General information
SoftWLC is assumed to be already configured for connecting AP OTT and working with BRAS (all the required services and tariffs are configured and interaction is set up), so their configuration is not described here.
To establish a GRE over IPsec tunnel, the same ESR that is used for AP OTT tunnel establishment is applied. No additional settings are required.
The connection scheme provides clients with Internet access locally at the ESR-10 connection point. Only a GRE over IPsec tunnel is established to the root. This tunnel is used for ESR-10 management and for redirecting clients to the authorization portal.
To work with "OTT individual configuration" for ESR-10, the service "Jerry" should be installed. See more in v1.14_Jerry.
Requirements for connection points
1) only the port gi1/0/1 of ESR-10 is used for the Internet connection;
2) an address is assigned via DHCP; it should contain a default gateway and a DNS server;
3) traffic that goes through the ESR-10 connection point to the Internet should be untagged.
Connection schemes
ESR-10 BRAS works at L3, which implies that clients will always have a separate subnetwork with ESR-10 serving as the default gateway. Client traffic can then go to the Internet from the ESR-10 primary address via NAT or via routing. In the second case, Internet access is provided by NAT on the client's router.
1. ESR-10 connects to the Internet via the client's router. Access points are connected to ESR-10 via a switch, using a separate VLAN for the SSID that terminates on a sub-interface of the ESR-10 uplink and to which clients connect. ESR-10 provides clients with Internet access using NAT.
...
Preconfiguration
Two ways of ESR-10 connection in the OTT mode are possible:
1) connect ESR-10 first and initialize it into a certain default domain by a default rule. In this case ESR-10 will be visible in the default domain, but it will not provide Internet access until it is moved into the required client domain, where a custom configuration agreed with the client is assigned to it;
2) coordinate with the client in advance: create an initialization rule link (with the OTT custom configuration specified) by the MAC address of the ESR-10 that will be installed at the client's site, and add all necessary settings to SoftWLC (L2 subnetworks, tariffs if needed). In this case, ESR-10 will receive the required configuration right after installation and will be ready to work.
Enabling the Service Activator client on ESR-10
OTT mode is not enabled on ESR-10 as shipped, so the device can be used as a standard router. If the router configuration has been changed, reset it to the factory configuration. A router with the factory configuration will ask for a password (enter "password"; when the configuration from the Service Activator is received, the password will be changed):
...
To change a link to access the Service Activator, provide a new one and restart ESR-10.
ELTEX-WIFI-SA
Place the current firmware in the directory /var/lib/eltex-wifi-sa/firmware/
...
root@softwlc-ott:/tftpboot# service eltex-wifi-sa restart
eltex-wifi-sa stop/waiting
eltex-wifi-sa start/running, process 29739
ISC-DHCP-SERVER
In OTT mode, ESR-10 uses suboption 15 of option 43, which carries the address for GRE keepalive. If an address with this option is received, the OTT connection is established successfully. In addition, no default route for the management address will be received, so a route to the SoftWLC management core must be provided using option 121.
A default gateway's address for the management subnetwork (172.16.27.1 in the example given) will serve as an address, accessibility of which will be checked by GRE keepalive:
...
Do not forget to define ESR-10 in the rule that allows access only to devices of specific types, if such a rule is used. In the example above, this is allow members of "ELTEX-DEVICES".
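As an added example (not from this page or from Eltex), the following Python builds and decodes these two options so that an offer captured from the DHCP server can be checked for the OTT preconditions. It assumes suboption 15 carries a raw 4-byte IPv4 address (the page does not state the encoding) and uses the page's 172.16.27.1 and 192.168.42.178 as constructed sample values.

```python
"""DHCP options the ESR-10 OTT bootstrap depends on: option 43 (vendor-specific,
with suboption 15) and option 121 (RFC 3442 classless static routes).
Added example, not Eltex code."""
import ipaddress

OPT_VENDOR, OPT_ROUTES, SUBOPT_KEEPALIVE, END = 43, 121, 15, 255


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def encode_option43(keepalive_ip):
    """Encapsulated TLV suboptions.  Assumption: suboption 15 carries the GRE
    keepalive target as a raw 4-byte IPv4 address."""
    sub = bytes([SUBOPT_KEEPALIVE, 4]) + _ip(keepalive_ip)
    return bytes([OPT_VENDOR, len(sub)]) + sub


def encode_option121(routes):
    """Each route: <prefix length><significant subnet octets><router>."""
    body = b""
    for network, router in routes:
        net = ipaddress.IPv4Network(network)
        n = (net.prefixlen + 7) // 8
        body += bytes([net.prefixlen]) + net.network_address.packed[:n] + _ip(router)
    return bytes([OPT_ROUTES, len(body)]) + body


def parse_options(blob):
    """Walk a DHCP options field into {code: raw value}; 0 = pad, 255 = end."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != END:
        if blob[i] == 0:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def gre_keepalive_target(opts):
    """Address from suboption 15 of option 43, or None if it is missing."""
    body, i = opts.get(OPT_VENDOR, b""), 0
    while i + 1 < len(body):
        sub, length = body[i], body[i + 1]
        if sub == SUBOPT_KEEPALIVE and length == 4:
            return str(ipaddress.IPv4Address(body[i + 2:i + 6]))
        i += 2 + length
    return None


def classless_routes(opts):
    """Decode option 121 into [(network/prefix, router), ...]."""
    body, i, routes = opts.get(OPT_ROUTES, b""), 0, []
    while i < len(body):
        plen = body[i]
        n = (plen + 7) // 8
        net = ipaddress.IPv4Address(body[i + 1:i + 1 + n] + b"\x00" * (4 - n))
        router = ipaddress.IPv4Address(body[i + 1 + n:i + 5 + n])
        routes.append((f"{net}/{plen}", str(router)))
        i += 5 + n
    return routes


def offer_is_ott_ready(blob):
    """The precondition from the page: suboption 15 present, and at least one
    static route, because no default route is handed out for management."""
    opts = parse_options(blob)
    return gre_keepalive_target(opts) is not None and bool(classless_routes(opts))


# Constructed sample offer using the page's addresses: 172.16.27.1 is the
# management gateway checked by keepalive, 192.168.42.178 the SoftWLC core.
SAMPLE_OFFER = (encode_option43("172.16.27.1")
                + encode_option121([("192.168.42.0/24", "172.16.27.1")])
                + bytes([END]))
```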
Configuring connection and initialization using a default rule
For the successful connection and initialization under a default rule, create a default configuration for ESR in the section "OTT custom config", create an initialization rule and specify ESR-10 in default link configuration.
EMS
1. Open the menu "Wireless" → "AP initialization rules manager", select the tab "OTT custom config" and click "Add".
...
and click "Accept".
10. Close the window "AP initialization rules manager". Preconfiguration is completed. When connected, ESR-10 will be put into the default domain. After that, it can be put into a client domain and configured according to the client's requirements.
Connecting clients
Before connecting a client, a connection scheme should be determined (how client traffic will pass from AP). Several ways are possible:
1) user traffic is tagged with the relevant VLAN ID and sent to the ESR-10 uplink (gi1/0/1);
2) user traffic is untagged; in this case, connection is possible only via the interfaces gi1/0/2 - gi1/0/6;
3) user traffic is tagged, but a dedicated (non-uplink) port gi1/0/2 - gi1/0/6 of ESR-10 is used for connection.
The MAC address of the ESR-10 that will be installed for a client may be either known or unknown. It will most likely be unknown, so in the example below ESR-10 is first put into the default domain by the default link at the first connection and then moved into the required domain. A custom configuration is assigned to the link that appears. The ESR is then reset so that it receives the new information.
In the example below, it is assumed that tagged traffic from the client's access points passes through the ESR-10 uplink. Two SSIDs are used, each in its own VLAN: SSID1 in VID 701 and SSID2 in VID 702; both arrive on the same bridge with location SSID12.
Configuring BRAS services and tariffs
Configuration of services and tariffs is done in the same way as for the classic scheme with BRAS. Existing services and tariffs can be used. New ones can also be created. In the example given, it is assumed that a new service and tariff are created for the scheme with OTT. The WELCOME service remains the same.
1. Open the Admin Panel, select the tab "Services and tariffs" → "PCRF services" and click "Add":
...
1) "Name" - tariff name;
2) "Tariff's code" - tariff code;
3) "Domain" - tariff domain (it should be the same as a domain of a service that will be used in the tariff);
4) "Time of session life" - "12" hours;
5) "Time of session life if user is inactive" - "10" minutes;
6) "Account interim interval" - "600" seconds;
7) "Services" - select the service "OTTinternet" configured before;
And click "Save".
Portal configuration
Portal configuration is done in the same way as for the classic scheme with BRAS. An existing portal can be used. New one can also be created. In the example below, a new portal will be created. BRAS interaction is assumed to have been configured.
1. Open the Portal Constructor, click "New portal":
1) "Virtual portal name" - enter the name;
2) "Domain" - select a domain;
Click "Save".
2. Open the menu "Tariffs". Delete the default tariff for AP and add the tariff "OTT_bras" created before.
Click "Save".
Configuring SSID
SSID configuration and linking is done in the same way as for tariffs using BRAS: "Wireless" → "SSID Manager" → "Add SSID":
...
Create links to a domain where ESR-10 will be put.
Creating L2 subnetworks
L2 subnetworks are created in the "Admin Panel". Because the IP address of the managed device is assigned via DHCP, it can change during operation. For this reason, a special type of L2 subnetwork has been implemented for the OTT scheme (and for any scheme using BRAS on ESR-10): "MAC, static". The main key for determining L2 subnetwork affiliation is the NAS MAC. The NAS IP is updated in the following cases:
1) management address is changed (SNMP trap of ESR-10 presence is sent to the same MAC from another address);
2) during initialization;
3) during reinitialization.
In these cases, the entry "Notify PCRF about IP changes for MAC-based subnets" will be added to the log.
In the example given, two L2 subnetworks will be required - for SSID1 and SSID2.
In the Admin Panel, open the tab "PCRF settings" → "L2 subnets" and click "Add":
Enter:
1) "Name" - "SSID1";
2) "NAS IP" - leave empty (if necessary, the IP address can be specified or changed manually);
3) "Type" - select "MAC, static" and enter the ESR-10 MAC address;
4) "VRF" - check "Default VRF value";
5) "Location" - specify location gi1/0/1.701 (sub-interface on which traffic from SSID1 will arrive);
6) "Service domain" - select the SSID service domain;
7) "AP domain" - select the domain into which ESR-10 will be put;
8) "SSID" - select the required SSID (SSID1 in this case).
Click "Save".
Configure an L2 subnetwork for SSID2 in a similar way:
Creating OTT custom configuration
1. Open the menu "AP initialization rule manager", select the tab "OTT custom config" and click "Add":
...
hostname ESR10-OTT-of1
object-group service dns
object-group network natpool
radius-server timeout 10
domain lookup enable
security zone trusted
ip access-list extended WELCOME
ip access-list extended INTERNET
ip access-list extended unauthUSER
subscriber-control filters-server-url http://192.168.42.178:7070/filters/file
snmp-server host 192.168.42.178
snmp-server enable traps
bridge 1
interface gigabitethernet 1/0/1
security zone-pair untrusted self
access profile acc_p
security ike proposal ike_prop
security ike policy ike_pol
security ike gateway ike_gw
security ipsec proposal ipsec_prop
security ipsec policy ipsec_pol
security ipsec vpn ipsec_vpn
nat source
ip dhcp-server
ip ssh server
clock timezone gmt +7
ntp enable
and click "Accept".
Creating a link for ESR-10 with OTT custom configuration
A link between OTT custom configuration and ESR can be created in two ways:
1) A default OTT link was used for ESR-10, and it was put into the default domain
In this case, the ESR-10 MAC address becomes known after device installation.
1. Find it in the OTT device initialization default domain, select it and put into a required domain:
...
The status can be seen in the "Tasks" panel for the task that appears.
7. After that, the device is ready for operation, and its operation can be checked.
2) Default OTT link is not used in EMS configuration, or MAC address of a device installed at a client's is known in advance.
1. Creating an initialization rule for ESR-10 in the OTT mode. Open the tab "Wireless" → "AP initialization rules manager" → "Rules" and click "Add":
...
It can be seen that the initialization rule link has been applied successfully.
ESR-10 will be initialized within a required domain and ready to go right after its activation.
Appendices
Configuring OTT custom config, sent by the Service Activator
General description
The configuration received by ESR-10 from the Service Activator (hereinafter the "SA") consists of two parts: the first contains the IPsec parameters, update-timer, wait-timer and administrator (admin) password in JSON format; the second contains the CLI configuration in text format as a set of CLI commands. All the parameters are kept in one file.
If the CLI part of the received SA response is empty, this is an error. The configuration will not be applied, and an error code will be sent to the SA. ESR-10 will query the SA again when the wait-timer expires.
If the configuration contains wrong or non-existent commands, it will not be applied, and an error code will be sent to the SA. ESR-10 will query the SA again when the wait-timer expires.
If a configuration contains incomplete settings that require other settings to be enabled, such a configuration will be applied, but incomplete settings will not be enabled.
If a configuration contains settings that are also passed by the Service Activator in IPsec connection parameters, the ones specified in the configuration will be used.
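The decision rules above, as an added illustrative model in Python (not Eltex code and not the device's implementation). The file layout (JSON header, blank line, then CLI text), the command allowlist, the JSON key names and the error-code names are assumptions; the retry delay of 5 minutes without a wait-timer is from the appendix on error codes.

```python
"""Model of how the ESR-10 treats a Service Activator (SA) response,
following the rules described on this page.  Added illustration, not
Eltex code: the file layout (JSON header, blank line, CLI text), the
command allowlist and the error-code names are assumptions."""
import json

# Assumed allowlist of command keywords, drawn from the configs on this page.
KNOWN = {"hostname", "security", "interface", "bridge", "tunnel", "ip",
         "snmp-server", "exit", "enable", "mode", "ike", "ike-policy",
         "proposal", "authentication", "local", "remote", "assign-interface"}
ERR_EMPTY_CLI, ERR_BAD_COMMAND = "E_EMPTY_CLI", "E_BAD_COMMAND"  # placeholders
DEFAULT_RETRY = 300  # "after 5 minutes" when no wait-timer has been received


def parse_sa_response(text):
    """Split the single SA file into its JSON parameters and CLI lines."""
    head, _, cli = text.partition("\n\n")
    params = json.loads(head) if head.strip() else {}
    return params, [l.strip() for l in cli.splitlines() if l.strip()]


def retry_after(params):
    return int(params.get("wait-timer", DEFAULT_RETRY))


def gateways_missing_policy(lines):
    """Incomplete setting: an IKE gateway referencing an ike-policy that is
    never defined.  It stays in the config but must not be enabled."""
    policies, gateways, current = set(), {}, None
    for line in lines:
        w = line.split()
        if w[:3] == ["security", "ike", "policy"]:
            policies.add(w[3])
        elif w[:3] == ["security", "ike", "gateway"]:
            current = w[3]
        elif w[0] == "ike-policy" and current:
            gateways[current] = w[1]
        elif w == ["exit"]:
            current = None
    return sorted(g for g, p in gateways.items() if p not in policies)


def apply_sa_response(text):
    """Return what the device would do: apply, or reject with a code and
    the delay before it asks the SA again."""
    params, lines = parse_sa_response(text)
    if not lines:  # empty CLI part: error, nothing applied
        return {"applied": False, "error": ERR_EMPTY_CLI, "retry_in": retry_after(params)}
    bad = [l for l in lines if l.split()[0] not in KNOWN]
    if bad:  # an unknown command anywhere: the whole config is rejected
        return {"applied": False, "error": ERR_BAD_COMMAND,
                "retry_in": retry_after(params), "bad": bad}
    return {"applied": True, "not_enabled": gateways_missing_policy(lines),
            "update_in": int(params.get("update-timer", 0))}


# Constructed sample: the gateway's policy "ike_pol" is never defined, so the
# config applies but that gateway is not enabled.  Key names are assumed.
SAMPLE = json.dumps({"wait-timer": 120, "update-timer": 600,
                     "admin-password": "<placeholder>"}) + "\n\n" + "\n".join([
    "hostname ESR10-OTT",
    "security ike gateway ike_gw",
    "ike-policy ike_pol",
    "exit",
    "security ipsec vpn ipsec_vpn",
    "ike gateway ike_gw",
    "exit",
])
```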
The CLI part of the configuration received by ESR-10 from the SA is created in the tab "OTT custom config" of the menu "AP initialization rules manager". The parts of the configuration containing the uplink, IPsec and GRE settings should be described in a specific way. They must not be changed, since this will make the configuration inoperable after it is applied (in this case, ESR-10 will roll back to the factory configuration when its wait-timer expires and send an error message to the SA).
OTT connection establishment implies having suboption 15 of option 43 when getting an address by the management interface (it will always be bridge 1). If an address with this option has not been received during wait-timer, connection is considered as failed. Configuration will rollback to factory-config, and the error message will be sent to the Service Activator. A request to the Service Activator will be repeated on the wait-timer expiry.
Untagged client traffic from SSID should not be passed via uplinks.
It is recommended to use a bridge with subinterfaces or physical interfaces for client termination. If BRAS is used on a physical interface or on a subinterface, it will require configuring two L2 subnetworks for each interface (the first subnetwork will contain location with the interface; the second one will contain the interface in the format of gi1/0/2 or gi1/0/2.100)
Description of default configuration in the OTT custom config
For a default initialization rule, create a configuration named "default" (the name may differ) that provides the minimum necessary settings to establish IPsec, obtain a management address and send a presence trap to the system. ESR-10 will appear in the default domain with this configuration. It can be managed via EMS, but clients cannot work with this configuration. It is used only when the MAC address of a client's ESR-10 is unknown. After that, ESR-10 should be moved to another domain; another custom link will be created for it, and a different custom configuration can be chosen. A custom link can also be created in advance with the configuration required for a client.
An example of ESR-10 configuration after applying parameters from SA is given below. Parameters that should not be specified in "OTT custom config" are shaded gray.
...
hostname ESR10-OTT
line console
  aaa disable
exit
snmp-server source-interface bridge 1
security ipsec vpn ipsec_vpn
  mode ike
  ike establish-tunnel immediate
  ike gateway ike_gw
  ike ipsec-policy ipsec_pol
  enable
exit
ip ssh server
Configuration for client connection
Default part of the configuration used for OTT installation remains the same. A client termination interface (bridge) on which BRAS works is added to it. Tagged traffic from SSID is received via subinterfaces that are grouped into a client bridge. To do that, any interfaces including uplink ones can be used. Untagged traffic from SSID can be received via ports gi1/0/2-6 (uplink gi1/0/1 should not be used for this purpose). To tag traffic in access mode, the same vlan as in bridge settings is used. Clients access the Internet using NAT via a current uplink address.
Below is a configuration in which Internet access is provided via gi1/0/1, and traffic from SSID1 and SSID2 arrives on the same port with the tags 2314 and 2315 respectively. Both VLANs are grouped into one client bridge 11 using subinterfaces. Clients access the Internet via NAT using the uplink gi1/0/1.
...
hostname ESR10-OTT-BR
ip firewall sessions classification enable
root login enable
tech-support login enable
object-group service dns
  port-range 53
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service redirect
  port-range 3128-3129
  port-range 3130-3131
exit
object-group network natpool
  ip prefix 198.19.253.0/24
exit
object-group network SoftWLC
  ip address-range 192.168.42.178
exit
vlan 701
exit
radius-server timeout 10
radius-server retransmit 5
radius-server host 192.168.42.178
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-interface bridge 1
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 192.168.42.178
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit
line console
  aaa disable
exit
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone user
exit
ip access-list extended WELCOME
  rule 1
    action permit
    match protocol tcp
    match destination-port 443
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port 8443
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port 80
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port 8080
    enable
  exit
exit
ip access-list extended INTERNET
  rule 1
    action permit
    enable
  exit
exit
ip access-list extended unauthUSER
  rule 1
    action permit
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port 53
    enable
  exit
exit
subscriber-control filters-server-url http://192.168.42.178:7070/filters/file
subscriber-control
  aaa das-profile COA
  aaa sessions-radius-profile PCRF
  aaa services-radius-profile PCRF
  nas-interface bridge 1
  session mac-authentication
  bypass-traffic-acl unauthUSER
  default-service
    class-map unauthUSER
    filter-name remote gosuslugi
    filter-action permit
    default-action redirect http://192.168.42.178:8080/eltex_portal/
    session-timeout 600
  exit
  enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 192.168.42.178
  source-interface bridge 1
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
bridge 1
  security-zone trusted
  ip address dhcp
  ip dhcp client ignore dns-nameserver
  ip dhcp client ignore router
  enable
exit
bridge 2
  vlan 701
  security-zone user
  ip address 198.19.253.1/24
  service-subscriber-control any
  location SSID12
  enable
exit
interface gigabitethernet 1/0/1
  description "UPLink"
  ip address dhcp
  security-zone untrusted
  service-policy dynamic all
exit
interface gigabitethernet 1/0/2.702
  bridge-group 2
exit
interface gigabitethernet 1/0/3
  mode switchport
  switchport access vlan 701
exit
interface gigabitethernet 1/0/4
  shutdown
exit
interface gigabitethernet 1/0/5
  shutdown
exit
interface gigabitethernet 1/0/6
  shutdown
exit
interface loopback 1
exit
tunnel gre 1
  keepalive retries 3
  keepalive dhcp dependent-interface bridge 1
  keepalive dhcp dependent-interface gi1/0/1
  mode ethernet
  local address xauth ipsec_vpn
  remote address xauth ipsec_vpn
  management-ip
  enable
exit
tunnel gre 1.1
  bridge-group 1
  snmp init-trap
  enable
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol tcp
    match destination-port redirect
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit
access profile acc_p
exit
security ike proposal ike_prop
exit
security ike policy ike_pol
  authentication method xauth-psk-key
  authentication mode client
  proposal ike_prop
exit
security ike gateway ike_gw
  ike-policy ike_pol
  assign-interface loopback 1
  local interface gigabitethernet 1/0/1
  remote network dynamic client
  mode policy-based
  dead-peer-detection action restart
  dead-peer-detection interval 10
  dead-peer-detection timeout 60
exit
security ipsec proposal ipsec_prop
exit
security ipsec policy ipsec_pol
  proposal ipsec_prop
exit
security ipsec vpn ipsec_vpn
  mode ike
  ike establish-tunnel immediate
  ike gateway ike_gw
  ike ipsec-policy ipsec_pol
  enable
exit
nat source
  ruleset NAT
    to interface gigabitethernet 1/0/1
    rule 10
      match source-address natpool
      action source-nat interface
      enable
    exit
  exit
exit
ip dhcp-server
ip dhcp-server pool lan
  network 198.19.253.0/24
  max-lease-time 000:00:20
  default-lease-time 000:00:10
  address-range 198.19.253.2-198.19.253.254
  default-router 198.19.253.1
  dns-server 198.19.253.1
exit
ip telnet server
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 192.168.42.178
exit
List of error codes sent by ESR-10 to the Service Activator
If a connection error occurs, ESR-10 resets to the factory configuration and sends an error code to the SA. It connects to the SA again after 5 minutes, or after the wait-timer expires if one has been received.
...