[draw.io diagram: stand-main]
Addressing for GRE
Subnets

| Stand # | VLAN / tunnel IP subnet (MES) | VLAN / GRE termination subnet (ESR) | AP MGMT subnet (ESR) | AP USER SSID1 subnet (ESR) | VLAN / AP USER SSID2 subnet, local switching | admin (ESR) | admin (MES) |
|---|---|---|---|---|---|---|---|
| 1 | 2001 / 192.168.101.0/24 | 2011 / 172.16.101.0/28 | 172.31.101.0/24 | 100.64.1.0/24 | 2021 / 100.64.101.0/24 | 10.10.2.4/24 | 10.10.2.201/24 |
| 2 | 2002 / 192.168.102.0/24 | 2012 / 172.16.102.0/28 | 172.31.102.0/24 | 100.64.2.0/24 | 2022 / 100.64.102.0/24 | 10.10.2.5/24 | 10.10.2.202/24 |
| 3 | 2003 / 192.168.103.0/24 | 2013 / 172.16.103.0/28 | 172.31.103.0/24 | 100.64.3.0/24 | 2023 / 100.64.103.0/24 | 10.10.2.6/24 | 10.10.2.203/24 |
| 4 | 2004 / 192.168.104.0/24 | 2014 / 172.16.104.0/28 | 172.31.104.0/24 | 100.64.4.0/24 | 2024 / 100.64.104.0/24 | 10.10.2.7/24 | 10.10.2.204/24 |
| 5 | 2005 / 192.168.105.0/24 | 2015 / 172.16.105.0/28 | 172.31.105.0/24 | 100.64.5.0/24 | 2025 / 100.64.105.0/24 | 10.10.2.8/24 | 10.10.2.205/24 |
| 6 | 2006 / 192.168.106.0/24 | 2016 / 172.16.106.0/28 | 172.31.106.0/24 | 100.64.6.0/24 | 2026 / 100.64.106.0/24 | 10.10.2.9/24 | 10.10.2.206/24 |
| 7 | 2007 / 192.168.107.0/24 | 2017 / 172.16.107.0/28 | 172.31.107.0/24 | 100.64.7.0/24 | 2027 / 100.64.107.0/24 | 10.10.2.10/24 | 10.10.2.207/24 |
| 8 | 2008 / 192.168.108.0/24 | 2018 / 172.16.108.0/28 | 172.31.108.0/24 | 100.64.8.0/24 | 2028 / 100.64.108.0/24 | 10.10.2.11/24 | 10.10.2.208/24 |
| 9 | 2009 / 192.168.109.0/24 | 2019 / 172.16.109.0/28 | 172.31.109.0/24 | 100.64.9.0/24 | 2029 / 100.64.109.0/24 | 10.10.2.12/24 | 10.10.2.209/24 |
| 10 | 2010 / 192.168.110.0/24 | 2020 / 172.16.110.0/28 | 172.31.110.0/24 | 100.64.10.0/24 | 2030 / 100.64.110.0/24 | 10.10.2.13/24 | 10.10.2.210/24 |
| 11 | 2011 / 192.168.111.0/24 | 2021 / 172.16.111.0/28 | 172.31.111.0/24 | 100.64.11.0/24 | 2030 / 100.64.111.0/24 | 10.10.2.14/24 | 10.10.2.211/24 |
SoftWLC and ISC DHCP address: 10.10.2.254.
MES access: admin / admin
ESR access: admin / password
MES configuration
Base configuration (management VLAN 10):
```text
vlan database
vlan 10
exit
!
hostname 201
!
interface gigabitethernet1/0/1
switchport mode general
switchport general allowed vlan add 10 untagged
switchport general pvid 10
switchport forbidden default-vlan
exit
!
interface gigabitethernet1/0/2
switchport mode general
switchport general allowed vlan add 10 untagged
switchport general pvid 10
switchport forbidden default-vlan
exit
!
interface gigabitethernet1/0/3
switchport mode general
switchport general allowed vlan add 10 untagged
switchport general pvid 10
switchport forbidden default-vlan
exit
!
interface gigabitethernet1/0/4
switchport mode general
switchport general allowed vlan add 10 untagged
exit
!
interface vlan 10
ip address 10.10.2.201 255.255.255.0
exit
!
!
end
```
Additional configuration for the GRE stand (VLANs 2001/2011/2021 and DHCP relay to SoftWLC):
```text
ip dhcp relay address 10.10.2.254
ip dhcp relay enable
vlan database
vlan 2001, 2011, 2021
exit
interface gigabitethernet1/0/1
switchport general allowed vlan add 2011 tagged
exit
interface gigabitethernet1/0/2
ip dhcp relay enable
switchport mode general
switchport general allowed vlan add 2021 tagged
switchport general allowed vlan add 2001 untagged
switchport general pvid 2001
switchport forbidden default-vlan
exit
interface vlan 2001
ip address 192.168.101.1 /24
ip dhcp relay enable
exit
interface vlan 2011
ip address 172.16.101.5 /28
ip dhcp relay enable
exit
interface vlan 2021
ip address 100.64.101.1 /24
ip dhcp relay enable
exit
```
ESR configuration
Initial configuration:
```text
hostname 4
vlan 2
exit
bridge 2
description "UpLink"
vlan 2
ip firewall disable
ip address 10.10.2.4/24
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport forbidden default-vlan
switchport mode trunk
switchport trunk native-vlan 2
exit
security passwords history 0
ip telnet server
ip ssh server
```
License installation:
```text
4# show system id
Serial number:
NP15008778
4# copy tftp://10.10.2.254:/NP15008778.lic system:licence
```
Full ESR configuration:

Note that this is a lab configuration: telnet is enabled, the SNMP communities are the defaults public (ro) and private (rw), the RADIUS and CoA shared key is testing123, and every bridge carries ip firewall disable, so the zone-pair rules below are defined but are not applied to traffic on those bridges. None of these settings belong in a production deployment.
```text
hostname 4
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group network MGMT
ip prefix 10.10.2.0/24
ip prefix 172.31.101.0/24
ip prefix 172.16.101.0/28
exit
object-group network nat_users
ip prefix 100.64.1.0/24
exit
radius-server timeout 10
radius-server host 10.10.2.254
key ascii-text testing123
timeout 11
source-address 10.10.2.4
auth-port 31812
acct-port 31813
retransmit 2
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 10.10.2.254
exit
das-server COA
key ascii-text testing123
port 3799
clients object-group MGMT
exit
aaa das-profile COA
das-server COA
exit
vlan 2,2011
exit
no spanning-tree
domain lookup enable
domain name-server 77.88.8.8
security zone trusted
exit
security zone untrusted
exit
security zone user
exit
security zone gre
exit
bridge 1
description "GRE_termination"
vlan 2011
security-zone gre
ip firewall disable
ip address 172.16.101.1/28
ip address 172.16.101.2/28
enable
exit
bridge 2
description "UpLink"
vlan 2
security-zone untrusted
ip firewall disable
ip address 10.10.2.4/24
enable
exit
bridge 3
description "AP_MANAGMENT"
security-zone trusted
ip firewall disable
ip address 172.31.101.1/24
ip helper-address 10.10.2.254
ip tcp adjust-mss 1418
protected-ports local
enable
exit
bridge 10
description "AP_SSID1_USERS"
security-zone user
ip firewall disable
ip address 100.64.1.1/24
ip helper-address 10.10.2.254
ip tcp adjust-mss 1418
location data10
protected-ports local
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport forbidden default-vlan
switchport mode trunk
switchport trunk native-vlan 2
switchport trunk allowed vlan add 2011
exit
tunnel softgre 1
description "managment"
mode management
local address 172.16.101.1
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 3
enable
exit
tunnel softgre 2
description "data"
mode data
local address 172.16.101.2
default-profile
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public" ro
snmp-server community "private" rw
snmp-server host 10.10.2.254
exit
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
security zone-pair gre self
rule 1
action permit
match protocol gre
enable
exit
rule 2
action permit
match protocol icmp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match source-address MGMT
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
match source-address MGMT
enable
exit
exit
security zone-pair trusted user
rule 1
action permit
enable
exit
exit
security zone-pair trusted gre
rule 1
action permit
enable
exit
exit
security zone-pair user self
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
exit
security zone-pair user trusted
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
exit
security zone-pair user untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match source-address MGMT
enable
exit
exit
security passwords history 0
nat source
ruleset nat_ALL
to interface bridge 2
rule 1
match source-address nat_users
match not destination-address MGMT
action source-nat interface
enable
exit
exit
exit
ip dhcp-relay
ip route 0.0.0.0/0 10.10.2.1
ip route 192.168.101.0/24 172.16.101.5
wireless-controller
nas-ip-address 10.10.2.4
data-tunnel configuration radius
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip ssh server
ntp enable
ntp server 10.10.2.254
exit
```
DHCP server
Initial part:
```text
default-lease-time 300;
max-lease-time 310;
log-facility local7;
#listening subnet
subnet 10.10.2.0 netmask 255.255.255.0 {}
# Classes of equipment that are allowed to obtain a management address
# (the substring length must match the length of the literal it is compared with;
#  the two ELTX_ entries were compared over 14 bytes against 13-byte literals)
class "ELTEX-DEVICES" {
match if (
(substring (option vendor-class-identifier, 0, 14)="ELTEX_WEP-12AC") or
(substring (option vendor-class-identifier, 0, 14)="ELTEX_WOP-12AC") or
(substring (option vendor-class-identifier, 0, 13)="ELTX_WEP-12AC") or
(substring (option vendor-class-identifier, 0, 13)="ELTX_WOP-12AC") or
(substring (option vendor-class-identifier, 0, 13)="ELTEX_WEP-2AC") or
(substring (option vendor-class-identifier, 0, 12)="ELTEX_WOP-2L") or
(substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-2L") or
(substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-1L")
);
}
```
Configuration:
```text
#------------------------Stand 1------------------------------------------------
# Primary AP address subnet in VLAN 2001
subnet 192.168.101.0 netmask 255.255.255.0 {
pool {
option routers 192.168.101.1;
range 192.168.101.10 192.168.101.254;
# option 43 decoded: sub-option 11 = "172.16.101.1", sub-option 12 = "172.16.101.2" (the ESR GRE termination addresses)
option vendor-encapsulated-options 0B:0C:31:37:32:2E:31:36:2E:31:30:31:2E:31:0C:0C:31:37:32:2E:31:36:2E:31:30:31:2E:32;
allow members of "ELTEX-DEVICES";
}
}
# AP management subnet on ESR-1
subnet 172.31.101.0 netmask 255.255.255.0 {
pool {
option routers 172.31.101.1;
range 172.31.101.10 172.31.101.254;
# option 43 decoded: sub-option 10 = "10.10.2.149"
option vendor-encapsulated-options 0A:0B:31:30:2E:31:30:2E:32:2E:31:34:39;
allow members of "ELTEX-DEVICES";
option domain-name-servers 172.31.101.1;
}
}
# AP SSID1 user subnet on ESR-1 (inside GRE)
subnet 100.64.1.0 netmask 255.255.255.0 {
pool {
option routers 100.64.1.1;
range 100.64.1.10 100.64.1.254;
option domain-name-servers 100.64.1.1;
}
}
# AP SSID2 user subnet (local switching)
subnet 100.64.101.0 netmask 255.255.255.0 {
pool {
option routers 100.64.101.1;
range 100.64.101.10 100.64.101.254;
option domain-name-servers 100.64.101.1;
}
}
```
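The vendor-encapsulated-options strings in the subnet declarations above are DHCP option 43 payloads: a sequence of TLVs with a one-byte sub-option code, a one-byte length and an ASCII value. The Python below is an added example, not code from the page, from SoftWLC or from ISC DHCP: it decodes the page's strings, builds the string for any stand number and rejects a truncated TLV. The meaning of sub-options 11 and 12 (management and data GRE endpoints) is inferred from the ESR tunnel softgre local addresses 172.16.101.1 and 172.16.101.2 in the configuration above and is an assumption; sub-option 10 is decoded only, the page does not state its role.

```python
import ipaddress

# Added example (not from the page): encode/decode ISC DHCP option 43
# (vendor-encapsulated-options) as used in the stand's subnet declarations.
# Layout of each sub-option: code (1 byte), length (1 byte), value (length bytes).


def decode_option43(hexstr: str) -> dict:
    """Parse a colon-separated hex string into {sub_option_code: ascii_value}."""
    data = bytes.fromhex(hexstr.replace(":", ""))
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code}: declared {length} bytes, got {len(value)}")
        out[code] = value.decode("ascii")
        i += 2 + length
    return out


def encode_option43(suboptions: dict) -> str:
    """Build the colon-separated hex string dhcpd expects from {code: ipv4_text}."""
    parts = bytearray()
    for code, addr in suboptions.items():
        value = str(ipaddress.IPv4Address(addr)).encode("ascii")  # validates the address
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"invalid sub-option {code}")
        parts += bytes([code, len(value)]) + value
    return ":".join(f"{b:02X}" for b in parts)


def tunnel_endpoints_for_stand(n: int) -> str:
    """Option 43 string pointing APs of stand n at that stand's ESR GRE endpoints.

    Assumption: sub-option 11 = management tunnel endpoint (.1), sub-option 12 =
    data tunnel endpoint (.2), mirroring the ESR 'tunnel softgre' local addresses.
    """
    return encode_option43({11: f"172.16.{100 + n}.1", 12: f"172.16.{100 + n}.2"})


if __name__ == "__main__":
    page_string = ("0B:0C:31:37:32:2E:31:36:2E:31:30:31:2E:31:"
                   "0C:0C:31:37:32:2E:31:36:2E:31:30:31:2E:32")
    print(decode_option43(page_string))
    print(tunnel_endpoints_for_stand(2))
```

Round-tripping the page's own string through decode_option43 and tunnel_endpoints_for_stand(1) is a quick way to confirm that a hand-edited option 43 line for a new stand really carries the addresses you intended.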
Return routes on the SoftWLC server:
```shell
# routes for stand 1
ip route add 192.168.101.0/24 via 10.10.2.201
ip route add 172.31.101.0/24 via 10.10.2.4
ip route add 100.64.1.0/24 via 10.10.2.4
ip route add 100.64.101.0/24 via 10.10.2.4
```
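The addressing table at the top of the page and the return-routes block above follow a fixed arithmetic in the stand number. The Python below is an added example, not from the page: it derives the plan for stand n from that pattern, checks that no two subnets in the whole lab overlap, and emits the SoftWLC return routes for a stand. Row 11 of the table lists VLAN 2030 for the local-switching SSID, which duplicates stand 10; the generator follows the pattern of rows 1 to 10 and yields 2031, and that is an assumption.

```python
import ipaddress

# Added example (not from the page): derive the per-stand addressing from the
# stand number n using the arithmetic pattern of rows 1-10 of the table.


def stand_plan(n: int) -> dict:
    """Return the addressing plan for stand n (the table defines stands 1..11)."""
    if not 1 <= n <= 11:
        raise ValueError("the table defines stands 1..11")
    return {
        "vlan_tunnel": 2000 + n,   # VLAN with the AP primary addresses on MES
        "subnet_tunnel": ipaddress.ip_network(f"192.168.{100 + n}.0/24"),
        "vlan_gre": 2010 + n,      # GRE termination VLAN between MES and ESR
        "subnet_gre": ipaddress.ip_network(f"172.16.{100 + n}.0/28"),
        "subnet_ap_mgmt": ipaddress.ip_network(f"172.31.{100 + n}.0/24"),
        "subnet_ssid1": ipaddress.ip_network(f"100.64.{n}.0/24"),
        # assumption: row 11 on the page says 2030, the pattern of rows 1-10 gives 2031
        "vlan_ssid2": 2020 + n,
        "subnet_ssid2": ipaddress.ip_network(f"100.64.{100 + n}.0/24"),
        "admin_esr": ipaddress.ip_interface(f"10.10.2.{3 + n}/24"),
        "admin_mes": ipaddress.ip_interface(f"10.10.2.{200 + n}/24"),
    }


def find_overlaps(stands) -> list:
    """Return (stand_a, key_a, stand_b, key_b) for every pair of overlapping subnets."""
    nets = []
    for n in stands:
        for key, val in stand_plan(n).items():
            if key.startswith("subnet_"):
                nets.append((n, key, val))
    hits = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            a, b = nets[i], nets[j]
            if a[2].overlaps(b[2]):
                hits.append((a[0], a[1], b[0], b[1]))
    return hits


def softwlc_return_routes(n: int) -> list:
    """The 'ip route add' lines the SoftWLC server needs for stand n.

    The primary AP subnet is routed via the MES (which owns the VLAN 200n SVI),
    everything terminated on the ESR is routed via the ESR admin address.
    """
    p = stand_plan(n)
    mes, esr = p["admin_mes"].ip, p["admin_esr"].ip
    return [
        f"ip route add {p['subnet_tunnel']} via {mes}",
        f"ip route add {p['subnet_ap_mgmt']} via {esr}",
        f"ip route add {p['subnet_ssid1']} via {esr}",
        f"ip route add {p['subnet_ssid2']} via {esr}",
    ]


if __name__ == "__main__":
    print("overlaps:", find_overlaps(range(1, 12)))
    print("\n".join(softwlc_return_routes(1)))
```

find_overlaps over all eleven stands returns an empty list, which is the property the plan relies on: the ESR NAT rule and the SoftWLC return routes only work if each subnet identifies exactly one stand and role.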