H3C无线控制器EVI隧道典型配置举例(V7)

本文介绍了AC间配置EVI（Ethernet Virtual Interconnect，以太网虚拟化互联）隧道的典型配置举例。

EVI是一种先进的“MAC in IP”技术，是一种基于IP核心网的二层VPN技术。它可以基于现有的服务提供商网络和企业网络，为分散的物理站点提供二层互联功能。

通过在AC间配置EVI隧道，当无线客户端连接上Guest SSID之后，无线客户端的所有流量都会通过EVI隧道技术定向到指定的网络资源，但无法访问任何企业内部资源，从根本上避免了来自企业内部的无线客户端造成的网络安全威胁。

如图1所示，AC 1作为DHCP服务器为AP和Client分配IP地址。现要求在AC 1和AC 2间建立EVI隧道，使Client能够通过EVI隧道访问AC 2侧的内网资源。

设备	接口	IP地址	设备	接口	IP地址
AC 1	Vlan-int100	192.1.0.1/16	AC 2	Vlan-int100	192.1.0.3/16
	Vlan-int200	192.2.0.1/16		Vlan-int200	192.2.0.2/16
Switch	Vlan-int30	192.3.0.2/16		Vlan-int40	192.4.0.1/16
	Vlan-int40	192.4.0.2/16

1.1  配置步骤

1.1.1  配置AC 1

(1)      配置AC 1接口

# 将与AP相连的接口GigabitEthernet1/0/1的链路类型配置为Access，当前Access口允许VLAN 100通过。

<AC1> system-view

[AC1] interface gigabitethernet 1/0/1

[AC1-GigabitEthernet1/0/1] port link-type access

[AC1-GigabitEthernet1/0/1] port access vlan 100

[AC1-GigabitEthernet1/0/1] quit

# 将与Switch相连的接口GigabitEthernet1/0/2的链路类型配置为Access，当前Access口允许VLAN 30通过。

[AC1] interface gigabitethernet 1/0/2

[AC1-GigabitEthernet1/0/2] port link-type access

[AC1-GigabitEthernet1/0/2] port access vlan 30

[AC1-GigabitEthernet1/0/2] quit

# 创建VLAN 100及其对应的VLAN接口，并为该接口配置IP地址192.1.0.1/16。AP将获取该IP地址与AC 1建立CAPWAP隧道。

[AC1] vlan 100

[AC1-vlan100] quit

[AC1] interface vlan-interface 100

[AC1-Vlan-interface100] ip address 192.1.0.1 16

[AC1-Vlan-interface100] quit

# 创建VLAN 200及其对应的VLAN接口，并为该接口配置IP地址192.2.0.1/16，用于转发Client无线报文。

[AC1] vlan 200

[AC1-vlan200] quit

[AC1] interface vlan-interface 200

[AC1-Vlan-interface200] ip address 192.2.0.1 16

[AC1-Vlan-interface200] quit

# 创建VLAN 30及其对应的VLAN接口，并为该接口配置IP地址192.3.0.1/16，用于建立EVI隧道。

[AC1] vlan 30

[AC1-vlan30] quit

[AC1] interface vlan-interface 30

[AC1-Vlan-interface30] ip address 192.3.0.1 16

[AC1-Vlan-interface30] quit

(2)      配置DHCP服务

# 开启DHCP服务。

[AC1] dhcp enable

# 创建DHCP地址池100，为AP动态分配网段为192.1.0.0/16，网关为192.1.0.1的IP地址。

[AC1] dhcp server ip-pool 100

[AC1-dhcp-pool-100] network 192.1.0.0 16

[AC1-dhcp-pool-100] gateway-list 192.1.0.1

[AC1-dhcp-pool-100] quit

(3)      配置无线服务

# 创建无线服务模板1，并进入无线服务模板视图。

[AC1] wlan service-template 1

# 配置SSID为office。

[AC1-wlan-st-1] ssid office

# 配置无线服务模板的VLAN为200。

[AC1-wlan-st-1] vlan 200

# 开启无线服务模板。

[AC1-wlan-st-1] service-template enable

[AC1-wlan-st-1] quit

(4)      配置AP

# 配置AP 1名称为officeap，型号名称选择WA4320i-ACN，并配置序列号210235A1GQC152001076。

[AC1] wlan ap officeap model WA4320i-ACN

[AC1-wlan-ap-officeap] serial-id 210235A1GQC152001076

# 将服务模板1绑定到officeap的Radio 2口，并开启Radio 2。

[AC1-wlan-ap-officeap] radio 2

[AC1-wlan-ap-officeap-radio-2] service-template 1

[AC1-wlan-ap-officeap-radio-2] radio enable

[AC1-wlan-ap-officeap-radio-2] quit

[AC1-wlan-ap-officeap] quit

(5)      配置EVI隧道

# 创建模式为IPv4 EVI隧道的Tunnel接口，并进入Tunnel接口视图。

[AC1] interface tunnel 0 mode evi

# 配置EVI隧道的源端地址为192.3.0.1。

[AC1-Tunnel0] source 192.3.0.1

# 配置Network ID为1。

[AC1-Tunnel0] evi network-id 1

# 配置扩展VLAN为VLAN 200。

[AC1-Tunnel0] evi extend-vlan 200

# 使能接口的ENDS功能。

[AC1-Tunnel0] evi neighbor-discovery server enable

[AC1-Tunnel0] quit

# 开启接口GigabitEthernet1/0/2的EVI功能。

[AC1] interface gigabitethernet 1/0/2

[AC1-GigabitEthernet1/0/2] evi enable

[AC1-GigabitEthernet1/0/2] quit

(6)      配置静态路由

# 配置静态路由，其目的地址为192.4.0.0/16，指定下一跳为Switch的地址192.3.0.2。

[AC1] ip route-static 192.4.0.0 16 192.3.0.2

1.1.2  配置AC 2

(1)      配置AC 2接口

# 将与Server相连的接口GigabitEthernet1/0/1的链路类型配置为Access，当前Access口允许VLAN 200通过。

<AC2> system-view

[AC2] interface gigabitethernet 1/0/1

[AC2-GigabitEthernet1/0/1] port link-type access

[AC2-GigabitEthernet1/0/1] port access vlan 200

[AC2-GigabitEthernet1/0/1] quit

# 将与Switch相连的接口GigabitEthernet1/0/2的链路类型配置为Access，当前Access口允许VLAN 40通过。

[AC2] interface gigabitethernet 1/0/2

[AC2-GigabitEthernet1/0/2] port link-type access

[AC2-GigabitEthernet1/0/2] port access vlan 40

[AC2-GigabitEthernet1/0/2] quit

# 创建VLAN 200及其对应的VLAN接口，并为该接口配置IP地址192.2.0.2/16，用于转发Client的报文。

[AC2] vlan 200

[AC2-vlan200] quit

[AC2] interface vlan-interface 200

[AC2-Vlan-interface200] ip address 192.2.0.2 16

[AC2-Vlan-interface200] quit

# 创建VLAN 40及其对应的VLAN接口，并为该接口配置IP地址192.4.0.1/16，用于建立EVI隧道。

[AC2] vlan 40

[AC2-vlan40] quit

[AC2] interface vlan-interface 40

[AC2-Vlan-interface40] ip address 192.4.0.1 16

[AC2-Vlan-interface40] quit

(2)      配置DHCP服务

# 开启DHCP服务。

[AC2] dhcp enable

# 创建DHCP地址池200，为无线客户端动态分配网段为192.2.0.0/16，不参与自动分配的IP地址为192.2.0.1、192.2.0.2和192.2.0.3，网关的IP地址为192.2.0.2。

[AC2] dhcp server ip-pool 200

[AC2-dhcp-pool-200] network 192.2.0.0 16

[AC2-dhcp-pool-200] forbidden-ip 192.2.0.1 192.2.0.3

[AC2-dhcp-pool-200] gateway-list 192.2.0.2

[AC2-dhcp-pool-200] quit

(3)      配置EVI隧道

# 创建模式为IPv4 EVI隧道的Tunnel接口，并进入Tunnel接口视图。

[AC2] interface tunnel 0 mode evi

# 配置EVI隧道的源端地址为192.4.0.1。

[AC2-Tunnel0] source 192.4.0.1

# 配置Network ID为1。

[AC2-Tunnel0] evi network-id 1

# 配置扩展VLAN为VLAN 200。

[AC2-Tunnel0] evi extend-vlan 200

# 使能接口的ENDC功能，该ENDC对应的ENDS地址为192.3.0.1。

[AC2-Tunnel0] evi neighbor-discovery client enable 192.3.0.1

[AC2-Tunnel0] quit

# 开启接口GigabitEthernet1/0/2的EVI功能。

[AC2] interface gigabitethernet 1/0/2

[AC2-GigabitEthernet1/0/2] evi enable

[AC2-GigabitEthernet1/0/2] quit

(4)      配置静态路由

# 配置静态路由，其目的地址为192.3.0.0/16，指定下一跳为Switch的地址192.4.0.2。

[AC2] ip route-static 192.3.0.0 16 192.4.0.2

1.1.3  配置Switch

# 创建VLAN 30及其对应的VLAN接口，并为该接口配置IP地址192.3.0.2/16，用于转发来自AC 1的EVI流量。

[Switch] vlan 30

[Switch-vlan30] quit

[Switch] interface vlan-interface 30

[Switch-Vlan-interface30] ip address 192.3.0.2 16

[Switch-Vlan-interface30] quit

# 创建VLAN 40及其对应的VLAN接口，并为该接口配置IP地址192.4.0.2/16，用于转发来自AC 2的EVI流量。

[Switch] vlan 40

[Switch-vlan40] quit

[Switch] interface vlan-interface 40

[Switch-Vlan-interface40] ip address 192.4.0.2 16

[Switch-Vlan-interface40] quit

# 将与AC 1相连的接口GigabitEthernet1/0/1加入到VLAN 30中。

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port access vlan 30

[Switch-GigabitEthernet1/0/1] quit

# 将与AC 2相连的接口GigabitEthernet1/0/2加入到VLAN 40中。

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port access vlan 40

[Switch-GigabitEthernet1/0/2] quit

1.2  验证配置

(1)      验证AC 1

# 通过在AC 1上执行display interface tunnel命令可以查看到AC 1上的EVI Tunnel接口状态为开启。

[AC1] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64 kbps

Maximum transmit unit: 64000

Internet protocol processing: Disabled

Tunnel source 192.3.0.1

Tunnel keepalive enabled, Period(5 s), Retries(2)

Network ID 1

Tunnel protocol/transport GRE_EVI/IP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# 通过在AC 1上执行display evi link命令可以查看到AC 1上的EVI Link状态为已连接。

[AC1] display evi link interface tunnel 0

Interface     Status Source          Destination

EVI-Link0     UP     192.3.0.1         192.4.0.1

(2)      验证AC 2

# 通过在AC 2上执行display interface tunnel命令可以查看到AC 2上的EVI Tunnel接口状态为开启。

[AC2] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64 kbps

Maximum transmit unit: 64000

Internet protocol processing: Disabled

Tunnel source 192.4.0.1

Tunnel keepalive enabled, Period(5 s), Retries(2)

Network ID 1

Tunnel protocol/transport GRE_EVI/IP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# 通过在AC 2上执行display evi link命令可以查看到AC 2上的EVI Link状态为已连接。

[AC2] display evi link interface tunnel 0

Interface     Status Source          Destination

EVI-Link0     UP     192.4.0.1         192.3.0.1

(3)      验证Client

Client能通过VLAN 200获取到IP地址并由AC 2访问AC 2侧的内网资源。

1.3  配置文件

·              AC 1：

#

dhcp enable

#

vlan 30

#

vlan 100

#

vlan 200

#

dhcp server ip-pool vlan100

 gateway-list 192.1.0.1

 network 192.1.0.0 mask 255.255.0.0

#

wlan service-template 1

 ssid office

 vlan 200

 service-template enable

#

interface Vlan-interface30

 ip address 192.3.0.1 255.255.0.0

#

interface Vlan-interface100

 ip address 192.1.0.1 255.255.0.0

#

interface Vlan-interface200

 ip address 192.2.0.1 255.255.0.0

#

interface GigabitEthernet1/0/1

 port access vlan 100

#

interface GigabitEthernet1/0/2

 port access vlan 30

 evi enable

#

 ip route-static 192.4.0.0 16 192.3.0.2

#

wlan ap officeap model WA4320i-ACN

 serial-id 210235A1GQC152001076

 radio 1

 radio 2

  radio enable

  service-template 1

#

interface tunnel 0 mode evi

 source 192.3.0.1

 evi network-id 1

 evi extend-vlan 200

 evi neighbor-discovery server enable

#

·              AC 2：

#

dhcp enable

#

vlan 40

#

vlan 200

#

dhcp server ip-pool vlan200

 gateway-list 192.2.0.2

 network 192.2.0.0 mask 255.255.0.0

 forbidden-ip 192.2.0.1

 forbidden-ip 192.2.0.3

#

interface Vlan-interface40

 ip address 192.4.0.1 255.255.0.0

#

interface Vlan-interface200

 ip address 192.2.0.2 255.255.0.0

#

interface GigabitEthernet1/0/1

 port access vlan 200

#

interface GigabitEthernet1/0/2

 port access vlan 40

 evi enable

#

ip route-static 192.3.0.0 16 192.4.0.2

#

interface tunnel 0 mode evi

 source 192.4.0.1

 evi network-id 1

 evi extend-vlan 200

 evi neighbor-discovery client enable 192.3.0.1

#

·              Switch：

#

vlan 30

#

vlan 40

#

interface Vlan-interface30

 ip address 192.3.0.2 255.255.0.0

#

interface Vlan-interface40

 ip address 192.4.0.2 255.255.0.0

#

interface GigabitEthernet1/0/1

 port access vlan 30

#

interface GigabitEthernet1/0/2

 port access vlan 40

#

·              配置AP的序列号时请确保该序列号与AP唯一对应，AP的序列号可以通过AP设备背面的标签获取。

·              Switch为三层交换机设备，连接AC的两个端口需要具有不同的缺省VLAN，保证AC间二层不能互通。