...
2.2 ESR connection diagram and addressing plan
Let us look at an example ESR connection scheme. The connection diagram is shown below in Fig. 2.2.1:
[Figure: draw.io diagram "main-esr-bras-l3-int"]
Fig. 2.2.1.
Note: hereafter in this documentation the ESR BRAS L3 VRRP MASTER is referred to as "Alfa" and the ESR BRAS L3 VRRP BACKUP as "Beta".
The addressing used and the purpose of each address are given below in Table 2.2.1:

Table 2.2.1. Addressing plan, AS 64603

| Purpose | VRF | Alfa: interface / VLAN | Alfa: IP address | VRRP IP | Beta: interface / VLAN | Beta: IP address |
|---|---|---|---|---|---|---|
| Link to VRF AP (eBGP) | default | gi1/0/1.206 | 100.64.0.34/30 | n/a | gi1/0/1.207 | 100.64.0.38/30 |
| Link to VRF backbone (eBGP) | default | gi1/0/1.208 | 100.64.0.42/30 | n/a | gi1/0/1.209 | 100.64.0.46/30 |
| Link to VRF NAT (eBGP) | default | gi1/0/1.210 | 100.64.0.50/30 | n/a | gi1/0/1.211 | 100.64.0.54/30 |
| Internal link to VRF DPI | default | lt 1 | 10.200.200.1/30 | n/a | lt 1 | 10.200.200.5/30 |
| Termination of GRE traffic from APs | default | bridge 1 / 101 | 192.168.200.51/28 | 192.168.200.49/32, 192.168.200.50/32 | bridge 1 / 101 | 192.168.200.52/28 |
| Termination of the AP management subnet | default | bridge 3 / 3 | 198.18.128.2/21 | 198.18.128.1/32 | bridge 3 / 3 | 198.18.128.3/21 |
| Link address to the neighbouring ESR (iBGP) | default | bridge 9 / 9 | 100.64.0.57/30 | n/a | bridge 9 / 9 | 100.64.0.58/30 |
| Termination of the AP client subnet in the default VRF | default | bridge 10 / 10 | 198.18.192.2/19 | 198.18.192.1/32 | bridge 10 / 10 | 198.18.192.3/19 |
| Link to VRF DPI (eBGP in VRF dpi) | dpi | lt 2 | 10.200.200.2/30 | n/a | lt 2 | 10.200.200.6/30 |
| Internal link to the default VRF | dpi | gi1/0/1.214 | 100.64.0.74/30 | n/a | gi1/0/1.215 | 100.64.0.78/30 |
| Termination of the AP client subnet in a separate VRF (dpi) | dpi | bridge 12 / 12 | 198.19.0.2/19 | 198.19.0.1/32 | bridge 12 / 12 | 198.19.0.3/19 |
| Link address to the neighbouring ESR (iBGP in VRF dpi) | dpi | bridge 92 / 92 | 100.64.0.97/30 | n/a | bridge 92 / 92 | 100.64.0.98/30 |
...
Since the ESR connection scheme repeats the schemes from "Configuring ESR in wireless-controller mode with redundancy of the last-mile router" and "Configuring ESR when terminating one of the softgre sub-tunnels into a bridge in another VRF", the general ESR configuration (without the BRAS settings) is given directly below.

ESR BRAS L3-1 (Alfa):
#!/usr/bin/clish
#18
hostname Alfa
object-group network gre_termination
ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
ip prefix 198.18.128.0/21
ip prefix 198.18.192.0/19
ip prefix 100.64.0.56/30
ip prefix 198.19.0.0/19
exit
object-group network clients_AP
ip prefix 198.18.192.0/19
ip prefix 198.18.128.0/21
exit
object-group network clients_dpi
ip prefix 198.19.0.0/19
exit
object-group network SoftWLC
ip prefix 100.123.0.0/24
exit
ip vrf dpi
ip protocols bgp max-routes 250
exit
radius-server retransmit 2
radius-server host 100.123.0.2
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 5
priority 20
source-address 198.18.128.2
auth-port 31812
acct-port 31813
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
vlan 3
force-up
exit
vlan 10
force-up
exit
vlan 12
force-up
exit
vlan 101
force-up
exit
vlan 9,92
exit
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelink
exit
security zone user
exit
security zone trusted_dpi
ip vrf forwarding dpi
exit
security zone untrusted_dp
ip vrf forwarding dpi
exit
security zone sidelink_dpi
ip vrf forwarding dpi
exit
security zone user_dpi
ip vrf forwarding dpi
exit
route-map out_BGP_GRE
rule 10
match ip address object-group gre_termination
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map out_BGP_AP
rule 10
match ip address object-group mgmt_AP
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map out_BGP_NAT
rule 10
match ip address object-group clients_AP
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map in_PREF
rule 10
action set local-preference 90
action permit
exit
exit
route-map out_BGP_DPI
rule 1
match ip address object-group clients_dpi
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
router bgp 64603
neighbor 100.64.0.33
remote-as 12389
update-source 100.64.0.34
address-family ipv4 unicast
route-map out_BGP_GRE out
enable
exit
enable
exit
neighbor 100.64.0.41
remote-as 12389
update-source 100.64.0.42
address-family ipv4 unicast
route-map out_BGP_AP out
enable
exit
enable
exit
neighbor 100.64.0.49
remote-as 12389
update-source 100.64.0.50
address-family ipv4 unicast
route-map out_BGP_NAT out
enable
exit
enable
exit
neighbor 100.64.0.58
remote-as 64603
update-source 100.64.0.57
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
redistribute static
exit
enable
vrf dpi
neighbor 100.64.0.73
remote-as 12389
update-source 100.64.0.74
address-family ipv4 unicast
route-map out_BGP_DPI out
enable
exit
enable
exit
neighbor 100.64.0.98
remote-as 64603
update-source 100.64.0.97
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
exit
enable
exit
exit
tracking 1
vrrp 3 not state master
enable
exit
bridge 1
description "GRE_termination"
vlan 101
security-zone gre
ip firewall disable
ip address 192.168.200.51/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp ip 192.168.200.50/32 secondary
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 3
description "mgmt_AP"
vlan 3
security-zone trusted
ip firewall disable
ip address 198.18.128.2/21
ip helper-address 100.123.0.2
ip helper-address 100.123.0.3
ip helper-address vrrp-group 1
vrrp id 3
vrrp ip 198.18.128.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1400
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 9
description "SideLink"
vlan 9
security-zone sidelink
ip firewall disable
ip address 100.64.0.57/30
enable
exit
bridge 10
description "data1_AP"
vlan 10
unknown-unicast-forwarding disable
security-zone user
ip firewall disable
ip address 198.18.192.2/19
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 10
vrrp ip 198.18.192.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
location data10
protected-ports radius
protected-ports exclude vlan
rate-limit arp-broadcast
enable
exit
bridge 12
ip vrf forwarding dpi
vlan 12
unknown-unicast-forwarding disable
security-zone user_dpi
ip firewall disable
ip address 198.19.0.2/19
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 12
vrrp ip 198.19.0.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1458
location data12
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
rate-limit arp-broadcast
rate-limit arp-broadcast pps 1
enable
exit
bridge 92
ip vrf forwarding dpi
description "SideLink for VRF dpi"
vlan 92
security-zone sidelink_dpi
ip firewall disable
ip address 100.64.0.97/30
enable
exit
interface gigabitethernet 1/0/1
description "UpLink"
mode hybrid
exit
interface gigabitethernet 1/0/1.206
description "VRF_AP"
security-zone gre
ip firewall disable
ip address 100.64.0.34/30
ipv6 enable
exit
interface gigabitethernet 1/0/1.208
description "VRF_BACKBONE"
security-zone trusted
ip firewall disable
ip address 100.64.0.42/30
ipv6 enable
exit
interface gigabitethernet 1/0/1.210
description "VRF_NAT"
security-zone untrusted
ip firewall disable
ip address 100.64.0.50/30
ipv6 enable
exit
interface gigabitethernet 1/0/1.214
ip vrf forwarding dpi
description "br12_vrf"
security-zone untrusted_dp
ip firewall disable
ip address 100.64.0.74/30
ip tcp adjust-mss 1458
exit
interface gigabitethernet 1/0/2
description "SideLink"
mode hybrid
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,9-10,12,92,101 tagged
exit
tunnel lt 1
peer lt 2
security-zone trusted
ip firewall disable
ip address 10.200.200.1/30
enable
exit
tunnel lt 2
peer lt 1
ip vrf forwarding dpi
security-zone trusted_dpi
ip firewall disable
ip address 10.200.200.2/30
enable
exit
tunnel softgre 1
description "mgmt"
mode management
local address 192.168.200.49
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 3
enable
exit
tunnel softgre 2
description "data"
mode data
local address 192.168.200.50
default-profile
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 100.123.0.2
source-interface bridge 3
exit
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-dp-critical-temp
snmp-server enable traps environment cpu-dp-overheat-temp
snmp-server enable traps environment cpu-dp-supercooling-temp
snmp-server enable traps environment cpu-mgmt-critical-temp
snmp-server enable traps environment cpu-mgmt-overheat-temp
snmp-server enable traps environment cpu-mgmt-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps wifi wifi-tunnels-operation
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
security passwords history 0
ip dhcp-relay
ip route vrf dpi 100.123.0.0/24 10.200.200.1
ip route 198.19.0.0/19 10.200.200.2
wireless-controller
peer-address 100.64.0.58
nas-ip-address 198.18.128.2
vrrp-group 1
data-tunnel configuration radius
keepalive mode reactive
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip ssh server
ntp enable
ntp server 100.123.0.2
exit

ESR BRAS L3-2 (Beta):
#!/usr/bin/clish
#18
hostname Beta
object-group network gre_termination
ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
ip prefix 198.18.128.0/21
ip prefix 198.18.192.0/19
ip prefix 100.64.0.56/30
ip prefix 198.19.0.0/19
exit
object-group network clients_AP
ip prefix 198.18.192.0/19
ip prefix 198.18.128.0/21
exit
object-group network clients_dpi
ip prefix 198.19.0.0/19
exit
object-group network SoftWLC
ip prefix 100.123.0.0/24
exit
ip vrf dpi
ip protocols bgp max-routes 250
exit
radius-server retransmit 2
radius-server host 100.123.0.2
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 11
source-address 198.18.128.3
auth-port 31812
acct-port 31813
retransmit 2
dead-interval 10
exit
radius-server host 100.123.0.3
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 11
priority 20
source-address 198.18.128.3
auth-port 31812
acct-port 31813
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
vlan 3
force-up
exit
vlan 10
force-up
exit
vlan 12
force-up
exit
vlan 101
force-up
exit
vlan 9,92
exit
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelink
exit
security zone user
exit
security zone trusted_dpi
ip vrf forwarding dpi
exit
security zone untrusted_dp
ip vrf forwarding dpi
exit
security zone sidelink_dpi
ip vrf forwarding dpi
exit
security zone user_dpi
ip vrf forwarding dpi
exit
route-map out_BGP_GRE
rule 10
match ip address object-group gre_termination
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map out_BGP_AP
rule 10
match ip address object-group mgmt_AP
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map out_BGP_NAT
rule 10
match ip address object-group clients_AP
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map in_PREF
rule 10
action set local-preference 20
action permit
exit
exit
route-map out_BGP_DPI
rule 1
match ip address object-group clients_dpi
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
router bgp 64603
neighbor 100.64.0.37
remote-as 12389
update-source 100.64.0.38
address-family ipv4 unicast
route-map out_BGP_GRE out
enable
exit
enable
exit
neighbor 100.64.0.45
remote-as 12389
update-source 100.64.0.46
address-family ipv4 unicast
route-map out_BGP_AP out
enable
exit
enable
exit
neighbor 100.64.0.53
remote-as 12389
update-source 100.64.0.54
address-family ipv4 unicast
route-map out_BGP_NAT out
enable
exit
enable
exit
neighbor 100.64.0.57
remote-as 64603
update-source 100.64.0.58
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
redistribute static
exit
enable
vrf dpi
neighbor 100.64.0.77
remote-as 12389
update-source 100.64.0.78
address-family ipv4 unicast
route-map out_BGP_DPI out
enable
exit
enable
exit
neighbor 100.64.0.97
remote-as 64603
update-source 100.64.0.98
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
exit
enable
exit
exit
tracking 1
vrrp 3 not state master
enable
exit
bridge 1
description "GRE_termination"
vlan 101
security-zone gre
ip firewall disable
ip address 192.168.200.52/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp ip 192.168.200.50/32 secondary
vrrp priority 190
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
enable
exit
bridge 3
description "mgmt_AP"
vlan 3
security-zone trusted
ip firewall disable
ip address 198.18.128.3/21
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 3
vrrp ip 198.18.128.1/32
vrrp priority 190
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp track-ip interval 9
vrrp
ip tcp adjust-mss 1458
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 9
description "SideLink"
vlan 9
security-zone sidelink
ip firewall disable
ip address 100.64.0.58/30
enable
exit
bridge 10
description "data1_AP"
vlan 10
unknown-unicast-forwarding disable
security-zone user
ip firewall disable
ip address 198.18.192.3/19
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 10
vrrp ip 198.18.192.1/32
vrrp priority 190
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1458
location data10
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 12
ip vrf forwarding dpi
vlan 12
unknown-unicast-forwarding disable
security-zone user_dpi
ip firewall disable
ip address 198.19.0.3/19
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 12
vrrp ip 198.19.0.1/32
vrrp priority 190
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1400
location data12
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 92
ip vrf forwarding dpi
description "SideLink for VRF dpi"
vlan 92
security-zone sidelink_dpi
ip firewall disable
ip address 100.64.0.98/30
enable
exit
interface gigabitethernet 1/0/1
mode hybrid
switchport forbidden default-vlan
exit
interface gigabitethernet 1/0/1.207
description "VRF_AP"
security-zone gre
ip firewall disable
ip address 100.64.0.38/30
exit
interface gigabitethernet 1/0/1.209
description "VRF_BACKBONE"
security-zone trusted
ip firewall disable
ip address 100.64.0.46/30
ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.211
description "VRF_NAT"
security-zone untrusted
ip firewall disable
ip address 100.64.0.54/30
ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.215
ip vrf forwarding dpi
description "dpi_vrf"
security-zone untrusted_dp
ip firewall disable
ip address 100.64.0.78/30
ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/2
description "SideLink"
mode hybrid
switchport forbidden default-vlan
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,9-10,12,92,101 tagged
exit
tunnel lt 1
peer lt 2
security-zone trusted
ip firewall disable
ip address 10.200.200.5/30
enable
exit
tunnel lt 2
peer lt 1
ip vrf forwarding dpi
ip firewall disable
ip address 10.200.200.6/30
enable
exit
tunnel softgre 1
description "mgmt"
mode management
local address 192.168.200.49
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 3
enable
exit
tunnel softgre 2
description "data"
mode data
local address 192.168.200.50
default-profile
enable
exit
snmp-server
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 100.123.0.2
exit
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-dp-critical-temp
snmp-server enable traps environment cpu-dp-overheat-temp
snmp-server enable traps environment cpu-dp-supercooling-temp
snmp-server enable traps environment cpu-mgmt-critical-temp
snmp-server enable traps environment cpu-mgmt-overheat-temp
snmp-server enable traps environment cpu-mgmt-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps wifi wifi-tunnels-operation
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
security passwords history 0
ip dhcp-relay
ip route vrf dpi 100.123.0.0/24 10.200.200.5
ip route 198.19.0.0/19 10.200.200.6
wireless-controller
peer-address 100.64.0.57
nas-ip-address 198.18.128.3
vrrp-group 1
data-tunnel configuration radius
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip ssh server
ntp enable
ntp server 100.123.0.2
exit
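The consistency checker below is an added example; it is not part of the Eltex documentation or of the ESR firmware. It parses abridged fragments of the Alfa and Beta configurations shown above (one iBGP neighbor and the GRE-termination bridge of each router, copied from the page) and verifies the invariants the addressing plan in Table 2.2.1 relies on: each BGP neighbor lies in the same /30 as its update-source, each VRRP virtual address lies inside the bridge subnet, both routers carry the same virtual addresses per VRRP id with the MASTER (Alfa) at the higher priority, and each iBGP session on one router has its mirror image on the other. The /30 link size and the list of block openers the parser understands are assumptions made for these fragments; a full configuration would need the opener list extended.

```python
import ipaddress
# Keywords that open a nested block in the flat, "exit"-terminated ESR CLI
# (assumption: enough for the fragments below; extend for a full config).
OPENERS = ("router bgp", "vrf ", "neighbor ", "address-family", "bridge ")

def parse(text):
    """Collect BGP neighbors and VRRP bridges from flat ESR CLI text."""
    stack, own_as, neighbors, bridges = [], None, {}, {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        w = line.split()
        if line == "exit":
            stack.pop()
        elif line.startswith(OPENERS):
            stack.append(line)
            if w[0] == "router":
                own_as = int(w[2])
            elif w[0] == "neighbor":
                neighbors[w[1]] = {"ibgp": False, "src": None}
            elif w[0] == "bridge":
                bridges[int(w[1])] = {"addr": None, "id": None, "vips": set(), "prio": None}
        elif stack and stack[-1].startswith("neighbor "):
            n = neighbors[stack[-1].split()[1]]
            if w[0] == "remote-as":
                n["ibgp"] = int(w[1]) == own_as  # same AS as "router bgp" means iBGP
            elif w[0] == "update-source":
                n["src"] = w[1]
        elif stack and stack[-1].startswith("bridge "):
            b, key = bridges[int(stack[-1].split()[1])], " ".join(w[:2])
            if key == "ip address":
                b["addr"] = ipaddress.ip_interface(w[2])
            elif key == "vrrp id":
                b["id"] = int(w[2])
            elif key == "vrrp ip":
                b["vips"].add(ipaddress.ip_interface(w[2]).ip)
            elif key == "vrrp priority":
                b["prio"] = int(w[2])
    return neighbors, bridges

def check_one(neighbors, bridges):
    """Per-router invariants; returns a list of problems (empty means consistent)."""
    problems = []
    for addr, n in neighbors.items():
        link = ipaddress.ip_network(f"{n['src']}/30", strict=False)  # assumption: /30 links
        if ipaddress.ip_address(addr) not in link:
            problems.append(f"neighbor {addr} not in the /30 of update-source {n['src']}")
    for bid, b in bridges.items():
        for vip in b["vips"]:
            if vip not in b["addr"].network:
                problems.append(f"bridge {bid}: VRRP address {vip} outside {b['addr'].network}")
    return problems

def check_pair(master, backup):
    """Cross-router invariants: shared VRRP state, master priority, mirrored iBGP."""
    (mn, mb), (bn, bb), problems = master, backup, []
    for bid, m in mb.items():
        b = bb.get(bid)
        if m["id"] is None or b is None:
            continue  # not a VRRP bridge, or absent on the backup
        if (m["id"], m["vips"]) != (b["id"], b["vips"]):
            problems.append(f"bridge {bid}: VRRP id or virtual addresses differ between routers")
        elif m["prio"] <= b["prio"]:
            problems.append(f"bridge {bid}: master priority {m['prio']} not above backup {b['prio']}")
    for addr, n in mn.items():
        peer = bn.get(n["src"])  # the backup's session back towards this router
        if n["ibgp"] and (peer is None or peer["src"] != addr):
            problems.append(f"iBGP {n['src']} <-> {addr}: no mirrored session on the backup")
    return problems

def audit(master_text, backup_text):
    master, backup = parse(master_text), parse(backup_text)
    return check_one(*master) + check_one(*backup) + check_pair(master, backup)

# Abridged fragments of the page's own Alfa and Beta configurations.
ALFA = """
router bgp 64603
neighbor 100.64.0.58
remote-as 64603
update-source 100.64.0.57
exit
exit
bridge 1
ip address 192.168.200.51/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp priority 200
exit
"""
BETA = """
router bgp 64603
neighbor 100.64.0.57
remote-as 64603
update-source 100.64.0.58
exit
exit
bridge 1
ip address 192.168.200.52/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp priority 190
exit
"""
```

`audit(ALFA, BETA)` returns an empty list for the fragments as they appear on the page; changing Beta's `vrrp priority 190` to 200, or moving either `update-source` out of the shared /30, produces a finding, which is the kind of drift that silently breaks the VRRP and tracking-based failover described in this section.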
...
4.2. Configuring BRAS on the ESR
BRAS configuration is described in detail in the document "BRAS. L2 WiFi - configuration and quick start guide", so below only the configuration is given, with the explanations needed for the new settings.
Configure interaction with the RADIUS server:

ESR BRAS L3-1 (Alfa):
radius-server retransmit 2
radius-server host 100.123.0.2
key ascii-text testing123
timeout 5
priority 20
source-address 198.18.128.2
auth-port 31812
acct-port 31813
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text testing123
port 3799
clients object-group SoftWLC
exit
das-server COA_dpi
key ascii-text testing123
port 30799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
aaa das-profile COA_dpi
das-server COA_dpi
exit

ESR BRAS L3-2 (Beta):
radius-server retransmit 2
radius-server host 100.123.0.2
key ascii-text testing123
timeout 5
priority 20
source-address 198.18.128.3
auth-port 31812
acct-port 31813
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text testing123
port 3799
clients object-group SoftWLC
exit
das-server COA_dpi
key ascii-text testing123
port 30799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
aaa das-profile COA_dpi
das-server COA_dpi
exit

Note that an additional das-server has appeared; it will be used later for interaction with the BRAS instance running in VRF dpi. The settings for the two routers differ only in the source-address.
Configure the access lists that the BRAS services will use:
ip access-list extended WELCOME
rule 1
action permit
match protocol tcp
match destination-port 443
enable
exit
rule 2
action permit
match protocol tcp
match destination-port 8443
enable
exit
rule 3
action permit
match protocol tcp
match destination-port 80
enable
exit
rule 4
action permit
match protocol tcp
match destination-port 8080
enable
exit
exit
ip access-list extended INTERNET
rule 1
action permit
enable
exit
exit
ip access-list extended unauthUSER
rule 1
action permit
match protocol udp
match source-port 68
match destination-port 67
enable
exit
rule 2
action permit
match protocol udp
match destination-port 53
enable
exit
exit

This configuration is identical on both ESRs.
Next, add the required BRAS settings on the client interface:
4.2) Then configure BRAS:
Portal.
The "Interaction with BRAS" flag must be enabled.
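As an added example, not code from the Eltex documentation, the evaluator below reads the access lists above and shows which flows each list admits. The list text is the page's own (WELCOME abridged to two of its four ports); the rule semantics it assumes are that rules are tried in ascending number, only rules with `enable` are active, a rule without `match` lines matches everything, and a flow matching no rule is denied. Run over unauthUSER it makes visible what an unauthenticated client can reach through that list: DHCP and DNS only.

```python
# Constructed copy of the page's access lists (WELCOME abridged to two of its four ports).
ACL_TEXT = """
ip access-list extended WELCOME
rule 1
action permit
match protocol tcp
match destination-port 443
enable
exit
rule 3
action permit
match protocol tcp
match destination-port 80
enable
exit
exit
ip access-list extended INTERNET
rule 1
action permit
enable
exit
exit
ip access-list extended unauthUSER
rule 1
action permit
match protocol udp
match source-port 68
match destination-port 67
enable
exit
rule 2
action permit
match protocol udp
match destination-port 53
enable
exit
exit
"""


def parse_acls(text):
    """Return {name: [rule, ...]} from the flat ESR access-list syntax."""
    acls, rules, rule = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        w = line.split()
        if w[:3] == ["ip", "access-list", "extended"]:
            rules = acls.setdefault(w[3], [])
        elif w[0] == "rule":
            rule = {"num": int(w[1]), "action": "deny", "match": {}, "enabled": False}
            rules.append(rule)
        elif w[0] == "exit":
            if rule is None:
                rules = None  # leaving the access-list itself
            rule = None       # leaving the rule
        elif rule is not None:
            if w[0] == "action":
                rule["action"] = w[1]
            elif w[0] == "match":
                rule["match"][w[1]] = w[2]  # protocol / source-port / destination-port
            elif w[0] == "enable":
                rule["enabled"] = True
    return acls


def evaluate(rules, protocol, src_port=None, dst_port=None):
    """First active rule whose match lines all hold decides; otherwise implicit deny."""
    flow = {"protocol": protocol, "source-port": src_port, "destination-port": dst_port}
    for rule in sorted(rules, key=lambda r: r["num"]):
        if rule["enabled"] and all(str(flow.get(k)) == v for k, v in rule["match"].items()):
            return rule["action"], rule["num"]
    return "deny", None


ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    # constructed probe flows: DHCP discover, DNS, HTTPS, SSH
    for flow in [("udp", 68, 67), ("udp", 40000, 53), ("tcp", 40000, 443), ("tcp", 40000, 22)]:
        print(flow, {name: evaluate(rules, *flow) for name, rules in ACLS.items()})
```

The same evaluator is a quick way to confirm, before a change is pushed, that widening WELCOME or unauthUSER does not let an unauthenticated client past the portal ports.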
...