
...



Create an SSID linked to the domain ott.root (Wireless/SSID Manager). In the "Bridge, Location" field, specify the location that corresponds to the bridge settings on the ESR.


...



 

ESR OTT

...

Message


Connection refused

The Service Activator is not installed, or port 8042 is blocked

"code":4022, "msg":"No init link found"

No initialization rule links to the AP

"code":1,"msg":"In request by key 'domain' value is empty or null"

There are no ESR devices with OTT enabled (the OTT checkbox in the "Access" tab) in the domain specified in the initialization rule link

"code":4024, "msg":"No OTT station configured"

There are no ESR profiles with an OTT profile linked to the IP address of an ESR device with OTT enabled, or such ESR devices are unavailable.

"code":4023

NB communication error

"code": 4025, "msg": "/ott/upgrade/WOP-12ac-LR-RevB.tar.gz"

The AP firmware is out of date; an update is required


Annex 3. ESR configuration example 

Examples of ESR configuration on a test bench. Note that the example below carries test-bench settings that should not be reused as-is in production: a plaintext IKE pre-shared key, an MD5/AES-128 IKE and IPsec proposal, literal SNMP community strings with read-write access, and telnet, root and tech-support logins enabled.
Example 1
The example is for version 1.6.2 with BGP, for ESR models without EoGRE tunnel support. The following addressing is used in the example:
1) gi1/0/1.4092: 10.12.20.4/28 - address directed to the Internet for IPsec termination;
2) gi1/0/1.212: 100.64.0.66/30 - interconnect address facing VRF backbone, for connection to the SoftWLC, DHCP and DNS servers;
3) gi1/0/1.213: 100.64.0.70/30 - interconnect address facing VRF nat, for client access to the Internet;
4) bridge 1: 192.168.200.49/28 and 192.168.200.50/28 - addresses that terminate EoGRE from access points for the management and client traffic tunnels respectively;
5) bridge 3: 192.168.128.0/22 - subnetwork for AP management addresses. 192.168.128.1 is used as an address for managing ESR from SoftWLC;
6) bridge 10: 198.18.160.0/22 - subnetwork for AP clients. Default gateway for clients - 198.18.160.1, DNS 100.123.0.2;
7) 172.31.252.0/22 - subnetwork for addresses, assigned to access points via mode config and used to establish EoGRE on AP side;
8) 100.110.123.0/24 - management subnetwork. 100.123.0.2 - SoftWLC address, DHCP, DNS.
Because the default route points to the Internet via gi1/0/1.4092, the PBR route-map named "users_map" in the ESR configuration is used to steer client traffic via the interface gi1/0/1.213.

Конфигурация
hostname esr-ipsec

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ipsec_ports
  port-range 500
  port-range 4500
exit
object-group service dns
  port-range 53
exit

object-group network SoftWLC
  ip prefix 100.123.0.0/24
exit
object-group network ipsec_remote_address
  ip prefix 10.100.0.0/16
  ip prefix 172.31.252.0/22
exit
object-group network gre_termination
  ip prefix 192.168.200.48/28
exit
object-group network AP_mgmt
  ip prefix 192.168.128.0/22
  ip prefix 198.18.160.0/22
exit
object-group network AP_users
  ip prefix 198.18.160.0/22
exit

syslog console none

radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-address 192.168.128.1
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

tech-support login enable
root login enable

vlan 3
  force-up
exit
vlan 10
  force-up
exit

security zone trusted
exit
security zone untrusted
exit
security zone ipsec
exit
security zone gre
exit
security zone users
exit

ip access-list extended users_pbr
  rule 10
    action deny
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 11
    action deny
    match protocol udp
    match destination-port 53
    enable
  exit
  rule 20
    action permit
    enable
  exit
exit

route-map out_BGP_AP
  rule 10
    match ip address object-group AP_mgmt
    action permit
  exit
exit
route-map out_BGP_NAT
  rule 10
    match ip address object-group AP_users
    action permit
  exit
exit
route-map users_map
  rule 10
    match ip access-group users_pbr
    action set ip next-hop verify-availability 100.64.0.69 10
    action permit
  exit
exit
router bgp 64604
  address-family ipv4
    router-id 198.18.156.1
    redistribute connected
    neighbor 100.64.0.65
      remote-as 1238965001
      route-map out_BGP_AP out
      update-source 100.64.0.66
      enable
    exit
    neighbor 100.64.0.69
      remote-as 1238965001
      route-map out_BGP_NAT out
      update-source 100.64.0.70
      enable
    exit
    enable
  exit
exit

snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro

snmp-server host 100.123.0.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1
  description "gre_termination"
  vlan 1
  security-zone gre
  ip address 192.168.200.49/28
  ip address 192.168.200.50/28
  enable
exit
bridge 3
  description "AP_mgmt"
  vlan 3
  security-zone trusted
  ip address 192.168.128.1/22
  ip helper-address 100.123.0.2
  ip tcp adjust-mss 1312
  enable
exit
bridge 10
  description "Users"
  vlan 10
  security-zone users
  ip address 198.18.160.1/22
  ip helper-address 100.123.0.2
  ip policy route-map users_map
  ip tcp adjust-mss 1312
  location data10
  enable
exit

interface gigabitethernet 1/0/1
  description "UpLink"
exit
interface gigabitethernet 1/0/1.212
  description "VRF_backbone"
  security-zone trusted
  ip address 100.64.0.66/30
  ip tcp adjust-mss 1312
exit
interface gigabitethernet 1/0/1.213
  description "VRF_nat"
  security-zone untrusted
  ip address 100.64.0.70/30
  ip tcp adjust-mss 1312
exit
interface gigabitethernet 1/0/1.1000
  description "adm_net"
  security-zone trusted
  ip address 100.110.0.133/23
exit
interface gigabitethernet 1/0/1.4092
  description "IPsec"
  security-zone ipsec
  ip address 10.12.20.4/28
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.49
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.50
  default-profile
  enable
exit

security zone-pair trusted self
  rule 10
    action permit
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair users untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair users trusted
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit
security zone-pair ipsec self
  rule 1
    action permit
    match protocol udp
    match destination-port ipsec_ports
    enable
  exit
  rule 2
    action permit
    match protocol esp
    enable
  exit
  rule 3
    action permit
    match protocol gre
    match source-address ipsec_remote_address
    match destination-address gre_termination
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 10
    action permit
    enable
  exit
exit

address-assignment pool ipsec_xauth_pool
  ip prefix 172.31.252.0/22
  data-tunnel address 192.168.200.50
  management-tunnel address 192.168.200.49
exit

security ike proposal dh1_md5_aes128
  authentication algorithm md5
  encryption algorithm aes128
exit

security ike policy psk_xauth
  lifetime seconds 86400
  pre-shared-key ascii-text testing123
  authentication method xauth-psk-key
  authentication mode radius
  proposal dh1_md5_aes128
exit

security ike gateway xauth_gw
  ike-policy psk_xauth
  local address 10.12.20.4
  local network 192.168.200.48/28
  remote address any
  remote network dynamic pool ipsec_xauth_pool
  mode policy-based
  dead-peer-detection action clear
  dead-peer-detection interval 60
  dead-peer-detection timeout 180
exit

security ipsec proposal md5_aes128_esp
  authentication algorithm md5
  encryption algorithm aes128
exit

security ipsec policy ipsec_pol
  proposal md5_aes128_esp
exit

security ipsec vpn xauth_ipsec
  mode ike
  ike establish-tunnel by-request
  ike gateway xauth_gw
  ike ipsec-policy ipsec_pol
  enable
exit

security passwords history 0
ip dhcp-relay

ip route 0.0.0.0/0 10.12.20.2

wireless-controller
  nas-ip-address 192.168.128.1
  resp-time 3
  failure-count 3
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.123.0.2
exit

...