
Description

Allocating and configuring a VLAN for every newly connected AP is time-consuming, and it is not always possible to provide an L2 path from the AP to the ESR. In that case the AP is connected across the operator's L3 network. The architecture assumes that the operator's access network provides L3 connectivity between the ESR, SoftWLC and the AP's primary address. The AP builds L2 GRE (EoGRE) tunnels, so no VLAN has to be stretched through the operator's access network from the AP to the ESR: it is enough to terminate the AP VLAN on any router or L3 switch that supports DHCP relay, so that the AP obtains a primary address and, in DHCP option 43, the ESR addresses to which it builds the GRE tunnels. On the ESR side, the wireless-controller functionality is configured to raise the matching tunnels automatically. This connection scheme is called WiFi L3.

There are two modes of tunnel creation:

  1. Creation using a local ESR configuration profile; this mode is called "Local configuration profile of SoftGRE tunnel".
  2. Creation of data tunnels via RADIUS exchange with PCRF, which determines which data tunnels should be raised from the AP's position in the EMS tree and its SSID settings; this mode is called "Dynamic configuration profile of SoftGRE tunnel".

A WiFi licence is required to use the wireless-controller functionality on the ESR. Check whether the licence is installed with the show licence command:

esr-1000# show licence 
Licence information
-------------------
Name:    eltex
Version: 1.0
Type:    ESR-1000
S/N:     NP00000033
MAC:     A8:F9:4B:AB:B3:80
Features:
 WIFI - Wi-Fi controller

The following terminology will be used to refer to the functionality associated with the use of GRE tunnelling:

  • EoGRE - general name of L2 GRE tunnelling
  • GRE - the tunnels that AP raises
  • SoftGRE - the tunnels that ESR raises

Communication scheme

The example communication scheme uses the following addressing:

vlan   Subnet             Description                                     ESR address          SoftWLC address   Router address (R1)
100    192.168.100.0/23   AP configuration subnet (primary addresses)     --                   --                192.168.0.1
200    10.0.0.0/28        GRE termination address subnet                  10.0.0.1, 10.0.0.2   --                10.0.0.3
3      10.10.10.0/23      AP configuration subnet (secondary addresses)   10.10.10.1           --                --
10     100.64.0.0/22      SSID AP users' subnet                           100.64.0.1           --                --
1200   10.20.20.0/28      subnet for communication with SoftWLC complex   10.20.20.1           10.20.20.2        --
3500   172.16.0.0/28      subnet for Internet                             172.16.0.2           --                --

Table 1.

The diagram is shown in the figure below:

Fig.1 Communication scheme via L3 access network of the operator

ESR configuration architecture is shown in the figure below:

Fig. 2 ESR configuration architecture by connecting AP via operator access L3 network

Network description

  1. Internet access is in vlan 3500; the default route points to the gateway 172.16.0.1 (router-NAT). User traffic is routed to router-NAT, which translates user addresses to the Internet.
  2. The ESR management network is vlan 1200, subnet 10.20.20.0/28, which is also used for communication with the SoftWLC complex.
  3. APs receive a primary IP address from 192.168.100.0/23 via the DHCP relay on the switch/router from the DHCP server running on the SoftWLC host. Option 43, suboptions 11 and 12, carries the two addresses to which the GRE tunnels are built: 10.0.0.1 and 10.0.0.2 (see "How to configure option 43, and other DHCP configuration aspects"). All traffic from the AP is untagged at this point. The AP raises two EoGRE tunnels from the primary address received via DHCP to the addresses from suboptions 11 and 12:
        - the Management GRE tunnel to 10.0.0.1 carries AP management traffic with vlan id = 1;
        - the Data GRE tunnel to 10.0.0.2 carries the traffic of users connected to the AP's SSIDs with vlan id = N (vlans 10 and 11 in this example).
  4. Through the Management GRE tunnel (vlan id 1) the AP sends DHCP requests, which the ESR relays to SoftWLC. The DHCP server on SoftWLC issues the AP an address from 10.10.10.0/23; the gateway is bridge 3 on the ESR with address 10.10.10.1. Option 43, suboption 10, carries the SoftWLC server address 10.20.20.2 (see "How to configure option 43, and other DHCP configuration aspects"). The AP exchanges service information with SoftWLC at this address.
  5. SSID 1 and SSID 2 are configured on the AP with vlan id 10 and 11. All user traffic from vlans 10 and 11 is forwarded inside the Data GRE tunnel to the ESR. Client DHCP requests are relayed by the ESR to SoftWLC; users obtain addresses from the bridge 10 network on the ESR, 100.64.0.0/22, with gateway 100.64.0.1.

The AP obtains its primary address and sends its traffic untagged. To place this traffic in the correct vlan, assign the tag on the switch port to which the AP is connected. Example for MES switches:

interface gigabitethernet1/0/1
 description AP_1
 switchport mode access
 switchport access vlan 100
!

After receiving a primary address with option 43 suboptions 11 and 12, an Eltex AP builds the two GRE tunnels for management and user traffic and stops accepting management connections (telnet, SSH, web GUI) on its primary address. Management becomes available on the secondary (management) address obtained through the Management GRE tunnel.
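The AP's discovery of its tunnel endpoints hinges entirely on the option 43 payload described above, so it is worth seeing how that payload is laid out. The following Python example is added here and is not Eltex code: it encodes and decodes the payload using the standard RFC 2132 encapsulated vendor-specific TLV layout (1-byte sub-option code, 1-byte length, value). The sub-option numbers 10, 11 and 12 and the addresses are those of this page; carrying each address as an ASCII dotted-quad string is an assumption of the example (the decoder also accepts a 4-byte binary IPv4 value), and the sample payloads are constructed.

```python
"""Encode and decode the DHCP option 43 payload that points an AP at its
GRE tunnel endpoints (sub-options 11/12) and at SoftWLC (sub-option 10).

Added example, not Eltex code. TLV layout per RFC 2132 (code, length,
value). Encoding each address as ASCII dotted-quad text is an assumption.
"""
import ipaddress

SUBOPT_SOFTWLC = 10     # SoftWLC address (secondary DHCP scope, option 43.10)
SUBOPT_GRE_MGMT = 11    # ESR endpoint of the Management GRE tunnel
SUBOPT_GRE_DATA = 12    # ESR endpoint of the Data GRE tunnel


def encode_option43(suboptions):
    """Build the option 43 payload from {code: value}; value is str (ASCII) or bytes."""
    out = bytearray()
    for code, value in sorted(suboptions.items()):
        if not 1 <= code <= 254:
            raise ValueError(f"sub-option code {code} out of range")
        data = value.encode("ascii") if isinstance(value, str) else bytes(value)
        if len(data) > 255:
            raise ValueError(f"sub-option {code} value too long")
        out += bytes([code, len(data)]) + data
    if len(out) > 255:
        raise ValueError("option 43 payload exceeds 255 bytes")
    return bytes(out)


def decode_option43(payload):
    """Parse TLVs into {code: value}; 4-byte values decode as IPv4Address, others as ASCII text."""
    result, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end marker (RFC 2132)
            break
        if code == 0:            # pad byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        result[code] = ipaddress.IPv4Address(value) if length == 4 else value.decode("ascii")
        i += 2 + length
    return result


def _addresses(payload, codes):
    opts = decode_option43(payload)
    missing = [c for c in codes if c not in opts]
    if missing:
        raise ValueError(f"option 43 missing sub-options {missing}")
    # IPv4Address() validates the text form and rejects anything that is not an address
    return tuple(ipaddress.IPv4Address(str(opts[c])) for c in codes)


def gre_endpoints(payload):
    """(management endpoint, data endpoint) from the primary-scope option 43."""
    return _addresses(payload, (SUBOPT_GRE_MGMT, SUBOPT_GRE_DATA))


def softwlc_address(payload):
    """SoftWLC address from the secondary-scope option 43."""
    return _addresses(payload, (SUBOPT_SOFTWLC,))[0]


# Constructed payloads matching the addressing on this page.
PRIMARY_SCOPE = encode_option43({SUBOPT_GRE_MGMT: "10.0.0.1", SUBOPT_GRE_DATA: "10.0.0.2"})
SECONDARY_SCOPE = encode_option43({SUBOPT_SOFTWLC: "10.20.20.2"})

if __name__ == "__main__":
    print("primary scope  :", PRIMARY_SCOPE.hex(), gre_endpoints(PRIMARY_SCOPE))
    print("secondary scope:", SECONDARY_SCOPE.hex(), softwlc_address(SECONDARY_SCOPE))
```

Because the AP trusts whatever endpoints arrive in option 43, the DHCP relay path between the AP vlan and the SoftWLC DHCP server is a security boundary: a rogue DHCP server on the AP vlan could redirect the tunnels to its own host. Decoding the payload as above is a quick way to confirm what the AP actually received when tunnels fail to come up.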

MTU of packets transmitted within EoGRE

Encapsulating packets in EoGRE reduces the MTU available to the transmitted traffic by 42 bytes. With the standard L3 MTU of 1500 bytes on the transport network, the MTU for AP management and user traffic is therefore 1458 bytes. The ESR sets this value automatically when it raises the tunnels.

To reduce the number of ICMP "fragmentation needed" messages and to keep client TCP sessions from breaking, also enable TCP MSS adjustment on every interface that carries AP management and user traffic, matching the resulting MTU: ip tcp adjust-mss 1418.

The calculation above assumes an L3 MTU of 1500 bytes on the transport network carrying the GRE packets. If AP user packets encapsulated in EoGRE need the standard MTU of 1500 bytes, the L3 MTU on the transport network and on the ESR must be raised to 1542 bytes.

ESR configuration

Download the licence to be able to use the Wireless-Controller functionality:

 Adding license to ESR
#Download the licence file from TFTP server
esr-1000# copy tftp://<IP address of tftp server>:/<serial number of ESR>.lic system:licence
|******************************************| 100% (678B) Licence loaded successfully. Please reboot system to apply changes.
#After a successful download, reboot the ESR
esr-1000#reload system
Do you really want to reload system ? (y/N): y

To purchase a licence, please contact Eltex commercial department. The model and serial number of the ESR must be provided.

In general, router configuration follows these steps:

  1. Developing an addressing plan, allocating subnets and addresses (an example is shown in Table 1 above).
  2. Setting up the initial ESR configuration, which is done through a console connection. During this configuration the factory configuration of ESR is removed, the ip address of management is configured and telnet/SSH access is enabled, the firewall is configured to allow these connections (or it is disabled on the management interface by the ip firewall disable command).
  3. Connecting the ESR to the network and configuring the adjacent equipment.
  4. Configuring interfaces.
  5. Configuring the parameters of communication with the radius server.
  6. Configuring and enabling Wireless-Controller functionality.
  7. Configuring firewall rules.
  8. Configuring additional functionality - SNMP server, NTP client.

Before configuring the router it is required to reset the configuration to default. The example commands correspond to ESR software version 1.11.0. In the given configuration example the SoftGRE dynamic tunnel configuration profile will be used.

Enable telnet, SSH control:

ip telnet server
ip ssh server

Create object profiles of tcp/udp ports, subnets:

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group network MGMT
  ip prefix 10.10.10.0/23
  ip prefix 10.20.20.0/28
exit

On ESR 100/200/1000 type routers, disable spanning-tree because the router will connect through a single port:

no spanning-tree

Create security zones:

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone user
exit

Configure SNMP so that SoftWLC can monitor the router status. The community strings below are example values; use your own in production, since the RW community grants write access to the router:

 SNMP
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 10.20.20.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

Create interfaces for communication with management and user subnets of AP SSID, SoftWLC complex, Internet, AP primary addresses:

bridge 3
  description "AP_MANAGMENT"
  security-zone trusted
  ip address 10.10.10.1/23
  ip helper-address 10.20.20.2
  ip tcp adjust-mss 1418
  protected-ports local
  enable
exit
bridge 10
  description "AP_SSID_USERS"
  security-zone user
  ip address 100.64.0.1/22
  ip helper-address 10.20.20.2
  ip tcp adjust-mss 1418
  location data10
  protected-ports local
  enable
exit

interface gigabitethernet 1/0/1.200
  description "GRE_AP"
  security-zone gre
  ip address 10.0.0.1/28
  ip address 10.0.0.2/28
exit
interface gigabitethernet 1/0/1.1200
  description "MANAGMENT"
  security-zone trusted
  ip address 10.20.20.1/28
  ip tcp adjust-mss 1418
exit
interface gigabitethernet 1/0/1.3500
  description "INTERNET"
  security-zone untrusted
  ip address 172.16.0.2/28
  ip tcp adjust-mss 1418
exit

Enable global forwarding of DHCP requests:

ip dhcp-relay

Add a default gateway:

ip route 0.0.0.0/0 172.16.0.1

Add a route to the AP's primary address subnet:

ip route 192.168.100.0/23 10.0.0.3

Configure communication with the RADIUS server (PCRF).

If SoftWLC redundancy is used and the Eltex-PCRF service runs as a cluster, configure each instance by its real address in the ESR configuration and list both instances in the aaa radius-profile. A VRRP address must not be used for this communication!

Example for a PCRF cluster:
radius-server host 10.20.20.2
  key ascii-text testing123
  timeout 11
  source-address 10.20.20.1
  auth-port 31812
  acct-port 31813
  retransmit 2
  dead-interval 10
exit
radius-server host 10.20.20.3
  key ascii-text testing123
  timeout 11
  source-address 10.20.20.1
  auth-port 31812
  acct-port 31813
  retransmit 2
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 10.20.20.2
  radius-server host 10.20.20.3
exit

Example for a single PCRF instance (used in the rest of this page):

radius-server timeout 10
radius-server host 10.20.20.2
  key ascii-text testing123
  timeout 11
  source-address 10.20.20.1
  auth-port 31812
  acct-port 31813
  retransmit 2
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 10.20.20.2
exit
das-server COA
  key ascii-text testing123
  port 3799
  clients object-group MGMT
exit
aaa das-profile COA
  das-server COA
exit

Configure the SoftGRE tunnel profiles:

tunnel softgre 1
  description "managment"
  mode management
  local address 10.0.0.1
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 10.0.0.2
  default-profile
  enable
exit

Configure and enable the "Wireless-Controller" functionality:

wireless-controller
  nas-ip-address 10.20.20.1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit

Configure the firewall rules:

#Allow receiving all GRE packets and ICMP requests from the gre zone:
security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol icmp
    enable
  exit
exit

#Allow the router to accept all packets from MGMT subnets:
security zone-pair trusted self
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit

#Allow traffic exchange between trusted zones within the used subnets:
security zone-pair trusted trusted 
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit

#Allow any traffic from the trusted zone to pass through to AP users:
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit

#Allow any traffic from the trusted zone to pass through to the gre zone:
security zone-pair trusted gre
  rule 1
    action permit
    enable
  exit
exit

#Allow the router to accept DHCP from AP users so that they can obtain addresses:
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit

#Allow users to prolong an address obtained by DHCP:
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit

#Allow all traffic from users to the Internet:
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit
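Taken together, the zone-pair rules above form a least-privilege policy: wireless users may only send DHCP to the router and to the management network, and everything else from the user zone goes to the Internet, while the AP primary addresses in the gre zone can only deliver GRE and ICMP to the router. The following Python model is added here and is not part of the page or of the ESR software: it encodes the page's object-groups and zone-pairs and evaluates constructed sample flows against them, so the intended isolation can be checked before the configuration is applied. It assumes first-match evaluation within a zone-pair, a drop for any flow without a matching rule or without a configured zone-pair, and that "self" denotes traffic addressed to the router itself.

```python
"""Evaluate the zone-pair firewall policy of this page against sample flows.

Added example; a simplified model, not ESR code. Assumptions: rules in a
zone-pair are tried in order and the first match decides; a flow with no
matching rule, or between zones with no zone-pair, is dropped; "self" is
traffic addressed to the router itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# object-groups from the page
NETWORK_GROUPS = {
    "MGMT": [ipaddress.ip_network("10.10.10.0/23"), ipaddress.ip_network("10.20.20.0/28")],
}
SERVICE_GROUPS = {"dhcp_server": {67}, "dhcp_client": {68}}


@dataclass
class Rule:
    action: str
    protocol: Optional[str] = None          # gre / icmp / udp / tcp, None = any
    source_address: Optional[str] = None    # network object-group name
    source_port: Optional[str] = None       # service object-group name
    destination_port: Optional[str] = None  # service object-group name

    def matches(self, proto, src, sport, dport):
        if self.protocol and proto != self.protocol:
            return False
        if self.source_address and not any(src in n for n in NETWORK_GROUPS[self.source_address]):
            return False
        if self.source_port and sport not in SERVICE_GROUPS[self.source_port]:
            return False
        if self.destination_port and dport not in SERVICE_GROUPS[self.destination_port]:
            return False
        return True


DHCP_ONLY = Rule("permit", protocol="udp", source_port="dhcp_client", destination_port="dhcp_server")

# zone-pairs exactly as configured on this page
POLICY = {
    ("gre", "self"):        [Rule("permit", protocol="gre"), Rule("permit", protocol="icmp")],
    ("trusted", "self"):    [Rule("permit", source_address="MGMT")],
    ("trusted", "trusted"): [Rule("permit", source_address="MGMT")],
    ("trusted", "user"):    [Rule("permit")],
    ("trusted", "gre"):     [Rule("permit")],
    ("user", "self"):       [DHCP_ONLY],
    ("user", "trusted"):    [DHCP_ONLY],
    ("user", "untrusted"):  [Rule("permit")],
}


def decide(policy, src_zone, dst_zone, proto, src, sport=None, dport=None):
    """Return 'permit' or 'deny' for one flow under first-match, default-deny semantics."""
    src_ip = ipaddress.ip_address(src)
    for rule in policy.get((src_zone, dst_zone), []):
        if rule.matches(proto, src_ip, sport, dport):
            return rule.action
    return "deny"


# Constructed flows with the outcome the design intends: wireless users reach
# DHCP and the Internet only; the router is manageable solely from MGMT subnets.
SAMPLE_FLOWS = [
    (("user", "trusted", "udp", "0.0.0.0", 68, 67), "permit"),          # client DHCP to SoftWLC
    (("user", "trusted", "tcp", "100.64.0.10", 40000, 22), "deny"),      # user -> SoftWLC SSH
    (("user", "self", "tcp", "100.64.0.10", 40000, 22), "deny"),         # user -> ESR SSH
    (("user", "untrusted", "tcp", "100.64.0.10", 40000, 443), "permit"),  # user -> Internet
    (("gre", "self", "gre", "192.168.100.20", None, None), "permit"),    # AP builds its tunnels
    (("gre", "self", "tcp", "192.168.100.20", 40000, 22), "deny"),       # AP primary addr -> ESR SSH
    (("trusted", "self", "tcp", "10.20.20.2", 40000, 22), "permit"),     # SoftWLC -> ESR SSH
    (("trusted", "self", "tcp", "10.10.12.5", 40000, 22), "deny"),       # source outside MGMT group
]


def audit(policy=POLICY, flows=SAMPLE_FLOWS):
    """Return the flows whose decision differs from the intended one (empty = policy as designed)."""
    return [(f, want, decide(policy, *f)) for f, want in flows if decide(policy, *f) != want]


if __name__ == "__main__":
    for f, want in SAMPLE_FLOWS:
        print(f"{decide(POLICY, *f):6} (want {want}) {f}")
```

Extending SAMPLE_FLOWS is the cheap way to review a change to the zone-pairs: for instance, replacing DHCP_ONLY in ("user", "trusted") with an unconditional permit would flip the "user -> SoftWLC SSH" flow to permit and show up in audit().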

Adding an ESR to the EMS tree

Open EMS, select the node under which the ESR is to be added and click the "+" button at the top left of the node tree:

Fig. 3.

In the window that opens, in the field:

  • "Object name" - enter a name for the ESR, e.g. "esr-gre".
  • "Type" - select the equipment type matching the ESR in use, "ESR1000".
  • "IP address" - enter the ESR management address, "10.20.20.1".

Click the "Add" button.

Then select the added ESR (if it does not appear in the tree, click the button above "") and open the "Access" tab on the right:

Fig. 4.

In the opened window edit the fields:

  • "File protocol" - choose "FTP".
  • "Read community" - specify the name of SNMP RO community, configured earlier "public11".
  • "Write community" - specify the name of SNMP RW community, configured earlier "private1".

When adding ESR-100/200, the value of the "ESR mode" field will be "StationCE".

In this case it is necessary to change the field value to "Station", otherwise such ESR will not be used to build data tunnels for AP.

Change the RADIUS key that will be used when interacting with the ESR. To do this, open "RADIUS" → "Access Point Management" in the EMS menu. Select the previously added ESR (with many devices you can filter by ESR IP address) and click the "Edit" button:

Fig. 5.

In the window that opens, enter the key configured earlier on the ESR, "testing123", in the "Key" field and click "Accept".

Appendix

Full configuration of ESR for dynamic configuration profile of SoftGRE tunnel

 configuration of ESR for dynamic configuration profile of SoftGRE tunnel
#!/usr/bin/clish
#18

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit

object-group network MGMT
  ip prefix 10.10.10.0/23
  ip prefix 10.20.20.0/28
exit

radius-server timeout 10
radius-server host 10.20.20.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  source-address 10.20.20.1
  auth-port 31812
  acct-port 31813
  retransmit 2
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 10.20.20.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group MGMT
exit
aaa das-profile COA
  das-server COA
exit

no spanning-tree

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone user
exit


snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 10.20.20.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps ports
snmp-server enable traps ports port-counters-errors
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 3
  description "AP_MANAGMENT"
  security-zone trusted
  ip address 10.10.10.1/23
  ip helper-address 10.20.20.2
  ip tcp adjust-mss 1418
  protected-ports local
  enable
exit
bridge 10
  description "AP_SSID_USERS"
  security-zone user
  ip address 100.64.0.1/22
  ip helper-address 10.20.20.2
  ip tcp adjust-mss 1418
  location data10
  protected-ports local
  enable
exit

interface gigabitethernet 1/0/1.200
  description "GRE_AP"
  security-zone gre
  ip address 10.0.0.1/28
  ip address 10.0.0.2/28
exit
interface gigabitethernet 1/0/1.1200
  description "MANAGMENT"
  security-zone trusted
  ip address 10.20.20.1/28
  ip tcp adjust-mss 1418
exit
interface gigabitethernet 1/0/1.3500
  description "INTERNET"
  security-zone untrusted
  ip address 172.16.0.2/28
  ip tcp adjust-mss 1418
exit
tunnel softgre 1
  description "managment"
  mode management
  local address 10.0.0.1
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 10.0.0.2
  default-profile
  enable
exit

security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit


ip dhcp-relay

ip route 0.0.0.0/0 172.16.0.1
ip route 192.168.100.0/23 10.0.0.3

wireless-controller
  nas-ip-address 10.20.20.1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server

Full configuration of ESR for local configuration profile of SoftGRE tunnel

The main difference from the configuration above is the absence of the RADIUS-server settings and of the related options in the Wireless-Controller section. Local profiles for the SoftGRE data tunnels with vlans 10 and 11 are added and included in bridge 10.

 Configuration of ESR for local configuration profile of SoftGRE tunnel
#!/usr/bin/clish
#18

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit

object-group network MGMT
  ip prefix 10.10.10.0/23
  ip prefix 10.20.20.0/28
exit

no spanning-tree

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone user
exit


snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 10.20.20.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps ports
snmp-server enable traps ports port-counters-errors
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 3
  description "AP_MANAGMENT"
  security-zone trusted
  ip address 10.10.10.1/23
  ip helper-address 10.20.20.2
  ip tcp adjust-mss 1418
  protected-ports local
  enable
exit
bridge 10
  description "AP_SSID_USERS"
  security-zone user
  ip address 100.64.0.1/22
  ip helper-address 10.20.20.2
  ip tcp adjust-mss 1418
  location data10
  protected-ports local
  enable
exit

interface gigabitethernet 1/0/1.200
  description "GRE_AP"
  security-zone gre
  ip address 10.0.0.1/28
  ip address 10.0.0.2/28
exit
interface gigabitethernet 1/0/1.1200
  description "MANAGMENT"
  security-zone trusted
  ip address 10.20.20.1/28
  ip tcp adjust-mss 1418
exit
interface gigabitethernet 1/0/1.3500
  description "INTERNET"
  security-zone untrusted
  ip address 172.16.0.2/28
  ip tcp adjust-mss 1418
exit
tunnel softgre 1
  description "managment"
  mode management
  local address 10.0.0.1
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 10.0.0.2
  default-profile
  enable
exit
tunnel softgre 2.10
  bridge-group 10
  enable
exit
tunnel softgre 2.11
  bridge-group 10
  enable
exit

security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit

ip dhcp-relay

ip route 0.0.0.0/0 172.16.0.1
ip route 192.168.100.0/23 10.0.0.3

wireless-controller
  enable
exit
ip telnet server
ip ssh server

Bridge interface usage

Only a "Bridge" type interface can be used to terminate GRE tunnels coming from an AP: a terminated EoGRE sub-tunnel provides L2 connectivity and can be a member of this type of interface only.
SoftGRE tunnels with different vlan-ID values may be included in the same "Bridge" interface.
For "Bridge" interfaces that terminate SoftGRE tunnels from APs, it is always recommended to enable port isolation so that traffic is not exchanged between the SoftGRE interfaces. Isolation is enabled with the "protected-ports local" command.
If a vlan is configured on the "Bridge" interface, it must be excluded from isolation with the "protected-ports exclude vlan" command to allow traffic exchange between the SoftGRE tunnels.

 Configuration example
bridge 10
  vlan 10
  protected-ports local
  protected-ports exclude vlan
  enable
exit

Output example of information about the status of SoftGRE tunnels on ESR

View information about existing SoftGRE tunnels:

 show tunnels status
esr1000# show tunnels status
Tunnel             Admin   Link    MTU      Local IP           Remote IP          Last change
                   state   state
----------------   -----   -----   ------   ----------------   ----------------   -------------------------
softgre 1          Up      Up      1462     10.0.0.1           192.168.100.15     4 days, 21 minutes and 32
                                                                                  seconds

softgre 1.1        Up      Up      1458     --                 --                 4 days, 21 minutes and 32
                                                                                  seconds

softgre 2          Up      Up      1462     10.0.0.2           192.168.100.15     4 days, 21 minutes and 32
                                                                                  seconds

softgre 2.10       Up      Up      1458     --                 --                 4 days, 21 minutes and 32
                                                                                  seconds

softgre 2.11       Up      Up      1458     --                 --                 4 days, 21 minutes and 32
                                                                                  seconds

softgre 3          Up      Up      1462     10.0.0.1           192.168.100.12     4 days, 21 minutes and 14
                                                                                  seconds

softgre 3.1        Up      Up      1458     --                 --                 4 days, 21 minutes and 14
                                                                                  seconds

softgre 4          Up      Up      1462     10.0.0.2           192.168.100.12     4 days, 21 minutes and 14
                                                                                  seconds

softgre 4.10       Up      Up      1458     --                 --                 4 days, 21 minutes and 14
                                                                                  seconds

softgre 4.11       Up      Up      1458     --                 --                 4 days, 21 minutes and 14
                                                                                  seconds

View information about Bridge type interfaces and the SoftGRE tunnels included in them:

 show interfaces bridge
esr1000# show interfaces bridge
Bridges      Interfaces
----------   --------------------------------------------------------------
bridge 3     softgre 1.1, softgre 3.1
bridge 10    softgre 2.10, softgre 2.11, softgre 4.10, softgre 4.11

DHCP server configuration

The following is an example of a DHCP server configuration, based on the above addressing. ISC-DHCP-SERVER is used as the DHCP server.

 /etc/dhcp/dhcpd.conf
default-lease-time 86400;
max-lease-time 87000;

log-facility local7;

#listening subnet
subnet 10.20.20.0 netmask 255.255.255.240 {}

#Description of equipment that will be allowed to receive the control address
class "ELTEX-DEVICES" {
	match if (
		(substring (option vendor-class-identifier, 0, 14)="ELTEX_WEP-12AC") or
		(substring (option vendor-class-identifier, 0, 14)="ELTEX_WOP-12AC") or
		(substring (option vendor-class-identifier, 0, 14)="ELTX_WEP-12AC") or
		(substring (option vendor-class-identifier, 0, 14)="ELTX_WOP-12AC") or
		(substring (option vendor-class-identifier, 0, 13)="ELTEX_WEP-2AC") or
		(substring (option vendor-class-identifier, 0, 12)="ELTEX_WOP-2L") or
		(substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-2L") or
		(substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-1L")
	);
}

#Primary AP addresses subnet in vlan 100
#The mask is /23 to match the pool range below and the "ip route 192.168.100.0/23" entry on the ESR
subnet 192.168.100.0 netmask 255.255.254.0 {
	pool {
		option routers 192.168.100.1;
		range 192.168.100.2 192.168.101.254;
		#option 43: suboption 11 = "10.0.0.1" (management tunnel), suboption 12 = "10.0.0.2" (data tunnel)
		option vendor-encapsulated-options 0B:08:31:30:2e:30:2e:30:2e:31:0C:08:31:30:2e:30:2e:30:2e:32;
		allow members of "ELTEX-DEVICES";
	}
}

#AP configuration subnet in vlan 3
subnet 10.10.10.0 netmask 255.255.254.0 {
	pool {
		option routers 10.10.10.1;
		range 10.10.10.2 10.10.11.254;
		option vendor-encapsulated-options 0A:0A:31:30:2e:32:30:2e:32:30:2e:32;
		allow members of "ELTEX-DEVICES";
		option domain-name-servers 172.16.0.254;
	}
}

#SSID vlan 10 AP users' subnet
subnet 100.64.0.0 netmask 255.255.252.0 {
	default-lease-time 3600;
	max-lease-time 3700;
	pool {
		option routers 100.64.0.1;
		range 100.64.0.2 100.64.3.254;
		option domain-name-servers 172.16.0.254;
	}
}
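
The option 43 values above are TLV strings: a one-byte suboption code, a one-byte length, and the address as ASCII text. The following is an added example (not from the page and not part of ISC dhcpd) that decodes and builds such strings and checks that a pool range lies inside its subnet, which dhcpd otherwise rejects at startup; the suboption meanings in the comments are taken from this page's own config (codes 11 and 12 carry the softgre 1 and softgre 2 local addresses, code 10 carries the same address as the ip helper-address).

```python
"""Encode/decode DHCP option 43 (vendor-encapsulated-options) TLVs as written
in dhcpd.conf colon-hex notation, and sanity-check pool ranges.
Added example for this page; not part of the page or of ISC dhcpd."""
from ipaddress import ip_address, ip_network

# Mapping observed in the page's config (not an official assignment list):
#   11 -> ESR management tunnel endpoint (tunnel softgre 1, local address 10.0.0.1)
#   12 -> ESR data tunnel endpoint       (tunnel softgre 2, local address 10.0.0.2)
#   10 -> 10.20.20.2, the same address the bridges use as ip helper-address
PAGE_SUBOPTIONS = {11: "10.0.0.1", 12: "10.0.0.2"}


def decode_option43(hexstr: str) -> dict[int, str]:
    """Parse 'CC:LL:VV:...' into {suboption_code: ascii_value}, rejecting truncated TLVs."""
    data = bytes.fromhex(hexstr.replace(":", ""))
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"suboption {code}: declared {length} bytes, got {len(value)}")
        out[code] = value.decode("ascii")
        i += 2 + length
    return out


def encode_option43(suboptions: dict[int, str]) -> str:
    """Inverse of decode_option43: build the colon-separated hex string dhcpd expects."""
    raw = b"".join(bytes([code, len(val)]) + val.encode("ascii")
                   for code, val in suboptions.items())
    return ":".join(f"{b:02x}" for b in raw)


def check_range(subnet: str, first: str, last: str) -> bool:
    """dhcpd refuses a pool range that is not inside its subnet; verify before deploying."""
    net = ip_network(subnet)
    lo, hi = ip_address(first), ip_address(last)
    return lo in net and hi in net and lo <= hi


if __name__ == "__main__":
    # The two option 43 strings from the dhcpd.conf above (copied, not constructed)
    print(decode_option43("0B:08:31:30:2e:30:2e:30:2e:31:0C:08:31:30:2e:30:2e:30:2e:32"))
    print(decode_option43("0A:0A:31:30:2e:32:30:2e:32:30:2e:32"))
    print(encode_option43(PAGE_SUBOPTIONS))
    print(check_range("100.64.0.0/22", "100.64.0.2", "100.64.3.254"))
```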

Example of NAT configuration on ESR

If you do not intend to use a third-party router to translate client addresses towards the Internet, NAT can be configured directly on the ESR. Below is an example of such a configuration:

 NAT configuration
object-group network nat
  ip prefix 100.64.0.0/22
exit

nat source
  ruleset NAT
    to zone untrusted
    rule 1
      match source-address nat
      action source-nat interface
      enable
    exit
  exit
exit