
Description
Two WLCs back each other up using VRRP; the interface facing the access points is connected to a switch.
Uplink redundancy and uplink organisation are not covered in this article.
Connection diagram

For the access points to keep working after a master switchover on version 1.30.6, the WLC must hold the matching firmware version for each of the access points. If the firmware is missing from the WLC, the points may fail to connect when the master role changes.
Task
Provide redundancy for the WLC controller.
Solution
The configuration is built on top of the factory configuration (Factory). Interface gi 1/0/1 faces the uplink, gi 1/0/2 faces the access points.
To accomplish the task, on each WLC you need to:
- Create object-groups for the firewall configuration
- Configure VRRP on the interfaces
- Configure Crypto-Sync to synchronize certificates
- Configure the WLC to synchronize the state of the access points and their firmware in the system:access-points-firmwares directory
- Configure the Softgre-Controller to synchronize tunnels
- Configure the firewall: permit the exchange of VRRP advertisements and open the ports used to synchronize tunnels, certificates and WLC state
- Configure the DHCP server in Active-Standby mode
- Configure DHCP failover
- Configure the NTP server
On the client interfaces where VRRP is enabled, you must also enable: vrrp timers garp refresh 60
This command sets the interval at which Gratuitous ARP messages are resent periodically while the router is in the Master state. The setting is required when client traffic is tunnelled.
Addressing:
| Interface | VLAN | WLC-1 IP | WLC-2 IP | VRRP IP | Description |
|---|---|---|---|---|---|
| Bridge 1 | 2449 | 192.168.1.2/24 | 192.168.1.3/24 | 192.168.1.1/32 | Management network interface |
| Bridge 3 | 3 | 192.168.2.2/24 | 192.168.2.3/24 | 192.168.2.1/32 | Wi-Fi client interface |
Ports and protocols the firewall must allow:
| Service | Protocol | Port | Description |
|---|---|---|---|
| softgre-controller | TCP | 1337 | Used to synchronize SoftGRE tunnels |
| crypto-sync | TCP | 873 | Used to synchronize certificates and AP state |
| VRRP | VRRP | - | Used for redundancy |
WLC-1 configuration example
Connect to the WLC and enter configuration mode:
Change the device name:
Create VLAN 2449:

Configure interface gi 1/0/2 to accept tagged traffic in VLANs 3 and 2449:
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
Create object-groups for the firewall configuration:
object-group service journal_sync
port-range 5432
exit
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
Change the addressing and configure VRRP on the bridges:
no bridge 1
no bridge 3
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.2/24
vrrp priority 120
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp group 1
vrrp preempt disable
vrrp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.2/24
vrrp priority 120
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit

Specify the addresses of the redundant controllers and assign them to a group:
ip failover
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
exit
Configure Crypto-Sync to synchronize certificates:
crypto-sync
remote-delete
enable
exit
Configure the Softgre-Controller to synchronize SoftGRE tunnels:
softgre-controller
failover
exit
Configure the WLC to synchronize the access points and their firmware in the system:access-points-firmwares directory:
Configure the firewall rules: permit the VRRP protocol and the ports used to synchronize tunnels and certificates:
security zone-pair trusted self
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
exit
security zone-pair users self
rule 11
action permit
match protocol vrrp
enable
exit
exit
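The VRRP and firewall steps above only work if both controllers describe the same VRRP instance and each of them lets VRRP advertisements and the synchronization ports (TCP 873 and 1337 from the table) reach the controller itself; a rule that is present but never given `enable`, or an object-group with a mistyped port, fails silently. The Python script below is an added example, not Eltex code and not part of the article: it parses the CLI syntax used here, compares the VRRP settings of every bridge between the two peers, and checks the `<zone> self` rules on each. The configuration excerpt is constructed from the WLC-1 steps above and reduced to the sections the audit reads; `trusted` as the management zone and the port list are taken from the article's tables, and the function names and finding texts are this example's own.

```python
# Constructed excerpt of WLC-1 in the article's CLI syntax, reduced to what the audit reads (not a device dump).
WLC1_CFG = """\
object-group service sync
 port-range 873
exit
object-group service softgre_controller
 port-range 1337
exit
bridge 1
 security-zone trusted
 vrrp priority 120
 vrrp id 1
 vrrp ip 192.168.1.1/32
 vrrp
exit
security zone-pair trusted self
 rule 11
  action permit
  match protocol vrrp
  enable
 exit
 rule 12
  action permit
  match protocol tcp
  match destination-port object-group softgre_controller
  enable
 exit
 rule 13
  action permit
  match protocol tcp
  match destination-port object-group sync
  enable
 exit
exit
"""
WLC2_CFG = WLC1_CFG.replace("priority 120", "priority 110")  # WLC-2: same VRRP instance, lower priority

def parse(cfg):
    """Flatten the nested CLI into (context path, line) pairs; 'exit' closes the current context."""
    stack, entries = [], []
    for line in (raw.strip() for raw in cfg.splitlines() if raw.strip()):
        if line == "exit":
            stack.pop()  # a stray 'exit' raises: the input is not a well-formed config
        else:
            entries.append((tuple(stack), line))
            if line.startswith(("bridge ", "object-group service ", "security zone-pair ", "rule ")):
                stack.append(line)  # these commands open a nested context
    return entries

def vrrp_bridges(entries):
    """Settings of every bridge with VRRP switched on: {'bridge 1': {'id': '1', 'ip': ..., 'zone': ...}}."""
    out = {}
    for path, line in entries:
        if len(path) == 1 and path[0].startswith("bridge "):
            b, words = out.setdefault(path[0], {}), line.split(" ", 2)
            if line == "vrrp":
                b["enabled"] = True  # the bare 'vrrp' command switches the instance on
            elif words[0] == "vrrp":
                b[words[1]] = words[2]  # 'vrrp timers garp refresh 60' -> b['timers']
            elif words[0] == "security-zone":
                b["zone"] = words[1]
    return {k: v for k, v in out.items() if v.get("enabled")}  # bridges without VRRP are ignored

def permitted_to_self(entries):
    """{(zone, protocol, dst_port)} for rules that are both 'action permit' and enabled in '<zone> self' pairs."""
    groups = {p[0].split()[-1]: ln.split()[-1] for p, ln in entries
              if len(p) == 1 and p[0].startswith("object-group service ") and ln.startswith("port-range ")}
    rules = {}
    for path, line in entries:
        if len(path) == 2 and path[0].endswith(" self") and path[1].startswith("rule "):
            r = rules.setdefault(path, {"flags": set(), "proto": None, "port": None})
            if line in ("action permit", "enable"):
                r["flags"].add(line)
            elif line.startswith("match protocol "):
                r["proto"] = line.split()[-1]
            elif line.startswith("match destination-port object-group "):
                r["port"] = groups.get(line.split()[-1])  # resolve the group to its port
    return {(p[0].split()[2], r["proto"], r["port"]) for p, r in rules.items() if len(r["flags"]) == 2}

def audit(cfg_a, cfg_b, sync_zone="trusted", sync_ports=("873", "1337")):
    """Findings for a WLC pair (empty = consistent); sync_zone/sync_ports: management zone and sync TCP ports."""
    peers = {"A": parse(cfg_a), "B": parse(cfg_b)}
    findings, (va, vb) = [], map(vrrp_bridges, peers.values())
    for name in sorted(set(va) | set(vb)):  # a bridge with VRRP on one peer only shows up as every key differing
        a, b = va.get(name, {}), vb.get(name, {})
        for key in ("id", "ip", "group", "preempt", "timers", "zone"):
            if a.get(key) != b.get(key):
                findings.append(f"{name}: vrrp {key} differs ({a.get(key)} vs {b.get(key)})")
        if a.get("priority") == b.get("priority"):
            findings.append(f"{name}: equal priorities, master election is ambiguous")
    for side, entries in peers.items():
        allowed = permitted_to_self(entries)
        for name, b in vrrp_bridges(entries).items():
            if (b.get("zone"), "vrrp", None) not in allowed:
                findings.append(f"{side} {name}: zone {b.get('zone')} does not permit VRRP to self")
        for port in sync_ports:
            if not any(z == sync_zone and p == "tcp" and d == port for z, p, d in allowed):
                findings.append(f"{side}: tcp/{port} not permitted from {sync_zone} to self")
    return findings
```

Call `audit(WLC1_CFG, WLC2_CFG)` with the two running configurations pasted in; an empty list means the pair is consistent. The audit compares only what the page shows as VRRP settings, so keys such as `group`, `preempt` and `timers` are checked whenever either peer has them.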
Configure the DHCP server:
no ip dhcp-server pool users-pool
no ip dhcp-server pool ap-pool
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
Configure DHCP failover:
ip dhcp-server failover
mode active-standby
enable
exit
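With DHCP failover in active-standby mode both controllers answer for the same pools, so an access point may be served by either of them and must never learn a physical controller address from DHCP: the gateway, the option 42 server and the vendor-specific suboptions in the ap-pool above all carry the VRRP address, and the leased range starts at .4 so that .1 to .3 are never handed out. The Python below is an added example, not Eltex code and not part of the article, that checks exactly this on a pool written in the article's syntax. The pool text is constructed from the ap-pool above; which lines must carry the VRRP address is inferred only from the values the article puts in them, and the function and constant names are this example's own.

```python
import ipaddress
import re

# Constructed copy of the article's ap-pool in the article's CLI syntax (not a device dump).
POOL_CFG = """\
ip dhcp-server pool ap-pool
 network 192.168.1.0/24
 address-range 192.168.1.4-192.168.1.254
 default-router 192.168.1.1
 dns-server 192.168.1.1
 option 42 ip-address 192.168.1.1
 vendor-specific
  suboption 12 ascii-text "192.168.1.1"
  suboption 15 ascii-text "https://192.168.1.1:8043"
 exit
exit
"""
# Lines whose address must be the virtual one: the gateway, the NTP server (option 42) and the
# vendor-specific suboptions that, in the article's pool, hand the controller address to the APs.
MUST_BE_VIP = ("default-router ", "option 42 ", "suboption 12 ", "suboption 15 ")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_pools(cfg):
    """Return {pool_name: [lines]} for each 'ip dhcp-server pool' block, flattening vendor-specific."""
    pools, current, depth = {}, None, 0
    for line in (raw.strip() for raw in cfg.splitlines() if raw.strip()):
        if line.startswith("ip dhcp-server pool "):
            current, depth = line.split()[-1], 1
            pools[current] = []
        elif current is None:
            continue  # outside any pool block
        elif line == "vendor-specific":
            depth += 1  # nested block; its suboptions are kept in the same list
        elif line == "exit":
            depth -= 1
            if depth == 0:
                current = None
        else:
            pools[current].append(line)
    return pools

def check_pool(lines, vrrp_ip, peer_ips):
    """Problems with a pool served by a VRRP pair; an empty list means the pool is safe to fail over."""
    vip, problems, net, rng = ipaddress.ip_address(vrrp_ip), [], None, None
    for line in lines:
        if line.startswith("network "):
            net = ipaddress.ip_network(line.split()[1])
        elif line.startswith("address-range "):
            rng = tuple(ipaddress.ip_address(a) for a in line.split()[1].split("-"))
        elif line.startswith(MUST_BE_VIP):
            for found in IPV4.findall(line):
                if ipaddress.ip_address(found) != vip:
                    problems.append(f"'{line}' points at {found}, not at the VRRP address {vip}")
    if net is None or rng is None:
        return problems + ["pool has no network or address-range"]
    lo, hi = rng
    if lo not in net or hi not in net:
        problems.append(f"address-range {lo}-{hi} is outside {net}")
    for addr in sorted({vip, *(ipaddress.ip_address(p) for p in peer_ips)}):
        if lo <= addr <= hi:  # a controller address inside the range could be leased to a client
            problems.append(f"controller address {addr} lies inside the leased range")
    return problems

if __name__ == "__main__":
    for name, lines in parse_pools(POOL_CFG).items():
        print(name, check_pool(lines, "192.168.1.1", ["192.168.1.2", "192.168.1.3"]) or "OK")
```

The same check applies to the users-pool with 192.168.2.1 as the VRRP address and 192.168.2.2/.3 as the peers; dns-server is deliberately not checked, since a pool may legitimately point clients at an external resolver.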
Configure the NTP server. Time on the devices must be in sync for the state synchronization to work correctly:
no ntp broadcast-client enable
ntp enable
ntp server 100.110.0.65
exit
Create a user on the local RADIUS server:
radius-server local
domain default
user test
password ascii-text 12345678
exit
exit
exit
Apply and confirm the configuration:
wlc-1# commit
wlc-1# confirm
Full WLC-1 configuration
#!/usr/bin/clish
#270
#1.30.x
#2024-11-22
#05:32:21
hostname WLC-1
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service journal_sync
port-range 5432
exit
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text encrypted 8CB5107EA7005AFF
network 192.168.1.0/24
exit
nas local
key ascii-text encrypted 8CB5107EA7005AFF
network 127.0.0.1/32
exit
domain default
user test
password ascii-text encrypted CDE65039E5591FA3
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.2/24
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 120
vrrp group 1
vrrp preempt disable
vrrp
no spanning-tree
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.2/24
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp priority 120
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address 192.168.1.2
remote-address 192.168.1.3
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
softgre-controller
nas-ip-address 127.0.0.1
failover
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
failover
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text encrypted 8CB5107EA7005AFF
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text encrypted 8CB5107EA7005AFF
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
ntp enable
ntp server 100.110.0.65
exit
crypto-sync
remote-delete
enable
exit
WLC-2 configuration example
Connect to the WLC and enter configuration mode:
Change the device name:

Create VLAN 2449:
Configure interface gi 1/0/2 to accept tagged traffic in VLANs 3 and 2449:
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
Create object-groups for the firewall configuration:
object-group service journal_sync
port-range 5432
exit
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
Change the addressing and configure VRRP on the bridges:
no bridge 1
no bridge 3
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.3/24
vrrp priority 110
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp group 1
vrrp preempt disable
vrrp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24
vrrp priority 110
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
Specify the addresses of the redundant controllers and assign them to a group:
ip failover
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
exit
Configure Crypto-Sync to synchronize certificates:
crypto-sync
remote-delete
enable
exit
Configure the Softgre-Controller to synchronize SoftGRE tunnels:
softgre-controller
failover
exit
Configure the WLC to synchronize the access points and their firmware in the system:access-points-firmwares directory:

Configure the firewall rules: permit the VRRP protocol and the ports used to synchronize tunnels and certificates:
security zone-pair trusted self
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
exit
security zone-pair users self
rule 11
action permit
match protocol vrrp
enable
exit
exit
Configure the DHCP server:
no ip dhcp-server pool users-pool
no ip dhcp-server pool ap-pool
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit

Configure DHCP failover:
ip dhcp-server failover
mode active-standby
enable
exit
Configure the NTP server. Time on the devices must be in sync for the state synchronization to work correctly:
no ntp broadcast-client enable
ntp enable
ntp server 100.110.0.65
exit
Create a user on the local RADIUS server:
radius-server local
domain default
user test
password ascii-text 12345678
exit
exit
exit
Apply and confirm the configuration:
wlc-2# commit
wlc-2# confirm
Full WLC-2 configuration
#!/usr/bin/clish
#270
#1.30.x
#2024-11-22
#05:32:21
hostname WLC-2
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service sync
port-range 873
exit
object-group service softgre_controller
port-range 1337
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text encrypted 8CB5107EA7005AFF
network 192.168.1.0/24
exit
nas local
key ascii-text encrypted 8CB5107EA7005AFF
network 127.0.0.1/32
exit
domain default
user test
password ascii-text encrypted CDE65039E5591FA3
exit
exit
virtual-server default
enable
exit
enable
exit
radius-server host 127.0.0.1
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2449
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 1
vlan 2449
security-zone trusted
ip address 192.168.1.3/24
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 110
vrrp group 1
vrrp preempt disable
vrrp
no spanning-tree
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.3/24
vrrp id 3
vrrp ip 192.168.2.1/32
vrrp priority 110
vrrp group 1
vrrp preempt disable
vrrp timers garp refresh 60
vrrp
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
switchport mode trunk
switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
ip failover
local-address 192.168.1.3
remote-address 192.168.1.2
vrrp-group 1
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 12
action permit
match protocol tcp
match destination-port object-group softgre_controller
enable
exit
rule 13
action permit
match protocol tcp
match destination-port object-group sync
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 11
action permit
match protocol vrrp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.4-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.4-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
ip dhcp-server failover
mode active-standby
enable
exit
softgre-controller
nas-ip-address 127.0.0.1
failover
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
failover
ap-location default-location
description "default-location"
mode tunnel
ap-profile default-ap
ssid-profile default-ssid
exit
ssid-profile default-ssid
description "default-ssid"
ssid "default-ssid"
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ap-profile default-ap
password ascii-text encrypted 8CB5107EA7005AFF
exit
radius-profile default-radius
auth-address 192.168.1.1
auth-password ascii-text encrypted 8CB5107EA7005AFF
domain default
exit
ip-pool default-ip-pool
description "default-ip-pool"
ap-location default-location
exit
enable
exit
ip ssh server
ntp enable
ntp server 100.110.0.65
exit
crypto-sync
remote-delete
enable
exit

Verification
To check the synchronization of tunnels, WLC state and DHCP, look at the output of:
wlc-30r# show high-availability state
VRRP role: Backup
AP Tunnels:
State: Successful synchronization
Last synchronization: 2024-11-25 16:18:18
DHCP option 82 table:
State: Disabled
Last state change: --
DHCP server:
VRF: --
State: Successful synchronization
Last synchronization: 2024-11-25 16:18:33
crypto-sync:
State: Successful synchronization
Last synchronization: 2024-11-25 16:18:34
Firewall:
State: Disabled
Last state change: --
WLC:
State: Successful synchronization
Last synchronization: 2024-11-25 16:18:34
WEB profiles:
State: Disabled
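Reading this output by eye works once; for continuous monitoring it is more useful to parse it and raise an alert when any enabled subsystem leaves the "Successful synchronization" state or has not synchronized for too long, since a stale crypto-sync or WLC state is exactly what turns a VRRP switchover into an outage. The Python below is an added example, not part of the article or of the vendor's software: it embeds the output shown above, parses it into a dictionary per subsystem, and returns a list of problems. The only state strings known from the page are the two shown, so any other state is treated as a problem; the 30-minute staleness threshold and the function names are this example's own choices, not anything the article states.

```python
from datetime import datetime, timedelta

# 'show high-availability state' output as printed in the article: a Backup peer with every enabled subsystem in sync.
SAMPLE = """\
VRRP role: Backup
AP Tunnels:
State: Successful synchronization
Last synchronization: 2024-11-25 16:18:18
DHCP option 82 table:
State: Disabled
Last state change: --
DHCP server:
VRF: --
State: Successful synchronization
Last synchronization: 2024-11-25 16:18:33
crypto-sync:
State: Successful synchronization
Last synchronization: 2024-11-25 16:18:34
Firewall:
State: Disabled
Last state change: --
WLC:
State: Successful synchronization
Last synchronization: 2024-11-25 16:18:34
WEB profiles:
State: Disabled
"""
OK_STATE = "Successful synchronization"  # the healthy state string shown in the article

def parse_ha_state(text):
    """Return (vrrp_role, {subsystem: {field: value}}); a line ending in ':' starts a new subsystem."""
    role, sections, current = None, {}, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("VRRP role:"):
            role = line.split(":", 1)[1].strip()
        elif line.endswith(":"):
            current = line[:-1]
            sections[current] = {}
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)  # timestamps contain ':' too, so split once only
            sections[current][key.strip()] = value.strip()
    return role, sections

def check_ha(text, now, max_age=timedelta(minutes=30), expected_role=None):
    """List of problems: a subsystem not in OK_STATE, a sync older than max_age, or an unexpected VRRP role.

    Subsystems reported as 'Disabled' are not configured for synchronization and are skipped.
    max_age is this example's own threshold; the article does not state how often the peers sync.
    """
    role, sections = parse_ha_state(text)
    problems = []
    if expected_role is not None and role != expected_role:
        problems.append(f"VRRP role is {role}, expected {expected_role}")
    for name, fields in sections.items():
        state = fields.get("State")
        if state == "Disabled":
            continue
        if state != OK_STATE:
            problems.append(f"{name}: state '{state}'")
        last = fields.get("Last synchronization")
        if not last or last == "--":
            problems.append(f"{name}: no synchronization timestamp")
        elif now - datetime.strptime(last, "%Y-%m-%d %H:%M:%S") > max_age:
            problems.append(f"{name}: last synchronization at {last} is older than {max_age}")
    return problems

if __name__ == "__main__":
    print(check_ha(SAMPLE, now=datetime(2024, 11, 25, 16, 30), expected_role="Backup") or ["all in sync"])
```

Feed it the output captured from each controller (for example over SSH on a schedule) with the device's current time as `now`; because the check compares timestamps, the NTP step above matters for the monitor as much as for the synchronization itself.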
