
Description

General information

The architecture assumes that when APs are connected over an L2 network, one vlan is allocated for the AP management subnet and one vlan for the subnet of SSID users. Each additional SSID gets its own separate vlan. All vlans are terminated on the ESR. This scheme is called WiFi L2. Let us consider the scheme using the example shown in Fig. 1. It is assumed that the entire SoftWLC complex is installed on one server and has a single address for communication with the other system components.

Fig. 1 Communication scheme at AP connection via L2 access network

The following subnets are used in the given scheme of communication:

vlan   Subnet           Description                                     ESR address   SoftWLC address
3      10.10.10.0/23    AP configuration subnet                         10.10.10.1    -
10     100.64.0.0/22    SSID AP users' subnet                           100.64.0.1    -
1200   10.20.20.0/28    subnet for communication with SoftWLC complex   10.20.20.1    10.20.20.2
3500   172.16.0.0/28    subnet for Internet                             172.16.0.2    -

ESR configuration architecture is shown below in Figure 2.

Fig. 2 ESR configuration architecture by connecting AP via operator access L2 network

Network description

  1. Access to the Internet is via vlan 3500, using the default gateway 172.16.0.1 (router-NAT) for the default route. User egress is routed to router-NAT, which performs NAT translation of user addresses towards the Internet.
  2. The ESR management network is in vlan 1200, subnet 10.20.20.0/28, which is also used for interaction with the SoftWLC complex.
  3. APs receive their management IP address in vlan 3 from the DHCP server deployed on SoftWLC, from the network 10.10.10.0/23. Option 43 carries the SoftWLC server address (see How to configure option 43, and other DHCP configuration aspects). The AP sends packets from its management address without a vlan tag, so on the switch port to which it is connected the untagged traffic from the AP must be placed into vlan 3. Vlan 3 then arrives at the ESR, where it is terminated on sub-interface gi1/0/1.3, whose address (10.10.10.1) is the default gateway for the AP management address.
  4. An SSID is configured on the AP with vlan ID 10. The traffic of this SSID leaves the AP tagged with vlan 10, so on the switch port to which the AP is connected vlan 10 is configured in tagged mode and carried to the ESR. On the ESR vlan 10 arrives on sub-interface gi1/0/1.10, whose address 100.64.0.1 is the default gateway for the SSID users.
  5. All user traffic is passed in vlan 10 to the ESR. DHCP requests from clients are forwarded to SoftWLC by the ESR DHCP relay.


AP management traffic is sent without a vlan tag. Therefore, to place this traffic into the correct vlan, the switch port to which the AP is connected must assign it the correct tag (the native vlan of the trunk). Note that the native vlan applies to every untagged frame entering the port, so any device plugged into that port in place of the AP also lands in the AP management subnet; keep such ports physically controlled and, where the switch supports it, limit the MAC addresses accepted on them. Below is a configuration example for MES switches:

interface gigabitethernet1/0/1
 description AP_1
 switchport mode trunk
 switchport trunk allowed vlan add 10
 switchport trunk native vlan 3
 switchport forbidden default-vlan
!

ESR configuration

 Before configuring the router, reset its configuration to defaults. The example commands correspond to ESR software version 1.11.0.

Enable management over SSH and, if required, telnet. Telnet carries credentials and the whole session in clear text; on a production ESR leave it disabled and use SSH only:

ip telnet server
ip ssh server

Create object-groups for tcp/udp ports and for subnets:

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group network MGMT
  ip prefix 10.10.10.0/23
  ip prefix 10.20.20.0/28
exit

On routers such as ESR10/20/100/200/1000, disable spanning-tree, since the router connects through a single port:

no spanning-tree

Create security zones:

security zone trusted
exit
security zone untrusted
exit
security zone user
exit

Configure SNMP parameters so that the router status can be monitored by SoftWLC. The community strings below are example values and must be changed: SNMPv2c communities travel in clear text, and the rw community allows configuration changes, so the agent must only be reachable from the MGMT subnets (which the trusted-to-self firewall rule further below enforces):

snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 10.20.20.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

Create interfaces to communicate with management and user SSID subnets of AP, SoftWLC complex, Internet:

interface gigabitethernet 1/0/1.3
  description "AP_MANAGEMENT"
  security-zone trusted
  ip address 10.10.10.1/23
  ip helper-address 10.20.20.2
exit
interface gigabitethernet 1/0/1.10
  description "AP_SSID_USERS"
  security-zone user
  ip address 100.64.0.1/22
  ip helper-address 10.20.20.2
exit
interface gigabitethernet 1/0/1.1200
  description "MANAGEMENT"
  security-zone trusted
  ip address 10.20.20.1/28
exit
interface gigabitethernet 1/0/1.3500
  description "INTERNET"
  security-zone untrusted
  ip address 172.16.0.2/28
exit

Enable DHCP relay globally:

ip dhcp-relay

Add default gateway:

ip route 0.0.0.0/0 172.16.0.1

Configure firewall rules. The ESR firewall is zone based: traffic between two zones (and traffic from a zone to the router itself, zone self) is dropped unless a zone-pair with a matching permit rule exists, so every pair below is an explicit allow and everything not listed is denied:

#Allow the router to accept all packets from the MGMT subnets (AP management and SoftWLC):
security zone-pair trusted self
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit

#Allow traffic exchange between interfaces of the trusted zone (AP management and SoftWLC subnets); without a zone-pair of the zone with itself the ESR does not forward intra-zone traffic:
security zone-pair trusted trusted 
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit

#Allow any traffic from the trusted zone to pass through to AP users:
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit

#Allow the router to accept DHCP from AP users so that they can obtain addresses:
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit

#Allow users to renew an address obtained via DHCP (renewals are sent unicast to the DHCP server on SoftWLC in the trusted zone):
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit

#Allow all traffic from users to the Internet:
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit
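To see what the six zone-pairs above actually permit and, just as important, what they silently drop, the following Python script (an added example, not ESR code or ESR output) re-implements the object-groups and the zone-pair lookup with the ESR's first-match, default-deny semantics and runs a set of constructed flows through it. The zone of each address is taken from the interface configuration on this page; the sample hosts (10.10.10.50, 100.64.0.10, 203.0.113.5, 198.51.100.7) are assumptions made for the example.

```python
"""Offline model of the zone-pair policy configured above.

Added example, not ESR code: it re-implements the object-groups, zone-pairs
and first-match/default-deny evaluation so the intended isolation can be
checked before the configuration is committed. Zone membership is derived
from the interface addressing on this page; the flows in CHECKS are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# object-group network MGMT and object-group service dhcp_server / dhcp_client
NETWORK_GROUPS = {
    "MGMT": [ipaddress.ip_network("10.10.10.0/23"),
             ipaddress.ip_network("10.20.20.0/28")],
}
SERVICE_GROUPS = {"dhcp_server": range(67, 68), "dhcp_client": range(68, 69)}


@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    protocol: Optional[str] = None         # "udp", "tcp", "icmp"; None = any
    source_address: Optional[str] = None   # name of a network object-group
    source_port: Optional[str] = None      # name of a service object-group
    destination_port: Optional[str] = None


DHCP = Rule("permit", "udp", None, "dhcp_client", "dhcp_server")

# security zone-pair <src> <dst> blocks from the page, rules in configured order
ZONE_PAIRS = {
    ("trusted", "self"):    [Rule("permit", source_address="MGMT")],
    ("trusted", "trusted"): [Rule("permit", source_address="MGMT")],
    ("trusted", "user"):    [Rule("permit")],
    ("user", "self"):       [DHCP],
    ("user", "trusted"):    [DHCP],
    ("user", "untrusted"):  [Rule("permit")],
}

# security-zone of each directly connected subnet (from the interface config)
ZONE_OF_SUBNET = {
    ipaddress.ip_network("10.10.10.0/23"): "trusted",    # gi1/0/1.3
    ipaddress.ip_network("100.64.0.0/22"): "user",       # gi1/0/1.10
    ipaddress.ip_network("10.20.20.0/28"): "trusted",    # gi1/0/1.1200
    ipaddress.ip_network("172.16.0.0/28"): "untrusted",  # gi1/0/1.3500
}
# the router's own addresses; a DHCP broadcast is consumed by the ESR relay itself
ESR_SELF = {ipaddress.ip_address(a) for a in
            ("10.10.10.1", "100.64.0.1", "10.20.20.1", "172.16.0.2", "255.255.255.255")}


def zone_of(address: str) -> str:
    ip = ipaddress.ip_address(address)
    if ip in ESR_SELF:
        return "self"
    for net, zone in ZONE_OF_SUBNET.items():
        if ip in net:
            return zone
    return "untrusted"   # everything else is reached through the default route


def _matches(rule: Rule, src: str, proto: str, sport: int, dport: int) -> bool:
    if rule.protocol and rule.protocol != proto:
        return False
    if rule.source_address and not any(
            ipaddress.ip_address(src) in n for n in NETWORK_GROUPS[rule.source_address]):
        return False
    if rule.source_port and sport not in SERVICE_GROUPS[rule.source_port]:
        return False
    if rule.destination_port and dport not in SERVICE_GROUPS[rule.destination_port]:
        return False
    return True


def evaluate(src: str, dst: str, proto: str = "tcp", sport: int = 0, dport: int = 0) -> str:
    """Verdict for the first packet of a flow. The ESR firewall is stateful,
    so replies of a permitted flow need no rule in the reverse zone-pair."""
    for rule in ZONE_PAIRS.get((zone_of(src), zone_of(dst)), []):
        if _matches(rule, src, proto, sport, dport):
            return rule.action
    return "deny"        # no zone-pair, or no rule matched


# (description, src, dst, proto, sport, dport, expected) - constructed flows
CHECKS = [
    ("wireless user renews its lease with SoftWLC", "100.64.0.10", "10.20.20.2", "udp", 68, 67, "permit"),
    ("wireless user DHCP discover reaches the relay", "100.64.0.10", "255.255.255.255", "udp", 68, 67, "permit"),
    ("wireless user browses the Internet", "100.64.0.10", "203.0.113.5", "tcp", 51000, 443, "permit"),
    ("wireless user tries SSH to the ESR", "100.64.0.10", "100.64.0.1", "tcp", 51001, 22, "deny"),
    ("wireless user tries SSH to an AP", "100.64.0.10", "10.10.10.50", "tcp", 51002, 22, "deny"),
    ("SoftWLC polls the ESR over SNMP", "10.20.20.2", "10.20.20.1", "udp", 50000, 161, "permit"),
    ("SoftWLC manages an AP", "10.20.20.2", "10.10.10.50", "tcp", 50001, 22, "permit"),
    ("Internet host probes the ESR", "198.51.100.7", "172.16.0.2", "tcp", 40000, 22, "deny"),
]


def run_checks() -> dict:
    """Return {description: (verdict, expected)} for every constructed flow."""
    return {d: (evaluate(s, t, p, sp, dp), exp) for d, s, t, p, sp, dp, exp in CHECKS}


if __name__ == "__main__":
    for desc, (verdict, expected) in run_checks().items():
        print(f"{'OK ' if verdict == expected else 'BAD'} {verdict:6} {desc}")
```

Running it shows the isolation this policy gives: wireless users reach only the Internet and the DHCP service, not the ESR management plane, the APs or SoftWLC, and nothing from the untrusted side reaches the router at all. Re-run it after every rule change; a new permit in the user-to-trusted pair, for instance, should flip exactly the flows you intended and nothing else.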

Appendix

Full configuration of ESR

#!/usr/bin/clish
#18

object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit

object-group network MGMT
  ip prefix 10.10.10.0/23
  ip prefix 10.20.20.0/28
exit

no spanning-tree

security zone trusted
exit
security zone untrusted
exit
security zone user
exit


snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 10.20.20.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps ports
snmp-server enable traps ports port-counters-errors
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

interface gigabitethernet 1/0/1.3
  description "AP_MANAGEMENT"
  security-zone trusted
  ip address 10.10.10.1/23
  ip helper-address 10.20.20.2
exit
interface gigabitethernet 1/0/1.10
  description "AP_SSID_USERS"
  security-zone user
  ip address 100.64.0.1/22
  ip helper-address 10.20.20.2
exit
interface gigabitethernet 1/0/1.1200
  description "MANAGEMENT"
  security-zone trusted
  ip address 10.20.20.1/28
exit
interface gigabitethernet 1/0/1.3500
  description "INTERNET"
  security-zone untrusted
  ip address 172.16.0.2/28
exit
security zone-pair trusted self
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    match source-address MGMT
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit


ip dhcp-relay

ip route 0.0.0.0/0 172.16.0.1

ip telnet server
ip ssh server

DHCP server configuration

 The following is an example DHCP server configuration for the addressing above. ISC DHCP (isc-dhcp-server) is used as the DHCP server.

 /etc/dhcp/dhcpd.conf
default-lease-time 86400;
max-lease-time 87000;

log-facility local7;

#subnet the server itself is attached to; declared empty so dhcpd listens there without handing out addresses
subnet 10.20.20.0 netmask 255.255.255.240 {}

#Equipment allowed to receive a management address. The vendor class (option 60)
#is supplied by the client, so this is a convenience filter, not authentication.
#The substring length must equal the length of the literal it is compared with,
#otherwise a longer client string can never match.
class "ELTEX-DEVICES" {
	match if (
		(substring (option vendor-class-identifier, 0, 14)="ELTEX_WEP-12AC") or
		(substring (option vendor-class-identifier, 0, 14)="ELTEX_WOP-12AC") or
		(substring (option vendor-class-identifier, 0, 13)="ELTX_WEP-12AC") or
		(substring (option vendor-class-identifier, 0, 13)="ELTX_WOP-12AC") or
		(substring (option vendor-class-identifier, 0, 13)="ELTEX_WEP-2AC") or
		(substring (option vendor-class-identifier, 0, 12)="ELTEX_WOP-2L") or
		(substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-2L") or
		(substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-1L")
	);
}

#AP configuration subnet in vlan 3
subnet 10.10.10.0 netmask 255.255.254.0 {
	pool {
		option routers 10.10.10.1;
		range 10.10.10.2 10.10.11.254;
		#option 43: sub-option 0x0A, length 0x0A, "10.20.20.2" as ASCII (the SoftWLC address)
		option vendor-encapsulated-options 0A:0A:31:30:2e:32:30:2e:32:30:2e:32;
		allow members of "ELTEX-DEVICES";
		option domain-name-servers 172.16.0.254;
	}
}

#SSID vlan 10 AP users' subnet
subnet 100.64.0.0 netmask 255.255.252.0 {
	default-lease-time 3600;
	max-lease-time 3700;
	pool {
		option routers 100.64.0.1;
		range 100.64.0.2 100.64.3.254;
		option domain-name-servers 172.16.0.254;
	}
}
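The vendor-encapsulated-options string above is the TLV encoding of sub-option 10 carrying the SoftWLC address as ASCII text, and the ELTEX-DEVICES class relies on ISC's substring() prefix comparison. The following Python helpers (an added example, not part of the page's configuration or of Eltex software) build and decode that string and reproduce the prefix match, including the case where the literal and the substring length disagree. The sub-option number 10 is taken from the hex string on this page; the vendor-class strings used in the checks are constructed inputs.

```python
"""DHCP option 43 encoding and the ISC vendor-class gate from the dhcpd.conf above.

Added example, not Eltex or ISC code. Assumption taken from the page's hex
string: the SoftWLC address is carried in sub-option 10 as a dotted-quad in
ASCII. Vendor-class strings used for checking are constructed inputs.
"""
import ipaddress
from typing import Dict

SOFTWLC_SUBOPTION = 10          # sub-option code seen as the leading 0A on the page

# literals of the ELTEX-DEVICES class; the substring length must be len(literal)
ELTEX_VENDOR_CLASSES = ["ELTEX_WEP-12AC", "ELTEX_WOP-12AC", "ELTX_WEP-12AC",
                        "ELTX_WOP-12AC", "ELTEX_WEP-2AC", "ELTEX_WOP-2L",
                        "ELTEX_WEP-2L", "ELTEX_WEP-1L"]


def encode_option43(suboptions: Dict[int, bytes]) -> str:
    """Serialise sub-options as code/length/value TLVs and return the
    colon-separated hex string dhcpd accepts for vendor-encapsulated-options."""
    out = bytearray()
    for code, value in suboptions.items():
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("sub-option code or length out of range")
        out += bytes([code, len(value)]) + value
    return ":".join(f"{b:02x}" for b in out)


def softwlc_option43(address: str) -> str:
    """Option 43 payload pointing APs at the SoftWLC address (sub-option 10, ASCII)."""
    ipaddress.IPv4Address(address)      # refuse anything that is not an IPv4 literal
    return encode_option43({SOFTWLC_SUBOPTION: address.encode("ascii")})


def dhcpd_option_line(address: str) -> str:
    """The exact dhcpd.conf statement for the given SoftWLC address."""
    return f"option vendor-encapsulated-options {softwlc_option43(address)};"


def decode_option43(hexstr: str) -> Dict[int, bytes]:
    """Parse a vendor-encapsulated-options payload back into {code: value}.
    Handles pad (0) and end (255) octets and rejects truncated TLVs."""
    data = bytes.fromhex(hexstr.replace(":", ""))
    i, result = 0, {}
    while i < len(data):
        if data[i] == 255:
            break
        if data[i] == 0:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated sub-option")
        code, length = data[i], data[i + 1]
        result[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return result


def isc_substring_match(vendor_class: str, literal: str, length: int) -> bool:
    """Mirror of  substring(option vendor-class-identifier, 0, length) = "literal".
    substring() yields at most `length` characters, so a client string longer
    than the literal only matches when length == len(literal)."""
    return vendor_class[:length] == literal


def vendor_class_allowed(vendor_class: str) -> bool:
    """ELTEX-DEVICES membership with a substring length equal to each literal."""
    return any(isc_substring_match(vendor_class, lit, len(lit))
               for lit in ELTEX_VENDOR_CLASSES)


if __name__ == "__main__":
    print(dhcpd_option_line("10.20.20.2"))
    print(decode_option43("0A:0A:31:30:2e:32:30:2e:32:30:2e:32"))
    # the original class compared a 13-character literal against 14 characters:
    print(isc_substring_match("ELTX_WEP-12AC:1.0", "ELTX_WEP-12AC", 14),
          isc_substring_match("ELTX_WEP-12AC:1.0", "ELTX_WEP-12AC", 13))
```

Option 60 is chosen by the client, so the ELTEX-DEVICES class only keeps ordinary clients from taking AP addresses by accident; any host that gets into vlan 3 can present the same vendor class. The access switch configuration and the ESR zone policy, not this filter, are what keep the management subnet closed.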

Example of NAT configuration on ESR

If a third-party router is not intended to be used for translating client addresses towards the Internet, NAT can be configured directly on the ESR. The example below translates the user subnet to the address of the egress interface in the untrusted zone (172.16.0.2 in this scheme):

 NAT configuration
object-group network nat
  ip prefix 100.64.0.0/22
exit

nat source
  ruleset NAT
    to zone untrusted
    rule 1
      match source-address nat
      action source-nat interface
      enable
    exit
  exit
exit

Bridge interface usage

When sub-interfaces are used for SSID vlan termination, a separate subnet must be allocated for each vlan. To use one address space for the termination of several vlans, a "Bridge" type interface is used: the user subnet is assigned to the bridge, and the sub-interfaces that terminate the vlans are added to it as members. The protected-ports local setting in the example isolates the bridge members from each other, so clients in vlan 10 and vlan 11 reach the gateway but are not switched to each other through the bridge. The following is an example of a configuration in which vlans 10 and 11 are terminated into the same address space:

 Configuration example
#Delete the previously created sub-interface for vlan 10 termination
no interface gigabitethernet 1/0/1.10

#Create an interface with "Bridge" type
bridge 10
  description "AP_SSID_USERS"
  security-zone user
  ip address 100.64.0.1/22
  ip helper-address 10.20.20.2
  protected-ports local
  enable
exit

interface gigabitethernet 1/0/1.10
  bridge-group 10
exit
interface gigabitethernet 1/0/1.11
  bridge-group 10
exit