Description
The two WLCs reserve themselves via VRRP protocol, the interface towards the APs is connected to the switch.
Enabling scheme
Task
Organize the WLC redundancy.
Solution
The configuration will be done based on the factory configuration. Interface gi 1/0/1 is towards Uplink, gi 1/0/2 is towards APs.
To accomplish the task at each WLC it is necessary to:
- Create object-group for firewall configuration
- Configure VRRP on interfaces
- Configure Crypto-Sync for certificate symchronization
- Configure WLC to synchronize AP state
- Configure Softgre-Controller for tunnel synchronization
- Configure Firewall, allow VRRP announcements exchange and open ports for tunnel, certificate and WLC state synchronization
- Configure DHCP server in Active-Standby mode
- Configure DHCP failover
Addressing:
| Interface | VLAN | WLC-1 IP | WLC-2 IP | VRRP IP | Description |
|---|
| Birdge 1 | 2449 | 192.168.1.2/24 | 192.168.1.3/24 | 192.168.1.1/32 | Interface for control network |
| Bridge 3 | 3 | 192.168.2.2/24 | 192.168.2.3/24 | 192.168.2.1/32 | Interfcae for Wi-Fi users |
Ports and protocols that require Firewall configuration:
| Service | Protocol | Port | Description |
|---|
| softgre-controller | TCP | 1337 | Used for softgre tunnels synchronization |
| crypto-sync | TCP | 873 | used for certificate and AP state synchronization |
| VRRP | VRRP | - | Used for redundancy |
Configuration example of WLC-1
Connect to the WLC and enter configuration mode:
Change the name:
Create vlan 2449:
Configure gi 1/0/2 interface to accept tagged traffic on VLAN 3 and 2449:
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
Create object-group for Firewall configuration:
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
Change the addressing and configure VRRP on the Bridge:
no bridge 1
no bridge 3
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.2/24
vrrp priority 120
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.2/24
vrrp priority 120
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
Configure Crypto-Sync for certificate synchronization:
crypto-sync
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
remote-delete
enable
exit
Configure Softgre-Controller for SoftGRE tunnels synchronization:
softgre-controller
peer-address 192.168.1.3
vrrp-group 1
exit
Configure softgre-tunnel for synchronization, vrrp-ip address is specified as local address:
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
Configure WLC for AP synchronization:
wlc
failover
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
enable
exit
exit
Configure Firewall rules, allow VRRP protocol and ports for tunnel and certificate synchronization:
security zone-pair trusted self
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port sync
enable
exit
exit
security zone-pair users self
rule 11
action permit
match protocol vrrp
enable
exit
exit
Configure DHCP server:
no ip dhcp-server pool users-pool
no ip dhcp-server pool ap-pool
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
Configure DHCP Failover:
ip dhcp-server failover
mode active-standby
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
enable
exit
Create a user in local Radius server:
radius-server local
domain default
user test
password ascii-text 12345678
exit
exit
exit
Commit and confirm the configuration:
wlc-1# commit
wlc-1# confirm
Full configuration of WLC-1
Нажмите здесь для раскрытия...
#!/usr/bin/clish
#193
#1.19.2
#22/12/2023
#18:22:05
hostname WLC-1
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text encrypted 8CB5107EA7005AFF
network 192.168.1.0/24
exit
nas local
key ascii-text encrypted 8CB5107EA7005AFF
network 127.0.0.1/32
exit
domain default
user test
password ascii-text encrypted CDE65039E5591FA3
exit
exit
virtual-server default
enable
exit
enable
exit
username admin
password encrypted $6$SE44HkPtLYJkWMTZ$if1UHjuR3c9THrZAbh55PIxPhbAfCoTnyNJjG7rJIcLkTk4otQNjiHF6Sk6or3Rd4Q1uCUNvv6jUQyDQ0ffSx0
exit
radius-server host 127.0.0.1
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.2/24
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 120
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip firewall disable
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.2/24
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp priority 120
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
enable
exit
softgre-controller
peer-address 192.168.1.3
nas-ip-address 127.0.0.1
vrrp-group 1
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
password private-crt-key ascii-text encrypted 8CB5107EA7005AFF
exit
airtune
enable
exit
failover
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
enable
exit
ap-location default-location
description default-location
mode tunnel
ap-profile default-ap
airtune-profile default_airtune
radio-2g-profile default_2g
radio-5g-profile default_5g
ssid-profile default-ssid
exit
airtune-profile default_airtune
exit
ssid-profile default-ssid
description default-ssid
ssid default-ssid
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
radio-2g-profile default_2g
obss-coexistence off
exit
radio-5g-profile default_5g
dfs forced
obss-coexistence off
limit-channels 36,40,44,48,52,56,60,64
exit
ap-profile default-ap
password ascii-text encrypted 8CB5107EA7005AFF
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text encrypted 8CB5107EA7005AFF
domain default
exit
ip-pool default-ip-pool
description default-ip-pool
ap-location default-location
exit
enable
exit
ip ssh server
ntp enable
ntp broadcast-client enable
crypto-sync
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
remote-delete
enable
exit
Configuration example of WLC-2
Connect to the WLC and enter configuration mode:
Change the name:
Create vlan 2449:
Configure gi 1/0/2 interface to accept tagged traffic on VLAN 3 and 2449:
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
Create object-group for Firewall configuration:
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
Change the addressing and configure VRRP on the Bridge:
no bridge 1
no bridge 3
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.3/24
vrrp priority 110
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24
vrrp priority 110
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
Configure Crypto-Sync for certificate synchronization:
crypto-sync
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
remote-delete
enable
exit
Configure Softgre-Controller for SoftGRE tunnels synchronization:
softgre-controller
peer-address 192.168.1.2
vrrp-group 1
exit
Configure softgre-tunnel for synchronization, vrrp-ip address is specified as local address:
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
Configure WLC for AP synchronization:
wlc
failover
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit
exit
Configure Firewall rules, allow VRRP protocol and ports for tunnel and certificate synchronization:
security zone-pair trusted self
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port sync
enable
exit
exit
security zone-pair users self
rule 11
action permit
match protocol vrrp
enable
exit
exit
Configure DHCP server:
no ip dhcp-server pool users-pool
no ip dhcp-server pool ap-pool
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
Configure DHCP Failover:
ip dhcp-server failover
mode active-standby
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit
Create a user in local Radius server:
radius-server local
domain default
user test
password ascii-text 12345678
exit
exit
exit
Commit and confirm the configuration:
wlc-2# commit
wlc-2# confirm
Full configuration of WLC-2
Нажмите здесь для раскрытия...
#!/usr/bin/clish
#193
#1.19.2
#22/12/2023
#18:22:05
hostname WLC-2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text encrypted 8CB5107EA7005AFF
network 192.168.1.0/24
exit
nas local
key ascii-text encrypted 8CB5107EA7005AFF
network 127.0.0.1/32
exit
domain default
user test
password ascii-text encrypted CDE65039E5591FA3
exit
exit
virtual-server default
enable
exit
enable
exit
username admin
password encrypted $6$gnFubZbxiPHa/WdA$xEmrfe/dVeVNDGBztQUB1Sk8In.20Hep/LxMJhxcHFWCfs2SPwxaCyyNxmzL3Bqu8buj71PPfp7WdfWz8AqrU/
exit
radius-server host 127.0.0.1
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.3/24
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 110
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp priority 110
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit
softgre-controller
peer-address 192.168.1.2
nas-ip-address 127.0.0.1
vrrp-group 1
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
password private-crt-key ascii-text encrypted 8CB5107EA7005AFF
exit
airtune
enable
exit
failover
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
enable
exit
ap-location default-location
description default-location
mode tunnel
ap-profile default-ap
airtune-profile default_airtune
radio-2g-profile default_2g
radio-5g-profile default_5g
ssid-profile default-ssid
exit
airtune-profile default_airtune
exit
ssid-profile default-ssid
description default-ssid
ssid default-ssid
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
radio-2g-profile default_2g
obss-coexistence off
exit
radio-5g-profile default_5g
dfs forced
obss-coexistence off
limit-channels 36,40,44,48,52,56,60,64
exit
ap-profile default-ap
password ascii-text encrypted 8CB5107EA7005AFF
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text encrypted 8CB5107EA7005AFF
domain default
exit
ip-pool default-ip-pool
description default-ip-pool
ap-location default-location
exit
enable
exit
ip ssh server
ntp enable
ntp broadcast-client enable
crypto-sync
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
remote-delete
enable
exit
Verification
To verify the synchronization of tunnels, WLC, DHCP, you can view the output:
WLC-1# show high-availability state
VRRP role: Master
AP Tunnels:
State: Successful synchronization
Last synchronization: 06:18:03 25.09.2023
DHCP option 82 table:
State: Disabled
Last state change: --
DHCP server:
VRF: --
State: Successful synchronization
crypto-sync:
State: Successful synchronization
Last synchronization: 06:18:03 25.09.2023
Firewall:
State: Disabled
Last state change: --
WLC:
State: Successful synchronization
Last synchronization: 06:18:03 25.09.2023
