Configure TQ6702 GEN2-R via CLI
Configure settings on the TQ6702 GEN2-R (wireless AP router), such as creating AP profiles, bridges, firewalls, DHCP servers, AMF settings, etc., using the CLI.
Login
- Log in to the wireless AP router CLI with a privileged user account (user with privilege level 15).
- Shift to Privileged EXEC mode.
awplus> enable
awplus#
- Shift from Privileged EXEC mode to Global Configuration mode.
awplus# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)#
* The prompts and command responses are omitted hereafter.
Wireless Configuration
- To configure the wireless function, type the wireless command to shift to Wireless Configuration mode.
wireless
- Create security settings to be used for each VAP.
- Set security mode to WPA Personal (security mode wpa-personal)
- Set security key (key)
- Specify WPA versions (versions)
security 1
 mode wpa-personal
 key passphrase1
 versions wpa2 wpa3
security 2
 mode wpa-personal
 key passphrase2
 versions wpa2 wpa3
- Create network settings to be used for each VAP.
- Network setting (network)
- SSID name (ssid)
- Enable SSID Stealth mode (hide-ssid)
- Enable band steering (band-steering)
- Selecting security profile (security)
network 1
 ssid Network
 hide-ssid
 band-steering
 security 1
network 2
 ssid Management
 hide-ssid
 band-steering
 security 2
network 17
 ssid Network
 hide-ssid
 band-steering
 security 1
network 18
 ssid Management
 hide-ssid
 band-steering
 security 2
- Create an AP profile that configures the various functions and VAPs for Radio 1 and Radio 2.
Use the "ap-profile local" command to enter AP Profile mode, then use the "radio" command to specify the radio number and execute the following commands.
- Enable the radio band (enable)
- Enter VAP Configuration mode (vap)
- Enable Zero Wait DFS (zero-wait-dfs enable)
ap-profile local
 radio 1
  enable
  vap 0
   network 1
  vap 1
   network 2
 radio 2
  enable
  zero-wait-dfs enable
  vap 0
   network 17
  vap 1
   network 18
- Once here, switch to Privileged EXEC mode and execute the "wireless ap-configuration apply ap local" command to apply the wireless configuration.
This enables each VAP interface (vap1.0, vap1.1, vap2.0, vap2.1).
After the wireless application is finished, return to the Global Config mode again to continue the configuration.
end
wireless ap-configuration apply ap local
configure terminal
- Create the software bridge 1 and 2. To do this, use the "bridge" command.
bridge 1
bridge 2
- Assign vap1.0 and vap2.0 to bridge "1", and vap1.1 and vap2.1 to bridge "2". To do this, use the "bridge-group" command.
Note
In this quick tour, the 2.4GHz and 5GHz VAPs with the same VAP number belong to the same bridge and operate in the same segment.
To operate the 2.4GHz and 5GHz VAPs in different segments, set an IP address on each VAP and change the entity and firewall settings accordingly.
interface vap1.0
 bridge-group 1
interface vap1.1
 bridge-group 2
interface vap2.0
 bridge-group 1
interface vap2.1
 bridge-group 2
- Once again here, switch to Privileged EXEC mode and execute the "wireless ap-configuration apply ap local" command to apply the wireless configuration.
If the bridges are created after the VAPs have already been created and applied, the wireless configuration must be applied again after the bridges are created.
After the wireless application is finished, return to the Global Config mode again to continue the configuration.
end
wireless ap-configuration apply ap local
configure terminal
Router Configuration
- Set IP addresses for Bridge 1 (br1) and Bridge 2 (br2) on separate segments. To do this, use the "ip address" command.
interface br1
 ip address 192.168.10.1/24
interface br2
 ip address 192.168.100.1/24
- In the same way, set the IP address and netmask provided by the AMF network administrator on the copper port eth1.
interface eth1
 ip address 192.168.1.200/24
- Define "Entities" to be used when creating firewall and NAT rules.
Create a zone "private" representing the internal network.
To do this, use the "zone", "network", and "ip subnet" commands.
zone private
 network dhcp
  ip subnet 0.0.0.0/0 interface br1
  ip subnet 0.0.0.0/0 interface br2
 network lan1
  ip subnet 192.168.10.0/24
 network lan2
  ip subnet 192.168.100.0/24
- Create a zone "public" representing the external network.
In addition to the above commands, the "host" and "ip address" commands are also used here.
zone public
 network wan
  ip subnet 0.0.0.0/0 interface eth1
  host eth1
   ip address 192.168.1.200
- Define the "Application" used to specify communication content when creating firewall rules.
To do this, use the "application", "protocol", and "dport" commands.
Define a custom application "DHCP" representing the DHCP packets.
application dhcp
 protocol udp
 dport 67 to 68
- Configure the firewall function to allow communication from the outside to the wireless router while blocking communication between the two bridges.
To do this, use the "firewall", "rule", and "protect" commands.
- Rule 10 - Allow internal DHCP communication
- Rule 20 - Allow communication between terminals under bridge 1 and the wireless router
- Rule 30 - Allow communication between terminals under bridge 2 and the wireless router
- Rule 40 - Allow external communication from terminals under bridge 1
- Rule 50 - Allow external communication from terminals under bridge 2
- Rule 60 - Allow communication from the wired LAN interface of the wireless router to the outside
- Rule 70 - Allow communication from the outside to the wired LAN interface of the wireless router
firewall
 rule 10 permit dhcp from private.dhcp to private.dhcp
 rule 20 permit any from private.lan1 to private.lan1
 rule 30 permit any from private.lan2 to private.lan2
 rule 40 permit any from private.lan1 to public
 rule 50 permit any from private.lan2 to public
 rule 60 permit any from public.wan.eth1 to public.wan
 rule 70 permit any from public.wan to public.wan.eth1
 protect
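Before committing a rule set like this one, it helps to check which flows it actually permits. The following Python model is an added example, not Allied Telesis code; it only approximates AlliedWare Plus entity matching under these assumptions: rules are evaluated top-down with first match winning, a "from" entity is checked against the source address and ingress interface, a "to" entity against the destination address and egress interface, and "protect" denies anything no rule matches.

```python
import ipaddress

# Entities from this tour's "zone" definitions: name -> [(subnet, interface or None)].
# Dotted names nest, so "private" covers private.dhcp, private.lan1 and private.lan2.
ENTITIES = {
    "private.dhcp": [("0.0.0.0/0", "br1"), ("0.0.0.0/0", "br2")],
    "private.lan1": [("192.168.10.0/24", None)],
    "private.lan2": [("192.168.100.0/24", None)],
    "public.wan": [("0.0.0.0/0", "eth1")],
    "public.wan.eth1": [("192.168.1.200/32", "eth1")],
}

# Firewall rules from the tour in evaluation order: (number, application, from, to).
RULES = [
    (10, "dhcp", "private.dhcp", "private.dhcp"),
    (20, "any", "private.lan1", "private.lan1"),
    (30, "any", "private.lan2", "private.lan2"),
    (40, "any", "private.lan1", "public"),
    (50, "any", "private.lan2", "public"),
    (60, "any", "public.wan.eth1", "public.wan"),
    (70, "any", "public.wan", "public.wan.eth1"),
]

def entity_matches(entity, ip, iface):
    """True if (ip, iface) falls inside the named entity or any entity nested under it."""
    for name, members in ENTITIES.items():
        if name != entity and not name.startswith(entity + "."):
            continue
        for subnet, member_iface in members:
            if (ipaddress.ip_address(ip) in ipaddress.ip_network(subnet)
                    and member_iface in (None, iface)):
                return True
    return False

def app_matches(app, proto, dport):
    """'any' matches everything; 'dhcp' is the tour's custom application (udp, dport 67 to 68)."""
    return app == "any" or (app == "dhcp" and proto == "udp" and 67 <= dport <= 68)

def evaluate(src, src_if, dst, dst_if, proto="tcp", dport=443):
    """Model assumption: 'from' entities are checked against the source address and ingress
    interface, 'to' entities against the destination address and egress interface.
    Returns ("permit", rule_number) or ("deny", None); 'protect' denies unmatched traffic."""
    for num, app, frm, to in RULES:
        if app_matches(app, proto, dport) and entity_matches(frm, src, src_if) \
                and entity_matches(to, dst, dst_if):
            return ("permit", num)
    return ("deny", None)
```

With constructed sample flows, evaluate("192.168.10.100", "br1", "192.168.100.100", "br2") returns ("deny", None), while the same bridge 1 client reaching 8.8.8.8 via eth1 is permitted by rule 40 and a DHCP discover (0.0.0.0 to 255.255.255.255, udp 67, on br1) by rule 10.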
- Configure the dynamic ENAT feature so that all terminals associated with the wireless LAN networks can use it.
To do this, use the "nat", "rule", and "enable" commands.
nat
 rule 10 masq any from private to public
 enable
- Configure the DHCP server function for computers associated with the wireless LAN networks.
To do this, create a DHCP pool with the "ip dhcp pool" command and set the following information:
- Subnet (network)
- IP address range to be leased (range)
- Default gateway (default-router)
- DNS server address (dns-server)
- Lease time (lease)
ip dhcp pool pool10
 network 192.168.10.0 255.255.255.0
 range 192.168.10.100 192.168.10.131
 dns-server 192.168.10.1
 default-router 192.168.10.1
 lease 0 2 0
ip dhcp pool pool100
 network 192.168.100.0 255.255.255.0
 range 192.168.100.100 192.168.100.131
 dns-server 192.168.100.1
 default-router 192.168.100.1
 lease 0 2 0
- Enable DHCP server. To do this, use the "service dhcp-server" command.
service dhcp-server
- Direct the default route to the default gateway provided by the administrator. To do this, use the "ip route" command.
ip route 0.0.0.0/0 192.168.1.1
AMF Configuration
- Specify the AMF network name "AMF001".
atmf network-name AMF001
- Create an AMF virtual link to connect to the AMF master.
atmf virtual-link id 1 ip 192.168.1.200 remote-id 1 remote-ip 192.168.1.254
Once the AMF virtual link is communicating correctly with the AMF master, logs showing the router joining the AMF network are displayed.
- This completes the configuration of the wireless router.
end
Save the Configuration
After configuration is complete, save the current settings as the startup configuration. To do this, execute the copy command in the format "copy running-config startup-config".
awplus# copy running-config startup-config
Building configuration...
[OK]
The same can also be done with the "write file" and "write memory" commands.
awplus# write memory
Building configuration...
[OK]
Configuration Example
The following is an example of the configuration set up in this quick tour.
!
wireless
 security 1
  mode wpa-personal
  key passphrase1
  versions wpa2 wpa3
 security 2
  mode wpa-personal
  key passphrase2
  versions wpa2 wpa3
 network 1
  ssid Network
  hide-ssid
  band-steering
  security 1
 network 2
  ssid Management
  hide-ssid
  band-steering
  security 2
 network 17
  ssid Network
  hide-ssid
  band-steering
  security 1
 network 18
  ssid Management
  hide-ssid
  band-steering
  security 2
 ap-profile local
  radio 1
   enable
   vap 0
    network 1
   vap 1
    network 2
  radio 2
   enable
   zero-wait-dfs enable
   vap 0
    network 17
   vap 1
    network 18
 ap local
!
bridge 1
bridge 2
!
interface vap1.0
 bridge-group 1
!
interface vap1.1
 bridge-group 2
!
interface vap2.0
 bridge-group 1
!
interface vap2.1
 bridge-group 2
!
interface br1
 ip address 192.168.10.1/24
!
interface br2
 ip address 192.168.100.1/24
!
interface eth1
 ip address 192.168.1.200/24
!
zone private
 network dhcp
  ip subnet 0.0.0.0/0 interface br1
  ip subnet 0.0.0.0/0 interface br2
 network lan1
  ip subnet 192.168.10.0/24
 network lan2
  ip subnet 192.168.100.0/24
!
zone public
 network wan
  ip subnet 0.0.0.0/0 interface eth1
  host eth1
   ip address 192.168.1.200
!
application dhcp
 protocol udp
 dport 67 to 68
!
firewall
 rule 10 permit dhcp from private.dhcp to private.dhcp
 rule 20 permit any from private.lan1 to private.lan1
 rule 30 permit any from private.lan2 to private.lan2
 rule 40 permit any from private.lan1 to public
 rule 50 permit any from private.lan2 to public
 rule 60 permit any from public.wan.eth1 to public.wan
 rule 70 permit any from public.wan to public.wan.eth1
 protect
!
nat
 rule 10 masq any from private to public
 enable
!
ip dhcp pool pool10
 network 192.168.10.0 255.255.255.0
 range 192.168.10.100 192.168.10.131
 dns-server 192.168.10.1
 default-router 192.168.10.1
 lease 0 2 0
ip dhcp pool pool100
 network 192.168.100.0 255.255.255.0
 range 192.168.100.100 192.168.100.131
 dns-server 192.168.100.1
 default-router 192.168.100.1
 lease 0 2 0
!
service dhcp-server
!
ip route 0.0.0.0/0 192.168.1.1
!
atmf network-name AMF001
!
atmf virtual-link id 1 ip 192.168.1.200 remote-id 1 remote-ip 192.168.1.254
end
12 Jul 2024 09:32