| Device | Function | Required | Configuration | Description | Notes | Example | Parameters | ||
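| Core | Gateway authentication mode | √ | auth-mode gateway | Enables large-gateway mode (dedicated to the simplified network and mandatory); it adjusts internal table capacities and features to suit the large-gateway deployment scenario | This setting takes effect only after the configuration is saved and the device is rebooted | auth-mode gateway | |||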
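| Periodic user synchronization | √ | snmp-server host (radius ip) informs version 2c (key) | To prevent users from being stuck online on SAM because of abnormal conditions, SAM automatically checks against the online users on the NAS at 2 a.m. every day and deletes the records of falsely-online users | snmp-server host 202.204.193.23 informs version 2c ruijie | radius ip: IP address of radius server; key: SNMPv2c community string | ||||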
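| Interface index uniqueness | √ | snmp-server if-index persist | Each port has a unique interface index, which can be viewed with show interface (the Index field). When there are multiple line cards and aggregate ports (AP) (one card inserted, the AP configured, then another card inserted), the interface indexes may change after the device reboots, which breaks the area-division feature on SAM. Enabling persistent interface indexes is recommended. | snmp-server if-index persist | |||||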
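| Configure OSPF passive interface | Mandatory if OSPF is configured on the live network. Not needed if the live network uses static routes | router ospf (process ID) passive-interface vlan (supervlan id) | The gateway supervlan of the simplified-network users must be configured as a passive interface under the OSPF process. | Note: this is an important setting in the simplified-network deployment; it prevents OSPF protocol packets from being replicated into every subvlan of the supervlan and overwhelming the CPU. Only need to configure | router ospf 1 passive-interface vlan 300 | process id: OSPF process ID; supervlan id: ID of the supervlan that is the gateway of the simplified-network users | |||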
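| Preventing self-assigned static IP addresses | On the web-authentication interfaces | web-auth dhcp-check | Enables linkage between DHCP snooping and web authentication on the web-authentication interface: a user requesting authentication is allowed to authenticate only if a matching IP entry is found in the DHCP snooping table, which prevents self-assigned IP addresses. | web-auth dhcp-check | |||||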
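| On the web-authentication interfaces | web-auth dhcp-check vlan (subvlan id) | Same function as above; in addition, the protection against self-assigned IP addresses can be enabled per VLAN | web-auth dhcp-check vlan 300 | ||||||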
| Binding legitimate static-IP users | ip source binding (user mac) vlan (subvlan id/pe-vlan id) inner-vlan (ce-vlan id) (user ip) interface (port) | Manually binds legitimate static-IP users; these users are allowed to perform web authentication | ip source binding e005.c5ef.b7c8 vlan 3002 inner-vlan 15 172.32.0.2 interface AggregatePort 101 | ||||||
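| Configure DHCP snooping | √ | ip dhcp snooping ip dhcp snooping check-giaddr | DHCP snooping switch. In the simplified-network scenario its main role is to let MAB and 1X authentication carry the IP address; both authentication types obtain the IP address from the DHCP snooping table. ip dhcp snooping check-giaddr is mandatory; it solves the problem of addresses not being obtained when DHCP snooping and DHCP relay are used together | ip dhcp snooping | |||||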
| Authentication | Basic information | aaa new-model aaa accounting network (list name) start-stop group (group name) aaa authentication dot1x (list name) group (group name) aaa authentication web-auth (list name) group (group name) aaa authentication login default local aaa group server radius (group name) server (radius ip) radius-server host (radius ip) key 7 (radius key) aaa accounting update periodic 30 aaa accounting update aaa authorization ip-auth-mode mixed no aaa log enable ip radius source-interface (radius interface) ip portal source-interface (portal interface) radius-server attribute nas-port-id format qinq | General aaa and radius-server commands, for reference | Note 1: when MAB authentication is used, aaa authorization ip-auth-mode can only be set to one of two modes (mix/dhcp-server). Note 2: the interface IP addresses of ip portal source-interface and ip radius source-interface must be consistent with radius or eportal. Note 3: radius-server attribute nas-port-id format qinq lets the N18K upload both of a user's tags to the server in a QinQ deployment | aaa new-model aaa accounting network sam start-stop group sam aaa authentication dot1x sam group sam aaa authentication web-auth sam group sam aaa authentication login default local aaa group server radius sam server 202.204.193.23 radius-server host 202.204.193.23 key 7 184308704078 aaa accounting update periodic 30 aaa accounting update aaa authorization ip-auth-mode mixed no aaa log enable ip portal source-interface TenGigabitEthernet 8/48 ip radius source-interface TenGigabitEthernet 8/48 or ip portal source-interface vlan 60 ip radius source-interface vlan 60 radius-server attribute nas-port-id format qinq | list name: Named aaa (accounting\authentication\authorization) list; group name: Group name; radius ip: IP address of radius server; radius key: The HIDDEN server key; portal interface: Specify interface for PORTAL device; radius interface: Specify interface for RADIUS device | |||
| 1X authentication | 1X authentication | dot1x accounting (list name) dot1x authentication (list name) | 1X authentication configuration template | dot1x accounting sam dot1x authentication sam | list name: Named aaa (accounting\authentication\authorization) list | ||||
| Commands on the relevant interfaces | dot1x port-control auto | Applies 1X control to the port | dot1x port-control auto | ||||||
| Wired SU client download | SU client download | web-auth template eportalv2 ip (su download ip) url (su download url) authentication (list name) accounting (list name) http redirect direct-site (su download ip) | SU download configuration template; it relies on the page redirection of web authentication | For users authenticating for the first time whose device has not yet downloaded the SU client, redirection to the SU download page must be possible before authentication | web-auth template eportalv2 ip 202.204.193.32 url http://202.204.193.32/su/index.jsp authentication sam accounting sam http redirect direct-site 202.204.193.32 | su-download ip: IP address of su-download; su-download url: Su-download url; list name: Named aaa (accounting\authentication/authorization) list | |||
| Commands on the relevant interfaces | web-auth enable eportalv2 | Applies web-authentication control to the port | Enable on the ports that need SU client download | web-auth enable eportalv2 | |||||
| Web authentication | Web authentication | web-auth template eportalv2 ip (portal ip) url (web url) authentication (list name) accounting (list name) web-auth portal key (portal key) http redirect direct-site (portal ip) | General web-authentication template | The list name in authentication (list name) accounting (list name) must match the list name configured in aaa | web-auth template eportalv2 ip 202.204.193.33 url http://202.204.193.33/eportal/index.jsp authentication sam accounting sam web-auth portal key university http redirect direct-site 202.204.193.33 | portal ip: IP address of portal; web url: Portal url; list name: Named aaa (accounting\authentication/authorization) list; portal key: Portal key string | |||
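| Relevant interface commands | web-auth enable eportalv2 | General template for web-authentication controlled ports | Enable on the interfaces that need web authentication | web-auth enable eportalv2 | |||||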
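| Web seamless authentication (MAB) | Web seamless authentication (MAB) | ip dhcp snooping aaa authorization ip-auth-mode mixed dot1x accounting (list name) dot1x authentication (list name) dot1x mac-auth-bypass valid-ip-auth dot1x valid-ip-acct enable aaa authentication dot1x (list name) group (group name) | [General seamless-authentication template] 1. ip dhcp snooping // the IP address entries that seamless authentication provides to SAM are obtained from the DHCP snooping table 2. aaa authorization ip-auth-mode mixed // the IP authorization mode must be set to mix (this mode takes the IP address from DHCP snooping) 3. dot1x mac-auth-bypass valid-ip-auth // MAB carries the IP address before authentication; if the terminal has no address in the DHCP snooping table (for example a self-assigned static IP), authentication is not allowed 4. dot1x valid-ip-acct enable // after MAB authentication the IP address (taken from the DHCP snooping table) is carried in accounting packets; a user without an IP address is taken offline after 5 minutes 5. Web seamless authentication (MAB) is implemented on top of dot1x authentication; dot1x authentication must be enabled to use it | dot1x mac-auth-bypass valid-ip-auth dot1x valid-ip-acct enable 1. If these two commands are not configured, users with the IP address 0.0.0.0 may appear on SAM. When SAM is integrated with a carrier BOSS system, some carrier BOSS systems require that no user has the IP 0.0.0.0, so these commands must be configured. 2. If the area has static-IP users, seamless authentication must not be used; otherwise the static-IP users will be unable to authenticate | ip dhcp snooping aaa authorization ip-auth-mode mixed dot1x accounting wifi dot1x authentication wifi dot1x mac-auth-bypass valid-ip-auth dot1x valid-ip-acct enable aaa authentication dot1x wifi group radius | list name: Named aaa (accounting\authentication/authorization) list | |||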
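| Relevant interface commands | dot1x port-control auto dot1x mac-auth-bypass multi-user | Template for seamless-authentication controlled ports | Enable this command on the interfaces that need web seamless authentication. To enable seamless authentication only for some VLANs on the interface, use dot1x mac-auth-bypass vlan (vlan-list) | dot1x port-control auto dot1x mac-auth-bypass multi-user | |||||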
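| Wireless 1X authentication | 1X authentication | direct-vlan (1X vlan) | Can be enabled globally or on an interface | Wireless 1X authentication currently cannot be moved up to the N18K; it can only run on the AC. On the N18K, enable a direct-pass VLAN for the 1X-authenticated users | direct-vlan 1-2,7,30 | 1X-VLAN: Vlan port number of 1X | |||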
| CE-VLAN settings | √ | qinq termination ce-vlan (ce-vlan-first) to (ce-vlan-end) | Configures the inner VLAN range for QinQ termination; mandatory | qinq termination ce-vlan 101 to 124 | ce-vlan-first: Start vlan number of ce-vlan; ce-vlan-end: End vlan number of ce-vlan | ||||
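| PE-VLAN settings | √ | qinq termination pe-vlan add (pe-vlan) | Configures the outer VLAN range for QinQ termination; mandatory | Note that the pe-vlan range must be the outer VLAN range of double-tagged QinQ users. If the pe-vlan range includes VLANs that belong to single-tagged users, those single-tagged users' VLANs cannot access the network. For details see the "QINQ Implementation Case" in the "Simplified Network Map" | qinq termination pe-vlan add 601-624,701 | pe-vlan: Vlan list in separator '-' and ',' of pe-vlan | |||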
| DHCP server | Basic information | service dhcp | Master switch for the DHCP service | service dhcp | |||||
| Address pool | ip dhcp pool (address-pool-name) lease 0 2 0 network (network-number) (netmask) dns-server (dns-server-address(more than one)) default-router (default-router-address) | General DHCP address pool template | Multiple address pools can be configured with this command | ip dhcp pool student lease 0 2 0 network 110.65.90.0 255.255.255.0 dns-server 202.116.32.254 222.200.129.134 default-router 110.65.90.254 | address-pool-name: Name of address pool; network-number: Network number in dotted-decimal notation; netmask: Network mask; dns-server-address: IP address of DNS server; default-router-address: IP address of Router | ||||
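| AM rules | Basic information | address-manage | AM rules allow fine-grained management of DHCP address allocation: the overall DHCP address pool is divided into finer address ranges according to the VLAN + NAS port of the matching user | Note: once AM rules are enabled globally, the vlan+port AM rules must be configured on the N18K for every area, including areas that have not been converted to the simplified network. Once the feature is on, it checks the vlan+port of every DHCP request sent to the N18K and drops the DHCP request if the vlan+port is wrong or not configured | address-manage | ||||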
| VLAN-based | match ip (network-number) (netmask) vlan (vlan list) | Subdivides the address pool plan by VLAN | Multiple match rules can be configured | match ip 110.64.172.0 255.255.255.0 vlan 100-103 | network-number: IP address; netmask: IP address mask; vlan list: Vlan list | ||||
| VLAN/PORT-based | match ip (network-number) (netmask) (interface-info) vlan (vlan list) | Subdivides the address pool plan by VLAN + port | Multiple match rules can be configured | match ip 110.64.172.0 255.255.255.0 gigabitEthernet8/15 vlan 200-203 | network-number: IP address; netmask: IP address mask; interface-info: Interface information; vlan list: Vlan list | ||||
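| Configure loose mode for AM rules | √ | match ip loose | If AM rules are configured, loose mode is recommended as a mandatory setting. Without loose mode, the requests of users that do not match the IP range of an AM rule fail, and even static-IP users cannot communicate on the network. | ||||||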
| DHCP excluded addresses | ip dhcp excluded-address (excluded-ip-address) | Addresses in the excluded range are not allocated by DHCP | Multiple such addresses can be configured | ip dhcp excluded-address 222.201.89.1 | excluded-ip-address: Excluded IP address | ||||
| DHCP relay | service dhcp ip helper-address (dhcp server ip) | service dhcp ip helper-address 222.201.89.3 | dhcp server ip: IP address of dhcp server | ||||||
| PORTAL escape | web-auth portal-check interval 3 timeout 3 retransmit 10 web-auth portal-escape nokick | por | web-auth portal-check interval 3 timeout 3 retransmit 10 web-auth portal-escape nokick | ||||||
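| RADIUS escape | Basic information | radius-server host (radius ip) test username (user-name) idle-time 2 key (radius key) radius-server dead-criteria time 120 tries 12 | RADIUS escape configuration guide: when the RADIUS server fails, users can escape directly. Note: the final key is followed by the radius key, which is the password exchanged between the device and the SAM server, not a user's account password | Configures the RADIUS server and enables detection, using user name a for the probe; idle-time is the probe interval. The test user's password is hard-coded as ruijie. The account (user name a, password ruijie) must also be provisioned on SAM; otherwise a large volume of junk "account does not exist" logs is generated. | radius-server host 192.168.1.6 test username a idle-time 1 key ruijie | radius ip: IP address of radius server; user-name: The name of user; radius key: The HIDDEN server key | |||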
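| Escape under web authentication (global configuration) | web-auth radius-escape | Mandatory command for RADIUS escape under web authentication | RADIUS escape for web authentication is enabled globally | web-auth radius-escape | |||||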
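| Escape under 1X authentication (interface configuration) | dot1x critical dot1x critical recovery action reinitialize | Mandatory commands for RADIUS escape under dot1x authentication | RADIUS escape for 1X authentication is enabled per port. Enabling the second command means that when the RADIUS server recovers, users who used 1X escape are kicked offline to re-authenticate | dot1x critical recovery action reinitialize dot1x critical | |||||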
| Uploading SSID information | VLAN-to-SSID mapping | web-auth mapping (mapping-name) vlan (vlan-list) ssid (ssid-name) | Maps SSIDs by VLAN and uploads them to SAM for policy customization (for example, pushing different carriers' authentication pages according to VLAN) | All current VLANs must be mapped | web-auth mapping Sch-Wifi vlan 301-370,901-926 ssid Wifi-Stu | mapping-name: Webauth mapping name; vlan-list: Vlan list; ssid-name: Name of ssid | |||
| Relevant interface commands | web-auth apply-mapping (mapping-name) | Applies the VLAN-to-SSID mapping policy to the interface | web-auth apply-mapping Sch-Wifi | ||||||
| AC and AP device management | direct-vlan (AP managed vlan) | direct-vlan 10-12,17-20,50 | AP managed vlan: Managed vlan of AP device or AC device | ||||||
| Aggregation and access device management | direct-vlan (switchboard managed vlan) | direct-vlan 30-35,47,60 | switchboard managed vlan: Vlan port number of switchboard managed vlan | ||||||
| SUPERVLAN management | vlan (supervlan) supervlan subvlan (subvlan-list) name (supervlan-name) | Multiple entries can be configured | vlan 4001 supervlan subvlan 601-625 name teacher | supervlan: VLAN ID; subvlan-list: VLAN IDs of the sub-vlans; supervlan-name: Name of super vlan | |||||
| IPV6 | General | address-bind ipv6-mode compatible | IPv6 compatible mode | Once IPv4 authentication succeeds, IPv6 can access the network | address-bind ipv6-mode compatible | ||||
| Relevant interface commands | ipv6 address (ipv6 address prefix) ipv6 enable no ipv6 nd suppress-ra | IPv6 addresses are currently all obtained statelessly. Enable this command on the interfaces that need web authentication | ipv6 address 2001:DA8:200B:9778::1/64 ipv6 enable no ipv6 nd suppress-ra | ipv6 address prefix: IPv6 prefix | |||||
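| User port migration | Port migration under wired 1X and MAB authentication | station-move permit | 1X authentication migration | Note: when N18K authentication migration is used together with our AC, ARP proxy must be disabled on the AC. This prevents the AC from automatically answering the ARP probe that the N18K sends during authentication migration, which would make the migration fail | station-move permit no dot1x station-move arp-detect | ||||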
| Migration without re-authentication under wireless web authentication | station-move permit web-auth station-move auto web-auth station-move info-update | Web authentication migration | station-move permit web-auth station-move auto web-auth station-move info-update no web-auth station-move arp-detect no dot1x station-move arp-detect | ||||||
| Disable ARP proxy globally on the AC | AC(config)#no proxy_arp enable | Disables ARP proxy globally on the AC | |||||||
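| Offline on no traffic | offline-detect interval 15 threshold 0 | The N18K checks the MAC address table; if the user has no entry in the MAC address table within the configured time, the user is judged to have no traffic and is taken offline | Setting the no-traffic offline time to 15 minutes is recommended; the system time on the device must also match the time on the server | offline-detect interval 15 threshold 0 | |||||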
| Aggregation | VLAN settings | √ | vlan (vlan-list) | User access VLANs (inner VID + outer VID), management VLAN, special-service VLANs (inner VID + outer VID) | |||||
| Uplink port configuration | √ | interface xx switchport mode trunk switchport trunk native vlan (special-service-vlan-pe) mtu 1530 | The native vlan is set to the outer VLAN of the special service | ||||||
| Downlink port configuration | √ | interface xx switchport mode dot1q-tunnel switchport dot1q-tunnel allowed vlan add untagged (net-vlan-pe and managed-vlan and special-service-vlan-pe) switchport dot1q-tunnel native vlan (managed-vlan) dot1q outer-vid (net-vlan-pe) register inner-vid (net-vlan-ce) dot1q outer-vid (special-service-vlan-pe) register inner-vid (special-service-vlan-ce) | |||||||
| Management address | √ | interface vlan (managed-vlan) ip address (managed-ip) | |||||||
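| Configure OSPF passive interface | Mandatory if OSPF is configured on the live network. Not needed if the live network uses static routes | router ospf (process ID) passive-interface vlan (supervlan id) | The gateway supervlan of the simplified-network users must be configured as a passive interface under the OSPF process. | Note: this is an important setting in the simplified-network deployment; it prevents OSPF protocol packets from being replicated into every subvlan of the supervlan and overwhelming the CPU. Only need to configure | router ospf 1 passive-interface vlan 300 | process id: OSPF process ID; supervlan id: ID of the supervlan that is the gateway of the simplified-network users | |||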
| Storm control | √ | interface xx storm-control broadcast pps 1000 storm-control multicast pps 1000 | |||||||
| Access | VLAN settings | √ | vlan (vlan-list) | User access VLANs (inner VID), management VLAN, special-service VLANs (inner VID) | |||||
| Uplink port configuration | √ | interface xx switchport mode trunk switchport trunk native vlan (managed-vlan) | |||||||
| Downlink port configuration (rldp) | √ | interface xx switchport access vlan (net-vlan-ce) rldp port loop-detect shutdown-port | |||||||
| Interface loop protection | √ | errdisable recovery interval 300 | |||||||
| Management address | √ | interface vlan (managed-vlan) ip address (managed-ip) | |||||||
| Storm control | √ | interface xx storm-control broadcast pps 300 storm-control multicast pps 300 | |||||||
| Wireless AC | Create the interconnect VLAN and configure the interconnect IP | √ | vlan (vlanid) interface VLAN (vlanid) description to_hexin ip address (IP) (subnetmask) | vlan 2100 interface VLAN 2100 description to_hexin ip address 172.18.32.45 255.255.255.240 | |||||
| Create loopback 0 and configure its IP | √ | interface Loopback 0 ip address (IP) 255.255.255.255 | Note 1: use a 32-bit mask | interface Loopback 0 ip address 1.1.1.1 255.255.255.255 | |||||
| User VLAN configuration | √ | vlan (vlanid) | |||||||
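| Configure wlan-config, create the SSID, and set the forwarding mode | √ | wlan-config (wlan-id) (SSID) tunnel (8023 or local) | 8023 means centralized forwarding; local means local forwarding; the default is centralized forwarding | wlan-config 1 ruijie_test tunnel local | |||||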
| WLAN rate limiting | wlan-config (wlan-id) wlan-based per-user-limit up-streams average-data-rate (average) burst-data-rate (burst maximum) wlan-based per-user-limit down-streams average-data-rate (average) burst-data-rate (burst maximum) | Note 1: the unit is 8 Kbps. Note 2: the burst value can be set to 1.5 times the average. Note 3: the uplink value should be configured somewhat lower than the downlink value. | wlan-config 1 wlan-based per-user-limit up-streams average-data-rate 200 burst-data-rate 300 wlan-based per-user-limit down-streams average-data-rate 400 burst-data-rate 600 | ||||||
| Configure the ap-group and associate wlan-config with the user VLAN | √ | ap-group (group-name) interface-mapping (wlan-id) (vlan-id) | ap-group TSG interface-mapping 1 51 | ||||||
| WIDS user isolation | wids user-isolation ap enable user-isolation ac enable | wids user-isolation ap enable user-isolation ac enable | |||||||
| Disable low rates | ac-controller 802.11g network rate 1 disabled 802.11g network rate 2 disabled 802.11g network rate 5 disabled 802.11g network rate 6 disabled 802.11g network rate 9 disabled 802.11b network rate 1 disabled 802.11b network rate 2 disabled 802.11b network rate 5 disabled | ac-controller 802.11g network rate 1 disabled 802.11g network rate 2 disabled 802.11g network rate 5 disabled 802.11g network rate 6 disabled 802.11g network rate 9 disabled 802.11b network rate 1 disabled 802.11b network rate 2 disabled 802.11b network rate 5 disabled | |||||||
| ip dhcp snooping | √ | ip dhcp snooping | ip dhcp snooping | ||||||
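| Disable ARP proxy globally on the AC | √ | AC(config)#no proxy_arp enable | Disables ARP proxy globally on the AC | Note: when N18K authentication migration is used together with our AC, ARP proxy must be disabled on the AC. This prevents the AC from automatically answering the ARP probe that the N18K sends during authentication migration, which would make the migration fail | |||||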
| Preventing self-assigned addresses and ARP spoofing | wlansec (wlan-id) arp-check ip verify source port-security | Prerequisite: the DHCP snooping feature must be configured first | wlansec 1 arp-check ip verify source port-security | ||||||
| Disable RRM | advanced 802.11a channel global off advanced 802.11b channel global off | advanced 802.11a channel global off advanced 802.11b channel global off | |||||||
| Configure the TFTP server | tftp-server enable tftp-server topdir flash:/ | tftp-server enable tftp-server topdir flash:/ | |||||||
| NFPP configuration | arp-guard trusted-host (sta gateway ip) (sta gateway mac) dhcp-guard trusted-host (dhcp server mac/18K mac) | arp-guard trusted-host 10.1.1.1 00d0.8605.0002 dhcp-guard trusted-host 00d0.8605.0002 | |||||||
| Configure the interconnect interface as a trunk and prune VLANs | interface AggregatePort 1 switchport mode trunk switchport trunk allowed vlan remove (vlan-list) | Note 1: local forwarding only needs to keep the interconnect VLAN; centralized forwarding also needs to permit the wireless user VLANs | interface AggregatePort 1 switchport mode trunk switchport trunk allowed vlan remove 2000-4094 | ||||||
| Configure ap-group, channel and power for the AP | √ | ap-config(ap-name) ap-group (group-name) channel (channel) radio (radioid) power local (power) radio (radioid) | ap-config ap120 ap-group 51 channel 11 radio 1 power local 5 radio 1 | ||||||
| Authentication | Basic information | aaa new-model aaa group server radius (group name) server (radius ip) aaa accounting update aaa authentication dot1x (list name) group (group name) aaa accounting network (list name) start-stop group (group name) ip radius source-interface (radius interface) radius-server host (radius ip) key (key) dot1x valid-ip-acct enable | General aaa and radius-server commands, for reference | Note 1: the interface IP address of ip radius source-interface must be consistent with radius or eportal | aaa new-model aaa accounting network sam start-stop group sam aaa authentication dot1x sam group sam aaa group server radius sam server 202.204.193.23 radius-server host 202.204.193.23 key ruijie aaa accounting update periodic 30 aaa accounting update ip radius source-interface vlan 60 dot1x valid-ip-acct enable | list name: Named aaa (accounting\authentication\authorization) list; group name: Group name; radius ip: IP address of radius server; radius key: The HIDDEN server key; radius interface: Specify interface for RADIUS device | |||
| 1X authentication | 1X authentication | wlansec (wlan-id) security rsn enable security rsn ciphers aes enable security rsn akm 802.1x enable dot1x authentication (list name) dot1x accounting (list name) | 1X authentication configuration template | wlansec 20 security rsn enable security rsn ciphers aes enable security rsn akm 802.1x enable dot1x authentication sam dot1x accounting sam | list name: Named aaa (accounting\authentication\authorization) list | ||||
| Hot backup | wlan hot-backup (hot-backup peer loopback0 ip) context (context-id) priority level (hot-backup priority) ap-group (ap-group-name) ap-group default vrrp interface VLAN (vlan-id) group (vrrp-group) wlan hot-backup enable | wlan hot-backup 2.2.2.2 context 1 priority level 6 ap-group XQ-GYL ap-group default vrrp interface VLAN 4036 group 10 wlan hot-backup enable | |||||||
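
A way to check a saved core-switch configuration against some of the dependencies this table states (mandatory commands, the MAB prerequisites, AM loose mode, OSPF passive supervlans, matching aaa list names), as an added example that is not the vendor's or the page's own tooling. The function name, finding strings and sample configuration are constructed for illustration; it assumes one command per line, spelled as in the table.

```python
import re

# Commands the table marks as mandatory (√) on the core switch, matched as whole lines.
REQUIRED = ("auth-mode gateway", "snmp-server if-index persist",
            "ip dhcp snooping", "ip dhcp snooping check-giaddr")

def audit_core_config(text):
    """Return a list of findings for a core-switch configuration."""
    lines = [ln.strip().lower() for ln in text.splitlines() if ln.strip()]
    have = set(lines)
    has = lambda pat: any(re.fullmatch(pat, ln) for ln in lines)
    out = [f"missing mandatory command: {c}" for c in REQUIRED if c not in have]
    # MAB needs both valid-ip commands and an ip-auth-mode backed by DHCP snooping.
    if has(r"dot1x mac-auth-bypass (multi-user|vlan .+)"):
        for c in ("dot1x mac-auth-bypass valid-ip-auth", "dot1x valid-ip-acct enable"):
            if c not in have:
                out.append(f"MAB enabled without: {c}")
        if not has(r"aaa authorization ip-auth-mode (mixed|dhcp-server)"):
            out.append("MAB enabled without ip-auth-mode mixed or dhcp-server")
    # With AM rules on, unmatched DHCP requests are dropped unless loose mode is set.
    if "address-manage" in have and "match ip loose" not in have:
        out.append("address-manage without match ip loose")
    # Under OSPF every supervlan gateway must be a passive interface.
    if has(r"router ospf \d+"):
        current = None
        for ln in lines:
            m = re.fullmatch(r"vlan (\d+)", ln)
            if m:
                current = m.group(1)
            elif ln == "supervlan" and f"passive-interface vlan {current}" not in have:
                out.append(f"supervlan {current} is not an OSPF passive interface")
    # The list name used in a web-auth template must exist as an aaa web-auth list.
    for ln in lines:
        m = re.fullmatch(r"authentication (\S+)", ln)
        if m and not has(rf"aaa authentication web-auth {re.escape(m.group(1))} group \S+"):
            out.append(f"web-auth template uses undefined aaa list: {m.group(1)}")
    return out

# Constructed sample configuration with deliberate gaps (not from a real device).
SAMPLE = """
auth-mode gateway
snmp-server if-index persist
ip dhcp snooping
aaa authentication web-auth sam group sam
aaa authorization ip-auth-mode mixed
dot1x mac-auth-bypass valid-ip-auth
address-manage
web-auth template eportalv2
 authentication portal
vlan 4001
 supervlan
router ospf 1
 passive-interface vlan 300
 dot1x mac-auth-bypass multi-user
"""

if __name__ == "__main__":
    print("\n".join(audit_core_config(SAMPLE)))
```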