juliaugust

SG300 router, MT hEX PoE VLAN switch, Cisco Air AP: everything configured correctly?

Hello forum,

I am in the middle of redesigning my network and have got my planned configuration up and running as well.
Perhaps an expert could take a look at it. I'm sure there are still one or two knobs to turn to make the WLAN a bit faster too.

I am using the following hardware:

FritzBox Cable 6591 with Vodafone GigaCable
Cisco SG300-20 as router
MikroTik hEX PoE as PoE VLAN switch
Cisco AIR-SAP1602E-E-K9 as VLAN AP (3x)

The FritzBox is connected to the SG300 with LAN1 (Home) and LAN4 (Guest). The SG300 is connected to the MikroTik via LAG.
The APs hang off ports 3/4/5 of the MT.

As I said, perhaps there are still one or two knobs to turn to make the system perform better.
I am aware that the VLAN 7 SSID on the APs allows access to the APs' management. But it is a home config.
Many thanks

Regards, Julian

Configuration of the Cisco SG300
config-file-header
SG300-20
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode router 

file SSD indicator plaintext
@
no cdp run 
spanning-tree priority 4096
vlan database
vlan 7,100,110,120,179 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
green-ethernet energy-detect
green-ethernet short-reach
disable ports leds
ip dhcp server 
ip dhcp pool network Licht
address low 192.168.110.100 high 192.168.110.200 255.255.255.0 
default-router 192.168.110.250
dns-server 192.168.7.1
exit
ip dhcp pool network Solar
address low 192.168.100.100 high 192.168.100.200 255.255.255.0 
default-router 192.168.100.250
dns-server 192.168.7.1
exit
ip dhcp pool network Cloud/TV
address low 192.168.120.100 high 192.168.120.200 255.255.255.0 
default-router 192.168.120.250
dns-server 192.168.7.1
exit
bonjour interface range gi14
bonjour interface range Po1
hostname SG300-20
username  password encrypted  privilege 15 
snmp-server location UG
clock timezone " " +1  
clock summer-time web recurring eu 
clock source sntp
sntp unicast client enable
sntp source-interface vlan 7 
!
interface vlan 1
 no ip address dhcp 
!
interface vlan 7
 name Home 
 ip address 192.168.7.250 255.255.255.0 
!
interface vlan 100
 name Solar 
 ip address 192.168.100.250 255.255.255.0 
!
interface vlan 110
 name Licht 
 ip address 192.168.110.250 255.255.255.0 
!
interface vlan 120
 name Cloud/TV 
 ip address 192.168.120.250 255.255.255.0 
!
interface vlan 179
 name Gast 
!
interface gigabitethernet1
 description HOME_Printer
 switchport mode access 
 switchport access vlan 7 
 switchport forbidden vlan add 179 
 switchport forbidden default-vlan 
!
interface gigabitethernet2
 no eee enable 
 speed 100 
 no negotiation 
 description HOME_Domovea
 switchport mode access 
 switchport access vlan 7 
 switchport forbidden vlan add 179 
 no eee lldp enable 
 green-ethernet short-reach 
 switchport forbidden default-vlan 
!
interface gigabitethernet3
 description HOME
 switchport mode access 
 switchport access vlan 7 
 switchport forbidden vlan add 179 
 switchport forbidden default-vlan 
!
interface gigabitethernet4
 description HOME
 switchport mode access 
 switchport access vlan 7 
 switchport forbidden vlan add 179 
 switchport forbidden default-vlan 
!
interface gigabitethernet5
 description HOME
 switchport mode access 
 switchport access vlan 7 
 switchport forbidden vlan add 179 
 switchport forbidden default-vlan 
!
interface gigabitethernet6
 description GAST
 switchport mode access 
 switchport access vlan 179 
 switchport forbidden vlan add 7,100,110,120 
 switchport forbidden default-vlan 
!
interface gigabitethernet7
 description GAST_Vodafone
 switchport mode access 
 switchport access vlan 179 
 switchport forbidden vlan add 7,100,110,120 
 switchport forbidden default-vlan 
!
interface gigabitethernet8
 description Schnüffler
 port monitor GigabitEthernet 6 
 port monitor GigabitEthernet 7 
 switchport mode general 
 switchport general pvid 4095 
!
interface gigabitethernet9
 no eee enable 
 speed 100 
 description SOLAR_SolarLog
 switchport mode access 
 switchport access vlan 100 
 switchport forbidden vlan add 179 
 no eee lldp enable 
 green-ethernet short-reach 
 switchport forbidden default-vlan 
!
interface gigabitethernet10
 speed 100 
 description "SOLAR_SMA TriPower"  
 ip dhcp snooping trust 
 switchport mode access 
 switchport access vlan 100 
 switchport forbidden vlan add 179 
 switchport forbidden default-vlan 
!
interface gigabitethernet11
 speed 100 
 description "LICHT_Philips HUE"  
 switchport mode access 
 switchport access vlan 110 
 switchport forbidden vlan add 179 
 switchport forbidden default-vlan 
!
interface gigabitethernet12
 description LICHT
 switchport mode access 
 switchport access vlan 110 
 switchport forbidden vlan add 179 
 switchport forbidden default-vlan 
!
interface gigabitethernet13
 description LICHT
 switchport mode access 
 switchport access vlan 110 
 switchport forbidden vlan add 179 
 switchport forbidden default-vlan 
!
interface gigabitethernet14
 no eee enable 
 description CloudTV_LG-TV
 switchport mode access 
 switchport access vlan 120 
 switchport forbidden vlan add 100,110,179 
 switchport access multicast-tv vlan 7 
 no eee lldp enable 
 switchport forbidden default-vlan 
!
interface gigabitethernet15
 description CloudTV_Cloud
 switchport mode access 
 switchport access vlan 120 
 switchport forbidden vlan add 7,100,110,179 
 switchport forbidden default-vlan 
!
interface gigabitethernet16
 description CloudTV
 switchport mode access 
 switchport access vlan 120 
 switchport forbidden vlan add 7,100,110,179 
 switchport forbidden default-vlan 
!
interface gigabitethernet17
 description LAG1_Mikrotik
 spanning-tree link-type point-to-point 
 channel-group 1 mode auto 
 macro description switch
 macro auto smartport type switch $native_vlan 1 
!
interface gigabitethernet18
 description LAG2_Mikrotik
 spanning-tree link-type point-to-point 
 channel-group 1 mode auto 
 macro description switch
 macro auto smartport type switch $native_vlan 1 
!
interface gigabitethernet19
 description Gast_IN
 switchport mode access 
 switchport access vlan 179 
 switchport forbidden vlan add 7,100,110,120 
 switchport forbidden default-vlan 
!
interface gigabitethernet20
 description Home_IN
 switchport mode access 
 switchport access vlan 7 
 switchport forbidden vlan add 179 
!
interface Port-channel1
 flowcontrol on 
 description LAG_MikroTik
 switchport trunk allowed vlan add 7,100,110,120,179 
 switchport protected-port 
!
exit
ip igmp snooping
ipv6 mld snooping
ip igmp snooping vlan 1 
ip igmp snooping vlan 1 immediate-leave 
ip igmp snooping vlan 7 
ip igmp snooping vlan 100 
ip igmp snooping vlan 110 
ip igmp snooping vlan 120 
ip igmp snooping vlan 179 
ip igmp snooping vlan 179 immediate-leave 
ip igmp snooping vlan 7 querier 
ip igmp snooping vlan 100 querier 
ip igmp snooping vlan 110 querier 
ip igmp snooping vlan 120 querier 
ip igmp snooping vlan 179 querier 
ip default-gateway 192.168.7.1 
ip ssh-client key rsa key-pair

Configuration of the MT hEX PoE
# jul/13/2021 20:27:56 by RouterOS 6.48.2
# software id = KTEN-V1WD
#
# model = 960PGS
# serial number = 78D207683F5E
/interface bridge
add admin-mac=7A:11:F2:9E:26:C8 auto-mac=no comment="VLAN Bridge" \  
    igmp-snooping=yes name=bridge_trunk vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Tagged LAG 1"  
set [ find default-name=ether2 ] comment="Tagged LAG 2"  
set [ find default-name=ether3 ] comment="Tagged AP_UG" poe-out=forced-on  
set [ find default-name=ether4 ] comment="Tagged AP_OG" poe-out=forced-on  
set [ find default-name=ether5 ] comment="Tagged AP_Out" poe-out=forced-on  
set [ find default-name=sfp1 ] comment=N/A
/interface vlan
add comment="Management IP" interface=bridge_trunk name=vlan7 vlan-id=7  
/interface bonding
add mode=active-backup name="Uplink LAG" slaves=ether1,ether2 \  
    transmit-hash-policy=layer-3-and-4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge_trunk comment="Management Vlan 7" frame-types=\  
    admit-only-vlan-tagged interface=vlan7 pvid=7
add bridge=bridge_trunk comment="Tagged AP Port_3" interface=ether3 pvid=7  
add bridge=bridge_trunk comment="Tagged AP Port_4" interface=ether4 pvid=7  
add bridge=bridge_trunk comment="Tagged AP Port_5" interface=ether5 pvid=7  
add bridge=bridge_trunk comment="Tagged Uplink LAG" interface="Uplink LAG"  
/interface bridge vlan
add bridge=bridge_trunk tagged="bridge_trunk,Uplink LAG,vlan7" vlan-ids=7  
add bridge=bridge_trunk tagged="bridge_trunk,Uplink LAG,ether3,ether4,ether5" \  
    vlan-ids=100
add bridge=bridge_trunk tagged="bridge_trunk,Uplink LAG,ether3,ether4,ether5" \  
    vlan-ids=110
add bridge=bridge_trunk tagged="bridge_trunk,Uplink LAG,ether3,ether4,ether5" \  
    vlan-ids=120
add bridge=bridge_trunk tagged="bridge_trunk,Uplink LAG,ether3,ether4,ether5" \  
    vlan-ids=179
/ip address
add address=192.168.7.252/24 interface=vlan7 network=192.168.7.0
/ip dns
set servers=192.168.7.1
/ip route
add distance=1 gateway=192.168.7.250
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MT_hEXPoE

Configuration of the APs (currently all identical except for the name / IP address and channel)
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap_ug
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
no ip cef
!
!
!
!
dot11 syslog
dot11 vlan-name CloudTV vlan 120
dot11 vlan-name Gast vlan 179
dot11 vlan-name Home vlan 7
dot11 vlan-name Licht vlan 110
dot11 vlan-name Solar vlan 100
dot11 vlan-name native vlan 1
!
dot11 ssid CloudTv
   vlan 120
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 
!
dot11 ssid Gast
   vlan 179
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 
!
dot11 ssid Home
   vlan 7
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 
!
dot11 ssid Licht
   vlan 110
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 
!
dot11 ssid Solar
   vlan 100
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 
!
!
dot11 guest
!
!
!
username Cisco password 7 05280F1C2243
username juli privilege 15 password 7 
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 100 mode ciphers aes-ccm 
 !
 ssid Solar
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 spanning-disabled
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption vlan 7 mode ciphers aes-ccm 
 !
 encryption vlan 179 mode ciphers aes-ccm 
 !
 encryption vlan 110 mode ciphers aes-ccm 
 !
 encryption vlan 120 mode ciphers aes-ccm 
 !
 ssid CloudTv
 !
 ssid Gast
 !
 ssid Home
 !
 ssid Licht
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 beamform ofdm
 mbssid
 channel width 40-above
 channel dfs
 station-role root
!
interface Dot11Radio1.7
 encapsulation dot1Q 7 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.110
 encapsulation dot1Q 110
 bridge-group 110
 bridge-group 110 subscriber-loop-control
 bridge-group 110 spanning-disabled
 bridge-group 110 block-unknown-source
 no bridge-group 110 source-learning
 no bridge-group 110 unicast-flooding
!
interface Dot11Radio1.120
 encapsulation dot1Q 120
 bridge-group 120
 bridge-group 120 subscriber-loop-control
 bridge-group 120 spanning-disabled
 bridge-group 120 block-unknown-source
 no bridge-group 120 source-learning
 no bridge-group 120 unicast-flooding
!
interface Dot11Radio1.179
 encapsulation dot1Q 179
 bridge-group 179
 bridge-group 179 subscriber-loop-control
 bridge-group 179 spanning-disabled
 bridge-group 179 block-unknown-source
 no bridge-group 179 source-learning
 no bridge-group 179 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
 bridge-group 100 spanning-disabled
 no bridge-group 100 source-learning
!
interface GigabitEthernet0.110
 encapsulation dot1Q 110
 bridge-group 110
 bridge-group 110 spanning-disabled
 no bridge-group 110 source-learning
!
interface GigabitEthernet0.120
 encapsulation dot1Q 120
 bridge-group 120
 bridge-group 120 spanning-disabled
 no bridge-group 120 source-learning
!
interface GigabitEthernet0.179
 encapsulation dot1Q 179
 bridge-group 179
 bridge-group 179 spanning-disabled
 no bridge-group 179 source-learning
!
interface BVI1
 ip address 192.168.7.245 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip default-gateway 192.168.7.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
snmp-server community XXXX RO
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
sntp server 192.168.7.1
sntp broadcast client
end

Content-Key: 994843969

Url: https://administrator.de/contentid/994843969

Member: aqui
Solution aqui Jul 14, 2021 at 08:17:46 (UTC)
If you can live with having made your management VLAN reachable over a WLAN, everything is exemplary and correct! 👍
It would indeed be safer if you made the mgmt VLAN reachable only over copper. But how secure or insecure your network is, as always, ultimately your own decision.
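The exposure both posts turn on (the Home SSID is bridged into the same VLAN 7 that carries the APs' BVI1 management address, and the posted AP config also serves HTTP without HTTPS, allows telnet on the vty lines and uses an SNMP v1/v2c community) can be checked mechanically instead of by eye. The following Python script is an added example, not code from the original thread or from Cisco; it parses a constructed, trimmed copy of the posted AP configuration (same SSID-to-VLAN mapping, same BVI1 address, same management services) and reports which SSIDs land on the management VLAN and which cleartext management services are enabled. The parser covers only the handful of IOS autonomous-AP commands it needs and assumes the usual layout (top-level commands in column 0, block sub-commands indented); it is not a general IOS parser.

```python
from dataclasses import dataclass, field

# Constructed sample: trimmed copy of the posted AP config (same SSID/VLAN map, mgmt services).
SAMPLE_AP_CONFIG = """\
dot11 ssid CloudTv
   vlan 120
dot11 ssid Gast
   vlan 179
dot11 ssid Home
   vlan 7
interface Dot11Radio1.7
 encapsulation dot1Q 7 native
 bridge-group 1
 bridge-group 1 spanning-disabled
interface GigabitEthernet0.120
 encapsulation dot1Q 120
 bridge-group 120
interface BVI1
 ip address 192.168.7.245 255.255.255.0
ip http server
no ip http secure-server
snmp-server community XXXX RO
line vty 0 4
 transport input all
"""

@dataclass
class ApConfig:
    ssid_vlan: dict = field(default_factory=dict)     # SSID name -> VLAN id
    subif_vlan: dict = field(default_factory=dict)    # subinterface -> dot1Q VLAN id
    subif_bridge: dict = field(default_factory=dict)  # subinterface -> bridge-group
    bvi_number: int = 0                               # the n in "interface BVIn" (0 = none)
    bvi_ip: str = ""
    http_server: bool = False
    https_server: bool = False
    vty_transports: set = field(default_factory=set)  # words after "transport input"
    snmp_communities: list = field(default_factory=list)

def parse_ap_config(text: str) -> ApConfig:
    """Parse just the IOS AP commands the audit needs; blocks start in column 0 (assumed)."""
    cfg = ApConfig()
    block = (None, None)  # ("ssid", name) | ("intf", name) | ("vty", None)
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if not line.startswith(" "):  # top-level command, ends any open block
            block = (None, None)
            if words[:2] == ["dot11", "ssid"]:
                block = ("ssid", words[2])
            elif words[0] == "interface":
                block = ("intf", words[1])
                if words[1].startswith("BVI"):
                    cfg.bvi_number = int(words[1][3:])
            elif words[:2] == ["line", "vty"]:
                block = ("vty", None)
            elif words == ["ip", "http", "server"]:
                cfg.http_server = True
            elif words[-3:] == ["ip", "http", "secure-server"]:
                cfg.https_server = words[0] != "no"
            elif words[:2] == ["snmp-server", "community"]:
                cfg.snmp_communities.append((words[2], words[3] if len(words) > 3 else "RO"))
            continue
        kind, name = block
        if kind == "ssid" and words[0] == "vlan":
            cfg.ssid_vlan[name] = int(words[1])
        elif kind == "intf" and words[:2] == ["encapsulation", "dot1Q"]:
            cfg.subif_vlan[name] = int(words[2])
        elif kind == "intf" and words[0] == "bridge-group" and len(words) == 2:
            cfg.subif_bridge[name] = int(words[1])  # plain "bridge-group N" only
        elif kind == "intf" and words[:2] == ["ip", "address"] and name.startswith("BVI"):
            cfg.bvi_ip = words[2]
        elif kind == "vty" and words[:2] == ["transport", "input"]:
            cfg.vty_transports.update(words[2:])
    return cfg

def management_vlans(cfg: ApConfig) -> set:
    """VLANs bridged into the BVI: every dot1Q subinterface in the BVI's bridge-group."""
    return {cfg.subif_vlan[i] for i, bg in cfg.subif_bridge.items()
            if bg == cfg.bvi_number and i in cfg.subif_vlan}

def ssids_on_management_vlan(cfg: ApConfig) -> list:
    return sorted(s for s, v in cfg.ssid_vlan.items() if v in management_vlans(cfg))

def audit(cfg: ApConfig) -> list:
    """(severity, message) findings about management-plane exposure of the AP."""
    findings = []
    for ssid in ssids_on_management_vlan(cfg):
        findings.append(("HIGH", f"SSID '{ssid}' bridges wireless clients into management "
                                 f"VLAN {cfg.ssid_vlan[ssid]} (BVI{cfg.bvi_number} {cfg.bvi_ip})"))
    if cfg.http_server and not cfg.https_server:
        findings.append(("MEDIUM", "HTTP management without HTTPS: logins cross the LAN in cleartext"))
    if cfg.vty_transports & {"all", "telnet"}:
        findings.append(("MEDIUM", "vty lines accept telnet; use 'transport input ssh'"))
    for community, mode in cfg.snmp_communities:
        findings.append(("LOW", f"SNMPv1/v2c community '{community}' ({mode}) is sent unencrypted"))
    return findings

if __name__ == "__main__":
    print(*(f"[{s}] {m}" for s, m in audit(parse_ap_config(SAMPLE_AP_CONFIG))), sep="\n")
```

Run as-is it produces four findings for the posted configuration. The HIGH one is the point aqui's answer makes: every client holding the Home PSK sits on the same L2 segment as the management addresses of the APs (192.168.7.245), the MikroTik (192.168.7.252) and the SG300 (192.168.7.250). The remaining findings are plain configuration changes rather than anything the script can do for you: `transport input ssh` on the vty lines, `ip http secure-server` with `no ip http server`, and either SNMPv3 or no SNMP at all.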