔记本测试过:从一个AP漫游到属于不同vlan的另一个AP时,客户端能自动重新获取ip地址并连上网络,从而实现跨vlan漫游。


