
General information

An example of a fault-tolerant connection scheme for ESRs operating in wireless-controller mode is shown in Fig. 1:

...

Traffic is processed by the ESR VRRP MASTER. If it fails, VRRP mastery is taken over by the ESR VRRP BACKUP. Redundancy of the last-mile router (the NAT router in Fig. 1) is not covered in this paper; it can be achieved in the same way with VRRP or with a different connection scheme (see Configuring ESR in wireless-controller mode with last-mile router redundancy).

When link aggregation is used on the ESR, sub-interfaces cannot be created on the port-channel interface.

Connection scheme

The connection scheme is described using the example addressing shown in Table 1.

...

Important! If "vrrp preempt disable" is not used, set "vrrp preempt delay <time in seconds>" to at least 180 seconds in the VRRP configuration of every interface. This prevents the higher-priority router from seizing mastery immediately after it boots. Otherwise the router that takes over VRRP mastery right after booting will not have had time to synchronize the state of the AP tunnels, and the tunnels will be re-established when the APs' GRE keepalive mechanism fires.

ESR configuration

The ESR configuration is described using the scheme shown in Fig. 3. The wireless controller uses the SoftGRE dynamic tunnel configuration profile. Note that a license is required for the wireless-controller functionality (see Configuring ESR by connecting AP via L3 access network (WiFi L3 diagram)).

...

ESR VRRP BACKUP:

#!/usr/bin/clish
#18
#1.11.4
hostname esr-backup

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit

object-group network MGMT
  ip prefix 192.168.200.16/28
  ip prefix 10.255.252.0/23
exit
object-group network SoftWLC
  ip address-range 100.123.0.2
exit

radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 2
  source-address 100.123.0.175
  auth-port 31812
  acct-port 31813
  retransmit 3
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

vlan 3,10-11,2300-2301,2308
exit

no spanning-tree

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone user
exit


bridge 1
  vlan 2308
  security-zone gre
  ip address 192.168.200.20/28
  vrrp id 1
  vrrp ip 192.168.200.17/32
  vrrp ip 192.168.200.18/32 secondary
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  enable
exit
bridge 3
  vlan 3
  unknown-unicast-forwarding disable
  security-zone trusted
  ip address 10.255.252.3/23
  ip helper-address 100.123.0.2
  vrrp id 3
  vrrp ip 10.255.252.1/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 4
  vlan 2300
  security-zone trusted
  ip address 100.123.0.175/24
  vrrp id 23
  vrrp ip 100.123.0.174/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  enable
exit
bridge 5
  vlan 2301
  security-zone untrusted
  ip address 172.16.0.3/28
  vrrp id 5
  vrrp ip 172.16.0.4/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  enable
exit
bridge 10
  vlan 10
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.148.3/22
  vrrp id 10
  vrrp ip 198.18.148.1/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data10
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 11
  vlan 11
  unknown-unicast-forwarding disable
  security-zone user
  ip firewall disable
  ip address 198.18.152.3/22
  ip helper-address 100.123.0.2
  vrrp id 11
  vrrp ip 198.18.152.1/32
  vrrp priority 100
  vrrp group 1
  vrrp preempt disable
  vrrp
  ip tcp adjust-mss 1400
  location data11
  protected-ports radius
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit

interface port-channel 1
  mode switchport
  switchport forbidden default-vlan
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 3,10-11,2300-2301,2308 tagged
exit
interface gigabitethernet 1/0/1
  mode switchport
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/2
  mode switchport
  channel-group 1 mode auto
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.17
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.18
  default-profile
  enable
exit

security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol icmp
    enable
  exit
  rule 3
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit


ip dhcp-relay

ip route 192.168.240.0/23 192.168.200.21
ip route 0.0.0.0/0 172.16.0.1

wireless-controller
  peer-address 100.123.0.173
  nas-ip-address 100.123.0.175
  vrrp-group 1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server
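To check what this zone-pair policy actually lets through, here is an added example (not code from the page or from the ESR firmware): a small Python model that transcribes the object-groups and zone-pair rules of the esr-backup configuration above and evaluates constructed flows against them. It assumes first-match semantics with an implicit deny when no rule or no zone-pair matches, and it is stateless, so reply traffic that the real stateful engine would pass is not modelled; the source addresses 10.255.252.10, 198.18.148.50 and 203.0.113.7 are constructed test values. Two things worth noticing in the output: rule 1 of "trusted self" admits every protocol from the MGMT networks to the router itself, including the telnet server enabled at the end of the configuration (prefer SSH only), and "untrusted self" accepts VRRP from any source on the untrusted side, so VRRP (IP protocol 112) should be filtered upstream if that segment is not fully under your control. Bridges 10 and 11 also carry "ip firewall disable", so confirm on the device whether the user-zone pairs apply to that traffic at all.

```python
"""Offline model of the zone-pair firewall policy from the esr-backup configuration.

Added example, not code from the page or the ESR firmware. Assumed semantics:
rules are evaluated in configured order, the first match decides, and traffic
with no matching rule or no zone-pair at all is denied. Stateless (no reply
traffic handling).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# object-group network / object-group service, transcribed from the configuration
NETWORK_GROUPS = {
    "MGMT": ["192.168.200.16/28", "10.255.252.0/23"],
    "SoftWLC": ["100.123.0.2/32"],
}
SERVICE_GROUPS = {"dhcp_server": [(67, 67)], "dhcp_client": [(68, 68)]}


@dataclass(frozen=True)
class Rule:
    action: str
    protocol: Optional[str] = None     # match protocol <name>
    src_group: Optional[str] = None    # match source-address <object-group network>
    src_ports: Optional[str] = None    # match source-port <object-group service>
    dst_ports: Optional[str] = None    # match destination-port <object-group service>


DHCP_IN = Rule("permit", protocol="udp", src_ports="dhcp_client", dst_ports="dhcp_server")

# security zone-pair <from> <to>, rules in configured order
ZONE_PAIRS: Dict[Tuple[str, str], List[Rule]] = {
    ("gre", "self"): [Rule("permit", protocol="gre"), Rule("permit", protocol="icmp"),
                      Rule("permit", protocol="vrrp")],
    ("trusted", "self"): [Rule("permit", src_group="MGMT"), Rule("permit", protocol="vrrp")],
    ("trusted", "trusted"): [Rule("permit", src_group="MGMT")],
    ("trusted", "user"): [Rule("permit")],
    ("trusted", "gre"): [Rule("permit")],
    ("user", "self"): [DHCP_IN, Rule("permit", protocol="vrrp")],
    ("user", "trusted"): [DHCP_IN],
    ("user", "untrusted"): [Rule("permit")],
    ("untrusted", "self"): [Rule("permit", protocol="vrrp")],
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    protocol: str                      # "tcp", "udp", "icmp", "gre", "vrrp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def ip_in_group(ip: str, group: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in NETWORK_GROUPS[group])


def port_in_group(port: Optional[int], group: str) -> bool:
    return port is not None and any(lo <= port <= hi for lo, hi in SERVICE_GROUPS[group])


def rule_matches(rule: Rule, flow: Flow) -> bool:
    # Every configured match clause must hold; an absent clause matches anything.
    return ((rule.protocol is None or rule.protocol == flow.protocol)
            and (rule.src_group is None or ip_in_group(flow.src_ip, rule.src_group))
            and (rule.src_ports is None or port_in_group(flow.src_port, rule.src_ports))
            and (rule.dst_ports is None or port_in_group(flow.dst_port, rule.dst_ports)))


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for the flow; the first matching rule decides."""
    rules = ZONE_PAIRS.get((flow.src_zone, flow.dst_zone))
    if rules is None:
        return "deny", f"no zone-pair {flow.src_zone}->{flow.dst_zone}"
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, flow):
            return rule.action, f"{flow.src_zone}->{flow.dst_zone} rule {number}"
    return "deny", f"implicit deny at end of {flow.src_zone}->{flow.dst_zone}"


# Constructed flows worth checking on this design (client addresses are test values).
SAMPLE_FLOWS = [
    Flow("trusted", "self", "10.255.252.10", "tcp", 51000, 23),     # telnet from MGMT to the ESR
    Flow("user", "self", "198.18.148.50", "tcp", 51000, 22),        # ssh from a WiFi client to the ESR
    Flow("user", "self", "198.18.148.50", "udp", 68, 67),           # DHCP request hitting the relay
    Flow("user", "trusted", "198.18.148.50", "tcp", 51000, 80),     # WiFi client into the SoftWLC network
    Flow("user", "untrusted", "198.18.148.50", "tcp", 51000, 443),  # WiFi client to the Internet
    Flow("untrusted", "self", "203.0.113.7", "tcp", 51000, 22),     # ssh from the Internet
    Flow("untrusted", "self", "203.0.113.7", "vrrp"),               # VRRP from the untrusted side
    Flow("untrusted", "user", "203.0.113.7", "tcp", 443, 51000),    # unsolicited inbound to a client
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        action, reason = evaluate(flow)
        print(f"{action:6} {flow.src_zone}->{flow.dst_zone} {flow.protocol} "
              f"{flow.src_ip} -> :{flow.dst_port}  ({reason})")
```

Running the block prints one verdict per sample flow; add your own Flow entries to test changes to the policy before pushing them to the device.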


Adding an ESR to the EMS tree

Both ESRs should be added to the EMS tree using their real interface addresses, 100.123.0.173 and 100.123.0.175 respectively. The VRRP address 100.123.0.174 is used only as the gateway for routes to the AP management and WiFi user subnets; it does not appear anywhere in the EMS.

To add ESR-VRRP-MASTER, open EMS, select the node under which the ESR is to be added and click the "+" button at the top left of the node tree:


Fig. 4.

In the window that opens, fill in the fields:

...

Then select the added ESR (if it does not appear in the tree, click the button above the tree) and open the "Access" tab on the right:


Fig. 5.

In the window that opens, edit the fields:

...

Change the RADIUS key that will be used for interaction with the ESR. In the EMS menu open "RADIUS" → "Access Point Management", select the previously added ESR (if there are many devices, filter by ESR IP address) and click the "Edit" button:


Fig. 6.

In the window that opens, enter in the "Key" field the key configured on the ESR ("testing123" in this example) and click "Accept". This is the shared secret that authenticates the RADIUS and CoA (DAS) exchanges between SoftWLC and the ESR, and the configuration above uses the same key for both the radius-server and the das-server; replace the well-known example value with a strong, unique secret in production and change it in both places.

Add ESR-VRRP-BACKUP in the same way, using its real address 100.123.0.175.

Possible network failure scenarios

Below we consider how user traffic flows during normal operation and in various failure scenarios.

Normal operation

Figure 7 shows the operational state of the network.

...

WiFi user traffic from the SSID is encapsulated in GRE by the AP and routed to the ESR VRRP MASTER (the ESR in the VRRP MASTER state), where it is decapsulated and then routed to the Internet. The ESR VRRP BACKUP does not take part in traffic processing.

Failure of one of the stack switches

Figure 8 shows the failure of one of the stack switches to which the ESR VRRP MASTER and BACKUP are connected:

...

In this situation one of the physical interfaces (gi1/0/1 or gi1/0/2) belonging to the port-channel goes down on both ESRs. Since the remaining port-channel member interfaces, connected to the other stack switch, stay up, the scheme remains fully functional and the traffic flow does not change compared to the state before the failure.

Failure of an ESR in the VRRP master state

Figure 9 shows the failure of an ESR in the VRRP MASTER state:

...

In this situation the ESR VRRP BACKUP, on detecting the absence of VRRP advertisements, switches to the VRRP MASTER state and starts processing traffic exactly as the ESR VRRP MASTER did before.

Recovery of an ESR with a higher VRRP priority after a failure

Figure 10 depicts a situation where the ESR VRRP MASTER has returned to operation after a failure:

...

After the ESR VRRP MASTER is brought back online and has booted, it receives VRRP advertisements from the ESR VRRP BACKUP, which is now in the VRRP master state. Because "vrrp preempt disable" is set on the VRRP interfaces, the returning ESR stays in the VRRP backup state and does not attempt to take over mastery. Traffic continues to flow through the ESR VRRP BACKUP.

Appendix

The switches to which the ESR connects may run different versions of the spanning-tree protocol family. In that case the switch ports the ESR is plugged into may not go to the "forwarding" state immediately after the ESR boots, so traffic does not pass at once. Meanwhile the ESR, receiving no VRRP advertisements, has time to switch to the VRRP MASTER state, so once the ports start forwarding the ESR with the higher VRRP priority seizes mastery from the current master. There are two ways to avoid this:

...
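As an added example (not code from the page or from the ESR firmware), the following Python simulation reproduces the three behaviours described on this page: the orderly takeover by the backup when the master fails, the returning higher-priority router staying in backup under "vrrp preempt disable" (or waiting out "vrrp preempt delay"), and the appendix case where a switch port still blocked by spanning tree hides the backup's advertisements from the rebooted router, which then elects itself master and later wins the dual-master contest on priority regardless of the preempt setting. Timer rules follow RFC 5798 (Master_Down_Interval = 3 × advertisement interval + skew time); the priorities 150/100, the event times and the blocked-port duration are constructed values, and the vendor's exact implementation of preempt delay may differ.

```python
"""Discrete-time simulation of the VRRP election behaviour discussed on this page.

Added example, not code from the page or the ESR firmware. Two routers share one
VRRP group; timers follow RFC 5798 (Master_Down_Interval = 3 * advertisement
interval + skew time). 'preempt=False' models "vrrp preempt disable",
'preempt_delay' models "vrrp preempt delay <seconds>", and 'isolated_until'
models a switch port that is still not forwarding after the router boots.
All priorities and event times are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ADVERT_INTERVAL = 1.0  # seconds, the VRRP default advertisement interval
TICK = 0.1             # simulation step in seconds; timers are kept in whole ticks


@dataclass
class VrrpRouter:
    name: str
    priority: int
    preempt: bool = True            # False == "vrrp preempt disable"
    preempt_delay: float = 0.0      # "vrrp preempt delay <seconds>"
    up: bool = False
    state: str = "INIT"
    master_down_ticks: int = 0
    preempt_ticks: Optional[int] = None
    isolated_until: float = 0.0     # no adverts in or out before this time (blocked port)
    master_since: Optional[float] = None

    def master_down_interval(self) -> int:
        # RFC 5798: 3 * Master_Adver_Interval + Skew_Time; a higher priority waits less,
        # so the best router wins the initial election.
        skew = (256 - self.priority) * ADVERT_INTERVAL / 256
        return int(round((3 * ADVERT_INTERVAL + skew) / TICK))

    def boot(self) -> None:
        # A router with priority < 255 always starts in BACKUP and arms the down timer.
        self.up, self.state = True, "BACKUP"
        self.master_down_ticks, self.preempt_ticks = self.master_down_interval(), None

    def fail(self) -> None:
        self.up, self.state, self.master_since = False, "INIT", None

    def receive_advert(self, sender_priority: int) -> None:
        if not self.up:
            return
        if self.state == "MASTER" and sender_priority > self.priority:
            # A MASTER that hears a better MASTER yields, whatever the preempt setting.
            self.state, self.master_since = "BACKUP", None
            self.master_down_ticks, self.preempt_ticks = self.master_down_interval(), None
        elif self.state == "BACKUP":
            self.master_down_ticks = self.master_down_interval()
            if self.preempt and sender_priority < self.priority:
                # We outrank the current MASTER: take over, but only after the delay.
                if self.preempt_ticks is None:
                    self.preempt_ticks = int(round(self.preempt_delay / TICK))
            else:
                self.preempt_ticks = None  # preempt disabled or MASTER outranks us: stay BACKUP

    def tick(self, now: float) -> bool:
        """Advance one tick; return True if this router has just become MASTER."""
        if not self.up or self.state != "BACKUP":
            return False
        if self.master_down_ticks <= 0 or (self.preempt_ticks is not None and self.preempt_ticks <= 0):
            self.state, self.master_since, self.preempt_ticks = "MASTER", now, None
            return True
        self.master_down_ticks -= 1
        if self.preempt_ticks is not None:
            self.preempt_ticks -= 1
        return False


def run_scenario(preempt: bool, preempt_delay: float = 0.0, stp_block: float = 0.0,
                 horizon: float = 420.0) -> Dict[str, object]:
    """Constructed scenario: a priority-150 master and a priority-100 backup boot at t=0,
    the master fails at t=60 s and reboots at t=120 s; 'stp_block' is how long its switch
    port stays non-forwarding after the reboot. Returns who is MASTER at checkpoints."""
    a = VrrpRouter("esr-master", 150, preempt, preempt_delay)
    b = VrrpRouter("esr-backup", 100, preempt, preempt_delay)
    routers = [a, b]

    def reboot_a() -> None:
        a.boot()
        a.isolated_until = 120.0 + stp_block

    def broadcast(sender: VrrpRouter, now: float) -> None:
        if sender.isolated_until > now:
            return
        for r in routers:
            if r is not sender and r.isolated_until <= now:
                r.receive_advert(sender.priority)

    events = {0.0: [a.boot, b.boot], 60.0: [a.fail], 120.0: [reboot_a]}
    checkpoints = (10.0, 70.0, 130.0, 250.0, 400.0)
    masters_at: Dict[float, List[str]] = {}
    adverts_every = int(round(ADVERT_INTERVAL / TICK))
    for step in range(int(round(horizon / TICK)) + 1):
        now = round(step * TICK, 3)
        for event in events.get(now, []):
            event()
        if step % adverts_every == 0:            # every MASTER advertises periodically
            for r in routers:
                if r.up and r.state == "MASTER":
                    broadcast(r, now)
        for r in routers:
            if r.tick(now):
                broadcast(r, now)                # a newly elected MASTER advertises at once
        if now in checkpoints:
            masters_at[now] = [r.name for r in routers if r.state == "MASTER"]
    return {"masters_at": masters_at, "master_regained_at": a.master_since}


if __name__ == "__main__":
    for label, kwargs in [("preempt disable", dict(preempt=False)),
                          ("preempt delay 180", dict(preempt=True, preempt_delay=180)),
                          ("preempt, no delay", dict(preempt=True)),
                          ("preempt disable, port blocked 30 s", dict(preempt=False, stp_block=30))]:
        print(f"{label}: {run_scenario(**kwargs)}")
```

The fourth scenario is the appendix case: with the port blocked for 30 s after the reboot, the returning router elects itself master at about t=123.4 s while the backup is still master, and at t=150 s the higher priority wins even though preempt is disabled, which is exactly why the page recommends keeping the port from blocking or delaying VRRP until forwarding starts.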