
...

Interface | VLAN | WLC-1 IP       | WLC-2 IP       | VRRP IP        | Description
Bridge 1  | 2449 | 192.168.1.2/24 | 192.168.1.3/24 | 192.168.1.1/32 | Management network interface
Bridge 3  | 3    | 192.168.2.2/24 | 192.168.2.3/24 | 192.168.2.1/32 | Interface for Wi-Fi clients

...

Service            | Protocol | Port | Description
softgre-controller | TCP      | 1337 | Used to synchronize softgre tunnels
crypto-sync        | TCP      | 873  | Used to synchronize certificates and access point state
VRRP               | VRRP     | -    | Used for redundancy

...

Connect to the WLC and enter configuration mode:

wlc# config

Change the device hostname:

hostname WLC-1

Create VLAN 2449:

vlan 2449
  force-up
exit

Configure interface gi 1/0/2 to accept tagged traffic in VLAN 3 and 2449:

interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit

Create object-groups for the firewall configuration:

object-group service sync
  port-range 873
exit
object-group service softgre_controller
  port-range 1337
exit

Change the addressing and configure VRRP on the bridges:

no bridge 1
no bridge 3

bridge 1
  vlan 2449
  security-zone trusted
  ip address 192.168.1.2/24
  vrrp priority 120
  vrrp id 1
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp preempt disable
  vrrp timers garp refresh 60
  vrrp
  no spanning-tree
  enable
exit 
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.2/24
  vrrp priority 120 
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp preempt disable
  vrrp timers garp refresh 60
  vrrp
  no spanning-tree
  enable
exit

Configure Crypto-Sync for certificate synchronization:

crypto-sync
  local-address 192.168.1.2
  remote-address 192.168.1.3
  vrrp-group 1
  remote-delete
  enable
exit

Configure Softgre-Controller for SoftGRE tunnel synchronization:

softgre-controller
  peer-address 192.168.1.3
  vrrp-group 1
exit

Configure the WLC for access point synchronization:

wlc
  failover
    local-address 192.168.1.2
    remote-address 192.168.1.3
    vrrp-group 1
    enable
  exit
exit

Configure the firewall rules: permit the VRRP protocol and the ports used for tunnel and certificate synchronization:

security zone-pair trusted self
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port softgre_controller
    enable
  exit  
  rule 13
    action permit
    match protocol tcp
    match destination-port sync
    enable
  exit
exit 
security zone-pair users self
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
exit

Configure the DHCP server:

no ip dhcp-server pool users-pool
no ip dhcp-server pool ap-pool

ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit

Configure DHCP Failover:

ip dhcp-server failover
  mode active-standby
  local-address 192.168.1.2
  remote-address 192.168.1.3
  vrrp-group 1
  enable
exit

Create a user on the local RADIUS server:

radius-server local
  domain default
    user test
      password ascii-text 12345678
    exit
  exit
exit

Apply and confirm the configuration:

wlc-1# commit 
wlc-1# confirm 

...

Connect to the WLC and enter configuration mode:

wlc# config

Change the device hostname:

hostname WLC-2

Create VLAN 2449:

vlan 2449
  force-up
exit

Configure interface gi 1/0/2 to accept tagged traffic in VLAN 3 and 2449:

interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit

Create object-groups for the firewall configuration:

object-group service sync
  port-range 873
exit
object-group service softgre_controller
  port-range 1337
exit

Change the addressing and configure VRRP on the bridges:

no bridge 1
no bridge 3

bridge 1
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24
  vrrp priority 110
  vrrp id 1
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp preempt disable
  vrrp timers garp refresh 60
  vrrp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24
  vrrp priority 110
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp preempt disable
  vrrp timers garp refresh 60
  vrrp
  no spanning-tree
  enable
exit

Configure Crypto-Sync for certificate synchronization:

crypto-sync
  local-address 192.168.1.3
  remote-address 192.168.1.2
  vrrp-group 1
  remote-delete
  enable
exit

Configure Softgre-Controller for SoftGRE tunnel synchronization:

softgre-controller
  peer-address 192.168.1.2
  vrrp-group 1
exit

Configure the WLC for access point synchronization:

wlc
  failover
    local-address 192.168.1.3
    remote-address 192.168.1.2
    vrrp-group 1
    enable
  exit
exit

Configure the firewall rules: permit the VRRP protocol and the ports used for tunnel and certificate synchronization:

security zone-pair trusted self    
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port softgre_controller
    enable
  exit  
  rule 13
    action permit
    match protocol tcp
    match destination-port sync
    enable
  exit
exit 
security zone-pair users self
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
exit 

Configure the DHCP server:

no ip dhcp-server pool users-pool
no ip dhcp-server pool ap-pool

ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit 
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit

Configure DHCP Failover:

ip dhcp-server failover
  mode active-standby
  local-address 192.168.1.3
  remote-address 192.168.1.2
  vrrp-group 1
  enable
exit

Create a user on the local RADIUS server:

radius-server local
  domain default
    user test
      password ascii-text 12345678
    exit
  exit
exit

Apply and confirm the configuration:

wlc-2# commit 
wlc-2# confirm 
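The two procedures above only give a working failover if WLC-1 and WLC-2 mirror each other exactly. As an added example (not code from the original page or from the vendor), the Python check below parses CLI snippets like the ones above and verifies the mirroring: each redundancy block names the peer's address as its remote and shares the vrrp-group (shown for crypto-sync; softgre-controller, wlc failover and ip dhcp-server failover use the same local-address/remote-address pattern), and each bridge carries the same VRRP IP and group on both controllers with distinct priorities. The block-opener list, the constructed WLC-1 sample and the helper that derives WLC-2 from it are assumptions of this example.

```python
# Block openers whose bodies are collected; any other line is an attribute of the open block.
BLOCKS = ("bridge", "crypto-sync", "softgre-controller", "wlc", "failover", "ip dhcp-server failover")
def parse(cfg):
    """Return {block path: {attribute: value}}; 'exit' closes the innermost block."""
    stack, blocks = [], {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "exit":
            stack.pop()  # snippets are balanced, as the CLI requires
        elif line.startswith(BLOCKS):
            stack.append(line)
            blocks["/".join(stack)] = {}
        elif line and stack:
            key, _, val = line.rpartition(" ")  # last token is the value: 'vrrp priority' -> '120'
            blocks["/".join(stack)][key or val] = val if key else True
    return blocks
def check_pair(cfg_a, cfg_b):
    """List every mismatch that would leave the pair without a working failover."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for path in sorted(set(a) | set(b)):
        if path not in a or path not in b:
            findings.append(f"{path}: present on one controller only")
            continue
        x, y = a[path], b[path]
        if "local-address" in x:  # sync blocks: each side's local is the other's remote
            mirrored = (y.get("remote-address"), y.get("local-address"), y.get("vrrp-group"))
            if (x.get("local-address"), x.get("remote-address"), x.get("vrrp-group")) != mirrored:
                findings.append(f"{path}: addresses not mirrored or vrrp-group differs")
        if path.startswith("bridge"):  # VRRP: shared virtual IP and group, distinct priorities
            if (x.get("vrrp ip"), x.get("vrrp group")) != (y.get("vrrp ip"), y.get("vrrp group")):
                findings.append(f"{path}: vrrp ip or group differs")
            if x.get("vrrp priority") == y.get("vrrp priority"):
                findings.append(f"{path}: equal vrrp priority, master election is a tie")
    return findings
# Constructed sample: bridge 1 and crypto-sync as in the WLC-1 procedure above.
WLC1 = """bridge 1
 ip address 192.168.1.2/24
 vrrp priority 120
 vrrp ip 192.168.1.1/32
 vrrp group 1
exit
crypto-sync
 local-address 192.168.1.2
 remote-address 192.168.1.3
 vrrp-group 1
exit"""
# WLC-2 constructed by mirroring WLC-1: swap the two real addresses, lower the priority.
WLC2 = (WLC1.replace("192.168.1.2", "@").replace("192.168.1.3", "192.168.1.2")
        .replace("@", "192.168.1.3").replace("priority 120", "priority 110"))
```

check_pair(WLC1, WLC2) returns an empty list for the pair above; feeding the same configuration twice reports the tied priority and the unmirrored crypto-sync addresses.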

...

Configuration

#!/usr/bin/clish
#192
#1.19.1
#31/08/2023
#16:51:49
hostname WLC-2

object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit

radius-server local
nas ap
key ascii-text encrypted 8CB5107EA7005AFF
network 192.168.1.0/24
exit
nas local
key ascii-text encrypted 8CB5107EA7005AFF
network 127.0.0.1/32
exit
domain default
user test
password ascii-text encrypted CDE65039E5591FA3
exit
exit
virtual-server default
enable
exit
enable
exit
username admin
password encrypted $6$gnFubZbxiPHa/WdA$xEmrfe/dVeVNDGBztQUB1Sk8In.20Hep/LxMJhxcHFWCfs2SPwxaCyyNxmzL3Bqu8buj71PPfp7WdfWz8AqrU/
exit
radius-server host 127.0.0.1
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit


boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit

bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.3/24
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 110
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp priority 110
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit

interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit

security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit

security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit

ip dhcp-server failover
mode active-standby
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit

softgre-controller
peer-address 192.168.1.2
nas-ip-address 127.0.0.1
vrrp-group 1
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit

wlc
outside-address 192.168.1.1
service-activator
aps join auto
password private-crt-key ascii-text encrypted 8CB5107EA7005AFF
exit
airtune
enable
exit
failover
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit
ap-location default-location
description default-location
mode tunnel
ap-profile default-ap
airtune-profile default_airtune
board-profile WEP-1L default_wep-1l_profile
board-profile WEP-200L default_wep-200l_profile
board-profile WEP-2L default_wep-2l_profile
board-profile WEP-30L default_wep-30l_profile
board-profile WEP-3ax default_wep-3ax_profile
board-profile WOP-20L default_wop-20l_profile
board-profile WOP-2L default_wop-2l_profile
board-profile WOP-30L default_wop-30l_profile
ssid-profile default-ssid
exit
airtune-profile default_airtune
exit
ssid-profile default-ssid
description default-ssid
ssid default-ssid
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
board-profile default_wep-1l_profile
ap-model WEP-1L
radio wlan0
band 2g
work-mode bgn
autochannel
channel 1
use-limit-channels
bandwidth 20
tx-power 16
limit-channels 1,11,6
exit
radio wlan1
band 5g
work-mode ac
autochannel
channel 36
use-limit-channels
bandwidth 20
tx-power 19
limit-channels 36,40,44,48
exit
exit
board-profile default_wep-200l_profile
ap-model WEP-200L
radio wlan0
band 2g
work-mode bgn
autochannel
channel 1
use-limit-channels
bandwidth 20
tx-power 16
limit-channels 1,11,6
exit
radio wlan1
band 5g
work-mode ac
autochannel
channel 36
use-limit-channels
bandwidth 20
tx-power 19
limit-channels 36,40,44,48
exit
exit
board-profile default_wep-2l_profile
ap-model WEP-2L
radio wlan0
band 2g
work-mode bgn
autochannel
channel 1
use-limit-channels
bandwidth 20
tx-power 16
limit-channels 1,11,6
exit
radio wlan1
band 5g
work-mode ac
autochannel
channel 36
use-limit-channels
bandwidth 20
tx-power 19
limit-channels 36,40,44,48
exit
exit
board-profile default_wep-30l_profile
ap-model WEP-30L
radio wlan0
band 2g
work-mode bgn
autochannel
channel 1
use-limit-channels
bandwidth 20
tx-power 16
limit-channels 1,11,6
exit
radio wlan1
band 5g
work-mode anacax
autochannel
channel 36
use-limit-channels
bandwidth 20
tx-power 19
limit-channels 36,40,44,48
exit
exit
board-profile default_wep-3ax_profile
ap-model WEP-3ax
radio wlan0
band 2g
work-mode bgn
autochannel
channel 1
use-limit-channels
bandwidth 20
tx-power 16
limit-channels 1,11,6
exit
radio wlan1
band 5g
work-mode anacax
autochannel
channel 36
use-limit-channels
bandwidth 20
tx-power 19
limit-channels 36,40,44,48
exit
exit
board-profile default_wop-20l_profile
ap-model WOP-20L
radio wlan0
band 2g
work-mode bgn
autochannel
channel 1
use-limit-channels
bandwidth 20
tx-power 16
limit-channels 1,11,6
exit
radio wlan1
band 5g
work-mode ac
autochannel
channel 36
use-limit-channels
bandwidth 20
tx-power 19
limit-channels 36,40,44,48
exit
exit
board-profile default_wop-2l_profile
ap-model WOP-2L
radio wlan0
band 2g
work-mode bgn
autochannel
channel 1
use-limit-channels
bandwidth 20
tx-power 16
limit-channels 1,11,6
exit
radio wlan1
band 5g
work-mode ac
autochannel
channel 36
use-limit-channels
bandwidth 20
tx-power 19
limit-channels 36,40,44,48
exit
exit
board-profile default_wop-30l_profile
ap-model WOP-30L
radio wlan0
band 2g
work-mode bgn
autochannel
channel 1
use-limit-channels
bandwidth 20
tx-power 16
limit-channels 1,11,6
exit
radio wlan1
band 5g
work-mode anacax
autochannel
channel 36
use-limit-channels
bandwidth 20
tx-power 19
limit-channels 36,40,44,48
exit
exit
ap-profile default-ap
password ascii-text encrypted 8CB5107EA7005AFF
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text encrypted 8CB5107EA7005AFF
domain default
exit
ip-pool default-ip-pool
description default-ip-pool
ap-location default-location
exit
enable
exit

ip ssh server

ntp enable
ntp broadcast-client enable

crypto-sync
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
remote-delete
enable
exit


Verification

To verify tunnel, WLC and DHCP synchronization, check the output of:

...