Wifi跨VLAN三层漫游-洪萨配资

一、适用场景

1、移动语音/视讯
校园、医院、 VoWiFi、无线 IPC、移动护理终端，漫游时若 IP 变化，SIP 会话会掉话或重注册；三层漫游把流量隧道回“原网关”，保证会话不中断。
2、移动扫码支付/POS
商场、超市的无线 POS 机、扫码枪需要长连支付平台，IP 一变平台就踢下线；三层漫游让 VLAN10→VLAN20 时仍用原地址，交易不失败。
3、AGV/移动机器人
工厂、物流仓的 AGV 跨区移动，调度系统用 IP 做实时坐标；若换 IP 会被判“掉线”而停车。三层漫游使其在 VLAN 边界无缝通过。
4、多建筑校园/企业园区
各楼已按部门划分子网（VLAN），但老师/员工需要边走边开视频会议、SSH 远程调试；二层漫游无法跨楼，三层漫游在 AC 内/AC 间建隧道，把流量引回原子网，用户无感知。
5、中大型物流仓库
在 5～20 万 m² 的中大型物流仓库里，要让扫码枪、AGV、车载 PAD 等终端“跨库区移动时 VLAN 切换但业务不丢包”，必须部署 Wi-Fi 跨 VLAN 三层漫游（L3 Roaming）。扫码枪、AGV 在移动中若重新 DHCP，支付/调度会话会中断，订单掉线 = 停产；二层漫游无法跨网段，只有三层漫游能把流量隧道回“原网关”，保持 IP 不变，业务 0 中断。

二、业务需求

企业用户通过WLAN接入网络，以满足移动办公的最基本需求。为了区分部门进行管理，不同部门的员工在不同的子网。且在覆盖区域内移动发生漫游时，不影响用户的业务使用。
Wi-Fi 跨 VLAN 三层漫游（L3 roaming）的核心价值是“IP 地址保持不变”，因此它适用于终端必须持续使用同一 IP 才能不中断业务、且无法通过二层漫游解决的特定场景。
一句话：只要“移动中换 VLAN 且不能换 IP”就是三层漫游的适用场景；能容忍换 IP 或业务可快速重连的场合，用普通二层漫游+重新 DHCP 更简单。

三、拓扑图与规划设计

（一）拓扑图

（二）配置前的网络规划

四、配置过程

（一）配置网络互通

1、R1路由器
sysname R1
vlan batch 101 to 102
dhcp enable
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
dhcp select interface

interface Vlanif102
ip address 10.23.102.2 255.255.255.0
dhcp select interface
interface GigabitEthernet0/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 101 to 102
2、LSW1汇聚交换机
sysname LSW1

vlan batch 10 100 to 102
dhcp enable
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1

interface Vlanif100
ip address 10.23.100.2 255.255.255.0

interface Vlanif101
ip address 10.23.101.1 255.255.255.0

interface Vlanif102
ip address 10.23.102.1 255.255.255.0
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101 to 102
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100

interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 101 to 102

3、AC1无线控制器
vlan batch 100
vlan pool sta-pool
vlan 101 to 102

dhcp enable
ip pool ap
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
ip route-static 10.23.10.0 255.255.255.0 10.23.100.2

4、LW2接入交换机
sysname LSW2

vlan batch 10 101 to 102
interface Ethernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1

interface Ethernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 102
port-isolate enable group 1
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102

（二）配置AP上线

1、创建AP组，用于将相同配置的AP都加入同一AP组中。
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

2、创建域管理模板，在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

3、配置AC的源接口
[AC] capwap source interface vlanif 100

4、在AC上离线添加2个AP，并将area_1和area_2分别加入AP组“ap-group1”和“ap-group2”当中
[AC-wlan-view] ap-id 1 ap-mac 00e0-fcc9-5700
[AC-wlan-ap-0] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 2 ap-mac 00e0-fc19-56f0
[AC-wlan-ap-1] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

5、查看AP是否上线
（1）输入指令，可以看到有2个AP出现在列表中，且状态为nor，即normal正常
display ap all

（2）在LSW1汇聚交换机的G0/0/3端口上抓取数据包，核对看到的2个AP的ip地址，由DHCP服务返回给客户端client的ip地址，正是AP请求的ip地址，如下图：

（三）配置WLAN业务参数

1、创建安全、ssid、vap模板
[AC-wlan]vlan pool sta-pool
[AC-wlan-vlan-pool-sta-pool] vlan 101 to 102
[AC-wlan-vlan-pool-sta-pool]quit

[AC-wlan]wlan
[AC-wlan-view] ssid-profile name wlan-2.4G
[AC-wlan-ssid-prof-wlan-net] ssid wlan-2.4G
[AC-wlan-ssid-prof-wlan-net] quit

[AC-wlan-view] ssid-profile name wlan-5G
[AC-wlan-ssid-prof-wlan-net] ssid wlan-5G
[AC-wlan-ssid-prof-wlan-net] quit

[AC-wlan-view] security-profile name wlan-sec
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

[AC-wlan-view] vap-profile name wlan1-2.4G
[AC-wlan-vap-prof-wlan-net1] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net1] security-profile wlan-sec
[AC-wlan-vap-prof-wlan-net1] ssid-profile wlan-2.4G
[AC-wlan-vap-prof-wlan-net1] quit

[AC-wlan-view] vap-profile name wlan1-5G
[AC-wlan-vap-prof-wlan-net1] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net1] security-profile wlan-sec
[AC-wlan-vap-prof-wlan-net1] ssid-profile wlan-5G
[AC-wlan-vap-prof-wlan-net1] quit

[AC-wlan-view] vap-profile name wlan2-2.4G
[AC-wlan-vap-prof-wlan-net2] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net2] security-profile wlan-sec
[AC-wlan-vap-prof-wlan-net2] ssid-profile wlan-2.4G
[AC-wlan-vap-prof-wlan-net2] quit

[AC-wlan-view] vap-profile name wlan2-5G
[AC-wlan-vap-prof-wlan-net2] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net2] security-profile wlan-sec
[AC-wlan-vap-prof-wlan-net2] ssid-profile wlan-5G
[AC-wlan-vap-prof-wlan-net2] quit

2、配置AP组引用VAP模板，area_1上射频0和射频1都使用VAP模板“wlan-net1”的配置，area_2上射频0和射频1都使用VAP模板“wlan-net2”的配置。
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan1-2.4G wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan1-5G wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan2-2.4G wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan2-5G wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit

3、创建RRM模板，关闭自动调优功能，开启空口时间公平调度功能和智能漫游功能，并指定用户漫游触发方式为基于终端信噪比，触发门限值为15dB

[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-txpower-select disable

4、在域管理模板下配置调优信道集合。
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

5、创建空口扫描模板“wlan-airscan”，并配置调优信道集合、扫描间隔时间和扫描持续时间
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

6、创建2G射频模板“wlan-radio2g”，并在该模板下引用RRM模板“wlan-rrm”和空口扫描模板“wlan-airscan”。
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

7、创建5G射频模板“wlan-radio5g”，并在该模板下引用RRM模板“wlan-rrm”和空口扫描模板“wlan-airscan”。
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

8、在名为“ap-group1”和“ap-group2”的AP组下引用5G射频模板“wlan-radio5g”和2G射频模板“wlan-radio2g”。
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit

9、配置射频调优模式为手动调优，并手动触发射频调优
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

五、验证结果

（一）手机连接wifi

1、本例先连接wlan-2.4G，连接时根据提示，输入配置的wifi密码

2、连接验证密码通过后，出现了信号标识，正在获取ip…，说明此时手机终端正从DHCP服务请求ip地址

3、当出现已连接后，点击命令行，输入ipconfig，查看手机获取到的ip地址

4、可以看出手机获取到的ip地址是10.23.101.254，网关是指向R1路由器的vlan101的ip地址，如下图：

（二）移动手机的位置并验证跨vlan的连通性

1、移动手机的位置前，修改LSW2接入交换机上的E0/0/2接口，使该接口trunk透传vlan101，否则移动手机从area1到area2时，wifi身份验证通过后获取不到ip地址，配置如下：

2、把手机连接好wifi，从area1区域移动到area2区域，右击手机，执行自由移动，如下图：

3、移动的过程中，手机从area1移动时，刚进入area2，就已经自动连接上了area2中的wifi，出现了连接上的信号，如下图：

4、再次验证area2区域的手机到R1路由器的连通性，ip地址不变，连通也正常，如下图：

5、在AC控制器上的CLI模式查看手机的MAC地址在wlan-2.4G的ssid中移动的轨迹
Display station roam-track sta-mac 5489-9821-74F0

（三）移动笔记本电脑STA的位置并验证跨vlan的连通性

1、修改LSW2接入交换机的e0/0/1接口，trunk透传vlan102，如下图：

2、移动笔记本电脑从area2到area1，然后查看STA笔记本电脑在2个VLAN的wifi之间的移动轨迹，如下图：
Display station roam-track sta-mac 00e0-fc19-56f0

3、查看笔记本电脑的ip地址并没有变化，再测试到R1路由器的连通性也正常，如下图：

4、附：验证视频
https://live.csdn.net/v/506247

至此，本文结束，实现了无线终端用户跨区域vlan的无缝漫游连接，AC控制器给各AP分配管理网络的ip地址采用了DHCP全局地址池，从各AP到AC之间的访问，通过LSW1汇聚交换机中继DHCP。R1路由器给各终端用户（手机、笔记本电脑）分配业务网络ip地址采用了DHCP的基于vlanif接口的地址池。WLAN无线技术则配置了统一的ssid名称模板、security安全模板、vap配置调用模板、rrm模板、空口扫描模板、2.4G射频模板、5G射频模板、调用了vlan-pool等。不足之处敬请批评指正。