
General description

An example of implementing a fault-tolerant network with ESR redundancy and last-mile PE router redundancy is shown in Fig. 1. Access points installed at the client site are connected to PoE switches, which forward the traffic up to the L3 switches/routers in the operator's access network.

...


Fig. 1 Use case.

Modes of GRE tunnel creation for AP in Wireless-Controller

In the L3 scheme, when an AP raises two GRE tunnels (mgmt and data) using the data obtained from DHCP option 43, the ESR side also needs to raise the tunnels for the APs. To avoid setting up tunnels manually for each AP, ESR implements a mode of operation that performs this procedure automatically. The wireless-controller is responsible for this functionality. To get access to the wireless-controller settings you need to install the "WIFI - Wi-Fi controller" license on the ESR. This functionality automates the management of the tunnels raised on the ESR towards the APs: it is enough to configure the default profiles for tunnel raising and the wireless-controller once, in accordance with the pre-selected addressing plan and VLANs. The GRE tunnels created automatically on the ESR are further referred to as "SoftGRE".

...

Warning

WiFi license is required to access the wireless-controller ESR functionality. You can check if you have a WiFi license by using the show license command:

esr-1000# show licence 
Licence information
-------------------
Name:    eltex
Version: 1.0
Type:    ESR-1000
S/N:     NP00000033
MAC:     A8:F9:4B:AB:B3:80
Features:
 WIFI - Wi-Fi controller


Algorithm of creating tunnels on ESR with local configuration profile of SoftGRE tunnel

This mode requires a configured customized local profile on ESR:

...

The advantage of this method is the simplicity of the ESR configuration and the simple logic of tunnel raising, which does not depend on SoftWLC settings. The disadvantage is that for each connecting AP, all data sub-tunnels specified in the profile settings are raised, even if no traffic is transferred from the AP side. This leads to uneconomical consumption of sub-tunnel capacity on the ESR.

Algorithm of creating tunnels on ESR with dynamic configuration profile of SoftGRE tunnel

In this mode, data tunnels for APs on the ESR side are raised by commands from ELTEX-PCRF (hereinafter referred to as PCRF), which receives the necessary information from the SoftWLC complex database depending on the SSID settings, their bindings and the AP position in the object tree. Message exchange is performed via the RADIUS protocol; UDP ports 3799, 31812 and 31813 are used (with the PCRF default settings). Access to the server with ELTEX-PCRF is required for correct operation. Below is an example of the minimum required settings:

...

All the scenarios of data tunnel creation are discussed in detail below.

ESR-initiated data tunnel creation:

In these scenarios, the initiator of the interaction with PCRF is the ESR to which the AP is connected; it needs to obtain all the data to build the data tunnel and its sub-tunnels. It sends a RADIUS request of type ip-shaper to PCRF, which contains the tunnel address of the AP and the NAS-IP of the ESR. PCRF then searches for the AP by tunnel IP, determines its domain and searches for SSID bindings to this domain and the domains above it in the tree (the search goes upwards from the AP until the ESR to which this AP is connected is found), after which it generates a response containing the parameters:

...

The "vlan:id" parameter is required, because without it a data sub-tunnel with the corresponding sub-interface number cannot be formed.

Scenario 1 - AP is not initialized and is in the sandbox or connecting for the first time

AP is not initialized and is in the sandbox or connecting for the first time - this situation usually occurs for newly connected APs or if the AP has been removed from the EMS tree.

...

Step 4: The data tunnel for the AP will not be raised on the ESR.
As the logic shows, in this case the data tunnel for the AP is not formed on the ESR. No information about this is sent to EMS.

Scenario 2 - AP is initialized and is in the domain tree in EMS, SSID settings and bindings to the domain are correct

AP is initialized and is in the domain tree in EMS, SSID settings and bindings to the domain are correct - this situation corresponds to normal operation of AP after it was initialized earlier and its reconnection occurs after communication is restored or tunnels are destroyed on ESR.

...

Step 4: The data tunnel for the AP will be raised on the ESR.
As the logic shows, in this case the data tunnel and sub-tunnels for the AP are formed on the ESR. No information about this is sent to EMS.

Scenario 3 - AP builds tunnels on ESR, is initialized and in the EMS tree, SSID parameters contain incorrect settings.

AP is initialized and in the EMS tree, SSID parameters contain incorrect settings.

...

Note

Starting from ESR software version 1.11.0, if the response to the ip-shaper request contains parameters for raising several data sub-tunnels, then in case of an error in the "Bridge Location" setting only that sub-tunnel will not be formed. On earlier versions, in case of an error none of the data sub-tunnels will be formed.

EMS-initiated data tunnel creation:

Since with ESR-initiated creation of a data tunnel the tunnel may not always be formed (e.g. for a newly connected AP), there are scenarios in which the command to create a data tunnel on the ESR is initiated by EMS. This occurs in the following cases:

...

Warning

When the data-tunnel create command is executed from EMS, the availability of the AP is always checked first by SNMP ping; then its tunnel address is read from the AP by an SNMP command and changed if it does not match. If the AP has not responded to the SNMP ping, no further actions are performed and the following message appears in the task log in EMS:

FATAL System error of SNMP request processing: TIMEOUT/Timeout: 300 ms

If no ESR is found when searching for the ESR to which the data-tunnel create command should be sent, the command is not executed. This is not considered an error, because an ESR with a local SoftGRE tunnel configuration profile may be in use.

Scenario 4 - The data-tunnel create command from EMS is executed, an AP with the specified tunnel address is not found on the ESR.

Fig. 7 shows the algorithm of actions when the data-tunnel create command is executed on the initiative of EMS and, when the command is processed on the ESR, the AP with the specified tunnel address is not found.

...

Send 'data-tunnel create' command to ESR NAS ip <IP address of ESR>
- 'Data-tunnel create' command error (ESR: <name of ESR>): Data tunnel for AP <Tunnel IP AP> is not formed on <IP address of ESR>

Scenario 5 - The data-tunnel create command from EMS is executed, an AP with the specified tunnel address is found on the ESR.

Fig. 8 shows a diagram of the logic when the AP with the specified tunnel address is found on the ESR and the SSID settings and bindings in EMS are correct.

...

Send 'data-tunnel create'command to ESR NAS ip <IP address of ESR>
- Data tunnel for AP <Tunnel IP AP> is formed <IP address of ESR>

Scenario 6 - AP is in the EMS tree, SSID parameters contain incorrect settings.

Fig. 9 shows a diagram of the logic when the AP with the specified tunnel address is found on the ESR but the SSID settings in EMS are incorrect. What counts as incorrect settings is defined in the description of Scenario 3.

...

Send'data-tunnel create' command to ESR NAS ip <IP address of ESR>
-'Data-tunnel create' command error (ESR: <name of ESR>): Error creating an interface to AP <Tunnel IP AP> to <IP address of ESR>

Scenario 7 - ESR that receives the data-tunnel create command is in the VRRP BACKUP state

In a VRRP redundancy scheme, two ESRs are used: a primary and a backup ESR. One of them is always in the VRRP BACKUP state. The diagram for such an ESR is shown in Fig. 10.

...

Such a message is not an error. 

CoA commands of PCRF domain update and update location

In addition to AP operations, EMS may perform operations on SSIDs that may require reconfiguration of data tunnels. This applies when changing SSID settings that may affect the configuration of data tunnels on the ESR, namely:

...

Whether this command succeeds or fails, no information about it appears in EMS.

Adding ESR to EMS

As follows from the mechanism of raising data tunnels by PCRF commands, the ESR must be added to the EMS object tree. It is recommended to place the ESR in the object tree in such a way that all APs connecting to it are located in nodes whose domains form branches from the domain of its location. To add an ESR, select the required object in the object tree and press the "+" (Add) button:

Fig. 11.

In the window (Fig. 11), type:

...

Then go to "RADIUS" → "AP management", enter the ESR management address in the "Filter" field to find it, and correct the RADIUS key to the one used in the ESR configuration (in the current example it is "testing123"):


Fig. 12.

Push "Accept".

...

Note

When adding an ESR-100/200, the "ESR mode" field in the "Access" window will be "StationCE".

In this case it is necessary to change the field value to "Station", otherwise such an ESR will not be used to build data tunnels for APs.

ESR configuration

General description of the principles and steps of configuration

Next we will consider ESR configuration in L3 wireless-controller mode, in the mode of raising data tunnels by PCRF commands, with redundancy using VRRP and redundancy of the last-mile router to which the ESR is connected. The configuration is discussed using an example with real addressing. It is assumed that the SoftWLC complex is already installed and configured.

...

  1. Identify subnets, addresses and AS private number to be used in the configuration (an example of required addresses is given in Table 1 below).
  2. Configure the equipment to be paired with ESR.
  3. Configure the ESR; it is recommended to disable the firewall on all L3 interfaces of the ESR for easy debugging.
  4. Configure SoftWLC complex for interaction with ESR.
  5. Configure and enable the firewall on ESR.
  6. Check the scheme operability and redundancy operation.

Addressing description

Select the addresses to be configured according to Table 1, where ESR 1 is the primary router and ESR 2 is the backup router.

...

With this connection scheme, asymmetric traffic flow is possible, which is undesirable. A detailed description of the causes of this phenomenon and the settings required to prevent it is given in the section "Preventing traffic passing through the jumper in VRRP+BGP redundancy scheme". It is recommended to read it after studying this manual, "Configuring ESR in wireless-controller mode with last-mile router redundancy".

ESR configuration

Perform the necessary initial settings. These settings are performed using the console connection.

...

Configuration of SNMP ESR 1 Alfa / ESR 2 Beta

snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro 
snmp-server community "private1" rw 

snmp-server host 100.123.0.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog


ESR firewall configuration

In the configuration above, the firewall is disabled on all IP interfaces. This is done to simplify diagnostics during the initial configuration of the equipment. Fig. 14 shows the scheme of assigning security zones to the interfaces (the zones themselves were assigned above, when configuring the interfaces).

...

After configuring the firewall, be sure to enable it again, using the no ip firewall disable command, on all interfaces on which it was previously disabled.
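The following added example (written for this page, not code from the manual or the ESR product) parses zone-pair blocks written in the CLI syntax of the appendix and reports, for review, the rules that permit traffic without any match condition and what each zone is allowed to send to the ESR itself ("self"). The excerpt in SAMPLE_CONFIG is constructed in that syntax; zone and object-group names mirror the page.

```python
"""Audit of ESR firewall zone-pair rules (added example, not Eltex code): parse
'security zone-pair SRC DST' blocks in the appendix syntax, report permit-any
rules and what each zone may send to the ESR itself."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Rule:
    number: int
    action: str | None = None                   # "permit" or "deny"
    matches: list[str] = field(default_factory=list)
    enabled: bool = False                       # a rule without 'enable' is inactive

@dataclass
class ZonePair:
    src: str
    dst: str
    rules: list[Rule] = field(default_factory=list)

def parse_zone_pairs(config: str) -> list[ZonePair]:
    """Collect zone-pair blocks; config lines outside them are ignored."""
    pairs: list[ZonePair] = []
    pair = rule = None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["security", "zone-pair"] and len(words) == 4:
            pair, rule = ZonePair(words[2], words[3]), None
            pairs.append(pair)
        elif not words or pair is None:
            continue                                # blank line or outside a block
        elif words[0] == "rule" and len(words) == 2 and words[1].isdigit():
            rule = Rule(int(words[1]))
            pair.rules.append(rule)
        elif words[0] == "exit":
            if rule is not None:
                rule = None                         # 'exit' closes the rule ...
            else:
                pair = None                         # ... or the zone-pair itself
        elif rule is None:
            continue
        elif words[0] == "action" and len(words) == 2:
            rule.action = words[1]
        elif words[0] == "match":
            rule.matches.append(" ".join(words[1:]))
        elif words[0] == "enable":
            rule.enabled = True
    return pairs

def unconditional_permits(pairs: list[ZonePair]) -> list[tuple[str, str, int]]:
    """(src, dst, rule) of enabled permit rules with no match condition at all."""
    return [(p.src, p.dst, r.number) for p in pairs for r in p.rules
            if r.enabled and r.action == "permit" and not r.matches]

def permitted_to_self(pairs: list[ZonePair]) -> dict[str, list[list[str]]]:
    """Source zone -> match-condition sets of enabled permits towards 'self'."""
    result: dict[str, list[list[str]]] = {}
    for p in pairs:
        if p.dst != "self":
            continue
        for r in p.rules:
            if r.enabled and r.action == "permit":
                result.setdefault(p.src, []).append(list(r.matches))
    return result

# Constructed excerpt in the appendix's syntax; rule 20 is deliberately left disabled.
SAMPLE_CONFIG = """
security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user neighbour
  rule 10
    action permit
    match not destination-address nets
    enable
  exit
  rule 20
    action permit
  exit
exit
"""
```

Running `unconditional_permits(parse_zone_pairs(SAMPLE_CONFIG))` over the full appendix configuration lists every intra-zone and inter-zone pair that is open without conditions, which is the list to review before re-enabling the firewall.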

Description of the traffic passing diagram

Fig. 15 shows the diagram of traffic passing through ESR in normal operation.

...

   - Bridge 9 – L3 interface for organizing a channel to the backup ESR. The connection to the backup ESR is made through interface gi1/0/2 (it is recommended to use an aggregated interface, i.e. several physical ports combined into one logical Port Channel via LACP).

Scheme of ESR redundancy VRRP implementation

The VRRP redundancy scheme is shown in Fig. 16. The VRRP protocol is configured on each bridge interface of the ESR that participates in GRE tunnel termination; all interfaces are united into one logical group (vrrp group 1). On ESR 1 Alfa and ESR 2 Beta, real IP addresses (Real IP) from the respective pool are set on the respective bridges and a Virtual IP (VIP) is specified. These bridges are interconnected via VLANs carried over the jumper between ports gi1/0/2. ESR 1 Alfa is set to priority 200 and ESR 2 Beta to priority 20. When ESR 1 Alfa fails or connectivity is lost in one of the VLANs (101, 3, 10), the master role switches to ESR 2 Beta, and the VIPs are set on its interfaces.

...


Fig. 16.

Possible reasons of network failure

Below we consider the possible variants of user traffic flow during normal operation and during network failures.

Network operational state

Fig. 17 shows the operational state of the network. Traffic from the connected APs from VRF AP passes through PE 1 master and reaches ESR 1. There it is routed: AP management traffic to VRF core, AP user traffic to VRF NAT. PE 2 backup and ESR 2 do not participate in traffic forwarding.


Fig. 17.

Failure of PE 1 master

Fig. 18 shows the traffic flow diagram when PE 1 master fails.

...

When PE 1 master fails, it stops announcing the routes received from ESR 1. In this case there is no VRRP master change and ESR 1 remains in the VRRP Master state. Traffic from the APs from VRF AP goes through PE 2 backup, is routed to ESR 2 and reaches ESR 1 through the jumper on the gi1/0/2 interfaces. User and AP management traffic from ESR 1 is routed through the jumper between the gi1/0/2 ports via the bridge 9 junction interface and passed through PE 2 backup to VRF core and VRF NAT.

Failure of ESR 1

Fig. 19 shows the traffic flow diagram when ESR 1 fails.

...

If ESR 1 fails, it stops sending VRRP announcements. When ESR 2 detects this, it enters the VRRP MASTER state and assigns the VIP addresses to the corresponding interfaces. As a result, traffic from the APs from VRF AP reaches ESR 2 through PE 2 backup. There it is routed: AP management traffic to VRF core, AP user traffic to VRF NAT. PE 1 master does not participate in traffic processing.

Recovery of ESR 1 after a failure

The behavior of the VRRP protocol after ESR 1 returns to service depends on the settings. In general, ESR 1, as the router with the highest priority, would take over the VRRP master role. However, this is unacceptable, because immediately after booting ESR 1 has no information about the state of the tunnels. Therefore, the VRRP interfaces can be configured with:

...

This asymmetric traffic flow is very undesirable, so BGP announcements and VRRP state tracking can be configured to prevent it, as described above.

Appendix

Full configuration of ESR 1 Alfa and ESR 2 Beta

The configuration is for ESR firmware version 1.11.0.

...

ESR 2 Beta

#!/usr/bin/clish
#18
#1.11.x
#07/05/2020
#20:46:29
hostname Beta

object-group service telnet
  port-range 23
exit
object-group service ssh
  port-range 22
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service bgp
  port-range 179
exit
object-group service dns
  port-range 53
exit

object-group network gre_termination
  ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
  ip prefix 198.18.128.0/21
  ip prefix 198.18.136.0/22
  ip prefix 100.64.0.56/30
exit
object-group network clients_AP
  ip prefix 198.18.136.0/22
exit
object-group network SoftWLC
  ip prefix 100.123.0.0/24
exit
object-group network nets
  ip prefix 10.0.0.0/8
  ip prefix 192.168.0.0/16
  ip prefix 172.16.0.0/12
exit

radius-server retransmit 2
radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 5
  source-address 198.18.128.3
  auth-port 31812
  acct-port 31813
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

vlan 3
  force-up
exit
vlan 10
  force-up
exit
vlan 101
  force-up
exit
vlan 9
exit

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone neighbour
exit
security zone user
exit

route-map out_BGP_GRE
  rule 10
    match ip address object-group gre_termination
    action permit
  exit
exit
route-map out_BGP_AP
  rule 10
    match ip address object-group mgmt_AP
    action permit
  exit
exit
route-map out_BGP_NAT
  rule 10
    match ip address object-group clients_AP
    action permit
  exit
exit
route-map in_PREF
  rule 10
    action set local-preference 20
    action permit
  exit
exit
router bgp 64603
  neighbor 100.64.0.37
    remote-as 65001
    update-source 100.64.0.38
    address-family ipv4 unicast
      route-map out_BGP_GRE out
      enable
    exit
    enable
  exit
  neighbor 100.64.0.45
    remote-as 65001
    update-source 100.64.0.46
    address-family ipv4 unicast
      route-map out_BGP_AP out
      enable
    exit
    enable
  exit
  neighbor 100.64.0.53
    remote-as 65001
    update-source 100.64.0.54
    address-family ipv4 unicast
      route-map out_BGP_NAT out
      enable
    exit
    enable
  exit
  neighbor 100.64.0.57
    remote-as 64603
    update-source 100.64.0.58
    address-family ipv4 unicast
      route-map in_PREF in
      next-hop-self
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    redistribute connected
    redistribute static
  exit
  enable
exit


snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro 
snmp-server community "private1" rw 

snmp-server host 100.123.0.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1
  description "GRE_termination"
  vlan 101
  security-zone gre
  ip address 192.168.200.52/28
  vrrp id 1
  vrrp ip 192.168.200.49/32
  vrrp ip 192.168.200.50/32 secondary
  vrrp priority 20
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 180
  vrrp
  enable
exit
bridge 3
  description "mgmt_AP"
  vlan 3
  security-zone trusted
  ip address 198.18.128.3/21
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 3
  vrrp ip 198.18.128.1/32
  vrrp priority 20
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 180
  vrrp
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 9
  description "neighbour"
  vlan 9
  security-zone neighbour
  ip address 100.64.0.58/30
  enable
exit
bridge 10
  description "data_AP"
  vlan 10
  security-zone user
  ip address 198.18.136.3/22
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 10
  vrrp ip 198.18.136.1/32
  vrrp priority 20
  vrrp group 1
  vrrp preempt disable
  vrrp preempt delay 180
  vrrp
  location data10
  protected-ports local
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit

interface gigabitethernet 1/0/1.207
  description "VRF_AP"
  security-zone gre
  ip address 100.64.0.38/30
exit
interface gigabitethernet 1/0/1.209
  description "VRF_CORE"
  security-zone trusted
  ip address 100.64.0.46/30
exit
interface gigabitethernet 1/0/1.211
  description "VRF_NAT"
  security-zone untrusted
  ip address 100.64.0.54/30
exit
interface gigabitethernet 1/0/2
  description "neighbour"
  mode switchport
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 3,9-10,101 tagged
exit
tunnel softgre 1
  mode management
  local address 192.168.200.49
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  mode data
  local address 192.168.200.50
  default-profile
  enable
exit

security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 3
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    enable
  exit
  rule 5
    action permit
    match source-address SoftWLC
    enable
  exit
  rule 6
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair gre gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair neighbour self
  rule 1
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
  rule 2
    action permit
    match protocol gre
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    enable
  exit
  rule 4
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 6
    action permit
    match source-address SoftWLC
    enable
  exit
  rule 7
    action permit
    match protocol tcp
    match destination-port ssh
    enable
  exit
exit
security zone-pair neighbour trusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair neighbour untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair neighbour gre
  rule 10
    action permit
    enable
  exit
exit
security zone-pair neighbour user
  rule 10
    action permit
    enable
  exit
exit
security zone-pair trusted neighbour
  rule 10
    action permit
    enable
  exit
exit
security zone-pair gre neighbour
  rule 10
    action permit
    enable
  exit
exit
security zone-pair user neighbour
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
  rule 10
    action permit
    match not destination-address nets
    enable
  exit
exit
security zone-pair untrusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
exit


wireless-controller
  peer-address 100.64.0.57
  nas-ip-address 198.18.128.3
  vrrp-group 1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server


DHCP server configuration

Configuration example for ISC-DHCP-Server

default-lease-time 86400;
max-lease-time 87000;

log-facility local7;

class "ELTEX-DEVICES" {
 match if (
  (substring (option vendor-class-identifier, 0, 14)="ELTEX_WEP-12AC") or
  (substring (option vendor-class-identifier, 0, 14)="ELTEX_WOP-12AC") or
  (substring (option vendor-class-identifier, 0, 14)="ELTX_WEP-12AC") or
  (substring (option vendor-class-identifier, 0, 14)="ELTX_WOP-12AC") or
  (substring (option vendor-class-identifier, 0, 13)="ELTEX_WEP-2AC") or
  (substring (option vendor-class-identifier, 0, 12)="ELTEX_WOP-2L") or
  (substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-2L") or
  (substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-1L") or
  (substring (option vendor-class-identifier, 0, 6)="ESR-10") or
  (substring (option vendor-class-identifier, 0, 6)="ESR-20")
 );
}

#Subnet on which the DHCP server listens for requests
subnet 100.123.0.0 netmask 255.255.255.0 {}

#Subnet of AP primary addresses, in which they receive option 43 with suboptions 11 and 12 containing the GRE termination addresses
subnet 192.168.250.0 netmask 255.255.255.0 {
 pool {
  allow members of "ELTEX-DEVICES";
  option routers 192.168.250.1;
  range 192.168.250.100 192.168.250.254;
  option vendor-encapsulated-options 0b:0e:31:39:32:2e:31:36:38:2e:32:30:30:2e:34:39:0c:0e:31:39:32:2e:31:36:38:2e:32:30:30:2e:35:30;
 }
}

#Subnet of AP configuration addresses issued on bridge 3 of the ESR
subnet 198.18.128.0 netmask 255.255.248.0 {
 pool {
  option routers 198.18.128.1;
  range 198.18.128.100 198.18.135.254;
  option vendor-encapsulated-options 0A:0B:31:30:30:2e:31:32:33:2e:30:2e:32;
  allow members of "ELTEX-DEVICES";
  option domain-name-servers 100.123.0.2;
 }
}

#Subnet of AP client addresses issued on bridge 10 of the ESR
subnet 198.18.136.0 netmask 255.255.252.0 {
 pool {
  option routers 198.18.136.1;
  range 198.18.136.10 198.18.139.254;
  option domain-name-servers 100.123.0.2;
 }
}
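The option 43 payload that the wireless-controller section above relies on (the AP takes its GRE tunnel endpoints from DHCP option 43) appears in the ISC configuration above only as raw hex. The following added example, not code from the manual, ISC DHCP or Eltex, encodes and decodes that suboption TLV string and checks the GRE termination addresses against the prefix the ESRs announce. Suboption numbers 11 and 12 are taken from the config comments; the meaning of suboption 10 is assumed from its value; the `allowed_prefix` parameter is an assumption tied to the page's gre_termination object-group.

```python
"""DHCP option 43 (vendor-encapsulated-options) for Eltex AP provisioning.
Added example (not from the manual, ISC DHCP or Eltex): encode/decode the
suboption TLV string used in the ISC config above and sanity-check the GRE
termination addresses it hands to the APs."""
import ipaddress

SUBOPT_SOFTWLC = 10   # carries 100.123.0.2 in the config above (SoftWLC host; meaning assumed)
SUBOPT_GRE_MGMT = 11  # GRE termination address for the management tunnel (page comment)
SUBOPT_GRE_DATA = 12  # GRE termination address for the data tunnel (page comment)

# Values copied from the 'option vendor-encapsulated-options' lines above.
PAGE_OPTION43_AP = ("0b:0e:31:39:32:2e:31:36:38:2e:32:30:30:2e:34:39:"
                    "0c:0e:31:39:32:2e:31:36:38:2e:32:30:30:2e:35:30")
PAGE_OPTION43_MGMT = "0A:0B:31:30:30:2e:31:32:33:2e:30:2e:32"


def encode_option43(subopts: dict[int, str]) -> str:
    """Build the colon-separated hex string ISC expects for vendor-encapsulated-options."""
    out = bytearray()
    for code in sorted(subopts):
        if not 1 <= code <= 254:            # 0 is pad, 255 is end-of-options
            raise ValueError(f"invalid suboption code {code}")
        data = subopts[code].encode("ascii")
        if len(data) > 255:                 # length is a single byte
            raise ValueError(f"suboption {code} value too long")
        out += bytes((code, len(data))) + data
    return ":".join(f"{b:02x}" for b in out)


def decode_option43(hex_str: str) -> dict[int, str]:
    """Parse the TLV string back into {suboption: text}; rejects truncated data."""
    raw = bytes.fromhex(hex_str.replace(":", ""))
    result: dict[int, str] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 255:                     # end marker
            break
        if code == 0:                       # pad byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated suboption header")
        length = raw[i + 1]
        payload = raw[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"suboption {code} truncated")
        result[code] = payload.decode("ascii")
        i += 2 + length
    return result


def check_gre_targets(subopts: dict[int, str], allowed_prefix: str) -> list[tuple[int, str]]:
    """Report GRE termination suboptions that are missing, not IPv4, or outside the prefix.

    allowed_prefix (assumed parameter) is the termination network the ESRs announce;
    for this page that is object-group gre_termination = 192.168.200.48/28."""
    net = ipaddress.ip_network(allowed_prefix)
    problems: list[tuple[int, str]] = []
    for code in (SUBOPT_GRE_MGMT, SUBOPT_GRE_DATA):
        if code not in subopts:
            problems.append((code, "missing"))
            continue
        try:
            addr = ipaddress.IPv4Address(subopts[code])
        except ValueError:
            problems.append((code, f"not an IPv4 address: {subopts[code]!r}"))
            continue
        if addr not in net:
            problems.append((code, f"{addr} not in {net}"))
    return problems


if __name__ == "__main__":
    ap = decode_option43(PAGE_OPTION43_AP)
    print(ap, check_gre_targets(ap, "192.168.200.48/28"))
    print(decode_option43(PAGE_OPTION43_MGMT))
```

A mismatch reported by `check_gre_targets` means the APs would be pointed at a tunnel endpoint the ESRs do not serve, which shows up in practice as Scenario 1-style missing tunnels rather than as a DHCP error.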


...