...
Create an SSID linked to the domain ott.root (Wireless/SSID Manager). In the Bridge, Location field, specify the location that matches the `location` setting of the corresponding bridge on the ESR.
...
...
Message | Cause
---|---
Connection refused | The Service Activator is not installed, or port 8042 is blocked
"code":4022, "msg":"No init link found" | No initialization rule is linked to the AP
"code":1,"msg":"In request by key 'domain' value is empty or null" | There are no ESR devices with OTT enabled (OTT checkbox in the "Access" tab) in the domain specified in the initialization rule link
"code":4024, "msg":"No OTT station configured" | There are no ESR profiles with an OTT profile linked to the IP address of an ESR device with OTT enabled, or such ESR devices are unavailable
"code":4023 | NB communication error
"code": 4025, "msg": "/ott/upgrade/WOP-12ac-LR-RevB.tar.gz" | The AP firmware is out of date; an update is required
Annex 3. ESR configuration example
Examples of ESR configuration on a test bench.
Example 1
This example is for version 1.6.2 with BGP, for ESR models without EoGRE tunnel support. The following addressing is used:
1) gi1/0/1.4092: 10.12.20.4/28 - Internet-facing address for IPsec termination;
2) gi1/0/1.212: 100.64.0.66/30 - interconnect address facing VRF backbone, used to reach SoftWLC and the DHCP and DNS servers;
3) gi1/0/1.213: 100.64.0.70/30 - interconnect address facing VRF nat, used for client access to the Internet;
4) bridge 1: 192.168.200.49/28 and 192.168.200.50/28 - addresses terminating EoGRE from access points for the management and client traffic tunnels respectively;
5) bridge 3: 192.168.128.0/22 - subnet for AP management addresses. 192.168.128.1 is used as the address for managing the ESR from SoftWLC;
6) bridge 10: 198.18.160.0/22 - subnet for AP clients. The default gateway for clients is 198.18.160.1, DNS is 100.123.0.2;
7) 172.31.252.0/22 - subnet of addresses assigned to access points via mode config and used to establish EoGRE on the AP side;
8) 100.110.123.0/24 - management subnet. 100.123.0.2 is the SoftWLC, DHCP and DNS address.
Because the default route points to the Internet connection via gi1/0/1.4092, the PBR route-map named "users_map" in the ESR configuration is used to steer client traffic through the interface gi1/0/1.213. The ACL users_pbr excludes DHCP (UDP 68 to 67) and DNS (UDP 53) from that policy, so those requests follow normal routing to the servers in VRF backbone, while all other client traffic is sent to the next-hop 100.64.0.69.
```
hostname esr-ipsec
object-group service dhcp_server
    port-range 67
exit
object-group service dhcp_client
    port-range 68
exit
object-group service ipsec_ports
    port-range 500
    port-range 4500
exit
object-group service dns
    port-range 53
exit
object-group network SoftWLC
    ip prefix 100.123.0.0/24
exit
object-group network ipsec_remote_address
    ip prefix 10.100.0.0/16
    ip prefix 172.31.252.0/22
exit
object-group network gre_termination
    ip prefix 192.168.200.48/28
exit
object-group network AP_mgmt
    ip prefix 192.168.128.0/22
    ip prefix 198.18.160.0/22
exit
object-group network AP_users
    ip prefix 198.18.160.0/22
exit
syslog console none
radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
    key ascii-text encrypted 88B11079B9014FAAF7B9
    timeout 11
    priority 20
    source-address 192.168.128.1
    auth-port 31812
    acct-port 31813
    retransmit 10
    dead-interval 10
exit
aaa radius-profile PCRF
    radius-server host 100.123.0.2
exit
das-server COA
    key ascii-text encrypted 88B11079B9014FAAF7B9
    port 3799
    clients object-group SoftWLC
exit
aaa das-profile COA
    das-server COA
exit
tech-support login enable
root login enable
vlan 3
    force-up
exit
vlan 10
    force-up
exit
security zone trusted
exit
security zone untrusted
exit
security zone ipsec
exit
security zone gre
exit
security zone users
exit
ip access-list extended users_pbr
    rule 10
        action deny
        match protocol udp
        match source-port 68
        match destination-port 67
        enable
    exit
    rule 11
        action deny
        match protocol udp
        match destination-port 53
        enable
    exit
    rule 20
        action permit
        enable
    exit
exit
route-map out_BGP_AP
    rule 10
        match ip address object-group AP_mgmt
        action permit
    exit
exit
route-map out_BGP_NAT
    rule 10
        match ip address object-group AP_users
        action permit
    exit
exit
route-map users_map
    rule 10
        match ip access-group users_pbr
        action set ip next-hop verify-availability 100.64.0.69 10
        action permit
    exit
exit
router bgp 64604
    address-family ipv4
        router-id 198.18.156.1
        redistribute connected
        neighbor 100.64.0.65
            remote-as 1238965001
            route-map out_BGP_AP out
            update-source 100.64.0.66
            enable
        exit
        neighbor 100.64.0.69
            remote-as 1238965001
            route-map out_BGP_NAT out
            update-source 100.64.0.70
            enable
        exit
        enable
    exit
exit
snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro
snmp-server host 100.123.0.2
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
bridge 1
    description "gre_termination"
    vlan 1
    security-zone gre
    ip address 192.168.200.49/28
    ip address 192.168.200.50/28
    enable
exit
bridge 3
    description "AP_mgmt"
    vlan 3
    security-zone trusted
    ip address 192.168.128.1/22
    ip helper-address 100.123.0.2
    ip tcp adjust-mss 1312
    enable
exit
bridge 10
    description "Users"
    vlan 10
    security-zone users
    ip address 198.18.160.1/22
    ip helper-address 100.123.0.2
    ip policy route-map users_map
    ip tcp adjust-mss 1312
    location data10
    enable
exit
interface gigabitethernet 1/0/1
    description "UpLink"
exit
interface gigabitethernet 1/0/1.212
    description "VRF_backbone"
    security-zone trusted
    ip address 100.64.0.66/30
    ip tcp adjust-mss 1312
exit
interface gigabitethernet 1/0/1.213
    description "VRF_nat"
    security-zone untrusted
    ip address 100.64.0.70/30
    ip tcp adjust-mss 1312
exit
interface gigabitethernet 1/0/1.1000
    description "adm_net"
    security-zone trusted
    ip address 100.110.0.133/23
exit
interface gigabitethernet 1/0/1.4092
    description "IPsec"
    security-zone ipsec
    ip address 10.12.20.4/28
exit
tunnel softgre 1
    description "mgmt"
    mode management
    local address 192.168.200.49
    default-profile
    enable
exit
tunnel softgre 1.1
    bridge-group 3
    enable
exit
tunnel softgre 2
    description "data"
    mode data
    local address 192.168.200.50
    default-profile
    enable
exit
security zone-pair trusted self
    rule 10
        action permit
        enable
    exit
exit
security zone-pair users self
    rule 10
        action permit
        match protocol udp
        match source-port dhcp_client
        match destination-port dhcp_server
        enable
    exit
exit
security zone-pair users untrusted
    rule 10
        action permit
        enable
    exit
exit
security zone-pair users trusted
    rule 10
        action permit
        match protocol udp
        match source-port dhcp_client
        match destination-port dhcp_server
        enable
    exit
    rule 20
        action permit
        match protocol udp
        match destination-port dns
        enable
    exit
exit
security zone-pair ipsec self
    rule 1
        action permit
        match protocol udp
        match destination-port ipsec_ports
        enable
    exit
    rule 2
        action permit
        match protocol esp
        enable
    exit
    rule 3
        action permit
        match protocol gre
        match source-address ipsec_remote_address
        match destination-address gre_termination
        enable
    exit
    rule 4
        action permit
        match protocol icmp
        enable
    exit
exit
security zone-pair trusted trusted
    rule 10
        action permit
        enable
    exit
exit
address-assignment pool ipsec_xauth_pool
    ip prefix 172.31.252.0/22
    data-tunnel address 192.168.200.50
    management-tunnel address 192.168.200.49
exit
security ike proposal dh1_md5_aes128
    authentication algorithm md5
    encryption algorithm aes128
exit
security ike policy psk_xauth
    lifetime seconds 86400
    pre-shared-key ascii-text testing123
    authentication method xauth-psk-key
    authentication mode radius
    proposal dh1_md5_aes128
exit
security ike gateway xauth_gw
    ike-policy psk_xauth
    local address 10.12.20.4
    local network 192.168.200.48/28
    remote address any
    remote network dynamic pool ipsec_xauth_pool
    mode policy-based
    dead-peer-detection action clear
    dead-peer-detection interval 60
    dead-peer-detection timeout 180
exit
security ipsec proposal md5_aes128_esp
    authentication algorithm md5
    encryption algorithm aes128
exit
security ipsec policy ipsec_pol
    proposal md5_aes128_esp
exit
security ipsec vpn xauth_ipsec
    mode ike
    ike establish-tunnel by-request
    ike gateway xauth_gw
    ike ipsec-policy ipsec_pol
    enable
exit
security passwords history 0
ip dhcp-relay
ip route 0.0.0.0/0 10.12.20.2
wireless-controller
    nas-ip-address 192.168.128.1
    resp-time 3
    failure-count 3
    data-tunnel configuration radius
    aaa das-profile COA
    aaa radius-profile PCRF
    enable
exit
ip telnet server
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.123.0.2
exit
```
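The test-bench configuration above keeps several settings that are convenient on a bench but worth reviewing before the same template is reused: the IKE pre-shared key is stored in clear text (`pre-shared-key ascii-text testing123`), a writable SNMPv2 community is configured, telnet is enabled alongside SSH, both the IKE and IPsec proposals use MD5 integrity, and the `trusted self` zone-pair permits all traffic to the router itself. The following script is an added example, not part of the annex and not an Eltex tool: it walks the indentation-based section structure that the ESR CLI prints and reports those settings. The rule set, the `iter_commands`/`lint` helpers and the sample excerpt (a shortened, constructed subset of the annex configuration) are all assumptions of this example.

```python
"""Offline lint of an ESR-style running configuration (added example).

The checks are this example's own assumptions, not an ESR feature.
"""
import re

# Constructed excerpt modelled on the annex configuration (not the full file).
SAMPLE_CONFIG = """\
hostname esr-ipsec
snmp-server
snmp-server community "private1" rw
snmp-server community "public11" ro
security zone-pair trusted self
    rule 10
        action permit
        enable
    exit
exit
security zone-pair users self
    rule 10
        action permit
        match protocol udp
        match source-port dhcp_client
        match destination-port dhcp_server
        enable
    exit
exit
security ike proposal dh1_md5_aes128
    authentication algorithm md5
    encryption algorithm aes128
exit
security ike policy psk_xauth
    lifetime seconds 86400
    pre-shared-key ascii-text testing123
    authentication method xauth-psk-key
    proposal dh1_md5_aes128
exit
security ipsec proposal md5_aes128_esp
    authentication algorithm md5
    encryption algorithm aes128
exit
ip telnet server
ip ssh server
"""


def iter_commands(text, indent=4):
    """Yield (context, command) pairs, context being the enclosing section headers.

    Nesting comes from indentation (4 spaces per level as the CLI prints it);
    'exit' lines only confirm what the indentation already closed and are skipped.
    Each command is pushed as a potential parent and popped by the next line at
    the same or a shallower depth.
    """
    stack = []  # entries: (depth, header)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // indent
        cmd = raw.strip()
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if cmd == "exit":
            continue
        yield [header for _, header in stack], cmd
        stack.append((depth, cmd))


PROPOSAL_PREFIXES = ("security ike proposal", "security ipsec proposal")


def lint(text):
    """Return a list of (path, finding) tuples for the weak settings described above."""
    findings = []
    rules = {}  # (zone-pair header, rule header) -> {"permit": bool, "matches": int}
    for ctx, cmd in iter_commands(text):
        path = " / ".join(ctx) if ctx else "(global)"
        m = re.match(r"pre-shared-key ascii-text (\S+)", cmd)
        if m and m.group(1) != "encrypted":  # 'encrypted' keys are not flagged
            findings.append((path, "IKE pre-shared key stored in clear text"))
        m = re.match(r'snmp-server community "?([^"\s]+)"? rw$', cmd)
        if m:
            findings.append((path, f"writable SNMP community {m.group(1)!r}"))
        if cmd == "ip telnet server":
            findings.append((path, "telnet management enabled (unencrypted)"))
        if cmd == "authentication algorithm md5" and any(c.startswith(PROPOSAL_PREFIXES) for c in ctx):
            findings.append((path, "MD5 integrity algorithm in IKE/IPsec proposal"))
        # Collect zone-pair rules so a permit-all rule is judged as a whole, not per line.
        if len(ctx) >= 2 and ctx[0].startswith("security zone-pair ") and ctx[1].startswith("rule "):
            entry = rules.setdefault((ctx[0], ctx[1]), {"permit": False, "matches": 0})
            if cmd == "action permit":
                entry["permit"] = True
            elif cmd.startswith("match "):
                entry["matches"] += 1
    for (zone_pair, rule), entry in rules.items():
        if entry["permit"] and entry["matches"] == 0 and zone_pair.endswith(" self"):
            findings.append((f"{zone_pair} / {rule}", "permit-all rule toward the router itself (self zone)"))
    return findings


if __name__ == "__main__":
    for path, finding in lint(SAMPLE_CONFIG):
        print(f"{path}: {finding}")
```

Run against the excerpt it reports six findings; the `users self` rule is not reported because its permit is narrowed to DHCP, and a key written as `ascii-text encrypted ...` (the form the RADIUS and DAS keys in the annex already use) passes the pre-shared-key check. To lint a real device, paste the output of the running configuration in place of the sample text.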
...