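Problem
VLAN 100 is not assigning IP addresses to the Guest SSID from the AP, although the Aruba tags the SSID to VLAN 100. How do I get the switch to hand out DHCP? On the switch, DHCP appears to be set up correctly, but it never assigns anything to the wireless AP, which is correctly tagging it to VLAN 100.
What's interesting
When I am on the mgmt SSID, it is able to see the switch and the other 2 switches, but I think the GUEST SSID cannot be reached as expected (even when I set a static IP), and it cannot get DHCP.
On my wireless AP, I have the following configuration: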
version 8.4.0.0-8.4.0
virtual-controller-country US
name Home-VC
virtual-controller-ip 10.10.10.11
terminal-access
ntp-server time.google.com
clock timezone Central-Time -06 00
clock summer-time CDT recurring second sunday march 02:00 first sunday november 02:00
rf-band 5.0

allow-new-aps
allowed-ap d0:15:a6:cb:0a:04
allowed-ap d0:15:a6:ca:f2:98

arm
 wide-bands 5ghz
 80mhz-support
 min-tx-power 9
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode preferred-access
 channel-quality-aware-arm-disable
 client-aware
 scanning
 client-match slb-mode 3

rf dot11g-radio-profile
 max-distance 0
 max-tx-power 9
 min-tx-power 6
 disable-arm-wids-functions off
 free-channel-index 40

rf dot11a-radio-profile
 max-distance 0
 max-tx-power 18
 min-tx-power 12
 disable-arm-wids-functions off

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless

extended-ssid

wlan access-rule Data
 index 0
 rule any any match any any any permit

wlan access-rule default_wired_port_profile
 index 1
 rule any any match any any any permit

wlan access-rule wired-SetMeUp
 index 2
 rule masterip 0.0.0.0 match tcp 80 80 permit
 rule masterip 0.0.0.0 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan access-rule 1008-mgmt
 index 3
 vlan 1
 rule any any match any any any permit
 rule masterip 0.0.0.0 match tcp 80 80 permit
 rule masterip 0.0.0.0 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan access-rule Guest
 index 4
 vlan 100
 rule any any match any any any permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit
 rule any any match webcategory spam-urls deny
 rule any any match webcategory malware-sites deny
 rule any any match webcategory adult-and-pornography deny
 rule any any match webcategory dating deny
 rule any any match webcategory keyloggers-and-monitoring deny
 rule any any match webcategory gross deny
 rule any any match webcategory cheating deny
 rule any any match webcategory phishing-and-other-frauds deny
 rule any any match webcategory proxy-avoidance-and-anonymizers deny
 rule any any match webcategory spyware-and-adware deny
 rule any any match webcategory nudity deny
 rule any any match webcategory bot-nets deny
 rule any any match webcategory hate-and-racism deny
 rule any any match webcategory violence deny
 rule any any match webcategory gambling deny

wlan access-rule Any
 index 5
 rule any any match any any any permit

wlan ssid-profile Data
 enable
 index 0
 type employee
 essid Data
 opmode wpa3-sae-aes
 max-authentication-failures 0
 vlan 90
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
 dot11v

wlan ssid-profile 1008-mgmt
 enable
 index 1
 type employee
 essid 1008-mgmt
 opmode wpa3-sae-aes
 max-authentication-failures 0
 vlan 1
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
 dot11v

wlan ssid-profile Guest
 enable
 index 2
 type employee
 essid Guest
 opmode opensystem
 max-authentication-failures 0
 vlan 100
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter none
 content-filtering
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

auth-survivability cache-time-out 24

dpi

url-visibility

wlan captive-portal
 background-color 16777215
 banner-color 16750848
 banner-text "Welcome to Guest Network"
 terms-of-use "This network is not secure, and use is at your own risk"
 use-policy "Please read terms and conditions before using Guest Network"

wlan external-captive-portal
 server localhost
 port 80
 url "/"
 auth-text "Authenticated"
 auto-whitelist-disable
 https

blacklist-time 3600
auth-failure-blacklist-time 3600

ids
 wireless-containment none
 infrastructure-detection-level high
 client-detection-level high
 infrastructure-protection-level low
 client-protection-level low

ip dhcp Guest
 server-type Centralized,L2
 disable-split-tunnel
 server-vlan 100

wired-port-profile wired-SetMeUp
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-SetMeUp
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 no shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 auth-server InternalServer
 captive-portal disable
 no dot1x

enet0-port-profile default_wired_port_profile

uplink
 preemption
 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180

airgroup
 disable

airgroupservice airplay
 disable
 description AirPlay

airgroupservice airprint
 disable
 description AirPrint

cluster-security
 allow-low-assurance-devices
On my switch, I have the following configuration:
Building configuration...

Current configuration : 4310 bytes
!
! Last configuration change at 02:16:14 UTC Wed Apr 7 2021 by admin
! NVRAM config last updated at 02:06:33 UTC Wed Apr 7 2021 by admin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service dhcp
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no aaa new-model
switch 1 provision ws-c3560cx-12pd-s
system mtu routing 1500
!
!
!
!
ip routing
no ip dhcp relay information check
!
ip dhcp pool guest-0100
 network 10.10.100.0 255.255.255.0
 lease 0 0 1
!
ip dhcp pool mgmt-010
 network 10.10.11.0 255.255.255.224
 default-router 10.10.10.1
 lease 0 0 1
!
!
ip igmp snooping vlan 10 last-member-query-count 2
ip igmp snooping vlan 10 last-member-query-interval 1000
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2991811840
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2991811840
 revocation-check none
 rsakeypair TP-self-signed-2991811840
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
lacp system-priority 1000
!
!
!
!
!
vlan configuration 100
 no ip igmp snooping
vlan internal allocation policy ascending
vlan group Guest vlan-list 100
vlan group mgmt-0010 vlan-list 10
!
lldp run
!
!
!
interface Port-channel1
!
interface GigabitEthernet1/0/1
 lacp port-priority 1000
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
 flowcontrol receive desired
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/12
 flowcontrol receive desired
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/13
 switchport port-security violation shutdown vlan
 flowcontrol receive desired
 spanning-tree portfast network
!
interface GigabitEthernet1/0/14
 switchport mode trunk
 ip dhcp relay information trusted
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
 ip address 10.10.10.4 255.255.255.224
!
interface Vlan10
 description mgmt
 ip address pool mgmt-010
!
interface Vlan100
 description Guest
 ip dhcp relay information trusted
 ip address pool guest-0100
!
ip default-gateway 10.10.10.1
ip forward-protocol nd
!
ip http server
ip http banner
ip http authentication local
ip http secure-server
ip http path flash:CCP-CATALYST
!
!
!
!
!
line con 0
line vty 0 4
 login
 transport input ssh
line vty 5 15
 login
 transport input ssh
end