Huawei AC + AP Layer 3 networking architecture: web configuration + command-line configuration

Time: 2023-04-05 20:09:52

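1. All DHCP pools are on the core switch.
2. DHCP for the AP management addresses is also on the core switch.
3. The access-switch ports that connect to APs must have a PVID set (port trunk pvid vlan).
4. Service VLANs: 10 and 20.
5. AP management VLAN: 100. The DHCP pool for this VLAN must contain the line option 43 sub-option 3 ascii 10.0.0.2
10.0.0.2 is the AC's VLAN 999 address, which is used to interconnect with the core switch.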
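
How the `option 43 sub-option 3 ascii 10.0.0.2` line looks on the wire, and how to check a captured DHCP offer against the AC this design expects. This Python code is an added example, not from the original post; it assumes the standard type/length/value sub-option layout of DHCP option 43 and, as a further assumption, a comma-separated string when more than one AC is listed. All function names are hypothetical.

```python
import ipaddress

def encode_suboption3(ac_ips):
    """Build the option 43 payload for `sub-option 3 ascii`: type 3, length, ASCII text."""
    # Assumption: several ACs are written as one comma-separated ASCII string.
    text = ",".join(str(ipaddress.IPv4Address(ip)) for ip in ac_ips).encode("ascii")
    if not 0 < len(text) <= 255:
        raise ValueError("sub-option value must be 1..255 bytes")
    return bytes([3, len(text)]) + text

def parse_option43(payload):
    """Walk the type/length/value sub-options and return {type: value}."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        kind, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past the payload")
        subopts[kind] = value
        i += 2 + length
    return subopts

def advertised_acs(payload):
    """Return the AC addresses carried in sub-option 3, validated as IPv4."""
    raw = parse_option43(payload).get(3, b"")
    return [str(ipaddress.IPv4Address(p)) for p in raw.decode("ascii").split(",") if p]

def offer_matches(payload, expected_acs):
    """True only if the offer names exactly the ACs the design expects."""
    return set(advertised_acs(payload)) == set(expected_acs)

if __name__ == "__main__":
    payload = encode_suboption3(["10.0.0.2"])  # the AC's Vlanif999 address from this page
    print(payload.hex(), advertised_acs(payload), offer_matches(payload, ["10.0.0.2"]))
```

An offer on VLAN 100 whose sub-option 3 does not decode to 10.0.0.2 would send the APs to a different controller, so `offer_matches` is the check to run against captured DHCP traffic.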

Core switch configuration:
dis cu
dis current-configuration

sysname HX

undo info-center enable

vlan batch 10 20 100 999

stp disable

cluster enable
ntdp enable
ndp enable

drop illegal-mac alarm

dhcp enable

diffserv domain default

drop-profile default

dhcp server group vlan10

ip pool vlan10
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0

ip pool vlan20
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0

ip pool vlan100
gateway-list 172.16.0.1
network 172.16.0.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.0.0.2

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http

interface Vlanif1

interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select global

interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select global

interface Vlanif100
ip address 172.16.0.1 255.255.255.0
dhcp select global

interface Vlanif999
ip address 10.0.0.1 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/3
port link-type access
port default vlan 999

interface NULL0

user-interface con 0
user-interface vty 0 4

return

Access switch configuration:
dis curr
dis current-configuration

sysname jr

vlan batch 10 20 100

stp disable

cluster enable
ntdp enable
ndp enable

drop illegal-mac alarm

diffserv domain default

drop-profile default

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http

interface Vlanif1

interface MEth0/0/1

interface Ethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 10 20 100

interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 10 20 100

interface NULL0

user-interface con 0
user-interface vty 0 4

return

AC controller configuration (web configuration):

Set the source IP

Create the interconnect VLAN

Set the virtual IP

Set the default route:

Create a new SSID using the built-in default template; there is no need to create your own template:

Rename the APs that have come online and add them to the SSID in the default group:

AC controller configuration (command-line configuration):
dis curr
dis current-configuration

sysname ac

http server enable

set memory-usage threshold 0

ssl renegotiation-rate 1

vlan 999

authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile

diffserv domain default

radius-server template default

pki realm default
rsa local-key-pair default
enrollment self-signed

ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256

free-rule-template name default_free_rule

portal-access-profile name portal_access_profile

aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
local-user yu password irreversible-cipher <hash garbled in the source page>
local-user yu privilege level 15
local-user yu service-type telnet terminal ssh ftp http
local-user yeng password cipher %%#V]W{-v`S63a!r1D3WoC*=YFsCQ`:WB{VD_"pENy,%%

local-user yeng privilege level 15
local-user yeng service-type web
local-user admin password irreversible-cipher <hash garbled and truncated in the source page>
local-user admin privilege level 15
local-user admin service-type telnet terminal ssh ftp http

interface Vlanif999
ip address 10.0.0.2 255.255.255.0

interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/2

interface GigabitEthernet0/0/3

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7
undo negotiation auto
duplex half

interface GigabitEthernet0/0/8
undo negotiation auto
duplex half

interface NULL0

snmp-agent local-engineid 800007DB03000000000000
snmp-agent

ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1

ip route-static 0.0.0.0 0.0.0.0 10.0.0.1

capwap source interface vlanif999

user-interface con 0
authentication-mode password
user-interface vty 0 4
protocol inbound all
user-interface vty 16 20
protocol inbound all

wlan
traffic-profile name default
security-profile name nwy
security wpa-wpa2 psk pass-phrase %^%#"#0d)#b5[O3A-2)%Ko7N|Mx=DdMU1>8jJ#]Ml|-%^%# aes-tkip
security-profile name guest
security-profile name default
security wpa2 psk pass-phrase %%#P{n#-T=*C);OE$;L>aN59$RM4Cu@R@Z’_@#%m]ZJ%%# aes
security-profile name tRadio0
security wpa2 psk pass-phrase %%#,`-"P{5I^O5Xq!8asY5>lUy4PEsoaIM[y9LM’`*0%%# aes
security-profile name tRadio1
security wpa2 psk pass-phrase <cipher text garbled in the source page> aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name nwy
ssid nwy
ssid-profile name guest
ssid guest
ssid-profile name default
vap-profile name 1
vap-profile name nwy
service-vlan vlan-id 10
permit-vlan vlan-id 10
ssid-profile nwy
security-profile nwy
vlan-mobility-group 10
vap-profile name nwy1
vap-profile name guest
service-vlan vlan-id 20
ssid-profile guest
security-profile guest
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-whitelist-profile name tRadio0
peer-ap mac 00e0-fce4-57d0
mesh-whitelist-profile name tRadio1
peer-ap mac 00e0-fce4-57d0
mesh-profile name default
mesh-profile name tRadio0
security-profile default
mesh-id 1
mesh-profile name tRadio1
security-profile tRadio1
mesh-id 1
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap auth-mode no-auth
ap-group name default
radio 0
vap-profile nwy wlan 1
vap-profile guest wlan 2
radio 1
vap-profile nwy wlan 1
vap-profile guest wlan 2
radio 2
vap-profile nwy wlan 1
vap-profile guest wlan 2
ap-id 0 type-id 69 ap-mac 00e0-fce4-57d0 ap-sn 210235448310EC3F0A67
ap-name jxl1
ap-group default
ap-id 1 type-id 69 ap-mac 00e0-fc01-5950 ap-sn 2102354483103213D216
ap-name jxl2
ap-id 2 type-id 69 ap-mac 00e0-fcf7-4de0 ap-sn 210235448310E659C225
provision-ap

dot1x-access-profile name dot1x_access_profile

mac-access-profile name mac_access_profile

return
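
An added example, not part of the original post: a small Python audit that flags settings in dumps like the ones above that weaken the management and wireless planes (plaintext or reversible passwords, Telnet/FTP access, unauthenticated AP onboarding, trunks that pass every VLAN, an open SSID that is actually in use). The rule list and the function name `audit` are illustrative, and the sample input is constructed from lines on this page with secrets replaced.

```python
import re

# Each pattern matches a line that appears in the configurations on this page.
RULES = [
    (r"^local-user \S+ password simple\b", "password stored in plaintext"),
    (r"^local-user \S+ password cipher\b", "password stored reversibly"),
    (r"^local-user \S+ service-type .*\b(telnet|ftp)\b", "cleartext management service"),
    (r"^protocol inbound all$", "VTY accepts Telnet as well as SSH"),
    (r"^ap auth-mode no-auth$", "APs join the AC without authentication"),
    (r"^port trunk allow-pass vlan 2 to 4094$", "trunk carries every VLAN"),
    (r"key-exchange dh_group14_sha1$", "SSH key exchange uses SHA-1"),
    (r"aes-tkip$", "TKIP accepted alongside AES"),
]

def audit(config):
    """Return (config line, issue) pairs for a flat VRP configuration dump."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = [(ln, issue) for ln in lines
                for pattern, issue in RULES if re.search(pattern, ln)]
    # A security-profile with no "security ..." line keeps the default open policy;
    # report it only when a VAP or mesh profile actually references it.
    has_policy = {}
    for ln, nxt in zip(lines, lines[1:] + [""]):
        m = re.match(r"security-profile name (\S+)$", ln)
        if m:
            has_policy[m.group(1)] = nxt.startswith("security ")
    used = {ln.split()[1] for ln in lines
            if re.match(r"security-profile (?!name )\S+$", ln)}
    for name in sorted(used):
        if has_policy.get(name) is False:
            findings.append((f"security-profile name {name}", "open SSID in use"))
    return findings

# Constructed sample: lines taken from the dumps above, secrets replaced.
SAMPLE = """
local-user admin password simple admin
local-user yu service-type telnet terminal ssh ftp http
port trunk allow-pass vlan 2 to 4094
protocol inbound all
security-profile name guest
security-profile name default
security wpa2 psk pass-phrase <placeholder> aes
security-profile guest
ap auth-mode no-auth
"""

if __name__ == "__main__":
    for line, issue in audit(SAMPLE):
        print(f"{issue:40} <- {line}")
```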